3.2.2 Statistical Detection

Transactions can reference blocks belonging to the canonical blockchain, thus implicitly signing the chain. An attacker attempting to forge a long reorganization can only produce transactions involving coins he controlled as of the last checkpoint. A long, legitimate chain would typically show activity in a larger fraction of the coins and can thus be distinguished, statistically, from the forgery.

This family of techniques (often called TAPOS, for “transactions as proof of stake”) does not work well for short forks, where the sample is too small to perform a reliable statistical test. However, they can be combined with a technique dealing with short-term forks to form a composite selection algorithm robust to both types of forks.

3.3 The Nothing-At-Stake Problem

An interesting approach to solving the nothing-at-stake problem was outlined by Vitalik Buterin in the algorithm Slasher [15]. However, Slasher still relies on a proof of work mechanism to mine blocks and assumes a bound on the length of feasible forks.

We retain the main idea, which consists in punishing double signers. If signing rewards are delayed, they can be withheld if any attempt at double spending is detected. This is enough to prevent a selfish stakeholder from opportunistically attempting to sign a fork for the sake of collecting a reward should the fork succeed. However, once rewards have been paid, this incentive to behave honestly disappears; thus, we use a delay long enough for TAPOS to become statistically significant or for checkpointing to take place.

In order to incentivize stakeholders to behave honestly, we introduce a ticker system. A prospective miner must burn a certain amount of coins in order to exercise his mining right. This amount is automatically returned to him if he fails to mine, or after a long delay.
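The statistical test of section 3.2.2, on which the delay above relies, as an added example that is not from the paper. It assumes coins are equal units with integer ids, that each transaction names one referenced block, and that a two-proportion z-test with threshold `z_min` stands in for the test the paper leaves unspecified; all names and sample data are constructed.

```python
import math

def make_fork(tag, n_blocks, movers):
    """Constructed sample fork: block i holds one transaction moving one coin
    from `movers` and referencing the previous block of the same fork."""
    fork = []
    for i in range(n_blocks):
        ref = fork[-1]["hash"] if fork else "checkpoint"
        tx = {"ref": ref, "coins": [movers[i % len(movers)]]}
        fork.append({"hash": f"{tag}{i}", "txs": [tx]})
    return fork

def active_coins(fork, checkpoint_coins):
    """Coins that existed at the checkpoint and moved in a transaction that
    references a block of this fork (and so implicitly signs it)."""
    hashes = {block["hash"] for block in fork}
    seen = set()
    for block in fork:
        for tx in block["txs"]:
            if tx["ref"] in hashes:
                seen.update(c for c in tx["coins"] if c in checkpoint_coins)
    return seen

def compare_forks(fork_a, fork_b, checkpoint_coins, z_min=3.0):
    """Return 'a', 'b' or 'inconclusive'. The z-test and z_min are assumptions."""
    n = len(checkpoint_coins)
    a = len(active_coins(fork_a, checkpoint_coins))
    b = len(active_coins(fork_b, checkpoint_coins))
    pooled = (a + b) / (2 * n) if n else 0.0
    if pooled in (0.0, 1.0):
        return "inconclusive"          # no usable sample
    z = ((a - b) / n) / math.sqrt(2 * pooled * (1 - pooled) / n)
    if abs(z) < z_min:
        return "inconclusive"          # short fork: sample too small
    return "a" if z > 0 else "b"

CHECKPOINT = set(range(1000))          # constructed: 1000 coins at the checkpoint
HONEST = list(range(1000))             # any coin may move on the legitimate chain
ATTACKER = list(range(30))             # forger controlled 3% at the checkpoint

if __name__ == "__main__":
    for length in (6, 400):
        verdict = compare_forks(make_fork("h", length, HONEST),
                                make_fork("f", length, ATTACKER), CHECKPOINT)
        print(length, "blocks:", verdict)
```

Coins created after the checkpoint are ignored on purpose: a forger can shuffle them freely inside his own fork, so only activity measured against the checkpoint snapshot discriminates between the chains.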
In order to allow stakeholders not to be permanently connected to the Internet and not to expose private keys, a different signature key is used.

3.4 Threat Models

No system is unconditionally safe, not Bitcoin, not even public key cryptography. Systems are designed to be safe for a given threat model. How well that model captures reality is, in fine, an empirical question.

Bitcoin does offer an interesting guarantee: it attempts to tolerate amoral but selfish participants. As long as miners do not collude, it is not necessary to assume that any participant is honest, merely that they prefer making money to destroying the network. However, non-collusion, a key condition, is too often forgotten, and the claim of Bitcoin’s “trustlessness” is zealously repeated without much thought.

A Self-Amending Crypto-Ledger Position Paper