*Double Spending Attack Prevention Scenario*

Only when both a PoW block and a PoS block confirm a transaction should it be considered confirmed on the blockchain. A transaction should not be considered confirmed when only PoS blocks confirm it because PoS blocks can be minted over multiple conflicting chains. As long as people refrain from erroneously considering 1-PoS-confirmed transactions as confirmed, this should not be an issue.

Furthermore, a transaction should not be considered confirmed when only PoW blocks confirm it because this could lead to double spending by an attacker using a 51% attack. This attack is much harder than double spending for someone accepting only PoS blocks as confirmation, but it is likely to be much easier than it is for today's Bitcoin because the new algorithm reduces the cost of mining (which in turn reduces the system's hash power by nature). For this reason, both PoW and PoS should be used to confirm or finalise transactions.

The expenditures required to launch a 51% attack are much greater than those for PoW for a given amount of honest mining. Hence, an attacker requires an amount of hash power equal to the honest hash power (which in an equilibrium case results in the attacker possessing 100% of the hash power). In addition, an attacker needs to own a considerable amount of hash stake. Given that the longest chain is determined by multiplying PoW and PoS accumulated difficulties, even if a single miner accumulates 90% of the mining power, it would not be able to produce a significantly longer chain without also owning more than 11% of current coins in circulation.

Considering a scenario in which the attacker attempts to create an additional sidechain and reveals it at a, we assume that the attacker has a hash power and stake power of (*a,b*), and the fair nodes have (*c,d*). Let *Yw* be the total mining difficulty. Then, *E*(*Yw*) = *E*(*X*) ∗ *dw*. This has been given in Equation (1), where the PoS block generation rate *λw* = *nd*2 , where *s* is the stake and *Ys* is the total mining difficulty presented in Equation (6). The total mining difficulty is an integration of the hash rate over time and vice versa of the stake over time. In duration *t*, the malicious chain has an expected weight of (*tdwc* + *a* · *t*) · (*tdsc* + *b* · *t*), and the fair nodes' chain has (*tdwc* + *c* · *t*) · (*tdsc* + *d* · *t*), where *tdw* and *tds* are the total difficulty for PoW and PoS from the genesis block, respectively.

For the attacker to gain the fair nodes' chain, the malicious nodes need to have a longer chain than the fair nodes' chain, which further leads to the following inequality: *ldsc* · (*a* − *c*) + *ldwc* · (*b* − *d*) + (*ab* − *cd*) · *l* ≥ 0. Given that this attack can only occur if the creation of blocks is free, we assume that the attacker will attempt to attack by using only PoS blocks. Assume that

$$td\_{\mathfrak{a}} = \sum\_{i=1\ldots 1 \ldots l\_{w-n}} d\_{\mathfrak{w}i} \cdot \sum\_{j=1\ldots l\_s} d\_{sj} = \left( (H\_{\mathfrak{w}} - n) \cdot \overline{d\_{\mathfrak{w}}} \right) \cdot \left( H\_{\mathfrak{s}} \cdot \overline{d\_{\mathfrak{s}}} \right),\tag{10}$$

where *tda* indicates the total complexity of the malicious chain. Even if the attacker holds the entire active stake and the total voting power remains unchanged, the best-case scenario is an identical *td* for the main chain. The projected maximum number of blocks that the LRA can create is (*φ* − *tNw*−*<sup>n</sup>*)/2*<sup>t</sup>* because the protocol forbids the creation of new blocks. If an attacker can increase his stake power through block rewards, then his chances of success increase with time. Specifically, the assailant must reach

$$\left(H\_{\mathfrak{s}} \cdot \left(\overline{d\_{\mathfrak{s}}} + \Omega\right)\right) > \left(H\_{\mathfrak{w}} \cdot \overline{d\_{\mathfrak{w}}}\right) \cdot \left(H\_{\mathfrak{s}} \cdot \overline{d\_{\mathfrak{s}}}\right) \Omega > \frac{H\_{\mathfrak{w}} \cdot \overline{d\_{\mathfrak{w}}}}{H\_{\mathfrak{s}}}.\tag{11}$$

Assuming that the primary chain's forging power is static (i.e., not subject to change), *Nw* = *Ns* is modified to reflect the extra power an attacker would require to equal the main chain's strength (expressed in difficulty). It must be more challenging than the PoW chain itself. Further research is required to determine how long it takes an attacker to gain access to increased difficulty, but the premise is that this process of gaining power gradually via block rewards occurs over a long period.
