Similar to proof-of-stake, proof-of-space protocols are susceptible to long-range (a.k.a. history-rewriting) attacks. Specifically, an attacker does not need 51% of the storage today to mount a private double-spend attack; instead, they only need 51% of the time-average storage over the life of the protocol. We discuss these attacks in our technical white paper, where we postulate that they are infeasible due to the proof-of-archival-storage (PoAS) consensus mechanism. This was later discovered to be incorrect.
The rest of this document includes
Key Questions for Supranational
Using old history
Should be detectable. But what is the exact verification procedure? If verification is probabilistic, can the adversary "cheat" by only replotting a little? How exactly does an adversary "cheat"?
Using new history — constrained by re-plotting (compute) and re-salting (I/O)
How much storage is required?
To create a chain with the same difficulty as the honest chain, the attacker needs the average storage of the honest network over the entire history of the fork. With that much storage, the solution range adjustment mechanism makes sure that the total difficulty of the attacker's chain matches that of the honest chain. If the total honest storage increased rapidly at the end of a long time interval, the average storage can be a small fraction of the total storage at the end of this interval, making this attack easier than a 51% attack. Let this required storage be denoted $S$.
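As an added illustration (not taken from the white paper or the project's code), the sketch below computes $S$ as a time-weighted average over a storage history and compares it with the storage at the tip, for forks of every depth. It assumes chain weight accrues in proportion to honest storage in each era; the `Era` record, the function names and the sample histories are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Era:                     # hypothetical record, not a protocol type
    duration: float            # era length, any consistent time unit
    storage: float             # honest storage pledged during the era

def required_storage(history):
    """S from the text: time-weighted average honest storage over the fork."""
    if not history or any(e.duration <= 0 or e.storage < 0 for e in history):
        raise ValueError("need eras with positive duration and non-negative storage")
    total_time = sum(e.duration for e in history)
    return sum(e.duration * e.storage for e in history) / total_time

def exposure(history):
    """Return (S, S / storage at the tip); a ratio well below 1 is the
    rapid-growth case the text describes."""
    s = required_storage(history)
    tip = history[-1].storage
    if tip <= 0:
        raise ValueError("tip storage must be positive")
    return s, s / tip

def exposure_by_fork_depth(history):
    """Ratio S / tip storage for a fork starting at each era, oldest first."""
    return [exposure(history[i:])[1] for i in range(len(history))]

# Constructed sample histories (arbitrary storage units, one era = one time unit).
STEADY = [Era(1.0, 100.0)] * 10
LATE_SURGE = [Era(1.0, 10.0)] * 9 + [Era(1.0, 100.0)]
DOUBLING = [Era(1.0, float(2 ** i)) for i in range(10)]

if __name__ == "__main__":
    for name, hist in (("steady", STEADY), ("late surge", LATE_SURGE),
                       ("doubling", DOUBLING)):
        s, ratio = exposure(hist)
        print(f"{name:10s} S={s:8.1f}  S/tip={ratio:.3f}")
    print("late surge by fork depth:",
          [round(r, 2) for r in exposure_by_fork_depth(LATE_SURGE)])
```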