(Replying to PARENT post)

PoW systems rely on the "phone a friend method" as well. When you download a Bitcoin client from a "friend", you are trusting them to honestly introduce you to the network. If you fall asleep for a period of years, you have to trust your friends to honestly inform you of all of the PoW forks and policy changes that have occurred over that interval. The only difference is that PoS blockchain clients must be bundled with a modestly-recent block hash along with the thousands of lines of code that you have no practical way to audit.

The problem eventually reduces to Ken Thompson's "Trusting Trust" [1] problem. There's no way to externally validate the honesty of any system (cryptocurrency, or otherwise).

[1] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...

👤josnyder🕑4y🔼0🗨️0

(Replying to PARENT post)

You really don't need to trust a "friend" while bootstrapping into the network with PoW, because the proof of work is irrevocably embedded within the blockchain, and the real world cost of creating those blocks can be pretty easily estimated.

So long as you have a general idea of how much hash power is being used currently for the network, or even just how efficient ASIC computing is in general at your point in history, you can work out how great the hashing difficulty should be. You can trivially verify that the block hash with a large number of preceding zeros, e.g. 0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2, is the hash of block it's attached to, and that a hash value that small would require a huge amount of energy to find. And every block beneath it also required a huge amount of energy, creating a huge real world economic cost to produce. You can't fake that chain without equivalent sacrifice of energy and compute resources.

Anyone trying to deceive you with a false chain would have to expend approximately as much energy as the entire legitimate bitcoin network does, and then keep doing it for as long as they want to deceive you. Sure, that theoretically could happen, but the economic incentives to do it just aren't there.

👤anonporridge🕑4y🔼0🗨️0

(Replying to PARENT post)

Indeed. And even if you posit a PoW currency which never has policy changes, unlike Bitcoin or any other major cryptocurrency…

And you assume that attackers will never have enough computing resources to execute a 51% attack – which could happen because the currency’s value falls enough that people stop mining it, because an extraordinarily well-funded entity decides to attack it, or because someone manages to hack the miners…

Then you do gain the security guarantee that if you see multiple competing branches of the blockchain, you’ll know which branch is the correct one (namely, whichever is longest). However, you’re still relying on phoning your “friends” (nodes you’re aware of) to tell you what blocks exist! If they all keep the true longest branch a secret from you (or, say, someone blocks your Internet connection to the nodes that aren’t willing to do so), then you will think the next longest branch is the correct one.

To be fair, that isn’t the most practical attack. But none of the risks being discussed here are remotely practical. In practice, nobody wants to connect an outdated client to a blockchain network because it risks (a) getting yourself exploited through known vulnerabilities in the client, (b) not working due to backwards incompatible protocol changes or bugs, or (c) missing a hard fork that might have happened over disagreements in policy changes (because there are always policy changes). So you update your client, and that means you have to rely on a “friend” to tell you which software you should be running.

👤comex🕑4y🔼0🗨️0
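The verification anonporridge describes (check that each block hash is under its target, estimate the work that implies, add it up over the chain) and the branch choice comex mentions can be shown end to end in a small toy chain. The following is a constructed example added here, not code from any commenter and not Bitcoin Core's code: the 80-byte header layout, the double SHA-256 hash, the compact `bits` target encoding and the work estimate 2^256 / (target + 1) are the real Bitcoin arithmetic, while `GENESIS_HASH`, `RULE_BITS`, the block payloads and the fixed (non-retargeting) difficulty rule are assumptions made so that it runs offline in a fraction of a second. One detail differs from comex's wording: nodes pick the valid branch with the most cumulative work, which is normally but not necessarily the one with the most blocks, and a chain that declares an easier target than the rules require is rejected outright rather than merely out-weighed.

```python
"""Toy proof-of-work chain verifier (constructed example, not Bitcoin Core code)."""
import hashlib
import struct
from dataclasses import dataclass, replace

GENESIS_HASH = b"\x00" * 32   # constructed: the starting hash the reader knows in advance
RULE_BITS = 0x2000FFFF        # constructed toy difficulty, ~256 expected hashes per block


@dataclass(frozen=True)
class Header:
    version: int
    prev_hash: bytes     # 32 bytes, internal (little-endian) byte order
    merkle_root: bytes   # 32 bytes; here simply SHA-256 of a payload string
    timestamp: int
    bits: int            # compact target encoding, as in Bitcoin
    nonce: int

    def serialize(self) -> bytes:
        return (struct.pack("<I", self.version) + self.prev_hash + self.merkle_root
                + struct.pack("<III", self.timestamp, self.bits, self.nonce))


def block_hash(header: Header) -> bytes:
    """Double SHA-256 of the serialized header, internal byte order."""
    return hashlib.sha256(hashlib.sha256(header.serialize()).digest()).digest()


def display_hash(h: bytes) -> str:
    """Byte-reversed hex: the leading-zeros form shown by block explorers."""
    return h[::-1].hex()


def bits_to_target(bits: int) -> int:
    """Decode the compact encoding: mantissa * 256^(exponent - 3)."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if bits & 0x00800000 or exponent < 3:   # negative / sub-byte targets: not needed in this toy
        raise ValueError("unsupported compact target")
    return mantissa << (8 * (exponent - 3))


def expected_hashes(bits: int) -> float:
    """Expected hash evaluations needed to beat this target: 2^256 / (target + 1)."""
    return 2 ** 256 / (bits_to_target(bits) + 1)


def verify_header(header: Header, prev_hash: bytes, required_bits: int) -> bool:
    """Valid iff it links to the previous block, declares the difficulty the rules
    demand, and its hash (read as a little-endian integer) is under that target."""
    if header.prev_hash != prev_hash or header.bits != required_bits:
        return False
    return int.from_bytes(block_hash(header), "little") <= bits_to_target(header.bits)


def verify_chain(chain, genesis_hash=GENESIS_HASH, required_bits=RULE_BITS) -> bool:
    prev = genesis_hash
    for header in chain:
        if not verify_header(header, prev, required_bits):
            return False
        prev = block_hash(header)
    return True


def chain_work(chain) -> float:
    """Cumulative expected work: the quantity nodes compare when choosing a tip."""
    return sum(expected_hashes(h.bits) for h in chain)


def mine(prev_hash: bytes, payload: bytes, bits: int, timestamp: int) -> Header:
    """Brute-force the nonce until the header hash is under target (deterministic here)."""
    merkle, target, nonce = hashlib.sha256(payload).digest(), bits_to_target(bits), 0
    while True:
        header = Header(1, prev_hash, merkle, timestamp, bits, nonce)
        if int.from_bytes(block_hash(header), "little") <= target:
            return header
        nonce += 1


def build_chain(label: str, length: int, bits: int) -> list:
    chain, prev = [], GENESIS_HASH
    for i in range(length):
        header = mine(prev, f"{label} block {i}".encode(), bits, 1_600_000_000 + 600 * i)
        chain.append(header)
        prev = block_hash(header)
    return chain


def select_best(candidates):
    """Drop rule-breaking chains, then prefer the most cumulative work, not the most blocks."""
    valid = [c for c in candidates if verify_chain(c)]
    return max(valid, key=chain_work, default=None)


def run_demo() -> dict:
    honest = build_chain("honest", 4, RULE_BITS)
    minority = build_chain("minority miner", 2, RULE_BITS)   # same rules, less hash power
    cheap = build_chain("cheap fake", 8, 0x2100FFFF)         # longer, but ~1 hash per block
    tampered = list(honest)                                  # one payload rewritten after the fact
    tampered[1] = replace(honest[1], merkle_root=hashlib.sha256(b"rewritten payment").digest())
    best = select_best([honest, minority, cheap, tampered])
    return {
        "honest_valid": verify_chain(honest),
        "cheap_valid": verify_chain(cheap),        # False: declared bits do not match the rules
        "tampered_valid": verify_chain(tampered),  # False: hash or link breaks from block 1 on
        "honest_work": chain_work(honest),
        "minority_work": chain_work(minority),
        "best_is_honest": best is honest,
        "honest_tip": display_hash(block_hash(honest[-1])),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script prints the tip hash with its leading zero byte and the two work totals. Real nodes apply the same three checks per header, but `required_bits` comes from the retargeting rule rather than a constant, which is what stops a longer, cheaply mined branch from ever being considered.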

(Replying to PARENT post)

I think the difference is which kind of hash you needed.

For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain. That's true, but this hash doesn't change during operation. You could get that hash from a history book if you will.

For PoS, the hash is from the end of the chain and therefore constantly changing. This means the challenge of finding out whether the hash is the right one is a lot more real than in the PoW case, because there is no "common knowledge" to go by which hash is right.

👤xg15🕑4y🔼0🗨️0

(Replying to PARENT post)

Finally someone actually mentioning the code. In PoS "trust" must exist along several points in time before you can engage with the system - and the most notable point being trusting that the rules (written in the code) are of your desire.

With PoW you don't care about the software code. The rules are dominated by the PoW because it literally proves to you which is the chain most people are interested in, because literally no single entity could burn that much electricity.

With PoS on the other hand you kind of need these checkpoints in the actual software and then you have to activate this entire new trust model where you have to trust the client code, and where it came from etc. I could literally come up with an entire fake chain on my computer and present it to you and without client-checkpoints there would be no way for you to not accept my chain compared to your current one.

With PoW I don't have to trust anything. If the majority next year decides to change the rules, so be it. The majority has spoken.

👤sktrdie🕑4y🔼0🗨️0

(Replying to PARENT post)

Is the threat of long range attacks in PoS any worse than PoW in practice?

Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients. Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.

As for auditing the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X509 certificates pinned by a couple of trust anchors preloaded in your OS. So much for distributed consensus...

👤Laforet🕑4y🔼0🗨️0

(Replying to PARENT post)

Trusting trustlessness is the paper you want to consult with

https://www.cs.umd.edu/~gasarch/BLOGPAPERS/cbit-4-2.pdf

👤jacklizhui🕑4y🔼0🗨️0

(Replying to PARENT post)

'Policy changes' and hard forks have about as much to do with PoW as whether the Federal authorities should ban cryptocurrencies or not - they're outside the realm of consensus algorithms. In PoW there are no friends. If your blockchain is incorrect (i.e. not the longest) your transactions on it are invalid and will be rejected by the rest of the network.

👤thruway516🕑4y🔼0🗨️0

(Replying to PARENT post)

No, policy changes make for a new blockchain. That's what's usually referred to as a "hard fork", as opposed to a "soft fork" where consensus rules are only allowed to get stricter, exactly because ownership of a coin should be guaranteed forever.

You could follow the consensus rules set out from the beginning and you would still end up on today's majority chain.

I believe there were a couple of early bug fixes along the way, which makes this not strictly true. As in, the original first release of the software was not actually capable of downloading all of the chain, which some people love to point to as proof of it being a fallible system. This is probably true but doesn't really detract from the original point of guaranteed ownership by never relaxing the consensus rules.

👤xorcist🕑4y🔼0🗨️0

(Replying to PARENT post)

not really, if you fall asleep for a period of years, you can still get a signal of how genuine any proposed fork is by observing the chain of blocks and their difficulties. that's the crucial bit of any PoW system - you can't fake the energy that was spent producing the chain. that's a way to externally validate the honesty of a system and a major scientific breakthrough that satoshi discovered.

also, hi, long time! maksym here =)

👤keymone🕑4y🔼0🗨️0

(Replying to PARENT post)

The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen. As most developers are not pseudonymous, this poses a threat to the honesty of the system.

You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.

👤crazypython🕑4y🔼0🗨️0