General feedback: very well thought-out. I particularly liked how concepts like UTXO vs accounts were covered without the confounding factor of decentralized block production.
Brief specific comments:
POW analysis: the best bribing attacks I’ve seen are the P+epsilon attack (https://www.lesswrong.com/posts/a8QMgWCwGML69n9me/link-the-p-epsilon-attack-precommitment-in-cryptoeconomics) and feather forking, and the best presentation I’ve seen for those is this one: https://www.youtube.com/watch?v=UPxaCj8ZsEU. For selfish mining there is a nice expository article from the ACM that I can’t find right now.
I think the PoW section is also the best place to introduce the “cartel” attack where a majority cartel of miners earns more than its fair share of revenue by censoring blocks produced by non-cartel members, and once that cartel has monopolized block production a sub-cartel could form, etc., since a big part of casper is basically ways to discourage this attack.
That said, there are probably more interesting attacks on PoW than can reasonably fit into that section, so I suggest explicitly outlining in the document what the learning goals are (to understand the security assumptions of PoW, or to learn the language of analyzing protocols). Personally I think the most important ones are the cartel attack and validator’s dilemma. Selfish mining is a cute way to show that intuition can lead you astray and you need math™; IIRC before the selfish mining paper was published, someone published an incorrect “proof” showing that bitcoin mining was incentive-compatible, because their model implicitly didn’t allow block withholding, or something like that.
Leaking in casper-ffg: I think it would be good to learn to analyze this from the CAP theorem perspective; from that point of view in a partition, casper-without-leaking sacrifices availability (but with the caveat that the unfinalized tip continues growing) whereas casper-with-leaking sacrifices consistency (if the partition lasts more than 4 months, conflicting finalized blocks will start getting included)
Proof of Stake: I think it’s super important to talk about long-range attacks and weak subjectivity!
Analyzing Proof of Stake: I think it’s important to talk about economic finality in casper-ffg vs probabilistic finality in PoW!
Advanced PoS: I know almost nothing about full PoS (ie without PoW block proposal) but AIUI many schemes simpler than randao, threshold signatures etc are weak to stake grinding, which is “unavoidable” because of the impossibility of fair exchange, which means you have to use deposits, which … etc
Sparse merkle tree: AIUI their name is a bit of a misnomer, the main property is not sparsity inasmuch as that it’s an (implied) “perfect merkle tree”, thus allowing for non-inclusion proofs
Fault proofs: The idea could be introduced in a simpler context earlier, that is, light clients
State Channels: IMO it would be cleaner to explain them outside of plasma first before explaining them on top of plasma