
Bitcoin Gold Hit by Double Spend Attack, Exchanges Lose Millions - drexlspivey
https://www.ccn.com/bitcoin-gold-hit-by-double-spend-attack-exchanges-lose-millions/
======
jhpriestley
When Bitcoin was running up to $20,000, I tried to analyze the system and come
to a personal conclusion about its equilibrium value, because I didn't want to
miss out if it really was the currency of the future.

I ended up not investing, because of the possibility of a double-spend attack.
I think that cryptocurrency enthusiasts are seriously underestimating the
importance of double-spending attacks to the economics of bitcoin and other
cryptocurrencies.

A few points that convinced me not to put my money into this system:

If hash capacity were traded on a perfectly competitive market, then it would
always make sense to rent 51% of the capacity at market rates, earn the
transaction fees, and also perform a double-spending attack. There is no
equilibrium point for transaction fees where this attack becomes uneconomical.
The only defense is that the market for hash capacity is imperfect.

The market for hash capacity is going to become more efficient over time. ASIC
miners will be commoditized, so that hardware investment becomes a much
smaller factor in hash cost versus energy. This might be even worse during a
bitcoin downturn, because there could be a glut of ASIC miners.

Miners will coordinate with market prices, turning off capacity when the price
dips (for example, because someone is underbidding to create a 51% attack). If
mining becomes more decentralized, it will be harder for miners to act in
their common interest (fending off 51% attacks) and against their immediate
interest (selling their hashrate to the highest bidder, or taking it off the
market during an underbidding attack).

High transaction volume is not necessarily any help - the more transaction
volume, the higher the cost of the attack, but the greater the rewards. The
semi-anonymous nature of bitcoin means that one could easily flood the network
with double-spend transactions. Attacking a huge network like bitcoin would be
an audacious and expensive act, but there are certainly organizations with the
resources to do it, e.g. intelligence agencies, organized crime. The massive
rewards to such an attack also offset fixed costs such as writing and testing
the software to carry out the attack.

~~~
tlarkworthy
I think the argument is that by doing a 51% attack you undermine the market
value so you never get the rewards. This makes sense, but only for the leading
crypto coin. As we see here today, you can 51% attack smaller coins, which
should imply an increase in the value of Bitcoin from consolidation.

~~~
tehsauce
The spooky thing that this made me realize is that if anyone did find a
vulnerability in bitcoin (or any cryptocurrency), they would have a
greater incentive to only slowly leech off the system, because they will be
able to siphon out much more over time than if everyone panics over security.
The weapon is no good unless it's secret.

~~~
MereInterest
Nah, you could short-sell Bitcoin. Take out a sell option, crash the value,
buy cheap, then exercise the option. Information is valuable, no matter which
direction it predicts the market to go.

~~~
tome
Where would you buy a put (sell) option on Bitcoin (without substantial
counterparty or settlement risk)? I genuinely want to know. I would have
bought one in November if I could have.

~~~
actsasbuffoon
I’ve read about plans to introduce crypto currency ETFs, but I’m not aware of
any that are publicly traded yet.

~~~
tome
Even then it's not clear you'll be able to buy _options_ on them...

------
apo
Oddly enough, one of the selling points of Bitcoin Gold (a hard fork of
Bitcoin) was its use of Equihash instead of SHA-256. The idea was that a
memory-hard proof-of-work function would inoculate Bitcoin Gold from miner
centralization.

The problem with mining centralization is that sufficiently powerful miners
can attack the network by rewriting blocks. This opens the door to double
spending.

This was exactly the attack the article described.

It appears that Bitcoin Gold's decision to use Equihash led to this mess. The
algorithm is used by several other coins. Hardware optimized for this
algorithm can therefore be used with equal ease to mine on a network or attack
it.

Bitcoin Cash may be headed for a similar fate. It retains SHA-256, but is a
minority chain in terms of hash power. A powerful Bitcoin miner deciding to
perform double spends on Bitcoin Cash would have everything needed to
repeat the Bitcoin Gold attack.

BTW, a similar attack recently occurred on Verge:

[https://blog.theabacus.io/the-verge-hack-explained-7942f63a3...](https://blog.theabacus.io/the-verge-hack-explained-7942f63a3017)

It's possible that any altcoin that becomes sufficiently valuable will suffer
similar attacks to the ones that have now taken place on Verge and Bitcoin
Gold.

~~~
IkmoIkmo
The problem I think is that there are 25 cryptocurrencies bigger than it.
Particularly with its form of mining, it's trivially easy for say a big player
in the 10th largest currency to shift their mining power to a smaller one like
Bitcoin Gold, overpowering everything else.

Normally the non-51% attack argument is that anyone who invests enough in 51%
of the infrastructure and has sufficient coins to profit from double-spending,
is very unlikely to do so because it would render the coins and mining
equipment worthless or at least worth less than the investment had cost.

That'd be true for bitcoin, but not for a GPU-mined 26th largest
cryptocurrency. You can completely destroy it, cash out and use your equipment
elsewhere on coins in which people still have faith.

~~~
vasilipupkin
so how exactly do you cash out? by exchanging double spent coins for btc or
usd? but then can't exchanges just stop that from happening?

~~~
bitreality
I'm not even sure you would need to exchange it to another coin. You would
never be exchanging it to USD because USD withdrawals will require you to
identify yourself and a corresponding bank account. To withdraw crypto you
just need an address.

So you can exchange it to BTC or ETH and withdraw. Or you can just deposit it
and withdraw it after. Most exchanges just mix customer funds together, so as
long as the exchange has enough BTG balance minus the double spent deposit,
they will send you real BTG.

------
zaroth
So this would require an attacker to pay into the exchange with BTCg, have the
deposit clear and approve for trading, trade it for another currency, and have
that trade settle and be clear for withdrawal, and then process the
withdrawal, all in under 4 hours. After which point the attacking miner
surfaces a longer chain they had been keeping which doesn’t include the
original BTCg deposit.

Alternatively, if the exchange isn’t smart enough to pay short-term
withdrawals with inputs that link back to the recent deposit, an attacker
could just deposit and then withdraw with no trade and the withdraw
transaction is valid even if the deposit is double-spent.

An exchange that lets a trader deposit millions in one crypto-asset, exchange
it for another, and clear a withdrawal in 4 hours... got what was coming to
them? Where’s the KYC process for a million-dollar deposit?

There’s a reason new deposits in a brokerage account take a few days to settle
/ be cleared for trading. And again after selling before funds can be
withdrawn. And that’s a currency where most transactions can be reversed!

It would be one thing to allow 10 block settlement for Bitcoin main-net. It’s
another to allow it with a thinly mined alt-coin.

~~~
dantillberg
Exchanges need to be built with the fluid nature of blockchain conflict
resolution in mind.

You can estimate the cost of double-spend attacks on each chain at any time,
calculate your potential exposure, track where the related funds are now in
your system, and mitigate your exposure by delaying the outflow of funds that
have outsize exposure to double-spend attack potential.

In the simple case, you might allow withdrawal of a single $10 deposit after 2
confirmations but enforce a long 1000-confirmation waiting period on a
million-dollar deposit, in order to increase the cost of executing a double-
spend against your exchange beyond the point which you estimate it becomes
infeasible.

It's a little trickier in practice because someone could split their million-
dollar deposit into 1000 thousand-dollar deposits from separate addresses into
separate accounts. But you can still track your exposure in aggregate, and you
should design a system to hold all impacted funds as long as is necessary to
make a double-spend attack infeasible.

You can be upfront with your clients about what's happening and why their
withdrawals are sometimes delayed: it would increase confidence in the safety
of honest customers' deposits while discouraging thieves from targeting you.

~~~
gruez
>But you can still track your exposure in aggregate, and you should design a
system to hold all impacted funds as long as is necessary to make a double-
spend attack infeasible.

also, you can monitor the value of transactions in the last few blocks. 500%
spike in transaction value in the last 2 blocks? better add a few more blocks
to the confirmation requirement, or require withholding on those deposits.
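
Added example, not part of the comments above and not any exchange's actual code: the hold policy dantillberg describes (confirmations scaled to aggregate exposure) combined with gruez's value-spike check. The linear per-block attack cost, the safety factor, the spike threshold and every dollar figure are constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ChainPolicy:
    # Assumed estimate of what it costs to out-mine one block (e.g. rental price).
    attack_cost_per_block_usd: float
    min_confirmations: int = 2
    safety_factor: float = 2.0          # attack must cost this multiple of the exposure
    spike_threshold: float = 5.0        # recent/baseline on-chain value ratio ("500% spike")
    spike_extra_confirmations: int = 6  # assumed padding while a spike is in progress


@dataclass(frozen=True)
class Deposit:
    account: str
    amount_usd: float
    confirmations: int


def required_confirmations(exposure_usd, policy, spike_ratio=1.0):
    """Depth at which rewriting the chain costs safety_factor x the exposure.

    Uses a linear cost model: reversing n blocks costs n x the per-block cost.
    """
    by_cost = math.ceil(
        policy.safety_factor * exposure_usd / policy.attack_cost_per_block_usd
    )
    needed = max(policy.min_confirmations, by_cost)
    if spike_ratio >= policy.spike_threshold:
        needed += policy.spike_extra_confirmations
    return needed


def exposure_at_depth(deposits, depth):
    """Value one reorg of `depth` blocks would reverse.

    A reorg deep enough to erase one deposit also erases every shallower one,
    so deposits split across many accounts are summed rather than judged alone.
    """
    return sum(d.amount_usd for d in deposits if d.confirmations <= depth)


def releasable(deposits, policy, recent_block_value=0.0, baseline_block_value=0.0):
    """Accounts whose pending deposits may be released for withdrawal."""
    if baseline_block_value > 0:
        spike_ratio = recent_block_value / baseline_block_value
    else:
        spike_ratio = 1.0
    released = []
    for d in deposits:
        exposure = exposure_at_depth(deposits, d.confirmations)
        if d.confirmations >= required_confirmations(exposure, policy, spike_ratio):
            released.append(d.account)
    return released


# Constructed sample data: $2,000 per block makes a $1M deposit need 1000 blocks.
POLICY = ChainPolicy(attack_cost_per_block_usd=2000.0)

MIXED = [Deposit("small", 10.0, 2), Deposit("whale", 1_000_000.0, 40)]
SPLIT = [Deposit(f"acct{i}", 1000.0, 5) for i in range(1000)]

if __name__ == "__main__":
    print("single $10 deposit:", required_confirmations(10.0, POLICY))
    print("single $1M deposit:", required_confirmations(1_000_000.0, POLICY))
    print("mixed queue released:", releasable(MIXED, POLICY))
    print("split $1M released:", len(releasable(SPLIT, POLICY)))
    print("small deposit during spike:",
          releasable(MIXED, POLICY, recent_block_value=6.0, baseline_block_value=1.0))
```
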

------
XR0CSWV3h3kZWg
more details here:

[https://forum.bitcoingold.org/t/double-spend-attack-on-excha...](https://forum.bitcoingold.org/t/double-spend-attack-on-exchanges/1362/17)

Bitcoin gold was a fork to try and decentralize mining. It changed to a proof
of work that is supposed to be ASIC resistant. It looks like the typical
situation is mining by GPU for equihash (BTG PoW).

BTG hashrate is at ~30MH/s at the moment, where Zcash's hashrate is at
~486MH/s.

I don't have the numbers off hand, but it'd be interesting to see how many
GPUs you'd need to pull off a double spend against BTG and if any of the other
equihash coins saw a drop off during the attack.

It'd be really interesting if it wasn't a rental attack, but an invested miner
just switching over to BTG to achieve the hack.

They reversed 22 blocks, the recommendation is to increase the # of
confirmations to rely upon to 50. If you are trying to react to a 51% attack,
doubling the number of confirmations only doubles the cost of attack, and the
attacker likely just doubled the number of BTG they have. If they can pay the
electricity/rental cost for the attack they have enough BTG to execute the
attack in a cost effective manner again.

~~~
xur17
You can rent hashing power on Nicehash, which currently has ~77MSol/s
available for rent. I'm not 100% familiar with how the auction process works,
but it looks like I could purchase 26MSol/s via a fixed contract for 1 hour
for ~1BTC.

Am I misunderstanding something here, or can I maintain a 51% attack right now
for ~$8k an hour? This can't be right.

~~~
Uberphallus
It is risky, but it is right, that's exactly why it took a while to happen. A
relatively small botnet can overtake many smaller coins in hash power in no
time, that's the hypothesis where I'd put the money.

------
mike-cardwell
Crypto currencies are worthless unless they have an enormous amount of hashing
power behind them.

We could really do with a webpage with a list of crypto currencies, the
hashing power currently behind them, and how much it would cost somebody to
take over 50% of the network.

Or does that already exist?

~~~
bunderbunder
So, that's an interesting pair of ideas, in that it gets me thinking that any
Bitcoin-style cryptocurrency might ultimately be doomed by its own design.

Shooting from the hip:

They've got this 51% vulnerability that is well known and hypothetically cannot
be truly closed. Instead, we rely on the idea that mounting such an attack
would be "too expensive". But at the same time, the cost/benefit of mounting
such an attack is fairly easy to estimate using public data - all you really
need to know is the cost to get to 51% and stay there for a given amount of
time, which you can infer by monitoring mining activity, and the current price
of the currency you'd want to attack. And you have to assume that whenever the
cost of mounting such an attack dips below the benefit, such a thing _will_
happen.

So then, I think that implies that the only other feature you'd need to throw
into the mix to ensure a cryptocurrency is ultimately doomed is to make the
rate at which new coin can be mined asymptotically approach zero. Such a
feature would mean that, in the long term, miners' revenue would ultimately be
dominated by transaction fees, which, this being a supremely commodity
service, market forces will presumably tend to keep relatively low. That
would, in turn, limit the number of miners the economy can support, which
would serve to limit the cost of mounting a 51% attack.

Meanwhile, what with a money supply that can't grow being inherently
deflationary, the _benefit_ of mounting such an attack would be constantly
growing, for as long as said cryptocurrency remains in use.

~~~
nemo1618
On the other hand, there will be people who have a vested interest in
preventing such attacks. If you own a lot of BTC, a successful attack can
drastically lower the value of your assets, so it makes sense to deploy some
of that capital to secure the network. And of course this goes even more so
for businesses in the crypto space that rely on BTC remaining secure.

One example of this sort of behavior is in mining. We tend to think of miners
as being selfish to a fault, and to some degree, that's true. But sometimes
miners have the opportunity to mine empty blocks (a form of attack), and
refrain from doing so, because it would harm the ecosystem as a whole and
jeopardize their long-term profitability.

~~~
dbt00
Spending capital to build hash capacity to protect an existing holding in BTC
is inherently deflationary. Instead of "you need to spend money to make money"
aka inflation/interest/growth, you have to spend money to keep money, which
always reduces your holdings over time and turns the entire network over to
companies that produce hashing capacity (hardware manufacturers, power
companies).

~~~
hackinthebochs
But the initial assumption was that of an efficient market for hash power,
which means the cost to hash is equal to the block rewards. And so deploying
some capital to secure the network nets zero loss.

------
B-Con
> Ordinarily, the blockchain would resolve this by including only the first
> transaction in the block, but the attacker was able to reverse transactions
> since they had majority control of the network.

Not a very precise explanation, just checking, what exactly does this mean?

I always thought the way a 51% double-spend attack worked was by broadcasting
a transaction for human consumption (eg, I'll give you Y coins for Z dollars),
then secretly mining your own blockchain for the N successive chains following
it. After the humans have completed the human-level transactions after waiting
the standard N successive blocks with no transaction conflicts, you release
your own secret blockchain fork back into the public with data that
contradicts the current popular one and instruct your network to ignore the
competing publicly-acceptable chain. The new private one wins so long as it is
equally as long as the public one which it should be because you have more
compute power than the rest of the public.

Is that basically what happened here?

~~~
swift532
You are correct. The longest chain is accepted as the correct one, so if you
have 51% hashpower and secretly mine while maintaining majority hashpower the
whole time, your chain will be longer and you can publish it at any time, and
effectively rewrite recent history.

~~~
giancarlostoro
Have there been other approaches to solving the double spend problem? I know
ByteCoin (which is from scratch and uses 'CryptoNote' (or CryptoNight?)) and
respectively its forks, which include Monero, are designed a little differently
and I think they boast having solved the double spend problem too, but I am not
sure if they just make the same decisions as Bitcoin concerning updating the
Blockchain?

Anyone care to weigh in on this?

------
Havoc
>Obtaining this much hashpower is incredibly expensive

Is it? Presumably you only need to maintain it for a short amount of time.
Sounds like something one could smash with google cloud preemptible GPUs or
similar. Especially since such an attacker is presumably not above using a
stolen CC or three.

~~~
barbegal
Under normal free market assumptions, the cost of double spending is simply
the expected reward of each block multiplied by the number of blocks that need
to be mined. For bitcoin, where the reward for finding a block is currently
~$100,000, that means you should be able to double spend by mining 6 blocks at
a cost of less than a million dollars.

The question is: are bitcoin miners subject to the usual free market
assumptions? If someone offered you double the market rate to hire a bitcoin
miner for an hour would you accept that offer or not?

~~~
Taek
As a miner, you are likely not going to accept because your entire revenue
stream comes from the cryptocurrency being stable. If someone uses your
hashrate to launch an attack, it's a direct threat to your future revenue
especially if the attack discredits the security of the token you mine.

In this case though, Bitcoin Gold shares a hashing algorithm (Equihash) with
many other blockchains. It is possible that some Zcash mining farm decided to
attack Bitcoin Gold because they felt the revenue from attacking Bitcoin Gold
was greater than the potential damage to their income, which is primarily
Zcash based.

I'm just grasping at straws here, but generally speaking it's a bad idea to
share hashing algorithms with another cryptocurrency, especially if that
cryptocurrency is substantially more valuable (in terms of monthly block
reward) than your own.

And, all GPU-mined coins are essentially sharing one algorithm, because the
hardware can jump between them easily. So all GPU based coins share this
vulnerability, where the tiny GPU mined coins could easily be attacked or
wiped out by a large Ethereum farm at any point.

------
root_axis
I'm just waiting for the day when it's revealed that ~70% of miners on a top 5
cryptocurrency are compromised by a specialized worm or malware. We'll
probably only find out after the double spending is discovered but this type
of outcome seems almost inevitable. The people writing this type of software
are definitely financially motivated, but I can easily imagine such a person
throwing away millions of dollars in 0-days just to fulfill such a hackneyed
cyberpunk cliche.

Also, we know that things like stuxnet exist. Imagine something even a
fraction as crazy as that targeting mining nodes. It's going to happen
eventually.

~~~
gruez
>We'll probably only find out after the double spending is discovered but this
type of outcome seems almost inevitable

attacks like this are harder to pull off than you think. miners constantly
submit "shares" to the pool, which are then validated to credit them a share
in the block reward[1]. depending on what the difficulty threshold of the
shares is, these could be submitted a few times a minute to every few minutes. if
you hacked and gained control of the miners, sure you can redirect all the
hashing power to you, but this will be detected quite quickly. with thousands
of dollars on the line per minute, you can bet that everybody has monitoring
in place to detect a dip in shares submission. also keep in mind that you have
to keep this going for about 1 hour (for your initial transaction to confirm)
without people noticing. moreover, the core problem with stealing hash power to do
a 50% attack is that block times will skyrocket on the main chain, which will
let everybody (and not just the pool operator) know that something's up. plus
after this attack, you can bet that exchanges will start requiring additional
confirmations for large deposits, and instituting withholding times for
cryptocurrency withdrawals.

[1] I don't know whether large mining operators do this. Strictly speaking,
they don't but I'd imagine they do this because it lets them know that their
rigs are up and producing valid hashes (ie. not malfunctioning). It's almost
certain that small mining operators use pools.

~~~
root_axis
You're right that there are a few canaries in the coal mine, but there are a
lot of creative options if you have the ability to execute arbitrary code on a
mining node botnet, _assuredly_ some of which are yet to be discovered (as far
as we know). Consider as well the many financial opportunities available to
someone who may have an interest in sabotaging or disrupting some kind of
mining activity, perhaps in subtle ways that are not usually noticed.

~~~
mrep
They could fake the results to make it look like everything was ok while the
attack happened. That's apparently what stuxnet did:
[https://news.ycombinator.com/item?id=17099969](https://news.ycombinator.com/item?id=17099969)

~~~
gruez
with that method, you might be able to fool the mining operator's monitoring
system (assuming you also pwn their pool server), but you can't fool the whole
network. there's simply no way to hide a 50% drop in network hashrate.

------
harryh
How many millions? Is it time to update
[http://dayssinceacryptocurrencyexchangehaslostmorethan100mil...](http://dayssinceacryptocurrencyexchangehaslostmorethan100million.com/)
?

Meh. I think I'm just gonna go ahead and add it. I haven't been paying close
attention. I'm sure I've missed 1 or 2.

------
SurrealSoul
Knee jerk reaction: Good.

However since it is a 'Bitcoin cash' type coin this will ultimately hurt
bitcoin and the community as a whole. I can already see the buzz "Bitcoin
double spending attack!" articles

~~~
mr_spothawk
seems more ammo for the argument by Bitcoin Maximalists - can't easily
own/manipulate a larger network

~~~
jadedhacker
Also minimalists.

~~~
mr_spothawk
ah, yes. never forget the devil you know.

------
49bc
Satoshi really downplayed 51% attacks in his/her original whitepaper[1]:

> _The incentive may help encourage nodes to stay honest. If a greedy attacker
> is able to assemble more CPU power than all the honest nodes, he would have
> to choose between using it to defraud people by stealing back his payments,
> or using it to generate new coins. He ought to find it more profitable to
> play by the rules, such rules that favour him with more new coins than
> everyone else combined, than to undermine the system and the validity of his
> own wealth._

Apparently he didn't realize that coins could quickly be transferred to other
crypto and not held, so who cares about the value of the stolen goods.

[1] [https://bitcoin.org/bitcoin.pdf](https://bitcoin.org/bitcoin.pdf)

~~~
baddox
But wouldn't the long-term honest mining be more profitable than a single hit
and run? Kinda the same reason that when you go to a restaurant the restaurant
owners almost always exchange food for money rather than rob you and leave
town forever. If you own a restaurant it's generally more profitable to run it
honestly than run away with a one-time dishonest payoff.

~~~
dpiers
Not if it destroys the credibility of a rival coin, which I suspect could be
the case here. Many in the "real Bitcoin" community call Bitcoin Cash a fraud
because its existence reveals the specious value of their "real"
cryptocurrency.

Executing a double spend attack on Bitcoin Cash would be a massive success for
Bitcoin owners. Same goes for Bitcoin Gold.

You could even create a mining pool/network - let's call it CoinFucker - where
every now and then the pool's resources were diverted to attack a rival coin.
Doing so damages that coin's reputation, and in doing so reduces the
competition. This would be a great way for the majority of
mining/computational power to squash would-be rivals.

~~~
stordoff
I'm not sure in this specific case it would make sense for Bitcoin users.
Unless you are already involved in cryptocurrencies, I'm not sure the average
person is going to differentiate between "Bitcoin" and "Bitcoin Gold" -- the
negative impression of "Bitcoin Gold hit by attack" is going to reflect on the
original Bitcoin.

------
cutler
So much energy from the brightest minds of our age dedicated to getting
something for nothing. I'm outa here.

~~~
comboy
Yeah, producing software is insane.

~~~
cutler
I was referring to those out to game the system, not the creators of the
software. Then again, I have the same contempt for stock market traders,
currency speculators and purveyors of financial "products", "instruments" or
any other crazy term invented to make getting something for nothing sound
respectable.

------
oceanman888
I met the founder of Bitcoin Gold a few months before, I cannot tell if there
is any other reason he forked bitcoin than mere profit. He said he was going
to fork ether as well. Given the speculative nature of the people involved in
this network, could this be an inside job?

------
josephagoss
Every POW coin should either switch to POS or if they are going to stick with
POW they need to focus on a different algorithm and let ASIC development
happen. The key to being a weaker chain is to encourage the community to build
an ASIC just for your coin. I don't understand this push by many POW coins on
sticking with commodity hardware, except for a few giants (zcash, eth, monero)
you're going to get destroyed.

Dedicated ASIC only for your chain = good. Commodity hardware = bad.

------
granaldo
How is the price
[https://www.coingecko.com/en/price_charts/bitcoin-gold/usd](https://www.coingecko.com/en/price_charts/bitcoin-gold/usd)
still good when this is all over the news?

~~~
bearjaws
This isn't the first time terrible news has broken and somehow a coin remains
valuable.

Remember when Bitcoin forked into Bitcoin Cash and somehow everyone just made
up a new value for the coin?

It was like billions of dollars were created out of thin air, everyone started
trading it and nobody batted an eye. Bitcoin even GAINED value.

There is no logic or sanity in the coin market.

~~~
carapace
> In August, a group split the chain to create a new form of Bitcoin that they
> called Bitcoin Cash. The two blockchains shared a transaction history up
> until the time of the split, giving anyone who held any number of Bitcoins
> until the so-called hard fork the equivalent number of Bitcoin Cash on the
> new fork. (A hard fork is a software change that runs the risk of splitting
> the blockchain into two, particularly if the community disagrees about it.
> If you follow Ethereum or cryptocurrency, you may have heard that Ethereum
> split into Ethereum and Ethereum Classic after a contentious hard fork.)
> However, many people who didn’t support Bitcoin Cash dumped their coins
> quickly, and, after initially spiking up to $900, the price has now deflated
> to about $300.

[https://firenewsfeed.com/news/635991](https://firenewsfeed.com/news/635991)

Good God you're not kidding.

It's like a car accident, but there's this siren song urging you to join in
because some of the people are thrown free holding chunks of gold.

It reminds me of a Jim Gaffigan joke. He's talking about trying to lose
weight, and how hard it is when the fast food restaurant has a $2 for 2
burgers deal... "Well... I don't want to lose money on this... I'll take
eighty."

On the one hand this whole cryptocurrency thing seems to be gone off the
rails. On the other hand, I do feel kinda dumb for not owning any.

------
ryanwaggoner
If Bitcoin became the dominant currency of humanity, eventually we’d darken
the galaxy by building Dyson shells in the ultimate energy arms race to
prevent a 51% attack.

Joking. Mostly.

~~~
quickthrower2
Having fun with your idea:

How do you adjust the algorithm for the communication time between opposite
nodes. Let's say earth distance, 16 minutes at speed of light direct.

~~~
AlexCoventry
You don't; it simply takes 200,000 years to confirm your transaction is in the
highest-work chain in the galaxy.

------
nemoniac
Bitcoin Gold has a director of communications?

------
ada1981
Curious if this is illegal in any way?

I suppose there will be increasing incentive to do the numbers on the hash
cost to take over a coin and to execute these attacks.

Neat.

~~~
mike-cardwell
I think stealing is illegal, yes.

~~~
patmcc
Is this stealing by whatever definition police/the courts currently use? Isn't
it an intentional part of the design of a cryptocurrency that decisions are
made by a consensus based on hashing power?

If you have 51% of the hashing power, you have control over that
cryptocurrency; that's by design. Can you really steal at that point?

edit: to those replying, I'm not saying this double spend is ethically fine,
or not theft in the common parlance. I'm saying it's not entirely clear to me
a court would find this to be theft. Think about the Ethereum hard fork to
undo the DAO hack; there, a majority of the hashing power undid a bunch of
transactions. I wouldn't call that theft (because it was undoing a hack?) but
it doesn't seem that different to this situation.

~~~
Taek
Uh, yes, you can steal. Just because the vault is open at a bank doesn't mean
that you can walk in, take the money and leave, and then claim that it's yours
because they didn't lock the door.

When you send money to an exchange, there's an understanding that the money
now belongs to the exchange. The exchange waits 6 confirmations to ensure that
the money is not easily stolen, but the money legally belongs to the exchange
as soon as the transaction is sent.

\---------------

Also, a 51% attack doesn't give you control over the cryptocurrency. You still
have to follow the rules of the system, you can't print extra money from thin
air, you can't spend money you don't control, the most you can do is change
the ordering of the transactions that have happened on the system. And a lot
of times, those transactions have block height or block id dependencies, which
means you are even limited in your power to do that.

A 51% attacker is not God. They have a limited set of actions they can take,
and while certain forms of stealing are included in that set of actions, it's
overall a pretty limited set of things that you can do.

------
alistproducer2
What's interesting to me is that the bit of game theory that is supposed to make
such an attack unprofitable seems not to be holding here. Supposedly the idea
that the blockchain was insecure would devalue the coin to such a degree as to
disincentivize people from attempting these sorts of attacks. I see virtually no
movement in the price of BTG and relatively little in XVG (also attacked this
week). If anything, the fact that the chain's integrity can be compromised and
nothing happens appears to undermine a core assumption of Nakamoto consensus.

~~~
gruez
>Supposedly the idea that the blockchain was insecure would devalue the coin
to such a degree as to disincentive people from attempting these sorts of
attacks

The original claim was:

>He ought to find it more profitable to play by the rules, such rules that
favour him with more new coins than everyone else combined, than to undermine
the system and the validity of his own wealth

what satoshi didn't take into account, is the rise of "cloud mining" services
and thousands of competing "alt-coins" using the same hashing algorithm.

------
Lewton
A few thoughts:

- It rubs me the wrong way to call it an "exploit" when 51% attacks are a
core part of the way blockchains function.

- I'm surprised that the price for bitcoin gold isn't tanking. That's a sign
that the crypto marketplace really isn't healthy right now, imo

- Conversely I'm surprised that this isn't causing a spike in coins that are
more robust in regards to 51% attacks, like BTC and BURST (because they're
both the majority coin in the realm of the resources they require)

------
Animats
This puzzles me. Although a miner with enough hash power can do a double
spend, it's obvious from the blockchain that they did so. To bring this off,
you have to have huge hash power and be anonymous. That limits the number of
possible attackers.

Bitmain could do this to Bitcoin, but everybody knows where Bitmain is.

------
cies
The team behind Cardano is proving their algorithms. I think they have even
proven Bitcoin in the process of proving their own algos.

I guess this is why one would like proofs, and proglangs that can (to some
extent) incorporate the proofs/laws so your code is checked against them.

------
thedailymail
If all that is required to reverse transactions is 51% control, cannot the
transactions that occurred during the double spend attack also be reversed by
a 51% coalition once the attacker loses its majority?

~~~
IkmoIkmo
Sure but it doesn't solve anything. Remember that people do not trade token A
for token A. You don't buy dollars with dollars. You use dollars to buy
something else, like euros.

So you may reverse one token, but you won't be able to reverse the other.

i.e. suppose you have $100 and I have 100 tokens (e.g. bitcoin gold coins).
You pay me $100 and I give you the coins. I now double-spend and sell the
coins to someone else. You now have no coins and no money. I then double-spend
that and give the coins to myself.

You could at some point fix this and get the coins back, technically. But
you're not going to get your $100 back. Nor is the other person. And the other
person never got his coins. So both of you are out of money, and only one has
the token. Theft occurred.

Moreover, even if you somehow both had the coins, they ought to be worthless
because the entire system is completely useless. If a system can be
compromised like this, the tokens have no value. Just like a dollar bill has
no value if it can be printed, or can magically be transferred to a thief at
the click of a button.

I used dollars in this example, but the more likely avenue of attack is for
the attacker to sell his bitcoin gold for other cryptocurrencies like bitcoin
over and over. Like selling an expensive bicycle to a customer but keeping the
key to the lock, stealing it at night and selling it to someone else, a dozen
times in the span of a few hours.

All of this is a major issue without even getting into the political
discussion on forming a coalition and deciding which transactions were fair,
genuine, worthy to keep, and which weren't. That's virtually impossible,
particularly when there's one set of double-triple-quadruple-spent coins out
there to distribute with many people making equal claims that they were
scammed.

~~~
thedailymail
Thanks for the clear and detailed explanation!

------
pm24601
<snark>Remind me again why cryptocurrencies are a good idea</snark>

Seriously, the idea of smart contracts can truly be of value if attacks like
this are no longer possible.

------
zby
The strange thing about this is that there is no visible effect on the price
of BTG. It is going down true - but most crypto go down now - and when you
look at the chart you would not guess that there was such a dramatic event:
[https://cryptowat.ch/markets/bitfinex/btg/usd](https://cryptowat.ch/markets/bitfinex/btg/usd)

------
tobiaswk
Well it was scamish to begin with. 100,000 coins were premined when it forked.
With a lot less mining competition a double spend attack was just waiting to
happen. It is possible to also do a double spend attack on Bitcoin and Bitcoin
Cash. It's just not very feasible because you would need A LOT of hashing
power. So this comes as no surprise to me at least.

------
powera
If Bitcoin Gold weren't worthless before, it is now.

If it weren't so difficult and risky to sell this, it would be worth almost
nothing already.

~~~
gruez
only down 10-20%

------
hartator
Stupid question: If an attack allows you to successfully double spend, can you
also triple spend or quadruple spend?

~~~
Cogito
Well sort of.

Double spending is just convincing the network you've sent coins to multiple
places, and then undoing all of the transactions that were 'paying' for
something (in this case paying for credits at an exchange).

The actual details of what they were doing matters and I don't know them, but
it's almost certainly simpler to chain double spends together, one after the
other, than to try and do three or more transactions concurrently then reverse
most of them.

This achieves the same thing as a triple or quadruple spend but only
necessitates reversing one transaction at a time.

------
duxup
Is there a layman's explanation for this attack?

"but the attacker was able to reverse transactions since they had majority
control of the network."

I thought these crypto currencies didn't allow for reversing a transaction? Or
is this "reversing" such as just deposit and then withdraw?

~~~
arconis987
Someone please correct me, but here's my best explanation.

When you first connect to the Bitcoin network, how do you find out what the
true blockchain is? You connect to other nodes and ask them. They may tell you
anything. However, it's easy to verify whether a blockchain given in a
response is valid. That is, it's easy to tell if a given blockchain is
following all of the rules.

But what if you receive a few valid blockchains that are different from one
another? Which one is the true blockchain for the world?

You simply choose the longest blockchain that you hear about.

Why the longest? It's the one that has had the most computing power focused on
it. Anyone can compute a very small, self-serving, malicious blockchain of a
few blocks. But to compute the longest blockchain in the world requires vast
computing resources. The longest blockchain is supposed to be uncontrollable
by any single party or network of colluders because it is supposed to be too
hard to acquire the majority of the computing resources in the world.

Unfortunately, it looks like someone did just this and controlled >51% of all
computing resources in the world dedicated to Bitcoin Gold. If you have enough
resources, you can generate the longest blockchain in the world, add a self-
serving transaction, get some goods or service in return, then recompute a new
longest chain in the world where that transaction is no longer there. Everyone
by default accepts the longest blockchain because it's supposed to be the most
safe, but they are wrong.
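
A toy model of the fork-choice rule described in the comment above, added here as an illustration and not part of the original thread. The `Block` layout, transaction names and outpoints are constructed, and it compares chains by block count as the comment does, whereas real nodes compare cumulative proof-of-work.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    prev: str      # hash of the parent block ("" for genesis)
    txs: tuple     # ((txid, outpoint_spent), ...), constructed sample data
    @property
    def hash(self):
        body = self.prev + "|" + ",".join(f"{t}:{o}" for t, o in self.txs)
        return hashlib.sha256(body.encode()).hexdigest()

def extend(chain, *tx_lists):
    chain = list(chain)
    for txs in tx_lists:
        chain.append(Block(chain[-1].hash if chain else "", tuple(txs)))
    return chain

def is_valid(chain):
    """Blocks must link up, and no outpoint may be spent twice in one chain."""
    spent = set()
    for i, blk in enumerate(chain):
        if i and blk.prev != chain[i - 1].hash:
            return False
        for _txid, outpoint in blk.txs:
            if outpoint in spent:
                return False
            spent.add(outpoint)
    return True

def choose_chain(candidates):
    """Fork choice: the longest chain that follows the rules wins."""
    return max((c for c in candidates if is_valid(c)), key=len)

def reorg_report(old, new):
    """Compare the old and new best chains: (depth, dropped txids, conflicts)."""
    fork = 0
    while fork < min(len(old), len(new)) and old[fork].hash == new[fork].hash:
        fork += 1
    old_spends = {o: t for b in old[fork:] for t, o in b.txs}
    new_spends = {o: t for b in new[fork:] for t, o in b.txs}
    dropped = sorted(t for t in old_spends.values() if t not in new_spends.values())
    conflicts = {t: new_spends[o] for o, t in old_spends.items() if new_spends.get(o, t) != t}
    return len(old) - fork, dropped, conflicts

# Constructed scenario: a deposit with 3 confirmations, then a longer rival branch.
base = extend([], [("coinbase", "none:0")])
honest = extend(base, [("deposit_to_exchange", "utxo:7")], [], [])
rival = extend(base, [("pay_self", "utxo:7")], [], [], [])
```

With this data `choose_chain([honest, rival])` selects `rival`, and `reorg_report(honest, rival)` reports a depth-3 reorganization that drops `deposit_to_exchange` in favour of `pay_self`. A dropped, previously confirmed deposit with a conflicting replacement is the signal a receiving service would alert on.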

~~~
duxup
Thank you!

I'm not well versed in the block chain tech but it is surprising that there is
an inherent big ass monopoly type manipulation you can run ... inherent to the
system.

That seems very much not what Bitcoin would "intend" and yet there it is, very
available.

------
guiomie
How is the price not crashing? It's down 10%, which is pretty much like the
rest of the market.

~~~
21
Because shitcoin prices have no relation to any sort of reality. Some
shitcoins are traded on exchanges even if no actual coin or code existed.

~~~
guiomie
They would exist as ERC20 tokens I believe...?

~~~
fiatjaf
EOS has begun trading without any of that. Now it's an ERC20 token, I guess,
but still there is no code, no network, no nothing -- and in fact their
creators have declared they won't be starting the network or whatever, they're
just selling "the idea". The tokens themselves have no value at all, they only
_hope_ that whenever someone starts the network they will give some privileges
to the current token holders.

~~~
glitch003
>but still there is no code, no network, no nothing

EOS mainnet launch is June 2nd, 9 days away. There's lots of code:
[https://github.com/EOSIO/eos](https://github.com/EOSIO/eos)

Check this cool demo out:
[https://eosauthority.com/space/](https://eosauthority.com/space/)

~~~
fiatjaf
Ok, many things may have changed, my latest information was from about a year
ago, when there were people buying the token already.

------
brownbat
It's weird the reaction on cryptocurrency prices today has been so correlated,
you'd expect a flight from smaller more vulnerable coins into the larger
market caps.

Then again maybe everyone is just freaking out about the tether expansion...

------
throwawaylolx
So BTG has a hash rate in the order of tens of M using the same hashing
algorithm that is used on the ETH network, which has a hash rate in the order
of hundreds of T? So a millionth (10e-6) of ETH hashrate could 51% BTG?

------
daveguy
What do you want to bet the attacker shorted other crypto while they were at
it?

------
cat199
Anyone well versed in this topic care to comment about how these attacks
might/might not relate to the 'proof of work vs proof of stake' debate in the
wider cryptocurrency world?

------
paulie_a
I am just going to say two things: 1 it was only a matter of time 2 LoL

~~~
joejerryronnie
But what about my Lambo?!!

~~~
davesque
Exchange owners probably already have lambos.

------
Marazan
_No one would ever actually do a double spend attack as it would be more
profitable to mine the currency instead_ --Every cryptocurrency enthusiast
ever.

------
fixermark
That's going to be okay though, right? Given that it's clear fraud, the FDIC
should be able to step in and make investors whole, right?

------
AlexCoventry
I met the founder of Bitcoin Gold at a meetup which turned out to be a sales
pitch for Bitconnect, funnily enough.

------
wellboy
Yes Bitcoin is vulnerable to a 51% attack right now and so are all other PoW
coins.

That's why crypto is still in its infancy.

------
kmbriedis
That's why Proof-of-stake is the way to go, you will never see a major
coinholder undermining the coin

------
sauravt
Is there any way to prevent 51% attacks in bitcoin forks besides increasing
confirmations?

------
brudgers
To me, this shows how Bitcoin type cryptocurrency mining incentives line up.
For good actors, there is little to no incentive to seek 51% capacity whereas
there is a lot of incentive for bad actors to seek it. As an economic
activity, the logic of ruthless competition makes double spend capability the
holy grail. Double spend is the sole reward for 51% capacity.

------
wrycoder
I hate to toss in a commonplace, but can’t anyone here play this game?

------
zygimantasdev
I wonder if the idea for this attack came from Silicon Valley tv series

~~~
atlih
Nope, this has been happening every year for the last 7 years. Great series
though :)

------
hwestiii
Wait a minute. Isn't bitcoin supposed to be immune from this?

------
whiteraven96
Who is taking the money? What is it going to be spent on?

------
whiteraven96
3 attacks in one week?! Who needs this kind of money?

------
branchless
Bolivar isn't going to zero.

Bitcoin base value is comedy value .. ok.

------
zeth___
Purely hypothetical and mostly stupid: could double spending attacks be a way
to overcome the issue of a limited supply of coins and the fact the total
number of coins tends to zero as old coins are lost?

~~~
sanxiyn
No, because transactions are reversed in double spend attacks. It does not
increase the supply.

------
bshastry
how the heck did he acquire majority hash? Afaiu, this requires massive
computational resources that no individual has access to

------
CryoLogic
Hence why Iota is still using their coordinator.

~~~
gruez
centralization does solve a lot of issues, but at that point you might as well
go with a postgres instance.

------
zerostar07
maybe Bitcoin Diamond will prove harder

~~~
davesque
I see what you did there.

------
asasidh
play stupid games (like listing shitcoins) win stupid prizes

------
davesque
And the freakout cycle begins anew.

------
zaekona
Oh dear, it's not looking good for Bitcoin. Will Bitcoin recover, or should we
let other crypto kings such as Verge take over already?

