
Bitcoin security guarantee shattered by anonymous miner with 51% network power - somethingnew
http://arstechnica.com/security/2014/06/bitcoin-security-guarantee-shattered-by-anonymous-miner-with-51-network-power/
======
sktrdie
Satoshi wrote this in the original Bitcoin paper, which logic I think still
holds today:

    
    
      If a greedy attacker is able to assemble more CPU power than 
      all the honest nodes, he would have to choose between using it 
      to defraud people by stealing back his payments, or using it to generate 
      new coins. He ought to find it more profitable to play by the rules, such 
      rules that favour him with more new coins than everyone else combined, than 
      to undermine the system and the validity of his own wealth.

~~~
zorbo
The whole Game Theory element the bitcoiners keep throwing around surprises me
the most. It's not as in you can apply game theory like that in practice. It
also assumes rational players. People are anything but rational. Game theory
works in numbers, but not on an individual level like that. Besides, there are
plenty of profitable avenues if you control 51%.

~~~
eatitraw
> It also assumes rational players.

All models are wrong, but some are useful. What is the chance that there is an
irrational player that spends a lot of money only to destroy bitcoin? This
kind of player has to be politically motivated, not just simply irrational.

> Besides, there are plenty of profitable avenues if you control 51%

Like what? Basically you can do a few things:

1) Mine all the current coins

2) Double-spend

3) Not confirm any transactions

All of them are harmful to the network. However, given that it is not an
actual single entity that controls 51%, I wouldn't be worried much about
anything except 1)

~~~
KingMob
Game theory is not even a _useful_ model here. There are plenty of rational
players who would desire the downfall of Bitcoin.

The game theorists assume at the outset that everyone involved's primary
financial interest is in a valid working Bitcoin network. However, banks and
Western Union would not desire competitors for international currency
transfer. Governments may not want currencies they can't control. The Russian
mafia may want to exploit it for short-term gain or launder money. And now
that there's a single pool with >51% of the CPU power, the difficulty of a
hostile takeover just went way, way down.

Before, a group would have to set up a massive amount of computing power in
order to take it over, but now, taking over or disrupting Bitcoin is within
the reach of non-technical entities like criminal organizations and the CIA.
E.g., all the CIA has to do is threaten a few people and say "Insert this code
so we can freeze the transactions of $VILLAIN_OF_THE_MONTH at any time."
There's many more possibilities now.

~~~
eatitraw
> There are plenty of rational players who would desire the downfall of
> Bitcoin.

Then game theory is pretty useful model. Players are rational, after all.
Thats what's game theory is about.

> Governments may not want currencies they can't control.

Makes perfect sense. But we're discussing 51% attack. Would a miner with 51%
of hashrate willingly help a government(and why would he)?

Or, would a government simply try to legislate bitcoin out of existence? I
would say that the latter is more likely than the former.

> And now that there's a single pool with >51% of the CPU power, the
> difficulty of a hostile takeover just went way, way down.

Remember, it is not a single entity. It is a pool. And, in fact, ghash.io
share is down to 39%.

> all the CIA has to do is threaten a few people and say

I do agree with this point. One of the strongest points of bitcoin is
decentralization. We should keep bitcoin as decentralized as possible. But I
would say ghash.io having 51% is a minor obstacle.

~~~
KingMob
> Then game theory is pretty useful model. Players are rational, after all.
> Thats what's game theory is about.

Sorry, I wasn't clear enough. My argument is that the people citing game
theory as a reason Bitcoin players had an incentive to avoid a 51%+ scenario
kept assuming that all players wanted Bitcoin to succeed.

(However, as a former cognitive neuroscientist, I think it's mistaken to
assume that people always act rationally. Check out the literature on the
ultimatum game or anchoring effects in prospect theory (for which Kahneman got
the Nobel prize) to see examples of people acting irrationally in a sytematic,
biased way.)

> Would a miner with 51% of hashrate willingly help a government(and why would
> he)?

Who said anything about being willing? My example suggested threats, which is
way more likely than cooperation.

> Remember, it is not a single entity. It is a pool. And, in fact, ghash.io
> share is down to 39%.

Yes, but the people running the pool have the keys to the kingdom as long the
pool members don't know. So, more subtle perversion has a good chance of
lasting a while, while gross manipulation is more likely to cause pool members
to switch.

------
dperfect
These discussions seem fairly relevant now:

[https://bitcointalk.org/index.php?topic=393815.0](https://bitcointalk.org/index.php?topic=393815.0)

[https://bitcointalk.org/index.php?topic=399313.0](https://bitcointalk.org/index.php?topic=399313.0)

"...if every bank vault in the world had a vulnerability that you (and only
you) could exploit, possibly without detection (or at least with a degree of
deniability)... what would you do?"

Most people wouldn't immediately do the (irrational) thing and abuse that
power on a large scale because obviously, the global instability/problems
would outweigh the rewards.

"Sooner or later, if given the opportunity to take unfair advantage of the
system day after day, month after month, I think a lot of otherwise
"trustworthy" people/organizations will end up giving in, albeit in subtle
ways at first. Most people left to their own devices wouldn't flip a switch
(for a reward) to immediately contaminate all of the world's fresh water at
once, but if given a million switches each of which contaminates just 1
millionth of the world's fresh water for a substantial reward... I think
there'd be some serious switch-flipping going on."

The problem with Bitcoin (as described in the original Bitcoin paper) is that
Satoshi apparently didn't account for the very real likelihood of pools
gaining substantial amounts of power.

"If a greedy attacker is able to assemble more CPU power than all the honest
nodes..." sounds like a very remote possibility in the context of a world
where every miner operates independently, and if pools didn't exist, it
probably would be very unlikely. If every miner truly controlled his or her
own mining power, I doubt we'd ever run into this problem.

~~~
chez17
"...if every bank vault in the world had a vulnerability that you (and only
you) could exploit, possibly without detection (or at least with a degree of
deniability)... what would you do?"

I think this completely ignores the fact that messing with the block chain
would seriously screw over all the miners that are choosing this network for
monetary reasons. Your analogy is flawed. Basically, it's more like "if every
bank vault in the world had a vulnerability that you (and only you) could
exploit, and you spent tons of money to get that vulnerability, and exploiting
it would make all your money worthless, what would you do?" That's more like
the actual situation here.

~~~
dperfect
... except we should remember the fact that exploiting this power is not an
all-or-nothing choice. Some have shown that double spends and other abuses of
this kind of power have already happened, yet Bitcoin survives. As long as
someone can exploit this in small ways and get away with it (without causing
total collapse), they will have an incentive to continue. And the short-term
gains (converted to value that doesn't depend on Bitcoin's future) for that
person/entity may be much more attractive than the threat of eventual collapse
when their little game is up (and the masses start jumping the Bitcoin ship).

Also, the pool operators (who have the ability to exploit this power) have not
really spent large sums of money themselves. They have power because ignorant
minors are essentially handing over their vote to the pool operators in
exchange for convenience and low variance.

------
xkarga00
GHash.IO hasn't 51% of total network power anymore

[https://blockchain.info/pools?timespan=24hrs](https://blockchain.info/pools?timespan=24hrs)

~~~
StavrosK
How did that happen?

~~~
tlrobinson
Same as always, miners realized GHash had 51% and some subset of them moved to
a different mining pool.

Tragedy of the commons averted, for now.

------
Dylan16807
>There's no evidence the anonymous operators of GHash exercised any of those
abilities.

Which means it didn't happen. It would be blatantly obvious to watch whenever
GHash was mining on the 'wrong' chain to try to make it win. Even if GHash had
80% of the mining power, about one in 25 blocks would see non-GHash miners win
twice in a row and unarguably expose this behavior as GHash ignored them.

~~~
sillysaurus3
And when it does happen? (It's a when, not an if.)

I don't think people will like their financial system unfairly tampered with.

People say, "Why would Ghash do that? They profit from the system they'd be
manipulating." Well, so did Mt. Gox, and it didn't stop them from manipulating
it anyway.

~~~
Dylan16807
Why is it a when, not an if? It would hurt their ongoing profits so much to do
it.

But to answer when, I'd say probably after getting at least 60 percent of the
network to control it comfortably without instability and slowdowns.

------
rlpb
So what's an individual miner's incentive here to continue mining with a pool
that has 51%? If he wants more security in his own mined bitcoins, then surely
he has an incentive to switch to another pool?

Why is GHash so popular to miners?

~~~
pakitan
Tragedy of the commons. It may be bad for bitcoin as a whole but it's
beneficial for that single miner because bigger pool means less variation of
miner's income.

~~~
mpyne
In addition there's also the less rosy issue that _if_ G.Hash becomes more
powerful than the other pools and starts doing small-scale theft or other
activities, it's safer for _your_ money to "pick the winning team".

------
oelmekki
Well, for the sake of theory, it's a good thing to think about what the most
powerful person in the bitcoin ecosystem could do bad.

But please, don't stop here. What the most powerful political leader in your
country could do bad ? What the most powerful economical leader in your
country could do bad ?

"Power" as a concept is something that would need deeper inspection by
everyone, and should probably be dissolved as much as possible (that's the
point of democracy). If 51% attack scares you, push your reasoning to its
ultimate point.

~~~
krapp
I don't believe democracy is about decentralizing power, so much as
decentralizing the means of potentially taking and exploiting power. Or maybe
only in practice, versus theory.

That seems to be one of the fundamental paradoxes in the anarchistic ideal of
Bitcoin - that implicitly, collective action to centralize and exploit the
system is a perfectly legitimate act within its framework, if you can get away
with it.

~~~
mpyne
> That seems to be one of the fundamental paradoxes in the anarchistic ideal
> of Bitcoin - that implicitly, collective action to centralize and exploit
> the system is a perfectly legitimate act within its framework, if you can
> get away with it.

I'd say it's more a libertarian ideal. You'd have the same idea in an actual
anarchy of course, except that rolling up all the communes by force wouldn't
be considered legitimate just because you're able to do it.

------
scotty79
Why people won't change the pool to some other pool that doesn't take fees?

~~~
pmorici
Some people believe, wrongly, that being with the bigger pool reduces their
earnings variance and increases their earnings.

Someone on reddit went and did a Monte Carlo simulation to show them that that
really wasn't true so long as the pool had at least a few percent of over all
hashing power and that any risk to the BTC price from the negative perception
of a 51% attack was far costlier than the couple tenths of a percent you might
get by going with the largest pool.

[http://bitcoinswitzerland.wordpress.com/2014/06/15/miners-
lu...](http://bitcoinswitzerland.wordpress.com/2014/06/15/miners-luck-
smoothing-excuse-does-not-hold-up-to-scrutiny/)

~~~
jsmthrowaway
Wait, it's wrong to correlate pool size with steady income, but the simulation
correlated pool size with steady income? If you need a few percent to
guarantee steady income the base assertion is not wrong.

~~~
pmorici
People were trying to say that there was a big difference between mining with
a large pool vs the largest pool and what that guy showed is that once a pool
is big enough 3%+ any variance due to the size difference is negligible
compared to other considerations.

------
sciguy77
"So-called 51 per centers, for instance, have the ability to spend the same
coins twice, reject competing miners' transactions, or extort higher fees from
people with large holdings."

Woah, can someone please explain why this is?

~~~
patio11
The blockchain with the most blocks in it becomes the consensus blockchain. If
you build a blockchain higher than the existing blockchain without building
off of it, the One True Bitcoin Client will anoint your chain as the true
chain. Only the true chain happened, from the perspective of the bitcoin
client. Non-consensus chains mean nothing.

A chain losing consensus can happen retroactively (and by design does,
frequently), but shouldn't after about 6+ confirmations (~1 hour of work by
the network) _unless_ you control a lot of power and are willing to secretly
build a competing chain starting from a point in the past and build past the
existing consensus chain. If you are willing and capable of outrunning the
network for sustained periods of time, you can rollback the history believed
by the network and replace it with a history which includes only those
transactions which you think _should_ have happened.

For example: did you pay your rent an hour ago? Did your landlord accept your
payment after an hour and send it to Bitstamp, thereby getting money? Did
Bitstamp then allow people to withdraw it? _Psych._ You remember that
happening, but the Bitcoin consensus now says that the _Bitcoin_ half of all
those transactions never happened.

You could, for example, announce "Apropos of nothing: we find that
transactions with 1% fees [paid to the miner of the block] are pleasing to the
Bitcoin gods and are only willing to include them in our blocks. BTW, we will
also rollback history periodically for the hell of it. If you want your
transactions to survive rollbacks, take note."

------
po
The thing that surprises me the most is that people were seemingly ok with a
player having any large percentage of the network power.

The new development seems to be that one player is _verifiably_ controlling
51% of the market. This doesn't mean that two pools who each had 30% couldn't
have colluded outside of the network to control it beforehand. I've seen
people trying to persuade people not to join the most popular pool but this
seems like a more fundamental problem.

------
lifeisstillgood
Distributed trust systems _ought_ to work because we love the idea, but there
is always the chance we shall find that anonymity is not such a good thing for
trust.

I see no particular reason why bitcoin addresses should remain anonymous in
the future, making the impact of this power less, but still a fix to the
protocol or a lot more miners will be preferable.

I would love to know if this is because the GHash pool has grown (through
presumably investing 2012/13-bitcoin profits into hardware) or if it's because
others stopped hashing.

~~~
bdcravens
_if this is because the GHash pool has grown (through presumably investing
2012 /13-bitcoin profits into hardware)_

It has grown, but not because of Bitcoin profits. cex.io is probably the
easiest on-ramp to mining, and all miners are pointed at GHash.

------
PhasmaFelis
That's funny, I thought we are all told quite vehemently that 51% control was
ridiculous and would never happen.

~~~
ZenPro
This ^

The most complete and accurate statement on the entire thread.

------
Tycho
Is this really true?

So basically any government or any wealthy individual (or maybe even anyone
with a botnet) could easily muster enough computing power to destroy Bitcoin?

I thought by this point the amount of computing power required to do that was
supposed to be ungodly...

~~~
polemic
Compare the sort of user hardware that a botnet will typically control, vs the
hardware that specialist miners run, and you'll see why botnets don't have
much chance of upsetting the network. You might earn a few coins, but you'll
never take 51%:

[https://en.bitcoin.it/wiki/Mining_hardware_comparison#Intel](https://en.bitcoin.it/wiki/Mining_hardware_comparison#Intel)

------
bdcravens
It's worth noting that for much of yesterday the parent of Ghash, cex.io, was
DDoS'ed. Is this a good thing? Maybe it makes Bitcoin seem more self-policing,
or maybe it makes it the currency of scary hackers.

~~~
JacobEdelman
I can't really think of a scenario when DDOSing would be responsible policing.
If that kind of tactic becomes common it can set up the exact type of
aggressive struggle we don't want a 51%er in.

~~~
A_COMPUTER
This could be argued is a side-effect of the anarchic, decentralized nature of
Bitcoin. If you have a problem with another operator, you may not have any
legal, civilized means of achieving redress, so (virtual) "violence" may be
your only practical recourse. There may be a moral in here about the nature of
voluntaryism. I'm a bitcoin booster but these are real issues that need to be
thought about.

~~~
mpyne
> If you have a problem with another operator, you may not have any legal,
> civilized means of achieving redress, so (virtual) "violence" may be your
> only practical recourse.

It would be less depressing if these real issues were novel; but they were
written about by authors as far back in time as Hobbes.

------
jokoon
the more bitcoin news, the more I'll stay away from it.

------
dang
Discussed at length recently:
[https://news.ycombinator.com/item?id=7890215](https://news.ycombinator.com/item?id=7890215).
Unless the present article adds something of substance, I think we have to
call it a dupe.

Edit: so many people are upvoting this that we'll unbury it.

