

Compromise Bitcoin for just $1.2M - matt2000
http://matthall2000.tumblr.com/post/48520639291/can-the-bitcoin-blockchain-be-compromised-for-1-2m

======
PaperclipTaken
This may seem cheap, but there are already many, many orders out there for
ASIC, and all of the factories are backed up. Butterfly Labs only recently
released models that have been on order for many months (I want to say greater
than 6). If you put down $1.2 million, it could be months before you got your
machines and by then you would no longer control 50% of the mining.

This dollar amount is also particularly low because ASIC technology is new -
most people who have put money into ASICs aren't even mining yet. Once the
technology is settled in, controlling the block chain will become more
expensive.

Furthermore, the number of things that you can do while controlling the block
chain is actually really limited. You still can't spend other people's money.
You can prevent people from spending money, but you can't make them spend
money. You can double spend yourself, but if the bitcoin community was aware
that someone was manipulating the block chain, they would be much more careful
about accepting transactions from new wallets, and would reject all
transactions from a wallet they knew was controlled by the double spender.

Furthermore, if you did take control of the block chain I personally would
dump a few thousand into miners myself, to help regain control of the system.
I'm sure that I'm not alone, and the act of bitcoin users simply 'fighting
back' may be enough to minimize your control of the market.

And finally, as other people have stated, you can always change the hashing
algorithm. Most people use 1 bitcoin client. In fact, this client once had an
update that caused an error and forked the block chain and allowed at least
one person to double spend $10,000. In the event of a major crisis, there
would most be enough bitcoin users willing to fork the block chain that you
could indeed get a new hashing algorithm designed to be incompatible with the
attacker's hardware. The choice is between that and watching your 'distributed'
currency fall under the control of a tyrant.

Someone taking control of the mining process IS a risk, and there are some
powerful things you can do with that (like mine 100% of all the new bitcoins,
taking control of the supply, and double spending, and rejecting transactions
by others), but it would probably take a lot more than $1.2 million dollars
because people would fight back, and you are still at risk of the rest of the
community forking away from your control. That said, you could still do
terrible damage and the price would probably plunge, and you may be able to
double spend millions of dollars before enough people noticed to start
rejecting your transactions. (are there even millions of dollars worth of
things you can buy? and would you have to worry about a government getting
involved because you committed financial crimes?)

And even if you manage to maintain control, all that will happen is people
will stop using bitcoin until you let up. It's much like a DDOS. It takes
power (electricity) to maintain that much computation, and the longer you
maintain control, the less bitcoin will be worth.

Edit: I want to add that the scariest attacks only happen at 50% control. At
40%, you can only double spend -sometimes-, and I don't think that you would
be able to block transactions at all. Furthermore an organized network (and
there is much debate about how organized bitcoin could get, after all it is
designed to be distributed) could undo any double spending and you would be
limited to slowing bitcoin down. At 20% market power, the probability of you
achieving a double spend or undoing some transactions is very small.

~~~
bitcoin-fool
I agree it would take a long time and be unlikely for a single ASIC-purchasing
party to reach 50%. Another organization, an ASIC-datacenter-hoster, could do
it.

BFL has an "ASIC hosting program" where those purchasing more powerful BFL
machines can put their machines in an affiliate datacenter. There is real
incentive to have one's ASICs hosted there, especially given that power
requirements are 6-7 times originally forecast (one needs commercial space to
run these now), and that this new hardware has an unknown failure rate and a
real tangible cost to not working. The hosting center provides direct
maintenance from BFL personnel, so one's machine shouldn't be down for more
than a day or two for any failure. _I wouldn't be surprised if a majority of
BFL ASIC purchasers opt to host their hardware in this datacenter._

The hosting program could lead to the mining pool (the default option is for
your BFL ASIC to join the mining pool) at the datacenter having > 50%, under
complete control of the affiliate datacenter.

<https://news.ycombinator.com/item?id=5584783>

------
wladimir
I don't expect this to happen, ASICs will be pretty widely distributed before
anyone can pull this off. However there is a contingency plan for when this
happens: switch the hashing algorithm (for example to scrypt, or something
memory hard w/ lots of random flow control). This puts all ASICs out of the
game at once. Miners will not like it, but if the other alternative is a non-
functioning currency, they will likely cooperate.

~~~
dualogy
> switch the hashing algorithm

OH boy now _this_ is interesting -- to an outsider like me, explain who would
decide this? Some central committee? The source-code "custodian"? Will BTC
fork at that point so every holder can "vote with their (pardon) dollar" but
would also need to bet on everyone else's choice?

~~~
nightpool
Changes to the Bitcoin protocol can be ratified by a majority of miners, in
the same "longest blockchain" method.

~~~
deepblueocean
This is a common misconception, I think. If you try to model the protocol
economically, it's pretty clear that it's a majority of currency holders (what
the core developers call an "economic majority"), not a majority of miners
that matters in determining whether a protocol change is valid.

Exercise for the reader: determine whether these sets are different in a
meaningful way.

~~~
dragonwriter
> This is a common misconception, I think. If you try to model the protocol
> economically, it's pretty clear that it's a majority of currency holders
> (what the core developers call an "economic majority"), not a majority of
> miners that matters in determining whether a protocol change is valid.

Actually, it's neither, if you really think about it. Currency users (in
exchange) are more important than either miners or holders (with the caveat
that you need some number > 0 of miners to validate exchanges) to whether a
protocol change has economic effect, but once some group adopts a protocol
change, what you have is a fork into two separate currencies until a consensus
is achieved.

Passive currency holders have little driving force in this; currency users are
the main driving force, because wherever it's being used is where it will have
value. Miners have some force because without some of them, the system
collapses.

And among currency users, the ones that matter the most are the ones that
_accept_ bitcoin for goods and services, not the ones that spend it. (In the
"steady state" those should be approximately the same, but as long as mining
is still producing coins you can have miners/spenders that aren't accepters,
and even in the steady state you could have people who inherit hoards and
slowly deplete them as users that aren't accepting.)

------
NamTaf
In comparison, Amazon EC2 offers GPU clusters for $2.10000/hr [1]. Each
cluster contains 2x M2050 Fermi cores [2] which each put out ~80MHash/sec [3].

To get the requisite 64686 GHash/sec, you'd need to spin up 404287 of these
things, which costs you $849000/hr. This is of course assuming Amazon has
400000 instances of the GPU compute clusters.

The cheaper alternative is to utilise spot GPU instances, costing only
$0.346/hr [4]. At that price, it's $139900/hr or so. I am willing to bet that
they do not just have 400000 spare GPU instances laying around unused,
however.

All this was purely academic, but it kind of amuses me that for a theoretical
$140000/hr, you could hijack bitcoin as it is currently.

[1] <http://aws.amazon.com/ec2/pricing/>

[2] <http://aws.amazon.com/ec2/instance-types/>

[3] <https://en.bitcoin.it/wiki/Mining_hardware_comparison>

[4] <http://aws.amazon.com/ec2/pricing/#spot>

~~~
raverbashing
"To get the requisite 64686 GHash/sec, you'd need to spin up 404287 of these
things, which costs you $849000/hr."

Really, I don't think even Amazon has enough of this hardware. And AFAIK these
(GPU clusters) are not virtualized.

Makes me wonder what happens if you have a cost advantage in taking the
cheapest PC hardware and plugging high-end GPU cards (beyond ASICs)

------
drcode
Keep in mind that a plan like that would take, at best, half a year to put in
place. In that time the amount of ASICs in existence will already be far
higher than it is today (I would guess at least three times what it is at the
moment.)

~~~
polarix
3x? More like 300x, I'd say. Once the first few roll out of BFL these things
will be coming online as fast as you can say "money press".

~~~
consz
That assumes BFL won't just run off with all the money.

------
mjn
If the bar is that low, this does suggest that, contrary to some conspiracy
theories, governments aren't really out to destroy Bitcoin, since they
could've done so by now if they had really wanted to.

~~~
DanBC
There are other things they could be doing.

Bitcoin isn't intrinsically anonymous, so maybe they're just keeping an eye on
anyone not being anonymous.

Wait until someone sells polonium or uranium on Silk Road to see if Tor /
Bitcoin stand up.

~~~
polarix
Correction: bitcoin is only "not anonymous" if the transaction history network
contains a contact point with the physical world, that is, if some transaction
is associated with a physical good shipment or traditional world identity.

~~~
DanBC
Bitcoin is not inherently anonymous. Users have to do stuff to be anonymous
when using Bitcoin. To say otherwise is wrong and dangerous.

(<http://www.newscientist.com/blogs/onepercent/2011/07/bitcoin-is-not-inherently-anon.html>)

(<https://news.ycombinator.com/item?id=2800790>)

(<https://en.bitcoin.it/wiki/Anonymity>)

(<http://anonymity-in-bitcoin.blogspot.co.uk/2011/07/bitcoin-is-not-anonymous.html>)

------
fosap
AFAIK you don't need much computing power, you just need to be lucky to be the
first one to solve the problem and create a new hash. In case you have lots of
tries even a 0.05% chance every 10 minutes might be enough.

Not sure if I make a mistake here, but it seems to be easy.

0,5 < (n choose 1) * (1-0.0005)^n

0,5 < 1 * (1-0.0005)^n

log(0,5)/log(1-0.0005) < n

1385.95 < n

13860 minutes < 10 days

So a 50% chance in 10 days. If you have a 0.05% of the computing power of the
whole network.

------
rheide
I'm not sure there's $1.2M worth of ASIC hardware made yet. Also, for that
amount of money you could do a lot of malicious things, even to traditional
banks.

~~~
betterunix
"I'm not sure there's $1.2M worth of ASIC hardware made yet."

I am pretty sure a large government could make its own ASICs...

~~~
joezydeco
You don't think the NSA could free up a few machines and have a couple of
Terahash/Sec available in a weekend?

------
bayesianhorse
There is probably no business case for such an operation. To benefit from an
extreme price crash you either have to short bitcoin or buy a ton of stuff
with it. In the latter case it is hard to imagine a merchant honoring such
orders if he is not convinced the blockchain is sound.

As for shorting bitcoin... It's certainly not impossible. But shorting a few
million dollars of Bitcoin? If this is done in any kind of trading account
(without the money being physically in the hand of the attacker), the trading
institution would probably be out of business because of the price drop
anyway, before paying the profits to the attacker...

For everyone else... You shouldn't have more than 20 BTC on hand anyway.
Preferably a lot less, depending on the rest of your portfolio. In these cases
any price drop isn't going to wipe you out and the network resumes normal
operation.

------
bitcoin-fool
See <https://news.ycombinator.com/item?id=5585166> for information on BFL's
hosting program. It's likely that BFL and affiliate datacenter personnel will
control > 50% of the bitcoin hash rate at some point. Here's my comment on
that thread ...

--

BFL has affiliate data centers where those purchasing the more powerful BFL
machines can have their systems hosted, for a fee. The default option: "Your
hosted units will be added to a mining farm and you will be paid out regularly
based on their collective output." Datacenter and BFL personnel will be
monitoring the machines for defects and maintaining them. The hosting option
makes sense for new untested hardware like this ...

So, it's likely the BFL datacenter mining pool will control > 50% of the
bitcoin hashrate at some point.

------
free652
And of course you forgot that the difficulty would increase?

Who sells ASICS 66GH for $1250? That page is outdated.

Avalons are going for 72BTC that's over $9000

~~~
kolinko
Well, the difficulty increase wouldn't stop an attacker having >50% computing
power. Only switching the algorithm would (assuming the attacker would use
ASICs)

------
kaoD
This would not disrupt Bitcoin for too long. I'd just move the blockchain to a
different algorithm and BOOM your ASICs are worthless and Bitcoin will still
go on.

$1.2M will shut down Bitcoin for, at most, a couple days... and then you're
left with a bunch of useless ASICs.

And all that assuming that nobody else will get ASICs, which will make the
attack more expensive.

It's just not worth it.

~~~
Drakim
Don't you have to get all other bitcoin users to also migrate over to this new
algorithm?

And even if it's just down for a couple of days, that's terrible. Bitcoin is
still pretty small in the grand scheme of things, but imagine if regular money
stopped working for a couple of days.

~~~
kaoD
Miners WILL switch (for their own benefit). Something like this has happened
before[1] (though the mining algorithm didn't change) and the community did
cooperate. Some miners will be happy about it, especially the ones with GPUs
which will be thrown off the game once ASICs arrive (and will get back in the
game once ASICs are killed).

Well, if I can get a government to spend $1.2 M just to shut down a currency
for a couple days, I guess _we won_ (especially hardware manufacturers).

Also: Bitcoin will never replace regular money, and it isn't meant to.

IMHO this attack will not kill Bitcoin, only ASICs.

[1] <http://bitcoin.org/chainfork.html>

~~~
swinglock
The algorithm was not replaced, then it wouldn't be BitCoin anymore.

<https://en.bitcoin.it/wiki/List_of_alternative_cryptocurrencies>

~~~
kaoD
It will still be Bitcoin, with a different algorithm... Bitcoin is not just a
protocol and some algorithms behind it.

Bitcoin is a community and a currency. Your Bitcoins will still be called
Bitcoin, you'll have the same wallet and the same number of BTC in your
accounts. The webpage will still be www.bitcoin.org and we'll talk in #bitcoin
as we used to do.

Changing Bitcoin to scrypt will not magically turn Bitcoin into Litecoin.

This scenario has been envisioned before. Nothing new here. Bitcoin will
prevail.

~~~
rubinelli
I think the fact that Bitcoin is a community is its main problem. Miners have
acted altruistically a few times in the past, but as the pool grows, getting
them to do anything beyond the Nash Equilibrium will get progressively harder.

Bitcoin may prevail, but it will have to go through a painful 2.0 evolution at
some point.

~~~
kaoD
Economic majority will ALWAYS win by definition.

~~~
rubinelli
And a smart agent with enough resources can lead the economic majority like
lemmings down a cliff once it reaches a certain size and becomes dumb.

While your miners are mostly hobbyists that you can access via Skype, it's
easy to say "hey guys, let's stop this chain and switch to that other one."
Once you have large companies with dedicated ASIC racks in the game, and any
change that could impact the short-term bottom line has to go through four
levels of management, you are SOL.

------
kalleboo
That's assuming you could get your hands on ASIC hardware. None of it has
shipped to customers yet, and once it has, the difficulty will skyrocket.

~~~
asdfaoeu
It has, but only that first batch. The author also makes the mistake only that
first batch sold at that rate, the new batch is priced at 75btc.

Interesting to know how much it would cost to build your own machines only
reasonable solution at this time.

~~~
jpdoctor
> _Interesting to know how much it would cost to build your own machines only
> reasonable solution at this time._

Finger in the air calculation: $3-4M. Assumes knowledgeable designers, and
good ops people with decent offshore assembly experience.

None of this is particularly difficult from the standpoint of a VLSI. The
issue is that profitability is questionable: If you're successful, you pretty
much destroy the economic niche that forms your customers.

~~~
jpdoctor
Whoops: s/VLSI/VLSI designer/

------
jordanbaucke
If you wanted to damage/degrade BTC with $1.2 million I think the "smart
money" wouldn't be investing in the custom hardware to compromise it - but
instead to flood the markets with liquidity. BTC is still so thinly traded
that a million dumped in pieces could have a serious destabilizing effect. Not
that reducing price was the actual subject of the topic but...

------
awestroke
I think longest blockchain attacks only apply to double-spending, so you still
can't "compromise" coins that are not your own

~~~
emiliobumachar
If a few agents start double-spending, that creates a strong disincentive for
anyone to accept bitcoin at all, which can doom the entire currency.

------
narcissus
Assuming nobody else buys any of this hardware too. That's how I see this
anyway. All of these theories assume that nobody else is going to try and do
the same...

