When Bitcoin was running up to $20,000, I tried to analyze the system and come to a personal conclusion about its equilibrium value, because I didn't want to miss out if it really was the currency of the future.
I ended up not investing, because of the possibility of a double-spend attack. I think that cryptocurrency enthusiasts are seriously underestimating the importance of double-spending attacks to the economics of bitcoin and other cryptocurrencies.
A few points that convinced me not to put my money into this system:
If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack. There is no equilibrium point for transaction fees where this attack becomes uneconomical. The only defense is that the market for hash capacity is imperfect.
The market for hash capacity is going to become more efficient over time. ASIC miners will be commoditized, so that hardware investment becomes a much smaller factor in hash cost versus energy. This might be even worse during a bitcoin downturn, because there could be a glut of ASIC miners.
Miners will coordinate with market prices, turning off capacity when the price dips (for example, because someone is underbidding to create a 51% attack). If mining becomes more decentralized, it will be harder for miners to act in their common interest (fending off 51% attacks) and against their immediate interest (selling their hashrate to the highest bidder, or taking it off the market during an underbidding attack).
High transaction volume is not necessarily any help - the more transaction volume, the higher the cost of the attack, but the greater the rewards. The semi-anonymous nature of bitcoin means that one could easily flood the network with double-spend transactions. Attacking a huge network like bitcoin would be an audacious and expensive act, but there are certainly organizations with the resources to do it, e.g. intelligence agencies, organized crime. The massive rewards to such an attack also offset fixed costs such as writing and testing the software to carry out the attack.
I think the argument is that by doing a 51% attack you undermine the market value so you never get the rewards. This makes sense, but only for the leading crypto coin. As we see here today, you can 51% attack smaller coins, which should imply an increase in the value of Bitcoin from consolidation.
The spooky thing this made me realize is that if anyone did find a vulnerability in bitcoin (or any cryptocurrency), they would have a greater incentive to only slowly leech off the system, because they will be able to siphon out much more over time than if everyone panics over security. The weapon is no good unless it's secret.
My assessment is that the greatest vulnerability in Bitcoin is its breathless supporters, who will look past the dynamics of Bitcoin in adoration of the mechanics of Bitcoin. To that end, larger, more sophisticated enterprises (banks, hedge funds, etc) are likely leeching slowly off the system, propping the price up and inflating it when they can, so they can extract as much value as possible out of its correction to a value commensurate to its utility. Every other technical vulnerability, notional or demonstrated, is at least an order of magnitude harder to exploit.
I think the split you draw between people looking at Bitcoin-the-real-thing and people adoring the machinery is an excellent one.
If you look at the original paper, it's pretty clear that Bitcoin was meant to be peer-to-peer electronic cash: https://bitcoin.org/bitcoin.pdf
In practice, it has failed at this aim. I don't think that was necessarily so; plenty of things start out rough and become more useful over time. But the mechanics-adorers I've talked with seemed willfully blind to all the practical issues. We can't fix problems we refuse to see, so Bitcoin has preserved its machinery at the expense of fulfilling its vision.
They have succeeded wildly in providing accommodation for conference-goers. At the last conference I went to, many people were staying in AirBnBs and even coordinating to share them.
They succeeded by expanding the mechanism to support actual discovered user needs. Which is what Bitcoin signally failed to do.
Is bitcoin becoming a store of value really as obviously better for it than AirBnb becoming a more general accommodation provider? If not, it's not really a fair comparison.
Besides, AirBnb didn't even fail in providing accommodation for conference goers with included breakfast. It still works perfectly in its original intended use.
Airbnb is a business. Its "aim" is to grow and make money.
Bitcoin was a political experiment before it was a technological one. You don't pivot political beliefs the way you pivot a business. The technological experiment is still ongoing, but the political experiment has failed its goals.
Airbnb is a service, where bitcoin is a commodity. I don't mean to imply you are wrong. I simply mean that there may be an even more interesting parallel out there where a commodity is no longer being used in its originally intended way which may support bitcoin's evolution of purpose.
Its structure and behaviour much more resemble a commodity than they do any other asset class; it is basically digital gold. The CFTC agrees and considers itself the responsible regulator.
With the important distinction that it's not an economically useful commodity. Sure, the CFTC regulated it, because their remit is one of the broadest. So you could call it a commodity by default. But it's not like you could make jewelry or breakfast cereal from Bitcoins in the same way you could use commodities like gold or wheat. So it's arguably more like a gambling instrument than any real commodity.
Personally, I wouldn't. Most people don't want digital cash for the same reasons they don't use real cash: your risk of theft is higher, it's not as convenient to use, transactions can't be reversed, and you lose a lot of buyer protections.
I use technology to solve problems for people. The few niches Bitcoin has found (e.g., speculation, money laundering, ransoms, light drug crime) are not really what I would call solving problems for people.
Your personal opinion on cash is irrelevant to the subject. Cash has properties you say you don't want. Some people might and do want them. Just have a look at the relationship between Germans and cash.
Bitcoin has properties similar to cash to a large extent. It was not technically possible before its invention, and as such it has a real intrinsic value (don't ask me to quantify it).
It wasn't my personal opinion. In the US, the use of cash is below half of personal transactions and has been declining for years; most countries are similar. I personally am more like the Germans here, but I recognize that I'm an outlier.
Regardless, your point doesn't make a lot of sense, because many Germans surveyed on this say they use cash because it gives them better control over spending and more clarity as to where their money goes. Bitcoin is in no way superior to a debit card in that regard.
The value of new possibility isn't really intrinsic; you measure it through seeing if people actually use it. With Bitcoin they mostly don't, which suggests that it is at best more useful to a small slice of people.
I see so many red flags with Bitcoin that it amazes me that it still has its backers.
There would seem to be organizations (states?) that can wield tremendous resources to mine Bitcoins. I would think this would devalue the currency and, as is so often the case in life, fuck over the little people.
Never mind the insane amount of actual energy resources needed for this virtual currency. It almost seems immoral.
And with exploits like the one in this article, how can anyone continue to have confidence in it? It feels more akin to Confederate money printed during the U.S. Civil War.
The mechanics would be the internal workings, a tamper-proof shared ledger. It's so amazing! Think of all the possibilities!
Then it hits the real world, and suddenly what people actually do with it and its valuation is dependent on how the exchanges operate (are exchanges even mentioned in the original paper?), energy prices in China, media coverage, interactions with alt-coins, etc.
You seem to assume that the greatest feat of Bitcoin is its price. Yes, sure the price might be affected (somewhat) by how exchanges operate and how the media covers it. However, many people don't care too much about the monetary price, and play the long game. In the long run, the market always adjusts. In the end, it is the same with any other commodity or currency.
Mr. Bachman, with all due respect, I would argue that the majority of people proclaiming they don't care about the price are bluffing. Perhaps even bluffing themselves. Bitcoin's price increase has far outpaced its adoption or disruption of the financial system.
Everyone who decides whether to keep their dollars instead of spending/investing them (or even to borrow and be short dollars) does care about the future value of one dollar.
In loaves of bread, in liters of milk, in months of rent, gigabytes of internet, square feet of land, kilowatts of electricity; in i7s and shitty steam games and iPhones. I care about the price of 1 dollar in the labor I put in, and the goods I get out.
This is basically the plot of F. Scott Fitzgerald's The Diamond as Big as the Ritz, which takes it to its logical conclusion (but I won't spoil it, it's a fun short read.)
Nah, you could short-sell Bitcoin. Take out a sell option, crash the value, buy cheap, then exercise the option. Information is valuable, no matter which direction it predicts the market to go.
An interesting thought, but in practice, trading derivatives affects the value of the underlying pretty strongly. Whoever is selling you those puts is selling bitcoin (or futures) to hedge, which would drive the price down as you try to put on your position.
With options, buying deep OTM puts won't result in an immediate impact on the underlying market because they have such low delta and market makers aren't going to move a lot of spot to hedge it.
The problem is that if you successfully rook put sellers in this way for some ungodly amount of money, they will never be able to pay out on your claim. Kinda like when all the big Wall Street Banks were caught out because AIG was threatening to go bankrupt and default on their CDS.
That sounds like a perfect trade. But doing something like that will paint a target on hacker/s back. So, slowly leaching is a much better idea than getting it in one shot.
Where would you buy a put (sell) option on Bitcoin (without substantial counterparty or settlement risk)? I genuinely want to know. I would have bought one in November if I could have.
If you had a strong interest in Ethereum (for example), then I think you'd want to avoid the wholesale destruction of Bitcoin. If the biggest crypto currency fails, it'll probably send shockwaves throughout the entire crypto currency market.
Mind you, I say this as a crypto currency outsider.
> If you had a strong interest in Ethereum (for example), then I think you'd want to avoid the wholesale destruction of Bitcoin. If the biggest crypto currency fails, it'll probably send shockwaves throughout the entire crypto currency market.
That's true as long as cryptocurrency itself is seen as fringe; it's less true if cryptocurrency becomes generally accepted.
Of course, a nation-state or other actor interested in preserving the role of fiat and keeping cryptocurrency on the fringes is also a possibility.
No it would not. Finding a BTC double spend attack vector would be like finding a 0-day: good and maybe even profitable up until fixed, which would take hours, days at most. Have 0-days destroyed Microsoft, Android, Firefox, Electron or Chrome?
Microsoft, Android, Firefox, Electron and Chrome aren't currencies.
They have an underlying value/utility. People have a real, tangible need _outside of the use of those products_ to get them fixed. Can you say the same for a cryptocurrency?
Double spend isn’t like printing money on a printer.
It's more like being able to write two checks for your whole bank balance and having them both clear.
So very relevant are:
- whatever goods you bought with the checks need to be impossible to recall. So, like, you need to find (two) someones who will effectively cash your check. You can't buy a house because the police will come take the house back.
- you need to do it fast. The second you make the first transaction you need to fork and start mining hard. 51% gives you a speed advantage, but it's very small. It still takes time to get the network to follow you.
Double spend is a very specific heist. Even if someone did it, it wouldn't mean Bitcoin is valueless, it would just mean a certain class of heist is somewhat more probable and people need to adjust their security practices accordingly.
Tricks like waiting for extra confirmations, requiring identification before accepting payment, etc, are easy remediations.
Second, if I went to a store spent 199 dollars and those 199 dollars magically reappeared in my hand, didn't I create money out of nothing and reduce dollar value? Yes I did. Even if I never cloned any money I reduce the expectations of future stores that their money won't magically disappear.
And yes, I am aware banks do this, but they are regulated and when they abuse it, you get a financial crisis.
So it's ok if your currency becomes unreliable for many hours? It would immediately negate the trust of what happened during that period of time, affecting the trust of any balance in participating addresses.
That's definitely not proof of real economic utility. How many bets happen in Las Vegas every day? But economically, they're negative-sum events exploiting cognitive weaknesses.
Entertainment can also have negative value. That's what the parent meant: your entertainment is provided by someone exploiting your gambling-addicted (and gambling may cause an actual addiction afaik, no less so than opioid addiction although based on different biochemistry) dopamine circuitry in order to extract actual (social) value.
They mainly provide addiction. Go to a casino sometime and look around. Do those people look like they're entertained? The slot machine zombies barely look human anymore.
You're also wrong about taxes. Consider my local taqueria. They buy raw materials and create value by making ready-to-eat food just when people are hungry. They receive cash in exchange, a portion of which they pay in taxes to fund the infrastructure their business depends upon.
That is positive sum for all participants. It has to be. If taxes tipped it into the negative sum category, they'd eventually close down.
I don't think you've followed through on that model of yours.
If you buy 50 dollars of taco materials, then the taco materials seller makes less than 50 dollars, because the state will charge a tax on him. If he didn't sell 50 dollars worth of raw materials, he would have 50 dollars of raw materials to consume, instead of less than 50 dollars.
On the other side, making the taco, you have the same issue: if you sell 100 dollars of tacos, and someone pays you 100 dollars for them, you then pay taxes.
You earn less than 100 dollars, and someone else lost 100 dollars. Repeat the process ad infinitum and your holdings go to 0. (assuming for simplification, any rate of positive taxation on income).
This makes no sense at all, and is not how business works.
Most economic activity is positive sum. When I'm hungry and on the go, a taco is more valuable to me than raw taco materials, so I pay more for it. Value has been created. The taqueria owner takes money in, pays their expenses, and is left with a profit. Taxes are paid out of that profit, and you could just as well model it as another kind of expense, a societal infrastructure fee.
An awful lot of casino gambling involves series of small stakes bets on low payout options which don't even meaningfully increase upside portfolio variance over time after the house edge has been taken out. Might still be rational from a utilitarian perspective if one really, really enjoys card games of course, but not from a portfolio allocation perspective.
Apart from weird edge cases where an actor needs to double their money overnight to return to solvency in order to have a chance of benefiting from an income stream in future, there aren't many cases where it makes sense from a portfolio allocation basis given the existence of non-negative expectation bets in other markets with a wide range of possible variances. The insurance and investment management industries are built on the principle that economic rationality works in exactly the opposite way to gambling: that inherent value exists in reducing risk.
300 million transactions in 9 years is ridiculously low compared to any "fiat" currency. Googling around I find a post that gives a lower bound for the number of debit card transactions in the USA alone as 47 billion for 2012 alone [1]. That's not counting the rest of the world and the other exchange media like cash or bank transfers. 300 million transactions is nothing. I mean, think about it, it's one single transaction for every person in the USA over the course of 9 years. Alternatively it's less than one transaction per year for the entire population of Canada.
Amazon alone probably handles more transactions over the course of a couple of weeks.
Gambling has way more transactions. LIBOR options have more transactions. Any actively traded stock has more transactions. None of those things are currency.
That's not buying anything with Bitcoin. You are converting your Bitcoin to USD and then purchasing using the traditional, centrally controlled financial system.
And that's not even considering the transactions fees it costs to get the Bitcoin to your account.
Then there are the transaction fees for using the card, which coinbase says is free "for now".
No. Someone is traveling to Europe, going to a restaurant and paying for the Euro-denominated beer with his US-based VISA and starting to claim that hey, cool, I paid for the beer with USD. You see, I lost a portion of my USD balance and gained a beer.
If you insist that the guy paid for his beer with USD, it is going to be very difficult to discuss anything, as the meanings of the concepts are so twisted.
It is quite obvious that using a credit card that then accepts BTC from you does not mean that you use BTC to pay for anything but your credit card bill.
It's more like saying you can't buy anything with gold.
Credit and debit cards are just a way of shifting dollars around. Bitcoin is more a commodity than a currency. Yes, you can convert gold or oil to dollars and buy things, but you can't walk into a store and give them some gold flake or a quart of Texas crude in exchange for a candy bar.
> Credit and debit cards are just a way of shifting dollars around
A credit card is shifting a line of credit, an intangible promise to pay, a form of trust, that happens to be denominated in dollars.
We can pretend it's just a balance of dollars, even though it technically isn't, because it makes conversations easier, and in practical fact that's how it appears to work. But that's just a shorthand.
We can use the same shorthand to say someone bought something with bitcoin.
There's no reason to demand perfect technical precision with bitcoin and no similar pedantic precision with lines of credit.
> you can't walk into a store and give them some gold flake or a quart of Texas crude in exchange for a candy bar
I think this is the best test. Here the guy has done that. He walked in with bitcoin and walked out with tacos. When you say that's not really what happened, it feels like a no true scotsman response.
It did not. He gave them dollars, not a quart of crude. That he might have a side deal with somebody else to trade beanie babies for dollars does not make beanie babies a currency.
Bitcoin is not a currency. Plenty of other things are true currencies, so there's no fallacy here.
Sure, you could also pay for your groceries with lead dispensed from a gun. But that's currently nowhere near broad adoption. It just doesn't meet the definition of "currency", though it will virtually always be current.
Shift isn't sustainable in its current form. They are temporarily not charging for domestic transactions. Since there is a cost for those transactions, there will eventually be a fee per transaction.
It's happened quite a few times after that. Consider the merchants who have been known to use fewer than the standard # of confirmations and what it takes to reverse or reuse those charges. For example, here is a blog post on one way to do this: https://blog.acolyer.org/2015/10/01/misbehavior-in-bitcoin-a.... If you want to search you will find that there are scripts to automate this type of action by constructing bitcoin transactions.
Also, consider ghash.io or the odd OKPAY double spends.
Credit card companies and banks can reverse the transactions, so long as they keep track of things in batches and have a strong backup system for their ledgers. So long as they're not SWIFT transactions that leave the country, and the country that's attacked has a strong/regulated inter-bank transfer system.
If a bank is critically hit so bad funds become impossible to correctly attribute to people (Fight Club type unrealistic scenario), at least in the US FDIC would probably come in to play. The bank might even have to be treated as a failed bank.
People wouldn't stop using banks, but they would stop using that bank.
> People wouldn't stop using banks, but they would stop using that bank.
I'd really like to live in a world where that's true, but I don't see Equifax going anywhere. PayPal does a form of this as well, except it's the central system and not a rogue actor that locks your money away. Well informed users avoid PayPal, but there appear to be many more uninformed users.
Neither of those things "are money" and they're all highly reversible.
A major hack against Visa would absolutely tank the value of Visa the company however, and if people who believed they were paid weren't made whole somehow then it would also tank the acceptance of Visa.
And it would be an ongoing devaluation without Visa being able to show they'd fixed the underlying flaw - which you can't with a 51% attack.
Don't underestimate how long it takes to deploy a fix to such a vulnerability. Any change in consensus (which this would be) is a hard fork, and deploying it without carefully coordinating months in advance is certain to cause chaos.
Why do you think a double-spend attack would be easy to figure out? It could rely on state of the art crypto attacks which aren't known to the general public, or some very obscure bug which has slipped past thousands of eyeballs.
You won't really be able to process a tx that low, you'll need to pay a tx fee proportionate to the number of bytes. 1 satoshi per byte is a good rule of thumb for a very cheap tx. It takes more than 1 byte to describe one satoshi, so you can't get your tx to propagate.
Theoretically the attacker could also be picking up 0-fee transactions, but my intent was to really say this: it doesn't matter how small a double spend is - the ramifications for the network are the same.
What about state level actors, say the NSA, that consider bitcoin supplanting the US dollar as the standard medium of international currency exchange a huge threat to the world economy? (or at least their ability to control it)
I think people need to be concerned that Governments, at any point in time, with their incomprehensibly huge computation power, can use it to crush bitcoin. Not only that but they can pass laws that allow them to forcibly seize the fattest wallets. Which ultimately ensures that the Government can, behind the scenes, kick the scaffolding out from beneath us. All I see right now is state level actors experimenting in this regard, because seriously, who single-handedly has the computation power to take control of these cryptocurrencies if it's not the government or a company like Google?
To the extent there is a legitimate threat to dollar supremacy, it is in the Chinese renminbi. The U.S. dollar is ascendant because of the huge base of American consumers, who buy stuff with dollars others then need to find investment for. Plain and simple network effects.
The RMB is not even fully convertible, it is the opposite of liquid.
The US dollar is useful to countries like China because the US government acts as a debtor of last resort, allowing them to park surpluses in treasuries.
> The US dollar is useful to countries like China because the US government acts as a debtor of last resort
Which ultimately derives from our mammoth consumption. If Chinese consumption eclipses America's and their economy rebalances, they will have lots of Chinese consumers buying goods with renminbi, leaving sellers offshore with boatloads of the currency to find investments for. (I consider this to be a moderate risk, and not one which would supplant the U.S. dollar but instead cause it to share the world stage.)
TL; DR Bitcoin is not a serious threat to the U.S. dollar. It promises huge profits to banks, which is why they're salivating over it.
Parking money in cash isn’t feasible, which is why much of the USD’s worth is in treasuries, the dollar is just incredibly liquid and easy to borrow/lend.
The Chinese government is not interested in filling this same role, even if now anemic Chinese consumption somehow picks up, they will probably still want to maintain absolute control over the exchange rate.
I agree that the renminbi is not presently a threat. Just that it has the potential of becoming one. That potential flows from the potential of China's consumers. A native base of consumers Bitcoin lacks. My point is that if the renminbi is a long shot for challenging the dollar's hegemony, Bitcoin is out past Pluto.
How is the government going to forcibly seize a wallet? Are you suggesting they can break the crypto, or that they will compel people to divulge their keys?
You are not wrong to argue that state level actors are a serious threat.
But fortunately, these state actors seem to have no interest in attacking crypto.
It seems like the governments that matter, i.e. the 1st world, are perfectly happy to allow people to have access to a censorship resistant method of financial transactions.
This makes a certain amount of sense. The governments of the 1st world claim to care a lot about freedom. And it seems that they are letting us have it.
Or you know, they love the idea of an immutable record that's far from anonymous. Cash is hard to trace, a Bitcoin is easy to trace for something like the NSA. It's a giant digital paper trail by design! Besides, Bitcoin is as likely to become a dominant currency as shells or promises. No one outside of BTC fanatics honestly entertains that idea, and only a few who do espouse it do so because they really think it's likely. For obvious reasons hyping the currency translates directly into profit, so it's hype all the way down.
Well, a couple of the cryptocurrencies out there have privacy baked in, such as Monero.
I don't see any of these privacy coins being banned yet, so.....
But anyway, that is beside the point.
The argument that the OP was making was that governments are a real threat to crypto. And MY point was that these governments are NOT actually attacking cryptocurrencies, so I guess things are going to work out fine for cryptocurrencies.
And MY point is that extrapolating too much from minimal data is unwise. If you’d like it put in historical terms, “...Let a hundred flowers bloom and a hundred schools of thought contend...”
> I think the argument is that by doing a 51% attack you undermine the market value so you never get the rewards.
Only if you make it public. A 51% attack works at a poker table too, but only if the marks don't know the game is rigged.
A successful double spend makes it public, as well as announcing your intentions to get to 51%. If you're quiet and can pull off a successful 51%, you can create the double spend before anyone knows.
To be in the position of being able to do a bitcoin 51% attack, however, you would have had to sink enormous costs into buying ASIC miners. The minute everyone finds out that a 51% attack occurred, you will have pressure to change the mining algorithm and suddenly all your miners are worthless.
What jhpriestley pointed out is that what's really saving bitcoin from a 51% attack is the inefficiency of obtaining computing power.
If renting asic miners becomes vogue (and it might because it makes the computing market more efficient) then it might be possible just to rent asic miners for nearly free, since you'd be acquiring bitcoins while you were amassing the 51% computing power.
You can profit from undermining the market. Futures volumes may currently be too low to find enough liquidity to use them for financing a major attack but this could change when BB’s start selling them in earnest to clients.
My conclusion is that since this is true, the real thing maintaining the system is mutual cooperation of sufficient mining interest. When you look at the theoretical division of hashpower in btc, it looks too stable over generations of hardware. Any non-colluding ecosystem should have centralized. I conclude btc is a collusion system.
So why the pow? Is this stabilizing the actors somehow? It seems like an explicitly managed network would be no less centralized, way more efficient, and way more user friendly.
It's important to understand that a "51% attack" isn't an attack at all. No algorithm or protocol has been compromised. The system is working exactly as it should. This is a fundamental aspect of all distributed systems: if the majority of the network elects that the state of A is X then that's the state of A. There is no mechanism by which one peer can disagree and override the majority -- unless the majority have also deigned to follow that peer and recognize it as a "leader."
> Any non-colluding ecosystem should have centralized.
Not exactly. There are real laws and borders and market realities that prevent the ultimate centralization of hashpower, but what's clear is that centralization works, centralization is extremely profitable, it's happening and it will continue [1]. Centralization, I would suggest, is the true goal of bitcoin and is the inevitable conclusion.
> So why the pow?
I see what you're getting at but it should be obvious. The miners are paid very, very handsomely not to collude. Bitcoin miners charge fees that are effectively far greater than any centralized authority. They reap billions in profit each year [2] for turning on a bunch of computers and plugging them in. A cynic might say the "proof of work" is a marketing tool to disguise what is really just the mass transfer of wealth to the miners. Certainly, bitcoin holders believe that miners have somehow "earned" these outrageous profits.
In the bitcoin system, miners make literally billions of dollars a year protecting the network. Any successful attack on the bitcoin network is going to massively erode confidence, reduce the price, reduce the usage, and therefore reduce the value of all that single-purpose, bitcoin-only hardware.
Large miners don't want to see Bitcoin get attacked because it destroys their income and de-values their incredibly expensive hardware. This is also why miners won't just let you borrow their hashrate for a while - it's a big issue if you use that hashrate to undermine their cash cow.
There is another--less talked about--way to double-spend: developers can cause forks and double-spend during the confusion.
In 2013, the network forked unexpectedly [0] and the Bitcoin network had 2 chains for about 4 hours. During those 4 hours, it is entirely possible that people sent BTC to exchanges they knew were going to be on the chain that ended up being orphaned.
A conniving team of centralized developers can take this a step further and discover or intentionally plant a consensus bug that causes such a fork and because developers ultimately tell everyone which chain contains the "fix" (in 2013, they commanded that the minority chain was the right one), the developers know which chain will be orphaned and thus which exchange they can exploit.
What a lot of people in the thread seem to be missing is that when you receive a huge payment you can require a higher number of confirmations to accept it. High enough that it would make the 51% attack unprofitable.
Requiring more confirmations decreases the probability that a transaction will be reverted, under the assumption that an attacker has < 49% of the hashpower. If you attempt an attack with 49%, then you have a fair chance of mining, say, 6 blocks before the rest of the network. If you get unlucky then you sacrifice those rewards. But if you mine with 51% then your attack chain is (probabilistically) guaranteed to eventually become the longest chain, so there won't be any loss of revenue.
That ignores community consensus; such activity is easy to monitor and public sentiment about the illegitimacy of that fork can cause people to devalue it. This is essentially what happened with the DAO hack. This likely does create a situation where both forks have a non-zero value, but also dramatically lowers the rewards, and thus incentive, for such an attack.
Security in crypto is a very slippery concept, and many conclusions are non-obvious, if not outright counter-intuitive.
There's a question that you're missing or ignoring about how long the 51% attack is sustained. Sustaining a 51% attack for one day is very difficult, doing it for one week or one month is proportionally that much more expensive.
Why is mining an attack chain expensive? If you mine on the honest chain, you earn the block reward for each block you mine. If you mine an attack chain with 49% and your attack fails, then you sacrifice those rewards. Suppose you mine say 10+ blocks with 51%+, over the next three hours while the rest of the network only finds 8 blocks. Then your 10 blocks become the longest chain and you earn the block reward for all 10 of them.
The exchange can have thresholds for total volume per given time interval then. Once the total amount of pending transactions breaches a given volume, the transaction period for more transactions within the window goes up.
Great points. The thing is though that a double spend would harm both the attacker and all others on the network. It would weaken the trust. It is a double-edged sword. You would have to do the double spend without anyone noticing and then liquidate your earnings as fast as possible. With more combined hashing power this would become very hard to do.
There are a lot of problems other than double spend with Bitcoin. Transaction fees rise very quickly because of the block size limit of about 1MB. You can't really rely on 0-confirmation transactions. The saviour lightning network in my opinion is the wrong solution to the scaling problem. It changes fundamentally how bitcoins are exchanged and steers away from the original white paper by Satoshi. Not that this is wrong... it just becomes another project altogether.
It is often asserted (for example, in the Bitcoin white paper [22]) that a cartel can double-spend Bitcoins. In a strict sense, this is true: a cartel can spend a Bitcoin by paying it to a player Alice, receiving goods or services, and then shifting the consensus choice of history to a branch where that coin is instead paid to a different player Bob. However, we argue that double-spending by a cartel has a limited payoff. Bitcoins have value because people are willing to trade them for goods and services. If players were unwilling to accept Bitcoins for trade or unwilling to spend Bitcoins for fear of having their payments nullified, the value of Bitcoins would diminish significantly as players lost confidence in the system. Worse, because players are encouraged to generate a new identity for each transaction and because identities are not linked to any side information, players cannot easily determine whether a proffered payment is coming from the double-spending cartel or an honest user. Thus, a rational player should refuse to accept any payments when there is a significant threat of double-spending.
As a cartel must outmine the entire Bitcoin network and thus outspend the entire Bitcoin network for as long as it would remain a cartel, we believe it is very unlikely that a cartel could double-spend enough to recover the cost of the attack...
As described above, a 51% cartel attack is unlikely to generate enough reward within the Bitcoin economy to be worthwhile to the attacker. However, this does not rule out the possibility of a 51% attack that aims to destroy the Bitcoin economy in order to achieve utility outside the Bitcoin economy. We call this the Goldfinger attack after the character in film who tries to undermine U.S. currency by ruining its gold backing [15]...
In all of these cases, the attacker must achieve enough utility to justify the substantial cost of an attack. We agree with Becker et al. that it is unlikely that a protest movement could muster the resources to launch a successful attack. And at present it does not appear possible to acquire a short position on Bitcoins that is large enough to justify an attack. (2013)
The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries
Joshua A. Kroll, Ian C. Davey, and Edward W. Felten,
Princeton University
Buying (or trying to buy) 50% of the total supply of mining equipment would substantially increase the price, to the point where the ROI is so long that it becomes unprofitable (especially if your long-term goal is a $0 bitcoin).
You have used technical analysis for making an investment decision. Scientific method, skeptical approach, great. And the assumption is "the tech is broken, the price will fall because of it, won't buy".
But, if we take one step further and continue our experiment, let's compare the actual facts with the assumption.
And what do we see? Two cryptocurrencies (Bitcoin Gold and Verge) which were successfully attacked this week didn't lose in market cap.
How come? What conclusion should we take from this assumption/fact, if we continue being scientific? Do we need a new assumption?
> there are certainly organizations with the resources to do it, e.g. intelligence agencies, organized crime
Nation states. Don't forget the large number of sanctioned regimes who would (a) have the resources to execute such an attack and (b) find great profit in doing so.
Plenty of legit and rogue nations (or departments within them) who would find that tempting, I think. Currency politics and all aside, that is a tempting way to make money.
> If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates
"Renting 51%" (of any global market) and "at market rates" are mutually exclusive.
> There is no equilibrium point for transaction fees where this attack becomes uneconomical.
The counterforce against doublespending is not transaction fee but cost of ownership of mining equipment.
Some other arguments against your conclusion:
- As mentioned nearby, for big transactions you want to wait longer than 6 confirmations.
- Also, as recipient you might want to distribute huge payments into smaller ones distributed over time.
- It's in the interest of mining capacity lenders to make sure you don't get 51% because it renders their equipment worthless in case you are successful.
- As you correctly stated, low prices will lead to lower hash rates (and higher prices to higher rates). This means actually that bitcoin will be more stable (it's harder to obtain 51%) if prices rise. There's an equilibrium on that side as well! That is, if double spending is what you're worried about.
> If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack. There is no equilibrium point for transaction fees where this attack becomes uneconomical. The only defense is that the market for hash capacity is imperfect.
At this point in time the current hashrate of the bitcoin network is 32.500 PH/s, up from 5.000 PH/s a year ago and 1.400 PH/s two years ago. If you rent 51% of the network it's going to be rather obvious that something is happening, that will however not prevent an attack. Let us assume that you can rent capacity because the miners are greedy, what price would you have to pay? Let's assume that you can buy from miners that want to exit the mining business, so they do not care about deprecating the value of their hardware nor the bitcoin value itself.
So the assumptions are that 51% of the available capacity don't care if bitcoin tanks and burns as long as they profit enough, and you're able to buy that. A 0.43% difficulty increase daily (average over last 2 years), bitcoin price of 7.600$, a 4MW powerdraw, and electricity prices of $0.08/KWh.
Miners controlling 51% would profit north of $1.000.000.000 yearly, and if they just want to be compensated for that one year, you have to pay $1.000.000.000 to rent 51%. That is a lot of money, and at the $20.000 high it would be triple that value.
However, why would 51% of the capacity suddenly exit? Rather they want to be compensated for multiple years of profit, let's say 5 years, and it's not unreasonable to expect bitcoin to reach $70.000 in that time. So we're looking at a $50.000.000.000 cost to coordinate the attack. That's expensive, and with that kind of money there are other ways to make it multiply. Who would pay that to ensure destruction of the thing we know as Bitcoin? After all, success means it's likely that another *coin takes over, where you cannot 51% as easily.
It is far from clear that Bitcoin will likely ever reach $70,000. That implies an approx market cap of $1,200,000,000,000 or more. Would Bitcoin ever be useful enough or generate more value than Google or several Big Energy companies combined to justify and sustain that valuation?
People said the same thing about $1,000 when it reached $35. In about 6 months, bitcoin will be 10 years old, so considering that it went from $0 to $20,000 in those 10 years, as my statement says, it's not without reason to expect it to reach $70,000 in the next 5 years.
People like to compare bitcoin to gold, which has an estimated current market cap of $6,000,000,000,000. Will gold ever generate more value than Google or several Big Energy companies combined with more than a factor 10? Or does it hold value simply because it's rare?
Nearly 70% of gold is actually used as jewelry and in industrial applications (based on a diagram linked from an HN comment). So after 10,000+ years of trust building, the portion of gold used as a store of value is perhaps still less than $3 trillion. (Also, $20,000 Bitcoin was a tiny blip. The value was not sustained.)
Gold is also quite unique and "best" or close-to-best in its collection of properties. Bitcoin is not really rare and many other recent variants are "better" in a number of ways. Would the network effect be sufficient for its valuation to come close to physical gold? Warren Buffett, Robert Shiller, a well-known Nobel prize winner in economics, and several other respected economists say unlikely [1] [2] [3]. Basic logic says the same.
[1] "It has no value at all unless there is some common consensus that it has value. Other things like gold would at least have some value if people didn't see it as an investment," Shiller told CNBC in an interview ahead of the World Economic Forum in Davos, Switzerland, where he will be speaking next week.
> Nearly 70% of gold is actually used as jewelry and in industrial applications (based on a diagram linked from an HN comment). So after 10,000+ years of trust building, the portion of gold used as a store of value is perhaps still less than $3 trillion. (Also, $20,000 Bitcoin was a tiny blip. The value was not sustained.)
I'd argue that jewelry is also a store of value. It doesn't serve a practical purpose, and was traditionally given as a gift for hard times. Industrial applications, fair enough. This is also plainly written in your quote from [1].
> Bitcoin is not really rare and many other recent variants are "better" in a number of ways. Would the network effect be sufficient for its valuation to come close to physical gold? Warren Buffett, Robert Shiller, a well-known Nobel prize winner in economics, and several other respected economists say unlikely.
Bitcoin is exceedingly rare. Only 21 million will be created, and a non-trivial portion of them is lost in wallets that no one controls. In [1] he states that he "doesn't know what to make of bitcoin ultimately." In [2] one of the main arguments seems to be "Practically no one, outside of computer science departments, can explain how cryptocurrencies work," which is true for the modern banking system too. Besides, it really isn't hard to explain the idea and workings without going into the technical details.
One of the things that could super charge bitcoin is LN. The potential is enormous if adopted by companies.
The article in [3] shows a fundamental misunderstanding of bitcoin when it claims
> Bitcoin will be “mined” in diminishing quantities until it is exhausted in 2040, having delivered 21 million digital coins. In other words, there is no elasticity in the currency. This means that long before the mine is exhausted, the currency will run into the same problem as the gold standard: not providing enough money to support a growing economy and population.
Gold is limited by the smallest amount of gold you can reliably trade. Bitcoin has no such restriction. As the value of a whole bitcoin increases, you can trade a smaller and smaller fraction. At the current value 130 "Satoshi", which is the name for the current smallest fraction possible to trade, is worth $0.01, so bitcoin can reach a value of $1,000,000 and still have the same monetary "resolution" as the current USD.
The last paragraph might on the face of it seem to contradict my statement about the rarity earlier. But there is a key difference. The fact that bitcoin is in limited supply, but it is possible to trade very small fractions of it, with the ability to allow smaller fractions if needed, means that the currency is more likely to be deflationary, i.e. the money I save will not automatically be worth less because I do not use it.
I do believe you are vastly underestimating how difficult an attack on the bitcoin network would be. I seriously doubt anyone other than a handful of state level actors could pull it off, and even then I am not sure. The amount of energy we are talking about is tremendous, and gets orders of magnitude larger the more blocks you go backwards in time. The XVG hack only went back 22 blocks; that is mathematically, and most certainly financially and perhaps even physically, impossible with bitcoin. The amount of energy and money spent would never, ever make it worth it.
Interesting points. A defense against this type of attack is to use at least the hybrid proof-of-stake design that Ethereum is rolling out in about three months; blocks are proposed by proof of work, but proof of stake periodically adds a layer of "economic finality." Here's a paper: https://arxiv.org/abs/1710.09437
"In three months"...there's a chance that a problem will be found by the people doing formal verification, but otherwise there don't seem to be any potential roadblocks. Client implementation is very simple, partly because most of the protocol is implemented by a smart contract, which is already done. Ethereum does a hard-fork upgrade a couple times a year.
True, that's a risk it will still share with pure PoW. But at least you don't have to worry about doublespends after your transaction has finalized.
Full Casper may have stronger liveness guarantees eventually, I'm not sure. At a minimum it's easier to manually intervene to get the network going again. (You could also do that in PoW by changing the hash algorithm, but you can probably only pull it off once, migrating from ASIC to general purpose hardware.)
Those are some really great and interesting points. However, I think there is a resource you didn't mention that combats such attacks: time. If I'm a vendor, e.g. I pay cash for bitcoin, then I can tune the amount of time the transaction is held in limbo or escrow based on the vulnerability of the network.
For instance, I can decide not to finalize the transaction until I see a chain with 12 new blocks added after the transaction block. So an attacker has to control 51% for 2 hours to successfully scam me. Or I can make it 24 blocks (4 hours), or whatever.
Not sure this can mitigate the attacks and market forces you discuss, but it might. I see Bitcoin moving toward an intermediary system where you have a "Bitcoin balance" with a "Bitcoin bank" that allows you to make immediate transactions and takes on the risk and time delay of settling these transactions on the blockchain over the course of the next day or two.
> I see Bitcoin moving toward an intermediary system where you have a "Bitcoin balance" with a "Bitcoin bank" that allows you to make immediate transactions and takes on the risk and time delay of settling these transactions on the blockchain over the course of the next day or two.
How would this system differ from an ordinary bank in the system we have now?
In our current system, we have centralized, government bank run clearing houses that you cannot use (which Bitcoin could hypothetically replace). For a Bitcoin-based financial system, you can opt to pay higher fees and clear transactions on your own, or store your wealth in your own wallets and take on the management effort and fees in exchange for autonomy.
The second layer solutions such as Lightning Network don't require you letting other people hold your Bitcoin. They're still decentralized and trustless.
But they also require observation for cheating because time matters in the execution of contract settlement when you have bad actors. It is still trustless though.
You've always had to protect against cheating though; what's changed? The standard advice from as far back as I can remember is to wait six confirmations on transactions, more for big transactions, and 120 for freshly minted coins.
The difference here is you can just wait long and you are good. In the case of lightning network there is a time limit. If you wait too long and don't notice what happened/is happening you are cooked.
Essentially, in the case of somebody cheating you, they would broadcast a transaction co-signed by you that would close the channel in their favor. This wouldn't be effective immediately but would have a time component associated from when the channel was opened. To prevent this state from closing out this way, you would be able to broadcast the proof of the actual offchain ledger balance (with the valid signatures for all transactions) and the co-signed transaction to close the channel. For all of this proof, you would also get to take the cheater's money, further disincentivising this behavior. However, if the time ran out before you noticed, none of your proof and signed offchain transactions would matter.
Right -- it would start looking like the traditional banking system, just sitting over Bitcoin rather than state-sponsored currency. (Not saying whether this is a desirable direction or not, just what I would expect to happen.)
I'm a bit ignorant about cryptocurrency, but doesn't "I pay cash for bitcoin" sort of prove the parent's point that it's not "the currency of the future?"
I think one of the other issues is that each transaction that they are double spending can be worth so much. If each transaction was maxed out at say $100, the incentive to double spend the transaction becomes smaller. Obviously that changes a lot about the costs of mining and transactions, just saying the bigger a single transaction or value in a single address, the larger the likelihood of an attack.
We see the same things with cash, they only run the "counterfeit" pen on $20 or larger.
Just wondering if there is some kind of crypto currency where the transactions had a max of some kind. Would the difficulty be able to be much smaller and blocks every minute (since there would be so many more to transact)? This isn't well formed, just off the top.....
This would probably lead to a huge increase in transactions, and PoW mining as of now will not be able to process transactions fast enough and the coin ends up clogged and unusable.
When Bitcoin was hitting $20,000, which I never thought they'd do, I mostly concluded I'd missed any investment opportunity.
I plausibly could have invested a few hundred or thousand when Bitcoin was in the low hundreds, and if I hodl'd to the moon realized a hundredfold gain, which would have been nice.
But once you're at the moon, then what?
The new price predictions are things like "If Bitcoin replaces gold it could be worth $135,000/BTC." Which is a lot, and a little far fetched, but also only 6x from the last peak.
I'm not interested in a risky investment which takes years to come to fruition and only yields 6x. It's too risky for a safe investment and too low-yield for a risky investment. Boat missed.
If the scenario you laid out actually pans out it would be very good for Bitcoin, because there is a lot of free energy in the world but it is highly distributed.
The dominant form of mining would be utility companies and individuals redirecting excess electricity generated from their renewable electric power generators, during off-peak hours and spikes in generation, to mining, and the constituents would be both numerous and globally distributed, owing to the wide geographic areas across which renewable energy resources are found.
> If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack. There is no equilibrium point for transaction fees where this attack becomes uneconomical. The only defense is that the market for hash capacity is imperfect.
You're killing your goose with the golden eggs. That is, if a currency remains in use.
>Attacking a huge network like bitcoin would be an audacious and expensive act, but there are certainly organizations with the resources to do it, e.g. intelligence agencies, organized
How do you propose they would go about doing this? Would they jam up the whole world's chip production to source the ASICs at above market rates? How could this be profitable?
Perhaps by taking over existing mining operations, but then you’d need to somehow perform the attack before you’re detected.
Your analysis isn't really a good one, since Proof of Work consensus through mining isn't really used anymore by the new coins.
It seems you're too focused on a specific decentralized consensus solution, while there are already much better ones out there, e.g. Iota with a tangle, skycoin with a web of trust or Elastos that are immune to 51% attacks.
It will never go to absolute zero as long as there are still people who at the very least see it as a joke. "Remember when BTC was $20000? I just bought 50000 of them, I would have been a billionaire! Haha!"
Also tell people in Venezuela how their Bolivar is not going to zero, because they have to pay their taxes with it.
What do you mean, "underbidding", e.g. "underbidding attack"? I don't understand this term in the context of your hypothesis, which assumes a perfectly efficient market for hashpower.
Suppose that it takes $50 of energy to find a hash at current difficulty. Transaction fees are at $50 (in BTC). I can offer miners $51 for their hash power, but they might be suspicious. So the other thing I can do is confirm transactions for $49 in fees, which I'm calling underbidding. This will drive miners out of the market.
Wouldn't this mean you ignore the transactions with the higher fees for the other miners to pick up, thereby making mining more profitable for them?
How bitcoin transacting works is not that the miners publish their price and someone accepts that price and thus sends the transaction to that miner. How it works is that you publish your transaction with the fee you're willing to pay and if your fee is high enough, it will get included in the next block.
Blockchains are not immutable. The software that blockchain servers run can be updated to any chain with the most social consensus; if an attack was that bad it can be fixed with a few git pushes and pulls. The price might suffer, but even that is not a guarantee; price movements have a greater influence than fundamental value in crypto.
Can you explain this in better words: "then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack."
I think what jhpriestly is saying is: As the market gets efficient, the price of renting mining capacity will approach the profits earned from transaction fees. So renting mining capacity will almost pay for itself, i.e. is almost free. But then you might as well rent a lot of it, like 51%, because it's allowing you to attack the chain almost for free.
I've heard an opinion (but I'm not certain) that mined coins are considered less traceable than purchased coins.
For any purchase, there's a trail that leads to you through however you paid for it; for mining, the mined coins are totally disconnected from the hardware that mined the block and how you bought it.
Well then the buyer and seller would race to gain 51% of mining power (as it's free), which will make it more expensive because of the constant bidding war.
>If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack.
Lenin was right: "When it comes time to hang the capitalists, they will vie with each other for the rope contract."[0]
The numbers I've seen quoted for a double spend attack on Bitcoin Cash (assuming guaranteed block space) are that it would cost about 50K to double spend on a 0-conf transaction. So really, you can confidently accept 0-conf for <1K reasonably. More than that you can accept 1-conf or more, which can take a minute or two. BTC rejects 0-conf transactions, but they are already in use around the world and are successful as far as I know.
Except you profit from mined blocks. In theory you should be able to do a 51% attack for a profit even without double spending, as you capture high value transactions over a longer timespan than normal. Aka in 10 blocks you get the same number of high value transactions as would normally occur over 20 blocks. Whereas you would end up with the same 10 blocks without a 51% attack, but someone else would also mine 10 blocks and capture some of those high value transaction fees.
If you wait long enough, say, for 144 confirmations (or 24 hours, whichever is greater) then a double spend may as well be the least of your worries, for bitcoin, or any of the top mined crypto-currencies.
These double-spend attacks are only successful if the receiving party doesn't wait long enough.
Also, couldn't find any sources from exchanges on whether they were actually successful? The article didn't mention which exchanges.
Quote:
"Blockchain data indicates that the attacker successfully reversed transactions as far back as 22 blocks, leading developers to advise raising confirmation requirements to 50 blocks."
So as long as exchanges wait 50 blocks before crediting, they should be all right.
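The confirmation-depth argument that runs through this thread (require more confirmations for a bigger payment, nothing helps against 51%, wait 50 blocks after a 22-block reorg) rests on the catch-up probability from section 11 of the Bitcoin white paper; the code below works it through as an added example, not code from the thread or from any Bitcoin project, using the paper's notation (q = attacker's share of hashpower, p = 1 - q, z = confirmations waited) plus a helper that turns a risk tolerance into a confirmation count.

```python
"""Attacker catch-up probability from the Bitcoin white paper, section 11.

Added example: given the attacker's share q of total hashpower and the
number of confirmations z the recipient waits for, compute the probability
that the attacker's private chain ever overtakes the honest chain, and
derive how many confirmations keep that risk under a chosen threshold.
"""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hashpower share q eventually
    catches up after the honest chain is z blocks ahead.

    Satoshi's derivation: while the honest network extends the chain by z
    blocks, the attacker's progress is Poisson-distributed with mean
    lambda = z * q / p, and from a deficit of d blocks the attacker closes
    the gap with probability (q/p)**d. With q >= p (50% or more) the
    attacker always catches up, so extra confirmations buy nothing.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hashpower in [0, 1]")
    if z < 0:
        raise ValueError("z must be a non-negative block count")
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p
    ratio = q / p
    # Build the Poisson terms incrementally instead of via factorials so
    # the loop stays exact and cheap even for several hundred blocks.
    term = math.exp(-lam)
    total = 0.0
    for k in range(z + 1):
        # P(attacker found k blocks) times P(attacker never closes a gap
        # of z - k blocks); summing these gives the probability of failure.
        total += term * (1.0 - ratio ** (z - k))
        term *= lam / (k + 1)
    return 1.0 - total


def confirmations_for_risk(q: float, max_risk: float, limit: int = 100_000):
    """Smallest number of confirmations z at which the attacker's success
    probability falls below max_risk, or None when no depth suffices
    (q >= 0.5) or the search limit is exhausted.
    """
    if q >= 1.0 - q:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def risk_table(q: float, depths):
    """Map each confirmation depth in `depths` to its reversal probability."""
    return {z: attacker_success_probability(q, z) for z in depths}


if __name__ == "__main__":
    # Reproduces the white paper's table: risk decays geometrically in z for
    # a minority attacker, and is flat at 1.0 for a majority attacker.
    for q in (0.10, 0.30, 0.50):
        print(f"attacker share q = {q:.2f}")
        for z, prob in risk_table(q, range(0, 11, 2)).items():
            print(f"  z={z:2d}  P(reversal)={prob:.7f}")
    for q in (0.10, 0.30, 0.45, 0.50):
        print(f"q={q:.2f}: confirmations for <0.1% risk ->",
              confirmations_for_risk(q, 0.001))
```

A merchant or exchange can feed its own estimate of q and a per-payment loss tolerance into confirmations_for_risk to size the waiting period, which is exactly the "higher number of confirmations for a huge payment" policy discussed above.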
Oddly enough, one of the selling points of Bitcoin Gold (a hard fork of Bitcoin) was its use of Equihash instead of SHA-256. The idea was that a memory-hard proof-of-work function would inoculate Bitcoin Gold from miner centralization.
The problem with mining centralization is that sufficiently powerful miners can attack the network by rewriting blocks. This opens the door to double spending.
This was exactly the attack the article described.
It appears that Bitcoin Gold's decision to use Equihash led to this mess. The algorithm is used by several other coins. Hardware optimized for this algorithm can therefore be used with equal ease to mine on a network or attack it.
Bitcoin Cash may be headed for a similar fate. It retains SHA-256, but is a minority chain in terms of hash power. A powerful Bitcoin miner deciding to perform double spends on Bitcoin Cash would have everything needed to repeat the Bitcoin Gold attack.
It's possible that any altcoin that becomes sufficiently valuable will suffer similar attacks to the ones that have now taken place on Verge and Bitcoin Gold.
The problem I think is that there are 25 cryptocurrencies bigger than it. Particularly with its form of mining, it's trivially easy for say a big player in the 10th largest currency to shift their mining power to a smaller one like Bitcoin Gold, overpowering everything else.
Normally the non-51% attack argument is that anyone who invests enough in 51% of the infrastructure and has sufficient coins to profit from double-spending, is very unlikely to do so because it would render the coins and mining equipment worthless or at least worth less than the investment had cost.
That'd be true for bitcoin, but not for a GPU-mined 26th largest cryptocurrency. You can completely destroy it, cash out and use your equipment elsewhere on coins in which people still have faith.
I'm not even sure you would need to exchange it to another coin. You would never be exchanging it to USD because USD withdrawals will require you to identify yourself and a corresponding bank account. To withdraw crypto you just need an address.
So you can exchange it to BTC or ETH and withdraw. Or you can just deposit it and withdraw it after. Most exchanges just mix customer funds together, so as long as the exchange has enough BTG balance minus the double spent deposit, they will send you real BTG.
> It's possible that any altcoin that becomes sufficiently valuable will suffer similar attacks to the ones that have now taken place on Verge and Bitcoin Gold.
The trust in these systems seems to be based on proving a negative.
The lack of an attack is neither a proof of robustness nor proof that one or more zero days aren’t already known. We can only “know” it’s safe when the temptation to use an exploit is far too high to resist.
I think there are a lot of people who imagine “an attack” as a ready-aim-fire affair. There’s a juicy target, someone concocts a plan and then uses it.
But as you illustrate, maybe there is already a plan and someone is waiting for the target to get juicy enough. Aim, ready, fire.
I guess the conclusion is that if you're attempting to create a new PoW cryptocurrency you better make sure to tweak your PoW algorithm enough to make sure that existing miners cannot easily convert their special purpose mining rigs to sink you for fun and/or profit.
All those arguments do make sense, but only if the underlying cryptocurrency is actually big enough. That it has enough hashpower (in whatever algorithm) to be secure. Bitcoin Gold simply was too small.
Sounds like it isn't very wise to come up with new cryptocurrencies as long as the mining network is unregulated and the double spending problem isn't solved...
All of the major Bitcoin miners are very pro Bitcoin cash. They basically created Bitcoin cash. They would be more likely to attack Bitcoin Core, if anything.
I would also point out that Bitcoin cash is the 4th largest crypto currency in the world, by market cap. If IT is in danger.... Well I fear for everyone else even more.
You are missing the point. Bitcoin and Bitcoin Cash use the same hash algorithm. Bitcoin Cash has about 15% of the total available SHA256 hashpower, and Bitcoin the other 85%. So it only takes a fraction of Bitcoin's miners to turn against Bitcoin Cash to attack it.
So this would require an attacker to pay into the exchange with BTCg, have the deposit clear and approve for trading, trade it for another currency, and have that trade settle and be clear for withdrawal, and then process the withdrawal, all in under 4 hours. After which point the attacking miner surfaces a longer chain they had been keeping which doesn’t include the original BTCg deposit.
Alternatively, if the exchange isn’t smart enough to pay short-term withdrawals with inputs that link back to the recent deposit, an attacker could just deposit and then withdraw with no trade and the withdraw transaction is valid even if the deposit is double-spent.
An exchange that lets a trader deposit millions in one crypto-asset, exchange it for another, and clear a withdrawal in 4 hours... got what was coming to them? Where’s the KYC process for a million-dollar deposit?
There’s a reason new deposits in a brokerage account take a few days to settle / be cleared for trading. And again after selling before funds can be withdrawn. And that’s a currency where most transactions can be reversed!
It would be one thing to allow 10 block settlement for Bitcoin main-net. It’s another to allow it with a thinly mined alt-coin.
Exchanges need to be built with the fluid nature of blockchain conflict resolution in mind.
You can estimate the cost of double-spend attacks on each chain at any time, calculate your potential exposure, track where the related funds are now in your system, and mitigate your exposure by delaying the outflow of funds that have outsize exposure to double-spend attack potential.
In the simple case, you might allow withdrawal of a single $10 deposit after 2 confirmations but enforce a long 1000-confirmation waiting period on a million-dollar deposit, in order to increase the cost of executing a double-spend against your exchange beyond the point which you estimate it becomes infeasible.
It's a little trickier in practice because someone could split their million-dollar deposit into 1000 thousand-dollar deposits from separate addresses into separate accounts. But you can still track your exposure in aggregate, and you should design a system to hold all impacted funds as long as is necessary to make a double-spend attack infeasible.
You can be upfront with your clients about what's happening and why their withdrawals are sometimes delayed: it would increase confidence in the safety of honest customers' deposits while discouraging thieves from targeting you.
>But you can still track your exposure in aggregate, and you should design a system to hold all impacted funds as long as is necessary to make a double-spend attack infeasible.
also, you can monitor the value of transactions in the last few blocks. 500% spike in transaction value in the last 2 blocks? better add a few more blocks to the confirmation requirement, or require withholding on those deposits.
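The withdrawal policy sketched in the two comments above (confirmations scaled to the cost of rewriting the chain, exposure tracked in aggregate across split deposits, and a per-block transaction-value spike check), worked through as an added example. This is not any commenter's code; the per-block attack cost, the deposits and the block-value series are constructed sample data, and the $10 / $1M figures only mirror the comment's illustration.

```python
"""Exposure-aware withdrawal policy for an exchange.

Added example (not any commenter's code). Assumed inputs: the exchange's own
estimate of what it costs an attacker to rewrite one block of this chain, a
list of pending deposits with their current confirmation count, and per-block
transaction-value totals for the spike check. All numbers are constructed.
"""
from dataclasses import dataclass
from math import ceil

MIN_CONFIRMATIONS = 2       # never release on fewer than this
MAX_CONFIRMATIONS = 1000    # cap on what we will ask a customer to wait


@dataclass(frozen=True)
class Deposit:
    account: str
    value_usd: float
    confirmations: int


def required_confirmations(exposure_usd, attack_cost_per_block_usd, safety_factor=2.0):
    """Depth at which rewriting the chain costs more than the funds at risk.

    Reversing d blocks means out-mining the network for d blocks, so the
    attacker's cost grows linearly with depth; we wait until
    d * cost_per_block exceeds the exposure by `safety_factor`.
    """
    if attack_cost_per_block_usd <= 0:
        return MAX_CONFIRMATIONS
    needed = ceil(safety_factor * exposure_usd / attack_cost_per_block_usd)
    return max(MIN_CONFIRMATIONS, min(MAX_CONFIRMATIONS, needed))


def release_decisions(deposits, attack_cost_per_block_usd, safety_factor=2.0):
    """Split pending deposits into (releasable, held).

    A reorganisation of depth d reverses every deposit with at most d
    confirmations at once, so the loss from such a reorg is everything already
    paid out against those deposits. Walking shallowest-first, a deposit is
    released only if rewriting back to it would cost more than that deposit
    plus all shallower funds already released. Splitting one large deposit
    into many small ones from separate accounts therefore buys the attacker
    nothing: the shallower releases accumulate into the deeper ones' exposure.
    """
    releasable, held = [], []
    paid_out_shallower = 0.0
    for d in sorted(deposits, key=lambda x: x.confirmations):
        loss_if_reversed = paid_out_shallower + d.value_usd
        reorg_cost = d.confirmations * attack_cost_per_block_usd
        if (d.confirmations >= MIN_CONFIRMATIONS
                and reorg_cost >= safety_factor * loss_if_reversed):
            releasable.append(d)
            paid_out_shallower += d.value_usd
        else:
            held.append(d)
    return releasable, held


def value_spike(recent_block_values_usd, baseline_block_values_usd, ratio=5.0):
    """True when the last few blocks carry `ratio` x the usual value per block.

    A burst of unusually large transactions right before deposits land is the
    pattern the comment above describes; the caller can respond by raising
    `safety_factor` or holding the affected deposits outright.
    """
    if not recent_block_values_usd or not baseline_block_values_usd:
        return False
    recent_avg = sum(recent_block_values_usd) / len(recent_block_values_usd)
    baseline_avg = sum(baseline_block_values_usd) / len(baseline_block_values_usd)
    return baseline_avg > 0 and recent_avg >= ratio * baseline_avg


# Constructed sample: assume it costs about $1,000 to out-mine this chain for
# one block (a placeholder, not a measured figure).
ATTACK_COST_PER_BLOCK_USD = 1_000.0
SAMPLE_DEPOSITS = [
    Deposit("alice", 10.0, 2),
    Deposit("bob", 400.0, 3),
    Deposit("carol", 5_000.0, 6),
    Deposit("dave", 200.0, 7),
    Deposit("erin", 1_000_000.0, 500),
]

if __name__ == "__main__":
    ok, wait = release_decisions(SAMPLE_DEPOSITS, ATTACK_COST_PER_BLOCK_USD)
    print("release:", [d.account for d in ok])
    print("hold:   ", [d.account for d in wait])
    print("$10 needs", required_confirmations(10.0, ATTACK_COST_PER_BLOCK_USD), "confirmations")
    print("$1M needs", required_confirmations(1e6, ATTACK_COST_PER_BLOCK_USD), "confirmations")
```

With the sample data the $5,000 deposit at 6 confirmations is held even though the $200 one at 7 confirmations is released: the decision is about cumulative paid-out value at each depth, not the size of any single deposit.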
You're hitting the nail on the head on this one. Couldn't have said it myself.
Majority of current exchanges are playing it absolutely fast and dangerous. It's no surprise with new exchanges popping up like mushrooms.
I'd bet that the top exchanges didn't lose anything on this. I'd actually wager this didn't happen to an exchange, but some other type of site, like a BTG Betting site or something.
Many people use exchanges for arbitrage. Exchanges benefit from arbitrage since they take a fee out of every trade and because they want their prices to be close to the international price of the asset.
This trade would look exactly the same as an arbitrage move.
I still maintain that letting the assets come in and leave on a different blockchain within 24 hours is akin to a “RTFM” level mistake.
If exchanges are enticing arbitrage through insanely quick settlement and clearance times on the order of 2 hours after closing a position, they are just playing with fire.
If there wasn’t an actual trade, just transferring in and out, not chaining the transactions is similarly RTFM.
If the facts are as I understand them, I think the exchange bears a significant portion of the blame.
It’s like the story a couple weeks ago where Deutsche Bank accidentally approved a wire transfer for $35 billion.
Exchanges are definitely playing with fire. Most crypto exchanges have probably more attack vectors than employees. Mitigating them is usually a tradeoff between security and UX. The most trustworthy exchanges don't even list shitcoins like Bitcoin Gold.
Bitcoin gold was a fork to try and decentralize mining. It changed to a proof of work that is supposed to be ASIC resistant. It looks like the typical situation is mining by GPU for equihash (BTG PoW).
BTG hashrate is at ~30MH/s at the moment, where Zcash's hashrate is at ~486MH/s.
I don't have the numbers off hand, but it'd be interesting to see how many GPUs you'd need to pull off a double spend against BTG and if any of the other equihash coins saw a drop off during the attack.
It'd be really interesting if it wasn't a rental attack, but an invested miner just switching over to BTG to achieve the hack.
They reversed 22 blocks, the recommendation is to increase the # of confirmations to rely upon to 50. If you are trying to react to a 51% attack, doubling the number of confirmations only doubles the cost of the attack, and the attacker likely just doubled the number of BTG they have. If they can pay the electricity/rental cost for the attack they have enough BTG to execute the attack in a cost effective manner again.
You can rent hashing power on Nicehash, which currently has ~77MSol/s available for rent. I'm not 100% familiar with how the auction process works, but it looks like I could purchase 26MSol/s via a fixed contract for 1 hour for ~1BTC.
Am I misunderstanding something here, or can I maintain a 51% attack right now for ~$8k an hour? This can't be right.
It is risky, but it is right, that's exactly why it took a while to happen. A relatively small botnet can overtake many smaller coins in hash power in no time, that's the hypothesis where I'd put the money.
It should come in lower than that... rental price seems to be around 0.5 BTC/MSol/day, so the price for one hour would be 0.5 * 26 / 24 = 0.54 BTC, roughly $4k
I was curious about the cost as well, so I ran some rough numbers.
417.5 BTC/GH/day for equihash if you're renting from nicehash [1].
Block interval 10 minutes [2]. 144 blocks per day target yields 0.0869 BTC/block, so cost of the 22 block reversal was ~1.91 BTC, or roughly $15k.
I'm curious if this was done as one large deposit, or many smaller deposits. I've imagined a system where block confirmations required are based on a computed cost of attack done like I did above, which would be pretty effective for very large single transaction double spends. A bit trickier to handle multiple deposits spread across multiple user accounts.
As the space matures I'd love to see a company that offers double spend insurance for a given tx.
For example exchanges could wait for 10 minutes worth of blocks then request a quote for double spend insurance. The company evaluates the probability of a double spend and maybe even has a couple standing contracts with rentable hashing power to be able to target smaller PoW chains and prevent any double spend attack.
There are lots of interesting and cool problems to be solved in evaluating the safety of a given tx. Unfortunately I don't know if the space is mature enough that exchanges would actually use the service.
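The rental-market arithmetic from the two cost estimates above (rate per unit of hash power per day, times network hash rate, times time), generalised into a small calculator as an added example. This is not any commenter's code. The sample inputs are the figures quoted in the thread (417.5 BTC per GH/s per day, BTG at ~30 MH/s, 10-minute blocks, and the 0.5 BTC/MSol/day for 26 MSol/s for one hour from the earlier comment), treating MH/s and MSol/s as the same unit the way the thread does; USD_PER_BTC is a constructed placeholder, not a market quote, and the "confirmations per value" function is the rule stated further down the thread (one confirmation for every X coins received, where X is the per-block attack cost).

```python
"""Rough cost of renting enough hash power to reverse N blocks.

Added example, not any commenter's code. Sample inputs come from the thread;
USD_PER_BTC is a constructed placeholder.
"""
from dataclasses import dataclass
from math import ceil

SECONDS_PER_DAY = 86_400
USD_PER_BTC = 7_850.0  # constructed placeholder, roughly matching "$15k for 1.91 BTC"


@dataclass(frozen=True)
class ChainParams:
    network_hashrate_ghs: float    # hash rate the attacker must match, in GH/s
    block_interval_s: float        # target seconds per block
    rental_btc_per_gh_day: float   # market price of 1 GH/s for one day


def rental_cost_btc(p: ChainParams, hashrate_ghs: float, seconds: float) -> float:
    """BTC to rent `hashrate_ghs` for `seconds` at the quoted daily rate."""
    return p.rental_btc_per_gh_day * hashrate_ghs * seconds / SECONDS_PER_DAY


def cost_per_block_btc(p: ChainParams, share: float = 1.0) -> float:
    """Cost of matching `share` x the network hash rate for one block interval.

    share=1.0 reproduces the thread's estimate. Treat it as a floor: a majority
    attacker needs strictly more than the honest hash rate, and must keep
    paying until the private chain is ahead, not only for the blocks reversed.
    """
    return rental_cost_btc(p, share * p.network_hashrate_ghs, p.block_interval_s)


def reversal_cost_btc(p: ChainParams, blocks: int, share: float = 1.0) -> float:
    """Rental cost of out-mining the network for `blocks` block intervals."""
    return blocks * cost_per_block_btc(p, share)


def confirmations_for_value(p: ChainParams, value_usd: float,
                            usd_per_btc: float = USD_PER_BTC, share: float = 1.0) -> int:
    """Confirmations to require so that reversing them costs at least `value_usd`."""
    per_block_usd = cost_per_block_btc(p, share) * usd_per_btc
    return max(1, ceil(value_usd / per_block_usd))


# Thread figures: ~30 MH/s network, 10-minute blocks, 417.5 BTC/GH/day rental.
BTG_SAMPLE = ChainParams(network_hashrate_ghs=0.030, block_interval_s=600,
                         rental_btc_per_gh_day=417.5)

if __name__ == "__main__":
    print(f"per block: {cost_per_block_btc(BTG_SAMPLE):.4f} BTC")
    print(f"22-block reversal: {reversal_cost_btc(BTG_SAMPLE, 22):.2f} BTC")
    print("confirmations for a $1M deposit:",
          confirmations_for_value(BTG_SAMPLE, 1_000_000.0))
    # The earlier comment's one-hour quote: 26 MSol/s at 0.5 BTC/MSol/day.
    hourly = ChainParams(0.030, 600, 500.0)  # 0.5 BTC/MSol/day == 500 BTC/GH/day
    print(f"26 MSol/s for one hour: {rental_cost_btc(hourly, 0.026, 3600):.4f} BTC")
```

Feeding the thread's own numbers back in reproduces both estimates (about 0.087 BTC per block, about 1.91 BTC for 22 blocks, about 0.54 BTC for the one-hour rental); the same function then says a deposit worth a million dollars would need on the order of 1,500 confirmations before the rewrite costs as much as the deposit, which is why the 50-confirmation recommendation quoted earlier only changes the price of the attack, not whether it pays.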
> If the exchange is aware of the attack, they may also freeze his account, so that all the funds will be locked inside the Exchange. A failed 21 block attack performed with a 10,000 BTG deposit where the Exchange freezes the account in time will result in a 10,262.5 BTG loss for the attacker. (From link.)
That sounds problematic. If I deposited coins and the exchange determined I was attacking them (how does that work beforehand?) to confiscate my money I'd be pretty miffed.
Not only that, but also an attacker can wait until the money is "safe" outside the exchange before revealing the attack. If the attacker really has more than half of the hash rate, there's no time limit; the malicious chain will always be longer than the innocent one.
It's only odd if you look at the community part of a decentralized coin as only the miners. You're missing the other critical parts which are its users and the exchanges.
A cryptocoin is worthless to miners if it cannot be exchanged, and it's worthless to exchanges if no one wants to trade it.
This introduces the "time" component of the attack increasing its riskiness. The longer you wait until releasing the chain, the more time there is for events to happen that might completely thwart your attack.
Except Bitmain has announced and will be shipping to preorders the first Equihash ASIC (Antminer z9) in July... only 3000 z9's would be needed to equal 30 Megahash, which would be $6M at the z9's $2k price tag. Bitmain obviously has been mining themselves with the z9's for a while, so I would bet that they noticed this and jumped on it before shipping their "lightly used" units out.
I run around 630 sol/s per 1080ti GPU, each cost me around $950. You'd also need to add the electricity in there, I think the challenge is to control an infrastructure being able to do over 15 MH/s as opposed to having the capital.
Not every distributed consensus algorithm is happy with 51%. If you increased the minimum to 60% you’d increase the number of machines the attacker requires by 50%.
If 100 machines play fair, >50% requires 101 evil machines, but >60% requires 151 evil machines.
I think you're misunderstanding the meaning behind a 51% attack?
An honest network participant will accept the chain with the largest accumulated proof of work. This is necessary to resolve forks of the chain, which are a natural occurrence.
A 51% attack means that the attacker can create a chain with more work than the rest of the network.
The idea that you can say "we require 60%" makes no sense by itself - you have to say what you actually mean in the context of a competitive and adversarial distributed proof of work blockchain network...
Maybe you have some ideas how to avoid history-rewriting attacks, in which case you should write a white-paper and launch your own sh1tcoin or ICO (only half joking).
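The point made in the reply above (the chain with the most work wins, so there is no "require 60%" knob; what a recipient actually chooses is how many confirmations to wait for) is exactly what the catch-up calculation in the Bitcoin whitepaper quantifies. As an added example, not any commenter's code, the following reproduces that calculation: with a minority of the hash power the attacker's chance of rewriting z confirmed blocks falls off exponentially in z, and with a majority it is 1 for every z, which is also the "no time limit" observation made earlier in the thread.

```python
"""Probability that an attacker eventually rewrites z confirmed blocks.

Added example reproducing the calculation from section 11 of the Bitcoin
whitepaper (Poisson-weighted gambler's-ruin), not code from any commenter.
"""
from math import exp, factorial


def attacker_success_probability(q: float, z: int) -> float:
    """q = attacker's share of total hash power, z = confirmations received.

    When the recipient acts on z confirmations, the attacker's private chain,
    started at the same time, has mined a Poisson-distributed number of blocks
    with mean z*q/p. From a deficit of `gap` blocks the chance of ever catching
    up is (q/p)**gap, which is 1 whenever q >= p: a majority attacker always
    overtakes the honest chain no matter how long the recipient waited.
    """
    p = 1.0 - q
    if q >= p or z <= 0:
        return 1.0
    lam = z * q / p
    total = 0.0
    for k in range(z + 1):                      # k = blocks the attacker already has
        poisson = exp(-lam) * lam ** k / factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_for_risk(q: float, max_risk: float, cap: int = 10_000) -> int:
    """Smallest z whose catch-up probability is below `max_risk`, or `cap`.

    Returns `cap` when q >= 0.5, because no number of confirmations helps.
    """
    for z in range(cap + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return cap


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.6):
        print(f"q={q}: P(z=6)={attacker_success_probability(q, 6):.6f}, "
              f"z for <0.1% risk = {confirmations_for_risk(q, 0.001)}")
```

The whitepaper's table (q=0.1 needs 5 confirmations for under 0.1% risk, q=0.3 needs 24, q=0.45 needs 340) falls straight out of `confirmations_for_risk`; the loop returning `cap` for q at or above 0.5 is the formal version of "you can't just require 60%".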
Thank you for helping me put into words what bothers me about crypto currency. We’ve deployed an AP algorithm for financial transactions. That’s not fixable.
Crypto currencies are worthless unless they have an enormous amount of hashing power behind them.
We could really do with a webpage with a list of crypto currencies, the hashing power currently behind them, and how much it would cost somebody to take over 50% of the network.
So, that's an interesting pair of ideas, in that it gets me thinking that any Bitcoin-style cryptocurrency might ultimately be doomed by its own design.
Shooting from the hip:
They've got this 51% vulnerability that is well known and hypothetically cannot be truly closed. Instead, we rely on the idea that mounting such an attack would be "too expensive". But at the same time, the cost/benefit of mounting such an attack is fairly easy to estimate using public data - all you really need to know is the cost to get to 51% and stay there for a given amount of time, which you can infer by monitoring mining activity, and the current price of the currency you'd want to attack. And you have to assume that whenever the cost of mounting such an attack dips below the benefit, such a thing _will_ happen.
So then, I think that implies that the only other feature you'd need to throw into the mix to ensure a cryptocurrency is ultimately doomed is to make the rate at which new coin can be mined asymptotically approach zero. Such a feature would mean that, in the long term, miners' revenue would ultimately be dominated by transaction fees, which, this being a supremely commodity service, market forces will presumably tend to keep relatively low. That would, in turn, limit the number of miners the economy can support, which would serve to limit the cost of mounting a 51% attack.
Meanwhile, what with a money supply that can't grow being inherently deflationary, the benefit of mounting such an attack would be constantly growing, for as long as said cryptocurrency remains in use.
On the other hand, there will be people who have a vested interest in preventing such attacks. If you own a lot of BTC, a successful attack can drastically lower the value of your assets, so it makes sense to deploy some of that capital to secure the network. And of course this goes even more so for business in the crypto space that rely on BTC remaining secure.
One example of this sort of behavior is in mining. We tend to think of miners as being selfish to a fault, and to some degree, that's true. But sometimes miners have the opportunity to mine empty blocks (a form of attack), and refrain from doing so, because it would harm the ecosystem as a whole and jeopardize their long-term profitability.
Spending capital to build hash capacity to protect an existing holding in BTC is inherently deflationary. Instead of "you need to spend money to make money" aka inflation/interest/growth, you have to spend money to keep money, which always reduces your holdings over time and turns the entire network over to companies that produce hashing capacity (hardware manufacturers, power companies).
But the initial assumption was that of an efficient market for hash power, which means the cost to hash is equal to the block rewards. And so deploying some capital to secure the network nets zero loss.
> They've got this 51% vulnerability that is well known and hypothetically cannot be truly closed. Instead, we rely on the idea that mounting such an attack would be "too expensive". But at the same time, the cost/benefit of mounting such an attack is fairly easy to estimate using public data - all you really need to know is the cost to get to 51% and stay there for a given amount of time, which you can infer by monitoring mining activity, and the current price of the currency you'd want to attack. And you have to assume that whenever the cost of mounting such an attack dips below the benefit, such a thing _will_ happen.
Or, to turn this around, if X is the amount of money needed to sustain a 51% attack for 1 block, then you have to wait for 1 confirmation for every X amount of coins received.
Attacks can hit multiple parties simultaneously. So you need to account for that as well and make sure an attacker doing a sweeping attack that includes you is still not incentivized.
Luckily, there are deeper incentives protecting large asic mined chains such as bitcoin.
> all you really need to know is the cost to get to 51% and stay there for a given amount of time
That's actually, if anything, underestimating the likelihood of a 51% attack. It seems that the more likely path to that situation is collusion between segments of the existing mining community. For such a cartel, the "cost" is zero, it's just a matter of trust.
Interesting point. The cryptocurrency energy consumption problem will never be solved, since if it is, it will be economically feasible to attack. So cryptocurrency adoption in the mainstream will require massive electricity consumption.
You might even say it will ultimately require at least 51% of worldwide electricity production, to ensure no actor (including nation-states) can suddenly on-line additional capacity to seize control.
And then if that's true, one might dream of a power plant arms race, where two competing nations build additional power plants as fast as possible to prevent the other from gaining enough electrical capacity to attack the network...
Not necessarily, non-hashing consensus seems to be where most blockchain projects are going. So these would require a stake of assets or similar, instead of wasting computing cycles.
Creating a proof-of-stake algorithm that doesn't degenerate to proof-of-work and that doesn't require a central authority (checkpoints, etc) is still an open problem.
Proof-of-Stake (PoS) is still theoretical at this stage; there is no working solution or proof-of-concept. It is a nice(ish) idea to reduce the energy consumption of blockchains but isn't really a solution to decentralisation.
There are some working solutions now, like NEO, Dash, and NXT. Ethereum is sure to adopt it as well; a lot of details are TBD but there's little question that the community will adopt some form of PoS.
I'm not saying it's perfect -- there are some downsides like needing a cap on fork distance in order to prevent stake bleeding attacks [1] -- but it's certainly viable.
> Crypto currencies are worthless unless they have an enormous amount of hashing power behind them.
Why would you think an enormous amount of hashing power helps? Even with Bitcoin, the actual marginal cost of a 51% attack is quite low. The difficulty is the capital expense of actually connecting to a couple GW of power and finding enough rentable ASICs.
I think this is fundamental. In a proof-of-work scheme, if the mining rewards in whatever time frame is considered a full confirmation are less than the amount of gain available using a 51% attack, then a 51% attack is economical.
ASIC mining during boom time helps mitigate the issue a bit, since the ASICs are worth more if the currency isn’t devalued by 51% attacks, but even Bitcoin will be vulnerable if older, less efficient ASICs start flooding the market, which seems inevitable if the price of BTC stagnates enough.
You're looking at this as a static _binary_ model, while actually, the 51% attack is heavily dynamic. The profitability of the attack heavily depends on factors that are absolutely dynamic and not publicly available:
- The exchange/betting website not catching onto your scheme
- The volume of the coin being enough to mass sell it and not majorly affect the price
- How fast the community can act in unison against you
There's a hidden cost of trust there, though, which vanishes with bitcoin (or at least reduces its cost). Maybe the value of bitcoin is more apparent from the perspective of Venezuela at the moment, where the risk involved with traditional banks, currency, and security is more apparent.
I am emphatically not taking a stance on which I prefer here, I might add, just pointing out that there are more variables here than you're acknowledging.
> There's a hidden cost of trust there, though, which vanishes with bitcoin
With fiat, I at least have some idea who I am trusting, and if my trust is betrayed, I have some idea of whom to work with to organize and inflict punishment. And, the people involved are aware of that.
With crypto, I have to trust an anonymous network of people that I have only distant and indirect indications aren't, in overwhelming majority, mutually cooperating agents of a single potentially adverse party, and no idea of who to go after if my trust is betrayed. And the people involved know that, too.
Yes, except the trust is free. Bitcoin replaces that trust with burning electricity.
It's kind of like standing on the ground. The surface of the Earth stops you from accelerating under gravity for free. But if you want to hover just above it, you have to burn ungodly amounts of energy, because you're now replacing surface with active propulsion. This is the same relationship as Bitcoin has with trust.
And yes, flying is occasionally useful. So are trustless systems. But both the ground and trust are features that cut out a lot of unnecessary energy usage from our lives.
Bitcoin and other cryptocurrencies require even more trust than normal currency. With a normal currency transaction, you need only trust at most 2 other entities: your counterpart to the transaction and the government issuing the currency.
With a blockchain, you still need to trust the counterparty, but now you also need to trust that the coders have properly designed and programmed the system, and that the miners either don't have the power to corrupt the system or aren't corrupt, and you need to trust whatever exchange you use to get into and out of the cryptocurrency.
Plus, you've added in a significant amount of time--at a minimum 20x the time with Bitcoin and significant transaction fees that as a practical matter have exceeded card interchange fees by 2x or more for the past 3 years straight.
You're right about there being more variables... with cryptocurrency.
I think there are fundamentally different ways we're talking about trust: you "only" need to trust a government, you "only" need to trust a bank, vs trusting a certain proportion of miners to be following the same bitcoin specs you are, as well as trusting that people will value it tomorrow. Both bitcoin and government-issued currency require trust, and building that trust is fundamentally difficult, depending on your needs, and comes with tradeoffs. It seems like you're only acknowledging one end of these tradeoffs.
One obvious tradeoff you're not considering is that of a criminal getting its assets frozen, for instance. There are less black and white situations where you might prefer bitcoin as well, if you have a little imagination. If you could address that, I'd probably appreciate your comments more.
It probably cost a few billion dollars to build all those banks globally. It costs a few hundred million to maintain all those banks and vaults. However, these banks and vaults can handle more than 2000x the transactions of Bitcoin in a single day (Visa on its own is 750x the capacity of Bitcoin, and Mastercard handles about twice the number of transactions as Visa), so Bitcoin would need to be at least 1/2000th the price to build and maintain the network to maintain a comparative economic advantage against just those two companies. Including the entire financial system, Bitcoin would need to be somewhere in the neighborhood of 20,000x cheaper and more efficient.
And since we're taking into account all of the underlying systemic costs going into banks, we need to do the same for Bitcoin. That means including all of the power utilities, factories, and mining facilities that went into making the hardware, plus the cost of shipping the hardware worldwide, plus the cost of the utilities and transmission lines needed to operate the network. And that's clearly not 1/20,000th the cost or resource usage of our current financial system.
> It costs a few hundred million to maintain all those banks and vaults.
There are ~8000 banks in the US alone, around 15K around the world.
According to your made up number, it costs $6K/year to run a bank. That's not even remotely close. That would pay maybe a month of the desk clerk's salary + overhead.
Fort Knox has an entire military base to secure it. That alone would use up a good chunk of your few hundred million dollar budget. I think you are vastly underestimating the cost in supporting our current financial system.
> You don't consider a country's reserve assets to be a factor in their monetary system?
The U.S. dollar isn't backed by gold. The total value of the gold at Fort Knox, about $100 billion, is negligible [1] and does not appear on the Federal Reserve's balance sheet [2]. It is mostly an anachronism from the eras of the gold standard.
The global financial system is interconnected. Fast transactions can happen because counter party risk is removed by a government backstop. In effect you can't have Visa without a "risk free" store of value. Vaults such as Fort Knox are a part of that system.
In the case of bitcoin they aren't inherently necessary to the function of the system, although with the risk of hacks you can make the case for them.
That's not very relevant. It's a constant factor, and the actual problem is that conventional financial systems are something like O(n log n) with respect to energy usage, and desperately try to minimize it (as not minimizing it means bleeding money), while cryptocurrencies are incentivizing everyone to maximize their energy usage.
If locking it or running the firewall required energy waste on the order of bitcoin they would. Fortunately both have been designed with minimizing energy use in mind, rather than wastefully maximizing it.
How much energy is spent securing conventional financial systems? You have to include everything: banks, minting, enforcement, physical security, even military and intelligence action.
If/when cryptocurrencies reach the same size as conventional financial systems, they will require all of the same.
Bitcoin is relevant for the US economy and a rogue state tries to have 51% of hashing power? Military and intelligence to the rescue.
Someone is very rich in Bitcoins? Bunker services for offline storage, physical/computer security, etc.
Too many scams with altcoins? Legal enforcement, more bureaucracy, education, etc.
One could say that, somehow, the cryptocurrencies won't require as much of any of that, but I don't see this point being made as often (and not with any realistic estimations).
The 51% scenario: just install more hash power. That would be cheaper and would not risk anyone's life.
Protecting cryptocurrency: there are cryptographic ways to achieve very high security that are free or very inexpensive. Physical encryption keys cost under $100. Combine those with multiple signatures and offline storage in a safe deposit box and you have several physical and cryptographic layers of security for pretty cheap. Services that do those things do not need to be very expensive.
Too many scams? Point taken. We will still need police.
BTW there's a reason I said cryptocurrency and not Bitcoin. Bitcoin is one of the slower cryptocurrencies. Energy spent securing the chain is per block, and its block size limit and other aspects of its design artificially boost its energy per TX. That and in the long term I expect people to find less energy intensive ways to secure block chains.
For conventional financial systems, energy spending is upkeep. Something that needs to be done (due to thermodynamics), but is best minimized, because it costs money. So banks, minting, enforcement, branches, ATMs, etc. - they all try to minimize their upkeep, per the regular ways markets optimize this. All of this also arguably represents the lower bound of what it costs to run a financial system.
Cryptocurrencies, on the other hand, have energy use as a feature, not cost. Unlike conventional financial systems, cryptocurrencies try not to minimize energy expenditure, but maximize it, as a core function ensuring their integrity.
(Also, military and intelligence action count to stability of both conventional and cryptocurrency-based systems. After all, you can't run a crypto economy without stable and secure nation states with rule of law that allow for development and availability of advanced microelectronics (for mining), electricity and the Internet. Crypto is much more dependent on that than conventional systems.)
--
A tangentially related analogy that comes to mind: cryptocurrencies are like trying to build a city on a big hovering platform, kept aloft by great fans or jets. In order to keep the whole thing airborne, you'd find yourself constantly burning fuel just to counter gravity. Now we find this idea stupid because we can just build a city on the ground and not waste any fuel at all - the surface of the Earth counters gravity for free. This is cryptocurrencies' relationship with trust. Trust works 99% of the time for free. Cryptocurrencies try to replace it with burning energy.
I think the other reply about TX counts vs. people-hours of power convinced me that indeed cryptocurrency is much less efficient than conventional currency even if you put large error bars on that analysis. I do think it's a solvable problem.
Your reply about trust though...
Trust is massively less expensive until it's not. The trouble with trust is that when it breaks "fixing" it is immensely painful, often requiring major political upheaval or worse. In extreme cases people die when trust has to be "fixed."
I do still wonder... what happens when you amortize the cost of trust across say two hundred years time? Reminds me of the cost analysis of nuclear power. Nuclear power is cheap until Fukushima happens, and one Fukushima amortized over even 50-100 years renders nuclear power more expensive than any other energy source.
I do not think it's a coincidence that the cryptocurrency explosion happened right after the 2008 financial crisis. The level of corruption revealed by the crisis and by the nature of the state and financial sector response to the crisis (selective bailouts, bailouts only to the rich, bailouts that preserved the wealth of those responsible, etc.) showed that our trust in the financial sector and possibly in larger institutions is dangerous. People started looking for alternatives. I have doubts about whether cryptocurrency would have caught on to the level it has prior to 2008.
What cryptocurrency needs to be successful is some alternative to proof of work mining. I'm not convinced proof of stake is it since it has a lot of other problems.
What conventional economic systems need to be successful is a housecleaning and a restoration of public trust.
I once worked out the CO2 output of Ethereum, which I think can be nicely worked over. Ethereum uses 191'000 people-equivalents of CO2/year (1 PECO2 = 9 tons of CO2), or roughly 4 TWh per year (I'm using numbers from multiple sources and past comments of mine; I apologize if it's not lining up perfectly).
The average state employs about 300'000 people (324'000 to be exact), about 16 million in total, which includes teachers and similar.
So already the Ethereum network uses half of an entire average US state just to secure its network. The US state in question does a lot more, and it includes education and similar.
Bitcoin uses 68 TWh annually, about 17 times as much, or about 8.5 average US states, to secure 200'000 TX per day. In contrast, those state employees handle the entire state's affairs, including taxes, education, etc., for 54 million people every day.
Why is this argument repeated so often? How is that comparison not clearly absurd to you? The conventional financial system is very obviously many orders of magnitude more efficient than bitcoin.
How is it obvious that conventional financial transactions are orders of magnitude more efficient than bitcoin? You can't use transaction price as a metric because it reflects a lot more than just the energy consumption of the system and even if you did, conventional transactions are not orders of magnitude cheaper than bitcoin transactions.
I'm not talking about transaction price, I'm responding to
> How much energy is spent securing conventional financial systems? You have to include everything: banks, minting, enforcement, physical security, even military and intelligence action.
I really feel like I shouldn't have to explicitly point out why this reasoning is so flawed, but to start with, bitcoin does not IN ANY WAY obviate the need for banks, law enforcement, physical security, or "military and intelligence". There isn't some kind of "well, actually..." response to this, it's totally and obviously incorrect and we're living in two different fundamental realities if we can't agree on that base line.
Would you ask the same question if the world ran 100% on renewables? If not, it seems that your argument should be "we should accelerate our transition to renewables" instead of "bitcoin spends too much power".
Also they pay for all the energy they spend so what exactly is the problem? Do you see vegans complain for the resources spent to raise animals?
> Would you ask the same question if the world ran 100% on renewables
Opportunity cost. All that 100% renewable energy could be used for something that actually adds value to society but isn't because it is being pissed away on the Rube Goldberg invention known as Satoshi's BlockChain.
> Also they pay for all the energy they spend so what exactly is the problem?
Give me a fucking break. These miners raise the price of electricity for everybody else and produce absolutely nothing of value to society at large.
Same thing these miners have done with graphics cards -- they've made graphics cards more expensive than most people can afford... you know, people who want to use those video cards for playing games instead of sucking down large quantities of non-renewable energy in a vain attempt to Get Rich Quick.
Bitcoin and all the others in the crypto "space" add absolutely zero value to society.
How much energy do you and everyone else waste doing things that don't add value to my life or society?
Using your own comparison, why is it a big deal if little Jimmy can't afford a graphics card to play some Counter-Strike? Is gaming a better use for energy?
Seems weird to pick on cryptocurrencies if you actually believe your premise, which I don't think you do.
Hardly. What, exactly, does bitcoin add to our world? Near as I can tell its only use case is Making Money Fast (for the folks at the top of the pyramid, anyway) and scamming the bejesus out of all the rubes who fall for the con.
> How much energy do you and everyone else waste doing things that don't add value to my life or society?
Bitcoin is estimated to consume more than 0.5% of all the worlds energy. Many nations use less power than bitcoin consumes. Bitcoin can process a mere 4 transactions per second. Please go on and explain to me why this is even a remotely acceptable thing.
The whole space is a deplorable shame and people like you should be absolutely ashamed of yourselves. You are a drain on the planet's limited resources.
It's a perfect place to argue about it, because it only shows that pissing away all that electricity still doesn't help, because someone else can piss away more of it to take your money.
> Would you ask the same question if the world ran 100% on renewables?
Yes, because the resources (material or labour) that went into building those renewable power plants could have gone into building something else that people want or need. Houses. Retaining walls. High-speed rail tracks. Electric cars. Bicycles. Video games. Rolls of sushi.
I will keep asking that question until we are in a post-scarcity society.
So we all get to decide how all the resources are spent? I am concerned that the desire to deem certain energy spending as unethical can lead us down a creepy path of authoritarianism.
This is a fairly good point. Any argument about externalities in energy usage applies to all usages of energy, and the solution is to internalize them in the price of energy.
Exactly. We should stop using the word "waste" to describe the energy consumption of the Bitcoin miners. It's not waste if it serves a purpose. The service it provides is to guarantee the integrity of the blockchain without the requirement of a central authority.
> We should stop using the word "waste" to describe the energy consumption of the Bitcoin miners.
All you bitcoin shysters can keep telling yourself that to sleep at night, but you are lying to yourself and you know it.
Bitcoin consumes massive amounts of energy for a pathetically small amount of transactions per second. On a per transaction basis, Bitcoin uses several orders of magnitude more energy than anything used by modern day financial systems.
Like, embarrassingly, shamefully large amounts of electricity. Y'all should bow your heads in shame for the harm you are doing to the world.
> The service it provides is to guarantee the integrity of the blockchain without the requirement of a central authority.
The blockchain, whose only use case is to enable rampant speculation and amazingly large quantities of fraud.
Your biggest mistake is comparing energy use. You need to compare the total overhead of bitcoin to the total overhead of the competitive financial system. The second mistake is comparing a per-transaction basis; this is of interest when we are comparing suitability for particular applications, but if you want to talk more generally about whether bitcoin is efficient for payments you need to look at things on a value basis (use usd, eur, cny, or gold ounces).
But if the new system is better than the old one, why would comparing it to the old one imply that anyone using the new one should be ashamed of doing so?
But it turns out that the new system is significantly worse than the old one, for little to no practical benefit. That's why people are comparing and complaining.
It is a waste. Bitcoin is an unqualified environmental catastrophe that is literally erasing any progress we've made to combat climate change. Burning away the future, turning useful energy purely and directly into waste and profit by shouting numbers into the void, not even leaving any artifact of value in its wake.
There's not anything wrong with having a central monetary authority. There's not anything wrong with having institutional trust.
It could be argued that the trust could still be misplaced, but the idea that we can't trust governments for currency is barking up the wrong tree.
The fundamental problems of inequality don't stem from Treasury, but rather from the game theory concept of the https://en.wikipedia.org/wiki/Gambler%27s_ruin making barriers to entry for new players always higher than the incumbents. You can take this all the way down to the bottom, in the example of having no car to be a delivery driver, and to get a loan for a car is a tremendous risk.
Sort of. It does create an opportunity cost, in diverting electricity away from other, arguably more useful causes. The whole matter there is complicated by economies of scale and baseload demand etc though. It could also be seen in terms of finiteness of the source of energy.
The measure of usefulness is determined by how much money people are willing to allocate towards it. Given that the money is allocated there, it indicates that for those actors, they see some utility regardless of what other people think. Hence, the only way to modify the unwanted behaviour is to correctly account for those producing the externalities, such that this market signal reverberates all the way through the economic chain.
I agree with all of that except the definition of usefulness. As you alluded to with your use of "regardless", rationality is not assured. It is expected (or more likely, hoped-for) usefulness, aka speculation. Even funding the status quo is still speculation, because something could suddenly become not useful in the future. I suppose only time will tell what was actually useful, and I'm betting bitcoin is not among them. Maybe if proof of stake comes along, I'll consider that as more potentially useful.
Obviously capital allocation of individuals is not a perfect measure of utility, but it is the best/fairest metric we have. Conveniently it provides a clear mechanism to sort out this mess. Price carbon pollution at the source and see the rest of the actors seeking profit fall in line. Miners will choose green energy, green energy will get more demand, their economies of scale will increase, pollution will decrease. Bitcoin energy use is no longer a problem and can provide whatever utility it is valued at without externalities.
If you had a mechanism to price externalities, and it wasn't government, then sure ok. But while we have no effective externality accounting and enforcement, this notion of wastage still exists fairly. If we could price in externalities with a government, then perhaps they would be more worthy of trust for currency too?
In terms of my original statement, I was effectively stating that the problem of decentralising currency doesn't really give back power to the people, because of the nature of wealth accumulation and propagation. Sure, it reduces the capacity for regulatory capture, but people with capital in whatever form still exercise a capacity to better maintain their capital base.
With regards to waste again, it becomes a moral issue. If we know that our externalities will cause problems, then by letting people continue to capitalise on them, we knowingly undermine the wider system we operate in. We have ethics committees for science and medical experiments, but when it comes to finance, experimentation occurs unimpeded. This leads to socio-economic outcomes which, while not fully understood, are also not complete unknowns.
It does not follow that if we can trust a Government to price carbon emissions then we should be able to trust them to not print money. We are basically guaranteed that they will, despite being able to effectively disincentivize things like smoking with an excise tax.
It is trivial for Governments to implement a carbon tax which would improve environmental conditions for all energy intensive production.
With regards to giving power to people, this is not done through wealth redistribution (although you get a little bit of that). The mechanism is through the constraint that the currency can not be debased. A rising tide lifts all boats, especially when there are not holes in them.
Built in deflation you say? That once again, favours the incumbents. Those starting out will be at a disadvantage even more than they are now, for not having held any tokens of value. It also means that anyone who does attempt to do anything which requires money up front, whether that be starting a business, or starting a family, are at an even greater disadvantage. A rising tide lifts all boats, unless the boats haven't been built yet. Then it just becomes very difficult as more and more of the land is covered by the ever increasing tide.
You seem to be ignoring the status quo. I only need to prove it better than the current system, you need to prove that the current system is better. Those families and businesses that start from nothing still need money. Just that currently the money they do get is going to be worth less in the future.
Right, which means it is worth being spent. If spending is not worth it, then spending by and large dries up, resulting in a reduction of income to others, reducing the multiplier effect, and reducing the amount of actual trade that occurs. People continue to save as income opportunities dry up, and those with no income get royally screwed. With no risk taking occurring, things go back to bare essentials, which we are already very efficient at. Maintenance places are the only places which will maintain any expertise.
To be fair, I think there is already a risk of this, in any situation where capital becomes severely unequal. However, making the monetary token itself an item of (appreciating) value, rather than only the means by which trade is mediated independently and in arbitrarily small parts between multiple parties, is a sure way to speed that process up.
This is a wonderful story that doesn't make any sense. You are suggesting that there are two sets of people, those with BTC that is increasing in value and those without. Those with are spending nothing and getting fabulously wealthy not spending their appreciating asset. Meanwhile, on the outside the no-coiners suffer from the lack of trade and become destitute and the economy grinds to a halt.
This makes no sense for several reasons. The no-coiners could just buy a tiny fraction of a BTC with whatever fiat they have and become fabulously wealthy. When they do this they would be setting the market price even higher for all the rich Bitcoiners. All of these fabulously wealthy holders think against deploying any capital to either enrich their life or increase their rate of return over asset appreciation.
It is absurd to think that as an entire population becomes wealthier less risk taking occurs, when it is people that are mired in debt that often take less risk.
Before you respond remember these facts, the market price is set by buyers and sellers (trading). Bitcoin is infinitely divisible despite a capped supply. Gresham’s Law dictates that people will spend bad money first. Your no-coiner set has at least the ability to provide a service to begin wealth accumulation.
This point should be made more often. It also supports the ethereum and EOS use case, a general purpose computing blockchain and distributed VM: it allows smaller utility coins to be backed by the same size network as the eth token and ecosystem, something they would never manage on their own. The token's security is proportional to its network size. Fragmentation of the already small subset of people capable of running blockchain nodes that actually do run nodes is great for innovation but bad for network security and confidence.
Whilst that's an interesting page, it lacks the most important part of my request: "and how much it would cost somebody to take over 50% of the network"
That graph doesn't tell me how much it costs to launch a 50% attack. Maybe I'm just lazy, but I want a table with the name of the crypto currency in one column, and the cost in USD to launch an attack in another column.
Figuring that out sounds like a fun but non-trivial project.
Since crypto currencies have different mining schemes one would need to keep track of the hash/$ ratio for each one.
I guess the simplest way to do so would be to cross-reference the different mining market places that exists.
Do you have other ideas for figuring out the hash/$ ratio?
> but I want a table with the name of the crypto currency in one column, and the cost in USD to launch an attack in another column.
Doesn't the cost depend on who you assume the attacker is? The required hashing power doesn't have the same acquisition and operating costs for all potential attackers.
Of course, you're correct, but that's just an implementation detail.
Each currency would need an explanation of what resources the calculation was based on. E.g., n instances of a blah node on Google Cloud Platform running software x in config y for z hours.
> Ordinarily, the blockchain would resolve this by including only the first transaction in the block, but the attacker was able to reverse transactions since they had majority control of the network.
Not a very precise explanation, just checking, what exactly does this mean?
I always thought the way a 51% double-spend attack worked was by broadcasting a transaction for human consumption (e.g., I'll give you Y coins for Z dollars), then secretly mining your own blockchain for the N successive chains following it. After the humans have completed the human-level transactions after waiting the standard N successive blocks with no transaction conflicts, you release your own secret blockchain fork back into the public with data that contradicts the current popular one and instruct your network to ignore the competing publicly-acceptable chain. The new private one wins so long as it is equally as long as the public one, which it should be because you have more compute power than the rest of the public.
You are correct. The longest chain is accepted as the correct one, so if you have 51% hashpower and secretly mine while maintaining majority hashpower the whole time, your chain will be longer and you can publish it at any time, and effectively rewrite recent history.
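The two comments above describe why a majority miner's private chain always wins; the question a defender (an exchange or merchant) actually has to answer is how many confirmations to wait when the attacker holds less than a majority. Section 11 of the Bitcoin whitepaper gives the probability that an attacker with hashrate fraction q catches up from z blocks behind. The following is an added example, not code from anyone in this thread: it implements that formula and uses it to pick a confirmation depth for a chosen risk level. It also shows the cliff the thread is talking about: at q >= 0.5 no number of confirmations helps.

```python
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the hashrate
    ever catches up with the honest chain after it is z blocks ahead
    (Bitcoin whitepaper, section 11). Returns 1.0 as soon as q >= 0.5,
    which is the 51% case discussed in the thread."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of the total hashrate")
    p = 1.0 - q                      # honest fraction
    if q >= p:
        return 1.0                   # majority attacker always wins eventually
    lam = z * (q / p)                # expected attacker progress while honest mine z blocks
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_for_risk(q: float, max_risk: float, limit: int = 1000) -> Optional[int]:
    """Smallest confirmation depth z such that the attacker's success probability
    is at most max_risk. Returns None when no depth up to `limit` suffices,
    which is always the case for q >= 0.5."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed scenarios: the attacker shares are assumptions for illustration.
    for q in (0.10, 0.30, 0.45, 0.51):
        z = confirmations_for_risk(q, 0.001)
        print(f"attacker q={q:.2f}: confirmations for <0.1% risk = {z}")
    print("q=0.51, z=100 ->", attacker_success_probability(0.51, 100))
```

For q = 0.10 the answer is 5 confirmations and for q = 0.30 it is 24, matching the whitepaper's table; for q = 0.51 the function returns None, which is the formal version of the point made above that a majority miner can rewrite recent history at any time. An exchange that raises its confirmation count after an incident (as later comments in the thread predict) is effectively moving down this table, betting on a lower q than it previously assumed.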
Have there been other approaches to solving the double spend problem? I know ByteCoin (which is from scratch and uses 'CryptoNote' (or CryptoNight?)) and its forks, which include Monero, are designed a little differently, and I think they boast having solved the double spend problem too, but I am not sure if they just make the same decisions as Bitcoin concerning updating the blockchain?
>Obtaining this much hashpower is incredibly expensive
Is it? Presumably you only need to maintain it for a short amount of time. Sounds like something one could smash with google cloud preemptible GPUs or similar. Especially since such an attacker is presumably not above using a stolen CC or three.
Well, under the standard assumptions of blockchains like Bitcoin, yes it's incredibly expensive to obtain enough hashing power to do a 51% attack. There's a lot of nuance to it though.
In this case, Bitcoin Gold chose to have an "ASIC Resistant" algorithm, Equihash, and likely was only protected by GPUs mining the network. Bitmain has recently released an ASIC for Equihash that is substantially cheaper and more energy efficient than using GPUs, meaning that some pool which was able to buy a large number of the ASICs would have had a pretty easy time gaining enough hashrate to launch a 51% attack.
This is one of the big risks of attempting ASIC resistance. In the event that someone produces an ASIC, your coin is a complete sitting duck.
But hashrate on BTG has been falling consistently since inception; it doesn't look like someone invested in a load of ASIC devices to perform this attack, more like they kept the same operation and watched its % grow as other miners left the chain for a more profitable coin.
The hashrate charts don't measure orphaned blocks, so the attacker hashrate (manifested in the form of a bunch of orphaned honest blocks) wouldn't be visible in that chart.
Under normal free market assumptions, the cost of double spending is simply the expected reward of each block multiplied by the number of blocks that need to be mined. For bitcoin, where the reward for finding a block is currently ~$100,000, that means you should be able to double spend by mining 6 blocks at a cost of less than a million dollars.
The question is: are bitcoin miners subject to the usual free market assumptions? If someone offered you double the market rate to hire a bitcoin miner for an hour would you accept that offer or not?
As a miner, you are likely not going to accept because your entire revenue stream comes from the cryptocurrency being stable. If someone uses your hashrate to launch an attack, it's a direct threat to your future revenue especially if the attack discredits the security of the token you mine.
In this case though, Bitcoin Gold shares a hashing algorithm (Equihash) with many other blockchains. It is possible that some Zcash mining farm decided to attack Bitcoin Gold because they felt the revenue from attacking Bitcoin Gold was greater than the potential damage to their income, which is primarily Zcash based.
I'm just grasping at straws here, but generally speaking it's a bad idea to share hashing algorithms with another cryptocurrency, especially if that cryptocurrency is substantially more valuable (in terms of monthly block reward) than your own.
And, all GPU-mined coins are essentially sharing one algorithm, because the hardware can jump between them easily. So all GPU based coins share this vulnerability, where the tiny GPU mined coins could easily be attacked or wiped out by a large Ethereum farm at any point.
The math doesn't work that way because honest miners amortize the capital cost of their specialized equipment over long periods of time. An attacker undermines the network's value and so must operate on shorter timescales. The capital costs of an attack could perhaps be partially recovered via resale, but getting order ~50% of the existing network's specialized hardware might prove prohibitively difficult even given sufficient capital.
[edit] And renting existing miners' equipment would be difficult because you would have to: figure out who they are, convince them to point their equipment to your pool, run your own dark pool servers to handle data from tons of miners, run infrastructure to make payouts to these miners, hope that exchanges don't have reorg procedures that prevent you from accomplishing your double spend, hope your chain reorg doesn't panic the market for long enough for you to double spend exchange to another coin that won't be tanking (due to the reorg).
The article says they reversed some transactions up to 22 blocks later, which is 220 minutes, or 3 hours 40 minutes. So they would only need 51% for that time, but they didn't just add 51% of hashing power or that would be noticeable on the charts. From the looks of it [0] the hashrate has been falling slowly since BTG was created, so the miner may have just become the one with 51% by virtue of keeping mining with the same setup and then watching others stop mining, increasing his share of the network with no extra effort on their behalf. I would assume this miner also realises that BTG is dead/dying and is trying to extract as much as possible from it before they move their equipment to a new chain. If this attack method proves sufficiently profitable perhaps the miner will look at dying chains he can easily overpower instead of trying to mine a more profitable chain with a higher hash rate.
I'm just waiting for the day when it's revealed that ~70% of miners on a top 5 cryptocurrency are compromised by a specialized worm or malware. We'll probably only find out after the double spending is discovered but this type of outcome seems almost inevitable. The people writing this type of software are definitely financially motivated, but I can easily imagine such a person throwing away millions of dollars in 0-days just to fulfill such a hackneyed cyberpunk cliche.
Also, we know that things like stuxnet exist. Imagine something even a fraction as crazy as that targeting mining nodes. It's going to happen eventually.
>We'll probably only find out after the double spending is discovered but this type of outcome seems almost inevitable
Attacks like this are harder to pull off than you think. Miners constantly submit "shares" to the pool, which are then validated to credit them a share in the block reward[1]. Depending on what the difficulty threshold of the shares is, these could be submitted a few times a minute to every few minutes. If you hacked and gained control of the miners, sure, you can redirect all the hashing power to you, but this will be detected quite quickly. With thousands of dollars on the line per minute, you can bet that everybody has monitoring in place to detect a dip in share submission. Also keep in mind that you have to keep this going for about 1 hour (for your initial transaction to confirm) without people noticing. Moreover, the core problem with stealing hash power to do a 50% attack is that block times will skyrocket on the main chain, which will let everybody (and not just the pool operator) know that something's up. Plus, after this attack, you can bet that exchanges will start requiring additional confirmations for large deposits, and instituting withholding times for cryptocurrency withdrawals.
[1] I don't know whether large mining operators do this. Strictly speaking, they don't have to, but I'd imagine they do this because it lets them know that their rigs are up and producing valid hashes (i.e. not malfunctioning). It's almost certain that small mining operators use pools.
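The comment above makes a detection argument: hashrate diverted away from the public chain shows up as longer block intervals that every node can observe. As an added example (not from this thread or any pool's software), here is a small monitor that estimates network hashrate from block timestamps and difficulty and alerts when a recent window implies a sharp drop against the preceding window. The timestamps and difficulty are constructed: 30 blocks at the 10-minute target, then blocks arriving every 20 minutes, as if half the hashrate had left. The same sliding-window comparison works for a pool operator's share-submission stream, which is the other signal the comment mentions.

```python
from statistics import mean
from typing import List, Optional, Tuple

TARGET_INTERVAL_S = 600   # nominal 10-minute block time (Bitcoin and its forks)
WINDOW = 6                # blocks per comparison window
DROP_RATIO = 0.65         # alert when the recent window implies < 65% of the baseline hashrate


def implied_hashrate(timestamps: List[int], difficulty: float) -> float:
    """Estimate network hashrate (hashes/s) from consecutive block timestamps.
    Expected work per block at a given difficulty is difficulty * 2**32 hashes,
    so hashrate ~= difficulty * 2**32 / mean block interval."""
    # Clamp to 1s so a miner's skewed clock cannot produce a zero or negative interval.
    intervals = [max(b - a, 1) for a, b in zip(timestamps, timestamps[1:])]
    return difficulty * 2 ** 32 / mean(intervals)


def detect_hashrate_drop(timestamps: List[int], difficulty: float,
                         window: int = WINDOW,
                         drop_ratio: float = DROP_RATIO) -> Optional[Tuple[int, float]]:
    """Slide two adjacent windows of `window` intervals along the chain. Return
    (block index, recent/baseline ratio) at the first block where the recent
    window's implied hashrate falls below drop_ratio * the previous window's,
    or None if no such drop is seen."""
    for i in range(2 * window, len(timestamps)):
        baseline = implied_hashrate(timestamps[i - 2 * window:i - window + 1], difficulty)
        recent = implied_hashrate(timestamps[i - window:i + 1], difficulty)
        if recent < drop_ratio * baseline:
            return i, recent / baseline
    return None


def build_sample_timestamps(honest_blocks: int = 30, slow_blocks: int = 12,
                            slow_interval: int = 2 * TARGET_INTERVAL_S) -> List[int]:
    """Constructed sample chain: honest_blocks at the target interval, followed by
    slow_blocks spaced slow_interval apart (half the hashrate gone -> blocks take twice as long)."""
    ts = [k * TARGET_INTERVAL_S for k in range(honest_blocks)]
    for _ in range(slow_blocks):
        ts.append(ts[-1] + slow_interval)
    return ts


SAMPLE_DIFFICULTY = 1.0e6   # constructed value; difficulty cancels out in the ratio


if __name__ == "__main__":
    alert = detect_hashrate_drop(build_sample_timestamps(), SAMPLE_DIFFICULTY)
    if alert:
        print(f"hashrate drop detected at block {alert[0]}: {alert[1]:.0%} of baseline")
    else:
        print("no drop detected")
```

On the constructed chain the alert fires at block 33, four slow blocks in, with the recent window at 60% of baseline. Real block arrivals are Poisson-distributed, so a 6-block window will raise false alarms fairly often; in practice one widens the window or requires the condition to persist, trading detection latency for precision. Difficulty is only retargeted every 2016 blocks on Bitcoin, which is why the interval, not the difficulty, carries the short-term signal.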
You're right that there are a few canaries in the coal mine, but there are a lot of creative options if you have the ability to execute arbitrary code on a mining node botnet, assuredly some of which are yet to be discovered (as far as we know). Consider as well the many financial opportunities available to someone who may have an interest in sabotaging or disrupting some kind of mining activity, perhaps in subtle ways that are not usually noticed.
With that method, you might be able to fool the mining operator's monitoring system (assuming you also pwn their pool server), but you can't fool the whole network. There's simply no way to hide a 50% drop in network hashrate.
However since it is a 'Bitcoin cash' type coin this will ultimately hurt bitcoin and the community as a whole. I can already see the buzz "Bitcoin double spending attack!" articles
As someone that follows the space partially because it's a really cool story, I am amped about all of the attacks these days! It looks like there weren't any protocol failures or anything that made the attack easier. It's a simple case of 51% attack.
The hashrate for BTG is well below most other coins, a modest miner on another coin could easily switch and execute the attack, then switch back to their main coin and not have to pay large transaction costs for hardware acq or rental costs.
Bitcoin gold uses a different hashing algorithm than bitcoin and bitcoin cash. Because of this, this fork was not able to take advantage of the enormous resources invested in the original bitcoin mining community like bitcoin cash was able to. There is still orders of magnitude more cost involved in attacking bitcoin cash (and bitcoin) than it was to attack bitcoin gold.
[edit] Also - bitcoin gold uses GPU mining - so one does not need to acquire specialized hardware to mine/attack it - and the hardware involved can be resold for other uses recovering a significant part of the capital cost. Or you could just rent it from the cloud.
I don't have an opinion on BTC vs. BCH, but I think network innovation through competition of these coins is ultimately a good thing. The free market will dictate what each of them is worth for different use cases. In any case, increased competition will increase the quality of Bitcoin and cryptocurrency as a whole.
Satoshi really downplayed 51% attacks in his/her original whitepaper[1]:
> The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
Apparently he didn't realize that coins could quickly be transferred to other crypto and not held, so who cares about the value of the stolen goods.
I think it's probably fair to say that he/she did not anticipate people spinning up a whole bunch of crypto-currencies and that those crypto-currencies would be worth something. How many coins are out there that are worth millions of dollars to people speculating? I certainly wouldn't have given that idea credence at the time Satoshi wrote the original whitepaper.
I personally thought that BTC would either be successful (in that it would be a useful currency) or that it would tank. I did not anticipate people dumping piles of money into it to speculate on its value. I certainly did not anticipate a bunch of wannabe coins sitting on millions and providing practically no value to anyone.
It's a testament to the number of people who are desperate to get rich. I probably should have taken a cue from the lotteries...
Yeah, in the next couple years I'd expect to start seeing smaller PoW chains wither away due to attacks like this, and exchanges starting to have prohibitively high conf times as they'll need to protect themselves from attacks like this.
But wouldn't the long-term honest mining be more profitable than a single hit and run? Kinda the same reason that when you go to a restaurant the restaurant owners almost always exchange food for money rather than rob you and leave town forever. If you own a restaurant it's generally more profitable to run it honestly than run away with a one-time dishonest payoff.
Not if it destroys the credibility of a rival coin, which I suspect could be the case here. Many in the "real Bitcoin" community call Bitcoin Cash a fraud because its existence reveals the specious value of their "real" cryptocurrency.
Executing a double spend attack on Bitcoin Cash would be a massive success for Bitcoin owners. Same goes for Bitcoin Gold.
You could even create a mining pool/network - let's call it CoinFucker - where every now and then the pool's resources were diverted to attack a rival coin. Doing so damages that coin's reputation, and in doing so reduces the competition. This would be a great way for the majority of mining/computational power to squash would-be rivals.
I'm not sure in this specific case it would make sense for Bitcoin users. Unless you are already involved in cryptocurrencies, I'm not sure the average person is going to differentiate between "Bitcoin" and "Bitcoin Gold" -- the negative impression of "Bitcoin Gold hit by attack" is going to reflect on the original Bitcoin.
Depends on if you feel that the crypto would continue to have value in the long term. If you've amassed that much power (or are close to it), and you didn't feel the coin was going to hold value long term, why not?
I was referring to those out to game the system, not the creators of the software. Then again, I have the same contempt for stock market traders, currency speculators and purveyors of financial "products", "instruments" or any other crazy term invented to make getting something for nothing sound respectable.
I met the founder of Bitcoin Gold a few months before; I cannot tell if there is any other reason he forked bitcoin than mere profit. He said he was going to fork ether as well. Given the speculative nature of the people involved in this network, could this be an inside job?
Every POW coin should either switch to POS or if they are going to stick with POW they need to focus on a different algorithm and let ASIC development happen. The key to being a weaker chain is to encourage the community to build an ASIC just for your coin. I don't understand this push by many POW coins on sticking with commodity hardware, except for a few giants (zcash, eth, monero) you're going to get destroyed.
Dedicated ASIC only for your chain = good. Commodity hardware = bad.
> In August, a group split the chain to create a new form of Bitcoin that they called Bitcoin Cash. The two blockchains shared a transaction history up until the time of the split, giving anyone who held any number of Bitcoins until the so-called hard fork the equivalent number of Bitcoin Cash on the new fork. (A hard fork is a software change that runs the risk of splitting the blockchain into two, particularly if the community disagrees about it. If you follow Ethereum or cryptocurrency, you may have heard that Ethereum split into Ethereum and Ethereum Classic after a contentious hard fork.) However, many people who didn’t support Bitcoin Cash dumped their coins quickly, and, after initially spiking up to $900, the price has now deflated to about $300.
It's like a car accident, but there's this siren song urging you to join in because some of the people are thrown free holding chunks of gold.
It reminds me of a Jim Gaffigan joke. He's talking about trying to lose weight, and how hard it is when the fast food restaurant has a $2 for 2 burgers deal... "Well... I don't want to lose money on this... I'll take eighty."
On the one hand this whole cryptocurrency thing seems to have gone off the rails. On the other hand, I do feel kinda dumb for not owning any.
If Bitcoin became the dominant currency of humanity, eventually we’d darken the galaxy by building Dyson shells in the ultimate energy arms race to prevent a 51% attack.
A 51% attack, like you're saying, only needs more than half of the hashing power and that's it, and the whole thing is blown. But then again, all you need is 51% more weapons than your enemy and you can probably beat them too.
Is this stealing by whatever definition police/the courts currently use? Isn't it an intentional part of the design of a cryptocurrency that decisions are made by a consensus based on hashing power?
If you have 51% of the hashing power, you have control over that cryptocurrency; that's by design. Can you really steal at that point?
edit: to those replying, I'm not saying this double spend is ethically fine, or not theft in the common parlance. I'm saying it's not entirely clear to me a court would find this to be theft. Think about the Ethereum hard fork to undo the DAO hack; there, a majority of the hashing power undid a bunch of transactions. I wouldn't call that theft (because it was undoing a hack?) but it doesn't seem that different to this situation.
Uh, yes, you can steal. Just because the vault is open at a bank doesn't mean that you can walk in, take the money and leave, and then claim that it's yours because they didn't lock the door.
When you send money to an exchange, there's an understanding that the money now belongs to the exchange. The exchange waits 6 confirmations to ensure that the money is not easily stolen, but the money legally belongs to the exchange as soon as the transaction is sent.
---------------
Also, a 51% attack doesn't give you control over the cryptocurrency. You still have to follow the rules of the system, you can't print extra money from thin air, you can't spend money you don't control, the most you can do is change the ordering of the transactions that have happened on the system. And a lot of times, those transactions have block height or block id dependencies, which means you are even limited in your power to do that.
A 51% attacker is not God. They have a limited set of actions they can take, and while certain forms of stealing are included in that set of actions, it's overall a pretty limited set of things that you can do.
It is not by design, it is a known weakness. The intent behind the actions also matters and it would be known to the malicious miner that to take these coins from exchanges would result in a loss to the exchange. So it would be illegal.
If however the miner maintained 51% + network share and then wrote some code to create new coins and adopted that code and mined blocks awarding himself 1000 coins for each block, he could legitimately do that and then sell those coins. Of course this could lead to the price dropping as soon as people realised what was happening and likely to happen before the attacker could send enough coins to an exchange to make the same sort of profit as in the situation in the article.
Code is law, bro. These fine chaps simply gathered enough resources to execute a slightly different code-path than before.
The folks whose value was stored in Bitcoin Gold should have read the source code before committing any funds to the blockchain. Had they done so, it would have been very clear that this feature was baked right into the source code.
And yes, this is sarcasm.... but only kinda sorta--bitcoiners wanna live in a Truly Free Unregulated Market, free from statist jack booted thugs stealing their wealth at gunpoint... guess what, double spend attacks where everybody loses is the end result. Sorry for their loss....
What exactly was stolen here? This isn't legally recognized money. And the spend was of the attacker's own coins. The exchange into another cryptocurrency or fiat currency is fraudulent I suppose, but isn't that on the transacting exchange?
They pretended to transfer to the exchange an item of value, and agreed to swap that item for a different item of value. They've defrauded the exchange / obtained a benefit by deception, like writing a dud cheque or something.
Fraud doesn't require "legally recognized money" to be involved. If you had some scam where you knowingly traded counterfeit collectable cards for real ones you'd be in trouble too.
Both the location of the victim and of the attacker could prosecute; the location of the victim is more likely to start the process since they'll receive the complaint.
Why would the legal tender issue change anything whatsoever?
Fraud and theft statutes in general don't have any specific limitations to what the stolen assets must be, it's sufficient if they have some nontrivial value. No matter if Bitcoin Gold is treated like a currency, a security, or other asset, the treatment of it regarding fraud or theft would be the same.
In general, this seems like a clear-cut case of fraud - there's a victim (the exchange) that suffered a loss (by allowing to withdraw the coins) by deception (the attacker "demonstrated" that they deposited the coins, but reversed it), and there's clear premeditated intent to arrange the scheme for the attacker's financial benefit.
The technical details of how the victim was convinced to accept the deal and how the funds were extracted, and what's the nature of the currency are not particularly relevant to whether it's fraud, they'd be used only as evidence to show what happened and to evaluate the amount of loss.
What's interesting to me is that the bit of game theory that is supposed to make such an attack unprofitable seems not to be holding here. Supposedly the idea that the blockchain was insecure would devalue the coin to such a degree as to disincentivize people from attempting these sorts of attacks. I see virtually no movement in the price of BTG and relatively little in XVG (also attacked this week). If anything, the fact that the chain's integrity can be compromised and nothing happens appears to undermine a core assumption of Nakamoto consensus.
> Supposedly the idea that the blockchain was insecure would devalue the coin to such a degree as to disincentivize people from attempting these sorts of attacks
The original claim was:
> He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth
What Satoshi didn't take into account is the rise of "cloud mining" services and thousands of competing "alt-coins" using the same hashing algorithm.
- It rubs me the wrong way to call it an "exploit" when 51% attacks are a core part of the way blockchains function.
- I'm surprised that the price for bitcoin gold isn't tanking. That's a sign that the crypto marketplace really isn't healthy right now, imo
- Conversely I'm surprised that this isn't causing a spike in coins that are more robust in regards to 51% attacks, like BTC and BURST (because they're both the majority coin in the realm of the resources they require)
This puzzles me. Although a miner with enough hash power can do a double spend, it's obvious from the blockchain that they did so. To bring this off, you have to have huge hash power and be anonymous. That limits the number of possible attackers.
Bitmain could do this to Bitcoin, but everybody knows where Bitmain is.
If all that is required to reverse transactions is 51% control, cannot the transactions that occurred during the double spend attack also be reversed by a 51% coalition once the attacker loses its majority?
Sure but it doesn't solve anything. Remember that people do not trade token A for token A. You don't buy dollars with dollars. You use dollars to buy something else, like euros.
So you may reverse one token, but you won't be able to reverse the other.
i.e. suppose you have $100 and I have 100 tokens (e.g. bitcoin gold coins). You pay me $100 and I give you the coins. I now double-spend and sell the coins to someone else. You now have no coins and no money. I then double-spend that and give the coins to myself.
You could at some point fix this and get the coins back, technically. But you're not going to get your $100 back. Nor is the other person. And the other person never got his coins. So both of you are out of money, and only one has the token. Theft occurred.
Moreover, even if you somehow both had the coins, they ought to be worthless because the entire system is completely useless. If a system can be compromised like this, the tokens have no value. Just like a dollar bill has no value if it can be printed, or can magically be transferred to a thief at the click of a button.
I used dollars in this example, but the more likely avenue of attack is for the attacker to sell his bitcoin gold for other cryptocurrencies like bitcoin over and over. Like selling an expensive bicycle to a customer but keeping the key to the lock, stealing it at night and selling it to someone else, a dozen times in the span of a few hours.
All of this is a major issue without even getting into the political discussion on forming a coalition and deciding which transactions were fair, genuine, worthy to keep, and which weren't. That's virtually impossible, particularly when there's one set of double-triple-quadruple-spent coins out there to distribute with many people making equal claims that they were scammed.
The strange thing about this is that there is no visible effect on the price of BTG. It is going down true - but most crypto go down now - and when you look at the chart you would not guess that there was such a dramatic event: https://cryptowat.ch/markets/bitfinex/btg/usd
Well it was scamish to begin with. 100,000 coins were premined when it forked. With a lot less mining competition a double spend attack was just waiting to happen. It is possible to also do a double spend attack on Bitcoin and Bitcoin Cash. It's just not very feasible because you would need A LOT of hashing power. So this comes as no surprise to me at least.
Double spending is just convincing the network you've sent coins to multiple places, and then undoing all of the transactions that were 'paying' for something (in this case paying for credits at an exchange).
The actual details of what they were doing matters and I don't know them, but it's almost certainly simpler to chain double spends together, one after the other, than to try and do three or more transactions concurrently then reverse most of them.
This achieves the same thing as a triple or quadruple spend but only necessitates reversing one transaction at a time.
Someone please correct me, but here's my best explanation.
When you first connect to the Bitcoin network, how do you find out what the true blockchain is? You connect to other nodes and ask them. They may tell you anything. However, it's easy to verify whether a blockchain given in a response is valid. That is, it's easy to tell if a given blockchain is following all of the rules.
But what if you receive a few valid blockchains that are different from one another? Which one is the true blockchain for the world?
You simply choose the longest blockchain that you hear about.
Why the longest? It's the one that has had the most computing power focused on it. Anyone can compute a very small, self-serving, malicious blockchain of a few blocks. But to compute the longest blockchain in the world requires vast computing resources. The longest blockchain is supposed to be uncontrollable by any single party or network of colluders because it is supposed to be too hard to acquire the majority of the computing resources in the world.
Unfortunately, it looks like someone did just this and controlled >51% of all computing resources in the world dedicated to Bitcoin Gold. If you have enough resources, you can generate the longest blockchain in the world, add a self-serving transaction, get some goods or service in return, then recompute a new longest chain in the world where that transaction is no longer there. Everyone by default accepts the longest blockchain because it's supposed to be the most safe, but they are wrong.
I'm not well versed in the block chain tech but it is surprising that there is an inherent big ass monopoly type manipulation you can run ... inherent to the system.
That seems very much not what Bitcoin would "intend" and yet there it is, very available.
It's not reversing per se, it's like the transaction never happened.
They send the money from their address to the exchange, the exchange credits that money.
Then they release their chain (that they have been building privately). This chain is taken as the consensus and accepted.
Why? Because it is the longest chain.
Why? Because it has had more than 50% of hashpower behind it, allowing it to add blocks faster than the current network.
Now the trick here is that because a single entity controls this new chain, they can just not include the transaction which happened between them and the exchange. So in a sense, it never happened. Yet the exchange credited the account -- thus the exchange account now has currency, and the original account has currency as well.
The purpose of mining is to solve a puzzle. In Bitcoin one solution is expected every 10 min on average. This can then be used to store transactions on the blockchain in one block. To add to that block you need to solve a new puzzle and so on.
You can reverse transactions if you recalculate the puzzle solutions. This can take time but if you have more mining power than the rest of the network you can win this race. This is called a 51% attack.
So for example you deposit to an exchange and wait for that to confirm, in maybe 6 blocks. Meanwhile you create 7 blocks in secret yourself where you did not send to the exchange and release them to the world. The blockchain works by always considering the longest chain as the correct one, therefore overwriting or reversing the old transactions.
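The mechanics described in the three explanations above (longest-chain rule, a privately mined chain released after the exchange credits a 6-confirmation deposit, and the resulting reorg) as an added toy model; this is example code written for this page, not any commenter's code and not Bitcoin Gold's. It assumes a tiny hex-prefix difficulty so it runs instantly, equal difficulty on both chains so "longest" equals "most work", and adds the check an exchange would want: a reorg-depth alarm that fires when the chain it followed is discarded deeper than its confirmation policy.

```python
import hashlib
import json

DIFFICULTY = 2      # leading hex zeros required (assumed, tiny for the demo)
CONFIRMATIONS = 6   # the exchange's deposit policy mentioned in the thread

def block_hash(prev, txs, nonce):
    payload = json.dumps([prev, txs, nonce], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def mine_block(prev, txs):
    """Brute-force a nonce until the block hash meets the difficulty target."""
    nonce = 0
    while True:
        h = block_hash(prev, txs, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"prev": prev, "txs": txs, "nonce": nonce, "hash": h}
        nonce += 1

def valid_chain(chain):
    """Rule check a node runs on any chain it is offered: every block links to
    its predecessor and carries a hash that meets the target."""
    prev = "genesis"
    for b in chain:
        if b["prev"] != prev or block_hash(prev, b["txs"], b["nonce"]) != b["hash"]:
            return False
        if not b["hash"].startswith("0" * DIFFICULTY):
            return False
        prev = b["hash"]
    return True

def extend(chain, txs):
    prev = chain[-1]["hash"] if chain else "genesis"
    return chain + [mine_block(prev, txs)]

def choose_tip(candidates):
    """Fork choice: among valid chains, adopt the longest one."""
    return max((c for c in candidates if valid_chain(c)), key=len)

def confirmations(chain, tx):
    """Blocks on top of (and including) the block holding tx; 0 if tx is absent."""
    for i, b in enumerate(chain):
        if tx in b["txs"]:
            return len(chain) - i
    return 0

def reorg_depth(old, new):
    """Number of blocks of the previously followed tip that were discarded."""
    common = 0
    for a, b in zip(old, new):
        if a["hash"] != b["hash"]:
            break
        common += 1
    return len(old) - common

def simulate_double_spend():
    base = extend([], ["earlier history"])            # block both sides build on
    deposit = "attacker -> exchange: 100 coins"      # constructed sample tx
    public = extend(base, [deposit])
    for _ in range(CONFIRMATIONS - 1):
        public = extend(public, ["honest tx"])
    credited = confirmations(public, deposit) >= CONFIRMATIONS
    private = base                                    # attacker forks before the deposit
    for _ in range(CONFIRMATIONS + 1):                # 7 blocks beat the public 6
        private = extend(private, ["attacker keeps coins"])
    tip = choose_tip([public, private])               # released chain wins on length
    depth = reorg_depth(public, tip)
    return {"credited": credited, "deposit_on_tip": confirmations(tip, deposit) > 0,
            "reorg": depth, "alarm": depth >= CONFIRMATIONS}
```

The exchange's policy is satisfied (`credited` is true) and yet the deposit is gone from the adopted tip; the `alarm` field is the signal to halt withdrawals and raise the confirmation requirement rather than trust the count alone.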
EOS has begun trading without any of that. Now it's an ERC20 token, I guess, but still there is no code, no network, no nothing -- and in fact their creators have declared they won't be starting the network or whatever, they're just selling "the idea". The tokens themselves have no value at all, they only _hope_ that whenever someone starts the network they will give some privileges to the current token holders.
I can see two explanations. One being the irrationality driving the amount of demand for it being unchanged by mere facts until reality gets in their face in some way like a recession forcing enough to withdraw.
The second and more disturbing possibility being it is still good for money laundering cycles even if the actual suckers have cashed out. If money launderers, say, maintain storefronts that give out digital goods of some sort, the costs to themselves are minimal, so they don't particularly care if someone gets a few megs downloaded for now invalid bitcoin.
Well for one, the price is down by 10% from last week. Whatever was priced in from those 'in the know' a week ago wasn't that big of a deal.
Secondly, the theoretical expectation was always that the value should go to 0. i.e., if parties can steal money whenever they want then the system is worthless.
Obviously there are parties who together form 100% of the mining power, same with 51% of the mining power. They need only come together and decide in order to steal. The only thing preventing this was a bit of game theory about how their coins and mining equipment would become worthless the moment they do this.
The fact that this hasn't happened at all means they profited hard. And it means virtually any coin that has a set of investors with similar levels of disinterest is susceptible to these attacks.
My prediction is this: the first attack has little influence, even on bitcoin. It'll be cast aside as some mysterious accident, the theft won't be large and it'll be seen as insignificant, people will remain hopeful. When these attacks happen with some frequency, like once a month and at a large scale, then we'll see trust completely plummet and prices with it.
It's weird the reaction on cryptocurrency prices today has been so correlated, you'd expect a flight from smaller more vulnerable coins into the larger market caps.
Then again maybe everyone is just freaking out about the tether expansion...
So BTG has a hash rate in the order of tens of M using the same hashing algorithm that is used on the ETH network, which has a hash rate in the order of hundreds of T? So a millionth (10e-6) of ETH hashrate could 51% BTG?
Anyone well versed in this topic care to comment about how these attacks might/might not relate to the 'proof of work vs proof of stake' debate in the wider cryptocurrency world?
No one would ever actually do a double spend attack as it would be more profitable to mine the currency instead --Every cryptocurrency enthusiast ever.
To me, this shows how Bitcoin type cryptocurrency mining incentives line up. For good actors, there is little to no incentive to seek 51% capacity whereas there is a lot of incentive for bad actors to seek it. As an economic activity, the logic of ruthless competition makes double spend capability the holy grail. Double spend is the sole reward for 51% capacity.
Purely hypothetical and mostly stupid: could double spending attacks be a way to overcome the issue of a limited supply of coins and the fact the total number of coins tends to zero as old coins are lost?
If you wanted you could "reclaim" coins which didn't move in 10 years let's say. Or you could just issue new coins. There is no need to go to such convoluted lengths.