But there is a far more benign and profitable attack: collect all of the block reward. No need to tell anybody, and no need to upset users by double-spending. Business as usual.
In other words, establish a benevolent mining monopoly:
The hash rate majority becomes an effective monopoly by censoring blocks from outside the cartel. The incentive is equal to half the block reward. If done properly and gradually, few users would notice. Nor would many care. Those who did would simply leave.
I suspect there's even a version of this attack in which a cartel makes public threats to censor blocks it disapproves of. This is, after all, what BIP-9 does:
Using this approach, a cartel may be able to leverage a hash rate below 50% to 100%.
There's some precedent for this with UASF. The hash rate of the group threatening to censor blocks there was quite small (certainly below 50%). Depending on who you talk to, the threat of block censorship by this group was enough to shut down segwit2x.
Due to the non-linearity of block rewards -- reward as a function of time spent working on a block is not constant -- an individual miner is always incentivized to pool hop after a certain point.
However, Bitcoin mining suffers from the same problem that Californian farmers face when there's a drought -- the tragedy of the commons.
In both scenarios, there is an individual incentive to deviate from the rules set: with Bitcoin, it would be with people secretly mining; with farmers, it would be with people secretly taking more water than their allotment.
The steady-state is a reduction in mining activity across all public blockchains by ~50% or so, although that's probably an upper bound that wouldn't actually be reached.
Based on a quick first read, and ignoring numerous important details, the main argument boils down to this: "mining" costs (i.e., the computational and other costs of processing transactions) in the network must be greater than the profits that could be obtained by compromising or sabotaging the network. Otherwise, it becomes profitable to compromise or sabotage the network. For example, if the cost of mining is lower than the one-time profit that could be made by betting a large sum against the price, it becomes profitable to bet such a large sum against the price and then invest the smaller sum necessary to acquire a majority of the computing power to sabotage the network.
This is correct... but only if there is a zero-profit condition among miners -- i.e., if the Bitcoin network behaves like a standard theoretical rent-seeking tournament that reaches and settles into a classical equilibrium, instead of behaving like a distributed transaction processing network that produces profits for the parties that process transactions (AKA "miners"). I have not seen a good study (or actually any study) on the profitability of miners, but many miners claim to be making money by processing transactions!
If mining is profitable, as miners claim, we have to add another condition: the net present value of the profits that could be obtained from compromising or sabotaging the network would need to exceed the net present value of the profits that could be obtained in perpetuity from behaving honestly. If the value of the profits that could be obtained in perpetuity by behaving honestly is greater, there would be no incentive to compromise or sabotage the network.
Those are my initial thoughts, based on a quick first read. But I'm barely doing justice to the paper, which I found to be well-written and easy-to-follow. I've downloaded it to read it (and think about it) more carefully.
Highly recommended reading if you have an interest in cryptoassets!
This is really why I don't think that 51% attacks are a problem for Bitcoin (and only Bitcoin). As soon as one is shown, the network's value will be destroyed. And if you're already on the gravy train through cheap power and cheap asics, why would you give that up?
I don't believe this to be an accurate statement. Looking at two other cryptocurrencies -- Verge and Bitcoin Gold -- which have undergone 51% attacks, neither of them has experienced a collapse in value as a result.
Think about Bitcoin vs Bitcoin Cash. Bitcoin Cash was a somewhat controversial fork that some feared would split Bitcoin to unknown effect, but in the end its only effect was giving all bitcoin holders an additional $754/coin (price as of today). In a time when a network was compromised, there would be a large market incentive to take up the forks, which would send their prices skyrocketing. Coins may end up being like the hydra. You slice off one head only for 10 to take its place. In a way this seems to be true of decentralized systems in general. Each time e.g. a major torrent site is taken offline, a dozen more come to try to fill the vacuum that's been created.
I think you have hidden one interesting assumption there. You assume there exists a relatively low upper limit for the interest rate used in npv calculations for all investors. In other words, if there is even one investor at any point of time that needs the money really badly very soon, your argument breaks down.
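The NPV condition stated a few comments up (a one-off sabotage payoff has to beat the discounted stream of honest mining profit) and the objection just above it (a single investor with a high enough discount rate flips the result) can both be made concrete. The code below is an added example, not from the thread or the paper; the profit, payoff, rate and horizon values are constructed numbers, and the finite-horizon variant is an assumption added here to model hardware depreciation or a miner who does not expect the network to live forever.

```python
"""Honest-versus-sabotage incentive check (added example, constructed numbers)."""


def npv_honest(profit_per_period, rate, periods=None):
    """Net present value of a stream of honest mining profit.

    periods=None models the perpetuity in the comment above: P / r.
    A finite `periods` uses the ordinary annuity formula; this is an added
    assumption for miners whose hardware or belief in the network has a
    limited life.
    """
    if rate <= 0:
        raise ValueError("discount rate must be positive")
    if periods is None:
        return profit_per_period / rate
    return profit_per_period * (1 - (1 + rate) ** -periods) / rate


def attack_is_rational(profit_per_period, attack_payoff, rate, periods=None):
    """True when the one-off payoff exceeds what honest behaviour is worth."""
    return attack_payoff > npv_honest(profit_per_period, rate, periods)


def breakeven_rate(profit_per_period, attack_payoff):
    """Discount rate above which a perpetuity of honest profit is worth less
    than the attack payoff:  P / r < A  <=>  r > P / A."""
    return profit_per_period / attack_payoff


def first_defector(investors, profit_per_period, attack_payoff):
    """Given {name: discount_rate}, return the first investor for whom attacking
    beats an honest perpetuity, or None. One impatient investor is enough."""
    for name, rate in sorted(investors.items(), key=lambda kv: kv[1]):
        if attack_is_rational(profit_per_period, attack_payoff, rate):
            return name
    return None


if __name__ == "__main__":
    # Constructed figures: 100 units/year honest profit, 1500 one-off payoff.
    print(npv_honest(100, 0.05))                       # 2000.0 (perpetuity)
    print(attack_is_rational(100, 1500, 0.05))          # False
    print(attack_is_rational(100, 1500, 0.05, 10))      # True: 10-year horizon
    print(breakeven_rate(100, 1500))                    # ~0.0667
    print(first_defector({"fund": 0.04, "loan-shark-backed": 0.25}, 100, 1500))
```

The finite-horizon case is the one to watch: a miner who expects to be in the business for ten years values the honest stream at roughly 772 units at 5%, so a 1500 payoff already wins, even though the perpetuity (2000) would not.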
network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware» https://satoshi.nakamotoinstitute.org/emails/cryptography/2/
Proof of work has become very expensive. Proof of stake has another set of problems.
How about proof of geographical distribution? If each node had to be a minimum physical distance from another node, that would put a big crimp into mining farms.
Distance can be verified. You can use speed of light lag to verify that two nodes are not further apart than some distance. So set up a mesh network. If you claim to be at a location, others in the mesh can verify that it's roughly correct by pinging it and measuring the round trip time. You can fake a longer distance, but not a shorter one. You might be able to do something in the WiFi bands in the 100 m - 1 km range. Require that each node be at least a few hundred meters from any other node. Give an advantage to suburbs and rural areas.
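The check the comment above describes is a one-directional bound: a round trip of RTT seconds proves the peer is no further than c·RTT/2 away, but says nothing about how close it really is, because a node can delay replies to look farther away but cannot reply faster than light. The code below is an added example, not from the thread; the node coordinates, RTT measurements and minimum-separation value are constructed, and the check deliberately only rejects claims that are physically impossible (claimed distance above the light bound) or that violate the minimum-separation rule.

```python
"""Light-speed plausibility check for claimed node locations (added example)."""
import math

C_KM_PER_S = 299_792.458   # speed of light in vacuum; fibre/air is slower, so the bound is loose


def max_distance_km(rtt_seconds):
    """Upper bound on one-way separation implied by a measured round trip."""
    return C_KM_PER_S * rtt_seconds / 2


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in degrees."""
    earth_r = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_r * math.asin(math.sqrt(h))


def check_claims(nodes, rtts, min_separation_km):
    """nodes: {name: (lat, lon)} as claimed by each node.
    rtts:  {(a, b): rtt_seconds} measured by the mesh peers.
    Returns [(pair, reason)] for claims the measurements rule out.

    A claimed distance below the light bound is NOT proof of honesty: the
    node may be much closer and simply answering promptly. Only the
    impossible direction (claimed farther than light allows) is caught."""
    problems = []
    for (a, b), rtt in rtts.items():
        claimed = haversine_km(nodes[a], nodes[b])
        bound = max_distance_km(rtt)
        if claimed > bound:
            problems.append(((a, b), f"claimed {claimed:.0f} km but RTT allows at most {bound:.0f} km"))
    names = sorted(nodes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            d = haversine_km(nodes[a], nodes[b])
            if d < min_separation_km:
                problems.append(((a, b), f"only {d * 1000:.0f} m apart, below the minimum separation"))
    return problems


def demo():
    # Constructed data: two nodes in the same building, one claiming New York.
    nodes = {
        "A": (37.7749, -122.4194),
        "B": (37.7750, -122.4194),   # ~11 m from A
        "C": (40.7128, -74.0060),    # claims NYC, ~4100 km from A
    }
    rtts = {
        ("A", "B"): 0.0001,   # 100 us: bound 15 km, consistent with 11 m
        ("A", "C"): 0.001,    # 1 ms: bound ~150 km, so "NYC" is a lie
    }
    return check_claims(nodes, rtts, min_separation_km=0.5)


if __name__ == "__main__":
    for pair, reason in demo():
        print(pair, reason)
```

In practice the bound is generous: switching and processing delay inflate every RTT, so a mesh can only reject gross lies (a node thousands of kilometres away answering in a millisecond), not confirm fine-grained separation of a few hundred metres.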
> Another issue relates to the negative externalities arising in proof-of-work blockchains. First, as shown above, when choosing individually optimal computing capacity, miners fail to internalise the negative externality their investment generates for other miners by increasing difficulty. This implies that equilibrium capacity acquisition in proof-of-work mining is excessive. Second, proof-of-work mining generates greenhouse-effect negative externalities, whose order of magnitude is significant. As of January 2018, the electricity consumed for Bitcoin mining was equal to the electricity consumption of over 3,400,000 US households, with an average consumption per transaction of around 300 kWh. Pigovian taxation could curb overinvestment in mining, but it might also be difficult to put in place, given the international decentralisation of mining.
The crux of the below paper, though, is that actual game theory shows that miners are incentivized to create and persist alternative histories of the blockchain, thus jeopardizing the blockchain's key function, that is to produce a stable and immutable history of transactions. We've seen this in practice with the dozens of Bitcoin forks and with Ethereum Classic, and how unstable exchanges were during the forking process (eg. lost customer funds, double spending, replay attacks, etc.).
If A was honest beforehand, everyone will notice the higher delay for block mining. Two things follow:
(1) B could easily increase, since those would be "dangerous times".
(2) Mining-related investors on standby may jump in and participate, increasing H, since A's hashrate would suddenly vanish from the public's perspective.
So while A is eating a [temporary] loss, other miners are eating a [temporary] profit from block rewards (since equilibrium was assumed). B (for particular receivers, those involved in high-valued transactions) may be arbitrarily increasing while the mining delay is unstable. That instability would reduce while other participants enter the mining game.
But for how long would A hold its [temporary] loss?
Also, if and after he wins the race, it's not like people can't ignore his chain with a temporary hard-fork. If they do ignore it for a while, sooner or later A's chain must get weaker, and that temporary hard-fork could be erased.
For the incentives for such a temporary hard-fork, remember those temporary profits and temporary losses during the race period? The attacker would need to happily turn his losses into other miners' losses, and their profits into his profit (regarding block rewards). Also, standard users could be very negatively impacted by such a chain change. This impact could be reduced if the attacker replicated the transactions in his private chain while racing, but some transactions may be specific to the block height, so, to replicate the transactions, he can't be much faster than the H chain.
So counting the chances of investors coming into the mining field, temporary losses that could last longer than expected due to block mining instability, the possibility of a temporary fork...
I mean, I didn't get the paper's math nor read it fully, but I think that there are more variables.
You can't assume that equilibrium holds since the difficulty only adjusts every two weeks. (Even in cryptocurrencies with continuous difficulty adjustment, 51% of the hashrate missing for 2-3 hours would not cause a noticeable drop.) Because the difficulty does not adjust during the attack, honest miners would be producing blocks at half rate (every 20 minutes) and thus would still appear to get their fair share of the block reward; they wouldn't get more.
For ASIC-based cryptocurrencies I don't think there's much if any hashrate sitting on the sidelines and the attack would probably be over by the time miners noticed.
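The comment above turns on difficulty being frozen between retargets: while a majority miner mines privately, the remaining public hashrate keeps the same difficulty, so public blocks simply arrive more slowly, and each public miner's share of those slower blocks is unchanged. The simulation below is an added example, not from the thread; the miner names and hashrates are constructed, and the retarget rule is a simplified Bitcoin-style one (new difficulty scaled by expected/actual timespan over 2016 blocks, clamped to a factor of 4), used here only to show how little a short disappearance moves the next adjustment.

```python
"""Block production with frozen difficulty during a private-mining episode (added example)."""
import random

TARGET_INTERVAL_S = 600          # Bitcoin's 10-minute target
RETARGET_BLOCKS = 2016           # blocks per difficulty period


def expected_interval(total_hashrate, withdrawn_hashrate):
    """Mean public block time while difficulty stays fixed: scales by total/remaining."""
    remaining = total_hashrate - withdrawn_hashrate
    if remaining <= 0:
        raise ValueError("no public hashrate left")
    return TARGET_INTERVAL_S * total_hashrate / remaining


def retarget_factor(actual_span_s):
    """Simplified Bitcoin retarget: multiply difficulty by expected/actual,
    clamped to [1/4, 4]. Slow periods (actual > expected) lower difficulty."""
    expected = TARGET_INTERVAL_S * RETARGET_BLOCKS
    return max(0.25, min(4.0, expected / actual_span_s))


def simulate(miners, withdrawn, n_blocks, seed=1):
    """miners: {name: hashrate}; `withdrawn` mines privately and wins no public block.
    Difficulty is frozen, so public blocks are a Poisson process whose rate is
    the public fraction of the hashrate. Returns (mean interval, share per miner)."""
    rng = random.Random(seed)
    total = sum(miners.values())
    public = {m: h for m, h in miners.items() if m != withdrawn}
    public_total = sum(public.values())
    rate_per_s = (public_total / total) / TARGET_INTERVAL_S
    names, weights = zip(*public.items())
    wins = dict.fromkeys(public, 0)
    elapsed = 0.0
    for _ in range(n_blocks):
        elapsed += rng.expovariate(rate_per_s)
        wins[rng.choices(names, weights)[0]] += 1
    shares = {m: w / n_blocks for m, w in wins.items()}
    return elapsed / n_blocks, shares


def blocks_lost_in(withdrawn_seconds, total_hashrate, withdrawn_hashrate):
    """How many public blocks a short private-mining episode costs, relative to
    the normal schedule. E.g. 51% gone for 3 hours ~= 9 missing blocks."""
    normal = withdrawn_seconds / TARGET_INTERVAL_S
    slowed = withdrawn_seconds / expected_interval(total_hashrate, withdrawn_hashrate)
    return normal - slowed


if __name__ == "__main__":
    # Constructed hashrates: A holds 50 of 100 units and goes private.
    miners = {"A": 50, "B": 30, "C": 20}
    mean_dt, shares = simulate(miners, "A", 5000)
    print(round(mean_dt), shares)                  # ~1200 s; B ~0.6, C ~0.4
    print(blocks_lost_in(3 * 3600, 100, 51))       # ~8.8 blocks over 3 hours
    print(retarget_factor(RETARGET_BLOCKS * 1200)) # 0.5 if the slowdown lasted a full period
```

Note what the honest miners see: B still wins about 60% of public blocks, exactly its share of the public hashrate, but they come every 20 minutes instead of 10, so its income per hour halves until the next retarget. A three-hour episode is under nine blocks of drift in a 2016-block window, which is well inside normal variance and would barely register in the next adjustment.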
I don't know if an effective and immediate response could take place, but this sort of monitoring could be anticipated, and also, they would probably store the old chain's backup (just in case). I mean that if they make a rapid decision, it's not necessarily final (although this would cost the whole world economy a lot).
Only newcomer full nodes, during the racing period, couldn't know which chain actually appeared first, but all other full nodes and miners do know which one did, and that the alternative chain came at once and out of nowhere. This is an easy target for a "temporary chain force-choosing" algorithm. And again, this could be coded before the attack attempt itself.
So I don't mean that this surely would be a "forced" (rushed) code-fork. On the other hand, without such a thing, everyone would enter a rushed data-fork, which probably will also be viewed as something risky, and some costs may be applied (prepared in advance).
It looks like Decred doesn't use slashing, so I don't know if it's accurate to include the size of stake in the cost of an attack since the attacker would still have that stake afterwards; the price might go down but it might not be much if people say "that wasn't my money that was stolen; I didn't see anything".