Hey all, On Oct 13, 3:00 CDT, 4:00 EDT 1:00 PST I'm going to do a 51% attack against the cryptocurrency Einsteinium (i'll do the biggest, most established coin I can afford to attack, I'm putting in $50 of my money and if you want to donate you can 18YvVAxEMYxowSYEmWVtY75ZUdKXXk2vQc (If that's against the rules feel free to remove it Admins)) :
1. Demonstrate how easy these attacks are for anyone to do.
2. Generally teach people about the nuts and bolts of these attacks and potential mitigations.
A smaller blockchain might seem like a toddler compared to the big old bitcoin, however you shouldn't dismiss that the biggest shitcoins in market capitalization have a decent amount of people invested in them.
Take in account a 51% attack causes a double-spend. A double-spend targetting a transaction of a big amount costs the same as if you target a transaction of a small amount. This means that whoever performs this attack could just wait until the perfect victim comes in (think: a big transaction from/to a hotwallet of a big exchange).
This, in the end, could cause a big loss to some user of the exchange (especially if the exchange doesn't take responsibility for the issue); which could mean a lot more value than a lollipop.
Key takeaway from this IMO: don't invest in shitcoins, err.. altcoins sorry.
You should demonstrate an effective use of double-spend in your 51% attack, since there’s a lot of FUD around what can happen with a 51% attack. As in, people may assume you can drain accounts with 51% control, as opposed to double-spend transactions that did not yet hit high confirmation counts.
Of course you can drain accounts with 50% hash power or greater. And the number isn't 51%, it is actually 50%. If you have 50% of the hash power, you will be ahead exactly half the time. However, you will selfish mine and this creates an asymmetry. When you are ahead, other miners will mine off your chain, making your chain the longest. You will never mine off other published blocks, no matter how far behind you are. And no matter how far behind you are, you will eventually be greater than even at some point.
Because you can start mining at any point in the past, you can erase all transactions except the genesis/first transaction.
The bitcoin developers realize this so they essentially stuck the blockchain in the source code by putting 'checkpoints' in the code. This protects their coins. The developers are the actual central blockchain authority. If they changed the checkpoints, they would fork the whole chain. The chain is essentially in the source code.
> This, in the end, could cause a big loss to some user of the exchange
Not really. If someone is worried about a double spend attack, all they have to do is require a larger number of confirmations, until they are satisfied with the amount of security, for the given value of the transaction that they are accepting.
For example, if a big exchange is accepting a million dollars worth of crypto, they might want to wait a very long time, in order to be absolutely sure.
If someone is instead accepting payment for coffee, they could be perfectly happy to accept more risk.
^ This. Also, I agree that it's fairly trivial. That is the point, I want to show people how easy it is and maybe prompt developers to implement mitigations. I also just want to talk about 51% attacks because I think they're neat.
There are some ways to fix it and it's a fairly interesting problem. But yes, many are potentially dysfunctional due to this and it brings up some points about inherent weaknesses of small blockchains as they presently exist.
A great site. I made a version of it in python a while back and wanted to turn it into a website but never got around to it. Glad they did it for me but a lil sad I never got the media attention it got :(
No problem, I recommend it cause CherryPy will take any object oriented application and turn it into a website, you could make it all RESTful if it makes it easier and just have a jquery ajax client or something to make it stupid simple. Been using CherryPy for years and happy with it.
I'm not 100% sure what coin i'll attack. If people donate I might try for Vertcoin which will be $300-500 to attack. But if I stick with Einsteinium it will be very cheap, maybe $20-40. They could hardfork but I doubt they will. It's also sort of hard to implement a solution that quickly.
Bytecoin would take maybe a thousand, 4 or 5 if we want to get a transaction confirmed in an exchange. I'll do the biggest coin I can I'll put in $50 of my own money If anyone wants to donate you can:
bitcoin:18YvVAxEMYxowSYEmWVtY75ZUdKXXk2vQc
What these attacks are about is stealing money, right? Is that your plan? Why do you want donations to steal something or if you don’t steal anything how will you change the chain?
Generally, an attacker would deposit money in an exchange, exchange that money, withdraw it, then overwrite the transaction. I don't plan to do this. I'll either just do the overwriting part or just deposit like a dollar and not exchange or withdraw it. This is meant to just be educational.
I hope you realise Einsteinium has introduced dPoW algo to harden their blockchain security several weeks ago? They checkpoint to the Bitcoin blockchain every 10 minutes on average. You have not prepared accordingly, have you?
Can't we take profit too with this attack? It would affect the whole blockchain, so we can also send an amount of that coin to an exchange when you start the fork. Then we will have the amount restored when the fork becomes the real of the coin.
I think you've already done it. A central bank cannot run a blockchain level of trust that is smaller than they are. And nor can shipping companies, and basically anyone.
If you're not sure another party isn't in control of the 51% of the chain, nothing is safe.
I think how to judge this attack depends on how the coin presents itself. If they're clear about being in a phase of the project where such attacks are feasible then it's just vandalism, but if they're presenting a more flattering image of their project then demonstrating a 51% attack is a service to the public.
The security of proof-of-work based blockchains (which most of them are) is based on the assumption that the majority of participating nodes (or rather miners) as measured by the work they do, i.e. computing power, are honest.
Attacking a big, established blockchain like Bitcoin would require you to get more mining power than the rest of the network, which means massive datacenters of special purpose hardware.
Attacking a small blockchain still requires you to get more mining power than the rest of the network, but since there are not too many miners, you can rent enough mining power to have more than the rest of the network for an affordable price.
In the process, the attacker will legitimately get some currency, which is supposed to incentivize them to not actually attack the network, because it will affect the value of the coins they got − that's it, that's the only protection.
Was banned by Twitch before the demonstration so switched to stream.me who also banned him, says he'll record it and post a video later instead last I saw
Over half the HN readership lives in areas where these abbreviations are human-readable. And 100% can google the abbreviations. Would it be better if we started using UTC+5, etc.? Sure. But good luck getting Americans to change. If the OP's European counterpart posted a time in "CET" I'd have to go look it up, and I'd be fine doing that if it was important to me, rather than pointing the finger and crying Eurocentrism.
What I did find objectionable about the times, though, was the lack of "AM" or "PM". In the US, 3:00 might be in the morning or the afternoon, and the context does not make it clear which is intended.
We'll see. For example, Portugal has already said they will keep DST despite what EU decides. They already tried removing DST in the 90s and most people there disliked it.
Why would it be? You’re just mining like any other person, except you’re doing it faster than anyone else. I think the poster has mentioned that this is purely for educational purposes; they’re not trying to steal everyone else’s money.
On the contrary, you're contributing to the success of the coin by dedicating your personal resources to increase the total hash rate. It's not a denial of service, it's explicitly providing the mining service that the coin is asking it's participants to provide.
Now using that temporary hash rate imbalance to issue an explicit double spend attack could be considered fraud. But that's a totally separate.
lol, I taught you were gonna show us how it works on some testnet. If you are for real, this will be very educational!
tell us every detail please! The costs, hashpower, what exactly are you going to do? double spend?...
