That means: For SHA256^2-specific hardware, Bitcoin (the real one, not Cash, Gold, or SV), for scrypt, Litecoin, and for anything mined on GPUs, Ethereum (not Classic).
or migrate to another coin, such as the coin that the attackers left to fill their void?
Basically, you spend your coins today, while controlling a 51% share. When everyone else's 49% hash-power creates 98 blocks, your 51% share will create 102 blocks.
But secretly. That's the key. Now that your chain is +4 ahead (or wait even longer and become +10 ahead), you can spend your coins on the public chain. Then, you publish your 102 alternative blocks (which barely adds any hash power to the chain), and spend your coins again on the 2nd chain.
A 51% is the end-all-be-all for a cryptocoin. If you're vulnerable to the 51% attack, the coin is effectively worthless.
The only way to beat a 51% attack is to build more hash power than the attackers, i.e., prevent the attackers from getting to 51%.
The only problem here is that PoW only knows one cost: hashing, and due to macro shifts in mining hardware this can sometimes go down a lot more than the value of a coin (which makes the cost of this attack worth it).
As soon as you start introducing measures to subvert this attack you are subverting either decentralization or stability. If you for example program clients to not accept reorgs deeper than 10 blocks (for example) you simply introduce new attack vectors that can split the network (into following different chains - which is even scarier than 51% attacks).
If every x blocks you snapshot the chain and force everyone to follow that snapshot you just centralized the chain, etc.
> The Milky Way could crash into another galaxy way sooner than we thought
You'd be better off simply placing big bets at a casino
Private entities still practice consensus. Just because one can't inspect or participate in the consensus doesn't mean it doesn't exist.
It doesn’t matter who Satoshi is, I don’t need to know to opine on their ideas. That private entities practice consensus is fine (after all isn’t that just any human interaction?) and further I have no problem with consensus, just the sheer wastefulness and intentional anti-efficiency of bitcoin as-is, the fact its waste isn’t sufficient to prevent an attack, its fiscal policy (inflation is fine, you’re not supposed to hold currencies) and the idea that somehow bitcoin’s dreadful wealth inequality will save us from the present dreadful wealth inequality. Not to mention the idea we should just defer monetary policy to a bunch of developers who hack on protocol instead of a group of trained economists. Or the idea of scarcity when anyone can and does fork coins to double the number outstanding every few weeks. Or its user hostility. Or its defenselessness to market manipulation. History won’t look kindly on this mess in a few years.
If you wait for 1008 confirms (for a transaction of $1 Million USD), then that doesn't stop the attack at all. After all, the attacker simply has to perform $2 Million USD worth of double-spends during that timeframe to make a profit. (Not necessarily with you, but across the entire blockchain).
After waiting 1008 confirms (1-week for a 10 minute/block coin), the attacker simply replaces those 1008 blocks with his 1049 secret-blocks and makes his chain the longest. That means that ALL spends for the past week are nullified, allowing the attacker to double-spend his coins on the new blockchain.
In effect, waiting for 1000-confirms (or whatever) is closing the barn door after the horse has bolted. It doesn't protect your transaction... it protects the NEXT GUY's transaction.
In any case, the attacker gets to double-spend his money, which probably includes a large exchange (where you can turn coins into US Dollars easily).
However, if the attacker has less than 50% they can still wage an attack. With 10% of mining power I’ve got a 1% chance of mining consecutive blocks. It dwindles quickly even for larger percentages and a large number of confirms makes that angle impractical.
ETC's blockchain just had over 100+ blocks change, according to the tweet.
Even with 40% of the mining power, the probability of such an event (40% mining power, 100 consecutive blocks) is 0.000000000000000000000000000000000000016%. That's a very unlikely hypothesis you're presenting.
Only at the expense of leaving their coin more vulnerable to a similar attack.
Now imagine Dinkycoin comes along and releases their cryptocurrency that uses the same hashing mechanism for the block reward. Initially they have the block difficulty level pretty low as there aren't that many people participating in it yet.
Dinkycoin hopes that eventually enough people will join the network so that the total hashing power will be something approaching Bitcoin's. Great. But atm their total hashing power is a very small fraction of Bitcoin's total hashing power. I don't care enough to go find out how infinitesimal it would be-- enough to say very small.
Now suppose one of the Bitcoin ASIC miners gets bored one day and decides they don't like Dinkycoin. If they devote their ASIC to mining Dinkycoin they will immediately have more hashing power than the rest of the Dinkycoin network. That would virtually guarantee they solve every block of Dinkycoin and reap every reward. They'd easily have 100% control of the network at that point.
For example-- suppose Dinkycoin says you need 20 confirmations before accepting that a transaction "went through." Well, the Bitcoin miner can use their enormous hashing power to go back 20/30/whatever blocks and build a competing branch from that historical point. And since the miner has 1000% more hashing power (or whatever the number is) than the entire Dinkycoin network, they can build a competing branch from that historical point that will eventually have solved more/more difficult block rewards than the branch the rest of the network builds off the current branch. Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner. Well, the devs can decide to do otherwise for whatever professed reason and roll back/hard fork/whatever. But that kind of "do over" would degrade trust in the cryptocurrency itself. Users would be afraid of another future attack. After all, they were initially told 20 confirmations was enough. How do they know 40 confirmations is any safer? (And again, if the attacker has superior hashing power to the rest of the network it isn't meaningfully safer.)
Of course such a miner would be wasting all of their hashing power to screw with Dinkycoin's network. But to screw up most PoW cryptocurrencies you only really need 51% of the total hashing power. Even with that the attacker will eventually always beat the rest of the network to produce the "longest" chain. (Also, I think you can still cause problems for many cryptocurrencies with even less than 51% control.) Anyhow, do the math with the real numbers and you'll see that a real Bitcoin miner could devote a tiny percentage of their mining power and still own fledgling cryptocurrencies like the Dinkycoin example.
Moreover, they can trivially collude with the other 99 Bitcoin miners to devote an even smaller part of their hashing power to owning Dinkycoin, or even automate the process of smashing any coin that uses their same hashing scheme, based on any criteria whatsoever.
And it gets worse because in the 51% percent attacks I've read about in the real world, it isn't a big time miner with a grudge. Rather, it's someone who saw a weak point in a combination of a dinkycoin, an exchange, and several other moving parts and just rented a hashing rig to pull off an attack. Most PoW cryptocurrencies naively assume miners will choose greed over destructive tendencies without ever investigating whether those two paths are really mutually exclusive.
Edit: what happened to the web site that compares hashing power of the various SHA256-based coins, scrypt, etc.? Those orders-of-magnitude differences are quite instructive. But I can't find a site that lays it out nicely.
Origin of the term shitcoin would most likely be unable to defend the 51% attack
Good write-up op
Monero plans to do that indefinitely, by constantly changing to a new hashing algorithm that doesn’t have dedicated ASIC chips for it.
Could this attack be addressed by changing the "total difficulty" function to value chains published earlier more than competing chains published later? Say a block published today is considered twice as difficult to achieve as a block starting from the same point published in 48 hours. Blocks don't need to be available in real time, but there should be enough communication between the miners to get some consensus on roughly when each block was published.
Intuitively, it seems like there is absolute agreement on the fact that a 51% attack happened (and which chain was mined by the attacker), nobody is saying "we can't be sure, this can sometimes just happen by mistake due to the distributed nature of mining". So if that can be trivially detected, why not build the detection into the mining algorithm in the first place?
> Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner.
These statements directly contradict each other. The very, very obvious solution is to say that, if 20 confirmations validate that a transaction happened, then validated transactions can't be rolled back. (They're validated!) Once block 26 comes online, block 6 is a permanent feature of the blockchain. That's the only possible meaning of "accepting that a transaction went through". And, note, that is the definition being used now to label this an "attack" rather than "huh, look what happened".
They don't contradict each other at all.
> Once block 26 comes online, block 6 is a permanent feature of the blockchain.
What defines the 'blockchain'? It's the chain with the most work. Outside of a centralized checkpointing mechanism, the only definition of the valid blockchain is the one with the most work behind it.
> They don't contradict each other at all.
They do; for a transaction to be revocable means you haven't accepted that it went through. If every block is revocable indefinitely, then you can't say that 20 confirmations confirm a block, because they don't.
> What defines the 'blockchain'? It's the chain with the most work.
No, it's the chain accepted by a group of miners. Miners are the sole authority of a bitcoin-style blockchain. Work is not.
> Outside of a centralized checkpointing mechanism, the only definition of the valid blockchain is the one with the most work behind it.
Centralization is not necessary for this. As a miner, you're free, in your individual capacity, to reject blockchain candidates that invalidate blocks you consider permanent. Centralization would mean that a block could require only 0 following blocks before being considered permanent. With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.
From the blockchain perspective a block with a confirmation is confirmed. But everyone else can make new rules on top regarding payments: Do you consider most crypto exchanges to not support "Bitcoin" since they require 6 confirmations per transaction before they credit it?
> With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.
This is done to raise the cost of reversing the transaction (the more confirmations deep, the more expensive your attack needs to be).
> This is done to raise the cost of reversing the transaction (the more confirmations deep, the more expensive your attack needs to be).
No, it isn't done at all. You state as much:
> From the blockchain perspective a block with a confirmation is confirmed.
As far as I can see, this is just a design mistake. (And equivocating over the meaning of "confirmed".) The current system never treats any block as confirmed. The only statuses a block can have are "invalid" and "provisionally accepted". There is no "accepted" status, and a valid block may be revoked at any time, no matter how long it may have been valid for.
But there's also no reason not to have an "accepted" status, and to reject candidate blockchains which alter accepted blocks. This should be part of the mining protocol. Treating it as non-binding advice to merchants misses the point.
What the paper doesn't say is that the formula doesn't work if there is more than one chain. Since an ETH miner can easily switch to ETC at any time, proof-of-work isn't really protecting ETC at all. There is another chain that was a lot harder to calculate, which means the ETC chain stands on thin ice.
Why not freeze the blockchain at certain points, then? Well, it cannot be easily done. There is the problem of choosing which blocks should be frozen, and when. How do you calculate that? What if there's a network split at that time? What happens if the protocol results in an unwanted fork? What happens if malicious actors try to settle on a wrong chain? This is the very problem that Bitcoin solved. Forgetting the idea of a final truth, and making the blocks work like a wave of consensus that eventually reaches everyone. Clever and simple, but with some drawbacks that have to be understood.
Of course, there are lots of people working on new ways of establishing decentralized consensus. The Ethereum devs have been working hard on this for a few years.
How does a new entrant to the network know which is the valid chain?
They didn't see the previous 20 confirmations, so the only rule they can use is picking the longest chain.
Another way to do it is to have a separate voting system to attest to the "valid" chain, but then you could use an ordinary botnet to outvote the real chain.
In short, confirmations are there for vendors to be sure a few blocks weren't mined at the same time, but they do nothing against a 51% attack.
A new entrant to the network knows which is the valid chain because the chain the network uses defines "the network". Consider the case of Ethereum Classic (ETC) versus Ethereum (ETH). They are exactly the same, except for the chain each group of miners follows. The ETC blockchain is a valid ETH blockchain and the ETH blockchain is a valid ETC blockchain, but miners adhere to one or the other for political reasons. As a new entrant to the ETC network, how do you know which blockchain to use? Well, you use the ETC blockchain, because that's the network you're entering.
I'm describing my understanding of the ETH/ETC split. If they've diverged more than I was aware of, that doesn't affect the argument; just substitute other names for ETH and ETC.
If you propose an addition that is one block long, and I propose an addition that's 2 blocks long, then my chain wins. (These all have to be valid blocks that solve the mining challenge). Miners select the chain with the most work. That's the consensus mechanism by which the blockchain is established (among nodes operating all with the same rule sets).
At any given instantaneous point in time, there may be multiple instantaneous forks of the main blockchain - people who have mined out valid next blocks and are fighting to get them accepted as the primary chain. Imagine that two different miners by coincidence mine out the next block. One of those chains has to win. The chain that wins is the one that propagates through the network most quickly such that other miners begin building upon it and extending the chain - the one with the most work wins. The other chain(s) die and the transactions on it have to be resubmitted.
When multiple branches exist on the blockchain, some consensus process has to reconcile which of them wins. That process is that miners select the longest chain. Don't act as if one single block is magically appended to the chain and everyone knows which block that is; a consensus process operates to select that block (or sequence of blocks), and it operates by selecting the longest chain. When two or more blocks are mined out simultaneously by different miners, the one that wins is likely to be the chain that propagates more quickly to other miners. Since miners build on the longest chain, then the miner who distributes their chain more widely among other miners is likely to win, since those miners will begin building upon it (seeing it as the longest chain thus far).
To continue the story, let's say that you and I both simultaneously mine out the next block of Bitcoin. You don't tell anyone about your block, and keep it to yourself. I distribute my block to the entire network. Thus, other miners start building on my block, and it becomes part of the main bitcoin blockchain. Once that happens, it doesn't matter if you start telling other people about your block -- it's not part of bitcoin any more because my chain exists which is much longer (my block + whatever other blocks people have mined out on top of it).
I've been arguing that this is a design mistake, and that the following selection algorithm would be superior:
- Instead of selecting the longest chain, select the longest chain which does not alter any blocks which I, personally, consider permanent.
Robin_Message correctly identifies that this algorithm doesn't do anything for a new entrant, because a new entrant doesn't have the exposure to history that an established miner has. But I don't see why this is an issue, as to enter a particular network, you must already copy that network's existing blockchain, and this step -- which you already have to take -- will give you the same exposure to history as the miner you copy it from.
Imagine that two blockchains, ETH and ETC, diverge for political reasons. The ETH blockchain is more beloved among the people (the laity, not the miners), and for this reason a greater number of transactions occur in ETH than ETC over time. This guarantees that the ETH blockchain will be longer than the ETC blockchain. By the selection algorithm you identify, the ETC blockchain will be wiped out, because the ETH blockchain can always be re-proposed and will always dominate it. But in reality, the ETC miners will reject the ETH blockchain, because rejecting the ETH blockchain is the whole point of ETC.
Chain length is number of blocks, which is controlled by miners, not "laity".
I think your system might prevent double spends; unfortunately it would do so by rendering the network unusable for any new users, who wouldn't have a way to know which is the good network to join. I suppose a central authority could be used to identify the good chain, but most coins prefer not to have one of those.
The advantage of the simple chain length rule is that it is simple, requires no central authority, is self-correcting and the only weakness is a 51% attack.
This is an important distinction, because by fudging timestamps you can generate a valid chain of arbitrarily long length where each block has very low difficulty, but said chain would still not be preferred over a chain with fewer blocks of much higher difficulties (i.e. the real chain).
A block is a set of transactions, transfers of currency from one address to another address. Miners don't just add blocks because they're bored. They add blocks when someone submits a transaction.
So the number of transactions that occur is closely related to the number of blocks in the chain.
Of course miners are always adding blocks, even when the blocks are empty; they do so because there is a block reward. Even empty blocks, when mined by honest miners, are serving a purpose, because they are increasing the cost of a 51% attack. Look through the histories of many different blockchains and you'll see empty (or nearly empty) blocks that exist for a variety of reasons.
Also, transaction sizes differ drastically depending on what a transaction does, and blocks max out at a given size, not a given number of transactions. So when blocks are full (which they aren't most of the time except for the very highest used cryptocurrencies) the number of transactions per block still varies quite a bit.
Let's also say for the sake of argument that 10% of the BTC mining capacity is in that region.
The network self-adjusts so that every hour 6 blocks get confirmations, but over this short time period you wouldn't expect this to happen. This means that every hour the Australia split would confirm 0.6 blocks and the non-Australia split would confirm 5.4 blocks.
After 36 hours Australia would have confirmed ~21 blocks, and according to your proposal, the first of these is now 'accepted' and can't be rolled back.
In the same time the remainder of the network would have confirmed ~194 blocks, many of which are now accepted.
What would actually happen according to the consensus protocol is that RestOfWorldBTC is the longer chain and therefore "is" BTC, and AustraliaBTC would get thrown away. Any BTC transactions made in Australia during that time would get rolled back.
But if blocks become permanently accepted then these 2 chains are fundamentally incompatible; they are no longer the same coin. Your proposal says that the network should fork into 2 coins here -- AustraliaBTC and RestOfWorldBTC. This would be a pretty disruptive event. People who traded BTC for services in Australia would claim that they paid their obligation (after all, it's in an 'accepted' block) and therefore don't owe their counterparty any RestOfWorldBTC. But AustraliaBTC would likely become worthless very quickly, given that most of the transactions in those 36 hours were confirmed on the RestOfWorldBTC chain. Australian counterparties would get stiffed pretty hard.
OTOH, if you roll back those transactions and accept the mainline, those counterparties can more easily argue that you still need to pay them. Note that the network can't enforce you paying these obligations, but the legal system still exists! And assuming the actors were acting in good faith and didn't attempt to double-spend their coins, their transaction would get re-propagated automatically and get included in a future RestOfWorld BTC block once the network split ended.
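The partition scenario above, run under both chain-selection rules, as an added example that is not code from any post in this thread. It models the "longest chain that does not alter blocks I consider permanent" rule proposed earlier in the thread next to plain most-work selection, on a constructed split where one side mines 21 blocks and the other 194 before reconnecting; the 20-block lock-in, the branch labels and the per-block work values are all constructed inputs. It also covers the point made later in the thread that selection is by cumulative work, not block count, by pitting a long chain of cheap blocks against a shorter chain of heavy ones.

```python
# Added example (not from the thread): two chain-selection rules run over the
# Australia/rest-of-world partition described above. Block counts (21 vs 194),
# the 20-confirmation lock-in and all branch labels are constructed inputs.
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    work: float      # work this block represents (its difficulty, simplified)
    branch: str      # constructed label: which partition mined it


def total_work(chain):
    """Cumulative work of a chain; what 'most work' selection actually compares."""
    return sum(b.work for b in chain)


def fork_depth(local, candidate):
    """How many of `local`'s blocks the candidate would discard (0 if it extends local)."""
    common = 0
    for a, b in zip(local, candidate):
        if a != b:
            break
        common += 1
    return len(local) - common


def most_work_select(local, candidate):
    """Plain rule: switch whenever the candidate carries strictly more work."""
    return candidate if total_work(candidate) > total_work(local) else local


def locked_history_select(local, candidate, finality_depth):
    """Proposed rule: refuse any candidate that would reorg a block this node
    already has `finality_depth` blocks on top of; otherwise fall back to most work."""
    if fork_depth(local, candidate) >= finality_depth:
        return local
    return most_work_select(local, candidate)


def extend(chain, n, branch, work=1.0):
    """Append n blocks of the given work, labelled with the branch that mined them."""
    chain = list(chain)
    for _ in range(n):
        chain.append(Block(len(chain), work, branch))
    return chain


def simulate_partition(finality_depth=None, au_blocks=21, row_blocks=194):
    """Both partitions mine in isolation on a shared prefix, then reconnect and
    each node evaluates the other side's chain. Returns the branch label each
    node ends up following; a pair of different labels is a permanent split."""
    shared = extend([], 10, "shared")
    au = extend(shared, au_blocks, "AU")
    row = extend(shared, row_blocks, "ROW")
    if finality_depth is None:
        au_node = most_work_select(au, row)
        row_node = most_work_select(row, au)
    else:
        au_node = locked_history_select(au, row, finality_depth)
        row_node = locked_history_select(row, au, finality_depth)
    return au_node[-1].branch, row_node[-1].branch


def length_vs_work_demo():
    """A long chain of cheap blocks (the kind fudged timestamps can produce once
    difficulty collapses) loses to a shorter chain of heavier blocks."""
    cheap = extend([], 500, "cheap", work=1.0)
    heavy = extend([], 194, "heavy", work=10.0)
    return most_work_select(cheap, heavy)[-1].branch


if __name__ == "__main__":
    print("most-work rule after partition:", simulate_partition())
    print("locked-history rule (depth 20):", simulate_partition(finality_depth=20))
    print("500 cheap blocks vs 194 heavy blocks:", length_vs_work_demo())
```

Under the most-work rule both nodes end on the rest-of-world branch; under the locked-history rule each node keeps the branch it locked in during the split, which is the network fork the earlier post warned about.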
And then everyone else on the network would say, "Crap, who should we believe? Let's go with the majority." And the attack would win.
Sure, it's less centralization than just trusting one party to determine the latest block , but it's a matter of degree.
The further you go back in time/blocks, the less disagreement and resistance there will be to locking in a history.
I disagree that market cap is the primary indicator. Note that market cap (or really, price of ETC on major exchanges) has dropped dramatically in the past 3 to 6 months. So Market Cap / Price of ETC is a minor factor.
In contrast: the ABSOLUTE COST of a 51% attack drops each time the difficulty drops. That's what I personally think is the main contributor here, because the market-caps of all coins have dropped dramatically the past few months.
In effect: it's not so much that the potential profit out of a hypothetical 51% has gone up (it hasn't: Ethereum Classic is way cheaper than it used to be). It's that the DIFFICULTY of ETC has dropped dramatically, finally making the 51% profitable.
The actual cost to take over a cryptocurrency tells you more valuable information than the naively calculated market cap. If a cryptocurrency only costs $3/hr to take over then it's truly a shitcoin.
Yes. But it's the same for the market cap of company stocks. So saying that "the market cap isn't truly $5M" is missing the point a bit. The market cap can truly be $5M without $5M having been invested. That's just not what market cap means.
A company is a productive enterprise, that produces value for you, if you sit on shares of it. Something like bitcoin is a purely speculative instrument, that produces no value if you sit on it.
The market cap for a company is an imprecise proxy for all expected revenues, discounted by time. The market cap for a currency is an imprecise proxy for... How much you can hope to unload it to the next fool.
At least, it's supposed to be.
Yes, yes, we know, Bitcoin is useful for transferring money. This usefulness is completely disjointed from its market cap. It doesn't matter if it's $20/coin, or $20,000/coin, if you're using it to send money.
But in this hypothetical attack, the complaint is that the "market capitalization" is more than you'd have to pay to buy out the network.
Hmm, does this mean Boeing, Saab Aerospace, the ammo factory is also a productive enterprise, which produces value for me? The bombs dropped on people in sandals in Yemen, how is that producing value for anyone owning the stock of war companies? Also owning said stock indirectly through pension funds.
How many companies are not in any definition "productive" and end up bankrupt, restructured or just bailed-out?
You can't focus on sellers and ignore buyers when discussing the valuation of something. If many people want to sell and few people want to buy the price will of course go down. But if many people want to buy and few people want to sell then the price will go up. This isn't a particularly interesting observation.
To put it another way: you are right that if everyone who held a portion of this asset tried to sell right now they would not cumulatively get $5 million, BUT ALSO, if someone wanted to buy all of this asset they would pay significantly more than $5 million. It goes both ways. Changing the balance of supply and demand necessarily changes value.
I do agree that naively using the price of a single trade can be misleading and prone to manipulation.
A cryptocurrency with a single sharehodler is a non sequitur and essentially worthless.
Isn't that literally the definition of market capitalisation?
A better analogy would be to calculate the "market cap" of gold.
This isn't actually relevant. Calculating market cap based on current trading price is equally valid for company stocks and cryptocurrencies. The divide is not between "companies" for which market capitalization is good and "cryptocurrencies" for which market capitalization is misleading, it is between objects for which the market capitalization is a reliable guide to the object's value and other objects for which it isn't.
You can judge the reliability of a market capitalization figure by looking at the trading volume of the object. If something has a market capitalization of $10,000,000 and sees $40,000 of trade per day, then you can reliably trade at the value reflected by the $10,000,000 market cap figure as long as the amount you're trading isn't significant compared to the background trading volume of $40,000 per day. If you try to trade $60,000 "worth" of whatevers, you'll crash or spike the price with your 150% increase in trading volume.
If something else has a $10,000,000,000 market cap and $40,000 of trade per day, then... you can trade at the value reflected by the market cap as long as you don't have a significant impact on the background trading volume of $40,000 per day. It doesn't matter that the market cap is a thousand times higher; it doesn't matter whether one of the things is company stock and the other thing is a cryptocurrency; what matters is whether you disturbed the normal trading volume, whatever that volume was.
Note that penny stocks see wild, spurious swings in their market capitalization all the time. That is because of their low trading volumes. It's not because Apple is a company and Shifty Joe's Investment Scam LLC isn't -- they're both companies.
On the other hand Shifty Joe's Investment Scam LLC and crypto-tokens don't really have a price floor, but that's because neither of them have any assets or reliable stream of future income attached to ownership.
You might get rich on paper, but good luck getting anyone to help you convert your riches into spendable currency.
To give you an idea, the overall Ethereum network is currently 190 PH/s, so you'd need significantly more than that to have a high chance of launching a short term attack with reasonable success rate (if you only control 51% then your odds actually aren't great). Let's say you need 300 PH/s.
Well, the average modern AMD graphics card that is suitable for mining Ethereum only does around 30 MH/s. That means that you need 10 million such graphics cards. They simply aren't available for rental anywhere at such scale.
That's why you're not seeing such an attack happening. The raw monetary figures are misleading.
Add in the opportunity cost of exercising such an attack and it's not clear that you could turn a profit.
You know, in case turning a profit is not the only possible motivation for anybody to do anything. Many acts of war and violence are not profitable, certainly not directly profitable, and yet history shows people will attack each other anyhow.
'Bit' worrisome if your whole concept of finance depends on altruistically greedy actors who can never act out of spite or malice. That would be creepy but nice compared to the real world as it has always existed.
You also have to actually do the double spend transactions, and hope that the person that you are stealing money from doesn't do anything about it.
It is that step 2 that is actually much harder than a naive attack might suggest.
Historically speaking, the effects of an attack on the price aren't that clear cut.
The price of an "attacked" coin can jump, just as often as it crashes. The narrative being "oh, there was a problem, but we fixed it! Look at how great we were at defending against an attack!".
Crazy, I know. I am just saying that it is not that simple, and a person is risking losing as much money as they might gain.
Is this number for real? I can think of many actors for whom this is just small change, and who might have incentive to break trust in the Bitcoin network by successfully performing such an attack.
Sorry if this is confusing - the attack cost is calculated based on the cost of hashing power from NiceHash * the global hash rate. If the 'NiceHash-able' column is <100%, NiceHash doesn't have enough hashing power to complete an attack (and thus the price is greyed out).
This page  has more details.
> Using the prices NiceHash lists for different algorithms we are able to calculate how much it would cost to rent enough hashing power to match the current network hashing power for an hour. Nicehash does not have enough hashing power for most larger coins, so we also calculated what percentage of the needed hashing power is available from Nicehash.
Note that this ignores the fact that large mining operations could easily switch coins to carry out attacks.
50% chance spend 1.1 million get 1.1 million back minus substantial overhead. Say 10% overhead although I have no idea what the actual overhead would be. So negative 100k.
50% chance spend 1.1 million + 100k overhead get 1.6 million back. Net gain of 400k
So average gain of 200k assuming you can find a market to move that much bitcoin that quickly and always assuming your creativity isn't rewarded with jail time.
People with substantial resources can find ways to make money that are repeatable and don't involve finding new and exciting ways to go to jail.
To actually steal money you need to falsify at least six blocks, which in turn means you need to mine six blocks in a row (roughly speaking). The probability of this being successful is (1.0-0.51)^6 - ie. about 1.5% chance of being successful. You can increase your chances by increasing your mining percentage. Make it a 75% attack and you have an 18% chance of success. To have a 50/50 chance of success you really need to mount about a 90% attack which is pretty ambitious.
I'm not sure this is accurate. You don't need to mine 6 blocks in a row on the existing chain. Clients are programmed to recognize the longest chain, so you just need to silently mine new blocks (and not share them with anyone) until you have more blocks than the main chain. Then publish these new blocks, and existing clients will recognize your chain of blocks as being the correct ones.
You can double spend by making a transaction on the public chain while you quietly mine your own blocks on your private chain. Send the coins to an exchange on the public chain, but send them to your own address on your unpublished chain. After you steal funds from the exchange, publish your privately mined blocks.
Therefore, if our malicious miner identifies that they have had poor luck and begun to fall behind the "legitimate" chain by a block or two they can start the make-a-longer-competing-chain process over again from the legitimate head with - as far as I can see - no downsides except for some lost time/resources; the main risk to them isn't really there until they commit by initiating their double-spend, something they would almost surely not do until they're confident they've acquired their own, longer competitor to the "legitimate" chain.
This drops to zero every time they start over, so it doesn't change the basic calculus.
The chain starts at block 1000, and you make a spend that will be included at block 1001 on the public chain. At the same time, you start mining your private chain from block 1000 (and you don't include that transaction in it). Now, the exchange you're using requires 6 blocks of confirmation, so you need to wait until block 1006 on the public chain before you can actually take delivery. Now that you've done that, you can publish your private chain at block 1007 (or 1008, etc) and since it's the longest chain, it'll be accepted by the public.
You didn't have to get 6 blocks before the public chain got 1 - you only needed to get 1 more block than the public chain, at some point after the public chain has mined 6 more blocks.
    1000 - 1001 - 1002 - 1003 - 1004 - 1005 - 1006          1008     Public Chain
         \ 1001 - 1002 - 1003 - 1004 - 1005 - 1006 - 1007 /          Private Chain
We're saying the same thing, but I see now that this was unclear.
The point of this sub-thread is that 51% doesn't give you a guarantee you'll mine faster than the 49%, just an edge, and that edge narrows as more blocks are required.
A casino with a 1% house advantage would have days when it was in the red, around 178 of them in fact. By analogy, you need to line up six days in the black, in a row.
The chance of doing that is lower than 51%.
You're focused on the chance of getting 6 in a row. But what you should be looking at is the chance of getting at least 7 in 13, which is given by this equation:
P(K>=N) = sum(nCr(M, k) * p^k * (1-p)^(M-k)) from k=N to M
With M=13, N=7 and p=.51 - which works out to about 53%. But 8 in 15 also works, 9 in 17, etc. The limit of that probability (n+1 in 2n+1 as n -> inf) is 1.
Also, a casino is not likely to have many days in the red, just like it won't have many years in the red. (for bets only, ignoring everything else) This is because while the chance on any one bet may only be 51%, the chance of 10,000 bets, or 1,000,000 bets having a majority go south starts to get very, very small. (~27.5% for 1000 bets, ~2.5% for 10,000 bets at 51%, etc)
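An added example, not part of anyone's comment in this thread: a short Python script that works the binomial model above (the 7-in-13 race and the casino figures from the same comment) and then turns it around from an exchange's side, asking how many confirmations push a sub-majority attacker's race odds below a chosen risk. The model and the 51% figure are the thread's; the function names and the risk threshold are my own choices.

```python
"""Binomial race model for a secret-chain double spend, as discussed in the thread.

An attacker with hash share p wins the race if they mine a majority of the next
M = 2n+1 blocks; an exchange that waits n confirmations is betting against that.
Everything here follows the thread's simplified model, not any coin's consensus code.
"""
import math


def binom_tail(p: float, m: int, k_min: int) -> float:
    """P(K >= k_min) for K ~ Binomial(m, p), computed in log space.

    Log space keeps the sum stable for large m (e.g. 10,000 bets), where
    p**k would underflow to zero in plain floating point.
    """
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    if k_min <= 0:
        return 1.0
    if k_min > m:
        return 0.0
    log_p, log_q = math.log(p), math.log(1.0 - p)
    total = 0.0
    for k in range(k_min, m + 1):
        log_term = (math.lgamma(m + 1) - math.lgamma(k + 1) - math.lgamma(m - k + 1)
                    + k * log_p + (m - k) * log_q)
        total += math.exp(log_term)
    return min(total, 1.0)


def majority_race(p: float, n: int) -> float:
    """Chance the attacker gets at least n+1 of 2n+1 blocks (the '7 in 13' case is n=6)."""
    return binom_tail(p, 2 * n + 1, n + 1)


def house_losing_majority(edge_p: float, bets: int) -> float:
    """Chance that at least half of `bets` go against a player whose per-bet win chance is edge_p.

    This is the comment's casino figure: a 51% edge still loses a majority of
    1,000 bets about a quarter of the time, and of 10,000 bets a few percent of the time.
    """
    return 1.0 - binom_tail(edge_p, bets, bets // 2 + 1)


def confirmations_for_risk(p: float, max_risk: float, n_cap: int = 5000) -> int:
    """Smallest n such that a p-share attacker wins the 2n+1 race with probability <= max_risk.

    Only meaningful for p < 0.5. For p > 0.5 the race probability rises towards 1
    with depth, which is the thread's point: confirmations do not save you from a
    true majority, they only buy time against a minority.
    """
    if p >= 0.5:
        raise ValueError("a majority attacker is not defeated by waiting for confirmations")
    for n in range(1, n_cap + 1):
        if majority_race(p, n) <= max_risk:
            return n
    raise RuntimeError("risk target not reached within n_cap confirmations")


if __name__ == "__main__":
    for n in (6, 7, 8):
        print(f"{n + 1:2d} of {2 * n + 1:2d} at 51%: {majority_race(0.51, n):.4f}")
    print(f"majority of 1,000 bets lost at 51% edge:  {house_losing_majority(0.51, 1000):.4f}")
    print(f"majority of 10,000 bets lost at 51% edge: {house_losing_majority(0.51, 10_000):.4f}")
    for share in (0.10, 0.30, 0.45):
        depth = confirmations_for_risk(share, 0.001)  # 0.1% is an arbitrary illustrative target
        print(f"confirmations needed vs a {share:.0%} attacker for <=0.1% race risk: {depth}")
```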
However, after the attack wouldn't it be easy to compare both chains and see which coins were double spent? Wouldn't you obviously be the perpetrator, having both double spent, as well as having cashed out a large amount of money? Or is the idea that you'd be able to cash out to a bank account not tied to your real identity?
Then spend and/or clean your ill-gotten gains.
* Swap coin for Zcash and start mining with 51%.
* Wait until your chain is longer than the main chain, and you actually hold the Zcash.
* Publish the longer chain, and immediately swap your spent coin for Zcash again. (At a different exchange just to be sure).
Now, you got twice the value of Zcash you needed, and due to Zcash shielded transactions can't be traced. You just have to hope that your shenanigans won't tank the value of Zcash.
Similar things could be done with Monero.
It's tricky to directly apply these to cryptocurrency adopters' risk, although they apply more directly to "transaction size" than to "wallet size". You can probably apply some of Budish's calculations to transaction size unless you anticipate there's a way that your transaction counterparty could be defrauding you and other people in roughly the same way at roughly the same time. (For transaction size, the main risk is that you give someone something else of value in exchange for a transaction that's subsequently removed from the consensus history.) But for wallet size, the risk is not that someone steals your cryptocurrency from your wallet, but that your cryptocurrency becomes less valuable because other people recognize risks more immediately as a result of discovering and publicizing a successful attack. But that has most to do with how other people respond to the news of the successful attack, which is harder to predict.
And that's going to be governed by irrationality, especially given the irrationally exuberant bubble effects of the cryptocurrency market in the first place. But once that wears off...I don't know. If you somehow managed to make a cryptocurrency that couldn't be profitably attacked, and made the base minimum cost of such an attack high enough, you'd still be vulnerable to a state-level adversary, but every system is vulnerable to a state-level adversary.
"Prestige" is how people end up in jail, or otherwise...
In 30 years from now you’ll be able to brag about how back in your day you took down entire cryptocurrencies with 51% attacks.
Theft and fraud don't take on different meanings just because the currency is digital.
A properly constructed proof-of-work mechanism has no built-in mechanism for a malicious minority hash power to take control of the protocol, shutting out the higher hash rate majority from mining blocks.
I don't believe either (a) or (b) applies to either xtz or to ada, though ada hasn't yet deployed POS.
I can well believe that there are broken POS implementations, there have been a lot of broken implementations of a lot of things in the space -- but claiming every system is known to be broken or cannot be analyzed is a very bold claim to make.
For a write up of the general, unavoidable problems of proof of stake, see Andrew Poelstra’s proof of stake FAQ.
As far as Poelstra, that's a rather old document. A great deal of research has been done in the field since.
What has happened instead is that the basic / easy to analyze systems were broken, and so complications were added that defeated the simple attacks, but really just make attacking it more complicated. But there's no asymmetric advantage against attackers here -- a similarly complex attack can be made for any proof of stake scheme.
There are a whole lot of very smart people who disagree with you.
I'm done with this discussion as you're simply repeating the same things over and over.
New technologies are always shitshows when they get started. I remember DoubleClick ads hanging every copy of Netscape they ran on, ActiveX controls that could pwn your computer just by viewing a webpage, and unusable college Internet because the SQL Slammer worm had infected 50% of computers on campus and would reinfect anything as soon as it was plugged back in. The last was in 2003, 14 years after the Internet was introduced - put on the Bitcoin timeline, that's 4 years in the future, assuming cryptocurrency is adopted as fast as the Internet (and there're good reasons to believe it won't be).
The thing about disruptive technologies is that people continue to use them despite how shitty the technology is - they're so desperate for a solution that they put up with a solution that basically doesn't work.
This is a common comparison but it’s based on a very dubious equation of the history. By 2003, the internet had transformed many industries — e-commerce was in the billions of dollar range (Amazon’s earliest business lines had been profitable for the better part of a decade by then); millions of people used it daily for tasks like research or customer service, software or media downloads, etc. Mainstream media and ads were full of URLs not just for internet companies but for existing companies which were increasingly focused on the internet.
In contrast, Bitcoin has almost no reason for anyone to care about it other than speculation and the few people who do use it regularly for anything else are largely using it as a replacement for PayPal with worse customer protections.
A key difference is most of the new techs like Internet, email, Paypal, and so on improved on what people already had in a way that delivered obvious value. They also came with problems. Whereas, nobody I know in real life wants the drawbacks of these cryptocurrencies that come with giving up the benefits of their current, centralized offerings. The only folks I know out here doing crypto are speculators (esp day traders). That's the difference.
Now, if they wanted to solve those problems, they'd start with whatever tech/law/orgs already worked, identify their problems, and then mitigate them using proven methods. So, we're looking at credit unions, non-profits, or public-benefit companies chartered to make sure they do specific good things and don't do specific bad things. The most important stuff at least. These can be in the licenses and contracts, too, for re-enforcement. Then, centralized systems with decentralized checking of what's exchanged a la SWIFT all using existing high-performance tech we know how to secure. Open protocols and agreements for how disputes will be resolved in situations using decentralized mode with experts from both centralized and decentralized models weighing in on that. I've been talking about that in Gerard's threads on Lobsters:
I can't find the other ones since the search feature is limited.
"they're so desperate for a solution that they put up with a solution that basically doesn't work. "
That's true when there's a need. This is part of a hype cycle pushing stuff people don't need to replace stuff that would meet their needs fine. Accelerated by massive amounts of money being thrown all over this area. Totally different kind of thing. The stuff that bubbles, bankruptcies, and broken dreams are made of.
I'd argue that for most people the value was only obvious afterwards.
To put email in perspective, early adopters had to choose between what they already knew and all the hurdles involved in connecting to the internet and using the new technology. There was also a good chance the people they were trying to communicate with didn't even have email. Outside of a few niche areas, email provided no obvious value to the vast majority of people for decades.
That's a lot of hand waving for something that wasn't trivial at all in the 60s and 70s.
Quite a few Venezuelans would beg to differ about that.
That happens more often than one might think. There are quite a few countries that are currently on the brink of collapse, so it is not unlikely that one or more of them will adopt a cryptocurrency some time in the not too far-off future.
Bitcoin is an entirely different project. Although it is also a blockchain, it's like a calculator while the former is a fully programmable computer. These two projects are very different, two different groups of developers. I encourage you to read into them more to educate yourself.
Pretty sure the joke is still on you when comparing to someone that told you about it in 2015.
The highest price for ETH in 2015 was $2.19, lowest in 2018 was $85. So even with the worst possible entry/exit in those years we're still talking about a 3881% ROI in 3 years. Again, that's the WORST possible ROI for entering in 2015 and leaving in 2018.
Those involved have been warning of the insecurity of smaller chains for a long time now, and they aren't representative of the entire ecosystem.
No it's not. Programming is a tool to create programs with. Block chain is a technological buzzword being used (and implemented) wildly inappropriately.
51% attacks are a fundamental vulnerability in decentralization. It would be like inventing programming when everyone pretends bugs don't exist at all. Bugs are inherent to the task, just like blockchains have a very narrow set of use cases, but everyone's too busy flying too close to the sun.
The extreme vast majority is trash, manipulative, and awful in most every way. Not to mention the charlatans and fanboys that hype it as able to do everything and anything perfectly.
But the few that use it well are doing fairly well, and innovation is happening. You shouldn't loop the entire ecosystem as one big unit making terrible choices together.
What examples of good use of blockchains are you thinking of?
* (depending on your stance on personal liberty) censorship resistant, pseudonymous e-cash/e-gold (Bitcoin)
If the whole concept is trustless decentralized (fill in the blank ???) profit, meaning that you can make currency or a timestamp or whatever else using blockchain,
and a sufficiently large force can basically fork off of an earlier block, race ahead in secret and then take over the currency or timestamps or whatever else the blockchain's about,
does this not render the replaced fork useless? As in, if it's money it doesn't count and you lost everything, if it's a timestamp it's not proof because it's not the blockchain anymore, etc?
I guess this is one way to make it so raw power is the only thing that matters, expressed as 'ability to marshal computer resources on a massive scale', which costs money and so it becomes circular. Power/money gives you power/money and so on. Given enough power/money you can simply take over Bitcoin: could be happening right now.
Bitcoin not only doesn’t deliver on those claims, it’s actively dangerous because it leaves an immutable public record of your activities, as numerous court cases have shown. There’s a reason why the mob doesn’t publish their ledgers.
“Censorship resistant” is also a complex claim since the network is trivially blocked as a whole, and the inability to comply with legal demands means that anyone legitimate faces risks which will encourage them to stop participating, reducing the defense for allowing it at all and removing the traffic everyone else is hoping to hide behind.
It's censorship resistant in its use. It only becomes an issue in terms of actually cashing out -- but that's not necessarily required.
That's why I said it's dangerous: telling people a word which sounds like anonymous but actually means “irrepudiable proof of identity” is setting them up to make decisions under the belief that they are closer to anonymous than they actually are. Given how proponents like to proclaim benefits for people in countries with repressive governments, that's just irresponsible.
> It's censorship resistant in its use. It only becomes an issue in terms of actually cashing out -- but that's not necessarily required.
What does that even mean? A government can block it easily because the design requires you to be on the network and the lack of anonymity means that anyone who attempts to bypass those restrictions has valid reasons to fear reprisal.
"the network" is a concept that doesn't necessarily mean "the public internet". Also, it really doesn't require everyone to be on the network -- it requires a network to exist. And pseudonymity can be "good enough".
The point was that the entire ecosystem can exist independent of cashing it out to fiat -- that point can be somewhat controlled, but it's not necessarily required.
Which is to say, it's not good enough for anything which matters, especially in any case where censorship is a relevant concern.
> "the network" is a concept that doesn't necessarily mean "the public internet". Also, it really doesn't require everyone to be on the network -- it requires a network to exist.
This is similarly meaningless: if you're talking Bitcoin, you're by definition saying you need to be on the regular internet and if you're running some private network you either have the exact same problems with trust & monitoring or you don't need a blockchain in the first place because you have some other trusted communications channel.
There are a variety of ways to have private transactions across either the public internet or other networks. There are a variety of coins that use tor, for instance.
It doesn't have to be bitcoin either.
My point was that if you can avoid cashing out to fiat using well known gateways, anonymity isn't difficult to preserve. It only becomes an anonymity problem if you are careless or if you cash out using known KYCd gateways.
This means you can't use it for currency transactions, with anyone you don't trust, or on any system which might be compromised by the authorities you're trying to evade. If you ever make a mistake, all of that not only won't help you but will be strong evidence of intention. There are very few threat models where “use cash” is not a much safer answer.
It means you need to operate inside the cryptocurrency ecosystem instead of counting on cashing out all the time, or you simply use any of the many non-regulated means to cash in and out of the ecosystem.
That's becoming more and more possible to do.
None of which has any bearing on the problems I mentioned earlier. If you're worried about a repressive government, the odds are high that other people in the system are compromised and will help reveal your identity. Those “many non-regulated means to cash in and out” are similarly not readily available and extremely likely to be compromised as well. People sometimes act like mixers solve this problem but they aren't effective against attackers who can see lots of traffic and even if they worked as well as advertised, simply using one is going to be considered proof that you were doing something illegal and attempting to hide it.
Finally, as we're already seeing you have the problem that in a repressive country simply being able to maintain software security is an unsolved problem: consider what the odds are that someone will manage to maintain perfect security of their devices and client trying to find software which is considered illegal and will attract attention simply by searching for it.
Read anything about the history of people living under regimes with black market economies and ask what a blockchain is adding other than a gift-wrapped transaction history for the authorities. It's simply irresponsible to tell people that you're not exposing them to more risk in the hope that it'll make some money for you.
Somehow, people in China still manage to get on the internet, how do you think that happens? As it happens, the internet was designed to route around censorship, and it's done a very good job so far.
Nobody wants that, nobody is saying they want that, there are mitigations against that (like backups), and it's a stupid straw man that's not even trying to engage in a meaningful conversation on the topic.
All money systems have tradeoffs, cryptocurrencies are just another option.
This is not a concern for 99% of people. Nobody is getting their bank accounts frozen except for high profile criminals.
> Or how people don't want a private company to be able to dictate what they are allowed to buy and sell
Another fake problem. 99% of people can buy and sell whatever they want. There is a very very small intersection between what is legal and prohibited by the banks. Once again, this is only a use-case for criminals.
> don't want to have to be constantly vigilant to ensure their simple 16 digit number doesn't get into the wrong hands
Do you not see the irony in complaining about vigilance over a credit card number in a response about the work of having to back up your bank cryptocurrency private key? If your 16 digit card number is stolen just cancel the card and any fraudulent purchases will be remedied. Cryptocurrency is clearly worse in this comparison.
> All money systems have tradeoffs, cryptocurrencies are just another option
Cryptocurrency is not a "money system" with "trade offs", it's a hamstrung toy that facilitates some dark-market commerce and that's about it, it is otherwise demonstrably useless and certainly not an alternative for the incumbent financial system.
I've had my credit cards frozen multiple times because I did something their fraud detection deemed shady. One time I was stuck in another country without any way to pay for things! Yes, I now know that I have to warn my credit card company where I'm going or they may turn my card off again on me, and I now know that I should bring cash with me (at the time I didn't have a ton of money to be able to take a bunch out in cash to carry around, not to mention that it would have cost me tens of dollars to withdraw all of my own money, and the bank can still deny me making it in one big withdrawal!), but that is again a lot of work to have to do and worry about just to be able to spend my own money.
(Also, the whole premise there kind of freaks me out. You need to warn the bank where you are going, and then if they approve you are allowed to spend your money there, otherwise you could be stuck somewhere with no recourse... That's terrifying!)
>Another fake problem. 99% of people can buy and sell whatever they want.
And yet finding credit card processors for porn and other adult things is extremely difficult for most companies in that area. Not to mention that your agreement with your credit card company prohibits you from buying a lot of that stuff (porn, sex, donations to politically unfriendly sites like wikileaks, etc...)
And go ask a marijuana shop why they don't take credit cards, and how difficult it is for them to handle money and even pay their employees because they can't get a bank account in the US. How they need to hire armed guards because they have to work entirely via bundles of cash because of the blacklisting of their industry.
Hell, just LAST WEEK there was an article at the top of this very website about how Paypal banned a company and is holding their funds for 180 days. And that thread is FILLED with other examples not just from Paypal but other companies as well.
You can say it's unlikely, but you can't say it's a "fake problem".
>Do you not see the irony in complaining about vigilance over a credit card number in a response about the work of having to back up your bank cryptocurrency private key?
No, because you never have to give out your private key, but you do have to give out and protect your credit card number.
>If your 16 digit card number is stolen just cancel the card and any fraudulent purchases will be remedied.
Unless you waited too long to tell them, or they say you've disputed too many fraudulent purchases on your account, or they mess up the paperwork, or they say the fraudster used your pin and they don't cover charges where a pin is used.
>Cryptocurrency is not a "money system" with "trade offs", it's a hamstrung toy that facilitates some dark-market commerce and that's about it, it is otherwise demonstrably useless and certainly not an alternative for the incumbent financial system.
It's clear you've made up your mind, I don't even know why I'm typing this out, you aren't going to change your feelings.
But I'm not asking you to believe me, I'm asking you to let some of us make different choices. You say 99% of people don't have a concern about these things, what about the 1% of us that do? What about the 1% who are being failed by current money systems, the 1% who have to rely on cash which is EXTREMELY susceptible to fire, theft, and loss because they can't back it up, the 1% who want to try and transact safely without a middleman in some situations, the 1% who think that there is still improvements that can be made in cryptocurrencies and are working toward solving problems with them so that one day they may become more useful to a much larger portion of people.
>certainly not an alternative for the incumbent financial system.
I never said it was an alternative in its current form. I don't believe it is. No cryptocurrency at the moment is ready for widespread usage, and I don't believe it is going to ever take over the incumbent financial system ever. But that doesn't mean we can't try to make it easier to use, better, safer, expand the usable situations, experiment with cryptographic protocols, and maybe eventually some of that tech can make it into other money systems in some way to make things better for everyone. Or maybe it will just stay a fringe system for some who have been burned or blacklisted by the current system to use in some situations where they would otherwise be stuck.
You don't need to be involved, you don't even need to like it, but don't make up straw men and act like nobody out there wants some of the benefits of it because you personally don't.
I didn't want to get into fucking arguments about cryptocurrencies today, especially with someone who just decides that the problems it's solving for some are "fake problems" and handwaves them away, so this is the last time I'll reply here.
A frozen credit card is not a frozen bank account. Your money is still available in the bank. You can try to paint fraud protection as a negative but the vast majority of consumers disagree with you. Not a real issue.
> No, because you never have to give out your private key, but you do have to give out and protect your credit card number
You're moving the goalposts. Giving out a credit card does not require a user to be vigilant about security, they simply leverage the number when they need to make a purchase, no back ups or additional work required.
> It's clear you've made up your mind, I don't even know why I'm typing this out, you aren't going to change your feelings.
Not an argument. It's clear you've made up your mind, I don't even know why I'm typing this out blah blah blah. See how pointless that is?
> I'm asking you to let some of us make different choices
Nobody needs my permission to do anything. I can assert that cryptocurrencies are useless and you can ignore me if you like.
> What about the 1% who are being failed by current money systems
What about them? They can do whatever they want, I'm not trying to stop cryptocurrency enthusiasts from doing their thing, it doesn't mean I have to agree that it's useful.
> Paypal banned a company
Paypal is a private company... what's your point? Coinbase bans people all the time for arbitrary use of their coins. Based on your logic here that means cryptocurrency is a failure.
> marijuana shop
Marijuana is federally illegal. Using cryptocurrency doesn't solve any problems that cash doesn't already solve just fine. Cryptocurrency has literally zero advantages for these businesses.
> that one day they may become more useful
Yeah... when that actually happens you won't hear any arguments from me.
> You don't need to be involved, you don't even need to like it, but don't make up straw men and act like nobody out there wants some of the benefits of it because you personally don't.
Talk about a straw man. I never said "nobody out there wants some of the benefits" of cryptocurrency, I said THE VAST MAJORITY of people don't want it, which is absolutely true and something you've already understood based on your response, so I am not sure why you have decided to pull up a strawman argument even though you already responded to my actual argument regarding the "1% who are being failed by current money systems".
> I didn't want to get into fucking arguments about cryptocurrencies today, especially with someone who just decides that the problems it's solving for some are "fake problems" and handwaves them away, so this is the last time i'll reply here.
This is a silly rhetorical trick. You drop a gigantic wall of text and then sign it with a complaint that you don't want to get in an argument and use that as an excuse to avoid responding to criticism. I didn't do any handwaving, I gave detailed specific responses explaining my position, but if regarding my argument as "handwaving" makes it easier for you to ignore it, by all means.
But honestly I missed the crypto currency expansion completely. Bitcoin when I noticed it at $50, bah.... It hasn't lived up to its promise of an alternative form of payment, but it certainly increased in value rapidly. But I wouldn't count it out completely, there may be a use case that in hindsight is obvious, that we aren't seeing yet. I doubt it but it is possible (my track record is good but mixed. I was the proud owner of buy.com stock.. that didn't work out so well.. )
Plus the algorithms are kind of interesting, and the fact it works at all is kind of miraculous.
The above part pretty much applies to humanity as a whole, going back at least 200k years.
Blockchain stands apart as repeating every single problem the financial system solved over the last 300 years, while being driven by a community best defined by their arrogant dismissal of that very financial system they are reinventing, piece-by-piece.
Turns out civil society (i.e. laws, courts, institutions, economics, shared fictions of value, and trust) cannot actually be replaced by an algorithm quite as easily.
Blockchain stands apart as repeating every single problem the financial system solved over the last 300 years
Forgetting then repeating the mistakes of the past is yet another long standing hallmark of human beings. In every age, in every place, the deeds of people remain the same.
Turns out civil society (i. e. laws, courts, institutions, economics, shared fictions of value, and trust) cannot actually be replaced by an...
An algorithm. A new religion. A new social theory. A new lifestyle. A new understanding...
I've never seen SV. After I was assaulted over an iPhone project and complicated living situation, my ophthalmologist urged me to watch it. I actually stayed in a place billed as a "Hacker Hostel" when I first got to San Francisco. There is indeed a lot of fodder here for someone like Mike Judge.
Regarding the recent mining events. We may have an idea of where the hashrate came from.
ASIC manufacturer Linzhi confirmed testing of new 1,400/Mh ethash machines #projectLavaSnow
- Most likely selfish mining (Not 51% attack)
- Double spends not detected (Miner dumped blocks)
(Not all of us know a whole lot about how crypto works or why this is good or bad and what it means for our investments)
Privately, you are building a chain where said transaction did _not_ occur. Because your hash rate is high enough, you are generating blocks at at least the pace of the public chain. You keep mining your chain (without your transaction) privately until the bank transfer from the exchange goes through, or you are sure whatever you bought is on its way. Then you broadcast your private chain as soon as it has at least one block more than the public chain and voila, you have your ETC back and the USD/EUR/crypto you sold it for (or the product you bought). You can have your cake and eat it too. This is because the rule of most cryptocurrencies is that the longest chain is the truth, and everyone mines on top of the longest chain. If a longer chain appears out of nowhere, all miners will jump on top of this one. There is no such thing as "finality" in most cryptocurrencies, where something becomes actually (read: much more) irreversible.
Of course, doing this only makes sense if what you gain outweighs the costs of performing such an attack.
Note that you typically _cannot_ steal coins from specific wallets, as you do not have the keys to those coins. You can however censor transactions that you may not want, but the above is a common way to benefit from a 51% attack.
If the hardware to accomplish the attack is available for your use, the cost of the mining should net out at zero-ish, because you're also getting the rewards for doing the mining. So the net cost of the attack is just the overhead for the mining hardware.
Coincidentally, economist Alex Tabarrok just wrote about this today:
I would say that most (other) fringe coins are not as easily attacked as ETC was. They have very illiquid markets, and you cannot really sell a significant amount of them before you basically just deplete the order books. And merchants are typically not accepting anything other than the major coins either. I guess ETC was still riding along on its partially shared name/history with its bigger brother.
Eventually, some more details on the double spend transactions might shed some light on who suffered a loss in this case. It might be an exchange, but most of them require KYC nowadays (so it becomes hard to get away with).
I guess you could buy a hundred gadgets at $100 each from a hundred places in one day and then produce a fork censoring your whole $10k shopping spree?
Another mitigation is to shut down trading until the attack is over. Maintaining a 51% attack is expensive (assuming there is at least SOME usage of the coin), and if you just say "we won't be doing business for the next 24 hours", the attacker now has to maintain that attack for the next 24 hours, and if the company wants, they can just extend the time. Eventually (hopefully!) the attacker will run out of money, and the "correct" chain will take it over again.
Philosophically, what the distributed blockchain is, is an agreement for adjudicating whose record (e.g. a list of transactions) should be agreed on as "the valid one". If you already have a different, reliable external way of deciding this question, that is (arguably) conceding that you didn't need a distributed blockchain in the first place.
EDIT: I've realised my comment could be misinterpreted as endorsing the blockchain 'movement'. I am among those who are quite skeptical of these many blockchain projects.
There's always dilution when an idea has been around long enough and I'm concerned about the copycats trying to use blockchain for other things.
If Raft is democracy, then blockchain is Might Makes Right. The guy with the biggest stick always wins. There is no actual vote. Everybody is an accomplice.
That doesn't sound like progress, that sounds like regression. A really big one.
If anything, relying on an outside source is what we're doing now. Coinbase and others are telling us that they detected something and I haven't heard anybody question them. (And I'm assuming they're not lying). Though that's not to say the blockchain will be changed by this information.
You are correct of course. To me, problems like this recent attack highlight an inherent contradiction in the blockchain idea:
- that the "51%+ of hashing power determines the truth" rule is really either lip-service, techno-marketing vanity that doesn't actually translate to practice (if corrective action ensues), in which case the adjudicator is clearly not the blockchain tech we were told, but instead a nebulous collection of companies and stakeholders, OR
- that "51% determines the truth" is indeed a strictly-held principle, even though we have already demonstrated that there exist actors with enough resources and motivation to make attacks of this nature on some of the most prominent blockchain projects already - and we haven't even yet witnessed what a 51% attempt by an actor with the resources of a state would look like.
This is one of the reasons I have become skeptical of blockchain projects.
Also, if you have clients follow the rule "never switch forks" to protect against 51% attacks, then any network partitions will cause a permanent fork.
I'd imagine that you would want to look for evidence of a double spend as that's the most likely goal of a 51% attack. But then the blockchain must have up-to-date knowledge of likely double spend targets (such as exchanges, OTC desks, etc), and be able to algorithmically and deterministically prove malicious intent with high certainty. Only then will you be able to maintain consensus and prevent unnecessary or accidental forks.
But since this is all open-source anyway, it would only be a matter of time before a slightly more sophisticated attacker read through the updated consensus algorithm and figured out how to game it. And so the cycle continues.
In truth, the only real strategy for mitigating attacks in PoW blockchains is hash power. It has proven to be very effective if you have enough of it (see BTC), and looking for other 51% resistance measures isn't really that productive unless you start from the ground up and rebuild the consensus mechanism on a different paradigm (e.g. PoS, which is still unproven afaik).
It is a pretty interesting solution, that seems to work out OK.
For example, most Bitcoin cash clients don't accept reorgs longer than 10 blocks, as such a reorg is 100% an attack. This protects the network against large reorgs.
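The two behaviours discussed in this thread (the privately mined chain that reverts a deposit under the longest-chain rule, and the "refuse reorgs deeper than N blocks" rule together with the partition side effect mentioned earlier) can be put in one toy model. This is an added, constructed example, not code from any client or from anyone in this thread; block contents, the "attacker->exchange 1000" label and the chain lengths are all made up.

```python
"""Constructed toy model of chain selection (not any real client's code):
the longest-chain rule, a privately mined chain that reverts a deposit,
and a max-reorg-depth rule with the partition side effect noted above."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True, eq=False)  # identity semantics: every block object is unique
class Block:
    height: int
    parent: Optional["Block"]
    txs: Tuple[str, ...]  # constructed transaction labels, e.g. "attacker->exchange 1000"
    miner: str

    def ancestors(self):
        b = self
        while b is not None:
            yield b
            b = b.parent


GENESIS = Block(0, None, (), "genesis")


def extend(tip: Block, txs, miner: str) -> Block:
    return Block(tip.height + 1, tip, tuple(txs), miner)


def fork_point(a: Block, b: Block) -> Block:
    """Deepest block the two chains share (they always share GENESIS)."""
    on_a = set(a.ancestors())
    return next(x for x in b.ancestors() if x in on_a)


def contains_tx(tip: Block, tx: str) -> bool:
    return any(tx in b.txs for b in tip.ancestors())


class Node:
    """max_reorg=None is the pure longest-chain rule; an integer refuses any
    switch that would discard more than that many of the node's own blocks."""

    def __init__(self, name: str, max_reorg: Optional[int] = None):
        self.name, self.tip, self.max_reorg = name, GENESIS, max_reorg

    def consider(self, candidate: Block) -> bool:
        if candidate.height <= self.tip.height:
            return False                     # not longer: ignore
        depth = self.tip.height - fork_point(self.tip, candidate).height
        if self.max_reorg is not None and depth > self.max_reorg:
            return False                     # reorg too deep: refuse
        self.tip = candidate
        return True


def mine_chain(start: Block, n: int, miner: str, first_txs=()) -> Block:
    """Append n blocks to `start`; the first one carries `first_txs`."""
    tip = extend(start, first_txs, miner)
    for _ in range(n - 1):
        tip = extend(tip, (), miner)
    return tip


def double_spend(public_len=20, private_lead=4, max_reorg=None):
    """Attacker with >50% hash power: the deposit sits in the public chain,
    the private chain built from GENESIS omits it and is revealed once it is
    `private_lead` blocks longer. Returns the victim's view (before, after)."""
    victim = Node("exchange", max_reorg)
    deposit = "attacker->exchange 1000"
    public = mine_chain(GENESIS, public_len, "honest", (deposit,))
    victim.consider(public)
    before = contains_tx(victim.tip, deposit)            # confirmed, 20 deep
    private = mine_chain(GENESIS, public_len + private_lead, "attacker")
    victim.consider(private)                             # longest-chain rule
    after = contains_tx(victim.tip, deposit)
    return before, after


def partition(max_reorg=10, blocks_apart=12):
    """Two honest nodes cut off from each other extend their own side past
    max_reorg; once reconnected, the shorter side can never converge."""
    a, b = Node("A", max_reorg), Node("B", max_reorg)
    common = extend(GENESIS, (), "honest")
    a.consider(common)
    b.consider(common)
    side_a = mine_chain(common, blocks_apart, "honest-A")
    side_b = mine_chain(common, blocks_apart + 1, "honest-B")   # one block longer
    a.consider(side_a)
    b.consider(side_b)
    switched = a.consider(side_b)       # partition heals; A now sees B's chain
    return switched, a.tip is b.tip


if __name__ == "__main__":
    print("longest-chain node      :", double_spend())               # (True, False)
    print("max_reorg=10 node       :", double_spend(max_reorg=10))   # (True, True)
    print("partition, max_reorg=10 :", partition())                  # (False, False)
    print("partition, no limit     :", partition(max_reorg=None))    # (True, True)
```

The same `max_reorg` setting that makes the exchange keep its deposit in `double_spend` is what leaves node A stranded on its own side in `partition`: the rule cannot tell a hostile 20-block reorg from an honest one caused by a long network split, which is the trade-off the earlier comments describe.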
I can't comment on investment. Note Ethereum has always been over-hyped which (imvho) makes it useless for any serious engineering. See https://news.ycombinator.com/item?id=18780489
The idea is that the miner just picks the last block and selects a bunch of the current transactions and a random number and makes a hash of all of them. If the hash has enough zeros at the beginning then it is a new block and it is distributed to all the network. The other nodes of the network validate all the transactions and also that this bunch of transactions with this random number produce a hash that has enough zeros at the beginning. Any invalid transaction or a wrong random number makes all the other nodes of the network ignore the fake block.
Once the last block and the bunch of transactions are picked, the difficult part is selecting a random number that with them produces a hash that has enough zeros at the beginning. So the miners must try, try, and retry with different random numbers until they are lucky (or someone else is lucky). They must try millions of millions of millions (gillons?) of times, because it's difficult to pick the correct one. This uses a lot of electricity to power the computer. The other people just validate with the lucky number, so it's much cheaper.
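The asymmetry described above (millions of hash attempts to mine, one hash plus transaction checks to validate) in a runnable toy. This is an added, constructed example and not code from any cryptocurrency client or from this thread; the ledger balances, transaction labels and the all-zero previous hash are made-up inputs, and the "difficulty" is simply a count of leading hex zeros.

```python
"""Constructed toy proof-of-work (not any real client's code): mining searches
for a nonce whose SHA-256 has enough leading zeros; every other node checks the
result with a single hash plus transaction validation."""
import hashlib
import json

# Constructed sample state and transactions (labels are illustrative only).
BALANCES = {"alice": 50, "bob": 10}
TXS_OK = [{"from": "alice", "to": "bob", "amount": 30}]
TXS_OVERSPEND = [{"from": "alice", "to": "bob", "amount": 100}]
PREV_HASH = "00" * 32   # stand-in for the previous block's hash


def block_hash(prev_hash: str, txs: list, nonce: int) -> str:
    """SHA-256 over a canonical JSON serialisation of (prev, txs, nonce)."""
    payload = json.dumps({"prev": prev_hash, "txs": txs, "nonce": nonce},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(h: str, difficulty: int) -> bool:
    """Difficulty = number of leading hex zeros required (4 bits each)."""
    return h.startswith("0" * difficulty)


def mine(prev_hash: str, txs: list, difficulty: int, max_tries: int = 5_000_000):
    """The expensive side: try nonces until one meets the target.
    Returns (nonce, hash, tries); expected tries grow as 16**difficulty."""
    for nonce in range(max_tries):
        h = block_hash(prev_hash, txs, nonce)
        if meets_target(h, difficulty):
            return nonce, h, nonce + 1
    raise RuntimeError("no solution within max_tries")


def apply_txs(balances: dict, txs: list):
    """Replay transactions against a copy of the ledger; None on overspend."""
    bal = dict(balances)
    for tx in txs:
        if bal.get(tx["from"], 0) < tx["amount"]:
            return None
        bal[tx["from"]] -= tx["amount"]
        bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
    return bal


def validate(prev_hash, txs, nonce, claimed_hash, difficulty, balances):
    """The cheap side: what every other node does with a received block.
    Returns (accepted, reason)."""
    if block_hash(prev_hash, txs, nonce) != claimed_hash:
        return False, "hash mismatch"           # block body or nonce altered
    if not meets_target(claimed_hash, difficulty):
        return False, "insufficient work"
    if apply_txs(balances, txs) is None:
        return False, "invalid transaction"     # e.g. spending more than held
    return True, "ok"


if __name__ == "__main__":
    nonce, h, tries = mine(PREV_HASH, TXS_OK, 4)
    print(f"mined nonce={nonce} hash={h} after {tries} tries")
    print(validate(PREV_HASH, TXS_OK, nonce, h, 4, BALANCES))
    print(validate(PREV_HASH, TXS_OK, nonce + 1, h, 4, BALANCES))
    n2, h2, _ = mine(PREV_HASH, TXS_OVERSPEND, 4)
    print(validate(PREV_HASH, TXS_OVERSPEND, n2, h2, 4, BALANCES))
```

Raising `difficulty` by one multiplies the expected number of `mine` attempts by 16 while `validate` still costs exactly one hash; the overspending block is rejected even though its proof-of-work is valid, which is the "any invalid transaction makes the other nodes ignore the block" point made above.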
Mining is basically the way that everyone agrees a transaction is valid - you have a bunch of unrelated entities saying, "Yes, according to my copy of the ledger, the sending party has X dollars and wants to send Y dollars, and the two parties agreed." (It's much more nuanced, but this is the easiest way to summarize it.)
If someone said, "I'm going to send AccountB 100ETC from AccountA," but AccountA only had 50ETC then a miner would see that and deny the transaction (wouldn't add it as a valid block to the blockchain). In reality, there are several places that the transaction should be thrown out, but there are obvious ways around those, and every transaction incurs a fee, so trying to just flood the network is costly. More importantly, several miners have to agree that the transaction is valid. When sending bitcoin, you'll see a number of "confirmations," which is the number of miners that marked the transaction as valid. You can see this when sending coins between two exchanges, you'll see that the receiving exchange won't allow you to use the coins for trading until you hit, say, 30 confirmations.
The problem with this model for smaller projects is that those "confirmations" by unrelated miners can't be trusted if one person/group owns more than half the miners. I left out the idea of wallets/nodes to bring this up here. Every "full" wallet (or node) has a copy of the blockchain and does some cursory checks on transactions before broadcasting them to the network. Miners then package a bunch of transactions in a block and send this to the network - "Here is my version of block X. It should be added to the blockchain as block X for everyone." The miners then have to expend some effort to verify that the block is actually the block they think it is and contains valid transactions. When the miners confirm a block, it eventually propagates to all the miners and nodes, and competing blocks by other miners, which might have contained some of the same transactions are discarded. It doesn't mean the other blocks were fake, just that the chosen block reached "consensus" of the miners and can be trusted to be valid. (I realize this leaves lots of open questions, but I'm limiting the scope to OP's question.)
Consensus is the big problem in 51% attacks. If someone controls more than half the mining power, they can reach consensus on blocks faster than legit miners and add whatever they want to the blockchain that is distributed to all the other miners and nodes. That means they can add/delete transactions or manipulate existing ones to, say, change the receiving address to their own, and everyone that receives those blocks will accept the outcome.
This is why decentralization is so important to cryptocurrency. There's a level of necessary chaos that keeps the network honest. It is possible to roll back the blockchain to a previous version, but that also means that transactions in all blocks that followed must be rolled back as well. If the rogue party simply accumulated currency, that's not a big deal, since all other transactions would still be valid. But, if they immediately turned around and traded them for other coins, you start to see the problem. On top of that, if ETC was more "robust", the news would (and currently is) send the price into a nosedive, which creates an opportunity to legitimately buy it very low and profit from the recovery. That's not going to be the case here.
All this being said, Ethereum Classic was kinda declared dead a month ago when the development group halted operations, so anyone with any significant amount of ETC should have sold off by now. This attack will probably be the final nail in the coffin.
TL;DR - In the end, the state of the blockchain comes down to a simple majority of miners agreeing that a block (a group of transactions) is valid. At 51%, you can force everyone to see invalid transactions as valid. ETC development ceased around a month ago, so no one that follows it should be holding any now, but people blindly trading for profit will get a nasty surprise.
In many of these blockchain systems, the 51% attacks only apply to money in motion. I can't move all of your funds out of 'your account' unless I have stolen your wallet, and if I have stolen your wallet I don't need to change anything else about the network. I can just spend on your behalf.
Lacking that, I can convince you you got paid for services and then claw them back by making the network change their mind after the fact. I can repudiate all payments to you with a 51% attack, by voting again on what transactions just finished.
Congress has rules about votes. If you have a quorum, everybody sticks with the outcome. If you don't show up, you don't get a vote. To make that work, you have rules. A quorum is defined and static. Obstruction is not allowed - no secret votes, no locking the doors.
It may be as simple as this: When my transaction is settled I need to know the health of the system. If some definition of quorum is met I know my transaction can't be hijacked. If the network was degraded a revote is possible. I need to wait for more confirmation before rendering services.
That's kinda the essential problem. If you can trigger a revote, then the attacker will stuff the ballot to make theirs the winner.
If I understand correctly this attack managed to reorganize hundreds of blocks. That's a lot of time to wait for confirmations.
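The "wait for more confirmations" defence discussed in the last few comments can be quantified with the catch-up calculation from section 11 of the Bitcoin whitepaper, which gives the probability that an attacker holding a share q of the hash power eventually replaces a block the recipient has already waited z confirmations on. The code below is an added example (my own transcription of that published formula, not code from anyone in this thread); the hash-power shares it prints for are arbitrary sample values.

```python
"""Nakamoto's catch-up calculation (Bitcoin whitepaper, section 11), as a
constructed example: how likely an attacker with hash share q is to replace a
transaction the victim has already waited z confirmations on."""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """q: attacker share of hash power, p = 1 - q honest share.
    The attacker's lead after the honest chain grows z blocks is Poisson with
    mean z*q/p; from a deficit of d blocks the catch-up chance is (q/p)**d."""
    p = 1.0 - q
    if q >= p:
        return 1.0            # at or above 50% the attacker always catches up
    lam = z * q / p
    poisson = math.exp(-lam)  # k = 0 term; later terms via the lam/k recurrence
    miss = 0.0
    for k in range(z + 1):
        if k:
            poisson *= lam / k
        miss += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - miss


def confirmations_needed(q: float, max_p: float = 0.001, limit: int = 10_000):
    """Smallest z with success probability below max_p, or None if no finite
    number of confirmations gets there (q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit):
        if attacker_success_probability(q, z) < max_p:
            return z
    return None


if __name__ == "__main__":
    # Sample shares: minority attackers, a near-majority one, and a 51% one.
    for q in (0.1, 0.3, 0.45, 0.51):
        row = [f"{attacker_success_probability(q, z):.4f}" for z in (1, 6, 30, 100)]
        print(f"q={q:.2f}  P(z=1,6,30,100)={row}  z for P<0.1%: {confirmations_needed(q)}")
```

For a 10% attacker five confirmations push the success probability under 0.1%, a 30% attacker needs 24, and a 45% attacker needs several hundred; at 50% or more `confirmations_needed` returns `None`, because no waiting period helps once the attacker out-mines the honest network. That is the situation the thread is describing: a reorganisation of hundreds of blocks is not a sign that recipients waited too little, but that the majority assumption the whole calculation rests on had failed.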