We can confirm that there was a successful 51% attack on Ethereum Classic (twitter.com)
549 points by doener 15 days ago | 274 comments



This is inevitable. Ethereum Classic (ETC) isn't the only currency such attacks have been successful on. The site https://www.crypto51.app/ puts the cost of running a 51% attack on ETC at ~$5k per hour. The incentive for running these attacks for profit becomes higher as the market cap of these coins increases, making long-term 'investment' in these coins nonsensical.


If you're not on the largest coin for any particular interchangeable hashing algorithm then you're susceptible to these attacks, as people from a larger coin could simply turn their hardware against you and take you out.

That means: For SHA256^2-specific hardware, Bitcoin (the real one, not Cash, Gold, or SV), for scrypt, Litecoin, and for anything mined on GPUs, Ethereum (not Classic).


A defense against this is merged mining (e.g. Dogecoin and Litecoin, Namecoin and Bitcoin).


If a 51% attack is mounted by adding hash power, wouldn’t the existing miners on the target coin also start shutting down[1] because the competition is higher, reinforcing the strength of the attackers?

[1] or migrate to another coin, such as the coin that the attackers left to fill their void?


51% attackers mine in secret.

Basically, you spend your coins today, while controlling a 51% share. When everyone else's 49% hash-power creates 98 blocks, your 51% share will create 102 blocks.

But secretly. That's the key. Now that your chain is +4 ahead (or wait even longer and become +10 ahead), you can spend your coins on the public chain. Then, you publish your 102 alternative blocks (which barely adds any hash power to the chain), and spend your coins again on the 2nd chain.

A 51% attack is the end-all-be-all for a cryptocoin. If you're vulnerable to the 51% attack, the coin is effectively worthless.

-----

The only way to beat a 51% attack is to build more hash power than the attackers. IE: Prevent the attackers from getting to 51%.


If only we had a currency that was immune to 51% attacks because a government was willing to use force to preserve its value, and therefore doesn't need a massive use of energy for its proof of work.


We call a 51% attack an attack, but from the perspective of PoW it's always about the chain with the most work. Anyone is just as valid as anyone else to propose blocks. That's the point of Bitcoin: a way to always figure out what the truth is, and make it as expensive as possible for people to attack/change this truth.

The only problem here is that PoW only knows one cost: hashing, and due to macro shifts in mining hardware this can sometimes go down a lot more than the value of a coin (which makes the cost of this attack worth it).

As soon as you start introducing measures to subvert this attack you are subverting either decentralization or stability. If you for example program clients to not accept reorgs deeper than 10 blocks (for example) you simply introduce new attack vectors that can split the network (into following different chains - which is even scarier than 51% attacks).

If every x blocks you snapshot the chain and force everyone to follow that snapshot you just centralized the chain, etc.


Splitting the network causes it to become a marketing problem.


Due to the probabilistic nature of most PoW protocols, you don't actually need to have the chain with the most work. An attacker can keep trying till they are lucky, with less than 50% hashpower.


In the same way you can endlessly throw money at the craps table until you get lucky and bankrupt the casino?


In the same vein, I've been yelling at the monitor over the "news":

> The Milky Way could crash into another galaxy way sooner than we thought


And the chance of successfully doing so is incredibly low, and meanwhile you're out all the computational resources you spent on your private chain that ends up being thrown out.

You'd be better off simply placing big bets at a casino


Estonia was planning (and announced) something along these lines .. but the EU basically told them no.

https://www.bloomberg.com/news/articles/2018-06-01/estonia-c...


I think OP was being facetious and was referring to normal currencies.


Maintaining that force also costs a lot of energy. And such a currency doesn't do the same things as crypto currencies.


When a president tells the governor of the central bank not to raise interest rates despite the bank board's best professional judgement, is that considered an attack?


And then the governor of the central bank doesn't because they don't take their orders from the executive branch, because they're a private entity? That's actually the whole reason they're a private entity -- to separate monetary policy from politics. Them being a private entity was what Satoshi was mad about, and yet here it is, saving our asses. What if Satoshi was ... wrong about everything?


Ad hominem. It's an opinion that some "policy" is "saving our asses". Bitcoin isn't undergoing a 51% attack, currently. You don't know Satoshi's identity.

Private entities still practice consensus. Just because one can't inspect or participate in the consensus doesn't mean it doesn't exist.


That’s all irrelevant to my point; I didn’t say bitcoin was being attacked. The “saving our asses” comment was that if the executive branch telling the fed how to monetary policy represents an attack then the private nature of the federal reserve represents a defense, one that’s working, or colloquially “saving our asses.” This effective structure is one bitcoin maximalists decry, and yet, it continues to work effectively. Further it’s not a stretch to attach that idea to Satoshi given the content of the genesis block. It’s not an ad hominem attack to suggest someone is wrong — even that someone’s entire thesis is wrong — the definition is to attack the attributes of someone instead of their argument, I’m refuting their argument.

It doesn’t matter who Satoshi is, I don’t need to know to opine on their ideas. That private entities practice consensus is fine (after all isn’t that just any human interaction?) and further I have no problem with consensus just the sheer wastefulness and intentional anti-efficiency of bitcoin as-is, the fact its waste isn’t sufficient to prevent an attack, its fiscal policy (inflation is fine, you’re not supposed to hold currencies) and the idea that somehow bitcoin's dreadful wealth inequality will save us from the present dreadful wealth inequality. Not to mention the idea we should just defer monetary policy to a bunch of developers who hack on protocol instead of a group of trained economists. Or the idea of scarcity when anyone can and does fork coins to double the number outstanding every few weeks. Or its user hostility. Or its defenselessness to market manipulation. History won’t look kindly on this mess in a few years.


Or wait for many more confirms that the attack is impractical.


I'm not sure that is possible. If a 51% attack for 1-week costs $1-million USD to pull off (hypothetical round numbers against a hypothetical coin)... then how many confirms do you wait for?

If you wait for 1008 confirms (for a transaction of $1 Million USD), then that doesn't stop the attack at all. After all, the attacker simply has to perform $2 Million USD worth of double-spends during that timeframe to make a profit. (Not necessarily with you, but across the entire blockchain).

After waiting 1008 confirms (1-week for a 10 minute/block coin), the attacker simply replaces those 1008 blocks with his 1049 secret-blocks and makes his chain the longest. That means that ALL spends for the past week are nullified, allowing the attacker to double-spend his coins on the new blockchain.

----------

In effect, waiting for 1000-confirms (or whatever) is closing the barn door after the horse has bolted. It doesn't protect your transaction... it protects the NEXT GUY's transaction.

In any case, the attacker gets to double-spend his money, which probably includes a large exchange (where you can turn coins into US Dollars easily).


If the attacker has 50+% of mining power for the entire duration then yes it wouldn’t work as the longer things stretch out the further ahead the attacker gets (statistically).

However if the attacker has less than 50% they can still wage an attack. With 10% of mining power I’ve got a 1% chance of mining consecutive blocks. It dwindles quickly even for larger percentages and a large number of confirms makes that angle impractical.


> However if the attacker has less than 50% they can still wage an attack. With 10% of mining power I’ve got a 1% chance of mining consecutive blocks. It dwindles quickly even for larger percentages and a large number of confirms makes that angle impractical.

ETC's blockchain just had over 100+ blocks change, according to the tweet.

Even with 40% of the mining power, the probability of such an event (40% mining power, 100 consecutive blocks) is 0.000000000000000000000000000000000000016%. That's a very unlikely hypothesis you're presenting.


With a 51% attack the additional hash power is not visible on the chain until the attack is triggered to perform a rollback.


Sorry for being that guy, but it is usually called a re-org not a rollback


> people from a larger coin could simply turn their hardware against you and take you out.

Only at the expense of leaving their coin more vulnerable to a similar attack.


Not if you're much larger than the alternatives, which tends to be the case.


Or they could just hop amongst 50 $smallCoins, destroying each, before jumping back into BTC/ETH. Thereby destroying all $smallCoins and driving users into $bigCoin


Not until the difficulty adjusts, and the attack takes less time than that to execute. And they'd have to be equally sized to actually leave the other coin vulnerable in any case, not asymmetric as in this case.


Would you mind elaborating on this for someone unfamiliar?


Most proof of work coins use unique hashing algorithms and the miners are custom-designed ASICs that are extremely efficient at that one specific algorithm. If per chance, your coin uses the same algorithm as Bitcoin [ SHA-256(SHA-256(Block Header)) ], a small portion of the much larger Bitcoin mining community could turn their miners toward the smaller coin and quickly overwhelm their network to perform a 51% attack. The Bitcoin community can perform something like 40 billion gigahashes per second, most 'shitcoins' have total mining capabilities of 0.05x that if not less. It's a quick economic calculation for any miner or group of miners to decide to attack a smaller double-SHA-256 coin, as long as the total hashing power of the smaller coin's network is small enough and the coin valuable enough.


Doing the attack tends to drive said shitcoin's value to zero, so the incentive to do it is often not there.


Shitcoin is not going to drop to zero immediately (as in 24 hours) giving attackers plenty of time to cash out.


Imagine all the Bitcoin miners out there right now using their ASICs to do extremely efficient hashing in the hopes of generating a block reward. Let's didactically suppose there are 100 such miners total.

Now imagine Dinkycoin comes along and releases their cryptocurrency that uses the same hashing mechanism for the block reward. Initially they have the block difficulty level pretty low as there aren't that many people participating in it yet.

Dinkycoin hopes that eventually enough people will join the network so that the total hashing power will be something approaching Bitcoin's. Great. But atm their total hashing power is a very small fraction of Bitcoin's total hashing power. I don't care enough to go find out how infinitesimal it would be-- enough to say very small.

Now suppose one of the Bitcoin ASIC miners gets bored one day and decides they don't like Dinkycoin. If they devote their ASIC to mining Dinkycoin they will immediately have more hashing power than the rest of the Dinkycoin network. That would virtually guarantee they solve every block of Dinkycoin and reap every reward. They'd easily have 100% control of the network at that point.

For example-- suppose Dinkycoin says you need 20 confirmations before accepting that a transaction "went through." Well, the Bitcoin miner can use their enormous hashing power to go back 20/30/whatever blocks and build a competing branch from that historical point. And since the miner has 1000% more hashing power (or whatever the number is) than the entire Dinkycoin network, they can build a competing branch from that historical point that will eventually have solved more/more difficult block rewards than the branch the rest of the network builds off the current branch. Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner. Well, the devs can decide to do otherwise for whatever professed reason and roll back/hard fork/whatever. But that kind of "do over" would degrade trust in the cryptocurrency itself. Users would be afraid of another future attack. After all, they were initially told 20 confirmations was enough. How do they know 40 confirmations is any safer? (And again, if the attacker has superior hashing power to the rest of the network it isn't meaningfully safer.)

Of course such a miner would be wasting all of their hashing power to screw with Dinkycoin's network. But to screw up most PoW cryptocurrencies you only really need 51% of the total hashing power. Even with that the attacker will eventually always beat the rest of the network to produce the "longest" chain. (Also, I think you can still cause problems for many cryptocurrencies with even less than 51% control.) Anyhow, do the math with the real numbers and you'll see that a real Bitcoin miner could devote a tiny percentage of their mining power and still own fledgling cryptocurrencies like the Dinkycoin example.

Moreover, they can trivially collude with the other 99 Bitcoin miners to devote an even smaller part of their hashing power to owning Dinkycoin, or even automate the process of smashing any coin that uses their same hashing scheme, based on any criteria whatsoever.

And it gets worse because in the 51% percent attacks I've read about in the real world, it isn't a big time miner with a grudge. Rather, it's someone who saw a weak point in a combination of a dinkycoin, an exchange, and several other moving parts and just rented a hashing rig to pull off an attack. Most PoW cryptocurrencies naively assume miners will choose greed over destructive tendencies without ever investigating whether those two paths are really mutually exclusive.

Edit: clarification

Edit: what happened to the web site that compares hashing power of the various SHA256-based coins, scrypt, etc.? Those orders-of-magnitude differences are quite instructive. But I can't find a site that lays it out nicely.


This phenomenon of "mysterious Bitcoin miner smashing your shitcoin" was pretty common in the early days, especially around the time namecoin merged mining came into play. Any theoretical attack that might be possible on Bitcoin would be attempted elsewhere if you didn't have the hashpower to carry it out on mainnet.

Origin of the term shitcoin would most likely be unable to defend the 51% attack

Good write-up op


If this is true, then does the pre-existing size of BTC and other widely mined crypto-currencies create a moat? How can a new up-start coin ever hope to gain significant traction with the possibility of a 51% attack?


The parent’s scenario was predicated on using the same hashing algorithm for the mining/proof of work as the dominant coin. So you can avoid that by using a different hashing algorithm.

Monero plans to do that indefinitely, by constantly changing to a new hashing algorithm that doesn’t have dedicated ASIC chips for it.


You have to use a PoW that's different enough from popular blockchains that they are unable to use speciality hardware against you.


> Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner.

Could this attack be addressed by changing the "total difficulty" function to value chains published earlier more than competing chains published later? Say a block published today is considered twice as difficult to achieve as a block starting from the same point published in 48 hours. Blocks don't need to be available in real time, but there should be enough communication between the miners to get some consensus on roughly when each block was published.

Intuitively, it seems like there is absolute agreement on the fact that a 51% attack happened (and which chain was mined by the attacker), nobody is saying "we can't be sure, this can sometimes just happen by mistake due to the distributed nature of mining". So if that can be trivially detected, why not build the detection into the mining algorithm in the first place?


Terrific post. Thanks for taking the time to write it.


But if they throw hashpower on Dinkycoin, wouldn't Dinkycoin's difficulty increase? If the difficulty for Dinkycoin re-targets more aggressively, then Dinkycoin would quickly gain more security in the process!


The attacks tend to do something like "build a chain based off Dinkycoin's previous blocks, but don't publish it until a later date". The difficulty changes can't help because the chain doesn't know about the attack until the attacker publishes a longer chain.


Yes, of course! And once the damage has been done, it's even harder to reverse. Perhaps if Dinkycoin's devs are fast enough, they could release a fork to undo it?


As long as the attacker maintains 51%, he can eventually just repeat the attack, regardless of the number of forks.


Ooohchie, yes indeed!


You change the POW function in the fork to eliminate the attack.


Perhaps if the attack was done using ASICs, but when done with GPUs it can be repeated indefinitely. See discussion https://www.reddit.com/r/ethereum/comments/707h3b/can_anyone...


Yes, you have to address that kind of attack differently.

> suppose Dinkycoin says you need 20 confirmations before accepting that a transaction "went through."

> Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner.

These statements directly contradict each other. The very, very obvious solution is to say that, if 20 confirmations validate that a transaction happened, then validated transactions can't be rolled back. (They're validated!) Once block 26 comes online, block 6 is a permanent feature of the blockchain. That's the only possible meaning of "accepting that a transaction went through". And, note, that is the definition being used now to label this an "attack" rather than "huh, look what happened".


> These statements directly contradict each other.

They don't contradict each other at all.

> Once block 26 comes online, block 6 is a permanent feature of the blockchain.

What defines the 'blockchain'? It's the chain with the most work. Outside of a centralized checkpointing mechanism, the only definition of the valid blockchain is the one with the most work behind it.


>> These statements directly contradict each other.

> They don't contradict each other at all.

They do; for a transaction to be revocable means you haven't accepted that it went through. If every block is revocable indefinitely, then you can't say that 20 confirmations confirm a block, because they don't.

> What defines the 'blockchain'? It's the chain with the most work.

No, it's the chain accepted by a group of miners. Miners are the sole authority of a bitcoin-style blockchain. Work is not.

> Outside of a centralized checkpointing mechanism, the only definition of the valid blockchain is the one with the most work behind it.

Centralization is not necessary for this. As a miner, you're free, in your individual capacity, to reject blockchain candidates that invalidate blocks you consider permanent. Centralization would mean that a block could require only 0 following blocks before being considered permanent. With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.


> They do; for a transaction to be revocable means you haven't accepted that it went through. If every block is revocable indefinitely, then you can't say that 20 confirmations confirm a block, because they don't.

From the blockchain perspective a block with a confirmation is confirmed. But everyone else can make new rules on top regarding payments: Do you consider most crypto exchanges to not support "Bitcoin" since they require 6 confirmations per transaction before they credit it?

> With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.

This is done to raise the cost of reversing the transaction (the more confirmations deep, the more expensive your attack needs to be).


>> With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.

> This is done to raise the cost of reversing the transaction (the more confirmations deep, the more expensive your attack needs to be).

No, it isn't done at all. You state as much:

> From the blockchain perspective a block with a confirmation is confirmed.

As far as I can see, this is just a design mistake. (And equivocating over the meaning of "confirmed".) The current system never treats any block as confirmed. The only statuses a block can have are "invalid" and "provisionally accepted". There is no "accepted" status, and a valid block may be revoked at any time, no matter how long it may have been valid for.

But there's also no reason not to have an "accepted" status, and to reject candidate blockchains which alter accepted blocks. This should be part of the mining protocol. Treating it as non-binding advice to merchants misses the point.


The original Bitcoin white paper explains this pretty well. The Bitcoin blockchain is never frozen, and the longest (the hardest) chain is always the valid one. The paper includes a formula to calculate the probability of a block being replaced by another, and sets 6 confirmations as the frontier where it is almost impossible for the chain to change.

What the paper doesn't say is that the formula doesn't work if there is more than one chain. Since an ETH miner can easily switch to ETC at any time, proof-of-work isn't really protecting ETC at all. There is another chain that was a lot harder to calculate, which means the ETC chain stands on thin ice.

Why not freeze the blockchain at certain points, then? Well, it cannot be easily done. There is the problem of choosing which blocks should be frozen, and when. How do you calculate that? What if there's a network split at that time? What happens if the protocol results in an unwanted fork? What happens if malicious actors try to settle on a wrong chain? This is the very problem that Bitcoin solved. Forgetting the idea of a final truth, and making the blocks work like a wave of consensus that eventually reaches everyone. Clever and simple, but with some drawbacks that have to be understood.

Of course, there are lots of people working on new ways of establishing decentralized consensus. The Ethereum devs have been working hard on this for a few years.
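The post above refers to the formula in the Bitcoin white paper (section 11) for the probability that an attacker with a share q of the hash rate eventually overtakes a chain that is z blocks ahead. The following is an added worked example, not code from any commenter: it ports that formula to Python and adds a small search for the number of confirmations needed to push the attacker's success probability below a chosen target. It also shows the two points argued earlier in the thread, that a minority attacker's odds fall off quickly with each confirmation (the "10% of mining power" comment) while for a majority attacker no number of confirmations helps (the "1008 confirms" comment). The helper names and the 0.1% target are this example's own choices.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the hash rate
    ever catches up from z blocks behind (Bitcoin white paper, section 11).

    The honest chain's lead follows a Poisson distribution with mean
    lambda = z * q / p while the attacker mines z blocks; for each possible
    lead the attacker's catch-up chance is (q/p)^(lead), or 1 if already ahead.
    """
    if not 0.0 < q < 1.0:
        raise ValueError("q must be strictly between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0  # a majority attacker wins with certainty, whatever z is
    lam = z * q / p
    poisson = math.exp(-lam)  # term for k = 0; updated incrementally below
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # Poisson(k) = Poisson(k-1) * lambda / k
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)


def consecutive_blocks_probability(q: float, n: int) -> float:
    """Chance that a miner with share q wins n blocks in a row outright,
    the (much weaker) 'lucky streak' model discussed earlier in the thread."""
    return q ** n


def confirmations_needed(q: float, target: float, max_z: int = 10_000):
    """Smallest number of confirmations z such that the attacker's success
    probability drops below `target`. Returns None when no z suffices,
    which is the case for any attacker with q >= 0.5."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < target:
            return z
    return None


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45):
        z = confirmations_needed(q, 0.001)
        print(f"q={q:.2f}: {z} confirmations to get below 0.1%")
    # majority attacker: waiting a week of blocks changes nothing
    print("q=0.51, z=1008:", attacker_success_probability(0.51, 1008))
    print("40% winning 100 in a row:", consecutive_blocks_probability(0.4, 100))
```

The values reproduce the white paper's table (for example q = 0.1, z = 6 gives about 0.00024, and q = 0.3 needs 24 confirmations to get under 0.1%), which is why exchanges can pick a confirmation count for a given threat model but only while the attacker stays a minority of the hash rate.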


So, I just ran through the same thought process and the problem is this:

How does a new entrant to the network know which is the valid chain?

They didn't see the previous 20 confirmations, so the only rule they can use is picking the longest chain.

Another way to do it is to have a separate voting system to attest to the "valid" chain, but then you could use an ordinary botnet to outvote the real chain.

In short, confirmations are there for vendors to be sure a few blocks weren't mined at the same time, but they do nothing against a 51% attack.


I don't follow this.

A new entrant to the network knows which is the valid chain because the chain the network uses defines "the network". Consider the case[1] of Ethereum Classic (ETC) versus Ethereum (ETH). They are exactly the same, except for the chain each group of miners follows. The ETC blockchain is a valid ETH blockchain and the ETH blockchain is a valid ETC blockchain, but miners adhere to one or the other for political reasons. As a new entrant to the ETC network, how do you know which blockchain to use? Well, you use the ETC blockchain, because that's the network you're entering.

[1] I'm describing my understanding of the ETH/ETC split. If they've diverged more than I was aware of, that doesn't affect the argument; just substitute other names for ETH and ETC.


What you're missing is the process by which new blocks are added onto an existing chain. Let's say that you take the "true" Bitcoin or ETC blockchain, if you want to think of it that way, and now multiple actors are proposing to add blocks onto it, potentially multiple blocks. Which one of those additions wins? The one that's the longest and has the most work behind it - that one wins.

If you propose an addition that is one block long, and I propose an addition that's 2 blocks long, then my chain wins. (These all have to be valid blocks that solve the mining challenge). Miners select the chain with the most work. That's the consensus mechanism by which the blockchain is established (among nodes operating all with the same rule sets).

At any given instantaneous point in time, there may be multiple instantaneous forks of the main blockchain - people who have mined out valid next blocks and are fighting to get them accepted as the primary chain. Imagine that two different miners by coincidence mine out the next block. One of those chains has to win. The chain that wins is the one that propagates through the network most quickly such that other miners begin building upon it and extending the chain - the one with the most work wins. The other chain(s) die and the transactions on it have to be resubmitted.

When multiple branches exist on the blockchain, some consensus process has to reconcile which of them wins. That process is that miners select the longest chain. Don't act as if one single block is magically appended to the chain and everyone knows which block that is; a consensus process operates to select that block (or sequence of blocks), and it operates by selecting the longest chain. When two or more blocks are mined out simultaneously by different miners, the one that wins is likely to be the chain that propagates more quickly to other miners. Since miners build on the longest chain, then the miner who distributes their chain more widely among other miners is likely to win, since those miners will begin building upon it (seeing it as the longest chain thus far).

To continue the story, let's say that you and I both simultaneously mine out the next block of Bitcoin. You don't tell anyone about your block, and keep it to yourself. I distribute my block to the entire network. Thus, other miners start building on my block, and it becomes part of the main bitcoin blockchain. Once that happens, it doesn't matter if you start telling other people about your block -- it's not part of bitcoin any more because my chain exists which is much longer (my block + whatever other blocks people have mined out on top of it).


> When multiple branches exist on the blockchain, some consensus process has to reconcile which of them wins. That process is that miners select the longest chain.

I've been arguing that this is a design mistake, and that the following selection algorithm would be superior:

- Instead of selecting the longest chain, select the longest chain which does not alter any blocks which I, personally, consider permanent.

Robin_Message correctly identifies that this algorithm doesn't do anything for a new entrant, because a new entrant doesn't have the exposure to history that an established miner has. But I don't see why this is an issue, as to enter a particular network, you must already copy that network's existing blockchain, and this step -- which you already have to take -- will give you the same exposure to history as the miner you copy it from.

Imagine that two blockchains, ETH and ETC, diverge for political reasons. The ETH blockchain is more beloved among the people (the laity, not the miners), and for this reason a greater number of transactions occur in ETH than ETC over time. This guarantees that the ETH blockchain will be longer than the ETC blockchain. By the selection algorithm you identify, the ETC blockchain will be wiped out, because the ETH blockchain can always be re-proposed and will always dominate it. But in reality, the ETC miners will reject the ETH blockchain, because rejecting the ETH blockchain is the whole point of ETC.


With a hard fork, you change the code the miners are using so that blocks on the opposing fork are considered invalid. In a 51% attack, the malicious actor creates new blocks that look equally valid. The two lineages aren't labelled ETC and NewETC. How does a new entrant (or anyone who wasn't connected for the few hours it took to launch the attack) distinguish between the chains?


> guarantees that the ETH blockchain will be longer than the ETC blockchain.

Chain length is number of blocks, which is controlled by miners, not "laity".

I think your system might prevent double spends; unfortunately it would do so by rendering the network unusable for any new users, who wouldn't have a way to know which is the good network to join. I suppose a central authority could be used to identify the good chain, but most coins prefer not to have one of those.

The advantage of the simple chain length rule is that it is simple, requires no central authority, is self-correcting and the only weakness is a 51% attack.


It's worth pointing out that it's not chain length which ultimately wins out, but chain weight, which is the sum of the difficulties of each block on a given chain.

This is an important distinction, because by fudging timestamps you can generate a valid chain of arbitrarily long length where each block has very low difficulty, but said chain would still not be preferred over a chain with fewer blocks of much higher difficulties (i.e. the real chain).
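Two points in this thread lend themselves to the same small simulation: the earlier description of a 51% attacker who spends on the public chain while mining 102 blocks in secret against the honest miners' 98 and then publishes, and the point just above that fork choice is by cumulative work, not block count. The following is an added example written for this page, not code from any commenter or from any coin's client: a toy chain model with a heaviest-work fork choice, a reorg report listing which transactions a switch would reverse, and the two scenarios built from the thread's numbers. All block, miner and transaction names and the difficulty units are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    miner: str
    difficulty: int      # work spent on this block, in constructed units
    txs: tuple = ()      # transaction ids the block commits to


GENESIS = Block(0, "genesis", 1)


def mine(chain, miner, difficulty, count, txs_for=None):
    """Return a copy of `chain` extended by `count` blocks from `miner`.
    `txs_for` maps the 0-based index of a new block to the txs it includes."""
    chain = list(chain)
    for i in range(count):
        txs = tuple((txs_for or {}).get(i, ()))
        chain.append(Block(len(chain), miner, difficulty, txs))
    return chain


def chain_work(chain):
    """Chain weight: the sum of per-block difficulty, not the block count."""
    return sum(b.difficulty for b in chain)


def choose_chain(candidates):
    """Fork choice: the heaviest cumulative work wins; ties keep the first seen."""
    best = candidates[0]
    for c in candidates[1:]:
        if chain_work(c) > chain_work(best):
            best = c
    return best


def common_prefix_len(a, b):
    n = 0
    while n < len(a) and n < len(b) and a[n] == b[n]:
        n += 1
    return n


def reorg_report(old, new):
    """How many blocks of `old` are discarded by switching to `new`, and which
    transactions in those blocks do not reappear anywhere in `new`."""
    k = common_prefix_len(old, new)
    dropped = old[k:]
    surviving = {tx for b in new for tx in b.txs}
    reversed_txs = {tx for b in dropped for tx in b.txs if tx not in surviving}
    return len(dropped), reversed_txs


def secret_mining_double_spend():
    """Constructed scenario: attacker with ~51% pays an exchange on the public
    chain, privately mines 102 blocks (vs the honest 98) that instead pay the
    attacker's own address, then publishes."""
    shared = mine([GENESIS], "honest", 100, 3)
    public = mine(shared, "honest", 100, 98, txs_for={0: ("pay-exchange",)})
    private = mine(shared, "attacker", 100, 102, txs_for={0: ("pay-self",)})
    winner = choose_chain([public, private])  # nothing is visible until publication
    depth, reversed_txs = reorg_report(public, winner)
    return winner is private, depth, reversed_txs


def weight_beats_length():
    """Constructed scenario: 50 low-difficulty blocks lose to 10 heavy ones."""
    honest = mine([GENESIS], "honest", 1000, 10)
    forged = mine([GENESIS], "attacker", 10, 50)
    winner = choose_chain([honest, forged])
    return winner is honest, len(honest), len(forged)


if __name__ == "__main__":
    print("secret mining:", secret_mining_double_spend())
    print("weight vs length:", weight_beats_length())
```

The reorg report is the part a defender (an exchange, say) would actually want: the depth tells you how many confirmations were not enough, and the reversed set is exactly the list of deposits that were credited against blocks that no longer exist.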


> Chain length is number of blocks, which is controlled by miners, not "laity".

A block is a set of transactions, transfers of currency from one address to another address. Miners don't just add blocks because they're bored. They add blocks when someone submits a transaction.

So the number of transactions that occur is closely related to the number of blocks in the chain.


This is very wrong.

Of course miners are always adding blocks, even when the blocks are empty; they do so because there is a block reward. Even empty blocks, when mined by honest miners, are serving a purpose, because they are increasing the cost of a 51% attack. Look through the histories of many different blockchains and you'll see empty (or nearly empty) blocks that exist for a variety of reasons.

Also, transaction sizes differ drastically depending on what a transaction does, and blocks max out at a given size, not a given number of transactions. So when blocks are full (which they aren't most of the time except for the very highest used cryptocurrencies) the number of transactions per block still varies quite a bit.


Let's say there was a catastrophic event that split the internet and disconnected Australia and the surrounding islands from the internet for 36 hours.

Let's also say for the sake of argument that 10% of the BTC mining capacity is in that region.

The network self-adjusts so that every hour 6 blocks get confirmations, but over this short time period you wouldn't expect this to happen. This means that every hour the Australia split would confirm 0.6 blocks and the non-Australia split would confirm 5.4 blocks.

After 36 hours Australia would have confirmed ~21 blocks, and according to your proposal, the first of these is now 'accepted' and can't be rolled back.

In the same time the remainder of the network would have confirmed ~194 blocks, many of which are now accepted.

What would actually happen according to the consensus protocol is that RestOfWorldBTC is the longer chain and therefore "is" BTC, and AustraliaBTC would get thrown away. Any BTC transactions made in Australia during that time would get rolled back.

But if blocks become permanently accepted then these 2 chains are fundamentally incompatible; they are no longer the same coin. Your proposal says that the network should fork into 2 coins here -- AustraliaBTC and RestOfWorldBTC. This would be a pretty disruptive event. People who traded BTC for services in Australia would claim that they paid their obligation (after all, it's in an 'accepted' block) and therefore don't owe their counterparty any RestOfWorldBTC. But AustraliaBTC would likely become worthless very quickly, given that most of the transactions in those 36 hours were confirmed on the RestOfWorldBTC chain. Australian counterparties would get stiffed pretty hard.

OTOH, if you roll back those transactions and accept the mainline, those counterparties can more easily argue that you still need to pay them. Note that the network can't enforce you paying these obligations, but the legal system still exists! And assuming the actors were acting in good faith and didn't attempt to double-spend their coins, their transaction would get re-propagated automatically and get included in a future RestOfWorld BTC block once the network split ended.


I don't follow. Even if the current group of miners decided older blocks are irrevocable, if there was a prolonged 51% attack, it would mean the majority of miners would be saying, "Hey, those confirmed blocks... that's not what actually happened. Look, here's the real history, with the real confirmed blocks."

And then everyone else on the network would say, "Crap, who should we believe? Let's go with the majority." And the attack would win.


But once you start forcing the agreement that "this specific history up to block X is the official one", you're re-introducing centralization, which Bitcoin was introduced precisely to avoid.

Sure, it's less centralization than just trusting one party to determine the latest block [1], but it's a matter of degree.

[1] The further you go back in time/blocks, the less disagreement and resistance there will be to locking in a history.


Hooray decentralization!


> The incentive for running these attacks for profit becomes higher as the market cap of these coins increases, making long-term 'investment' in these coins nonsensical.

I disagree that market cap is the primary indicator. Note that market cap (or really, price of ETC on major exchanges) has dropped dramatically in the past 3 to 6 months. So Market Cap / Price of ETC is a minor factor.

In contrast: the ABSOLUTE COST of a 51% attack drops each time the difficulty drops. That's what I personally think is the main contributor here, because the market-caps of all coins have dropped dramatically the past few months.

In effect: it's not so much that the potential profit out of a hypothetical 51% has gone up (it hasn't: Ethereum Classic is way cheaper than it used to be). It's that the DIFFICULTY of ETC has dropped dramatically, finally making the 51% profitable.


How can there be coins with $5M+ market cap where the cost of a 51% attack is $3.00 ?? In an efficient market, thieves should just immediately attack that. Or is the benefit too low?


Because the market cap isn't truly $5M. That figure uses the naive calculation of "whatever coins sold for most recently times the total number of outstanding coins". But if you tried to sell some significant fraction of the outstanding coins then the sale price would plummet, and you'd never actually reach $5M total. The actual depth of the order book at any given moment isn't close to $5M, plus a lot of outstanding coins are completely lost and unredeemable.

The actual cost to take over a cryptocurrency tells you more valuable information than the naively calculated market cap. If a cryptocurrency only costs $3/hr to take over then it's truly a shitcoin.


> But if you tried to sell some significant fraction of the outstanding coins then the sale price would plummet, and you'd never actually reach $5M total.

Yes. But it's the same for the market cap of company stocks. So saying that "the market cap isn't truly $5M" is missing the point a bit. The market cap can truly be $5M without $5M having been invested. That's just not what market cap means.


No, this is precisely why trying to calculate the market cap of a crypto-currency is pointless.

A company is a productive enterprise, that produces value for you, if you sit on shares of it. Something like bitcoin is a purely speculative instrument, that produces no value if you sit on it.

The market cap for a company is an imprecise proxy for all expected revenues, discounted by time[1]. The market cap for a currency is an imprecise proxy for... How much you can hope to unload it to the next fool. [2]

[1] At least, it's supposed to be.

[2] Yes, yes, we know, Bitcoin is useful for transferring money. This usefulness is completely disjointed from its market cap. It doesn't matter if it's $20/coin, or $20,000/coin, if you're using it to send money.


It is correct to say that the market cap of a company is not the amount you can buy the company for. Most of the owners of shares in any company aren't ready to sell for the market price. That is the salient parallel being drawn.


That's not a good parallel. The market capitalization of a company is more than you could sell the company for. It's less than you'd have to pay to buy the company.

But in this hypothetical attack, the complaint is that the "market capitalization" is more than you'd have to pay to buy out the network.


Strictly speaking there is not even a "market cap" for currencies, because the term applies, by definition, only to stocks of publicly traded companies.


> A company is a productive enterprise, that produces value for you

Hmm, does this mean Boeing, Saab Aerospace, the ammo factory is also a productive enterprise, which produces value for me? The bombs dropped on people in sandals in Yemen, how is that producing value for anyone owning the stock of war companies? Also owning said stock indirectly through pension funds.

How many companies are not in any definition "productive" and end up bankrupt, restructured or just bailed-out?


>But if you tried to sell some significant fraction of the outstanding coins then the sale price would plummet, and you'd never actually reach $5M total.

You can't focus on sellers and ignore buyers when discussing the valuation of something. If many people want to sell and few people want to buy the price will of course go down. But if many people want to buy and few people want to sell then the price will go up. This isn't a particularly interesting observation.

To put it another way: you are right that if everyone who held a portion of this asset tried to sell right now they would not cumulatively get $5 million, BUT ALSO, if someone wanted to buy all of this asset they would pay significantly more than $5 million. It goes both ways. Changing the balance of supply and demand necessarily changes value.

I do agree that naively using the price of a single trade can be misleading and prone to manipulation.


Another salient point is that when an entity buys all the shares of a company they pay a premium over the current share price indicating that the company is perceived by the market to be more valuable with a single shareholder than with widely dispersed shares.

A cryptocurrency with a single shareholder is a non sequitur and essentially worthless.


You've put it into words better than I have. To acquire all shares of a company requires a premium, but to acquire all shares of a crypto makes it worthless. Companies and cryptos are not remotely the same thing and frankly "market cap" is a misnomer when applied to cryptos; it misleads more than it enlightens.


37signals sold 0.000000001% of the company in exchange for $1. They put out a press release that they were now valued at $100 billion.

https://signalvnoise.com/posts/1941-press-release-37signals-...


> Because the market cap isn't truly $5M. That figure uses the naive calculation of "whatever coins sold for most recently times the total number of outstanding coins".

Isn't that literally the definition of market capitalisation?


What works for companies doesn't work for cryptocurrencies. Companies have actual assets and cash flows, while cryptos do not. Companies are routinely acquired for a bonus above the total market cap (a premium on the share price times all shares outstanding). The same would never happen for cryptos.

A better analogy would be to calculate the "market cap" of gold.


> What works for companies doesn't work for cryptocurrencies. Companies have actual assets and cash flows, while cryptos do not.

This isn't actually relevant. Calculating market cap based on current trading price is equally valid for company stocks and cryptocurrencies. The divide is not between "companies" for which market capitalization is good and "cryptocurrencies" for which market capitalization is misleading, it is between objects for which the market capitalization is a reliable guide to the object's value and other objects for which it isn't.

You can judge the reliability of a market capitalization figure by looking at the trading volume of the object. If something has a market capitalization of $10,000,000 and sees $40,000 of trade per day, then you can reliably trade at the value reflected by the $10,000,000 market cap figure as long as the amount you're trading isn't significant compared to the background trading volume of $40,000 per day. If you try to trade $60,000 "worth" of whatevers, you'll crash or spike the price with your 150% increase in trading volume.

If something else has a $10,000,000,000 market cap and $40,000 of trade per day, then... you can trade at the value reflected by the market cap as long as you don't have a significant impact on the background trading volume of $40,000 per day. It doesn't matter that the market cap is a thousand times higher; it doesn't matter whether one of the things is company stock and the other thing is a cryptocurrency; what matters is whether you disturbed the normal trading volume, whatever that volume was.

Note that penny stocks see wild, spurious swings in their market capitalization all the time. That is because of their low trading volumes. It's not because Apple is a company and Shifty Joe's Investment Scam LLC isn't -- they're both companies.


It is relevant, because daily trading volumes aren't fixed, and if a major shareholder in a company with decent expectations of a sustained flow of profits starts offloading shares, the price doesn't need to drop very much to get institutional investors interested in buying that equity to hold it.

On the other hand Shifty Joe's Investment Scam LLC and crypto-tokens don't really have a price floor, but that's because neither of them have any assets or reliable stream of future income attached to ownership.


The guy you replied to is correct. The difference between how the market values companies and how the market values a cryptocurrency is irrelevant. Market capitalisation is independent of this distinction. Also, companies are acquired above market cap to entice shareholders to give up the desired proportion of the company to the buyer.


There's no demand for those coins. $PAC may have a $5M market cap, but it had $6,500 in volume in the last 24 hours. Some (most?) of that volume is likely to be people just moving stuff around rather than actual buying/selling between people.

You might get rich on paper, but good luck getting anyone to help you convert your riches into spendable currency.


That's why Proof of Stake is a nice concept. It's like buying 51% of a company and then crashing it into a wall.


But even for the top currencies, it is quite cheap. Ethereum 51%/h for 106k? Wouldn't the attacker be able to get much more out of it?


The thing is, the amount of GPU processing power required to attack Ethereum is not readily available, and certainly not at a cost of only $106k. That $106k figure comes from extrapolating out the marginal rental cost of a single GPU, never mind that there aren't enough GPUs for rental to overwhelm the whole network.

To give you an idea, the overall Ethereum network is currently 190 PH/s, so you'd need significantly more than that to have a high chance of launching a short term attack with reasonable success rate (if you only control 51% then your odds actually aren't great). Let's say you need 300 PH/s.

Well, the average modern AMD graphics card that is suitable for mining Ethereum only does around 30 MH/s. That means that you need 10 million such graphics cards. They simply aren't available for rental anywhere at such scale.

That's why you're not seeing such an attack happening. The raw monetary figures are misleading.


That should tell you just how thin the order books actually are, despite the supposedly enormous "market caps".


The only way to profit is to double-spend, so you'll have to buy or already own a substantial amount of those junk coins and then sell them. After you performed the attack, those coins that you now could theoretically sell again may be suspended from trading or should at least trade at a substantially lower price.

Add in the opportunity cost of exercising such an attack and it's not clear that you could turn a profit.


Or, if you have any other motivation for attacking either a coin or a person or entity known to be heavily invested in that coin.

You know, in case turning a profit is not the only possible motivation for anybody to do anything. Many acts of war and violence are not profitable, certainly not directly profitable, and yet history shows people will attack each other anyhow.

'Bit' worrisome if your whole concept of finance depends on altruistically greedy actors who can never act out of spite or malice. That would be creepy but nice compared to the real world as it has always existed.


Unless there is margin trading, then you can simply just short the coin.


Is there margin trading on any of these junk coins? Doesn't seem like a good idea to offer something like that, given the relatively low liquidity/volume.


Because in order to 51% attack someone has to accept a huge payment in that coin.


Well, the reality is that "attacking" a coin is much more difficult than just spending $3 on something.

You also have to actually do the double spend transactions, and hope that the person that you are stealing money from doesn't do anything about it.

It is that step 2 that is actually much harder than a naive attack might suggest.


Not really, you just have to short the coin in trading, then cover your short when your double-spend discredits the coin's security.


Attacking a coin, in an attempt to drive down the price, and make money on an open short that you have is very risky behavior.

Historically speaking, the effects of an attack on the price aren't that clear cut.

The price of an "attacked" coin can jump, just as often as it crashes. The narrative being "oh, there was a problem, but we fixed it! Look at how great we were at defending against an attack!".

Crazy, I know. I am just saying that it is not that simple, and a person is risking losing as much money as they might gain.


If only there were laws against such behavior.


Yes because the crypto futures market is very well developed and is very liquid (for BTC) and exists for every tiny coin out there


Really surprised by the relatively low cost of attacking Bitcoin with 51% for one hour - claimed to be about $300k.

Is this number for real? I can think of many actors for whom this is just small change, and who might have incentive to break trust in the Bitcoin network by successfully performing such an attack.


> Is this number for real? I can think of many actors for whom this is just small change, and who might have incentive to break trust in the Bitcoin network by successfully performing such an attack.

Sorry if this is confusing - the attack cost is calculated based on the cost of hashing power from NiceHash * the global hash rate. If the 'NiceHash-able' column is <100%, NiceHash doesn't have enough hashing power to complete an attack (and thus the price is greyed out).

This page [0] has more details.

> Using the prices NiceHash lists for different algorithms we are able to calculate how much it would cost to rent enough hashing power to match the current network hashing power for an hour. Nicehash does not have enough hashing power for most larger coins, so we also calculated what percentage of the needed hashing power is available from Nicehash.

Note that this ignores the fact that large mining operations could easily switch coins to carry out attacks.

[0] https://www.crypto51.app/about.html


I believe the number assumes that you can get hashpower at the current price for (a small amount of) hashpower. However, as demand increases, the price goes up, making the attack more expensive in practice. Also, if people notice what you're doing, they'll probably stop selling hashpower to you (since you're attacking what makes their hardware valuable), driving your costs up further.


That is a really low cost. That's within crowdfunding territory. If a potato salad could make it big, why not fund a major event in web history? I'm thinking stretch goals like t-shirts and mugs.


Seems like it would be very difficult to make back your $300k with a double-spend in one hour, based both on my intuition and the fact that it doesn't appear to be happening.


If I'm reading it correctly you need 600k to have a 50/50 chance at double spending. So say you acquire 500k in bitcoin and you spend $600k to have your chance to double spend the 500k. Assuming your $600k in mining actually gets you $600k in bitcoins mined, the expected result is:

50% chance spend 1.1 million get 1.1 million back minus substantial overhead. Say 10% overhead although I have no idea what the actual overhead would be. So negative 100k.

50% chance spend 1.1 million + 100k overhead get 1.6 million back. Net gain of 400k

So average gain of 200k assuming you can find a market to move that much bitcoin that quickly and always assuming your creativity isn't rewarded with jail time.

People with substantial resources can find way to make money that are repeatable and don't involve finding new and exciting ways to go to jail.


It's worth pointing out that just getting 51% hash rate isn't enough to steal money. It's really just the entry point at which you _might_ be able to steal money.

To actually steal money you need to falsify at least six blocks, which in turn means you need to mine six blocks in a row (roughly speaking). The probability of this being successful is (1.0-0.51)^6 - ie. about 1.5% chance of being successful. You can increase your chances by increasing your mining percentage. Make it a 75% attack and you have an 18% chance of success. To have a 50/50 chance of success you really need to mount about a 90% attack which is pretty ambitious.


> You can increase your chances by increasing your mining percentage. Make it a 75% attack and you have an 18% chance of success. To have a 50/50 chance of success you really need to mount about a 90% attack which is pretty ambitious.

I'm not sure this is accurate. You don't need to mine 6 blocks in a row on the existing chain. Clients are programmed to recognize the longest chain, so you just need to silently mine new blocks (and not share them with anyone) until you have more blocks than the main chain. Then publish these new blocks, and existing clients will recognize your chain of blocks as being the correct ones.

You can double spend by making a transaction on the public chain while you quietly mine your own blocks on your private chain. Send the coins to an exchange on the public chain, but send them to your own address on your unpublished chain. After you steal funds from the exchange, publish your privately mined blocks.


The six-blocks-in-a-row problem seems less of an impediment to me - because the "legitimate" blocks are still available to the malicious actor.

Therefore, if our malicious miner identifies that they have had poor luck and begun to fall behind the "legitimate" chain by a block or two they can start the make-a-longer-competing-chain process over again from the legitimate head with -as far as I can see- no downsides except for some lost time/resources; the main risk to them isn't really there until they commit by initiating their double-spend, something they would almost surely not do until they're confident they've acquired their own, longer competitor to the "legitimate" chain.


They still have to get out ahead by six blocks, however.

This drops to zero every time they start over, so it doesn't change the basic calculus.


They don't need to get ahead by six blocks. They need to get ahead, with at least six blocks mined on the public chain. There's a massive difference there!

The chain starts at block 1000, and you make a spend that will be included at block 1001 on the public chain. At the same time, you start mining your private chain from block 1000 (and you don't include that transaction in it). Now, the exchange you're using requires 6 blocks of confirmation, so you need to wait until block 1006 on the public chain before you can actually take delivery. Now that you've done that, you can publish your private chain at block 1007 (or 1008, etc) and since it's the longest chain, it'll be accepted by the public.

You didn't have to get 6 blocks before the public chain got 1 - you only needed to get 1 more block than the public chain, at some point after the public chain has mined 6 more blocks.

  1000 - 1001 - 1002 - 1003 - 1004 - 1005 - 1006          1008      Public Chain
       \ 1001 - 1002 - 1003 - 1004 - 1005 - 1006 - 1007 /           Private Chain
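
The race drawn in the comment above, as an added example that is not code from any commenter: a scripted replay of the diagram plus a seeded Monte Carlo version of the same rule. The 'H'/'A' finder strings, the `confirmations` policy and the `horizon` cap are constructed assumptions for illustration; the attacker's decision rule is the one the comment states, publish once the deposit has the required public confirmations and the private chain is strictly longer, not six blocks longer.

```python
import random
from typing import Optional, Tuple


def race_from_sequence(finders: str, confirmations: int) -> Optional[Tuple[int, int]]:
    """Replay a scripted sequence of block finders ('H' honest, 'A' attacker).

    Both sides build on block 1000. The exchange credits the attacker's deposit
    once the public chain has `confirmations` blocks on top of it. The attacker
    publishes as soon as that has happened AND the private chain is strictly
    longer, because only then does the longest-chain rule drop the deposit.
    Returns (public_height, private_height) at the moment of publication, or
    None if the attacker never pulls ahead within the sequence.
    """
    public = private = 0
    for who in finders:
        if who == "A":
            private += 1
        elif who == "H":
            public += 1
        else:
            raise ValueError(f"unknown finder {who!r}")
        if public >= confirmations and private > public:
            return public, private
    return None


def simulated_success_rate(q: float, confirmations: int, trials: int = 2000,
                           horizon: int = 500, seed: int = 1) -> float:
    """Monte Carlo version: each block goes to the attacker with probability q.

    `horizon` caps how many blocks the attacker keeps renting hash power for.
    With q >= 0.5 the attacker pulls ahead eventually, but every block spent
    waiting is paid for, which is the cost-per-hour figure the thread discusses.
    """
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    wins = 0
    for _ in range(trials):
        finders = "".join("A" if rng.random() < q else "H" for _ in range(horizon))
        if race_from_sequence(finders, confirmations) is not None:
            wins += 1
    return wins / trials


# The diagram above: six public blocks (1001-1006) while the attacker privately
# mines seven (1001-1007), then publishes. Order within the string is a
# constructed choice; only the counts matter to the rule.
DIAGRAM = "HHHHHH" + "AAAAAAA"


if __name__ == "__main__":
    print("diagram publishes at (public, private) =", race_from_sequence(DIAGRAM, 6))
    print("tie 6 vs 6, cannot publish:", race_from_sequence("HHHHHH" + "AAAAAA", 6))
    for share in (0.1, 0.51, 0.9):
        print(f"q={share}: {simulated_success_rate(share, 6):.3f}")
```

The tie case is the point of the parent comments: a private chain of equal length does not win, so the attacker waits for one more block rather than restarting, and the legitimate chain's blocks remain available as a base if the private fork falls hopelessly behind.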


I take your point.

We're saying the same thing, but I see now that this was unclear.

The point of this sub-thread is that 51% doesn't give you a guarantee you'll mine faster than the 49%, just an edge, and that edge narrows as more blocks are required.

A casino with a 1% house advantage would have days when it was in the red, around 178 of them in fact. By analogy, you need to line up six days in the black, in a row.

The chance of doing that is lower than 51%.


And I'm saying that you're wrong there - the chance of getting more than half of the blocks approaches 1 as the number of blocks increases, given that you have 51% of the hashing power.

You're focused on the chance of getting 6 in a row. But what you should be looking at is the chance of getting at least 7 in 13, which is given by this equation:

P(K>=N) = sum(nCr(M, k) * p^k * (1-p)^(M-k)) from k=N to M

With M=13, N=7 and p=.51 - which works out to about 53%. But 8 in 15 also works, 9 in 17, etc. The limit of that probability (n+1 in 2n+1 as n -> inf) is 1.

Also, a casino is not likely to have many days in the red, just like it won't have many years in the red. (for bets only, ignoring everything else) This is because while the chance on any one bet may only be 51%, the chance of 10,000 bets, or 1,000,000 bets having a majority go south starts to get very, very small. (~27.5% for 1000 bets, ~2.5% for 10,000 bets at 51%, etc)


I'm trying to understand what "cashing out" would look like in an attack like this. One option would be to send coins to an exchange as you mentioned, and I presume cash them out before publishing your longer chain.

However, after the attack wouldn't it be easy to compare both chains and see which coins were double spent? Wouldn't you obviously be the perpetrator, having both double spent, as well as having cashed out a large amount of money? Or is the idea that you'd be able to cash out to a bank account not tied to your real identity?


It absolutely would be easy to compare both chains and see exactly which coins were double spent, and you'd obviously be the perpetrator. Not that I advocate it, but if you wanted to carry out an attack, you'd likely target an exchange that didn't require verification, and you might exchange and withdraw under another coin (ex: trade ETC for ETH).

Then spend and/or clean your ill-gotten gains.


Genuine question, forgive me if it's stupid: what happens immediately after you publish the blocks? Maybe I've misunderstood a step, but I think at this point you're in possession of a) whatever real-world goods or other currencies you bought with your bitcoins from the old chain, plus b) the same number of bitcoins on the new chain. Am I right that the value of bitcoin is now likely to crash rather quickly, as people inevitably realise what you've done? Is it just a question of completing the second spend quickly enough, before this happens?


The second spend in your double spend needs to be before the re-org is noticed. Make that spend a swap to Zcash / Monero and you can't be traced. So a full scenario would be:

* Swap coin for Zcash and start mining with 51%.
* Wait until your chain is longer than the main chain, and you actually hold the Zcash.
* Publish the longer chain, and immediately swap your spent coin for Zcash again. (At a different exchange just to be sure).

Now, you got twice the value of Zcash you needed, and due to Zcash shielded transactions can't be traced. You just have to hope that your shenanigans won't tank the value of Zcash.

Similar things could be done with Monero.


People reacted in such irrational ways to any BTC news related to crypto (the "this is good for bitcoin" meme), that I am not sure if it would crash the price. On the other hand a "bank run" on the attacked exchange is likely. And the victim of the attack will almost always be the exchange. BTW no matter what crypto fans claim ("code is law") getting anything from a service and then canceling the transaction that paid for it by 51% attack will be a criminal act under many jurisdictions. Considering that, shorting crypto is probably a better solution. Though I am not sure if it is even possible to borrow the required amount of coins.


You cash out by having a vested interest in damaging the exchange or currency in general. Say for example a hedge fund that shorts all crypto exchanges, or a competing cryptocurrency that wants to undermine confidence in their competition.

The tweet mentioned that it was a "chain reorganization". These happen all the time, even in Bitcoin, by design. The simplest way to defend against these is just to wait for more confirmations to arrive, thus making an attack more expensive. Many exchanges require a lot more confirmation for some of these smaller market cap coins.


I wonder if there's a formula for the maximum wallet or transaction size you can safely have on a particular cryptocurrency given the cost of a 51% attack. If a 51% attack costs $5,000 per hour, you're only going to do it if you can extract more than $5,000 of value (or if your motivation is to see the world burn). In theory you might be able to set things up such that the cost of a 51% attack is necessarily greater than whatever financial gain you could get from it.


Budish (2018) gives some attempts at formulas to determine attackers' incentives under various hypotheses: http://faculty.chicagobooth.edu/eric.budish/research/Economi...

It's tricky to directly apply these to cryptocurrency adopters' risk, although they apply more directly to "transaction size" than to "wallet size". You can probably apply some of Budish's calculations to transaction size unless you anticipate there's a way that your transaction counterparty could be defrauding you and other people in roughly the same way at roughly the same time. (For transaction size, the main risk is that you give someone something else of value in exchange for a transaction that's subsequently removed from the consensus history.) But for wallet size, the risk is not that someone steals your cryptocurrency from your wallet, but that your cryptocurrency becomes less valuable because other people recognize risks more immediately as a result of discovering and publicizing a successful attack. But that has most to do with how other people respond to the news of the successful attack, which is harder to predict.


> But for wallet size, the risk is not that someone steals your cryptocurrency from your wallet, but that your cryptocurrency becomes less valuable because other people recognize risks more immediately as a result of discovering and publicizing a successful attack. But that has most to do with how other people respond to the news of the successful attack, which is harder to predict.

And that's going to be governed by irrationality, especially given the irrationally exuberant bubble effects of the cryptocurrency market in the first place. But once that wears off...I don't know. If you somehow managed to make a cryptocurrency that couldn't be profitably attacked, and made the base minimum cost of such an attack high enough, you'd still be vulnerable to a state-level adversary, but every system is vulnerable to a state-level adversary.


Some of these numbers are very low. $30/h for Bitcoin Private? Seems inexpensive, what am I missing?


You're not missing anything. The coins are literally worthless other than to those who trade them on crypto exchanges, to steal each other's lunch money. Plus, launching an attack isn't just a case of paying $30 per hour. You need to have a client able to perform whatever your aim is for the attack, which requires a level of coding knowledge. And devs at that level of knowledge are probably earning real money for their time.


No one uses it. So you attack it. Cool. You can't turn it into USD or anything else, so you just spend $30 for nothing.


It's listed on several exchanges [0], so assuming you can carry out the attack, you could pretty easily profit. Not a ton of volume, but you could make some money.

[0] https://coinmarketcap.com/currencies/bitcoin-private/#market...


And, that's exactly why it only costs $30.


But you still get the prestige of having taken down a coin.


"prestige" is exactly what smart criminals are attempting to avoid.

"Prestige" is how people end up in jail, or otherwise...


What makes you think there would be any such prestige earned?


It’s not very often you get a chance to take down a currency.

In 30 years from now you’ll be able to brag about how back in your day you took down entire cryptocurrencies with 51% attacks.


51% attacks are quite possibly wire fraud so I would refrain from bragging about them. More accurately, trying to double spend the coins is wire fraud.


Not if you have the consent of the counter-parties (or are the counter-parties.) It might be against some other law to manipulate the price like that, though.


Which government will prosecute?


The person they are swindling can go through their own authorities, and if the authorities in the criminal's country are alerted to his activities, they can go after them as well.

Theft and fraud don't take on different meanings just because the currency is digital.


So basically it sounds like you'll never get caught.

In 30 years no one will use crypto and people that invested in crypto will be laughed at.


Yet another reason why Proof of Stake is destined to outcompete Proof of Work. ;)


Proof of Stake is a perpetual motion machine. You can't safely tie consensus to something (stake) which is determined by consensus. That's circular reasoning and ungrounded.


What would failure look like?


A system that has effectively bifurcated with conflicting chain tips caused by rewriting history with new nodes unable to tell which is original, or a fully centralized stake-mining where a subset of stake voters game the system to unfairly select themselves out of proportion of their stake weight.


Is that reeealy so different from a PoW fork?


A proof-of-work fork is an unstable situation, resolved when more work is applied to one side vs the other, which inevitably happens without active intervention. A proof-of-stake fork is permanent--someone new to the network has no built-in mechanism for deciding which side to prefer: they both seem equally valid.

A properly constructed proof-of-work mechanism has no built-in mechanism for a malicious minority hash power to take control of the protocol, shutting out the higher hash rate majority from mining blocks.


And yet we have multiple Proof of stake coins that seem to work just fine.


Until they don't. There have been proof-of-stake failures before, and there will be more. Every proof-of-stake system is either (a) known to be broken, or (b) too complicated to analyze to show how it is broken. As the exploitable order depth in category (b) increases, it becomes worthwhile to invest the hours, days, weeks, months it takes to develop attacks against these Rube Goldberg contraptions and they get moved to category (a).

That's an assertion that I haven't seen any data to back.

I don't believe either (a) or (b) applies to either xtz or to ada, though ada hasn't yet deployed POS.

I can well believe that there are broken POS implementations, there have been a lot of broken implementations of a lot of things in the space -- but claiming every system is known to be broken or cannot be analyzed is a very bold claim to make.


How would you expect a statement that certain mechanisms have become too complex for review to be backed by data? What observations could I convey to you over a HN comment other than “go look for yourself”?

For a write up of the general, unavoidable problems of proof of stake, see Andrew Poelstra’s proof of stake FAQ.


I gave you two of the best known examples of proof of stake that there are. The Tezos team has done it and it's been running for about a year now. The Cardano team is doing it, and I'll link their paper below.

As far as Poelstra, that's a rather old document. A great deal of research has been done in the field since.

Cardano's paper: https://eprint.iacr.org/2016/889.pdf


No new research can overturn the basic fact that what proof of stake claims to do is impossible. It's a perpetual motion machine. You can make proof of stake schemes more complicated, but it doesn't gain you actual security, just obscurity. You can't actually achieve the desired outcome of proof-of-work properties for a stake-based consensus mechanism.

What has happened instead is that the basic / easy to analyze systems were broken, and so complications were added that defeated the simple attacks, but really just make attacking it more complicated. But there's no asymmetric advantage against attackers here -- a similarly complex attack can be made for any proof of stake scheme.


If you want to claim it's a perpetual motion machine, you're going to have to prove that claim.

There are a whole lot of very smart people who disagree with you.


The paper by Poelstra has details.

I read it. It's old, and the issues in it have been addressed. There have been several years of research since that paper was released. I've pointed you to an academic paper that addresses the issues.

I'm done with this discussion as you're simply repeating the same things over and over.


Amazing, this blockchain technology really just keeps on giving. I have to say, it's quite entertaining to watch. It's pretty much a car crash happening in slow motion at this point. At least it provides something else to nerd joke about by the watercooler that isn't brexit for once.


That's what it was like in 2016. I remember seeing the headline for the DAO hack on HN back then and thinking "Wow, good thing I didn't invest in this Ethereum thing". Someone had told me about it in 2015, I took a quick glance and passed thinking "Looks like a scam." Then 2017 happened and the joke was on me. Then 2018 happened and the joke was on them again.

New technologies are always shitshows when they get started. I remember DoubleClick ads hanging every copy of Netscape they ran on, ActiveX controls that could pwn your computer just by viewing a webpage, and unusable college Internet because the SQL Slammer worm had infected 50% of computers on campus and would reinfect anything as soon as it was plugged back in. The last was in 2003, 14 years after the Internet was introduced - put on the Bitcoin timeline, that's 4 years in the future, assuming cryptocurrency is adopted as fast as the Internet (and there're good reasons to believe it won't be).

The thing about disruptive technologies is that people continue to use them despite how shitty the technology is - they're so desperate for a solution that they put up with a solution that basically doesn't work.


> The last was in 2003, 14 years after the Internet was introduced - put on the Bitcoin timeline, that's 4 years in the future, assuming cryptocurrency is adopted as fast as the Internet

This is a common comparison but it’s based on a very dubious equation of the history. By 2003, the internet had transformed many industries — e-commerce was in the billions of dollar range (Amazon’s earliest business lines had been profitable for the better part of a decade by then); millions of people used it daily for tasks like research or customer service, software or media downloads, etc. Mainstream media and ads were full of URLs not just for internet companies but for existing companies which were increasingly focused on the internet.

In contrast, Bitcoin has almost no reason for anyone to care about it other than speculation and the few people who do use it regularly for anything else are largely using it as a replacement for PayPal with worse customer protections.


I had the XP service pack burned to a CD (or maybe DVD?) because on my college campus Code Red would infect a computer on install faster than you could download the patches.


"New technologies are always shitshows when they get started. "

A key difference is most of the new techs like Internet, email, Paypal, and so on improved on what people already had in a way that delivered obvious value. They also came with problems. Whereas, nobody I know in real life wants the drawbacks of these cryptocurrencies that come with giving up the benefits of their current, centralized offerings. The only folks I know out here doing crypto are speculators (esp day traders). That's the difference.

Now, if they wanted to solve those problems, they'd start with whatever tech/law/orgs already worked, identify their problems, and then mitigate them using proven methods. So, we're looking at credit unions, non-profits, or public-benefit companies chartered to make sure they do specific good things and don't do specific bad things. The most important stuff at least. These can be in the licenses and contracts, too, for re-enforcement. Then, centralized systems with decentralized checking of what's exchanged a la SWIFT all using existing high-performance tech we know how to secure. Open protocols and agreements for how disputes will be resolved in situations using decentralized mode with experts from both centralized and decentralized models weighing in on that. I've been talking about that in Gerard's threads on Lobsters:

https://lobste.rs/s/wxqkyj/bitcoin_s_stupendous_power_waste_...

https://lobste.rs/s/opge2r/electricity_consumed_by_bitcoin#c...

I can't find the other ones since the search feature is limited.

"they're so desperate for a solution that they put up with a solution that basically doesn't work. "

That's true when there's a need. This is part of a hype cycle pushing stuff people don't need to replace stuff that would meet their needs fine. Accelerated by massive amounts of money being thrown all over this area. Totally different kind of thing. The stuff that bubbles, bankruptcies, and broken dreams are made of.


> A key difference is most of the new techs like Internet, email, Paypal, and so on improved on what people already had in a way that delivered obvious value.

I'd argue that for most people the value was only obvious afterwards.

To put email in perspective, early adopters had to choose between what they already knew and all the hurdles involved in connecting to the internet and using the new technology. There was also a good chance the people they were trying to communicate with didn't even have email. Outside of a few niche areas, email provided no obvious value to the vast majority of people for decades.


The thing I was getting at is, if you had a computer and Internet, then email would be a free, fast alternative to traditional mail. That has obvious benefit. Whereas, these currencies are volatile, slower, often don't allow charge backs, use more energy, and are accepted at fewer places. Worse in every way to checking accounts and credit cards. Esp if we have multiple cards or accounts to reduce risk of single institution.


> if you had a computer and Internet

That's a lot of hand waving for something that wasn't trivial at all in the 60s and 70s.


Worse in every way to checking accounts and credit cards.

Quite a few Venezuelans would beg to differ about that.


So for cryptocurrencies to be the "better solution" you just need your entire country to have a total meltdown lasting multiple years?


> you just need your entire country to have a total meltdown

That happens more often than one might think. There are quite a few countries that are currently on the brink of collapse, so it is not unlikely that one or more of them will adopt a cryptocurrency some time in the not too far-off future.


I agree, but it's a super narrow niche for most people. Definitely one much smaller than the current hype for blockchains.


While I don't necessarily disagree with you on that, and I do think a lot of the hype comes from speculation, it's worth noting that many ubiquitous technologies we take for granted started as a narrow niche.


No chargebacks is a feature in many situations.


Ethereum (the one where "The DAO" hack happened) is a project that initially released in July 2015 [1]. The Roadmap was provided in the beginning and it is clearly understood that it is a work in progress. It is not yet ready for general public use.

Bitcoin is an entirely different project. Although it is also a blockchain, it's like a calculator while the former is a fully programmable computer. These two projects are very different, two different groups of developers. I encourage you to read into them more to educate yourself.

[1] https://en.wikipedia.org/wiki/Ethereum


> Someone had told me about it in 2015, I took a quick glance and passed thinking "Looks like a scam." Then 2017 happened and the joke was on me. Then 2018 happened and the joke was on them again.

Pretty sure the joke is still on you when comparing to someone that told you about it in 2015.

The highest price for ETH in 2015 was $2.19, lowest in 2018 was $85. So even with the worst possible entry/exit in those years we're still talking about a 3881% ROI in 3 years. Again, that's the WORST possible ROI for entering in 2015 and leaving in 2018.


That's like saying "this whole programming thing just keeps on giving" every time a bug is discovered in any program.

Those involved have been warning of the insecurity of smaller chains for a long time now, and they aren't representative of the entire ecosystem.


> That's like saying "this whole programming thing just keeps on giving" every time a bug is discovered in any program.

No it's not. Programming is a tool to create programs with. Block chain is a technological buzzword being used (and implemented) wildly inappropriately.

51% attacks are a fundamental vulnerability in decentralization. It would be like inventing programming when everyone pretends bugs don't exist at all. Bugs are inherent to the task, just like blockchains have a very narrow set of use cases, but everyone's too busy flying too close to the sun.


You won't find any disagreement from me that there is a LOT of garbage out there using blockchains and cryptocurrency tech inappropriately.

The extreme vast majority is trash, manipulative, and awful in most every way. Not to mention the charlatans and fanboys that hype it as able to do everything and anything perfectly.

But the few that use it well are doing fairly well, and innovation is happening. You shouldn't loop the entire ecosystem as one big unit making terrible choices together.


Are they though? I'm honestly curious as to what those things could be. A lot of people talk about good uses of blockchains, but all examples I've seen are either not actually good uses, or they have some flaw that makes practical implementation impossible (or at least highly unlikely).

What examples of good use of blockchains are you thinking of?


* Trustless time stamping to prove that you had certain information at a certain point in time without revealing it https://opentimestamps.org/

* (depending on your stance on personal liberty) censorship resistant, pseudonymous e-cash/e-gold (Bitcoin)


I may be failing to understand, but:

If the whole concept is trustless decentralized (fill in the blank ???) profit, meaning that you can make currency or a timestamp or whatever else using blockchain,

and a sufficiently large force can basically fork off of an earlier block, race ahead in secret and then take over the currency or timestamps or whatever else the blockchain's about,

does this not render the replaced fork useless? As in, if it's money it doesn't count and you lost everything, if it's a timestamp it's not proof because it's not the blockchain anymore, etc?

I guess this is one way to make it so raw power is the only thing that matters, expressed as 'ability to marshal computer resources on a massive scale', which costs money and so it becomes circular. Power/money gives you power/money and so on. Given enough power/money you can simply take over Bitcoin: could be happening right now.

Nice :P
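The heaviest-chain rule described further up (a PoW fork is resolved by whichever side accumulates more work) and the secret-branch takeover this comment asks about, as an added simulation that is not code from the thread. Every block, work value and transaction id is constructed; the reorg log stands in for the confirmation-depth check an exchange or merchant applies before crediting a deposit.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    """Constructed block: identity, parent link, the work it represents
    (expected hashes for its difficulty) and the transaction ids it holds."""
    block_id: str
    parent: Optional[str]           # None only for the genesis block
    work: int
    txids: Tuple[str, ...] = ()


class Chain:
    """Block store applying the heaviest-chain rule: the active tip is the
    block whose ancestry carries the most cumulative work, not the most blocks."""

    def __init__(self, genesis: Block) -> None:
        self.blocks: Dict[str, Block] = {genesis.block_id: genesis}
        self.tip: str = genesis.block_id
        self.reorgs: List[Dict[str, int]] = []      # what a monitor would log

    def ancestry(self, block_id: str) -> List[str]:
        """Block ids from block_id back to genesis, tip first."""
        out: List[str] = []
        cur: Optional[str] = block_id
        while cur is not None:
            out.append(cur)
            cur = self.blocks[cur].parent
        return out

    def cumulative_work(self, block_id: str) -> int:
        return sum(self.blocks[b].work for b in self.ancestry(block_id))

    def confirmations(self, txid: str) -> int:
        """Confirmations of txid on the active chain; 0 if it is not on it."""
        for depth, block_id in enumerate(self.ancestry(self.tip), start=1):
            if txid in self.blocks[block_id].txids:
                return depth
        return 0

    def reorg_depth(self, old_tip: str, new_tip: str) -> int:
        """How many blocks of the old active chain new_tip abandons."""
        new_ancestors = set(self.ancestry(new_tip))
        depth, cur = 0, old_tip
        while cur not in new_ancestors:
            depth += 1
            cur = self.blocks[cur].parent
        return depth

    def add_block(self, block: Block) -> None:
        if block.parent not in self.blocks:
            raise ValueError(f"orphan block {block.block_id}: unknown parent")
        self.blocks[block.block_id] = block
        # Switch tips only for strictly more work; a tie leaves the fork open.
        if self.cumulative_work(block.block_id) > self.cumulative_work(self.tip):
            depth = self.reorg_depth(self.tip, block.block_id)
            if depth:          # the new tip undid blocks: record it for alerting
                self.reorgs.append({"depth": depth,
                                    "old_height": len(self.ancestry(self.tip)) - 1,
                                    "new_height": len(self.ancestry(block.block_id)) - 1})
            self.tip = block.block_id


def build_branch(parent: str, prefix: str, count: int, work: int,
                 txids_at_first: Tuple[str, ...] = ()) -> List[Block]:
    """Constructed branch of `count` equal-work blocks; the first carries the txids."""
    blocks, tip = [], parent
    for i in range(1, count + 1):
        blk = Block(f"{prefix}{i}", tip, work, txids_at_first if i == 1 else ())
        blocks.append(blk)
        tip = blk.block_id
    return blocks


def run_scenario(honest_blocks: int = 98, attacker_blocks: int = 102,
                 required_confirmations: int = 6) -> Dict[str, object]:
    """A deposit is confirmed on the public branch while a majority miner
    extends a private branch from the same fork point, then publishes it.
    Returns what a deposit monitor sees before and after the publication."""
    chain = Chain(Block("genesis", None, work=1))
    public = build_branch("genesis", "pub", honest_blocks, 1000, ("deposit-to-exchange",))
    private = build_branch("genesis", "priv", attacker_blocks, 1000, ("conflicting-spend",))
    for blk in public:                      # the only branch anyone sees so far
        chain.add_block(blk)
    before = chain.confirmations("deposit-to-exchange")
    for blk in private:                     # private branch released all at once
        chain.add_block(blk)
    depth = chain.reorgs[-1]["depth"] if chain.reorgs else 0
    return {"confirmations_before": before,
            "deposit_credited": before >= required_confirmations,
            "confirmations_after": chain.confirmations("deposit-to-exchange"),
            "reorg_depth": depth,
            # a reorg at least as deep as the credit threshold invalidates credits
            "alert": depth >= required_confirmations}


if __name__ == "__main__":
    print(run_scenario())
```

With the default numbers the deposit has 98 confirmations and is credited, then drops to 0 once the heavier private branch is published, and the monitor logs a 98-block reorg; a minority branch (try `run_scenario(60, 40)`) never displaces the public chain.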


> censorship resistant, pseudonymous e-cash/e-gold (Bitcoin)

Bitcoin not only doesn’t deliver on those claims, it’s actively dangerous because it leaves an immutable public record of your activities, as numerous court cases have shown. There’s a reason why the mob doesn’t publish their ledgers.

“Censorship resistant” is also a complex claim since the network is trivially blocked as a whole, and the inability to comply with legal demands means that anyone legitimate faces risks which will encourage them to stop participating, reducing the defense for allowing it at all and removing the traffic everyone else is hoping to hide behind.


He said pseudonymous, not anonymous...

It's censorship resistant in its use. It only becomes an issue in terms of actually cashing out -- but that's not necessarily required.


> He said pseudonymous, not anonymous...

That's why I said it's dangerous: telling people a word which sounds like anonymous but actually means “irrepudiable proof of identity” is setting them up to make decisions under the belief that they are closer to anonymous than they actually are. Given how proponents like to proclaim benefits for people in countries with repressive governments, that's just irresponsible.

> It's censorship resistant in its use. It only becomes an issue in terms of actually cashing out -- but that's not necessarily required.

What does that even mean? A government can block it easily because the design requires you to be on the network and the lack of anonymity means that anyone who attempts to bypass those restrictions has valid reasons to fear reprisal.


Well, they're two concepts with quite different meanings -- I'm not sure how you do better than explaining it that way. I've always explained bitcoin that way, and I think most people understand it that way now.

"the network" is a concept that doesn't necessarily mean "the public internet". Also, it really doesn't require everyone to be on the network -- it requires a network to exist. And pseudonymity can be "good enough".

The point was that the entire ecosystem can exist independent of cashing it out to fiat -- that point can be somewhat controlled, but it's not necessarily required.


> pseudonymity can be "good enough".

Which is to say, it's not good enough for anything which matters, especially in any case where censorship is a relevant concern.

> "the network" is a concept that doesn't necessarily mean "the public internet". Also, it really doesn't require everyone to be on the network -- it requires a network to exist.

This is similarly meaningless: if you're talking Bitcoin, you're by definition saying you need to be on the regular internet and if you're running some private network you either have the exact same problems with trust & monitoring or you don't need a blockchain in the first place because you have some other trusted communications channel.


No, it's good enough if precautions are taken. If you apply a moderate amount of care, your identity is not hard to protect when using it.

There are a variety of ways to have private transactions across either the public internet or other networks. There are a variety of coins that use tor, for instance.

It doesn't have to be bitcoin either.

My point was that if you can avoid cashing out to fiat using well known gateways, anonymity isn't difficult to preserve. It only becomes an anonymity problem if you are careless or if you cash out using known KYCd gateways.


> It only becomes an anonymity problem if you are careless or if you cash out using known KYCd gateways.

This means you can't use it for currency transactions, with anyone you don't trust, or on any system which might be compromised by the authorities you're trying to evade. If you ever make a mistake, all of that not only won't help you but will be strong evidence of intention. There are very few threat models where “use cash” is not a much safer answer.


That's not what that means.

It means you need to operate inside the cryptocurrency ecosystem instead of counting on cashing out all the time, or you simply use any of the many non-regulated means to cash in and out of the ecosystem.

That's becoming more and more possible to do.


> It means you need to operate inside the cryptocurrency ecosystem instead of counting on cashing out all the time, or you simply use any of the many non-regulated means to cash in and out of the ecosystem.

None of which has any bearing on the problems I mentioned earlier. If you're worried about a repressive government, the odds are high that other people in the system are compromised and will help reveal your identity. Those “many non-regulated means to cash in and out” are similarly not readily available and extremely likely to be compromised as well. People sometimes act like mixers solve this problem but they aren't effective against attackers who can see lots of traffic and even if they worked as well as advertised, simply using one is going to be considered proof that you were doing something illegal and attempting to hide it.

Finally, as we're already seeing you have the problem that in a repressive country simply being able to maintain software security is an unsolved problem: consider what the odds are that someone will manage to maintain perfect security of their devices and client trying to find software which is considered illegal and will attract attention simply by searching for it.

Read anything about the history of people living under regimes with black market economies and ask what a blockchain is adding other than a gift-wrapped transaction history for the authorities. It's simply irresponsible to tell people that you're not exposing them to more risk in the hope that it'll make some money for you.


Mixers are hardly the only form of dealing with anonymity. We have multiple privacy coins and ways of getting in and out of them that do a very good job of dealing with the problems you mention if you are concerned about mixers for some reason.

Somehow, people in China still manage to get on the internet, how do you think that happens? As it happens, the internet was designed to route around censorship, and it's done a very good job so far.


There are some cool things you can do with blockchains, they’re just a little over hyped. It’s pretty neat to send funds to someone without going via a 3rd party, it’s cool to run code on a global computer, it’s awesome to have digital assets that can’t be doled out on a whim by a central authority.


[flagged]


can we not do this here please?

Nobody wants that, nobody is saying they want that, there are mitigations against that (like backups), and it's a stupid straw man that's not even trying to engage in a meaningful conversation on the topic.


Nobody wants to back up their money. Just use a bank and never worry about it.


Like how nobody wants to have their accounts frozen with no notice? Or how people don't want a private company to be able to dictate what they are allowed to buy and sell? Or how people don't want to have to be constantly vigilant to ensure their simple 16 digit number doesn't get into the wrong hands (or that the hands they are required to give it to don't misuse it) and if/when it does they quickly report it to the credit card company so they aren't on the hook for it.

All money systems have tradeoffs, cryptocurrencies are just another option.


> Like how nobody wants to have their accounts frozen with no notice?

This is not a concern for 99% of people. Nobody is getting their bank accounts frozen except for high profile criminals.

> Or how people don't want a private company to be able to dictate what they are allowed to buy and sell

Another fake problem. 99% of people can buy and sell whatever they want. There is a very very small intersection between what is legal and prohibited by the banks. Once again, this is only a use-case for criminals.

> don't want to have to be constantly vigilant to ensure their simple 16 digit number doesn't get into the wrong hands

Do you not see the irony in complaining about vigilance over a credit card number in a response about the work of having to back up your bank cryptocurrency private key? If your 16 digit card number is stolen just cancel the card and any fraudulent purchases will be remedied. Cryptocurrency is clearly worse in this comparison.

> All money systems have tradeoffs, cryptocurrencies are just another option

Cryptocurrency is not a "money system" with "trade offs", it's a hamstrung toy that facilitates some dark-market commerce and that's about it, it is otherwise demonstrably useless and certainly not an alternative for the incumbent financial system.


>This is not a concern for 99% of people. Nobody is getting their bank accounts frozen except for high profile criminals.

I've had my credit cards frozen multiple times because I did something their fraud detection deemed shady. One time I was stuck in another country without any way to pay for things! Yes, I now know that I have to warn my credit card company where I'm going or they may turn my card off again on me, and I now know that I should bring cash with me (at the time I didn't have a ton of money to be able to take a bunch out in cash to carry around, not to mention that it would have cost me tens of dollars to withdraw all of my own money, and the bank can still deny me making it in one big withdraw!), but that is again a lot of work to have to do and worry about just to be able to spend my own money.

(Also, the whole premise there kind of freaks me out. You need to warn the bank where you are going, and then if they approve you are allowed to spend your money there, otherwise you could be stuck somewhere with no recourse... That's terrifying!)

>Another fake problem. 99% of people can buy and sell whatever they want.

And yet finding credit card processors for porn and other adult things is extremely difficult for most companies in that area. Not to mention that your agreement with your credit card company prohibits you from buying a lot of that stuff (porn, sex, donations to politically unfriendly sites like wikileaks, etc...)

And go ask a marijuana shop why they don't take credit cards, and how difficult it is for them to handle money and even pay their employees because they can't get a bank account in the US. How they need to hire armed guards because they have to work entirely via bundles of cash because of the blacklisting of their industry.

Hell, just LAST WEEK there was an article at the top of this very website about how Paypal banned a company and is holding their funds for 180 days. And that thread is FILLED with other examples not just from Paypal but other companies as well.

https://news.ycombinator.com/item?id=18783493

You can say it's unlikely, but you can't say it's a "fake problem".

>Do you not see the irony in complaining about vigilance over a credit card number in a response about the work of having to back up your bank cryptocurrency private key?

No, because you never have to give out your private key, but you do have to give out and protect your credit card number.

>If your 16 digit card number is stolen just cancel the card and any fraudulent purchases will be remedied.

Unless you waited too long to tell them, or they say you've disputed too many fraudulent purchases on your account, or they mess up the paperwork, or they say the fraudster used your pin and they don't cover charges where a pin is used.

>Cryptocurrency is not a "money system" with "trade offs", it's a hamstrung toy that facilitates some dark-market commerce and that's about it, it is otherwise demonstrably useless and certainly not an alternative for the incumbent financial system.

It's clear you've made up your mind, I don't even know why I'm typing this out, you aren't going to change your feelings.

But I'm not asking you to believe me, I'm asking you to let some of us make different choices. You say 99% of people don't have a concern about these things, what about the 1% of us that do? What about the 1% who are being failed by current money systems, the 1% who have to rely on cash which is EXTREMELY susceptible to fire, theft, and loss because they can't back it up, the 1% who want to try and transact safely without a middleman in some situations, the 1% who think that there is still improvements that can be made in cryptocurrencies and are working toward solving problems with them so that one day they may become more useful to a much larger portion of people.

Also:

>certainly not an alternative for the incumbent financial system.

I never said it was an alternative in its current form. I don't believe it is. No cryptocurrency at the moment is ready for widespread usage, and I don't believe it is going to ever take over the incumbent financial system ever. But that doesn't mean we can't try to make it easier to use, better, safer, expand the usable situations, experiment with cryptographic protocols, and maybe eventually some of that tech can make it into other money systems in some way to make things better for everyone. Or maybe it will just stay a fringe system for some who have been burned or blacklisted by the current system to use in some situations where they would otherwise be stuck.

You don't need to be involved, you don't even need to like it, but don't make up straw men and act like nobody out there wants some of the benefits of it because you personally don't.

I didn't want to get into fucking arguments about cryptocurrencies today, especially with someone who just decides that the problems it's solving for some are "fake problems" and handwaves them away, so this is the last time I'll reply here.


> I've had my credit cards frozen multiple times because I did something their fraud detection deemed shady

A frozen credit card is not a frozen bank account. Your money is still available in the bank. You can try to paint fraud protection as a negative but the vast majority of consumers disagree with you. Not a real issue.

> No, because you never have to give out your private key, but you do have to give out and protect your credit card number

You're moving the goalposts. Giving out a credit card does not require a user to be vigilant about security, they simply leverage the number when they need to make a purchase, no back ups or additional work required.

> It's clear you've made up your mind, I don't even know why I'm typing this out, you aren't going to change your feelings.

Not an argument. It's clear you've made up your mind, I don't even know why I'm typing this out blah blah blah. See how pointless that is?

> I'm asking you to let some of us make different choices

Nobody needs my permission to do anything. I can assert that cryptocurrencies are useless and you can ignore me if you like.

> What about the 1% who are being failed by current money systems

What about them? They can do whatever they want, I'm not trying to stop cryptocurrency enthusiasts from doing their thing, it doesn't mean I have to agree that it's useful.

> Paypal banned a company

Paypal is a private company... what's your point? Coinbase bans people all the time for arbitrary use of their coins. Based on your logic here that means cryptocurrency is a failure.

> marijuana shop

Marijuana is federally illegal. Using cryptocurrency doesn't solve any problems that cash doesn't already solve just fine. Cryptocurrency has literally zero advantages for these businesses.

> that one day they may become more useful

Yeah... when that actually happens you won't hear any arguments from me.

> You don't need to be involved, you don't even need to like it, but don't make up straw men and act like nobody out there wants some of the benefits of it because you personally don't.

Talk about a straw man. I never said "nobody out there wants some of the benefits" of cryptocurrency, I said THE VAST MAJORITY of people don't want it, which is absolutely true and something you've already understood based on your response, so I am not sure why you have decided to pull up a strawman argument even though you already responded to my actual argument regarding the "1% who are being failed by current money systems".

> I didn't want to get into fucking arguments about cryptocurrencies today, especially with someone who just decides that the problems it's solving for some are "fake problems" and handwaves them away, so this is the last time i'll reply here.

This is a silly rhetorical trick. You drop a gigantic wall of text and then sign it with a complaint that you don't want to get in an argument and use that as an excuse to avoid responding to criticism. I didn't do any handwaving, I gave detailed specific responses explaining my position, but if regarding my argument as "handwaving" makes it easier for you to ignore it, by all means.


This is not an effective argument - you are assuming that a user of digital currency will not keep multiple copies of their money, especially in meaningful amounts.


Blockchains are just another datastructure. A poor implementation of one doesn't necessarily mean the whole idea is fundamentally useless.


But a vast majority of them being garbage does mean the vast majority of them are garbage


well programming is providing lots of value to humanity at the moment so it gets a pass


To be fair, as someone who is cynical and lived through the turn of the century dot-com crash we needed a few high profile failures after the pets.com sock puppet, myspace and cue-cats almost 20 years ago.... Thank goodness for Amazon...

But honestly I missed the crypto currency expansion completely. Bitcoin when I noticed it at $50, bah.... It hasn't lived up to its promise of an alternative form of payment, but it certainly increased in value rapidly. But I wouldn't count it out completely, there may be a use case that in hindsight is obvious, that we aren't seeing yet. I doubt it but it is possible (my track record is good but mixed. I was the proud owner of buy.com stock.. that didn't work out so well.. )

Plus the algorithms are kind of interesting, and the fact it works at all is kind of miraculous.


It will be crashing when the market caps start retracing previous years. It's still ridiculously high compared to what it was in 2016 or any year before that. We have a good five years of "evidence" of the get-rich-quick scheme that attracts money into crypto, so a lot of ignorant, naive people will keep slowly coming in to find their money lost.


I have to say, it's quite entertaining to watch. It's pretty much a car crash happening in slow motion at this point. At least it provides something else to nerd joke about by the watercooler...

The above part pretty much applies to humanity as a whole, going back at least 200k years.


Yeah, except a good portion of the errors made in those 200k years at least had the excuse of being new.

Blockchain stands apart as repeating every single problem the financial system solved over the last 300 years, while being driven by a community best defined by their arrogant dismissal of that very financial system they are reinventing, piece-by-piece.

Turns out civil society (i. e. laws, courts, institutions, economics, shared fictions of value, and trust) cannot actually be replaced by an algorithm quite as easily.


> Yeah, except a good portion of the errors made in those 200k years at least had the excuse of being new.

> Blockchain stands apart as repeating every single problem the financial system solved over the last 300 years

Forgetting then repeating the mistakes of the past is yet another long standing hallmark of human beings. In every age, in every place, the deeds of people remain the same.

> Turns out civil society (i. e. laws, courts, institutions, economics, shared fictions of value, and trust) cannot actually be replaced by an...

An algorithm. A new religion. A new social theory. A new lifestyle. A new understanding...


This comment sounds like Erlich Bachman on Silicon Valley.


Is he cynical about human progress?

I've never seen SV. After I was assaulted over an iPhone project and complicated living situation, my ophthalmologist urged me to watch it. I actually stayed in a place billed as a "Hacker Hostel" when I first got to San Francisco. There is indeed a lot of fodder here for someone like Mike Judge.


I think it is evolving tho. somewhat like beliefs in: tribe shaman -> pharaoh -> church -> state -> algo -> .... Is it a successful branch of evolution? Who knows, I would definitely not bet against or for it at this point.

An update from the eth classic account linked in that thread: (not sure what they mean by selfish mining...)

Regarding the recent mining events. We may have an idea of where the hashrate came from. ASIC manufacturer Linzhi confirmed testing of new 1,400/Mh ethash machines #projectLavaSnow

- Most likely selfish mining (Not 51% attack)

- Double spends not detected (Miner dumped blocks)


Coinbase mentions a few reorgs without double spends, and quite a few more with: https://blog.coinbase.com/ethereum-classic-etc-is-currently-...


IIRC selfish mining is mining without broadcasting the blocks. Some pools do it for only a short time to get a headstart on mining the next block, the obvious risk being someone else broadcasts a block before you do and your block becomes orphaned. In the case of a 51% attack, I believe you can simply selfish mine then reorg the chain every now and then because your chain is longer. This way, you mine every single block.


So this is a publicity stunt intended to show off their mining rigs.


Eyal, Ittay, and Emin Gün Sirer. "Majority is not enough: Bitcoin mining is vulnerable." Communications of the ACM 61.7 (2018): 95-102.

https://www.cs.cornell.edu/~ie53/publications/btcProcFC.pdf


What does this mean?

(Not all of us know a whole lot about how crypto works or why this is good or bad and what it means for our investments)


The most typical way to profit from this, is to have quite a bit of ETC, and then sell it on an exchange or buy something expensive. This transaction would then end up on the block chain, and eventually be considered secure / part of history.

Privately, you are building a chain where said transaction did _not_ occur. Because your hash rate is high enough, you are generating blocks at at least the pace of the public chain. You keep mining your chain (without your transaction) privately until the bank transfer from the exchange goes through, or you are sure whatever you bought is on its way. Then you broadcast your private chain as soon as it has at least one block more than the public chain and voila, you have your ETC back and the USD/EUR/crypto you sold it for (or the product you bought). You can have your cake and eat it too. This is because the rule of most cryptocurrencies is that the longest chain is the truth, and everyone mines on top of the longest chain. If a longer chain appears out of nowhere, all miners will jump on top of this one. There is no such thing as "finality" in most cryptocurrencies, where something becomes actually (read: much more) irreversible.

Of course, doing this only makes sense if what you gain outweighs the costs of performing such an attack.

Note that you typically _cannot_ steal coins from specific wallets, as you do not have the keys to those coins. You can however censor transactions that you may not want, but the above is a common way to benefit from a 51% attack.


Of course, doing this only makes sense if what you gain outweighs the costs of performing such an attack.

If the hardware to accomplish the attack is available for your use, the cost of the mining should net out at zero-ish, because you're also getting the rewards for doing the mining. So the net cost of the attack is just the overhead for the mining hardware.

Coincidentally, economist Alex Tabarrok just wrote about this today: https://marginalrevolution.com/marginalrevolution/2019/01/bi...


Yes, I would guess that coins sharing an algorithm with a much bigger brother (in hash rate) are particularly susceptible. Of course, the perceived security and valuation of many coins is somewhat tied together, and I can imagine many miners would avoid attacks on other (smaller brother) chains because they might end up hurting themselves as well. But it only takes one (big enough) actor to do serious damage to a smaller brother coin, possibly looking to gain financially, or maybe just to undermine its credibility/valuation. To do the latter, I would say continuously forcing many large reorgs is the way to go.


Upvoted for explaining the attack well but RE:longest chain, Blocks are added at a standard rate so the chain with the greatest accrued work is the "truth".


You are totally correct :) I figured it would be easier to forgo the explanation of "difficulty" and difficulty adjustments (which ETC/ETH do much quicker than e.g. Bitcoin does).
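As an added illustration (not code from the thread), here is a small Python model of the private-fork double spend described above, with nodes choosing the tip by accumulated work rather than block count, as the correction notes. Block allocation is an expected-value model (the attacker finds exactly its share of every 100 blocks), and all transaction labels are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    height: int
    miner: str          # "genesis", "honest" or "attacker"
    txs: tuple          # constructed transaction labels
    work: int           # work units standing in for the difficulty target

def chain_work(chain):
    """What nodes actually compare: accumulated work, not len(chain)."""
    return sum(b.work for b in chain)

def choose_tip(*chains):
    """Fork-choice rule: the heaviest chain wins, whatever its block count."""
    return max(chains, key=chain_work)

def confirmed(chain):
    return {tx for b in chain for tx in b.txs}

def heaviest_not_longest():
    """Fork A has 3 blocks of work 4, fork B has 5 blocks of work 2: A wins."""
    g = Block(0, "genesis", (), 1)
    a = [g] + [Block(i, "honest", (), 4) for i in range(1, 4)]
    b = [g] + [Block(i, "honest", (), 2) for i in range(1, 6)]
    return choose_tip(a, b) is a

def run_double_spend(attacker_share_pct=51, exchange_confirmations=6,
                     max_rounds=5000):
    """Expected-value model of the attack: one block per round, and the
    attacker finds exactly attacker_share_pct of every 100 of them (integer
    bookkeeping, so the run is deterministic rather than a random sample).
    The attacker pays the exchange on the public chain, mines a secret fork
    from the block before that payment (re-spending the same coins in its
    first block), and publishes once the fork is heavier and the exchange
    has credited the deposit."""
    genesis = Block(0, "genesis", (), 1)
    payment = "attacker -> exchange: 1000 ETC"            # constructed
    respend = "attacker -> attacker's other wallet: 1000 ETC"
    public = [genesis, Block(1, "honest", (payment,), 1)]
    private = [genesis]
    acc, rounds = 0, None
    for n in range(1, max_rounds + 1):
        acc += attacker_share_pct
        if acc >= 100:
            acc -= 100
            txs = (respend,) if len(private) == 1 else ()
            private.append(Block(len(private), "attacker", txs, 1))
        else:
            public.append(Block(len(public), "honest", (), 1))
        credited = len(public) - 1 >= exchange_confirmations
        if credited and chain_work(private) > chain_work(public):
            rounds = n          # the attacker publishes the fork now
            break
    # An unpublished fork changes nothing; a published heavier one reorgs.
    winner = choose_tip(public, private) if rounds else public
    return {
        "rounds": rounds,                   # None: the fork never caught up
        "confirmations_seen": len(public) - 1,
        "blocks_orphaned": len(public) - 1 if winner is private else 0,
        "payment_survives": payment in confirmed(winner),
        "respend_confirmed": respend in confirmed(winner),
    }
```

With the default 51% share the fork overtakes after 100 rounds and the exchange's 50 confirmations are orphaned; at 30% it never catches up, however long it runs.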


so to be safe, an exchange should require more confirmations depending on size of deposit. Basically the number of confirmations you could finance an attack for with the deposit.


I'm not sure how easy it would be for exchanges to implement variable confirmations depending on the amount transferred, but I would say that what you suggest is a very reasonable way to limit the risk of suffering such an attack. I would say that especially exchanges that support fringe coins would better look into something like that. Even if the exchange's potential loss is only a couple hundred or thousand dollars, it's worth doing in my opinion, even if only to avoid the technical or legal hassle that would otherwise follow.

I would say that most (other) fringe coins are not as easily attacked as ETC was. They have very illiquid markets, and you cannot really sell a significant amount of them before you basically just deplete the order books. And merchants are typically not accepting anything other than the major coins either. I guess ETC was still riding along on its partially shared name/history with its bigger brother.

Eventually, some more details on the double spend transactions might shed some light on who suffered a loss in this case. It might be an exchange, but most of them require KYC nowadays (so it becomes hard to get away with).


Shouldn’t any sale/transaction be considered “not final” (goods can’t be shipped, for example) until the official chain has progressed to a point where you can be sure the cost of producing a censored fork is higher than the transaction in question? That is: you buy something expensive then it might not ship for a month or two.

I guess you could buy a hundred gadgets at $100 each from a hundred places in one day and then produce a fork censoring your whole $10k shopping spree?


you can't predict that - the alternative chain is mined privately and it is a matter of amount at stake how long this mining will continue.

But in the publicly visible (longest, official) chain, can't I estimate the effort that was used to mine from a certain transaction up to the head? Say the transaction I want to hide is b, then the attacker would need to mine a longer alternative chain (c', d'...). If transaction b was for $1000 and we can estimate that the mining of the visible chain c...f is at least $2k with a conservative estimate, can't we estimate that the attacker's chain c'...g' must cost something at least vaguely proportional to that as well? Is it not even possible to make a conservative guesstimate of cost-vs-chain-length?

    a<-b<-c<-d<-e<-f
     \
      c'<-d'<-e'<-f'<-g'

Yes, and most do. Many will semi-routinely increase the number of confirmations during times where it could be necessary (like chain splits or network upgrade events), or adjust the number of confirmations depending on the size of the currency and overall usage.

Another mitigation is to shut down trading until the attack is over. Maintaining a 51% attack is expensive (assuming there is at least SOME usage of the coin), and if you just say "we won't be doing business for the next 24 hours", the attacker now has to maintain that attack for the next 24 hours, and if the company wants, they can just extend the time. Eventually (hopefully!) the attacker will run out of money, and the "correct" chain will take it over again.
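As an added example (not from the thread), the exchange-side policy discussed in this sub-thread in Python: confirmations scaled to deposit size against an estimated per-block attack cost, the net-cost caveat that block rewards offset the attacker's rental cost, and a reorg monitor that halts crediting when a deep reorg is seen. The hourly rental figure, block time and block ids are constructed assumptions, not ETC parameters.

```python
import math
from fractions import Fraction

def attack_cost_per_block(rent_usd_per_hour, block_time_s, block_reward_usd=0):
    """Net cost to an attacker of one block of the private fork. Renting hash
    power costs rent * block_time, but the attacker keeps the block reward if
    the fork wins, so the net cost can approach zero. Exact Fraction result."""
    gross = Fraction(rent_usd_per_hour) * Fraction(block_time_s, 3600)
    return gross - Fraction(block_reward_usd)

def confirmations_required(deposit_usd, net_cost_per_block, safety=2, minimum=6):
    """Confirmations such that rewriting them costs at least safety x deposit.
    Returns None when the net cost is not positive: no confirmation count makes
    the deposit safe, so crediting must stop or rely on out-of-band checks."""
    if net_cost_per_block <= 0:
        return None
    needed = math.ceil(Fraction(deposit_usd) * safety / net_cost_per_block)
    return max(minimum, needed)

class ReorgMonitor:
    """Tracks the block ids on the best chain and reports how many already
    accepted blocks a newly announced best chain throws away. One- or two-block
    reorgs happen naturally; anything deeper is treated as an attack."""
    def __init__(self, max_reorg_depth=2):
        self.max_reorg_depth = max_reorg_depth
        self.best = []          # block ids from genesis to tip
        self.halted = False

    def observe(self, chain):
        common = 0
        for old, new in zip(self.best, chain):
            if old != new:
                break
            common += 1
        depth = len(self.best) - common
        self.best = list(chain)
        if depth > self.max_reorg_depth:
            self.halted = True  # stop crediting deposits until cleared by hand
        return depth

def should_credit(deposit_usd, confirmations, net_cost_per_block, monitor):
    """Credit only if no attack is in progress and the deposit has enough work
    on top of it for its size."""
    required = confirmations_required(deposit_usd, net_cost_per_block)
    if monitor.halted or required is None:
        return False
    return confirmations >= required

def demo():
    """Constructed walk-through: honest tips grow one block at a time, then a
    published fork replaces four accepted blocks and the monitor halts."""
    cost = attack_cost_per_block(5000, 15)   # constructed: $5000/h rental, 15 s blocks
    monitor = ReorgMonitor(max_reorg_depth=2)
    honest = ["g", "b1", "b2", "b3", "b4", "b5"]
    attacker = ["g", "b1", "a2", "a3", "a4", "a5", "a6"]
    depths = [monitor.observe(honest[: i + 1]) for i in range(2, len(honest))]
    depths.append(monitor.observe(attacker))
    return {
        "required_for_1000": confirmations_required(1000, cost),
        "required_for_50": confirmations_required(50, cost),
        "required_if_reward_covers_cost":
            confirmations_required(1000, attack_cost_per_block(5000, 15, 25)),
        "reorg_depths": depths,
        "halted": monitor.halted,
        "credit_after": should_credit(1000, 200, cost, monitor),
    }
```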


The attack cannot be observed until it is accomplished. Naturally the chain will be long enough to target the exchange the spend was made at.


it can't be observed until it's acted on, but it may not be done after the first "attack", especially if it's cheap enough to launch on that specific coin.


In this kind of blockchain network, the longest chain of blocks is considered to be the valid one. However, someone that has 51% of the hashing power (i.e. more hashing power than everyone else combined) can create a chain that grows faster than the chain used by everyone else. This means that they could tamper with their chain, potentially rewriting history on it, and because it is the longest chain, it will be accepted as the valid chain, and their version of events looks like it has been accepted.


Being only somewhat familiar, I wonder this: Why don't clients have a simple rule against accepting changes to history that are more than one or two blocks old?


Other people have answered this from a more technical perspective.

Philosophically, what the distributed blockchain is, is an agreement for adjudicating whose record (eg list of transactions) should be agreed on as "the valid one". If you already have a different, reliable external way of deciding this question, that is (arguably) conceding that you didn't need a distributed blockchain in the first place.

EDIT: I've realised my comment could be misinterpreted as endorsing the blockchain 'movement'. I am among those who are quite skeptical of these many blockchain projects.


> I am among those who are quite skeptical of these many blockchain projects.

There's always dilution when an idea has been around long enough and I'm concerned about the copycats trying to use blockchain for other things.

If Raft is democracy, then blockchain is Might Makes Right. The guy with the biggest stick always wins. There is no actual vote. Everybody is an accomplice.

That doesn't sound like progress, that sounds like regression. A really big one.


What I described would be part of the rules of the system (or at least certain players). It just says "no changing history after X point".

If anything, relying on an outside source is what we're doing now. Coinbase and others are telling us that they detected something and I haven't heard anybody question them. (And I'm assuming they're not lying). Though that's not to say the blockchain will be changed by this information.


> If anything, relying on an outside source is what we're doing now.

You are correct of course. To me, problems like this recent attack highlight an inherent contradiction in the blockchain idea

- that the "51%+ of hashing power determines the truth" rule is really either lip-service; techno-marketing vanity that doesn't actually translate to practice (if corrective action ensues), and in which case the adjudicator is clearly not the blockchain tech we were told, but instead a nebulous collection of companies and stakeholders OR

- that "51% determines the truth" is indeed a strictly-held principle even though we have already demonstrated that there exist actors with enough resources and motivation to make attacks of this nature on some of the most prominent blockchain projects already - and we haven't even yet witnessed what a 51% attempt by an actor with the resources of a state would look like.

This is one of the reasons I have become skeptical of blockchain projects.


In short, because they don't know that the chain they saw first is the chain that other nodes saw first (especially if they weren't online at the time). At least in theory, an attacker can exploit this to permanently fork the chain.


Hmm. The humans at the exchanges seem to be able to tell the difference. I wonder if it could be encoded.


The "legitimate" fork can only be identified if you were online when the 51% attack started. Users who have started up their ETC client after the attack started will just see two forks and will pick the one with more blocks (which will be the 51% attacker's fork). No one wants a permanent fork, so the clients that were online the whole time disregard their knowledge of the previous "legitimate" fork and adopt the attacker's fork because it has more work and because that's the one everyone else is using.

Also, if you have clients follow the rule "never switch forks" to protect against 51% attacks, then any network partitions will cause a permanent fork.


I don't think that's feasible, to be honest.

I'd imagine that you would want to look for evidence of a double spend as that's the most likely goal of a 51% attack. But then the blockchain must have up-to-date knowledge of likely double spend targets (such as exchanges, OTC desks, etc), and be able to algorithmically and deterministically prove malicious intent with high certainty. Only then will you be able to maintain consensus and prevent unnecessary or accidental forks.

But since this is all open-source anyway, it would only be a matter of time before a slightly more sophisticated attacker read through the updated consensus algorithm and figured out how to game it. And so the cycle continues.

In truth, the only real strategy for mitigating attacks in PoW blockchains is hash power. It has proven to be very effective if you have enough of it (see BTC), and looking for other 51% resistance measures isn't really that productive unless you start from the ground up and rebuild the consensus mechanism on a different paradigm (e.g. PoS, which is still unproven afaik).


Because it's an eventually consistent system. If what you proposed was implemented, you could end up with a fork that would never get reconciled.


Those rules can cause breakage under normal usage because the probability of an N-deep reorganization is low but nonzero. They also don't help nodes that are syncing the chain from scratch.


Because then a simple accidental network partition could cause a permanent fork in the cryptocurrency.


Some clients do have this rule, actually!

It is a pretty interesting solution, that seems to work out OK.

For example, most Bitcoin cash clients don't accept reorgs longer than 10 blocks, as such a reorg is 100% an attack. This protects the network against large reorgs.


51% attack: https://www.investopedia.com/terms/1/51-attack.asp

I can't comment on investment. Note Ethereum has always been over-hyped which (imvho) makes it useless for any serious engineering. See https://news.ycombinator.com/item?id=18780489


The attacker rewrote part of the blockchain which was supposed to be immutable. Generally this allows spending the same money twice.


Because crypto-currencies are validating transactions by having them validated by the network as a whole, a group who controls more than 50% of the computing power can do whatever they want: reject valid transactions, create (and validate) fake transactions...


You can't create fake transactions[1]. You can reject some valid transactions or reject all transactions freezing the network for some time, and also try to double spend your money.

[1] The idea is that the miner just picks the last block and selects a bunch of the current transactions and a random number and makes a hash of all of them. If the hash has enough zeros at the beginning then it is a new block and it is distributed to all the network. The other nodes of the network validate all the transactions and also that this bunch of transactions with this random number produce a hash that has enough zeros at the beginning. Any invalid transaction or a wrong random number makes all the other nodes of the network ignore the fake block.

Once the last block and the bunch of transactions are picked, the difficult part is selecting a random number that with them produces a hash that has enough zeros at the beginning. So the miners must try, try, and retry with different random numbers until they are lucky (or someone else is lucky). They must try millions of millions of millions (gillions?) of times, because it's difficult to pick the correct one. This uses a lot of electricity to power the computer. The other people just validate with the lucky number, so it's much cheaper.
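The hash puzzle described above, as an added Python example (not from the thread): a miner hashes previous block, transactions and a nonce until the digest has enough leading zero bits, while every other node checks the claim with a single hash. The difficulty (in zero bits), previous hash and transaction labels are constructed, and the leading-zero-bits target is a simplification of real difficulty targets.

```python
import hashlib
import json

def block_hash(prev_hash, txs, nonce):
    """Hash of (previous block, transactions, nonce): changing any of them,
    including one transaction amount, changes the digest completely."""
    payload = json.dumps([prev_hash, txs, nonce], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def meets_target(digest_hex, zero_bits):
    """Does the 256-bit digest start with at least zero_bits zero bits?"""
    return int(digest_hex, 16) >> (256 - zero_bits) == 0

def expected_attempts(zero_bits):
    """Each attempt succeeds with probability 2**-zero_bits."""
    return 2 ** zero_bits

def mine(prev_hash, txs, zero_bits):
    """The miner's job: try nonces in turn until the hash meets the target.
    Returns (nonce, digest, attempts); attempts grows with the difficulty."""
    nonce = 0
    while True:
        digest = block_hash(prev_hash, txs, nonce)
        if meets_target(digest, zero_bits):
            return nonce, digest, nonce + 1
        nonce += 1

def verify(prev_hash, txs, nonce, claimed_hash, zero_bits):
    """What every other node does: recompute one hash and check the target.
    A tampered transaction list or a wrong nonce fails here."""
    digest = block_hash(prev_hash, txs, nonce)
    return digest == claimed_hash and meets_target(digest, zero_bits)

def demo(zero_bits=12):
    """Mine one constructed block and check the asymmetry: thousands of
    attempts to mine, one hash to verify."""
    prev_hash = "0" * 64                       # constructed genesis hash
    txs = ["alice -> bob: 1 ETC"]              # constructed transaction
    nonce, digest, attempts = mine(prev_hash, txs, zero_bits)
    return {
        "attempts": attempts,
        "expected": expected_attempts(zero_bits),
        "valid": verify(prev_hash, txs, nonce, digest, zero_bits),
        "tampered": verify(prev_hash, ["alice -> bob: 100 ETC"],
                           nonce, digest, zero_bits),
    }
```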


(This is a very basic run down of what I understand to occur. There are places where I omit steps and oversimplify, but I THINK it's pretty accurate. Someone please correct me if I'm wrong.)

Mining is basically the way that everyone agrees a transaction is valid - you have a bunch of unrelated entities saying, "Yes, according to my copy of the ledger, the sending party has X dollars and wants to send Y dollars, and the two parties agreed." (It's much more nuanced, but this is the easiest way to summarize it.)

If someone said, "I'm going to send AccountB 100ETC from AccountA," but AccountA only had 50ETC then a miner would see that and deny the transaction (wouldn't add it as a valid block to the blockchain). In reality, there are several places that the transaction should be thrown out, but there are obvious ways around those, and every transaction incurs a fee, so trying to just flood the network is costly. More importantly, several miners have to agree that the transaction is valid. When sending bitcoin, you'll see a number of "confirmations," which is the number of miners that marked the transaction as valid. You can see this when sending coins between two exchanges, you'll see that the receiving exchange won't allow you to use the coins for trading until you hit, say, 30 confirmations.

The problem with this model for smaller projects is that those "confirmations" by unrelated miners can't be trusted if one person/group owns more than half the miners. I left out the idea of wallets/nodes to bring this up here. Every "full" wallet (or node) has a copy of the blockchain and does some cursory checks on transactions before broadcasting them to the network. Miners then package a bunch of transactions in a block and send this to the network - "Here is my version of block X. It should be added to the blockchain as block X for everyone." The miners then have to expend some effort to verify that the block is actually the block they think it is and contains valid transactions. When the miners confirm a block, it eventually propagates to all the miners and nodes, and competing blocks by other miners, which might have contained some of the same transactions are discarded. It doesn't mean the other blocks were fake, just that the chosen block reached "consensus" of the miners and can be trusted to be valid. (I realize this leaves lots of open questions, but I'm limiting the scope to OP's question.)

Consensus is the big problem in 51% attacks. If someone controls more than half the mining power, they can reach consensus on blocks faster than legit miners and add whatever they want to the blockchain that is distributed to all the other miners and nodes. That means they can add/delete transactions or manipulate existing ones to, say, change the receiving address to their own, and everyone that receives those blocks will accept the outcome.

This is why decentralization is so important to cryptocurrency. There's a level of necessary chaos that keeps the network honest. It is possible to roll back the blockchain to a previous version, but that also means that transactions in all blocks that followed must be rolled back as well. If the rogue party simply accumulated currency, that's not a big deal, since all other transactions would still be valid. But, if they immediately turned around and traded them for other coins, you start to see the problem. On top of that, if ETC was more "robust", the news would (and currently is) send the price into a nosedive, which creates an opportunity to legitimately buy it very low and profit from the recovery. That's not going to be the case here.

All this being said, Ethereum Classic was kinda declared dead a month ago when the development group halted operations, so anyone with any significant amount of ETC should have sold off by now. This attack will probably be the final nail in the coffin.

TL;DR - In the end, the state of the blockchain comes down to a simple majority of miners agreeing that a block (a group of transactions) is valid. At 51%, you can force everyone to see invalid transactions as valid. ETC development ceased around a month ago, so no one that follows it should be holding any now, but people blindly trading for profit will get a nasty surprise.


51% attack means someone (or a group of people) has successfully taken over the said blockchain.


I think I would be satisfied with the distributed consensus model in these blockchain systems if someone could solve the non-repudiation problem.

In many of these blockchain systems, the 51% attacks only applies to money in motion. I can't move all of your funds out of 'your account' unless I have stolen your wallet, and if I have stolen your wallet I don't need to change anything else about the network. I can just spend on your behalf.

Lacking that, I can convince you you got paid for services and then claw them back by making the network change their mind after the fact. I can repudiate all payments to you with a 51% attack, by voting again on what transactions just finished.

Congress has rules about votes. If you have a quorum, everybody sticks with the outcome. If you don't show up, you don't get a vote. To make that work, you have rules. A quorum is defined and static. Obstruction is not allowed - no secret votes, no locking the doors.

It may be as simple as this: When my transaction is settled I need to know the health of the system. If some definition of quorum is met I know my transaction can't be hijacked. If the network was degraded a revote is possible. I need to wait for more confirmation before rendering services.


That idea of having quorums voting to establish consistency is essentially what Stellar does in their consensus protocol: https://www.stellar.org/developers/guides/concepts/scp.html


> If the network was degraded a revote is possible.

That's kinda the essential problem. If you can trigger a revote, then the attacker will stuff the ballot to make theirs the winner.


But with a large enough hashrate you can potentially go back many blocks...


According to [1], running a 51% attack for an hour is incredibly cheap for most currencies. Why doesn't this happen more often, or is running the attack for an hour not a long enough time frame to double spend?

[1] https://www.crypto51.app/


I think it's just not worth the time. What do you do when you've successfully run a 51% attack? You go on an exchange and double spend the money, which means you have to maintain the 51% attack for longer than min # of confirmations for this currency on said exchange. And even after that, most exchanges (in NA at least, can't say much about intl) require KYC.


Exactly, it's not worth the time. And once the attack is underway, it'll be detected and everyone can simply increase the number of confirmations needed before finalising.


Increasing the number of confirmations is easy but it also slows down everything. People don't want to have to wait for days for their transactions to be accepted.

If I understand correctly this attack managed to reorganize hundreds of blocks. That's a lot of time to wait for confirmations.


How is the 51% attack detected?


It's really obvious once the new chain is broadcasted. "Honest" miners switch over to mine on the deepest chain as soon as they become aware of it. It's very rare to even see a 2-block conflict. When you see a large N-block conflict then it's obvious there's a 51% attack going on.


But isn't the point of the whole thing that you do not broadcast it until after you are done? So yes, it's obvious in hindsight, but the damage will be done.


The question was how do you detect it. You obviously can't detect it until it's broadcasted because until then it's all happening in secret.
