Hacker News new | comments | ask | show | jobs | submit login

If you're not on the largest coin for any particular interchangeable hashing algorithm then you're susceptible to these attacks, as people from a larger coin could simply turn their hardware against you and take you out.

That means: For SHA256^2-specific hardware, Bitcoin (the real one, not Cash, Gold, or SV), for scrypt, Litecoin, and for anything mined on GPUs, Ethereum (not Classic).




A defense against this is merged mining (e.g. Dogecoin and Litecoin, Namecoin and Bitcoin).


If a 51% attack is mounted by adding hash power, wouldn’t the existing miners on the target coin also start shutting down[1] because the competition is higher, reinforcing the strength of the attackers?

[1] or migrate from to another coin, such as the coin that the attackers left to fill their void?


51% attackers mine in secret.

Basically, you spend your coins today, while controlling a 51% share. When everyone else's 49% hash-power creates 98 blocks, your 51% share will create 102 blocks.

But secretly. That's the key. Now that your chain is +4 ahead (or wait even longer and become +10 ahead), you can spend your coins on the public chain. Then, you publish your 102 alternative blocks (which barely adds any hash power to the chain), and spend your coins again on the 2nd chain.

A 51% is the end-all-be-all for a cryptocoin. If you're vulnerable to the 51% attack, the coin is effectively worthless.

-----

The only way to beat a 51% attack is to build more hash power than the attackers. IE: Prevent the attackers from getting to 51%.


If only we had a currency that was immune to 51% attacks because a government was willing to use force to preserve its value, and therefore doesn't need a massive use of energy for its proof of work.


We call it a 51% attack an attack, but from the perspective of PoW it's always about the chain with the most work. Anyone is just as valid as anyone else to propose blocks. That's the point of Bitcoin: a way to always figure what the truth is, and make it as expensive as possible for people to attack/change this truth.

The only problem here is that PoW only knows one cost: hashing, and due to macro shifts in mining hardware this can sometimes go down a lot more than the value of a coin (which makes the cost of this attack worth it).

As soon as you start introducing measures to subvert this attack you are subverting either decentralization or stability. If you for example program clients to not accept reorgs deeper than 10 blocks (for example) you simply introduce new attack vectors that can split the network (into following different chains - which is even scarier than 51% attacks).

If every x blocks you snapshot the chain and force everyone to follow that snapshot you just centralized the chain, etc.


Splitting the network causes it to become a marketing problem.


Due to probabilistic nature of most PoW protocols, you don't actually need to have the chain with the most work. Attacker can keep trying till they are are lucky, with less than 50% hashpower.


In the same way you can endlessly throw money at the craps table until you get lucky and bankrupt the casino?


In the same vein, I've been yelling at the monitor over the "news":

> The Milky Way could crash into another galaxy way sooner than we thought


And the chance of successfully doing so is incredibly low, and meanwhile you're out all the computational resources you spent on your private chain that ends up being thrown out.

You'd be better off simply placing big bets at a casino


Estonia was planning (and announced) something along these lines .. but the EU basically told them no.

https://www.bloomberg.com/news/articles/2018-06-01/estonia-c...


I think OP was being facetious and was referring to normal currencies.


Maintaining that force also costs a lot of energy. Abnd such a currency doesn't do the same things as crypto currencies.


When a president tells the governor of the central bank not to raise interest rates despite the bank board's best professional judgement, is that considered an attack?


And then the governor of the central bank doesn't because they don't take their orders from the executive branch, because they're a private entity? That's actually the whole reason they're a private entity -- to separate monetary policy from politics. Them being a private entity was what Satoshi was mad about, and yet here it is, saving our asses. What if Satoshi was ... wrong about everything?


Ad hominem. It's an opinion that some "policy" is "saving our asses". BItcoin isn't undergoing a 51% attack, currently. You don't know Satoshi's identity.

Private entities still practice consensus. Just because one can't inspect or participate in the consensus doesn't mean it doesn't exist.


That’s all irrelevant to my point; I didn’t say bitcoin was being attacked. The “saving our asses” comment was that if the executive branch telling the fed how to monetary policy represents an attack then the private nature of the federal reserve represents a defense, one that’s working, or colloquially “saving our asses.” This effective structure is one bitcoin maximalists decry, and yet, it continues to work effectively. Further it’s not a stretch to attach that idea to Satoshi given the content of the genesis block. It’s not an ad hominem attack to suggest someone is wrong — even that someone’s entire thesis is wrong — the definition is to attack the attributes of someone instead of their argument, I’m refuting their argument.

It doesn’t matter who Satoshi is, I don’t need to know to opine on their ideas. That private entities practice consensus is fine (after all isn’t that just any human interaction?) and further I have no problem with consensus just the sheer wastefulness and intentional anti-efficiency of bitcoin as-is, the fact it’s waste isn’t sufficient to prevent an attack, it’s fiscal policy (inflation is fine, you’re not supposed to hold currencies) and the idea that somehow bitcoins dreadful wealth inequality will save us from the present dreadful wealth inequality. Not to mention the idea we should just defer monetary policy to a bunch of developers who hack on protocol instead of a group of trained economists. Or the idea of scarcity when anyone can and does fork coins to double the number outstanding every few weeks. Or it’s user hostility. Or it’s defenselessness to market manipulation. History won’t look kindly on this mess in a few years.


Or wait for many more confirms that the attack is impractical.


I'm not sure that is possible. If a 51% attack for 1-week costs $1-million USD to pull off (hypothetical round numbers against a hypothetical coin)... then how many confirms do you wait for?

If you wait for 1008 confirms (for a transaction of $1 Million USD), then that doesn't stop the attack at all. After all, the attacker simply has to perform $2 Million USD worth of double-spends during that timeframe to make a profit. (Not necessarily with you, but across the entire blockchain).

After waiting 1008 confirms (1-week for a 10 minute/block coin), the attacker simply replaces those 1008 blocks with his 1049 secret-blocks and makes his chain the longest. That means that ALL spends for the past week are nullified, allowing the attacker to double-spend his coins on the new blockchain.

----------

In effect, waiting for 1000-confirms (or whatever) is closing the barn door after the horse has bolted. It doesn't protect your transaction... it protects the NEXT GUY's transaction.

In any case, the attacker gets to double-spend his money, which probably includes a large exchange (where you can turn coins into US Dollars easily).


If the attacker has 50+% of mining power for the entire duration then yes it wouldn’t work as the longer things stretch out the further ahead the attacker gets (statistically).

However it the attacker has less than 50% they can still wage an attack. With 10% of mining power I’ve got a 1% chance of mining consecutive blocks. It dwindles quickly even for larger percentages and a large number of confirms makes that angle impractical.


> However it the attacker has less than 50% they can still wage an attack. With 10% of mining power I’ve got a 1% chance of mining consecutive blocks. It dwindles quickly even for larger percentages and a large number of confirms makes that angle impractical.

ETC's blockchain just had over 100+ blocks change, according to the tweet.

Even with 40% of the mining power, the probability of such an event (40% mining power, 100 consecutive blocks) is 0.000000000000000000000000000000000000016%. That's a very unlikely hypothesis you're presenting.


With a 51% attack the additional hash power is not visible on the chain until the attack is triggered to perform a rollback.


Sorry for being that guy, but it is usually called a re-org not a rollback


people from a larger coin could simply turn their hardware against you and take you out.

Only at the expense of leaving their coin more vulnerable to a similar attack.


Not if you're much larger than the alternatives, which tends to be the case.


Or they could just hop amongst 50 $smallCoins, destroying each, before jumping back into BTC/ETH. Thereby destroying all $smallCoins and driving users into $bigCoin


Not until the difficulty adjusts, and the attack takes less time than that to execute. And they'd have to be equally sized to actually leave the other coin vulnerable in any case, not asymmetric as in this case.


Would you mind elaborating on this for someone unfamiliar?


Most proof of work coins use unique hashing algorithms and the miners are custom-designed ASICs that are extremely efficient at that one specific algorithm. If per chance, your coin uses the same algorithm as Bitcoin [ SHA-256(SHA-256(Block Header)) ], a small portion of the much larger Bitcoin mining community could turn their miners toward the smaller coin and quickly overwhelm their network to perform a 51% attack. The Bitcoin community can perform something like 40 billion gigahashes per second, most 'shitcoins' have total mining capabilities of 0.05x that if not less. It's a quick economic calculation for any miner or group of miners to decide to attack a smaller double-SHA-256 coin, as long as the total hashing power of the smaller coin's network is small enough and the coin valuable enough.


Doing the attack tends to drive said shitcoin's value to zero, so the incentive to do it is often not there.


Shitcoin is not going to drop to zero immediately (as in 24hours) giving attackers plenty of time to to cash out.


Imagine all the Bitcoin miners out there right now using their ASICs to do extremely efficient hashing in the hopes of generating a block reward. Let's didactically suppose there are 100 such miners total.

Now imagine Dinkycoin comes along and releases their cryptocurrency that uses the same hashing mechanism for the block reward. Initially they have the block difficulty level pretty low as there aren't that many people participating in it yet.

Dinkycoin hopes that eventually enough people will join the network so that the total hashing power will be something approaching Bitcoin's. Great. But atm their total hashing power is a very small fraction of Bitcoin's total hashing power. I don't care enough to go find out how infinitesimal it would be-- enough to say very small.

Now suppose one of the Bitcoin ASIC miners gets bored one day and decides they don't like Dinkycoin. If they devote their ASIC to mining Dinkycoin they will immediately have more hashing power that the rest of the Dinkycoin network. That would virtually guarantee they solve every block of Dinkycoin and reap every reward. They'd easily have 100% control of the network at that point.

For example-- suppose Dinkycoin says you need 20 confirmations before accepting that a transaction "went through." Well, the Bitcoin miner can use their enormous hashing power to go back 20/30/whatever blocks and build a competing branch from that historical point. And since the miner has 1000% more hashing power (or whatever the number is) than the entire Dinkycoin network, they can build a competing branch from that historical point that will eventually have solved more/more difficult block rewards than the branch the rest of the network builds off the current branch. Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner. Well, the devs can decide to do otherwise for whatever professed reason and roll back/hard fork/whatever. But that kind of "do over" would degrade trust in the cryptocurrency itself. Users would be afraid of another future attack. After all, they were initially told 20 confirmations was enough. How do they know 40 confirmations is any safer? (And again, if the attacker has superior hashing power to the rest of the network it isn't meaningfully safer.)

Of course such a miner would be wasting all of their hashing power to screw with Dinkycoin's network. But to screw up most PoW cryptocurrencies you only really need 51% of the total hashing power. Even with that the attacker will eventually always beat the rest of the network to produce the "longest" chain. (Also, I think you can still cause problems for many cryptocurrencies with even less than 51% control.) Anyhow, do the math with the real numbers and you'll see that a real Bitcoin miner could devote a tiny percentage of their mining power and still own fledgling cryptocurrencies like the Dinkycoin example.

Moreover, they can trivially collude with the other 99 Bitcoin miners to devote an even smaller part of their hashing power to owning Dinkycoin, or even automate the process of smashing any coin that uses their same hashing scheme, based on any criteria whatsoever.

And it gets worse because in the 51% percent attacks I've read about in the real world, it isn't a big time miner with a grudge. Rather, it's someone who saw a weak point in a combination of a dinkycoin, an exchange, and several other moving parts and just rented a hashing rig to pull off an attack. Most PoW cryptocurrencies naively assume miners will choose greed over destructive tendencies without ever investigating whether those two paths are really mutually exclusive.

Edit: clarification

Edit: what happened to the web site that compares hashing power of the various SHA256-based coins, scrypt, etc.? Those orders-of-magnitude differences are quite instructive. But I can't find a site that lays it out nicely.


This phenomenon of "mysterious Bitcoin miner smashing your shitcoin" was pretty common in the early days, especially around the time namecoin merged mining came into play. Any theoretical attack that might be possible on Bitcoin would be attempted elsewhere if you didn't have the hashpower to carry it out on mainnet.

Origin of the term shitcoin would most likely be unable to defend the 51% attack

Good write-up op


If this is true, then does the pre-existing size of BTC and other widely mined crypto-currencies create a moat? How can a new up-start coin ever hope to gain significant traction with the possibility of a 51% attack?


The parent’s scenario was predicated on using the same hashing algorithm for the mining/proof of work as the dominant coin. So you can avoid that by using a different hashing algorithm.

Monero plans to do that indefinitely, by constantly changing to a new hashing algorithm that doesn’t have dedicated ASIC chips for it.


You have to use a PoW that's different enough from popular blockchains that they are unable to use speciality hardware against you.


> Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner.

Could this attack be addressed by changing the "total difficulty" function to value chains published earlier more than competing chains published later? Say a block published today is considered twice as difficult to achieve as a block starting from the same point published in 48 hours. Blocks don't need to be available in real time, but there should be enough communication between the miners to get some consensus on roughly when each block was published.

Intuitively, it seems like there is absolute agreement on the fact that a 51% attack happened (and which chain was mined by the attacker), nobody is saying "we can't be sure, this can sometimes just happen by mistake due to the distributed nature of mining". So if that can be trivially detected, why not build the detection into the mining algorithm in the first place?


Terrific post. Thanks for taking the time to write it.


But if they throw hashpower on Dinkycoin, wouldn't Dinkycoin's difficulty increase? If the difficulty for Dinkycoin re-targets more aggressively, then Dinkycoin would quickly gain more security in the process!


The attacks tend to do something like "build a chain based off Dinkycoin's previous blocks, but don't publish it until a later date". The difficulty changes can't help because the chain doesn't know about the attack until the attacker publishes a longer chain.


Yes, of course! And once the damage has been done, it's even harder to reverse. Perhaps if Dinkycoin's devs are fast enough, they could release a fork to undo it?


As long as the attacker maintains 51%, he can eventually just repeat the attack, regardless of the number of forks.


Ooohchie, yes indeed!


You change the POW function in the fork to eliminate the attack.


Perhaps if the attack was done using ASICs, but when done with GPUs it can be repeated indefinitely. See discussion https://www.reddit.com/r/ethereum/comments/707h3b/can_anyone...


Yes, you have to address that kind of attack differently.

> suppose Dinkycoin says you need 20 confirmations before accepting that a transaction "went through."

> Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner.

These statements directly contradict each other. The very, very obvious solution is to say that, if 20 confirmations validate that a transaction happened, then validated transactions can't be rolled back. (They're validated!) Once block 26 comes online, block 6 is a permanent feature of the blockchain. That's the only possible meaning of "accepting that a transaction went through". And, note, that is the definition being used now to label this an "attack" rather than "huh, look what happened".


> These statements directly contradict each other.

They don't contradict each other at all.

> Once block 26 comes online, block 6 is a permanent feature of the blockchain.

What defines the 'blockchain'? It's the chain with the most work. Outside of a centralized checkpointing mechanism, the only definition of the valid blockchain is the one with the most work behind it.


>> These statements directly contradict each other.

> They don't contradict each other at all.

They do; for a transaction to be revocable means you haven't accepted that it went through. If every block is revocable indefinitely, then you can't say that 20 confirmations confirm a block, because they don't.

> What defines the 'blockchain'? It's the chain with the most work.

No, it's the chain accepted by a group of miners. Miners are the sole authority of a bitcoin-style blockchain. Work is not.

> Outside of a centralized checkpointing mechanism, the only definition of the valid blockchain is the one with the most work behind it.

Centralization is not necessary for this. As a miner, you're free, in your individual capacity, to reject blockchain candidates that invalidate blocks you consider permanent. Centralization would mean that a block could require only 0 following blocks before being considered permanent. With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.


> They do; for a transaction to be revocable means you haven't accepted that it went through. If every block is revocable indefinitely, then you can't say that 20 confirmations confirm a block, because they don't.

From the blockchain perspective a block with a confirmation is confirmed. But everyone else can make new rules on top regarding payments: Do you consider most crypto exchanges to not support "Bitcoin" since they require 6 confirmations per transaction before they credit it?

> With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.

This is done to raise the cost of reversing the transaction (the more confirmations deep, the more expensive your attack needs to be).


>> With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.

> This is done to raise the cost of reversing the transaction (the more confirmations deep, the more expensive your attack needs to be).

No, it isn't done at all. You state as much:

> From the blockchain perspective a block with a confirmation is confirmed.

As far as I can see, this is just a design mistake. (And equivocating over the meaning of "confirmed".) The current system never treats any block as confirmed. The only statuses a block can have are "invalid" and "provisionally accepted". There is no "accepted" status, and a valid block may be revoked at any time, no matter how long it may have been valid for.

But there's also no reason not to have an "accepted" status, and to reject candidate blockchains which alter accepted blocks. This should be part of the mining protocol. Treating it as non-binding advice to merchants misses the point.


The original Bitcoin white paper explains this pretty well. The Bitcoin blockchain is never frozen, and the longest (the hardest) chain is always the valid one. The paper includes a formula to calculate the probability of a block being replaced by another, and sets 6 confirmations as the frontier where it is almost impossible for the chain to change.

What the paper doesn't say is that the formula doesn't work if there is more than one chain. Since an ETH miner can easily switch to ETC at any time, proof-of-work isn't really protecting ETC at all. There is another chain that was a lot harder to calculate, which means the ETC chain stands on thin ice.

Why not freeze the blockchain at certain points, then? Well, it cannot be easily done. There is the problem of choosing which blocks should be frozen, and when. How do you calculate that? What if there's a network split at that time? What happens if the protocol results in an unwanted fork? What happens if malicious actors try to settle on a wrong chain? This is the very problem that Bitcoin solved. Forgetting the idea of a final truth, and making the blocks work like a wave of consensus that eventually reaches everyone. Clever and simple, but with some drawbacks that have to be understood.

Of course, there are lots of people working on new ways of establishing decentralized consensus. The Ethereum devs have been working hard on this for a few years.


So, I just ran through the same thought process and the problem is this:

How does a new entrant to the network know which is the valid chain?

They didn't see the previous 20 confirmations, so the only rule they can use is picking the longest chain.

Another way to do it is to have a separate voting system to attest to the "valid" chain, but then you could use an ordinary botnet to outvote the real chain.

In short, confirmations are there for vendors to be sure a few blocks weren't mined at the same time, but they do nothing against a 51% attack.


I don't follow this.

A new entrant to the network knows which is the valid chain because the chain the network uses defines "the network". Consider the case[1] of Ethereum Classic (ETC) versus Ethereum (ETH). They are exactly the same, except for the chain each group of miners follows. The ETC blockchain is a valid ETH blockchain and the ETH blockchain is a valid ETC blockchain, but miners adhere to one or the other for political reasons. As a new entrant to the ETC network, how do you know which blockchain to use? Well, you use the ETC blockchain, because that's the network you're entering.

[1] I'm describing my understanding of the ETH/ETC split. If they've diverged more than I was aware of, that doesn't affect the argument; just substitute other names for ETH and ETC.


What you're missing is the process by which new blocks are added onto an existing chain. Let's say that you take the "true" Bitcoin or ETC blockchain, if you want to think of it that way, and now multiple actors are proposing to add blocks onto it, potentially multiple blocks. Which one of those additions wins? The one that's the longest and has the most work behind it - that one wins.

If you propose an addition that is one block long, and I propose an addition that's 2 blocks long, then my chain wins. (These all have to be valid blocks that solve the mining challenge). Miners select the chain with the most work. That's the consensus mechanism by which the blockchain is established (among nodes operating all with the same rule sets).

At any given instantaneous point in time, there may be multiple instantaneous forks of the main blockchain - people who have mined out valid next blocks and are fighting to get them accepted as the primary chain. Imagine that two different miners by coincidence mine out the next block. One of those chains has to win. The chain that wins is the one that propagates through the network most quickly such that other miners begin building upon it and extending the chain - the one with the most work wins. The other chain(s) die and the transactions on it have to be resubmitted.

When multiple branches exist on the blockchain, some consensus process has to reconcile which of them wins. That process is that miners select the longest chain. Don't act as if one single block is magically appended to the chain and everyone knows which block that is; a consensus process operates to select that block (or sequence of blocks), and it operates by selecting the longest chain. When two or more blocks are mined out simultaneously by different miners, the one that wins is likely to be the chain that propagates more quickly to other miners. Since miners build on the longest chain, then the miner who distributes their chain more widely among other miners is likely to win, since those miners will begin building upon it (seeing it as the longest chain thus far).

To continue the story, let's say that you and I both simultaneously mine out the next block of Bitcoin. You don't tell anyone about your block, and keep it to yourself. I distribute my block to the entire network. Thus, other miners start building on my block, and it becomes part of the main bitcoin blockchain. Once that happens, it doesn't matter if you start telling other people about your block -- it's not part of bitcoin any more because my chain exists which is much longer (my block + whatever other blocks people have mined out on top of it).


> When multiple branches exist on the blockchain, some consensus process has to reconcile which of them wins. That process is that miners select the longest chain.

I've been arguing that this is a design mistake, and that the following selection algorithm would be superior:

- Instead of selecting the longest chain, select the longest chain which does not alter any blocks which I, personally, consider permanent.

Robin_Message correctly identifies that this algorithm doesn't do anything for a new entrant, because a new entrant doesn't have the exposure to history that an established miner has. But I don't see why this is an issue, as to enter a particular network, you must already copy that network's existing blockchain, and this step -- which you already have to take -- will give you the same exposure to history as the miner you copy it from.

Imagine that two blockchains, ETH and ETC, diverge for political reasons. The ETH blockchain is more beloved among the people (the laity, not the miners), and for this reason a greater number of transactions occur in ETH than ETC over time. This guarantees that the ETH blockchain will be longer than the ETC blockchain. By the selection algorithm you identify, the ETC blockchain will be wiped out, because the ETH blockchain can always be re-proposed and will always dominate it. But in reality, the ETC miners will reject the ETH blockchain, because rejecting the ETH blockchain is the whole point of ETC.


With a hard fork, you change the code the miners are using so that blocks on the opposing fork are considered invalid. In a 51% attack, the malicious actor creates new blocks that look equally valid. The two lineages aren't labelled ETC and NewETC. How does a new entrant (or anyone who wasn't connected for the few hours it took to launch the attack) distinguish between the chains?


> guarantees that the ETH blockchain will be longer than the ETC blockchain.

Chain length is number of blocks, which is controlled by miners, not "laity".

I think your system might prevent double spends; unfortunately it would do so by rendering the network unusable for any new users, who wouldn't have a way to know which is the good network to join. I suppose a central authority could be used to identify the good chain, but most coins prefer not to have one of those.

The advantage of the simple chain length rule is that it is simple, requires no central authority, is self-correcting and the only weakness is a 51% attack.


It's worth pointing out that it's not chain length which ultimately wins out, but chain weight, which is the sum of the difficulties of each block on a given chain.

This is an important distinction, because by fudging timestamps you can generate a valid chain of arbitrarily long length where each block has very low difficulty, but said chain would still not be preferred over a chain with fewer blocks of much higher difficulties (i.e. the real chain).


> Chain length is number of blocks, which is controlled by miners, not "laity".

A block is a set of transactions, transfers of currency from one address to another address. Miners don't just add blocks because they're bored. They add blocks when someone submits a transaction.

So the number of transactions that occur is closely related to the number of blocks in the chain.


This is very wrong.

Of course miners are always adding blocks, even when the blocks are empty; they do so because there is a block reward. Even empty blocks, when mined by honest miners, are serving a purpose, because they are increasing the cost of a 51% attack. Look through the histories of many different blockchains and you'll see empty (or nearly empty) blocks that exist for a variety of reasons.

Also, transaction sizes differ drastically depending on what a transaction does, and blocks max out at a given size, not a given number of transactions. So when blocks are full (which they aren't most of the time except for the very highest used cryptocurrencies) the number of transactions per block still varies quite a bit.


Let's say there was a catastrophic event that split the internet and disconnected Australia and the surrounding islands from the internet for 36 hours.

Let's also say for the sake of argument that 10% of the BTC mining capacity is in that region.

The network self-adjusts so that every hour 6 blocks get confirmations, but over this short time period you wouldn't expect this to happen. This means that every hour the Australia split would confirm 0.6 blocks and the non-Australia split would confirm 5.4 blocks.

After 36 hours Australia would have confirmed ~21 blocks, and according to your proposal, the first of these is now 'accepted' and can't be rolled back.

In the same time the remainder of the network would have confirmed ~194 blocks, many of which are now accepted.

What would actually happen according to the consensus protocol is that RestOfWorldBTC is the longer chain and therefore "is" BTC, and AustraliaBTC would get thrown away. Any BTC transactions made in Australia during that time would get rolled back.

But if blocks become permanently accepted then these 2 chains are fundamentally incompatible; they are no longer the same coin. Your proposal says that the network should fork into 2 coins here -- AustraliaBTC and RestOfWorldBTC. This would be a pretty disruptive event. People who traded BTC for services in Australia would claim that they paid their obligation (after all, it's in an 'accepted' block) and therefore don't owe their counterparty any RestOfWorldBTC. But AustraliaBTC would likely become worthless very quickly, given that most of the transactions in those 36 hours were confirmed on the RestOfWorldBTC chain. Australian counterparties would get stiffed pretty hard.

OTOH, if you roll back those transactions and accept the mainline, those counterparties can more easily argue that you still need to pay them. Note that the network can't enforce you paying these obligations, but the legal system still exists! And assuming the actors were acting in good faith and didn't attempt to double-spend their coins, their transaction would get re-propogated automatically and get included in a future RestOfWorld BTC block once the network split ended.


I don't follow. Even if the current group of miners decided older blocks are irrevocable, if there was a prolonged 51% attack, it would mean the majority of miners would be saying, "Hey, those confirmed blocks... that's not what actually happened. Look, here's the real history, with the real confirmed blocks."

And then everyone else on the network would say, "Crap, who should we believe? Let's go with the majority." And the attack would win.


But once you start forcing the agreement that "this specific history up to block X is the official one", you're re-introducing centralization, which Bitcoin was introduced precisely to avoid.

Sure, it's less centralization than just trusting one party to determine the latest block [1], but it's a matter of degree.

[1] The further you go back in time/blocks, the less disagreement and resistance there will be to locking in a history.


Hooray decentralization!




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: