Bitcoin Gold hit by 51% attacks, $72K in cryptocurrency double-spent (thenextweb.com)
342 points by scalableUnicon 21 days ago | 187 comments

A current thread about 51% attacks is here: https://news.ycombinator.com/item?id=22160523

That is a thread about the cost for a 51% attack against various crypto currencies, not about Bitcoin Gold actually being hit.

Yes, that's why we didn't merge the two threads.


Lots of cryptocurrencies use the same mining algorithm, i.e. they require the same type of puzzle to be solved to make money creating blocks. In recent years, lots of online services have sprung up to offer cloud mining, which people usually use to mine blocks on the bigger cryptocurrencies, like Bitcoin Core or Bitcoin Cash.

However, since the smaller cryptocurrencies, like Bitcoin Gold, have fewer users/miners, they also require easier "puzzles" to be solved, which opens an opportunity for any random person to pay some $$$ to hire a bunch of these cloud servers for a limited time and point them at these easier puzzles, which can cause such a smaller blockchain to get confused about account balances. The attacker can then re-spend the same currency multiple times to make a profit.

AFAIK there aren't really any good solutions to prevent this problem. For complex game-theoretic reasons, simply changing the mining algorithm to something different doesn't really offer much protection. (Some folks believe if these smaller currencies were to move to "proof of stake" it could help solve this problem, but this is an extremely contentious topic.)

IMO proof of stake is a lot less contentious than you imply. ETH2's slashing algo should make these types of attacks very hard.

For the curious, a simple breakdown of Ethereum 2.0's Proof of Stake (PoS) plan is:

- Minimum 32 ETH to stake

- Staking locks the currency in the staking pool

- Your node votes on the validity of the transactions (this is super lightweight and fast, can run on a rPi instead of huge mining nodes).

- If the network agrees you were acting maliciously your locked stake begins to be slashed/burnt.

- Voting with the majority gives you a % of the block reward.

This means a 51% attack on the chain requires 51% of the currency staked which would be extremely hard to get without skyrocketing the price (making 51% exponentially harder to achieve). They've also done some spooky proofs I don't understand that make the actual number to take over the network >51% (70% or so IIRC).

So it's green, fast, and harder to attack successfully. And unlike PoW, if you fail your "attack money" gets nuked.

The lack of action around ETH2's move to PoS makes me somewhat skeptical of the confidence in these arrangements.

Does each block need a strict majority of outstanding currency to pass muster? It seems like it would be super risky to align yourself with any stake unless you were sure that it was going to be the majority, lest you inadvertently follow a post-facto "malicious" branch.

Therefore it seems like it might require less than 51% of outstanding currency, depending on the level of risk you're willing to take on, and how much active stake is willing to commit itself to proving maliciousness -- if you're leading the "that was malicious" faction but your faction fails to assemble more stake than the attacker did, then instead you get burned, so there's no guarantee that evildoers will be brought to justice; and aligning with a reorganization in ETH is dicier in many ways (because of the per-address nonces) than it is in a UTXO coin.

Attack vectors are never within the bounds of tidy proofs of complex ideas; Bitcoin's brute-force solution is very simple to verify the correctness of, and the effective cost of pulling off a double spend is fairly easy to compute from first principles with some very weak assumptions about the quality of the hash function used.

I'll give more credit to proof of stake when Ethereum makes the transition; at least then there's some skin in the game.

It will actually be staked currency, not outstanding, and it's more than 51% because Eth2 is sharded (64 shards at the moment) and randomly selects committees to verify blocks, so you'd need to hold enough validators (each holding 32 ETH) to guarantee a majority in a randomly selected committee for a block.

And the Eth2 genesis won't occur until a sufficiently large number of validators are active on the beacon chain, so you can't hijack it by investing large early.
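The committee-sampling argument in the comment above, as an added illustration that is not code from the thread or from any Ethereum 2.0 client: it computes the probability that an attacker holding a fraction of the validator set ends up with a majority of one randomly drawn committee, and how that per-committee probability compounds over the committees drawn in an epoch. The committee size, the number of committees per epoch, the strict-majority threshold and the independent-sampling (binomial) approximation are all assumptions made for this example, not protocol parameters taken from the page.

```python
"""Probability that an attacker captures a randomly sampled committee.

Added example, not code from the thread or from any Ethereum client.
Assumptions (mine): committee seats are drawn uniformly from the active
validator set, the attacker controls fraction `f` of that set, and a
committee is captured once the attacker holds `seats_needed` seats
(default: a strict majority). Draws are modelled as independent, i.e. a
binomial; for a validator set far larger than one committee this is within
rounding of the exact without-replacement (hypergeometric) figure.
"""
from math import comb
from typing import Optional


def capture_probability(f: float, committee_size: int,
                        seats_needed: Optional[int] = None) -> float:
    """P(attacker holds at least `seats_needed` of `committee_size` seats)."""
    if not 0.0 <= f <= 1.0:
        raise ValueError("f must be a fraction of the validator set")
    if committee_size <= 0:
        raise ValueError("committee_size must be positive")
    if seats_needed is None:
        seats_needed = committee_size // 2 + 1        # strict majority
    return sum(
        comb(committee_size, k) * f ** k * (1.0 - f) ** (committee_size - k)
        for k in range(seats_needed, committee_size + 1)
    )


def any_committee_captured(f: float, committee_size: int, committees: int,
                           seats_needed: Optional[int] = None) -> float:
    """P(at least one of `committees` independently sampled committees is captured).

    One bad committee is enough for an attacker who only needs a single
    slot to go through, so this is the number that matters per epoch."""
    p = capture_probability(f, committee_size, seats_needed)
    return 1.0 - (1.0 - p) ** committees


def minimum_fraction(committee_size: int, target: float, committees: int = 1,
                     seats_needed: Optional[int] = None, steps: int = 1000) -> float:
    """Smallest attacker fraction (resolution 1/steps) whose per-epoch
    capture probability reaches `target`."""
    for i in range(steps + 1):
        f = i / steps
        if any_committee_captured(f, committee_size, committees, seats_needed) >= target:
            return f
    return 1.0


if __name__ == "__main__":
    # Constructed parameters for illustration: 128-seat committees, 64 per epoch.
    for f in (0.3, 0.4, 0.45, 0.5):
        print(f"f={f:.2f}  one committee: {capture_probability(f, 128):.2e}  "
              f"any of 64: {any_committee_captured(f, 128, 64):.2e}")
    print("fraction needed for a 50% chance of one bad committee per epoch:",
          minimum_fraction(128, 0.5, committees=64))
```

The second function is the one to look at: a per-committee probability that looks negligible is multiplied up by the number of committees an attacker gets to try against, so "majority of a random committee" is not the same bar as "majority of the stake".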

Some of the contention is directly in your choice of words: "should" and "plan". So far no Proof of Stake system has made it into the wild. There's a lot of talk about Proof of Stake, a lot of planning, a number of "almost attempts", but still no one running it at a big scale. It's trapped in "Soon™" the way Ethereum has talked about it, for years now. That's certainly an easy form of contention when even the biggest group talking about Proof of Stake have remained slow to pull the trigger.

This is completely false. PoS is securing billions of dollars on Cosmos and Tezos alone

Yes, I've been hearing these PoS stories for years now. Nothing happened besides a lot of talk.

Tezos isn't in the wild nor at scale?

First I've heard of it, so equating "wild/at scale" to include general mainstream acceptance/word of mouth (or at least the impression of such to the average HN reader such as myself), the short answer right now is, based on my personal barometer: no.

I will look into it later, and decide on the longer answer if it would meet characteristics that I would ascribe to "in the wild" or "at scale" given a deeper understanding of what it has accomplished to date.

>So far no Proof of Stake system has made it into the wild

Is wrong by years. See Blackcoin (2014) for just the tip of the iceberg.


"slashing" does nothing to address the fundamental problem. It leaves you with the same circular dependency.

Step 1. Acquire cryptocurrency. Step 2. Stake. Step 3. Unstake and sell cryptocurrency. Step 4. Use older keys to produce an alternative history.

Or, to simplify things, let other people do 1/2/3. Then purchase or hack their now-worthless old used keys to use in your attack... keys which they have no reason to protect and/or not sell. At most, all slashing does is makes Step 3 take more time.

I say "at most" because it doesn't necessarily do that much: if the funds you can earn from the attack (from double-spends and/or shorts) are large compared to the staked amounts, then step 3 isn't even required.

POS is fundamentally circular: you use ownership to determine ownership.

The only solution to this is to introduce another consensus mechanism like POW or, more commonly in POS proposals, a centralized authority. Some just assume the users are communicating over a synchronous lossless global totally ordered reliable broadcast-- which, again, is equivalent to running on top of another consensus system.

There is a reason you see people promoting POS that have an established history of committing fraud: the idea is most convincing if you obfuscate the details so much that no one is going to be willing to waste their time reviewing it. This is one of the classic moves used to convince someone to agree to a fraudulent deal-- baffle 'em with bullshit.

You misunderstand some of the nuances of PoS that make it secure. Along with slashing, there is a period of time during which your staked funds are frozen, where they are unspendable and unsellable. This period is supposed to be long enough such that all nodes sync at least once during that period (think on the order of weeks or months). So if you try to create an alternative history during that period, your funds are slashed (since you couldn't have sold them). And if you try to create an alternative history after that period, everyone will know you're lying, since that portion of the history you are trying to recreate has already been finalized.

Sure, if you get a majority of stake in the network, you can create alternative histories. But, as others have pointed out, this is much more difficult than a 51% attack in PoW.

The text "At most, all slashing does is makes Step 3 take more time." makes it pretty clear that I understand that completely. If you can suggest a revision to my comment that makes it more clear I'd be happy to make it.

> has already been finalized.

This is presuming the existence of an external consensus mechanism.

Why would anyone sell their old keys?

Because they have no value for their owner, but do have value for attackers.

FWIW, I've successfully acquired (often at next to cost) significant amounts of old spent Bitcoin wallets for the purpose of collecting dust sent to them, spinoff coins, and similar.

And why is this not a trivial problem to solve?

Mind you, Bitcoin had the same issues and they solved it with hard coded checkpoints.

There's no reason this can't be solved with timestamps and some sort of checkpoint mechanism. Many coins have done this with no issues, and others with issues have hard coded alternative checkpoints for forked chains.

Why would a client ever reasonably revert to a chain back in time 1 day without human intervention? If someone could explain in what extraordinary remote case this would be reasonable, I might be able to comprehend the maxis.

No, Bitcoin does not have the same problem.

An extremely large number of cryptocurrencies are essentially completely centralized and only pretending to be decentralized as a regulation dodge. Centralized systems can be extremely secure-- until the central parties decide to screw you over.

Bitcoin does have a thing called "checkpoint" but it is essentially completely unrelated to the centralized consensus mechanisms (usually a broadcast message signed by developers that force all nodes to switch to a chain with blocks that they've signed) added to many other altcoins which have used the same name for deceptive reasons to disguise their centralized control.

In Bitcoin there is a problem that the minimum POW difficulty was set based on 2009 CPU speeds, just hundreds of thousands of hashes per second, so at minimum difficulty a block requires 2^32 hashes to create. A single modern asic miner can perform 68 trillion hashes per second using a couple kilowatts. So, one of these devices could generate about 16k blocks per second at minimum difficulty.

This creates an issue where an attacker could fork the chain early on and create an incredible number of blocks at the minimum difficulty and feed them to your node. Your node wouldn't be sure if this chain of minimum difficulty blocks might not eventually add up to more work than whatever is your current chain, so it stores them. Eventually, this would exhaust your memory and disk and crash your node.

Currently, this attack is blocked by checkpoints that cause your node to ignore forks created from the chain back before the difficulty reached ~2^32 back in 2014 (so 2^64 work required to create a block). That's all checkpoints do.

There are alternative proposals to eliminate this problem which people are working on from time to time... and which have included adding consensus rules to increase the minimum difficulty (except for the earliest blocks), or making it possible to efficiently produce a compact proof of the total work behind a particular best block. But changes to consensus rules are fairly slow and hard to accomplish, so for the moment the ad hoc fix protects nodes from an otherwise completely practical attack. Once one of these other fixes is implemented the 'checkpoints' would go away completely.

And never did they operate like 'checkpoints' in most other cryptocurrencies.

> client ever reasonably revert to a chain back in time 1 day without human intervention

Refusal to reorg at threshold X (for whatever X you choose) only creates vulnerabilities it doesn't resolve them:

Consider, if an attacker can't create enough blocks to produce a reorg X back from the tip then a refusal to reorg would simply be pointless (because the expected attack couldn't happen), so implicitly you're assuming the attacker can do that. If he can, then he can also create a fork right at X-1 and simultaneously announce it to whatever subset of the network he likes, carving the network into an arbitrarily shaped partition. If both sides have hashpower, both will continue on past block X-1 to X and beyond on their own (and he can even contribute). They'll never heal on their own, the network becomes fragmented and exploitable in realtime. So the style of attack changes a bit but the ability of a supermajority hashpower attacker to reorg/disrupt the chain isn't materially reduced.

Worse, the refusal to reorg creates a whole new problem that didn't exist before: If a node was offline (say for days, months, years, or just coming online for the first time) then an attacker which didn't have anywhere near enough hashpower to successfully reorg near the tip could still (perhaps slowly over months) produce a X-long fork off an _earlier_ position in the chain and then aggressively feed it to nodes which are coming back online and redirect them into an attacker controlled bizarro-world which they won't recover from (without a user somehow discovering that they're on the 'wrong' chain and doing some unspecified action to fix them). This class of attack can be made more potent by DOS attacking a target's running node, forcing them to bring up new or backup nodes. This and similar attacks are an entire class of attacks created outright by a refusal to reorg.

Essentially the only case where a refusal to reorg is unambiguously safe is when you assume attackers lack the hashpower to cause the reorg in the first place. In which case... why bother?

As an aside, I think repeating an insult likening Bitcoin users to feminine hygiene products is extremely unprofessional and inappropriate for hacker news.
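An added example (not code from Bitcoin Core or from any commenter) that makes the minimum-difficulty numbers in the comment above checkable: it decodes the compact nBits target carried in Bitcoin block headers, computes the work credited to a block (the same per-block chain-work increment Bitcoin Core uses, 2^256 / (target + 1)), and from that how many minimum-difficulty headers a given hash rate can grind per second and how many of them it takes to outweigh a single block mined at difficulty 2^32. The 68 THash/s rate is the comment's own figure; the difficulty-2^32 header is constructed for illustration.

```python
"""Compact target decoding and per-block work, as used in Bitcoin's chain-work rule.

Added example, not code from Bitcoin Core or from the thread. The nBits
layout, the proof-of-work limit and the work formula are Bitcoin's consensus
definitions; the 68 TH/s figure and the difficulty-2^32 header used in
`main()` are constructed inputs for illustration.
"""

GENESIS_BITS = 0x1D00FFFF             # difficulty 1: the minimum-difficulty target
POW_LIMIT = 0xFFFF << 208             # the largest target the rules accept


def bits_to_target(bits: int) -> int:
    """Expand the 4-byte compact nBits field into a 256-bit target.

    Top byte is a base-256 exponent, low 3 bytes a mantissa; bit 0x00800000
    is a sign bit, and a negative target can never be satisfied by a hash.
    """
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target is invalid for proof of work")
    if exponent <= 3:
        target = mantissa >> (8 * (3 - exponent))
    else:
        target = mantissa << (8 * (exponent - 3))
    if target > POW_LIMIT:
        raise ValueError("target above the proof-of-work limit")
    return target


def block_work(bits: int) -> int:
    """Expected number of hashes to solve this target: floor(2**256 / (target + 1)).

    Bitcoin Core computes the same value as (~target / (target + 1)) + 1 in
    256-bit arithmetic and adds it to nChainWork for every accepted block;
    chain selection compares these sums, not block counts.
    """
    return 2 ** 256 // (bits_to_target(bits) + 1)


def difficulty(bits: int) -> float:
    """The familiar 'difficulty' number: genesis target divided by this target."""
    return bits_to_target(GENESIS_BITS) / bits_to_target(bits)


def min_difficulty_headers_per_second(hashes_per_second: float) -> float:
    """Minimum-difficulty headers a given hash rate can grind per second."""
    return hashes_per_second / block_work(GENESIS_BITS)


def headers_to_outwork(low_bits: int, high_bits: int, high_blocks: int) -> int:
    """Low-difficulty headers needed before their summed work exceeds
    `high_blocks` headers mined at `high_bits`."""
    return high_blocks * block_work(high_bits) // block_work(low_bits) + 1


def main() -> None:
    asic_rate = 68e12                 # the comment's "68 trillion hashes per second"
    hard_bits = 0x1900FFFF            # constructed: target = genesis target / 2**32
    print("genesis work                  :", block_work(GENESIS_BITS))
    print("difficulty of constructed hdr :", difficulty(hard_bits))
    print("min-difficulty headers/s      :", round(min_difficulty_headers_per_second(asic_rate)))
    print("headers to beat one 2^32 block:", headers_to_outwork(GENESIS_BITS, hard_bits, 1))


if __name__ == "__main__":
    main()
```

Two things fall out of running it: a single such ASIC produces on the order of 16,000 valid minimum-difficulty headers per second, and it takes roughly 2^32 of them to equal one block mined at difficulty 2^32, which is exactly why a node cannot dismiss a long low-difficulty fork by its work alone until it has stored and summed it.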

I know nothing about "feminine products". If you are referring to "maxis", it obviously means "Bitcoin maximalists." A google search of "maxis" over a vpn returns "Maxis is an American video game developer". A google search for "bitcoin maxis" quickly explains the usage of the word. I'm sorry you find this offensive, but I intended fully to name you a Bitcoin maximalist.

I don't see the need to continue if we've stumbled over something so trivial.

checkpoints == unrecoverable network partitioning risk

Why is that a problem more than any other?

"network partitioning risk" is an aspect of many issues, such as the Sybil attack. Just because the Sybil attack exists in the Bitcoin ecosystem doesn't mean it's a game stopper.

The same solutions that solve many kinds of bootstrapping problems can easily be employed to stop fragmentation problems. Also, I want attacker chains to be fragmented. Fragmentation isn't always negative.

If my node decides to revert to a chain past a few hours, I want it to stop and manually ask me what chain to follow. This is exactly why checkpoints were added to Bitcoin and checkpoint like systems are employed by many coins. Checkpoints represent human input, manually making a decision. Blockchain is a voting automation system, it is not a replacement for my voice.

This isn't just theory, but practice! Bitcoin Core version 0.8 _broke the bitcoin network_. Humans had to manually pick a chain and manually revert to an older version of software. And yet no apocalypse materialized.

> Bitcoin Core version 0.8

That's incorrect.

All prior versions before 0.8 were self-inconsistent-- accepting or rejecting some large blocks depending on their own history of orphaning and reorgs which would be different on different nodes-- and would have split all on their own eventually.

The distinction with 0.8 is that it made the maximum block size that a miner would create command-line configurable and larger blocks have a much easier time triggering the pre-0.8 inconsistency.

People originally thought that 0.8 was at fault since this happened a little while after 0.8's release and the first diverged node-pair people looked at were 0.8 vs 0.7. But that belief was mistaken.

> manually revert to an older version of software

Only a few percent of nodes had split there. The vast majority were on the more restrictive fork. I'm not, for example, aware of any exchange that observed a reorg from this.

> If my node decides to revert to a chain past a few hours, I want it to stop and manually ask me what chain to follow. This is exactly why checkpoints were added to Bitcoin

That was not why they were added and they have never had a behavior like that.

Stopping can be acceptable for some uses, but it's not a safe behavior in general and could dramatically exacerbate a network fault.

FWIW, ethereum will not stop in a big reorg. However, ethereum nodes do randomly stop for no reason whatsoever, and businesses have responded by automating blowing away the state of stuck nodes and re-warp syncing it against the network. The effect of this has been to essentially downgrade these exchanges to no-better than SPV security: they'll trust whatever gets mined.

> checkpoint like systems are employed by many coins

I'm not aware of systems like Bitcoin used by other altcoins, I am aware of quite a few where the developers broadcast signatures that rig the consensus which call themselves 'checkpoints' in order to deliberately deceive users about the security properties through an erroneous comparison to bitcoin like the one you're making.

> And unlike PoW, if you fail your "attack money" gets nuked.

To be fair, in PoW your "attack energy" (and thus money) gets nuked too.

Your spent attack energy is nuked. But you still have the miners and can run another attack at reduced cost (since you don't have to buy them anymore). If your money is nuked, you don't get to try again at reduced cost but at increased cost.

That's not the cost of the attack, though, any more than buying a house to put the miners in is. The cost of the attack is miner time + power (ie what you paid to rent the miners, more or less).

Even then, the initial cost of the miners will be a significant part of the attack's cost the first time. Any subsequent attack will then be cheaper.

I'm a full believer in POS, but if you don't think that asking Bitcoin variants to switch their algos to POS is contentious...I don't know what to tell you.

The biggest flaw in Proof of Stake IMO is that it then costs you nothing to fork.

Forking bitcoin requires deciding which fork to spend your mining processing time on. Forking a PoS coin does not, since you can use the same coins for stake on as many different chains as you want.

With Ethereum's algorithm I don't think this is the case (without some serious changes) because if you can prove that an address staked on a different chain then you can penalize that address on the main chain. I guess ultimately as long as you make sure that you empty out the address on the main chain, the main chain will simply disregard your attempts to claim a stake as being without merit. I don't know that anyone has analyzed the general case of an ongoing fork; the entire point of a proof-of-X is to be able to definitely prove from scratch that a given fork is the "correct" one simply by examining all alternative forks presented.

What happens in case of a hard fork like the ETH/ETC fork? (Assuming something similar happens in the future after the PoS has been released.) Can you move the proof from a chain to the other across hard forks?

During the ETH/ETC fork replay attacks were terrible until people figured out how to make a contract that was guaranteed to act differently in the two chains; you would send your ETH to that address, providing two output addresses, and your ETH would go to one and your ETC would go to the other.

Before that was commonplace there were numerous problems of transactions being replayed causing all sorts of problems.

If someone wanted to fork post-PoS ETH, chances are they would have to do so very deliberately, with code on the new fork deliberately designed to prevent replay attacks, as was done in the BTC/BCH fork.

Why is this a flaw?

Edit: it seems like it makes it more robust, basing your interest in a fork not in your involvement in it but in its merit (e.g. you are incentivized to support them all)

Nothing to prevent you from staking honestly on one chain, and dishonestly on a chain that undoes some of the spends on the other chain. Hence people can band together to try and create forks without losing any money if the fork fails. Whereas with PoW, any effort spent on a fork is effort that did not go towards mining on the main chain.

But you'd lose money on the second chain? Assuming >50% are honest. If <50% are honest the second chain is probably not worth anything anyway

Nothing at stake is never truly nothing at stake, but I've always considered "nothing at stake" not really a problem that's unfixable.

Is it possible to spread conflicting information get half people voting one way and half the other for the sole purpose of griefing their stakes?

You should also take a look at 0chain. They are using proof of stake and have decentralized storage.

How does this deal with very large transactions? If someone wants to pay someone a billion ETH, where do you find enough stake-holders with big enough stakes?

A billion in dollar value? There's only about 110 million eth.

Lets not focus on the actual numbers. What happens if someone wants to conduct a transaction and there are no stake holders big enough? With proof of work it is not a problem, but if stakes have to be commensurate with the transaction amount, doesn't that put a hard limit on the transaction size?

I am unaware of any limit on transaction size in relation to staking.

I don't think this is even a problem. Most of these so-called "sh!tcoins" have no business existing at all. This just shows how risky they are to hold and people should move on.

I know people love proof of stake as a "solution" but you give up decentralization for "security". If that is what you want, use a bank.

This is really the best way of looking at it. We are discussing these problems and how to solve them, but they aren't even problems of cryptocurrencies in general, they are only problems of these shitty forks that have added nothing to the field, that exist only because they managed to bamboozle a small number of poorly educated users into thinking that they offer some real value...

They have just as much intrinsic merit as bitcoin, just less popular.

Most of the coins do not have merit, but there are PoS coins that are legit. PoS will likely result in more decentralization, not less. Cardano is aiming for 1000 stakepools, which is far more than the 5 or so pools that exist in bitcoin right now.

And it isn't like this problem wasn't foreseen ahead of time. I repeatedly tried to convince people that it was a real issue back seven or so years ago only to be met with (apparent[0]) scepticism that it's a real attack vector.

[0] Lots of millionaires came out of the cryptocurrency era. Sock puppets are cheap in comparison.

> cryptocurrency era

Cryptocurrencies and their associated boom-bust market cycles are here to stay.

95% of blockchain development happens on Ethereum, and Ethereum is growing well, https://medium.com/@jjmstark/the-year-in-ethereum-2019-24201..., so the idea that there was a cryptocurrency era that's ended is not true.

Bitcoin is the three card monte of the tech world. It's going to be around a long time, but not because it's a good thing.

https://en.wikipedia.org/wiki/Not_even_wrong "Not even wrong" describes an argument or explanation that purports to be scientific but is based on invalid reasoning or speculative premises that can neither be proven correct nor falsified and thus cannot be discussed in a rigorous and scientific sense.

Bitcoin is money. It's as simple as that.

Given that the number of 51% attacks has been quite rare and relatively low impact so far, I'd argue that your skeptics are still winning the argument. Far more problems have come from security failures outside of the cryptocurrency itself or predatory practices.

Thanks for helping me to buy lots of inexpensive cryptocurrency back in 2013, by keeping the prices low with your skepticism!

You misunderstand what I'm saying. They were skeptical of the attack vector I highlighted.

> AFAIK there aren't really any good solutions to prevent this problem


> Coins at the greatest risk of 51% attack are the ones where there exists large amounts of hashpower not actively mining the coin that could begin mining and disrupt the coin’s blockchain.

Also, Ethereum's upcoming transition to Proof of Stake is not contentious, it's a large-scale project years in the planning and execution.

If you disagree, please post a proposed solution, instead of sharing a quote that describes the existing problem.

I don't disagree :)

There's no silver bullet for 51% attacks, and proof of work uses unconscionable amounts of electricity, which is why Ethereum is transitioning to proof of stake.

Sorry, misinterpreted your comment.

Proof of work only reaches Nakamoto consensus if the average value transacted per block is less than twice the amount paid to miners. Otherwise it potentially becomes viable to 51% attack - it becomes cheaper to buy miner time to reverse my purchase of internet heroin than to buy the heroin.

Thus, there is a limit to the amount of economic activity that can be "safely" transacted by a proof of work chain per unit time, based on the amount of inflation/fees of that particular network. The more fees and inflation, the higher the economic value that can be transacted safely.

The actual real-world limit will be somewhat less than 2x because of options trading and other off-blockchain transactions.

Yes, this poses problems for smaller currencies where the average amount transacted per block is quite small. Bitcoin has not just a "network effect" of adoption resulting in places to spend it, but also a network security effect, where the vast amount of spending makes it much more economically difficult to justify a 51% attack.

(That or you need to wait increasingly long periods on these shitcoin chains before accepting them as "final" and transferring goods. Eventually all chains should reach consensus, as long as you wait long enough that it would be economically unviable to

And note that this is actually a parameter that cryptocurrencies can set themselves. When (eg) Ethereum cuts the block rewards, that results in network hashpower going down, and thus reduces the economic throughput that is possible before nakamoto consensus falls apart. Same for Bitcoin's block halvening.

> AFAIK there aren't really any good solutions to prevent this problem- For complex game-theoretic reasons, simply changing the mining algorithm to something different doesn't really offer much protection. (Some folks believe if these smaller currencies were to move to "proof of stake" it could help solve this problem, but this is an extremely contentious topic.)

Decred's mixed PoW/PoS would be extremely expensive to 51% attack, and would require a large amount of funds to be locked up in voting tickets for random amounts of time ranging from a few days to several months - so if you successfully attacked it, you'd presumably reduce the value of Decred and the many millions of dollars worth of Decred you had frozen in tickets.

I trust this guy : https://media.ccc.de/v/thms-26-cryptography-of-killing-proof...

And he's behind the crypto of GNU Taler and Polkadot

There is no Bitcoin Core! There is only one Bitcoin using Bitcoin Core as one of its clients used to connect to the Bitcoin blockchain. The rest are just irrelevant forks.

You meant Bitcoin; Bitcoin Core is the name of the software to run a Bitcoin node.

Since the other post got buried in a subthread: This is about Bitcoin Gold, not Bitcoin itself.

Bitcoin Gold is the least relevant of the forks (worth ~$12 per coin while the main chain BTC is worth ~8750 and the two major forks BCH/BSV are worth around 300), and only 7 of the 20 largest exchanges (by liquidity, according to coinmarketcap) list it - even though most of them list plenty of altcoins/shitcoins. For comparison, Bitcoin Cash is listed on all of them, Bitcoin SV on 14 of them. Additional stats here: https://news.ycombinator.com/item?id=22160458

clearly you've never heard of Bitcoin Diamond

The densest by far is Bitcoin Black Hole: hype goes in, but never comes out.

I prefer Bitcoin Platinum.

Is that real?

You're thinking of BitReal, the Brazilian cryptocurrency.

I'm fairly sure it's a Pokémon joke.

Doesn't mean it's not also a cryptocurrency :)

> He then provided a screenshot showing that Binance had since increased their BTG withdrawal requirement to 20 confirmations.

The journalist has missed an important part of the github gist that their story bases on:

> Based on Nicehash market price data for Zhash we estimate the cost of generating each reorg at around 0.2 BTC (~$1,700) and the attacker would have recouped around the same value in block rewards. Therefore, it is possible that the attacks were profitable if the double-spends succeeded at defrauding the attacker's counterparty, or break-even if the double-spends were unsuccessful. This suggests that a confirmation requirement on the order of tens of blocks for BTG is still far too few to make the budget constraint to launch an attack significant.
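The budget argument in the gist excerpt above, as an added example that is not code from the article, the gist, or the thread: `catch_up_probability` is the attacker-success calculation from Section 11 of the Bitcoin whitepaper (the Poisson model), `confirmations_for` inverts it to find a confirmation depth for a given risk budget, and `expected_attack_profit` is a simplified cost model written for this example, with the gist's "0.2 BTC per reorg, recouped in block rewards" reused as constructed inputs. What it makes concrete: against a minority attacker each extra confirmation buys real safety, but against an attacker who rents a majority of the hash rate the catch-up probability is 1 at any depth, and the only constraint left is the rental bill against block rewards plus the double-spent amount.

```python
"""Confirmations versus a double-spend attacker: probability and budget.

Added example, not code from the article, the gist it cites, or Bitcoin
Core. `catch_up_probability` is the Poisson-based attacker-success
calculation from the Bitcoin whitepaper (Section 11). The cost model is my
simplification: the attacker pays a flat rental price for every block its
private branch must contain, collects that branch's block rewards only if
the branch wins, and gains `double_spend_value` only if the reorg succeeds
and the counterparty has already released goods (`fraud_success`).
"""
from math import exp
from typing import Optional


def catch_up_probability(q: float, z: int) -> float:
    """P(an attacker with hash-rate share q eventually overtakes a z-block honest lead)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z >= 0")
    if q >= 0.5:
        return 1.0              # majority hash rate always catches up: the Bitcoin Gold case
    p = 1.0 - q
    lam = z * q / p             # expected attacker progress while honest miners mine z blocks
    total = 1.0
    poisson = exp(-lam)         # Poisson(k=0; lam), advanced incrementally below
    for k in range(z + 1):
        if k:
            poisson *= lam / k
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)


def confirmations_for(q: float, max_risk: float, z_max: int = 10_000) -> Optional[int]:
    """Smallest depth z with catch_up_probability(q, z) <= max_risk; None if no depth helps."""
    if q >= 0.5:
        return None
    for z in range(z_max + 1):
        if catch_up_probability(q, z) <= max_risk:
            return z
    return None


def expected_attack_profit(q: float, z: int, rent_per_block: float,
                           reward_per_block: float, double_spend_value: float,
                           fraud_success: float = 1.0) -> float:
    """Expected profit of one attempt against z confirmations.

    The private branch must contain at least z + 1 blocks, so that is the
    minimum rental bill (a lower bound; a slower attacker needs more)."""
    branch_len = z + 1
    cost = branch_len * rent_per_block
    p_reorg = catch_up_probability(q, z)
    payoff = branch_len * reward_per_block + fraud_success * double_spend_value
    return p_reorg * payoff - cost


def main() -> None:
    # Constructed inputs: 20 confirmations (the exchange's new rule), rental and
    # reward both 0.01 BTC per block, so a 21-block branch costs and earns ~0.2 BTC,
    # roughly the gist's "0.2 BTC per reorg, recouped in block rewards".
    for z in (6, 20, 100):
        print(f"z={z:>3}  P(q=0.3)={catch_up_probability(0.3, z):.6f}  "
              f"P(q=0.6)={catch_up_probability(0.6, z):.1f}  "
              f"profit(q=0.6, 1 BTC double spend)="
              f"{expected_attack_profit(0.6, z, 0.01, 0.01, 1.0):+.2f} BTC")
    print("depth for <0.1% risk at q=0.3:", confirmations_for(0.3, 0.001))


if __name__ == "__main__":
    main()
```

Note that `confirmations_for` returns None for any majority attacker: no confirmation count helps there, which is the gist's point that "tens of blocks" only raises the rental bill a little, not the probability of failure.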

Double spends are an inefficient way to profit from an attack, they're merely the advertising/marketing angle.

The real profit will come from shorting the currency and capitalizing on the subsequent crash due to the crisis in confidence.

If you can short such an obscure coin and if there's a crash. Sometimes these attacks are already priced in.

I think the point they were making is that you keep double spending until it does. You profit or you profit very very big. It doesn't seem like news of a double spend would ever cause a pop.

But how do you go about shorting these coins? There's not an obvious way to short them, like traditional stocks.

Cryptocurrency exchanges are pretty involved nowadays, iirc they offer shorts on most

I would expect the probability of a crash to go down with each attack. The first attack is novel but the nth is not.

Second time this has happened to BTG. Boggles the mind that people continued to use this coin. https://fortune.com/2018/05/29/bitcoin-gold-hack/

Do other coins have any countermeasures against this? Other than it being expensive to control 51% of the networks hash rate?

I guess raising the amount of required confirmations helps but even then it's just a matter of time.

Yes, Ethereum is transitioning to proof of stake.

Proof of stake is more secure than proof of work because an attacker must acquire a large amount of ETH each time they attempt an attack. Attacks against proof of stake are incredibly capital-inefficient.

Ethereum has been announcing "proof of stake" since before their original launch. Yet, years after their deadline and their second deadline and their third deadline... it still isn't there. Multiple hardforks to push back the logic bomb in their consensus rules that was originally supposed to guarantee its successful deployment... Now their target has been to create a new parallel cryptocurrency (eth2) and let you buy into it with your eth.

If your goal is a decentralized system POS is just a fundamentally broken idea, as was known years ago (and long before ethereum existed https://download.wpsoftware.net/bitcoin/pos.pdf ). Ethereum isn't a decentralized system-- as demonstrated by them editing balances to recover coins the ETH administrators personally lost by gambling on an ill-advised contract-- but they have to keep up the pretext.

>Ethereum isn't a decentralized system-- as demonstrated by them editing balances to recover coins the ETH administrators personally lost by gambling on an ill-advised contract

Uh, I'm fairly sure this never happened but you're welcome to provide a source.

Not what he is referring to, the DAO was not a gambling contract and the funds lost accounted for ~14% of all ETH, not some administrators' personal losses. Those who disagreed with the proposed hard fork stayed on what became Ethereum Classic and everyone else jumped ship to what is now Ethereum.

That is exactly what I was referring to. The DAO was an "investment" with an unspecified way to make money; it was essentially a gamble. The funds in it were a majority coming from Ethereum Foundation members. The reason that they were 14% of all ethereum at the time was that at the time something like 85% of ethereum in existence had been premined by the Ethereum Foundation (at the moment it's 75%).

Most people who opposed the fork also stayed with ethereum because the ethereum foundation, which they'd collectively invested millions in, announced it would not support the fork. (in fact, it announced that the fork wouldn't even exist-- which caused companies like coinbase hundreds of thousands in losses from replays due to not being prepared for it)

>That is exactly what I was referring to. DAO was an "investment" with an unspecified way to make money, it was essentially a gamble.

The DAO was supposed to be a VC firm. If you want to say that the DAO was gambling then so is all Venture Capital.

> The funds in it were a majority coming from ethereum foundation members. The reason that they were 14% of all ethereum at the time was that at the time something like 85% of ethereum in existance had been premined by the ethereum foundation (at the moment it's 75%).

What a laughably stupid thing to say. Ethereum did an ICO before that term was a thing, mined a shit ton of ETH and sold almost all of it for Bitcoin. By the time the DAO was a thing the Ethereum foundation controlled ~12M ETH, which did not overlap with the ~11.5M ETH in the DAO (The funds were for the development of Ethereum, not speculative purposes). There was an additional some 60M ETH from the initial sale + ETH from newly mined blocks, not in the DAO and not part of the ETH foundation.

>Most people who opposed the fork also stayed with ethereum because the ethereum foundation, which they'd collectively invested millions in, announced it would not support the fork.

The Ethereum foundation announced it would not support what exactly? If you mean Ethereum Classic well that is not a fork of anything - but a continuation of the original DAO chain. 11% of people voted against the Ethereum fork and presumably did not migrate (or likely just used both).

>in fact, it announced that the fork wouldn't even exist-- which caused companies like coinbase hundreds of thousands in losses from replays due to not being prepared for it

Er, what? Assuming you are referring to ETC, which again is the original chain, the Ethereum Foundation does not have the power to determine its existence or non-existence. The original chain continued to be mined and supported by nodes.

>attacker must acquire a large amount of ETH

The issue with proof-of-stake: How do you define consensus on what ETH is? Without PoW, an attacker can cheaply generate an alternate history in which they control a large amount of ETH. If the alternate history is accepted, they benefit, and if not, they risked nothing.

I would expect that this is because the rest of the network needs to agree with your version of history. And they will only accept your vote if you stake the currency they already recognize, not the currency you made up in your version. So to make the network accept a history version where you have a lot of money you need a lot of money.

A peer has no way of knowing which 'network' is real. Since there is no proof of work, it is effectively free to generate any number of alternate histories or blockchains (this is known as 'costless simulation').

It becomes trivial to generate the longest chain. This is a real problem, and some PoW currencies like NXT have proposed solving it by using an out-of-band solution like asking friends or trusted nodes whether you are on the right root blockchain. This defeats the very purpose of a decentralized currency. If you're going to trust a core set of nodes, just use a centralized database with M-of-N access control.

There is no evidence to back up this statement that PoS will be more secure. It's an over-marketed tech with no solid theory behind it

That's absolutely not true.

Heck proof of stake is significantly less secure because you can have stakes working together to game the system.

The main trick is to use a hashing algorithm that differs enough from that used by bigger chains, so there is no easy way to redirect hashing power from somewhere else to your own chain.

0chain does. It uses proof of stake and a block is only considered finalized when it is the sole ancestor in its generation.

The cost is the countermeasure, by design.


Note this is "Bitcoin Gold", not Bitcoin.

Funny how the whole article talks about Bitcoin Gold (BTG) but some automatic script liked Bitcoin (BTC) right in the first sentence. I wonder if anybody checks those articles after they've been posted or are those already automatically generated?

The linked-to affiliate doesn't support BTG https://bitcoinist.com/etoro-exchange-clarify-position-on-bi...

This is just a warm-up for taking on Bitcoin.

I doubt any single party owns enough compute to perform a 51% attack on Bitcoin. Not now; maybe in the future, if bitcoin's popularity significantly dies, they can do that.

Many parties do. The question is if they'd find it worth the effort. There's easier ways of making more money, at least for now.

Almost by definition, it's impossible for more than one party to control 51% of all hashing power.

This leaves out any miners turned off because of power costs, and non-ASIC compute. I have no idea how big those are. My completely unfounded guess would be that all of AWS's available CPU compute wouldn't be enough compute for a 51% attack.

> Almost by definition, its impossible for more than one party to control 51% of all hashing power.

I suppose they meant, that many parties do have that much potential compute but they use it for other things. But they could in theory switch to computing bitcoin hashes and control 51%, and in turn some other party can do the same etc... Obviously you're right that eventually one party can own 51%, but that doesn't mean only one party can successfully perform 51% attack, since % of hashing power can change by time.

Bitcoin's electricity cost is the equivalent of a couple of small nations, or the full power of a nuclear power plant; its hashpower is equivalent to the top 500 supercomputers (this info might be outdated by now). What secures it though is not the giant mountain of resources by itself but MAD (mutually assured destruction), which is hardly game theoretic. It's basically a way for people to park their money akin to real estate, so they won't ever attack the network as long as it keeps their money warm and fuzzy. It's not really decentralized (more like denationalized) and strongly vulnerable to regulations. However, just like safe havens, if a nation bans it others will welcome it; that's why it is unkillable. China, despite having all the resources to crack down on bitcoin mining, won't do it because for better or worse it's like controlling a global currency, which they have been trying to turn the yuan into for a while.

> CPU compute

well yeah, CPUs are many orders of magnitude slower than ASICs

There isn't a state actor or company that can overturn Bitcoin with computing power.

That's why they just overturn the Devs.

You can't be serious.

Bitmain does.


I mean, real technical capabilities not just mention of facilities in Texas or whatever.

They manufacture the bulk of Bitcoin mining gear. They hold all the IP. They have all the manufacturing contracts. They have heaps of their own hardware and the capability of manufacturing more at cost.

They are the prime mover in the Bitcoin space, and have an outsized impact in other crypto mining spaces. They are the undisputed ASIC leaders.

What's your point? If Bitmain decided to 'overturn' Bitcoin all their gear would become worthless.

What if crashing Bitcoin helped them in some way, like pushing people to Ethereum where they also sell metric tons of mining equipment?

You're saying it's impossible, and now you're saying nobody would bother. Don't move the goalposts.

You know for sure what the processing power in Utah is?


The scale would be orders of magnitude bigger.

So? That just makes it harder, not impossible.

This vulnerability was baked into Bitcoin from day one. There is no outcome under which Bitcoin is not 51% attacked. It is an inevitability as sure as the heat death of the universe.

Note there are plenty of other cryptocurrencies that are susceptible.


Meta: I spend a lot of time in crypto(currency) subreddits, and of course approach those conversations differently than I do when I see the same topics pop up on HN. That said, I see a lot of the Reddit-style comments and terminology ("altcoins", "shitcoins", derisive names, etc.) show up here when there's a crypto discussion. Does this happen in other subjects and I'm just unaware of those topics' subcultures? Or am I correct that the level of discourse for crypto is that much lower?

I wouldn't necessarily call the discussion "lower" but you can see similar colorful language in forums dedicated to trading equities/options.

I imagine so. I think my question (maybe I missed the mark) was: does as much of that leak into HN (where I consider the level of discourse far higher than the Internet as a whole) for other topics?

Oh, I guess I misunderstood. Not sure about that but that is an interesting question.

afaik some explain this with resentment for not having seen the signs of a good investment before time, considering all the wits that should float around here.

As someone who's been part of the crypto community since 2011, the level of discourse in most of cryptoland is rock bottom. I attribute it to the decentralized nature of the technology, which encourages lots of people to attempt to manipulate prices through trolling.

I would concur (I've been around it a similar amount of time, building my first GPU rigs around that time). I would say it was once a bit better, but maybe that's just rose-tinted nostalgia. ("the good ole days")

Yeah, in the early days it was better... I would argue that the average IQ in the community around 2011-2013 was unusually high: The reason some of the people who bought currency in that time period made a fortune is because they foresaw the future and had a prescience that other people lacked (others just got lucky)

Additionally, the barrier to entry was much higher then (obviously not talking about the price)

It's quite comparable to the web... as it got more widespread, the density of like-minded people adjusted to the true average. This does not mean there are no more good places to talk and develop cc, just that they are clouded by all the noise above board.

How disconnected the market is from facts. The price of Bitcoin Gold is not even affected by this news at all.


The market may not even understand what 51% is about

Or maybe all buy orders have disappeared. Looking at the last exchange price does not measure the value of a cryptocurrency, you need to look inside order books to see if anyone is even interested in buying your cryptocurrency. It’s not relevant to the value of your cryptocurrency that someone was once willing to buy it.

Just an observation: 51% attacks are happening these days in some countries' governments. When 51% gives you absolute power in a bitcoin, it gives you enough to rule a country and push it to 100% (there are a few real-life examples). Maybe 51% is a threshold too low for some things.

That’s never really true, because even in a dictatorship the government doesn’t have total control of everything. And a 51% govt in a democratic country is constrained not only by rival political parties but also the business sector and public outrage.

Just 2 words: North Korea.

And all of that cost just about $1.2k. What a joke currency.

> Binance had since increased their BTG withdrawal requirement to 20 confirmations.

Perhaps they should require some multiple of (amount of the transfer / cost of the hashpower needed to mine one block)?
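Added example, not from the thread, Binance or any BTG code: two ways of choosing a confirmation count, side by side. The first is the gambler's-ruin calculation from section 11 of the Bitcoin whitepaper (assumed here to apply unchanged to any Nakamoto-style proof-of-work chain such as BTG), which shows why "just a matter of time" is literally true once the attacker has 50% or more. The second is the cost rule proposed in the comment above; the block-cost figures in the `__main__` section are constructed placeholders, not BTG numbers.

```python
from math import ceil, exp
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the total hashrate
    eventually overtakes the honest chain after the victim has seen z
    confirmations (Bitcoin whitepaper, section 11).  With q >= 0.5 the random
    walk favours the attacker, so no number of confirmations helps."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of the hashrate")
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    ratio = q / p
    lam = z * ratio                  # expected attacker blocks while honest miners find z
    poisson = exp(-lam)              # Poisson term for k = 0; later terms built incrementally
    never_catches_up = 0.0           # so lam**k / k! cannot overflow for large z
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        never_catches_up += poisson * (1.0 - ratio ** (z - k))
    return 1.0 - never_catches_up


def confirmations_for_probability(q: float, max_prob: float,
                                  limit: int = 10_000) -> Optional[int]:
    """Smallest z with attacker_success_probability(q, z) < max_prob, or None
    when no confirmation count achieves it (q >= 0.5, or beyond `limit`)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_prob:
            return z
    return None


def confirmations_for_cost(amount_at_risk: float, cost_per_block: float,
                           margin: float = 2.0) -> int:
    """Confirmations z such that the z + 1 blocks an attacker must mine privately
    to overtake them cost at least `margin` times the amount at risk.
    cost_per_block is the rental price of the hashes one block takes at the
    current difficulty.  This is a lower bound: the honest chain keeps growing
    while the attacker mines, so the real cost is higher."""
    if cost_per_block <= 0:
        raise ValueError("cost_per_block must be positive")
    blocks_needed = margin * amount_at_risk / cost_per_block
    return max(0, ceil(blocks_needed) - 1)


if __name__ == "__main__":
    # Constructed figures for illustration only.
    print("confirmations needed for < 0.1% attacker success:")
    for q in (0.1, 0.3, 0.45, 0.51):
        print(f"  q={q:.2f}: {confirmations_for_probability(q, 0.001)}")
    print("cost rule for a $72,000 deposit at $1,000 rental cost per block:")
    print(f"  z = {confirmations_for_cost(72_000, 1_000)}")
```

The two rules answer different questions. Against an attacker who rents a minority of the hashrate, more confirmations drive the success probability down exponentially; against one who rents a majority, the probability stays at 1 and only the cost rule still buys anything, which is why a fixed count such as 20 confirmations is a price, not a guarantee.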

One point nobody is hitting on is that the price of BTG pumped a few weeks ago for no apparent reason. I guess we know why now. Pump the price and then attack it for even more profit.

The block which includes a double-spend is invalid. When an honest node chooses the "strongest" chain it should check whether the block is valid, not just look at the number of confirmations.

This is also true for blockchain browsers (and their APIs), which apps use to confirm the transaction (most users don't run a full node). The only way a 51% attack can be successful in the long term is if honest nodes (and blockchain browser APIs) are reconfigured to ignore the double-spend (at least for a particular time period).

Someone will be left holding the bag. Your post assumes it will be the double spender, there is no reason to assume that.

How do you know which side of a blockchain fork is the double spent, and which is the original?

This is a valid point. Sorry for my post. Blockchain has few moving parts, but the whole game theory around it is very complex.

BTG might collapse as a result.

This might help general awareness that minor coins without a differentiating technology are simply highly vulnerable uninteresting clones, not worth any attention and thus, value. Perhaps some would just disappear, in a spiral of lower value, lower hash rate, more vulnerability, till all miners leave towards other, stronger coins?

This might sanitize the whole cryptocurrency domain a little.

Or not?

It's been known for some time that anything out of the top 10 that uses a pow algorithm for which you can buy hashpower in the market is pretty easy to run a doublespend on. It doesn't seem to have had a huge effect on adoption of those coins though.

The question now is: was hiring the cloud mining services cheaper than the reward of $72,000?

Looks like they took a loss doing that attack.

There are a lot of Bitcoin advocates that would attack out of motivations other than (short-term) profit.

Oh. Again.

I wonder if this will cause a fork.

No, this won't cause a fork. To be specific, little forks happen all the time as different clients get information about new blocks at different times. So blockchains are very resilient to that kind of thing. Clients only continue from the longest legit chain they have seen, so whichever side of the fork has more hashpower on it will win in a way that's pretty transparent. So the attacker did cause a fork, so that they could spend coins once on each side, but all clients other than the attackers' would agree on which side was legitimate. So once the attack is over, it settles down immediately.

It was a fork! That's how the double spends work. The attackers generated a new chain of blocks from just before their transaction, and produced their chain so fast that it became longer than the 'real' chain, causing miners to accept it as the legitimate record of all transactions.

As for 'resilient', try telling that to the people who were robbed of their coins because of this attack!
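Added example, written for this thread and not taken from any BTG or Bitcoin client: a toy node that follows the most-work valid chain and replays its transactions, run through the double-spend sequence described in the comments above (deposit confirmed on the honest chain, then a privately mined longer chain that spends the same coin elsewhere). It shows the point raised earlier in the thread that a block containing both spends is invalid, while each fork on its own is valid, so "which side is the double-spend" is decided only by which chain has more work. Block work is a single unit per block, a stand-in for cumulative difficulty.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tx:
    coin: str          # identifier of the coin being spent (one coin per tx for simplicity)
    sender: str
    recipient: str


@dataclass
class Block:
    id: str
    parent: Optional[str]
    txs: List[Tx]
    work: int = 1      # toy stand-in for the difficulty the block's header meets


GENESIS = Block("G", None, [], work=0)


class Node:
    """Keeps every block it has heard of and follows the valid chain with most work.
    Ties go to the chain seen first, as a real node would."""

    def __init__(self, initial_owners: Dict[str, str]):
        self.blocks: Dict[str, Block] = {GENESIS.id: GENESIS}
        self.initial_owners = dict(initial_owners)

    def receive(self, block: Block) -> None:
        if block.parent not in self.blocks:
            raise ValueError(f"{block.id}: parent {block.parent} unknown (orphan)")
        self.blocks[block.id] = block

    def chain_to(self, tip: str) -> List[Block]:
        chain, cur = [], self.blocks[tip]
        while cur.parent is not None:
            chain.append(cur)
            cur = self.blocks[cur.parent]
        return list(reversed(chain))

    def validate(self, chain: List[Block]) -> Optional[Dict[str, str]]:
        """Replay the chain; return the resulting coin -> owner map, or None if any
        tx spends a coin its sender does not own at that point (a double-spend
        inside one chain makes that chain invalid)."""
        owners = dict(self.initial_owners)
        for blk in chain:
            for tx in blk.txs:
                if owners.get(tx.coin) != tx.sender:
                    return None
                owners[tx.coin] = tx.recipient
        return owners

    def best_tip(self) -> str:
        best, best_work = GENESIS.id, -1
        for tip in self.blocks:
            chain = self.chain_to(tip)
            if self.validate(chain) is None:
                continue
            work = sum(b.work for b in chain)
            if work > best_work:
                best, best_work = tip, work
        return best

    def ledger(self) -> Dict[str, str]:
        return self.validate(self.chain_to(self.best_tip()))

    def confirmations(self, tx: Tx) -> int:
        chain = self.chain_to(self.best_tip())
        for depth, blk in enumerate(chain):
            if tx in blk.txs:
                return len(chain) - depth
        return 0


def run_double_spend(required_confirmations: int = 3) -> dict:
    """Replay the attack: deposit to an exchange, wait for confirmations, then
    publish a longer private chain in which the same coin went elsewhere."""
    node = Node({"coin1": "attacker"})
    deposit = Tx("coin1", "attacker", "exchange")
    node.receive(Block("H1", "G", [deposit]))
    for i in range(2, required_confirmations + 1):
        node.receive(Block(f"H{i}", f"H{i-1}", []))
    paid_out = (node.ledger()["coin1"] == "exchange"
                and node.confirmations(deposit) >= required_confirmations)

    # Attacker's chain, mined in private from the block before the deposit and
    # released once it is one block longer than the honest chain.
    rival = Tx("coin1", "attacker", "attacker_2")
    node.receive(Block("A1", "G", [rival]))
    for i in range(2, required_confirmations + 2):
        node.receive(Block(f"A{i}", f"A{i-1}", []))

    # A block carrying both spends is rejected outright; each fork alone is fine.
    both = Block("X", "G", [deposit, rival])
    return {
        "paid_out_before_reorg": paid_out,
        "best_tip": node.best_tip(),
        "final_owner": node.ledger()["coin1"],
        "deposit_confirmations_after": node.confirmations(deposit),
        "block_with_both_spends_valid": node.validate([both]) is not None,
    }


if __name__ == "__main__":
    for k, v in run_double_spend(3).items():
        print(f"{k}: {v}")
```

Run it and the deposit that had three confirmations drops to zero after the reorg, with the coin now owned by the attacker's second address; the exchange has already released whatever it paid out against the deposit. Nothing in the node's rules distinguishes the two forks except their work, which is why "raise the confirmation count" only moves the line the attacker has to out-mine.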


This is good for Bitcoin. /s

Surprisingly, all cryptos (including BTG) seem to be going up. Normally a 51% attack on any somewhat-known cryptocurrency pushes the price down.

This kinda confirms that BTG being not just susceptible to 51% attacks but also getting hit by them isn't a surprise to anyone.

Edit to add: For anyone not familiar with the space, Bitcoin Gold is one of the many forks of the main Bitcoin blockchain, and one of the least meaningful among the ones commonly known. Here's the map of the main forks: https://i.redd.it/1pvmr98w5x041.png -- the main chain is by far the most known/popular/valuable, followed by Cash and SV in this order, followed by Gold far behind the rest.

Useful metrics are value/market cap, number/size of exchanges supporting it, or hash power. Hash power roughly correlates with value.

A main-chain Bitcoin (BTC) is worth about $8750 and basically the reserve currency of the crypto world (roughly all exchanges will have it), Bitcoin Cash (BCH) about $370 and has 400+ markets (that's as much as Coinmarketcap will show), Bitcoin SV (BSV) about $300 and 154 markets, Bitcoin Gold about $12 and 74 markets. Too lazy to count unique exchanges (an exchange can have multiple markets per coin).

Edit: Exchange listing counts here https://news.ycombinator.com/item?id=22161472

I feel like every attack on these networks that goes from theoretical to real (or that gets demonstrated on increasingly larger scales), will actually tend to cause the market to get more bullish on the ecosystem as a whole.

It’s a kind of de-risking—not in the sense that the particular blockchain, or blockchains in general, are now any less vulnerable to the attack (Sybil attacks generally are like the Halting Problem of open consensus systems—no real way around them) but rather that these attacks, for some investors, go from scary “unknown unknowns” to “known unknowns” that can be quantified in their impact, and thus ROI models can be clarified, making cryptocurrency’s value as an asset class more legible. Legible assets always have a place in a hybrid-strategy portfolio; while illegible assets (like illiquid real estate from the housing crash) almost never do.

> basically the reserve currency of the crypto world (roughly all exchanges will have it)

I would say that that’s more like either Monero or USDC right now: these are the cryptocurrencies people ask for when they just want cash but want to let you pay them in crypto, because you can cash out of crypto entirely in a non-value-losing way pretty well from either (with Monero, because it has low TX fees and fast processing times, so you can get rid of it in seconds; with USDC, because it’s stable-ish for now, so you don’t need to worry on a scale of minutes whether it’ll keep its value.)

Which is similar to what “reserve currency” means in practice for most people (other than banks): it’s the currency they’d prefer to be paid in, and the currency you’ll see them trading in their own currency for in the event that their own currency experiences high volatility.

You are right, I remember talking to Bitcoin core and lightning network developers before the segwit/bitcoin cash fork. They were quite depressed as the social/marketing attacks on Bitcoin core were quite successful in hindering Bitcoin's development by a few years.

At the same time as Bitcoin core won (by market share), Bitcoin is now in a state where everybody accepts that Bitcoin won't have any hard forks in the future (even if it would be technically warranted).

For many things change is a good thing, but for creating a new monetary system it's only good if it fixes a huge flaw in the previous one (unlimited money supply and limited international money flow in the case of the current financial system).

Because most cryptos are traded in terms of BTC or ETH, if either of those two go up, virtually all other coins tend to rise as well. I haven't seen altcoins decoupled since 2017.

>Surprisingly, all cryptos (including BTG) seem to be going up

This might be because the "halvening" is this year.

Also, all stocks are down due to the coronavirus, which is allegedly a reason bitcoin is high.

There is zero rational basis for any movement in cryptocurrencies, and it was spiking at the same time that the normal stock market was hitting record highs.

Rationally, bitcoin should be worth close to nothing.

You mean just like gold?

Gold has intrinsic high value in an enormous number of processes, and is a physically very rare element with very novel properties. Cryptocurrency isn't remotely rare -- one can create a hundred Bitcoin clones in an afternoon -- and has zero fundamental value. It solves no real problem, and is worse at virtually everything than alternatives.

The comparison with gold has always been specious.

If a tiny, tiny fraction of holders of bitcoin liquidated to cash, it would be worth close to nothing overnight.

Gold's intrinsic value is obviously nowhere near its value on the market. Bitcoin does have some intrinsic value too as an international payments system, which like gold clearly is not the only driver of the price. Furthermore I don't see how you can compare the rarity of gold versus bitcoins. What makes one "more rare" or "less rare" than the other? Are we comparing grams to bits, or what?

> If a tiny, tiny fraction of holders of bitcoin liquidated to cash, it would be worth close to nothing overnight.

Being opposed to Bitcoin because you think it's too volatile is a totally different argument than "its value isn't defined intrinsically".

The entirety of mined gold, over the history of mankind, wouldn't fill an Olympic swimming pool. It has become exponentially more difficult to mine, and can't be created outside of alchemy (e.g. some radioactive processes).

Gold has a comparable price to platinum, and is positively cheap compared to rhodium. Gold has been valued by pretty much every civilization throughout history, independently and for the same reasons, even before its unique properties gave it secondary value.

I don't invest in gold, have little of it, and I don't know how this strawman got erected, but gold has a much better case than cryptocurrencies at having a so-called intrinsic value.

On the cryptocurrency side there are literally thousands of active offerings, and the barrier to entry to create one or a hundred more is negligible. They offer incredibly little value (outside of crime), and are largely illiquid with enormous transaction costs at every step. The transaction history of cryptocurrencies if aggregated would be 99.999+% trading and gambling, with a rounding error of transactions for illicit purposes. And a minuscule amount of early-adopter, feel-good "look I used it to buy a pizza" legitimate transactions.

As to your last line, that's another strawman and certainly isn't the argument I'm making. What I am saying is that no cryptocurrency currently in play has any legitimate intrinsic value, and because of that the trading of the same is effectively a game of chicken where everyone waits to see who blinks.

There is a non-zero chance that Bitcoin could crash to effectively $0 in a short period.

> gold has a much better case than cryptocurrencies at having a so-called intrinsic value.

The point is that the intrinsic value doesn't come anywhere close to explaining the price in either case.

And what about cash? That also doesn't need intrinsic value to be worth something.

> On the cryptocurrency side there are literally thousands of active offerings, and the barrier to entry to create one or a hundred more is negligible.

I don't see why the scarcity of one cryptocoin affects the value of the others. Creating a new coin doesn't devalue existing coins.

you're probably right.

This is sarcasm, but it really is: with crypto, there's strength in numbers.

Well it is; any copycat coin sharing the same hashing algorithm as Bitcoin has this risk. So stay away from shitcoins.

Edit: I was wrong about BTG sharing the same algorithm.

Every coin which uses the same proof of work method has this problem. It is independent of the actual hashing algorithm used.

This is also not the first time this coin has been targeted.

I think it's more complicated than that. You'd need enough computing resources to "beat" half of the Bitcoin network's current hashrate, which is absolutely massive compared to BTG's.

Oops: I see what you mean though. Because there's so many BTC miners, they can easily swap over to BTG to overwhelm the much smaller network.

This is part of the reason why it's most likely everything will converge on a single money. Currencies will be issued on top, rather than dividing the global effort.

I don't think Bitcoin gold uses the same hash function as Bitcoin

Correct, it uses equihash [1].

[1] https://bitcoingold.org/equihash-btg/

Equihash is not SHA-256.

who on earth has got Bitcoin Gold in his pocket ??? ;)

1 for 1 so far on my 2020 decade predictions


Sorry, but this doesn't seem related to quantum - I don't think you get credit yet.

I wonder why this ended up in the front page of HackerNews? It's not news that altcoins are much much easier to attack than the top coin(s). Lesson to learn here: top coins are not only better due to the network effects (users and developers), they are also better in terms of security (it's much more expensive to carry out an attack in BTC or ETH, for example).

> It's not news that altcoins are much much easier to attack than the top coin(s)

Not everyone here is a cryptocurrency enthusiast. The fact that this is even possible is interesting by itself; an instance of it happening even more so. What's not news to you is indeed interesting to someone else. Alas, this isn't Reddit, so the usual "OMG Don't spread FUD!" response doesn't apply here.

Crypto failures were always well received here. The infamous DAO drainage alone triggered multiple 200+ comments threads.

Would it be fair to say altcoins are the “penny stocks” of the cryptocurrency world? Easily subjected to price manipulation and typically the perpetrator doesn’t have to spend too much.

I think altcoins are not even penny stocks, they will die soon in the same way there are no other networks these days that try to be the internet. The penny stocks are the Ethereum tokens.

As far as showing up on the front page goes the HN community has shown to have a lot of interest in the strange world of cryptocurrency. I'm not surprised it made it this far.

When I first read it, I read "Bitcoin Cash", which struck me as alarming as it's one of the larger ones. But upon further investigation I realized that it's "Bitcoin Gold", something I have no recollection of.

I don't consider Bitcoin Crash as one of the larger ones (it possibly has less than 5% of BTC's hashpower).

As in all things cryptocurrency related, when most people are talking about the biggest coins, they are talking about trading price and volume.

You'd do well to frame your discussions about cryptocurrency from the HN perspective, not that of a BTC-enthusiast or -maximist. Using derisive terms like "Bitcoin Crash" really doesn't add to the conversation. Like I said in another comment, this isn't Reddit.

You’re assuming all blockchains are created equal. A new smaller blockchain can pop up and provide better security, finality, and the coin could actually be backed by something.

