Lots of cryptocurrencies use the same mining algorithm, i.e. they require the same type of puzzle to be solved to make money creating blocks. In recent years, lots of online services have sprung up to offer cloud mining, which people usually use to mine blocks on the bigger cryptocurrencies, like Bitcoin Core or Bitcoin Cash.
However, since the smaller cryptocurrencies, like Bitcoin Gold, have fewer users/miners, they also require easier "puzzles" to be solved, which opens an opportunity for any random person to pay some $$$ to hire a bunch of these cloud servers for a limited time and point them at these easier puzzles, which can cause such a smaller blockchain to get confused about account balances. The attacker can then re-spend the same currency multiple times to make a profit.
AFAIK there aren't really any good solutions to prevent this problem. For complex game-theoretic reasons, simply changing the mining algorithm to something different doesn't really offer much protection. (Some folks believe if these smaller currencies were to move to "proof of stake" it could help solve this problem, but this is an extremely contentious topic.)
For the curious, a simple breakdown of Ethereum 2.0's Proof of Stake (PoS) plan is:
- Minimum 32 ETH to stake
- Staking locks the currency in the staking pool
- Your node votes on the validity of the transactions (this is super lightweight and fast, can run on a rPi instead of huge mining nodes).
- If the network agrees you were acting maliciously your locked stake begins to be slashed/burnt.
- Voting with the majority gives you a % of the block reward.
This means a 51% attack on the chain requires 51% of the currency staked which would be extremely hard to get without skyrocketing the price (making 51% exponentially harder to achieve). They've also done some spooky proofs I don't understand that make the actual number to take over the network >51% (70% or so IIRC).
So it's green, fast, and harder to attack successfully. And unlike PoW, if you fail your "attack money" gets nuked.
Does each block need a strict majority of outstanding currency to pass muster? It seems like it would be super risky to align yourself with any stake unless you were sure that it was going to be the majority, lest you inadvertently follow a post-facto "malicious" branch.
Therefore it seems like it might require less than 51% of outstanding currency, depending on the level of risk you're willing to take on, and how much active stake is willing to commit itself to proving maliciousness -- if you're leading the "that was malicious" faction but your faction fails to assemble more stake than the attacker did, then instead you get burned, so there's no guarantee that evildoers will be brought to justice; and aligning with a reorganization in ETH is dicier in many ways (because of the per-address nonces) than it is in a UTXO coin.
Attack vectors are never within the bounds of tidy proofs of complex ideas; Bitcoin's brute-force solution is very simple to verify the correctness of, and the effective cost of pulling off a double spend is fairly easy to compute from first principles with some very weak assumptions about the quality of the hash function used.
I'll give more credit to proof of stake when Ethereum makes the transition; at least then there's some skin in the game.
And the Eth2 genesis won't occur until a sufficiently large number of validators are active on the beacon chain, so you can't hijack it by investing large early.
I will look into it later, and decide on the longer answer if it would meet characteristics that I would ascribe to "in the wild" or "at scale" given a deeper understanding of what it has accomplished to date.
Is wrong by years. See Blackcoin (2014) for just the tip of the iceberg.
Step 1. Acquire cryptocurrency. Step 2. Stake. Step 3. Unstake and sell cryptocurrency. Step 4. Use older keys to produce an alternative history.
Or, to simplify things, let other people do 1/2/3. Then purchase or hack their now-worthless old used keys to use in your attack... keys which they have no reason to protect and/or not sell. At most, all slashing does is make Step 3 take more time.
I say "at most" because it doesn't necessarily do that much: if the funds you can earn from the attack (from double-spends and/or shorts) are large compared to the staked amounts, then step 3 isn't even required.
POS is fundamentally circular: you use ownership to determine ownership.
The only solution to this is to introduce another consensus mechanism like POW or, more commonly in POS proposals, a centralized authority. Some just assume the users are communicating over a synchronous lossless global totally ordered reliable broadcast-- which, again, is equivalent to running on top of another consensus system.
There is a reason you see people promoting POS that have an established history of committing fraud: the idea is most convincing if you obfuscate the details so much that no one is going to be willing to waste their time reviewing it. This is one of the classic moves used to convince someone to agree to a fraudulent deal-- baffle 'em with bullshit.
Sure, if you get a majority of stake in the network, you can create alternative histories. But, as others have pointed out, this is much more difficult than a 51% attack in PoW.
> has already been finalized.
This is presuming the existence of an external consensus mechanism.
Mind you, Bitcoin had the same issues and they solved it with hard coded checkpoints.
There's no reason this can't be solved with timestamps and some sort of checkpoint mechanism. Many coins have done this with no issues, and others with issues have hard coded alternative checkpoints for forked chains.
Why would a client ever reasonably revert to a chain back in time 1 day without human intervention? If someone could explain in what extraordinary remote case this would be reasonable, I might be able to comprehend the maxis.
An extremely large number of cryptocurrencies are essentially completely centralized and only pretending to be decentralized as a regulation dodge. Centralized systems can be extremely secure-- until the central parties decide to screw you over.
Bitcoin does have a thing called "checkpoint" but it is essentially completely unrelated to the centralized consensus mechanisms (usually a broadcast message signed by developers that forces all nodes to switch to a chain with blocks that they've signed) added to many other altcoins which have used the same name for deceptive reasons to disguise their centralized control.
In Bitcoin there is a problem that the minimum POW difficulty was set based on 2009 CPU speeds, just hundreds of thousands of hashes per second, so at minimum difficulty a block requires 2^32 hashes to create. A single modern ASIC miner can perform 68 trillion hashes per second using a couple kilowatts. So, one of these devices could generate about 16k blocks per second at minimum difficulty.
This creates an issue where an attacker could fork the chain early on and create an incredible number of blocks at the minimum difficulty and feed them to your node. Your node wouldn't be sure if this chain of minimum difficulty blocks might not eventually add up to more work than whatever is your current chain, so it stores them. Eventually, this would exhaust your memory and disk and crash your node.
Currently, this attack is blocked by checkpoints that cause your node to ignore forks created from the chain back before the difficulty reached ~2^32 back in 2014 (so 2^64 work required to create a block). That's all checkpoints do.
There are alternative proposals to eliminate this problem which people are working on from time to time... and which have included adding consensus rules to increase the minimum difficulty (except for the earliest blocks), or making it possible to efficiently produce a compact proof of the total work behind a particular best block. But changes to consensus rules are fairly slow and hard to accomplish, so for the moment the ad hoc fix protects nodes from an otherwise completely practical attack. Once one of these other fixes is implemented the 'checkpoints' would go away completely.
And never did they operate like 'checkpoints' in most other cryptocurrencies.
> client ever reasonably revert to a chain back in time 1 day without human intervention
Refusal to reorg at threshold X (for whatever X you choose) only creates vulnerabilities; it doesn't resolve them:
Consider, if an attacker can't create enough blocks to produce a reorg X back from the tip then a refusal to reorg would simply be pointless (because the expected attack couldn't happen), so implicitly you're assuming the attacker can do that. If he can, then he can also create a fork right at X-1 and simultaneously announce it to whatever subset of the network he likes, carving the network into an arbitrarily shaped partition. If both sides have hashpower, both will continue on past block X-1 to X and beyond on their own (and he can even contribute). They'll never heal on their own, the network becomes fragmented and exploitable in real time. So the style of attack changes a bit but the ability of a supermajority hashpower attacker to reorg/disrupt the chain isn't materially reduced.
Worse, the refusal to reorg creates a whole new problem that didn't exist before: If a node was offline (say for days, months, years, or just coming online for the first time) then an attacker which didn't have anywhere near enough hashpower to successfully reorg near the tip could still (perhaps slowly over months) produce an X-long fork off an _earlier_ position in the chain and then aggressively feed it to nodes which are coming back online and redirect them into an attacker controlled bizarro-world which they won't recover from (without a user somehow discovering that they're on the 'wrong' chain and doing some unspecified action to fix them). This class of attack can be made more potent by DOS attacking a target's running node, forcing them to bring up new or backup nodes. This and similar attacks are an entire class of attacks created outright by a refusal to reorg.
Essentially the only case where a refusal to reorg is unambiguously safe is when you assume attackers lack the hashpower to cause the reorg in the first place. In which case... why bother?
As an aside, I think repeating an insult likening Bitcoin users to feminine hygiene products is extremely unprofessional and inappropriate for hacker news.
I don't see the need to continue if we've stumbled over something so trivial.
"network partitioning risk" is an aspect of many issues, such as the Sybil attack. Just because the Sybil attack exists in the Bitcoin ecosystem doesn't mean it's a game stopper.
The same solutions that solve many kinds of bootstrapping problems can easily be employed to stop fragmentation problems. Also, I want attacker chains to be fragmented. Fragmentation isn't always negative.
If my node decides to revert to a chain past a few hours, I want it to stop and manually ask me what chain to follow. This is exactly why checkpoints were added to Bitcoin and checkpoint like systems are employed by many coins. Checkpoints represent human input, manually making a decision. Blockchain is a voting automation system, it is not a replacement for my voice.
This isn't just theory, but practice! Bitcoin Core version 0.8 _broke the bitcoin network_. Humans had to manually pick a chain and manually revert to an older version of software. And yet no apocalypse materialized.
All prior versions before 0.8 were self-inconsistent-- accepting or rejecting some large blocks depending on their own history of orphaning and reorgs which would be different on different nodes-- and would have split all on their own eventually.
The distinction with 0.8 is that it made the maximum block size that a miner would create command-line configurable and larger blocks have a much easier time triggering the pre-0.8 inconsistency.
People originally thought that 0.8 was at fault since this happened a little while after 0.8's release and the first diverged node-pair people looked at were 0.8 vs 0.7. But that belief was mistaken.
> manually revert to an older version of software
Only a few percent of nodes had split there. The vast majority were on the more restrictive fork. I'm not, for example, aware of any exchange that observed a reorg from this.
> If my node decides to revert to a chain past a few hours, I want it to stop and manually ask me what chain to follow. This is exactly why checkpoints were added to Bitcoin
That was not why they were added and they have never had a behavior like that.
Stopping can be acceptable for some uses, but it's not a safe behavior in general and could dramatically exacerbate a network fault.
FWIW, ethereum will not stop in a big reorg. However, ethereum nodes do randomly stop for no reason whatsoever, and businesses have responded by automating blowing away the state of stuck nodes and re-warp syncing it against the network. The effect of this has been to essentially downgrade these exchanges to no better than SPV security: they'll trust whatever gets mined.
> checkpoint like systems are employed by many coins
I'm not aware of systems like Bitcoin's used by other altcoins. I am aware of quite a few where the developers broadcast signatures that rig the consensus which call themselves 'checkpoints' in order to deliberately deceive users about the security properties through an erroneous comparison to bitcoin like the one you're making.
To be fair, in PoW your "attack energy" (and thus money) gets nuked too.
Forking bitcoin requires deciding which fork to spend your mining processing time on. Forking a PoS coin does not, since you can use the same coins for stake on as many different chains as you want.
Before that was commonplace there were numerous problems of transactions being replayed causing all sorts of problems.
If someone wanted to fork post-PoS ETH, chances are they would have to do so very deliberately, with code on the new fork deliberately designed to prevent replay attacks, as was done in the BTC/BCH fork.
Edit: it seems like it makes it more robust, basing your interest in a fork not on your involvement in it but on its merit (e.g. you are incentivized to support them all)
I know people love proof of stake as a "solution" but you give up decentralization for "security". If that is what you want, use a bank.
Lots of millionaires came out of the cryptocurrency era. Sock puppets are cheap in comparison.
Cryptocurrencies and their associated boom-bust market cycles are here to stay.
95% of blockchain development happens on Ethereum, and Ethereum is growing well, https://medium.com/@jjmstark/the-year-in-ethereum-2019-24201..., so the idea that there was a cryptocurrency era that's ended is not true.
Bitcoin is money. It's as simple as that.
> Coins at the greatest risk of 51% attack are the ones where there exists large amounts of hashpower not actively mining the coin that could begin mining and disrupt the coin’s blockchain.
Also, Ethereum's upcoming transition to Proof of Stake is not contentious, it's a large-scale project years in the planning and execution.
There's no silver bullet for 51% attacks, and proof of work uses unconscionable amounts of electricity, which is why Ethereum is transitioning to proof of stake.
Thus, there is a limit to the amount of economic activity that can be "safely" transacted by a proof of work chain per unit time, based on the amount of inflation/fees of that particular network. The more fees and inflation, the higher the economic value that can be transacted safely.
The actual real-world limit will be somewhat less than 2x because of options trading and other off-blockchain transactions.
Yes, this poses problems for smaller currencies where the average amount transacted per block is quite small. Bitcoin has not just a "network effect" of adoption resulting in places to spend it, but also a network security effect, where the vast amount of spending makes it much more economically difficult to justify a 51% attack.
(That or you need to wait increasingly long periods on these shitcoin chains before accepting them as "final" and transferring goods. Eventually all chains should reach consensus, as long as you wait long enough that it would be economically unviable to
And note that this is actually a parameter that cryptocurrencies can set themselves. When (eg) Ethereum cuts the block rewards, that results in network hashpower going down, and thus reduces the economic throughput that is possible before Nakamoto consensus falls apart. Same for Bitcoin's block halvening.
Decred's mixed PoW/PoS would be extremely expensive to 51% attack, and would require a large amount of funds to be locked up in voting tickets for random amounts of time ranging from a few days to several months - so if you successfully attacked it, you'd presumably reduce the value of Decred and the many millions of dollars worth of Decred you had frozen in tickets.
And he's behind the crypto of GNU Taler and Polkadot
Bitcoin Gold is the least relevant of the forks (worth ~$12 per coin while the main chain BTC is worth ~8750 and the two major forks BCH/BSV are worth around 300), and only 7 of the 20 largest exchanges (by liquidity, according to coinmarketcap) list it - even though most of them list plenty of altcoins/shitcoins. For comparison, Bitcoin Cash is listed on all of them, Bitcoin SV on 14 of them. Additional stats here: https://news.ycombinator.com/item?id=22160458
The journalist has missed an important part of the github gist that their story bases on:
> Based on Nicehash market price data for Zhash we estimate the cost of generating each reorg at around 0.2 BTC (~$1,700) and the attacker would have recouped around the same value in block rewards. Therefore, it is possible that the attacks were profitable if the double-spends succeeded at defrauding the attacker's counterparty, or break-even if the double-spends were unsuccessful. This suggests that a confirmation requirement on the order of tens of blocks for BTG is still far too few to make the budget constraint to launch an attack significant.
The real profit will come from shorting the currency and capitalizing on the subsequent crash due to the crisis in confidence.
I guess raising the amount of required confirmations helps but even then it's just a matter of time.
Proof of stake is more secure than proof of work because an attacker must acquire a large amount of ETH each time they attempt an attack. Attacks against proof of stake are incredibly capital-inefficient.
If your goal is a decentralized system POS is just a fundamentally broken idea, as was known years ago (and long before ethereum existed https://download.wpsoftware.net/bitcoin/pos.pdf ). Ethereum isn't a decentralized system-- as demonstrated by them editing balances to recover coins the ETH administrators personally lost by gambling on an ill-advised contract-- but they have to keep up the pretext.
Uh, I'm fairly sure this never happened but you're welcome to provide a source.
Most people who opposed the fork also stayed with ethereum because the ethereum foundation, which they'd collectively invested millions in, announced it would not support the fork. (in fact, it announced that the fork wouldn't even exist-- which caused companies like coinbase hundreds of thousands in losses from replays due to not being prepared for it)
The DAO was supposed to be a VC firm. If you want to say that the DAO was gambling then so is all Venture Capital.
> The funds in it were a majority coming from ethereum foundation members. The reason that they were 14% of all ethereum at the time was that at the time something like 85% of ethereum in existence had been premined by the ethereum foundation (at the moment it's 75%).
What a laughably stupid thing to say. Ethereum did an ICO before that term was a thing, mined a shit ton of ETH and sold almost all of it for Bitcoin. By the time the DAO was a thing the Ethereum foundation controlled ~12M ETH, which did not overlap with the ~11.5M ETH in the DAO (The funds were for the development of Ethereum, not speculative purposes). There was an additional some 60M ETH from the initial sale + ETH from newly mined blocks, not in the DAO and not part of the ETH foundation.
>Most people who opposed the fork also stayed with ethereum because the ethereum foundation, which they'd collectively invested millions in, announced it would not support the fork.
The Ethereum foundation announced it would not support what exactly? If you mean Ethereum Classic well that is not a fork of anything - but a continuation of the original DAO chain. 11% of people voted against the Ethereum fork and presumably did not migrate (or likely just used both).
>in fact, it announced that the fork wouldn't even exist-- which caused companies like coinbase hundreds of thousands in losses from replays due to not being prepared for it
Er, what? Assuming you are referring to ETC, which again is the original chain, the Ethereum Foundation does not have the power to determine its existence or non-existence. The original chain continued to be mined and supported by nodes.
The issue with proof-of-stake: How do you define consensus on what ETH is? Without PoW, an attacker can cheaply generate an alternate history in which they control a large amount of ETH. If the alternate history is accepted, they benefit, and if not, they risked nothing.
It becomes trivial to generate the longest chain. This is a real problem, and some PoW currencies like NXT have proposed solving it by using an out-of-band solution like asking friends or trusted nodes whether you are on the right root blockchain. This defeats the very purpose of a decentralized currency. If you're going to trust a core set of nodes, just use a centralized database with M-of-N access control.
Heck proof of stake is significantly less secure because you can have stakes working together to game the system.
This leaves out any miners turned off because of power costs, and non-ASIC compute. I have no idea how big those are. My completely unfounded guess would be that all of AWS available CPU compute wouldn't be enough compute for a 51% attack.
I suppose they meant that many parties do have that much potential compute but they use it for other things. But they could in theory switch to computing bitcoin hashes and control 51%, and in turn some other party can do the same etc... Obviously you're right that eventually one party can own 51%, but that doesn't mean only one party can successfully perform a 51% attack, since % of hashing power can change over time.
Well yeah, CPUs are many orders of magnitude slower than ASICs
I mean, real technical capabilities not just mention of facilities in Texas or whatever.
They are the prime mover in the Bitcoin space, and have an outsized impact in other crypto mining spaces. They are the undisputed ASIC leaders.
You're saying it's impossible, and now you're saying nobody would bother. Don't move the goalposts.
This vulnerability was baked into Bitcoin from day one. There is no outcome under which Bitcoin is not 51% attacked. it is an inevitability as sure as the heat-death of the universe.
Also in 2018: https://news.ycombinator.com/item?id=17173051
The market may not even understand what 51% is about
Perhaps they should require some multiple of (amount of the transfer / cost of the hashpower needed to mine one block)?
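A small budget-constraint model for the confirmation-count question just above and for the earlier points that the BTG reorgs roughly recouped their own cost in block rewards and that safe throughput per block is bounded by rewards and fees. This is an added example, not code from the thread; the per-block rent/reward numbers are constructed in satoshis, and the model assumes the attacker can always win the reorg (rented supermajority hashpower), with only the counterparty's delivery being uncertain.

```python
"""Added example (not from the thread): attacker budget vs. confirmation depth.

Model (my assumptions, deliberately simple):
  * producing each block of the attacker's fork costs `rent_sat` (rented hashpower);
  * because the fork wins the reorg, the attacker also collects `reward_sat`
    (subsidy + fees) per block, as in the BTG gist excerpt;
  * the double-spend of `amount_sat` only pays off if the counterparty delivers,
    with probability `p_delivery`.
All values are integer satoshis so the arithmetic is exact.
"""


def net_cost_of_reorg(n_blocks: int, rent_sat: int, reward_sat: int) -> int:
    """What the attacker is out of pocket after an n-block reorg (negative = the reorg itself pays)."""
    return n_blocks * (rent_sat - reward_sat)


def expected_attack_value(amount_sat: int, n_blocks: int, rent_sat: int,
                          reward_sat: int, p_delivery: float) -> float:
    """Expected profit of a double-spend attempt behind n confirmations."""
    return p_delivery * amount_sat - net_cost_of_reorg(n_blocks, rent_sat, reward_sat)


def min_confirmations(amount_sat: int, rent_sat: int, reward_sat: int,
                      multiple: int = 1):
    """Smallest n such that net_cost_of_reorg(n) >= multiple * amount_sat
    (the 'some multiple of amount / cost per block' rule suggested above).

    Returns None when rent <= reward: the reorg is free or profitable on its
    own, so no finite confirmation count makes the budget constraint bind."""
    margin = rent_sat - reward_sat
    if margin <= 0:
        return None
    return -(-multiple * amount_sat // margin)  # integer ceiling division


def safe_value_per_confirmation(rent_sat: int, reward_sat: int) -> int:
    """Largest transfer value per confirmation for which a reorg costs more than
    it can steal; 0 when rewards cover the rent (the 'throughput limit' argument)."""
    return max(0, rent_sat - reward_sat)


if __name__ == "__main__":
    # Constructed figures: rent exactly recouped by rewards (the BTG situation).
    print(min_confirmations(100_000_000, 2_000_000, 2_000_000))            # None
    print(expected_attack_value(100_000_000, 10, 2_000_000, 2_000_000, 0.5))  # 5e7
    # Constructed figures: rent exceeds reward by 500k sat per block.
    print(min_confirmations(100_000_000, 2_000_000, 1_500_000))            # 200
    print(safe_value_per_confirmation(2_000_000, 1_500_000))               # 500000
```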
This is also true for blockchain browsers (and their API), which apps use to confirm the transaction (most users don't run a full node). The only way a 51% attack can be successful in the long term is if honest nodes (and blockchain browser APIs) are reconfigured to ignore the double-spends (at least for a particular time period).
This might help general awareness that minor coins without a differentiating technology are simply highly vulnerable uninteresting clones, not worth any attention and thus, value. Perhaps some would just disappear, in a spiral of lower value, lower hash rate, more vulnerability, till all miners leave towards other, stronger coins?
This might sanitize the whole cryptocurrency domain a little.
As for 'resilient', try telling that to the people who were robbed of their coins because of this attack!
This kinda confirms that BTG being not just susceptible to 51% attacks but also getting hit by them isn't a surprise to anyone.
Edit to add: For anyone not familiar with the space, Bitcoin Gold is one of the many forks of the main Bitcoin blockchain, and one of the least meaningful among the ones commonly known. Here's the map of the main forks: https://i.redd.it/1pvmr98w5x041.png -- the main chain is by far the most known/popular/valuable, followed by Cash and SV in this order, followed by Gold far behind the rest.
Useful metrics are value/market cap, number/size of exchanges supporting it, or hash power. Hash power roughly correlates with value.
A main-chain Bitcoin (BTC) is worth about $8750 and basically the reserve currency of the crypto world (roughly all exchanges will have it), Bitcoin Cash (BCH) about $370 and has 400+ markets (that's as much as Coinmarketcap will show), Bitcoin SV (BSV) about $300 and 154 markets, Bitcoin Gold about $12 and 74 markets. Too lazy to count unique exchanges (an exchange can have multiple markets per coin).
Edit: Exchange listing counts here https://news.ycombinator.com/item?id=22161472
It’s a kind of de-risking—not in the sense that the particular blockchain, or blockchains in general, are now any less vulnerable to the attack (Sybil attacks generally are like the Halting Problem of open consensus systems—no real way around them) but rather that these attacks, for some investors, go from scary “unknown unknowns” to “known unknowns” that can be quantified in their impact, and thus ROI models can be clarified, making cryptocurrency’s value as an asset class more legible. Legible assets always have a place in a hybrid-strategy portfolio; while illegible assets (like illiquid real estate from the housing crash) almost never do.
> basically the reserve currency of the crypto world (roughly all exchanges will have it)
I would say that that’s more like either Monero or USDC right now: these are the cryptocurrencies people ask for when they just want cash but want to let you pay them in crypto, because you can cash out of crypto entirely in a non-value-losing way pretty well from either (with Monero, because it has low TX fees and fast processing times, so you can get rid of it in seconds; with USDC, because it’s stable-ish for now, so you don’t need to worry on a scale of minutes whether it’ll keep its value.)
Which is similar to what “reserve currency” means in practice for most people (other than banks): it’s the currency they’d prefer to be paid in, and the currency you’ll see them trading in their own currency for in the event that their own currency experiences high volatility.
At the same time as Bitcoin core won (by market share), now Bitcoin is in a state where everybody accepts that Bitcoin won't have any hard forks in the future (even if it would be technically warranted).
For many things change is a good thing, but for creating a new monetary system it's only good if it fixes a huge flaw in the previous one (unlimited money supply and limited international money flow in the case of the current financial system).
This might be because the "halvening" is this year.
Also all stocks are down due to the coronavirus, which is allegedly a reason bitcoin is high.
Rationally, bitcoin should be worth close to nothing.
The comparison with gold has always been specious.
If a tiny, tiny fraction of holders of bitcoin liquidated to cash, it would be worth close to nothing overnight.
> If a tiny, tiny fraction of holders of bitcoin liquidated to cash, it would be worth close to nothing overnight.
Being opposed to Bitcoin because you think it's too volatile is a totally different argument than "its value isn't defined intrinsically".
Gold has a comparable price to platinum, and is positively cheap compared to rhodium. Gold has been valued by pretty much every civilization throughout history, independently and for the same reasons, even before its unique properties gave it secondary value.
I don't invest in gold, have little of it, and I don't know how this strawman got erected, but gold has a much better case than cryptocurrencies at having a so-called intrinsic value.
On the cryptocurrency side there are literally thousands of active offerings, and the barrier to entry to create one or a hundred more is negligible. They offer incredibly little value (outside of crime), and are largely illiquid with enormous transaction costs at every step. The transaction history of cryptocurrencies if aggregated would be 99.999+% trading and gambling, with a rounding error of transactions for illicit purposes. And a minuscule amount of early-adopter, feel-good "look I used it to buy a pizza" legitimate transactions.
As to your last line, that's another strawman and certainly isn't the argument I'm making. What I am saying is that no cryptocurrency currently in play has any legitimate intrinsic value, and because of that the trading of the same is effectively a game of chicken where everyone waits to see who blinks.
There is a non-zero chance that Bitcoin could crash to effectively $0 in a short period.
The point is that the intrinsic value doesn't come anywhere close to explaining the price in either case.
And what about cash? That also doesn't need intrinsic value to be worth something.
> On the cryptocurrency side there are literally thousands of active offerings, and the barrier to entry to create one or a hundred more is negligible.
I don't see why the scarcity of one cryptocoin affects the value of the others. Creating a new coin doesn't devalue existing coins.
Edit: I was wrong about BTG sharing the same algorithm.
This is also not the first time this coin has been targeted.
Oops: I see what you mean though. Because there's so many BTC miners, they can easily swap over to BTG to overwhelm the much smaller network.
Not everyone here is a cryptocurrency enthusiast. The fact that this is even possible is interesting by itself; an instance of it happening even more so. What's not news to you is indeed interesting to someone else. Alas, this isn't Reddit, so the usual "OMG Don't spread FUD!" response doesn't apply here.
You'd do well to frame your discussions about cryptocurrency from the HN perspective, not that of a BTC-enthusiast or -maximalist. Using derisive terms like "Bitcoin Crash" really doesn't add to the conversation. Like I said in another comment, this isn't Reddit.