Bitcoin Forum

There have been a few discussions lately about large mining pools (including GHash and others) and the possible threat of 51% (and other similar) attacks.

In some of these threads, I see people dismissing the threat by saying things along the lines of "why would a pool of significant size do something so stupid so as to destroy the value of their own profits?" Others defend the pools by saying "these are honest, legit people - we can trust them."

At first these arguments seemed to put me at ease, but as I've given it more thought, they're not really sitting right with me.

Consider this analogy:

If we all share the same planet, and any amount of harmful pollution (however insignificant) released into the environment ultimately threatens our own well-being as inhabitants of the planet, then why would any individual or organization chose to continue any operation that releases pollution?
(I'm not trying to start any political debate about the environment here, but I think most would agree that many forms of pollution have at least some kind of detrimental impact on the environment).

The fact of the matter is, it's not a simple winner-takes-all and loser-gets-nothing scenario. We can live with a degree of pollution in the environment if it means we can enjoy the benefits of large-scale manufacturing, transportation, etc.

Self interest (as a whole) is very much tuned to the short term. While the long-term effects of our actions do have a varying degree of weight on our decisions, I think it's safe to say that short-term benefits - in general - take priority over long-term considerations. In a perfect world, perhaps the negative effects of pollution would be felt and shared immediately by all, and the free market alone could adapt and find an appropriate balance. In the real world, however, we rely on regulation to help minimize poor decisions (intended to maximize short-term profits) of self-interested organizations that would negatively impact us all.


Now, going back to Bitcoin....

I've been watching the growth of Bitcoin since around 2010. I strongly believe that Bitcoin (or at least the concept of a decentralized cryptocurrency) is "an idea whose time has come." It provides a solution that (in theory) needs no regulation - except by democratic vote - in order to protect everyone's interests (unlike the example of pollution above). In my mind, Bitcoin's greatest achievement isn't so much technical, but rather social. The brilliance is not in the algorithms used or even in the decentralized network. The real achievement is in engineering incentives that keep the system in check.

The U.S. Constitution was (at least at one time) hailed as a remarkable system that ensured a balance of powers. The United States government has been called "the grand experiment", much in the same way Bitcoin is a great, borderless experiment of a similar nature. Whether it's Bitcoin or a successor to Bitcoin, I think this experiment is here to stay.


So what does this have to do with mining pools? As others have said, I really doubt that any mining pool would be foolish enough to do something completely crazy and destroy all of our trust in Bitcoin overnight - at least not intentionally. But think about it this way: if every bank vault in the world had a vulnerability that you (and only you) could exploit, possibly without detection (or at least with a degree of deniability)... what would you do? I doubt any sane person with that ability would immediately go drain every account they could get their hands on. It would cause global economic collapse - a world where even obscene amounts of money really wouldn't be worth much. You'd probably even tell yourself "I'm an honest person - I'm not touching that money"... until that nagging starts getting stronger and stronger.

Sooner or later, if given the opportunity to take unfair advantage of the system day after day, month after month, I think a lot of otherwise "trustworthy" people/organizations will end up giving in, albeit in subtle ways at first. Most people left to their own devices wouldn't flip a switch (for a reward) to immediately contaminate all of the world's fresh water at once, but if given a million switches each of which contaminates just 1 millionth of the world's fresh water for a substantial reward... I think there'd be some serious switch-flipping going on.


So what am I saying? Basically, I'm more worried now than I've ever been about the future of Bitcoin for one reason: the very real possibility for mining pools to be dishonest and carry out attacks. It's something that we really shouldn't wait to see before trying to address it. I don't care how "trustworthy" this or that pool is. I also don't care if a pool is normally incentivized (by block rewards) to stay honest and play by the rules. Bitcoin was built on the assumption of mistrust by all parties - whether or not their actions are in their own best interest. It needs to be immune to the very real possibility of mining pools abusing power for whatever reason.

No, I don't think any large pool is going to team up with another pool tomorrow and go on a "rampage" destroying all of Bitcoin's value by double-spending, reversing transactions, etc. But I don't KNOW that's not going to happen. It's certainly within the grasp of a couple of the pools at the moment. More likely, such abuse would happen slowly at first (as the pool or pools try not to draw attention). There would be speculation of wrong-doing, but no definite answers at first. The value would fluctuate as some people begin to lose trust in the system, while others would believe the system should self-correct with time. So the pools would continue to take advantage of their power, testing our trust in the system even more. At some point, a cascade of fear and mistrust would trigger panic in the markets, but this time, there would be no recovery...

Am I alone in this fear? I've heard/read that some Bitcoin alternatives are built on proof-of-work systems that are supposedly immune to this sort of thing... How practical are these solutions really, and is there any chance the core Bitcoin devs will modify Bitcoin's algorithms (assuming miners will adopt the change) to incorporate a solution like that? Is there a plan?

they aren't a threat because they are not nefarious.  

You answered your own question ... because destroying the network benefits nobody.

I hope you're being sarcastic. "Not nefarious" - just like the banks, NSA, government, and pretty much any other organization with power is decidedly not nefarious.

Maybe I didn't explain this point clearly enough. Of course no one is going to destroy the network intentionally, especially if they are benefitting from its function.

But if you think someone with (the potential for) a majority of the network's hashing power wouldn't consider a double-spend here and there (possibly getting away with it), you're fooling yourself. No one sets out trying to destroy the environment, but after getting away with a few seemingly insignificant misdeeds, people can and will push the envelope will a false sense of safety and a little greed. In this case, it starts small and snowballs into the network's destruction before anyone realizes what has happened. Even factoring in the possible destruction of the network, such an abuse could actually be quite profitable for a pool if the rewards are quickly converted to other forms of value before Bitcoin's value crashes.

People get greedy - even when it's ultimately self-destructive. History gives us plenty of examples illustrating this.

unless they can manipulate the price upward, there's no reason to do.  what are they planning to do?  double spend on weed transactions on Silk Road??  happy new year!!

Alright, let's try a little thought experiment: suppose for a moment that you (yes, just you) control a majority of the Bitcoin network's hashing power. Is buying weed really the only thing you can think to do? If so, then more power to you - enjoy!

Give it some thought, and I'm sure you can come up with a number of ways to extract value (where that value no longer depends on the price of Bitcoin) in a series of seemingly small abuses that wouldn't draw much attention or cause immediate widespread panic of the network (according to some, this has already happened). At least, not at first.

You may not have any INTENTION to destroy the network, but if you have that kind of power, I'm sorry... it's just a matter of time.

You realize how big the hashing power of the  network already is right? And getting bigger by the day

All I can suggest is if you believe the 51% attack is bound to happen one day, don't invest anything in bitcoins.

And by the way, this topic has been discussed to death over the last couple of years.

Here's another point to consider:

If we catch a traditional criminal secretly syphoning money from a bank, we call in the authorities, shut down the operation, and (in many cases) recover the funds.

Now consider what happens on the Bitcoin network: we find evidence of pools abusing their power and... wait, there's not a whole lot we can do other than try and buy/build enough competing mining power. Otherwise, the pool just continues on with criminal behavior day after day while we watch Bitcoin's value suffer. It's either that, or be proactive and stop this kind of attack before it happens and destroys the network.

Food for thought.

How exactly does this criminal pool pull this heist off?

I realize this topic has been beat to death previously, but apparently it hasn't been discussed enough. Otherwise, I believe it would have already been addressed by a change in the protocol and/or algorithms (which hasn't happened).

I do understand the level of hashing power on the network. I also recognize that if just two or three of the large mining pools were to collude, then 51% would easily be within reach. 51% isn't even necessary to attempt and succeed in many cases in such attempts. Is that really so remote a chance?

Well for one, the increasing adoption of Bitcoin by major businesses/retailers is perhaps a double-edged sword in this case.

Every day, more and more people are willing to accept Bitcoin as a form of payment, which means that every day, more and more people are open to loss via double-spend attacks.

In essence, it's basically a form of money laundering where the game is all about converting value from a high-risk store of value to another store of value with lower risk.

EDIT: The difficulty in profiting from an attack vector really shouldn't even have any bearing on the discussion here. The truth is, it's a known vulnerability with possible/proposed solutions that exist, so why is there so much pushback? I really want Bitcoin to succeed in the long run (hence why I'm even posting). I just think this issue deserves more serious attention.

So... since this topic has apparently been discussed already at length, would someone kindly summarize the current plan for dealing with this type of attack?

Let's put motives aside. As the wiki explains, "if this attack is successfully executed, it will be difficult or impossible to 'untangle' the mess created." Something which, as we know, is easily within reach even now.

Please don't tell me "it's unlikely to happen because mining pools have no reason to do so." That's not an answer to the question.

I'm not trying to make a point here that Bitcoin is flawed; I'm genuinely curious about the current best proposed solution to what I believe is a very real threat.

Even miners controlling large amounts of hash power are significantly limited in their ability to unfairly benefit from their hash power:

Miners can't:

- spend other people's coins
- issue themselves 'extra' bitcoins (beyond the block reward)
- spend coins twice (in a permanent way such that extra coins come into circulation)

Sure they can attempt to "double spend" and be guaranteed to succeed with a certain probability, but this just means they tricked someone into thinking--for only a very short amount of time--that they were paid when in fact they weren't.  When the double spend is complete, everyone will see that the coins were only ever "really spent" once.  This is why you can't withdraw your 1000 BTC jackpot from just-dice.com until your original deposit reaches 7 confirmations.
 

 

So, it's my understanding that GHash recently mined 6 blocks in a row, with 25% of the network hashing power according to blockchain.info. Let's assume they collude with another similarly-sized pool and mine 12 blocks in a row (not unreasonable or particularly unlikely).

With an average time of 10 mins per block, that's 2 hours. I agree - not a LONG time in day-to-day life, but certainly a long time in the digital world. How much time (or how many confirmations) are most reasonable people waiting for these days? A few? Maybe 8 or 10 confirmations for something of high value?

Now, think of all the coins an attacker may have in reserve, and realize that they could easily all be double-spent in that somewhat short time period in transactions where people are being reasonably careful (waiting for several confirmations)... And unlike many other types of fraud, no one can simply reach in the attacker's bank account and seize/recover those funds. Bitcoin merchants & service providers will lose money, and they'll have little recourse.


Let's try some cost/benefit analysis: assuming 12 blocks of double-spend time... (we'll ignore the costs associated with operating the pool's mining resources as the cost will be the same in either scenario)

Opportunity cost to the pool: none if only the double-spend transactions are somehow reversed because you'll still get the block reward for those blocks. Otherwise, if those blocks are completely discarded by the network, then your opportunity cost is 12 * 50 BTC = 600 BTC (plus transaction fees).

Benefit to the pool operator(s) in attack scenario: The value of all coins in possession of the pool operator. Even after the attack is discovered and the double-spends are corrected on the network, you have whatever you spent your coins on + your original coins.

Risk: possible devaluation of Bitcoin if enough people become concerned with what you just did. But let's be honest - no one's going to care about a few double-spends, right?


I'm not talking about going out and "buying some weed" or having a crazy night on the town. There are plenty of businesses now (brick-and-mortar as well as online services and marketplaces) where people are willing to sell high-value items (e.g., exotic cars) for Bitcoin. Heck, many online exchanges only require 8 or 10 confirmations before funds can be traded. In that time, you could literally crash the market with your double-spent funds. Then just as people figure out what you've done, you buy back in as the market is recovering. Your double-spends are corrected by the network, but guess what - you still have all of your original coins + whatever you made while manipulating the market. As long as that's greater than the opportunity cost (accounting for the level of risk you feel it poses to Bitcoin's long-term value), then it makes economic sense to perform the attack.


Or maybe I'm missing something that prevents all of this... if so, please tell me.

But again, the debate really shouldn't even be about the profitability of the attack. It's about looking for real solutions to real problems (which can and will affect the future of Bitcoin), instead of dismissing them as being "unlikely" because "no one would ever want to."

It does not matter who mined the 12 blocks. If you want to double spend a coin in 12 blocks before (say current block height is 10012, and you want to double spend a coin at 10001), you have to reverse back 12 blocks and begin mining a new block (10001). In the same time, other miners are mining 10013. Your hash rate needs to be faster than all other miners so you can catch up with the main chain before next difficulty adjustment. Don't expect you will finish all blocks 10001 - 10013 before other miners find their block 10013. You have to catch up with them slowly, maybe at block 10033 or even 10133. Before that, all the blocks you mined are treated as orphan blocks.

If you are still mining the shorter chain after next difficulty adjustment, you will never catch up because the other miners mining speed will be doubled due to difficulty decrease.

Moreover, it is very easy for the public to find you are trying to do this malicious thing.
1) The confirmation time of following blocks are doubled, because your hash rate has left to mine a 10001.
2) You've mined many orphaned blocks in a row (10001, 10002, ...) until your chain catches up with the main chain and replace it.
3) All the clients will suffer from a deep reorganization after your chain finally catches up and replace the old block chain.

In short, even if you have 51% hash rate, you will not double spend some coins 12 or even 6 blocks away. Otherwise, it takes a lot of time for you to catch up with the main chain, and people will notice this very easily.

I never said you have to wait for the 12th block to begin spending on transactions that will ultimately be nullified by the pool's private fork of the chain. You begin spending at 10001 (from your example), and you broadcast the private fork at 10012, recovering your spent coins. According to the wiki, with > 50% hashrate, the attack "has a probability of 100% to succeed. Since the attacker can generate blocks faster than the rest of the network, he can simply persevere with his private fork until it becomes longer than the branch built by the honest network"

Again, you don't have to wait - you spend, spend, spend, then magically reveal your fork that nullifies the transactions of the past 2 hours (or however long). Except, whoever sold you good/services in that time (or a middleman like BitPay) doesn't get to magically take back all that you stole.

And no, difficulty adjustments should have nothing to do with the scenario as they happen so infrequently, they really don't affect the outcome.


But still, why are we even talking about how easy it is "for the public to find you are trying to do this malicious thing", or the profitability of such a thing? It doesn't matter!

Let me put it this way:

If tomorrow morning you wake up and find out that some colluding mining pools have (surprise surprise) gone on a large-scale double-spending spree, stealing an enormous amount of value from merchants and service providers, which of the following questions are you going to be asking:

"How did this happen?" - No, because we already know how it will happen.

"Why did they do it?" - No, because who cares? I guarantee you won't be thinking "I sure hope the attackers were profitable in this."

"What can we do to prevent this from continuing to happen?" and "Why the heck didn't we take this threat more seriously?" - Yes, because even discovering who did it and what happened, you'll have little recourse. Sorry, can't whine about it to some central authority that makes everything right. You just have to suck it up (while the attack will likely keep happening, over and over) and try to actually do something about it.


But why wait? Why is this not discussed more seriously? Why isn't this a top priority issue?

I think one thing you're missing is the fact that the nefarious miner can only succeed with a certain probability.  Consider a nefarious miner with 25% of the global hash power:


The probability that he mines the next block = 25%
The probability that he mines the next two blocks is 0.25 x 0.25 = 6.25%
...
The probability that he mines the next six blocks is 0.25^6 = 0.024%
The probability that he mines the next seven block is 0.25^7 = 0.0061%


Consider your example of double-spending to crash the market: the nefarious miner transfers 10,000 BTC to MtGox to dump, and then starts trying to mine a new chain fast enough that he can "undo" this 10,000 BTC transaction.  While feverishly mining, he waits till his MtGox deposit has confirmed, and then market sells his 10,000 BTC.  Due to slippage he gets significantly below market price.  Then it dawns on him that since he only has 25% of the global hash power, the chances that he will actually succeed in this double-spend attempt is remarkably small.  He literally must perform this fraud attempt hundreds of times before he is likely to succeed.  Each time he fails, he looses a significant amount of his capital (because he just did something stupid like market selling 10,000 coins).  In the extremely unlikely event that he succeeds before he runs out of bitcoins, what he did will be pretty obvious since he would orphan a long valid chain, that, hmm, just happens to correspond with the big dump at MtGox.  
  

I've started a thread about the possibility of subsidizing mining pools that keep themselves under 25% of the total hash power. I think it may be completely feasible to fund this entirely from community donations, assuming funds are spent intelligently. Let me know what you think.

https://bitcointalk.org/index.php?topic=397708.0

Don't forget that no exchange will actually send your funds instantly, they all wait days/hours, and large transactions are manually processed.  Additionally, a double spend is not only publicly viewable but OBVIOUS once it has successfully happened.  You'd never get any money from the exchange.

It benefits a lot of people, ask Ben Bernanke and his friends.

Bitcoin is supposed to be based on mathematics and logic, not social factors.
If we wanted to rely on social themes instead of logical proofs, we wouldn't need Bitcoin in the first place.

If a pool does that, do you know what will happen? People will abandon the pool. People will discourage blocks made by the pool.

OK. I think you guys are not understanding (or choosing to ignore) what I'm saying. I am NOT trying to argue exactly HOW a miner would make the attack profitable (I have no doubt that there are profitable methods for doing so, but that's not what this is about). I'm also not arguing that it wouldn't be obvious as to what happened after the fact.

It would be completely stupid to bring a gun into a bank and try to rob it. Any rational person would realize that the potential gain is not really very significant as most banks don't have a lot of cash on hand anyway. Any rational person would not risk the very real possibility of losing years of life, freedom, and "honest" income for such a low payout. A rational person would know that if you were to get away with it (such a low possibility), everyone would know the bank had been robbed. A rational person wouldn't attempt this, BUT IT HAPPENS ALL THE TIME.

The motivation doesn't have to make perfect sense for something to be a very serious threat. The >50% attack is known, there's little we can do currently to stop it (short of significant changes to the protocol and/or algorithms), and it's very much within reach for some of the pools.

Why in the world is there so much pushback (or willful blindness) about this?? Every day that Bitcoin becomes more mainstream, the stakes are higher, and the possible "exit strategies" for this attack become more plentiful. I sincerely don't want it to happen, but I guarantee it will happen eventually unless we are proactive about stopping it. And when it happens, we all (as supporters of Bitcoin) stand to lose.


Or, just go ahead and keep ignoring it because "it wouldn't be as profitable as you'd think." Because the chances are low (never mind the fact that a small probability multiplied over days, months and years becomes a very high probability).

OP is perfect example of people still not understanding every tiny thing in BTC is recorded.

The resources used to attempt and cheat the system will never be worth it ever.

Believe me, I understand the idea of a distributed, peer-verified ledger. Perhaps you still do not understand that "being worth it" SHOULD NOT MATTER. The system is built to be mathematically strong, not strong due to someone's predictions regarding human nature and incentives.

The hashing power size is barely relevant for this discussion.
If an attacker has 51% of it, its absolute size doesn't matter.

Not correct.
There is one final defense against a 51% attack.
Nodes can refuse to propagate blocks made by a malicious node.

Mine on p2pool.

I don't see how your statement invalidates, or even relates to mine.

Regardless of last-defense measures (which don't exist yet in the client anyway), what determines the possibility of an attack is not the total hashing power, but its relative concentration.

A network with trillion times the power of the current network, concentrated in 1 hand, will be horribly weaker than the current.

It isn't worth doing something that will just be erased within the system itself.

This is the first time in history where thieves/bankers can't steal without being publicly seen throughout the whole system.

A fork would terminate any massive attempts, and it would have to be massive for the resources used to be almost worth it, but again it will never be worth it period.

You have got to be kidding me. Did you hit reply and quote me without reading what I said?

BEING "WORTH IT" DOESN'T MATTER.

If the attack is possible, then it CAN and WILL happen. Just give it time. If you are all really too blind to see that, then gosh, this community really isn't what I thought it was. I thought we (most of us) wanted Bitcoin to succeed. I thought we'd support a discussion about possible measures that would help ensure the long-term success of Bitcoin. Instead, all I hear is people saying "you're an idiot for thinking someone would want to do that."

Sheesh.

P2Pool seems like a good solution from what I understand. Yet according to blockchain.info, it accounts for only 2% of mining power. Can someone familiar with P2Pool vs other pools explain why it's not more popular? Is there something that could be done to help it grow?

I'm all with you on this.
It's depressing to see how people advocate Bitcoin as being trust free, yet chose to ignore any threat that makes it trust based.
If the developers won't address such threats, Bitcoin will be destroyed sooner or later.
It's value is derived from its main promise; of being trust free. Without this promise, Bitcoin is nothing.

To me the issue is this, lets say 95% of the network hashing power is spread across 5 pools. All a malevolent group needs to do is disable these 5 pools for a matter of hours to successfully attack the network. As Im sure all miners know, even the best pools dont have 100% uptime. Now imagine the 5 biggest pools all went down within minutes of each other. Im quite sure a group with big resources and talent, let alone the nearly omnipotent NSA, could achieve something like this with relative ease.

How do you counteract such an attack? Fork the blockchain, and orphan the cheating block.

So why don't we just cut to the chase and pool all the mining power into a single pool owned by a single, non-nefarious, person?

The pool may not be a threat, but the possibility of downtime weakening the network is.

The variance in payouts is pretty big since each share has a larger difficulty than shares of other pools.
Also p2pool has a 1% fee or something, I think other large pools can afford to take no fee at all.
It shouldn't matter in the long run. I guess miners don't know or don't care as long as the btc keeps coming in.

People can donate to p2pool which adds to the rewards miners get. If enough people do it publicly it might convince miners to switch.

By the time you detect the block as being a "cheating block", the attacker will have already spent their coins and converted them into something that can't be taken back. All your fork does is restore the attacker's original balance, allowing them to repeat the attack again and again.

Instead of relying on people doing something "smart" and supporting a solution like P2Pool, is there some way the concept behind P2Pool could be built in to the Bitcoin protocol itself, disallowing any mining that doesn't happen in a decentralized way? In my opinion, the solution needs to be built in to Bitcoin at a fundamental level.

......because Bitcoin is really just a centralized form of privatized currency that is under the control of non elected officials called exchange and mining pool owners.

I think it takes about 4-5 of these large pools (BTCGuild Size) to get the %51 enough for this. Now to get all these people insane and to target the network they benefit from can be considered as a conspiracy theory. also if this is noticed miners will simply leave that pool.

You can just go right ahead with your blind ignorance. I respect your freedom to do so.


For those of us actually concerned about Bitcoin's longevity, how about giving some thought to my proposal earlier: what if we (and the Bitcoin devs) just built the concept of P2Pool (something similar) into Bitcoin itself? Basically, for any block to be accepted anywhere, it would have to be mined by someone participating in the one - and only - decentralized "pool".

If a system is only as strong/secure as its weakest component, I would consider mining to be that for Bitcoin. The way mining currently works encourages centralized mining pools (which happen to consolidate over time into large pools). This flies in the face of Bitcoin's core, foundational objectives.


The Bitcoin protocol is a piece of software. As a software developer, I can tell you that no piece of software is EVER perfect. I often get the feeling that people on these forums assume Bitcoin is perfect in its current state. That is not the case (the Bitcoin devs will be the first to tell you it's not perfect), but it's getting better every day.

So, why not fix this aspect of Bitcoin now before it becomes a problem? Why leave it up for debate, letting people speculate about how feasible it may or may not be? Why not just, you know, actually face these problems like clear-minded adults? I realize that changing the protocol (especially to modify it in this way) is no trivial task. But the whole concept of a decentralized cryptocurrency was no trivial task either, yet it exists (thanks to some hard work), and it's pretty dang awesome in my opinion. That doesn't mean we shouldn't try to improve it when weaknesses are identified (however "unlikely" we may think they are).

One serious problem with a 51% attack is that the attacker can just ignore other people's blocks.  Given more than half the hashing power, eventually the blockchain he creates all by his lonesome is longer.  At which point, he pockets all the block rewards. 

Heck, he could even start mining ten or twenty blocks in the past, forcing a chain reorg when he catches up, and thereby get block rewards that were given to someone else before his attack began. 

It is not at all unusual to see seven or eight out of every nine blocks go to one of the top three mining pools.  Even the top two account for more than half.  If they collude, then they can just freeze out all other miners until they feel like letting go. 

Of course you wouldn't want to do it for more than a few hours a week or so, because hey, people would notice and then the value of what you stole would crash to nearly nothing.

Y'all may be more worried about double spends, and a merchant who finds himself out of merchandise that someone bought with coins on an orphaned fork.  But that's surely not the only thing you need to worry about.