Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: barbarousrelic on November 20, 2011, 06:05:36 PM



Title: How exactly would a 51% attack work?
Post by: barbarousrelic on November 20, 2011, 06:05:36 PM
Let's say a person drops a few million bucks and now has 51% of the network hashing power, and he wants to run the 51% attack we hear so much about. What does he do?

My understanding is that he makes a payment to a person for goods, receives the goods, and then quickly makes a second payment to an address he owns. If he happens to mine the next block (which he will with 51% probability), he includes the payment to his own address in the block but not the payment to the person who he received goods from. Then what? Will all further blocks reflect that the first transaction to the defrauded person never happened and the second transaction did happen?

The problem I have with my understanding of this is that there is only marginal benefit to having 51% of the network - having 51% of the network only allows you to double spend 51% of the time. But if you had 40% of the network, you would be able to double spend 40% of the time, which is still a pretty serious problem. There's nothing really special about getting 51%, right?

Is my understanding of this wrong? Thanks.


Title: Re: How exactly would a 51% attack work?
Post by: BTCurious on November 20, 2011, 06:23:33 PM
Your understanding is close.
If I had 51%, I could mine a chain of blocks in which I transfer all my coins to my personal wallet. I'd mine this chain about 10 long, but not tell the rest of the network. At the same time, I convert all my coins to dollars on the exchange and withdraw them. This happens on the normal blockchain.

After my withdrawal has gone through, the normal blockchain is about 9 long, while my blockchain is 10 long. I announce all my blocks to the network, and lo and behold, the network confirms I am right.

But dollars can't be reverted! So the exchange takes a loss.


Instead of the exchange, I could do this with buying anything for bitcoins. If this happens a few times, it will probably kill bitcoin, or at least hurt the trust in the system severely.


Title: Re: How exactly would a 51% attack work?
Post by: barbarousrelic on November 20, 2011, 06:31:15 PM
Your understanding is close.
If I had 51%, I could mine a chain of blocks in which I transfer all my coins to my personal wallet. I'd mine this chain about 10 long, but not tell the rest of the network. At the same time, I convert all my coins to dollars on the exchange and withdraw them. This happens on the normal blockchain.

After my withdrawal has gone through, the normal blockchain is about 9 long, while my blockchain is 10 long. I announce all my blocks to the network, and lo and behold, the network confirms I am right.

But dollars can't be reverted! So the exchange takes a loss.


Instead of the exchange, I could do this with buying anything for bitcoins. If this happens a few times, it will probably kill bitcoin, or at least hurt the trust in the system severely.

Ahh, I see. So 51% is the magic number because that's the point at which a person can make alternative blocks faster than the rest of the network combined, and then spring the alternative, longer blockchain on everybody all at once, later on, where it replaces the blocks everyone thought were already finalized and settled.

Thank you!


Title: Re: How exactly would a 51% attack work?
Post by: Meni Rosenfeld on November 20, 2011, 06:52:28 PM
Your understanding is close.
If I had 51%, I could mine a chain of blocks in which I transfer all my coins to my personal wallet. I'd mine this chain about 10 long, but not tell the rest of the network. At the same time, I convert all my coins to dollars on the exchange and withdraw them. This happens on the normal blockchain.

After my withdrawal has gone through, the normal blockchain is about 9 long, while my blockchain is 10 long. I announce all my blocks to the network, and lo and behold, the network confirms I am right.

But dollars can't be reverted! So the exchange takes a loss.


Instead of the exchange, I could do this with buying anything for bitcoins. If this happens a few times, it will probably kill bitcoin, or at least hurt the trust in the system severely.

Ahh, I see. So 51% is the magic number because that's the point at which a person can make alternative blocks faster than the rest of the network combined, and then spring the alternative, longer blockchain on everybody all at once, later on, where it replaces the blocks everyone thought were already finalized and settled.

Thank you!
Exactly. Satoshi's original paper contains calculations for how many blocks the recipient has to wait to keep the chance of succeeding in double-spending at a given level (say 0.1%), as a function of the attacker's hashrate. At >50% hashrate the number of blocks is infinite - no matter how many blocks are waited, the attacker has 100% chance to eventually have the longer chain.

This attack isn't the only thing you can do with high hashrate, though.
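
The calculation from section 11 of Satoshi's paper that this post refers to, as an added example that is not part of the original thread: it computes the attacker's catch-up probability and the number of confirmations a recipient must wait for a chosen risk level such as 0.1%. The function names and the search limit are this example's own.

```python
import math


def attacker_success_probability(q, z):
    """Chance that an attacker holding hashrate share q ever overtakes the
    honest chain once the recipient has waited for z confirmations.

    Implements the whitepaper's sum:
        P = 1 - sum_{k=0..z} Poisson(k; lam) * (1 - (q/p)^(z-k)),
    with p = 1 - q and lam = z * q / p.
    """
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    if q >= 0.5 or z == 0:
        return 1.0   # a majority always catches up; zero confirmations protect nothing
    if q == 0.0:
        return 0.0
    p = 1.0 - q
    lam = z * q / p
    ratio = q / p
    total = 1.0
    for k in range(z + 1):
        # Poisson term in log space so exp(-lam) cannot underflow for large z.
        log_poisson = -lam + k * math.log(lam) - math.lgamma(k + 1)
        total -= math.exp(log_poisson) * (1.0 - ratio ** (z - k))
    return min(max(total, 0.0), 1.0)


def confirmations_needed(q, max_risk, limit=10000):
    """Smallest z with success probability below max_risk, or None when no
    number of confirmations up to `limit` is enough (always the case at q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def confirmation_table(shares, max_risk):
    """Map each attacker hashrate share to the confirmations a recipient needs."""
    return {q: confirmations_needed(q, max_risk) for q in shares}


if __name__ == "__main__":
    # 0.1% risk level, as in the post above.
    for q, z in confirmation_table([0.10, 0.20, 0.30, 0.40, 0.45, 0.51], 0.001).items():
        print(f"attacker share {q:.2f}: wait {z if z is not None else 'forever'}")
```

The wait grows without bound as the attacker's share approaches one half, which is the reason the thread treats 51% as the threshold.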


Title: Re: How exactly would a 51% attack work?
Post by: bulanula on November 20, 2011, 08:36:57 PM
Your understanding is close.
If I had 51%, I could mine a chain of blocks in which I transfer all my coins to my personal wallet. I'd mine this chain about 10 long, but not tell the rest of the network. At the same time, I convert all my coins to dollars on the exchange and withdraw them. This happens on the normal blockchain.

After my withdrawal has gone through, the normal blockchain is about 9 long, while my blockchain is 10 long. I announce all my blocks to the network, and lo and behold, the network confirms I am right.

But dollars can't be reverted! So the exchange takes a loss.


Instead of the exchange, I could do this with buying anything for bitcoins. If this happens a few times, it will probably kill bitcoin, or at least hurt the trust in the system severely.

Ahh, I see. So 51% is the magic number because that's the point at which a person can make alternative blocks faster than the rest of the network combined, and then spring the alternative, longer blockchain on everybody all at once, later on, where it replaces the blocks everyone thought were already finalized and settled.

Thank you!
Exactly. Satoshi's original paper contains calculations for how many blocks the recipient has to wait to keep the chance of succeeding in double-spending at a given level (say 0.1%), as a function of the attacker's hashrate. At >50% hashrate the number of blocks is infinite - no matter how many blocks are waited, the attacker has 100% chance to eventually have the longer chain.

This attack isn't the only thing you can do with high hashrate, though.


What else can you do ? Please share. Thank you !


Title: Re: How exactly would a 51% attack work?
Post by: BTCurious on November 20, 2011, 08:42:25 PM
If you have a lower percentage but still reasonable, like 40% or something, you can do a Finney attack.
I can't think since I'm listening to the bitcoin interview, but have a look here: https://bitcointalk.org/index.php?topic=3441.msg48384#msg48384


Title: Re: How exactly would a 51% attack work?
Post by: sadpandatech on November 20, 2011, 09:05:13 PM

Ahh, I see. So 51% is the magic number because that's the point at which a person can make alternative blocks faster than the rest of the network combined, and then spring the alternative, longer blockchain on everybody all at once, later on, where it replaces the blocks everyone thought were already finalized and settled.

Thank you!
Exactly. Satoshi's original paper contains calculations for how many blocks the recipient has to wait to keep the chance of succeeding in double-spending at a given level (say 0.1%), as a function of the attacker's hashrate. At >50% hashrate the number of blocks is infinite - no matter how many blocks are waited, the attacker has 100% chance to eventually have the longer chain.

This attack isn't the only thing you can do with high hashrate, though.

  The key thing to note in Meni's explanation is 'eventually'. Due to variation it would be quite possible that the attacker might not find more blocks than the 49% for days or weeks even. There is a HUGE amount of luck involved on the attacker's end if they are to be successful. Plus the attacker would have to ensure he actually had complete control of the daemon that was keeping tabs on his attack blocks. A pool in itself over 50% means nothing unless it can be hacked and controlled completely or the OP was in on it. In the case of most pools they would lose more than they would stand to gain from what would certainly only be allowed to happen once.

  That being said, we are seeing more spread of hashing power these days and there are projects in the works that will help to maintain a high overall network hashrate, deterring 'lone' 51% wolves from gaining enough to beat the entire network on their own.


Title: Re: How exactly would a 51% attack work?
Post by: pointbiz on November 21, 2011, 01:40:00 AM
I think there are many misunderstandings about a 51% attack. There isn't much you stand to gain by using 51% of the hashing power to double spend. Let me explain...

There can only be one entity at a time who is in a position to do a 51% attack. It's not like everyone you transact with is suddenly going to burn you with a double spend. All the honest miners will focus their efforts on identifying who this 51% attacker is and not doing trades with them. Once it's known the network is under a 51% attack, the honest nodes will quickly start blacklisting addresses that performed double spends and limit the attacker's ability to spend his coins. He would essentially be destroying all his coins.



Title: Re: How exactly would a 51% attack work?
Post by: jjiimm_64 on November 21, 2011, 05:40:14 AM

I think the most important thing about a 51% attack is not what the entity will do with a new block chain...  it is only the fact that it happened and the bitcoin network will crumble! unfortunately.


Title: Re: How exactly would a 51% attack work?
Post by: Meni Rosenfeld on November 21, 2011, 06:48:29 PM
This attack isn't the only thing you can do with high hashrate, though.
What else can you do ? Please share. Thank you !
You can reject all blocks which do not belong to you, to make sure you get 100% of the block reward rather than your hashrate proportion.

You can reject all blocks which do not belong to you and not include any transactions in your own blocks, to prevent any transaction from being confirmed.

I think there are many misunderstandings about a 51% attack. There isn't much you stand to gain by using 51% of the hashing power to double spend. Let me explain...

There can only be one entity at a time who is in a position to do a 51% attack. It's not like everyone you transact with is suddenly going to burn you with a double spend. All the honest miners will focus their efforts on identifying who this 51% attacker is and not doing trades with them. Once it's known the network is under a 51% attack, the honest nodes will quickly start blacklisting addresses that performed double spends and limit the attacker's ability to spend his coins. He would essentially be destroying all his coins.
Identifying addresses involved in double spending isn't trivial, especially if you consider that future advanced transaction schemes could make use of legitimately superseding one transaction by another.

Even if you could detect them, I for one disagree with the idea to blacklist addresses. And my own disagreement is indicative of the fact that it will be very difficult, if at all possible, to obtain consensus to do this, and even if so, the client software isn't set up for this and a lot of work would be required to enable this feature. Also, for this to work the entire network needs to agree which addresses are blacklisted which is also difficult, so you're guaranteed to have chaos.

The main misunderstanding is to think that the only reason to carry out a hashrate attack is to profit from a double-spend. More likely a hashrate attack will be carried out by someone who wants to destroy Bitcoin, or at least to profit from short-selling bitcoins. Generally, mechanisms to protect against profitable double spending will amplify the chaos that ensues during such an attack, making us more vulnerable to a malicious attack.

Also, once this starts happening the bitcoin rate will probably drop, and depending on the attack miners will have their blocks rejected so it won't be profitable. Miners will quit and then it will be even easier to continue the hashrate attack. And since the difficulty targeting algorithm doesn't handle sudden drops in hashrate well we have a whole new set of problems.

This is a problem which hasn't been solved yet. It is probably solvable, and I've written occasionally on some pieces of what I think the solution will be. And I'm sure you could respond with some additional protection mechanisms. But these all have their own pros and cons, and need to be carefully considered, agreed upon and implemented. We need to prepare in advance for the contingency of a hashrate attack. Otherwise the chaos of the event could radically shake the faith in Bitcoin.


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on November 21, 2011, 07:24:04 PM
I think there are many misunderstandings about a 51% attack. There isn't much you stand to gain by using 51% of the hashing power to double spend. Let me explain...

There can only be one entity at a time who is in a position to do a 51% attack. It's not like everyone you transact with is suddenly going to burn you with a double spend. All the honest miners will focus their efforts on identifying who this 51% attacker is and not doing trades with them. Once it's known the network is under a 51% attack, the honest nodes will quickly start blacklisting addresses that performed double spends and limit the attacker's ability to spend his coins. He would essentially be destroying all his coins.


1) You won't have any warning a 51% attack is in progress until after the fact.  The attacker will build an "attack chain" in private.  With 51% of the hashing power it is a mathematical certainty that eventually his chain will be longer than the legit chain at which point he publishes it and it rewrites the prior transaction.

2) Even if you did blacklist an address it is unlikely the entire mining community would do so unanimously.  If there was a "blacklisted" address involved in a transaction with a 5% fee you honestly think no miner or mining pool would ever accept that from now till the end of time?

3) Preventing blacklisting would be trivial.  You simply make sure the address never has more than the double spend.  i.e.  I have address X w/ 10K BTC.  I double spend it via two transactions A (involving 10K BTC) and B (involving 10K BTC).  After the double spend is complete address X has a value of 0 BTC.  Given you can generate an infinite number of addresses for free what value is there in blacklisting a 0 value address?


The main misunderstanding is to think that the only reason to carry out a hashrate attack is to profit from a double-spend. More likely a hashrate attack will be carried out by someone who wants to destroy Bitcoin, or at least to profit from short-selling bitcoins. Generally, mechanisms to protect against profitable double spending will amplify the chaos that ensues during such an attack, making us more vulnerable to a malicious attack.

Also, once this starts happening the bitcoin rate will probably drop, and depending on the attack miners will have their blocks rejected so it won't be profitable. Miners will quit and then it will be even easier to continue the hashrate attack. And since the difficulty targeting algorithm doesn't handle sudden drops in hashrate well we have a whole new set of problems.

I believe this is the most likely.  The huge cost of amassing that much hashing power means it would likely always be more profitable to use that hashing power for "good".  Getting away w/ double spend would be difficult because any shipped products (or transferred fiat) can be traced.  Even if the double spend could go untraceable there is going to be meatspace trails.

So IMHO the only reason to 51% the network is to kill it.  A currency has value only if its value can be trusted.  Bitcoins which can disappear at the will of an attacker have no value.  The collapsing price, falling hashrate, and reluctance of merchants to accept them after a 51% attack will kill Bitcoin.


Title: Re: How exactly would a 51% attack work?
Post by: AngelusWebDesign on November 21, 2011, 07:30:15 PM
Let's say a person drops a few million bucks and now has 51% of the network hashing power, and he wants to run the 51% attack we hear so much about. What does he do?

I object to the idea that a "few million bucks" would place a person in control of mining capacity large enough to be 51% of the network.
Between video cards, computer hardware, networking equipment, furniture (server racks, etc.), cooling, OFFICE SPACE, labor, advertising to get that much labor, electricity, etc. it would have to be quite a chunk of change. A few million probably wouldn't do it.

Just take one of the items, "labor" for example -- we're not talking the kind of labor you can pick up outside Home Depot  ;)  PC techs make more than minimum wage, and the guy who can design and manage something of that scale (layout, cooling, connectivity, Linux expertise, etc.) is certainly going to make more than $10/hour.

That's my point -- the Bitcoin network is HUGE at this point, and to get 51% would take an operation of insane magnitude.

Besides, when NewEgg and everyone else is all of a sudden "sold out" of 6XXX series cards, many Bitcoin advocates and miners would know something is up :)


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on November 21, 2011, 07:33:04 PM
I object to the idea that a "few million bucks" would place a person in control of mining capacity large enough to be 51% of the network.
Between video cards, computer hardware, cooling, OFFICE SPACE, labor, advertising to get that much labor, electricity, etc. it would have to be quite a chunk of change. A few million probably wouldn't do it.

In another thread I estimated that it would be ~$2M per TH with COTS when you consider labor, electricity (including mains upgrades), warehouse space, racking, cooling, and administration.

However I personally believe the network is too large to be sustainable at this point.  In the medium term I expect hashing power of the network to continue to decline as there is insufficient real transaction volume to warrant the current network size.


Title: Re: How exactly would a 51% attack work?
Post by: Meni Rosenfeld on November 21, 2011, 07:44:20 PM
In the medium term I expect hashing power of the network to continue to decline as there is insufficient real transaction volume to warrant the current network size.
Well, currently mining is subsidized by generation. But once that's over it's not at all obvious that the network hashrate (scaled to hardware advances) will be as high as it is now even if Bitcoin is successful, and the incentives of trillion-dollar entities to attack it become ever greater.


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on November 21, 2011, 07:49:11 PM
In the medium term I expect hashing power of the network to continue to decline as there is insufficient real transaction volume to warrant the current network size.
Well, currently mining is subsidized by generation. But once that's over it's not at all obvious that the network hashrate (scaled to hardware advances) will be as high as it is now even if Bitcoin is successful, and the incentives of trillion-dollar entities to attack it become ever greater.

Subsidizing doesn't remove the cost, it merely obfuscates it. That cost is felt in inflationary pressure.  If the economy only needs 1000 new BTC daily to satisfy growing demand (due to rising economic activity) and achieve stable prices, but instead generates 7200 via mining then the price of BTC relative to fiat will fall.   Another way to look at it is 7200 BTC daily reward @ $3 is a ~$20K daily expansion to the money supply.  If that expansion is unwarranted then price will fall.

So users of Bitcoin either pay the cost of the network (massively outsized compared to necessity) via direct cost (say a 8% transaction fee looking at volume vs hashing power) or they pay it indirectly via inflationary pressure on their currency.

Subsidy or not the cost is real.  At this point there is no economic demand for an 8TH network.  Maybe not even enough for a 1 TH network.  The current network (at a guesstimate of 2MH/W, $0.10 per kWh and $1 per MH capital cost) consumes nearly $10,000 daily in electrical power and burns through another $1000 in depreciating hardware.  That simply isn't sustainable given the tiny amount of economic activity actually occurring.


Title: Re: How exactly would a 51% attack work?
Post by: btc_artist on November 21, 2011, 07:50:12 PM
Let's say a person drops a few million bucks and now has 51% of the network hashing power,
From what I understand, it would take way more than a few million bucks to have more than 50% of the network hashing power.


Title: Re: How exactly would a 51% attack work?
Post by: notme on November 21, 2011, 08:48:29 PM
The blockchain should have checkpoints every X blocks to limit the time the attacker has to act.  Then if you wait 2x blocks you should be pretty safe.  Blocks 1 to x are checkpointed by block x+1, which itself will be checkpointed by block 2x+1.


Title: Re: How exactly would a 51% attack work?
Post by: sadpandatech on November 21, 2011, 09:40:04 PM
Let's say a person drops a few million bucks and now has 51% of the network hashing power,
From what I understand, it would take way more than a few million bucks to have more than 50% of the network hashing power.

  Not that I would, but I was bored and calculated it out using existing tech, cost of  space, servers, etc. And, I could do it for ~1.28mil per TH..... That's just cost, and has 0 to do with the value of that space, hardware, etc if used for something else. It simply is to state it CAN be done at that price and not how feasible it is or isn't...


Title: Re: How exactly would a 51% attack work?
Post by: pointbiz on November 22, 2011, 12:28:03 AM
The blockchain should have checkpoints every X blocks to limit the time the attacker has to act.  Then if you wait 2x blocks you should be pretty safe.  Blocks 1 to x are checkpointed by block x+1, which itself will be checkpointed by block 2x+1.

I think the bitcoin client already does this.


Title: Re: How exactly would a 51% attack work?
Post by: notme on November 22, 2011, 12:32:23 AM
The blockchain should have checkpoints every X blocks to limit the time the attacker has to act.  Then if you wait 2x blocks you should be pretty safe.  Blocks 1 to x are checkpointed by block x+1, which itself will be checkpointed by block 2x+1.

I think the bitcoin client already does this.

There are manual checkpoints hardcoded with each release.  I'm proposing a much higher frequency of checkpoints.


Title: Re: How exactly would a 51% attack work?
Post by: pointbiz on November 22, 2011, 12:35:00 AM
What I meant by blacklisting was not as elaborate as some have suggested. I merely meant to say that double spends can be easily detected. Once the address which has the proceeds of the double spend is detected then no one will accept payment from that address as good for a trade. Of course the transaction will be processed and received but the recipient will know (through monitoring the forums, etc) that the payment came from a blacklisted address. Merchants just need to keep a lookup table of bad addresses that is published by some trusted unofficial group.

Detecting the double spend should be easy. Address A(ttacker) sends money to Address B(ob) and Address C(on). Bob gets burnt and looks up Attacker's address in the block chain and sees the money went to Con and announces that no one should accept payment from Con, the 51% attacker.


Title: Re: How exactly would a 51% attack work?
Post by: pointbiz on November 22, 2011, 12:39:00 AM
I'm glad no one is worried about a 51% attack being used to perform a double spend.

Everyone is still worried about a 51% attack being used as FUD. That brings a question to mind, how would we stop a 90% attack? If we can't then what's the difference in worrying about a 51% attack versus a 90% attack? Other than 39%


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on November 22, 2011, 12:40:35 AM
What I meant by blacklisting was not as elaborate as some have suggested. I merely meant to say that double spends can be easily detected. Once the address which has the proceeds of the double spend is detected then no one will accept payment from that address as good for a trade. Of course the transaction will be processed and received but the recipient will know (through monitoring the forums, etc) that the payment came from a blacklisted address. Merchants just need to keep a lookup table of bad addresses that is published by some trusted unofficial group.

Nobody would be foolish enough to keep extra funds in the address they double spent from.

I transfer 1000 BTC in Address X.
I spend those 1000 BTC on GPU from Alice.
I publish the 51% attack chain (built in private) reversing that transaction.
I spend 1000 BTC on gold coins from Bob.
I delete address X from my private keys because it has 0 balance.

What good does "blacklisting" address X do?

Quote
Detecting the double spend should be easy. Address A(ttacker) sends money to Address B(ob) and Address C(on). Bob gets burnt and looks up Attacker's address in the block chain and sees the money went to Con and announces that no one should accept payment from Con, the 51% attacker.

Detecting a double spend after the fact is both easy and useless.  It is like detecting if a bank has been robbed by checking to see if the vault is empty when you open it.  In your example there what happens if money has already been transferred from C(on) to P(atsie).  Patsie loses her funds because she was the 2nd half of the victims in the double spend attack?

There is no way to know if address P is owned by the attacker, an accomplice, or a third party victim.  Also there is no concept of "a bitcoin" just balances of addresses. 

So attacker transfers 1000 BTC from address C(on) into address X.
He also transferred 1000 BTC from address L(egit).
He never uses address C again so blacklisting it is useless.

Are you going to also blacklist address X which may or may not be controlled by the attacker?  Are you going to blacklist all 2000 coins even though only half of them were derivatives of the double spend?
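
The after-the-fact check that the two posts above argue about, as an added example that is not from any poster: once a node has seen blocks replaced by a longer branch, it compares the outputs spent in the disconnected blocks with those spent in the replacement blocks. The `Tx` record, the function name and the sample transactions are constructed for illustration; coinbase transactions are assumed to be left out of the input.

```python
from collections import namedtuple

# inputs: list of (previous_txid, output_index) pairs that the transaction spends.
Tx = namedtuple("Tx", ["txid", "inputs"])


def classify_reorg(old_branch, new_branch):
    """Sort every transaction of the disconnected blocks into one of four groups.

    old_branch / new_branch: lists of blocks in chain order, each block a
    list of Tx in block order (so parents always precede their children).
    """
    new_txids = set()
    new_spender = {}                      # outpoint -> txid spending it in the new branch
    for block in new_branch:
        for tx in block:
            new_txids.add(tx.txid)
            for outpoint in tx.inputs:
                new_spender[outpoint] = tx.txid

    report = {
        "reconfirmed": [],                # same transaction is also in the new branch
        "back_to_unconfirmed": [],        # dropped, but still valid and can confirm again
        "double_spent": [],               # an input is now spent by a different transaction
        "invalidated_descendant": [],     # spends an output of a transaction that no longer exists
    }
    dead = set()                          # txids that can never confirm on the new branch
    for block in old_branch:
        for tx in block:
            if tx.txid in new_txids:
                report["reconfirmed"].append(tx.txid)
                continue
            conflicts = sorted({new_spender[o] for o in tx.inputs if o in new_spender})
            dead_parents = sorted({prev for prev, _ in tx.inputs if prev in dead})
            if conflicts:
                dead.add(tx.txid)
                report["double_spent"].append((tx.txid, conflicts))
            elif dead_parents:
                dead.add(tx.txid)
                report["invalidated_descendant"].append((tx.txid, dead_parents))
            else:
                report["back_to_unconfirmed"].append(tx.txid)
    return report


# Constructed sample: the payment to Bob and the payment to Con both spend
# output 0 of "funding"; Bob had already passed his coins on to a supplier.
OLD_BRANCH = [
    [Tx("pay_bob", [("funding", 0)]), Tx("unrelated_1", [("coin_u", 0)])],
    [Tx("bob_pays_supplier", [("pay_bob", 0)]), Tx("unrelated_2", [("coin_v", 1)])],
]
NEW_BRANCH = [
    [Tx("pay_con", [("funding", 0)])],
    [Tx("unrelated_1", [("coin_u", 0)])],
    [Tx("con_pays_patsie", [("pay_con", 0)])],
]

if __name__ == "__main__":
    for group, entries in classify_reorg(OLD_BRANCH, NEW_BRANCH).items():
        print(group, entries)
```

The report names the conflicting transaction and the payments that fall with it, but it cannot say who controls any address that received the coins afterwards.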


Title: Re: How exactly would a 51% attack work?
Post by: cbeast on November 22, 2011, 12:58:04 AM
I'm glad no one is worried about a 51% attack being used to perform a double spend.

Everyone is still worried about a 51% attack being used as FUD. That brings a question to mind, how would we stop a 90% attack? If we can't then what's the difference in worrying about a 51% attack versus a 90% attack? Other than 39%

Right, a 51% attack would only benefit the attacker if someone was dumb enough to trust them with a large transaction. I doubt they would bother with a small transaction. Rather than 'blacklisting' addresses it is simple enough to 'whitelist' or rather 'greenlist' addresses from trusted sources for larger transactions.


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on November 22, 2011, 01:26:08 AM
Right, a 51% attack would only benefit the attacker if someone was dumb enough to trust them with a large transaction. I doubt they would bother with a small transaction. Rather than 'blacklisting' addresses it is simple enough to 'whitelist' or rather 'greenlist' addresses from trusted sources for larger transactions.

51% = 100% control over blockchain.

Why try to steal 1M BTC when you can steal 100 BTC per transaction over 10,000 transactions?  You going to whitelist every transaction big or small from now till the end of time?


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on November 22, 2011, 01:28:07 AM
I'm glad no one is worried about a 51% attack being used to perform a double spend.

Everyone is still worried about a 51% attack being used as FUD. That brings a question to mind, how would we stop a 90% attack? If we can't then what's the difference in worrying about a 51% attack versus a 90% attack? Other than 39%

51% = 100% chance of overcoming the legit chain.  No attacker needs 90%.  They just need 51% and enough time.  While an attacker may use more hashing power to execute the attack quicker it isn't necessary.


Title: Re: How exactly would a 51% attack work?
Post by: cbeast on November 22, 2011, 01:32:48 AM
Right, a 51% attack would only benefit the attacker if someone was dumb enough to trust them with a large transaction. I doubt they would bother with a small transaction. Rather than 'blacklisting' addresses it is simple enough to 'whitelist' or rather 'greenlist' addresses from trusted sources for larger transactions.

51% = 100% control over blockchain.

Why try to steal 1M BTC when you can steal 100 BTC per transaction over 10,000 transactions?  You going to whitelist every transaction big or small from now till the end of time?

There's enough variance that an attacker will not be able to sustain an attack indefinitely with only 51%. This has been discussed ad nauseam. Besides, whitelisting can be automated so it may someday become the norm, at least for large transactions.


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on November 22, 2011, 01:40:54 AM
Right, a 51% attack would only benefit the attacker if someone was dumb enough to trust them with a large transaction. I doubt they would bother with a small transaction. Rather than 'blacklisting' addresses it is simple enough to 'whitelist' or rather 'greenlist' addresses from trusted sources for larger transactions.

51% = 100% control over blockchain.

Why try to steal 1M BTC when you can steal 100 BTC per transaction over 10,000 transactions?  You going to whitelist every transaction big or small from now till the end of time?

There's enough variance that an attacker will not be able to sustain an attack indefinitely with only 51%. This has been discussed ad nauseam. Besides, whitelisting can be automated so it may someday become the norm, at least for large transactions.

Once again with 51% (or whatever comfortable margin you feel is necessary) whitelisting is useless.  Why reverse a single 1M transaction when you can just as easily reverse 10,000 100BTC transactions. 

With 55% hashing power the attacker has a 99.99% chance of having longest chain after 340 blocks.  With 60% hashing power it is only 89 blocks to give the defenders less than 1 in 1000 chance of preventing a reversal.  With 52% of hashing power it just jumps to 700 blocks and with 51% it is 2411 blocks.

Not sure where you get the idea that an attacker couldn't sustain the attack.  Most of the cost would be a capital expenditure; once spent the ongoing electrical cost would be modest.  340 blocks is <3 days.  Even 2411 blocks is <16 days.


Title: Re: How exactly would a 51% attack work?
Post by: cbeast on November 22, 2011, 01:55:27 AM
Right, a 51% attack would only benefit the attacker if someone was dumb enough to trust them with a large transaction. I doubt they would bother with a small transaction. Rather than 'blacklisting' addresses it is simple enough to 'whitelist' or rather 'greenlist' addresses from trusted sources for larger transactions.

51% = 100% control over blockchain.

Why try to steal 1M BTC when you can steal 100 BTC per transaction over 10,000 transactions?  You going to whitelist every transaction big or small from now till the end of time?

There's enough variance that an attacker will not be able to sustain an attack indefinitely with only 51%. This has been discussed ad nauseam. Besides, whitelisting can be automated so it may someday become the norm, at least for large transactions.

Once again with 51% (or whatever comfortable margin you feel is necessary) whitelisting is useless.  Why reverse a single 1M transaction when you can just as easily reverse 10,000 100BTC transactions. 

With 55% hashing power the attacker has a 99.99% chance of having the longest chain after 340 blocks.  With 60% hashing power it is only 89 blocks to give the defenders less than 1 in 1000 chance of preventing a reversal.  With 52% of hashing power it just jumps to 700 blocks and with 51% it is 2411 blocks.

Not sure where you get the idea that an attacker couldn't sustain the attack.  Most of the cost would be a capital expenditure; once spent, the ongoing electrical cost would be modest.  340 blocks is <3 days.  Even 2411 blocks is <16 days.

It will be interesting to see how a 51% attack actually plays out. It's all theory for the moment. It would take a large entity to do this, but there is more than one large entity out there. Probably several. If they were discovered, it's doubtful that their identity would remain unknown and there would be offline repercussions. On that note, Casascius has even shown that Bitcoin can be traded offline entirely if necessary. If there are ever Bitcoin Network wars unleashed by the major superpowers, we may be conscripted to fire up our GPUs to fight. :D


Title: Re: How exactly would a 51% attack work?
Post by: Meni Rosenfeld on November 22, 2011, 07:11:21 AM
The blockchain should have checkpoints every X blocks to limit the time the attacker has to act.  Then if you wait 2x blocks you should be pretty safe.  Blocks 1 to x are checkpointed by block x+1, which itself will be checkpointed by block 2x+1.
I think the bitcoin client already does this.
There are manual checkpoints hardcoded with each release.  I'm proposing a much higher frequency of checkpoints.
If what you mean is that the client will never switch to a different branch, even if longer, if it rejects a block which already has x confirmations, this will lead to situations where a node has checkpointed the wrong version and will never be convinced to switch to the true one. I'll call this approach (which isn't new, of course) "branch cementing".

My own ideas for synchronizable checkpoints - proof of stake via signature blocks - can be found here (https://bitcointalk.org/index.php?topic=37194.msg462786#msg462786). In fact this can work in conjunction with block cementing, since a wrong cement will occasionally be overthrown by a signature block.


Title: Re: How exactly would a 51% attack work?
Post by: pointbiz on November 23, 2011, 02:25:59 AM
DeathAndTaxes, you are making some interesting points!

The traditional scenario is the 51% attacker is using his hashing power to somehow directly profit. The disincentive in that scenario is that 51% hashing power will net more in mining than in double spends.

The scenario you describe is the 51% attacker is spending money to destroy bitcoin without a direct profit incentive (their incentive may be indirect like a competing monetary regime). With 51% or more of the hashing power the attacker will secretly mine for 1 day to two weeks then drop a new chain on the internet. This new chain will contain zero transactions, or none other than what directly benefits the attacker. The honest nodes will have a fresh pool of transactions to confirm and 49% or less chance to get the next block. Do honest blocks eventually get rejected because the attacker is able to perpetually rewrite the chain with empty blocks?


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on November 23, 2011, 02:48:47 AM
The traditional scenario is the 51% attacker is using his hashing power to somehow directly profit. The disincentive in that scenario is that 51% hashing power will net more in mining than in double spends.

Yes and that is a powerful disincentive.  Also getting away with widespread fraud will leave trails in meatspace and that likely will get the attacker caught.  I believe the risk of an economic 51% attack is highly improbable.  As economic activity increases, the value of BTC will increase and the value of the hashing power required to have 51% will also increase.  The network is essentially self-protecting.

Quote
The scenario you describe is the 51% attacker is spending money to destroy bitcoin without a direct profit incentive (their incentive may be indirect like a competing monetary regime). With 51% or more of the hashing power the attacker will secretly mine for 1 day to two weeks then drop a new chain on the internet.

Exactly.  The amount of time can vary but with 51% of hashing power it is a mathematical certainty that eventually the attacker will have a longer chain.  One thing to note is that the attacker can't go back in time.  Meaning if an attacker started now they could only affect future blocks.  Going back in time requires exponentially increasing hashing power because the attacker is essentially starting behind.

Quote
This new chain will contain zero transactions, or none other than what directly benefits the attacker.
The attacker could generate blank blocks but it would create more destruction to create double spends even if the attacker doesn't benefit.  An attacker for example could place 10,000 orders at various Bitcoin merchants using names & addresses harvested via "win a free gold coin, free PS3, free ipad, etc" websites.  These patsies would simply exist to be destinations for merchants' goods.  The attacker could then double spend the network reversing all those transactions and the merchants would be out hundreds of thousands of coins.  The resulting chaos would likely create a lot of negative press when merchants contact these "contest winners" asking for merchandise back.  Also remember when the transaction is reversed it also reverses any follow-on transactions.  Attacker sends 100 BTC to you.  You pay me 20 BTC.  If attacker reverses his transaction it also reverses mine (as you never had the coins to pay me).  That creates further chaos as there is now a conflict between you and me.

So even if the attacker has no economic gain using double spends would cause massive chaos and economic losses for participants.

Quote
The honest nodes will have a fresh pool of transactions to confirm and 49% or less chance to get the next block. Do honest blocks eventually get rejected because the attacker is able to perpetually rewrite the chain with empty blocks?

It is unlikely it would require the attacker continuing in perpetuity.  The reversal would wipe out all miner profits for those reversed blocks.  Imagine if every miner received 0 BTC income this month but still had hundred or even thousand dollar power bills.  Miners would quit in droves.  Merchants would stop accepting Bitcoin as fear of the reversibility of transactions spread.  Bitcoin prices would crash and the attacker could profit by shorting or using put options to gain when Bitcoin prices decline.

However yes any good blocks will eventually be overwritten because the longest chain always wins.  So while in the first block the defenders (if they have 49% of hashing power) will have a 49% chance of being ahead the attacker will make the alternate chain in private.  If the defenders get lucky and get 2 or 3 blocks ahead he can simply restart at the current block attempting to win the next race.  Eventually the defenders' luck will break and their chain will fall behind.  Once the attacker has a longer chain (with a solid lead that is improbable to overcome) and enough transactions ready to double spend he can broadcast the alternate chain, clients will replace the good blocks with bad and in doing so reverse all those transactions and render all other transactions unconfirmed.



Title: Re: How exactly would a 51% attack work?
Post by: finway on November 23, 2011, 03:42:11 AM
Ask altcoin attackers.


Title: Re: How exactly would a 51% attack work?
Post by: bulanula on November 24, 2011, 09:29:45 PM
Ask altcoin attackers.

I think we ought to ask BCX as he has threatened and actually done many a 51% attack:

-NMC threatened and got 30 000 NMC ransom
-FBX killed off by him
-SLC threatened but failed

I think I am missing another one here too.


Title: Re: How exactly would a 51% attack work?
Post by: skinturtle on August 21, 2012, 09:41:43 AM
Please correct me if I'm wrong,

Currently the network hashrate is 17.35. Amazon EC2 has a product that has 2 x NVIDIA Tesla M2050 GPUs. This has a combined power of 160Mhash/s. 17,350,000 / 160 = 108,000 instances to achieve 51% attack.

So 108,000 * 2.10 = $226,800 / hour to achieve 51% attack. Are my calculations correct?


Title: Re: How exactly would a 51% attack work?
Post by: Gabi on August 21, 2012, 10:29:00 AM
Yes, but using Nvidia cards for that is retarded. ATI is much much much better. But well, if you want to use something simple like Amazon EC2 instead of setting up hundreds of rigs with ATI cards maybe it's fine.


Title: Re: How exactly would a 51% attack work?
Post by: fivemileshigh on August 21, 2012, 11:19:52 AM

Subsidy or not the cost is real.  At this point there is no economic demand for an 8TH network.  Maybe not even enough for a 1 TH network.  The current network (at a guesstimate of 2MH/W, $0.10 per kWh and $1 per MH capital cost) consumes nearly $10,000 daily in electrical power and burns through another $1000 in depreciating hardware.  That simply isn't sustainable given the tiny amount of economic activity actually occurring.

Since we're bringing things back from the dead:

Assuming 200,000 btc trade hands at let's say an average of $10, (just at mtgox) that's 2 million per day, with mining costs of 11,000 per day. Is this not a favourable ratio?


Title: Re: How exactly would a 51% attack work?
Post by: barbarousrelic on August 21, 2012, 01:16:18 PM
Please correct me if I'm wrong,

Currently the network hashrate is 17.35. Amazon EC2 has a product that has 2 x NVIDIA Tesla M2050 GPUs. This has a combined power of 160Mhash/s. 17,350,000 / 160 = 108,000 instances to achieve 51% attack.

So 108,000 * 2.10 = $226,800 / hour to achieve 51% attack. Are my calculations correct?

It may not be possible to buy 108,000 of these products. 108,000 of them may not even exist.


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on August 21, 2012, 01:42:45 PM

Subsidy or not the cost is real.  At this point there is no economic demand for an 8TH network.  Maybe not even enough for a 1 TH network.  The current network (at a guesstimate of 2MH/W, $0.10 per kWh and $1 per MH capital cost) consumes nearly $10,000 daily in electrical power and burns through another $1000 in depreciating hardware.  That simply isn't sustainable given the tiny amount of economic activity actually occurring.

Since we're bringing things back from the dead:

Assuming 200,000 btc trade hands at let's say an average of $10, (just at mtgox) that's 2 million per day, with mining costs of 11,000 per day. Is this not a favourable ratio?


Probably not.  Just because 200K BTC trades ON the MtGox exchange (which has nothing to do with the blockchain) doesn't mean an attacker could profit from all that.

So an attacker has a large number of BTC.  He deposits it on MtGox and then starts building an "attack chain" in secret.  Even if he converted the 200K into $2M he can't withdraw that in a day.  Tier 3 verification (requires an apostille seal from your state govt for US residents) is still limited to $100K per day ($500K per month).  So an attacker "could" in theory profit $500K in 5 days.  Of course that ignores the effect of an additional 50K BTC in selling pressure driving down the price.

However in 5 days an honest miner could generate $225,000.  So the ratio between good and bad is much smaller.  Also the only way you are moving $500K in 5 days is by bank wire which is going to leave a trail.  So $225K honestly or $500K + $225K = $725K and risk of going to prison?  Factor in some delays by MtGox on wires and it may require more like 10 days to ensure you have sufficient funds which makes the attack more like $450K honestly or $950K + prison.  Worse say there is a mixup or an AML/KYC hold by one of the banks for 15 days.  Ouch more and more hashing power just to get this "easy" $500K.

Of course even if successful you are now a wanted man and likely wouldn't get more than one attack.  Next month if you tried again (even with a new account) MtGox likely would have lower limits or more stiff validation so it is a low return of then $20M or so you spent on hardware.  Plus nobody is going to run a 10TH/s farm by themselves you are talking an entire crew (admin, technical, electricians, security - you weren't going to leave $20M unguarded in some warehouse were you).  Seems a pitifully small "score" divided 5? 10? ways to risk prison.

Much easier to just offer 7% returns and have people hand you 10x as much with no strings attached. :)

Satoshi designed it well.  The economic disincentive for doing the wrong thing makes it very unlikely there will ever be an economically viable 51% attack.  The only real threat is a non-economic 51% attack (where the attacker sees the attack as simply an unrecoverable cost to destroy Bitcoin).


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on August 21, 2012, 01:46:34 PM
It may not be possible to buy 108,000 of these products. 108,000 of them may not even exist.

That is correct.  IIRC Amazon has only ~10K of those GPU instances.  Also Amazon puts limits on the number of instances one person can purchase.  It isn't completely anonymous (they don't want the bad press of say Iran finally perfecting nuclear detonation timing using EC2 instances).  After the Sony hack, in which the attackers used Amazon instances, there is a lot more cross checking of instances.  A large number of similar instances run by "different users" is very likely going to get audited/halted.

If you need 100 nodes EC2 is viable.  If you need 1,000 nodes you might be able to get away with it if very clever (multiple identities, careful IP proxying, camouflaged instances, etc).  More than that EC2 is a dead end.


Title: Re: How exactly would a 51% attack work?
Post by: skinturtle on August 21, 2012, 06:08:47 PM

Subsidy or not the cost is real.  At this point there is no economic demand for an 8TH network.  Maybe not even enough for a 1 TH network.  The current network (at a guesstimate of 2MH/W, $0.10 per kWh and $1 per MH capital cost) consumes nearly $10,000 daily in electrical power and burns through another $1000 in depreciating hardware.  That simply isn't sustainable given the tiny amount of economic activity actually occurring.

Since we're bringing things back from the dead:

Assuming 200,000 btc trade hands at let's say an average of $10, (just at mtgox) that's 2 million per day, with mining costs of 11,000 per day. Is this not a favourable ratio?


Probably not.  Just because 200K BTC trades ON the MtGox exchange (which has nothing to do with the blockchain) doesn't mean an attacker could profit from all that.

So an attacker has a large number of BTC.  He deposits it on MtGox and then starts building an "attack chain" in secret.  Even if he converted the 200K into $2M he can't withdraw that in a day.  Tier 3 verification (requires an apostille seal from your state govt for US residents) is still limited to $100K per day ($500K per month).  So an attacker "could" in theory profit $500K in 5 days.  Of course that ignores the effect of an additional 50K BTC in selling pressure driving down the price.

However in 5 days an honest miner could generate $225,000.  So the ratio between good and bad is much smaller.  Also the only way you are moving $500K in 5 days is by bank wire which is going to leave a trail.  So $225K honestly or $500K + $225K = $725K and risk of going to prison?  Factor in some delays by MtGox on wires and it may require more like 10 days to ensure you have sufficient funds which makes the attack more like $450K honestly or $950K + prison.  Worse say there is a mixup or an AML/KYC hold by one of the banks for 15 days.  Ouch more and more hashing power just to get this "easy" $500K.

Of course even if successful you are now a wanted man and likely wouldn't get more than one attack.  Next month if you tried again (even with a new account) MtGox likely would have lower limits or more stiff validation so it is a low return of then $20M or so you spent on hardware.  Plus nobody is going to run a 10TH/s farm by themselves you are talking an entire crew (admin, technical, electricians, security - you weren't going to leave $20M unguarded in some warehouse were you).  Seems a pitifully small "score" divided 5? 10? ways to risk prison.

Much easier to just offer 7% returns and have people hand you 10x as much with no strings attached. :)

Satoshi designed it well.  The economic disincentive for doing the wrong thing makes it very unlikely there will ever be an economically viable 51% attack.  The only real threat is a non-economic 51% attack (where the attacker sees the attack as simply an unrecoverable cost to destroy Bitcoin).

Thank you for explaining this so well, I'm new to Bitcoin so I'm looking into all the flaws before I dive in.. So thank you.


Title: Re: How exactly would a 51% attack work?
Post by: Elwar on August 21, 2012, 06:16:40 PM
I did this once. Went to that bar in Orlando that accepts Bitcoin. Bought a beer and some nachos and paid in Bitcoin. What they did not know is that I overclocked my CPU at home to 66MHz and executed the 51% attack perfectly.

By the time I walked out, the Bitcoin I had used to buy the beer was back in my wallet and nobody was the wiser.

Though when I got home, my overclocked computer was fried. Lost all of my favorite gifs and clean Win3.1 install.


Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on March 10, 2014, 07:26:14 PM
An attacker would only need 51% of the total network hash rate if all miners were working cooperatively to solve the next block. Not just working in pools but collectively focused on executing the exact same process. But because miners are competing with each other, running independent and probably redundant processes, an attacker only needs to be faster than the fastest mining node on the network, either using a single fast node or a pool of cooperating nodes with a combined speed that is faster than the fastest miner on the network.

That is 100% incorrect.  In the future how about phrasing things you don't know as a question.  There are no redundant attempts on each block (barring the implementation issue at a specific pool where the pool incorrectly issues the same work to more than one worker).


Title: Re: How exactly would a 51% attack work?
Post by: Redtea on March 10, 2014, 07:34:14 PM
The blockchain should have checkpoints every X blocks to limit the time the attacker has to act.  Then if you wait 2x blocks you should be pretty safe.  Blocks 1 to x are checkpointed by block x+1, which itself will be checkpointed by block 2x+1.

I think the bitcoin client already does this.

There are manual checkpoints hardcoded with each release.  I'm proposing a much higher frequency of checkpoints.


You really think so? -_-


Title: Re: How exactly would a 51% attack work?
Post by: bl0ckchain on March 10, 2014, 08:19:04 PM

There's some great information here explaining the 51% attack.

One thing I didn't see mentioned was how Satoshi was planning on building a 51% attack defense into the code. But he got spooked and vanished after Gavin informed him that he was going to talk to the CIA/feds about Bitcoin. A few years after Satoshi's disappearance, a young Canadian programming student studied the existing code and engineered the missing 51% defense system that Satoshi was unable to complete.

This is the system currently integrated in Goldcoin (GLD).



Title: Re: How exactly would a 51% attack work?
Post by: DeathAndTaxes on March 10, 2014, 09:00:41 PM
I may not know much about Bitcoin but I know a lot about computers. There is no way multiple instances of the same hash algorithm running on independent computers can avoid executing the same code on the same values. It's extremely redundant.

Once again making false statements as fact.  Why not say "I believe it is redundant" or "I can't see a scenario where miners unknown to each other don't duplicate work accidentally?".  You state you don't know much about Bitcoin but you feel confident about making absolute statements of fact about something you don't know much about?

The different computers (1, 2, a trillion it doesn't matter) use different inputs and thus (barring some isolated implementation errors) never attempt work which has already been attempted.  Miners aren't hashing some random value, they are hashing the blockheader and Satoshi designed it so there would be no duplication of work.

https://en.bitcoin.it/wiki/Block_hashing_algorithm

Even if everything else is the same in a block, the coinbase tx for each miner will be unique and thus the hash for that tx will be unique and thus the merkle tree will be unique and thus the merkle root hash will be unique and thus the blockheader will be unique.
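The chain of "thus" in the post above (coinbase tx, then merkle root, then block header) can be traced in code. This is an added example, not part of the post or of any Bitcoin client: the transaction bytes, previous-block hash, timestamp and difficulty bits are constructed stand-ins, and the helper names are assumptions; only the 80-byte header layout and double SHA-256 follow the block hashing algorithm linked above.

```python
import hashlib
import struct


def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list) -> bytes:
    """Merkle root over 32-byte tx hashes (internal byte order)."""
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:              # odd count: the last hash is paired with itself
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def block_header(version, prev_hash, root, timestamp, bits, nonce) -> bytes:
    """80-byte header: version | prev block | merkle root | time | bits | nonce."""
    return struct.pack("<I32s32sIII", version, prev_hash, root, timestamp, bits, nonce)


def header_hash_hex(header: bytes) -> str:
    """Block hash as usually displayed (byte-reversed double SHA-256)."""
    return dsha256(header)[::-1].hex()


# Constructed sample data: every miner sees the same mempool and chain tip.
SHARED_TXS = [b"constructed tx: alice pays bob", b"constructed tx: carol pays dave"]
PREV_HASH = dsha256(b"constructed previous block")


def candidate_header(payout_tag: bytes, nonce: int) -> bytes:
    """Header a miner would hash; only the coinbase payout differs per miner."""
    coinbase = b"constructed coinbase paying " + payout_tag
    txids = [dsha256(coinbase)] + [dsha256(tx) for tx in SHARED_TXS]
    return block_header(1, PREV_HASH, merkle_root(txids), 1394485241, 0x1D00FFFF, nonce)


def attempts(payout_tag: bytes, nonces: range) -> set:
    """Set of header hashes a miner produces while sweeping a nonce range."""
    return {header_hash_hex(candidate_header(payout_tag, n)) for n in nonces}


if __name__ == "__main__":
    a, b = candidate_header(b"miner A", 0), candidate_header(b"miner B", 0)
    print("merkle roots differ:", a[36:68] != b[36:68])
    overlap = attempts(b"miner A", range(1000)) & attempts(b"miner B", range(1000))
    print("shared attempts over the same 1000 nonces:", len(overlap))
```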


Title: Re: How exactly would a 51% attack work?
Post by: ning on March 11, 2014, 06:12:19 AM
...

So IMHO the only reason to 51% the network is to kill it.  A currency has value only if its value can be trusted.  Bitcoins which can disappear at the will of an attacker have no value.  The collapsing price, falling hashrate, and reluctance of merchants to accept them after a 51% attack will kill Bitcoin.