Bitcoin Forum

So, back in the day when Gavin Andresen was still lead developer of Bitcoin (BTC) ...we had the GHash.IO incident, were in July 2014, the GHash.IO mining pool briefly exceeded the 51% threshold. I still remember Gavin Andresen calming people down, saying that there were failsafe action plans in place to stop 51% attacks, if the miners did not want to switch mining Pools or if one entity managed to get more that 51% of the hashing power.

Was this something written in the Bitcoin protocol or was this something that they would implement with a hard fork if this continued? If this was just a smoke screen answer from him to get the miners to switch pools, I want to ask if it would be possible to implement something like this in the code to circumvent this type of attack? (Protocol level)  ???

I don't remember any concrete proposal regarding the mitigation of 51% attacks. I believe what he meant at that time was for Bitcoin to have a hard fork to switch from SHA256D to something else to make all the ASICs worthless. It's not possible for them to insert any viable safeguards, checkpoint was mistaken by some as one but it doesn't really do anything that is beneficial against said attacks.

there are a bunch of things that could be added at the protocol level to solve the 51% attack issue to some extent and i believe some altcoins have done some stuff in this area although i'm not really following them closely.

for example a simple solution could be adding a simple rule that prevents any block that is n blocks deep to be reversed. for example if the head is at 100 then block 95 and lower would be irreversible even if 100% of mining power was owned by one entity.

changing PoW algorithm is also a solution as it was mentioned but i don't think it can be considered an actual solution, it is more like sweeping the problem under a rug. the problem doesn't go away, it is simply postponed and there is a good chance that it becomes a lot worse because if we change the algorithm the richest miners or the hardware producers could invest a lot of money buying equipment mining the new algorithm and if before we had 51% of hashrate owned by one pool by then we have 80-90% of hashrate of new algorithm owned by one farm.

I believe protection against 51% attacks isn't only solved in a technical level. There's something else holding everything together in the network. There's also the incentives placed to keep miners/mining pools honest.

That is correct. Satoshi actually briefly mentioned the fact that a miner would gain more by being honest than if they were to attack the network. I doubt it would be easy to solve it on a technical level without compromising the trustless and decentralised part of Bitcoin. I would love to read up on solutions that could potentially do it without compromising them but I've yet to come across any.

Yes, if you attack the chain, the price of BTC would drop as people get out if they no longer feel it's secure. Would not matter if it's another coin or to fiat. So from a business point of view there would not be a reason to do it. If you had enough money you could do it, just to do it. But we are talking about a fair amount of money and time. There would be other cheaper ways of causing problems on the chain.

-Dave

Yes that's right. I did read that part where Satoshi mentioned that if any party did get to implement the 51% attack successfully and do try to reverse a transaction or chain of transactions  then the cost of reversal process would itself be so heavy that they would rather choose to continue mining in the longest chain rather than initiating the reversal process.
This will force the miners to remain honest. So the point of doing a 51% attack is actually pointless.

It wouldn't actually be that simple to do in Bitcoin. The attacker would have to build their farm, buy all the chips available in the market and more, increasing demand and increasing the price of ASICs. They would spend millons more for the electricity, and what for? For a double-spend, which would then be rejected by the community/army of full nodes, and the attacker would fork into a shitcoin if he/they continue.

Who would follow them to their shitcoin?

BUT if he/they were honest, and do their job in the network, they would earn Bitcoins.

There was a window that an entity could have killed Bitcoin through a 51% attack. I believe that window is closed. 8)

"Temporary-coordinated-control", and what? For one double-spend, which will be rejected by the community/network? They'll be rewarded WITH BITCOINS if they simply mine.

Plus your other debates has never, and WILL NOT happen.

Unfortunately, there is not anything that can be done on a technical level to prevent an entity with sufficient mining resources from executing a 51% attack. It is also not possible to be guaranteed to detect the same entity controlling 51% of mining resources because one entity could own multiple pools for example, or could publically identify themselves as two or more entities.

As others have mentioned, economic incentives will largely prevent anyone from executing this kind of attack. It would be possible that a government, or other entity that might profit from the failure of bitcoin may execute a 51% attack, but I would find this unlikely.

Some altcoins have been 51% attacked, and were vulnerable because they shared algorithms with other altcoins. This means someone could buy a miner, use it to attack a particular blockchain, and subsequently repurpose their miner to mine on another altcoin's blockchain honestly. An altcoin using the same mining algorithm as other altcoins will reduce its security. The reduction in security for i altcoin will be nominal if the resources going into mining on i's blockchain make up the overwhelming majority of resources being used for that algorithm.

It's not only the incentives that keeps the network together, it's also the cost that adds to the risk, which also adds to the Game Theory aspect.

Would you attack the network, and pay for the cost to destroy the thing that enriches you, or simply be honest and cooperate with the network to enrich you?


OR rent the hashing power, attack, pay for the rent, enrich themselves.

I see the troll believes someone will take the risk for ONE double spend in Bitcoin. The window to 51% attack Bitcoin has closed.

If it's so easy and profitable why haven't any of those scenarios happened yet though? Especially the first scenario is something where moving first and as soon as possible would be of utmost importance.

Not quite true. It has been discussed lately  (https://bitcointalk.org/index.php?topic=5270680.msg55138116#msg55138116)and an ultimate solution has been proposed: put a cap on the depth of chain-reorg attempts.

it is controversial though: implementing finality in PoW is not welcomed by many of the core devs of because theytraditionally believe in a booting from the genesis idea, aking it as a measure of how trustless the system is or at least looks like. Once the blockchain is finalized in some heigth, individuals have no strong incentive to validate the whole history to become convinced about the state of the machine individually, it is frghtening for many people. Obviously, it turns to be more of a philosophical debate about what trust means and questions like 'is it possible ever to get rid of the social aspects of a monetary system?' Believe it or not it is considered as a Satoshi tradition the idealized bitcoiner who does not trust, verifies! A mathematical notion of a timeless, alone entity called individual user who is surrounded by a bunch of thieves and scammers and adversaries and the super hero fights with all of them by verifying the history of the blockchain they propose from day one, the genesis block.

My point: it is not a pure technical hurdle because the suggested cap would fix it easily, rather it is a political/philosophical debate.

does it really fix anything? it doesn't look like it to me and it is not philosophical.
such solutions are targeting X blocks and not the blocks 1 to X-1 from head and those blocks remain vulnerable (assuming 51% attack were possible) which means it really didn't solve anything. which is why i categorize them under band-aids rather than solutions.

Will "crush the price" truly "kill Bitcoin"? I believe, not. Plus they can "crush the price", it will be a golden opportunity for us. The wiser move would be to HODL.

https://pbs.twimg.com/media/Eh7KQSJXkAIlgzC?format=png&name=large


That will NEVER happen. ::)

The troll's debate is not about a 51% attack.

It has already been done...
Elastos is a PoW (auxPoW, to be clear) coin with validation performed on an additional DPoS layer.
Which ensures finality (very low probability of a fork) because miners can add only signed blocks to the chain, and a possible attacker would have to dominate both layers of consensus.

But Bitcoin is still well secured, there is no need for change here.
It can be assumed that an investment in Bitcoin mining is the equivalent of about two years of profits from honest mining, isn'it?
So whoever undertakes to enter this business accepts a deep economic commitment.

According to this article by the end of 2018 governments all across the globe had confiscated about BTC 453,000 i.e. 2.6% of the global supply at the time.

https://www.theblockcrypto.com/genesis/2944/analysis-the-u-s-has-seized-nearly-200000-bitcoins-to-date-global-confiscations-are-up-to-453000

Looking at CoinMarketCap the last 24h saw a trading volume of about BTC 3,000,000.

So looking at these numbers the global government holdings of Bitcoin are barely enough to cause a market dip for maybe a day or two, so... just another Tuesday when it comes to crypto.

Of course that was 2018 so maybe the governments already increased their stashes since then.

Except they didn't even held onto the aforementioned amount and have maybe a tenth of that left so like 0.2% of the current global supply.

¯\_(ツ)_/¯



"They"

Sure.

This will not prevent a 51% attack. Someone with >50% of the network hashrate can successfully execute a reorg of a handful of blocks reliably.

It may be able to stop a 51% attack but it also introduces a chain split attack, someone can just mine the number of blocks N needed to lock the rolling checkpoint, broadcast it to several nodes as soon as the main chain hits N blocks after the block with transactions they want to mess up, and the network will be split in half with no way to put it back together as a consequence of how rolling checkpoints work.

51% attacks are more of a practical problem to small altcoins (e.g. bcash), than a coin with exahashes/s total hashrate like bitcoin.

Thank you for this post.

There was something iffy about reorg prevention that I couldn't quite put my finger on but now I know what it was.

It's not imaginary. Many coins with low hashing power, and especially POS coins, use rolling check points to protect their chains from potential attacks. They are potentially insecure, and might never reach the same level of network-effects that Bitcoin has. Simple.

We can't just delete the bitcoin blockchain and start over because of a chain split. Too many exchanges, businesses and merchants would be disrupted all at once while waiting for the blockchain to reload. Waiting during events like this will also discourage people from adopting it. Hence why this solution doesn't work for a network as large as bitcoin.


There seems to be a misunderstanding about the damage a 51% attack can do. Miners can only block transactions from being relayed to the network, they can't double-spend your transaction because they don't have your private keys, only the signature script. Without private keys for your addresses they cannot create another spending transaction.

Of course, it does!
The main problem with 51% vulnerability, the most tempting force to commit such an attack, is double-spending of large amounts of PoW coins by reorganizing the chain deep enough to defraud the potential victims who are used to release their assets after a specific number of confirmations.

Until recently, I was among the people who used to say : There is always a number of confirmations large enough to make it look irrational for the adversary to commit such an attack. Now, I'm reconsidering this argument because of two main reasons:
1- There is always a possibility for stakes  to be high enough for making it impractical to wait for a very large number of confirmations.
2- It is not always about being a direct victim of a double-spending attack, in the process of a medium to long-range chain re-org that goes beyond a certain threshold, the maturity window for freshly generated coins, as a receiver of newly matured coins, people are losing their funds definitively, very different situation with other transactions having a chance to be confirmed in the new chain eventually or even primarily.

You need finality if you are serious about bitcoin agenda. You need a threshold that is absolutely safe for sensitive, high stakes transactions and I've proposed it for bitcoin to be set at 100 blocks because such a cap on chain-reorg guarantees that you never receive bitcoins that may become void somehow and in case of a short-range chain re-write you have good chance to see your transaction is included  or (given you are not a direct victim of the attack or your business partner is not greedy that much to try rbf attacking you) will be included eventually in the new chain.

Double spending is not the only risk from a 51% attack. A 51% attack can also blacklist addresses/outputs from being spent, cause other miners from being able to mine all the blocks their hashrate would project them to mine, and create other arbitrary rules for transactions to get confirmed.

A 1/2 waiting time is also not reasonable. Most financial transactions are instant, or take a matter of seconds, minutes, or a single hour for complex transactions. On top of this, it would accelerate the timeframe LN closing transactions need to be confirmed by to avoid possible loss of coin.

that's true but here is a bigger problem. a blockchain that can be 51% attacked whether it is more than the locked in number (X) or smaller than it (X-1) is no longer immutable and it suddenly becomes a failed experiment.

lets say we placed it at 100 and it were possible to reverse 99 blocks. if someone performs that attack, your coins that are 100 block deep don't move but their value drops to 0 so you have actually lost your money.

again, it is not a solution but a bandaid. and it is a bad one. imagine if we encountered a bug and had to actually perform a reorg (like the overflow bug in early years), that way the entire network must upgrade which is impossible in bitcoin within reasonable time due to huge size of it and the way it is spread around the world.

Depositing a check from a friend does not make up many financial transactions. When you are dealing with a friend, there is a level of trust involved, hence the description "friend"

Most consumer financial transactions are in person that take a matter of minutes to complete.

---

You also ignored my comment about LN closing transactions needing to be confirmed earlier.

Errr... why would you add a rolling checkpoint if in the case of a chain split you go for the chain with the most accumulated work anyways? That's what current implementations do already, except automatically and without requiring centrally coordinated manual intervention.

The actual reason is because there's an army of full nodes that will reject invalid transactions, reject anyone not following the rules in the network, are actually the ones giving security to the network.

The trolls don't want you to learn this.

Checkpoints always entail centralization, because you need a checkpointing authority.
Unless the checkpoints are performed through special transactions that save the appropriate hash on the Bitcoin chain...
But this only confirms the superiority and importance of Bitcoin  :)

It is an inherent feature of a blockchain to be re-writable to some degrees , short-range chain re-writes are not a problem at all it is how consensus works in a distributed p2p network. You have always propagation delays and orphans and extreme scenarios are possible where parts of the network are isolated because of global communication disasters, there is no immediate finality feature affordable in such an environment, hence blockchains are to be re-writable and blocks are subject to orphanization by ordinary, honest competitors and/or adversaries.

A miner should be ready to pay the price when his/her block becomes an orphan. The problem with the current situation is miners' ability to project this risk over innocent users who are not part of the competition and have no obligation to keep this or that chain on the top.


Firstly, good solutions are simple solutions, it is the rule of thumb in software engineering and programming. Usually people think code is magic and eveluate it according to the extent it is tricky and complicated, well it is just wrong, the best solution is the most simple and straightforward one.

Secondly, the infamous overflow bug happened in block #74638 and the new improved chain took over the wrong one in block #74691, it was just about a 53 blocks deep re-org and an exceptional incident which is not going to happen ever again even for new projects because lessons have been learned since then.

actually the main feature of a blockchain based currency that makes it viable is its immutability and the fact that "re-writes" don't happen. whether an extreme scenario happens such as a communication disaster where such things happened more is considered special cases not a regular occurrence.
also "immediate" in this context is a couple of blocks (eg. 1 or 2) not large numbers (eg. 100).

that's only the case for users if the replacing block was malicious otherwise stale blocks have pretty much the same transactions as the ones they are replacing so there is no risk for users.

true, but there is a fine line between simple and pointless.

my point is that similar to this being 53 (a very large number) of blocks we can't come up with any number that doesn't have negative side effects. if it is placed at a very high number it would be useless and if it is at a low number it could be harmful without solving anything (since 51% attack in bitcoin doesn't happen due to extremely high cost).
i also wouldn't be so sure about it not happening again (https://bitcoincore.org/en/2018/09/20/notice/).

From where did you get that interpretation? If 100 looks to be too "large", suggest a more reasonable number and it will be the limit both for maturity and re-org depth cap purposes.

You are getting it wrong: For reorgs (being either intentional or unintentional) shallower than maturity level (100 for bitcoin) ordinary users are not in danger, correct, but the mere possibility of a deep re-org (deeper than 100 blocks in bitcoin) implies an existential threat to innocent users who are not even the subject of a double-spending attack. Such an existential threat is what the whole 51% attack discussions in the literature is focused on because it would be easy for paranoid users or people engaged in very high-stakes transactions to wait for a limited number of confirmations (100 in bitcoin) but not forever.

CVE-2018-17144 that you are mentioning above was a special case and more detailed examinations revealed that even after a malicious transaction was added to the blockchain, nodes would commit to the right chain immediately after a simple reboot (because bitcoin client checks the integrity of the blockchain when it restarts). In practice, 100 blocks is good enough to cover the problem domain and I don't understand why should anybody dispute this solution:
You want finality? Wait for 100 confirmations! Otherwise, wait for as many confirmations as you find useful for your trade and meanwhile be sure about one thing: Unless you are directly targeted by an adversary with a huge hash power, you are almost safe even with 1 confirmation.

Rather than rehashing false arguments about how useful it is to put such a cap on the depth of re-org attempts or whether it is useful at all , one should focus on the price: what the implications and consequences are?

As of the later question, because of my general approach to blockchain technology, I am more than happy with the most distinguished consequence: putting an end to the extreme individualism built into bitcoin ideology for years!
I'm mentioning the same individualism that is the main driving force behind the slogans like 'do not trust, verify', according to this extremism, which is mainstream in the bitcoin community BTW, users should boot from the genesis block and verify both the integrity and consistency of the blockchain on one hand and the infamous longest/heaviest proposed chain rule on the other hand for themselves. It is the root of the possibility of medium to long range chain re-write attacks, for the record.

From a pure mathematical point of view, it looks to be an interesting problem: how an individual, e.g. a robot or an alien, came from nowhere could possibly boot from scratch in a wild uncertain environment full of scammers and adversaries? This is supposed to happen without having any clue about who is who in the actual business world, just the bitcoin code and a 32 bytes long hash hard-coded in it: 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f.
Let's not be distracted by checkpoints for now. A bitcoin puritan , already has the answer: boot from the genesis and verify the whole history as if you are travelling in the time! S/he never asks anything about the ontology of the original problem: who defined it and why, in the first place?  How important or useful it is? Does it worth to pay a huge price like giving up about the finality and immutability of the blockchain?

Not every interesting mathematical question is a valuable problem or at least a practical one. In the real world, bitcoin is a social phenomenon and should be treated as such phenomenon. Extreme mathematical considerations are void and worthless and a source of confusion and impotency. IMHO, it is time to grow up and put the bitcoin puritanism behind.