Bitcoin Forum

Attack example:

1. Make several large transactions in block X and wait for N blocks.
 
2. Contact more than 50% of miners (for example large pools) and bribe them in real life to make a fork just before block X and to mine on that fork for N blocks. So the old branch becomes obsolete.

3. For a bribe you offer reward that is several times (let's say 3x) larger than the reward for N blocks.

------------------------------------------------------------
Conclusion:
The parties you paid to in block X will be accept your payment (as you picked N as 15 for example), and after rewind you get your bitcoins back.

I am asking myself, why this is the third question of this crazy construct within this week... coincidence?

So: why would the miners accept this? When they know, that afterwards the currency is out of value?
They can't even use the remaining hardware to mine other coins, cause they know, that history shows, when bitcoin goes down, all other currencies go down - and vice versa.
The incentive for the miners is not recognizable.

Besides that nobody knows, how many miners there are (yes, there are pools, but then what?), you would need +8billion to bribe the miners. 16 billion is the amount of newly generated bitcoins at a rate of 10.000 Euro/CHF/USD ...
To whom would go the transactions of this size? To an exchange? to a bank? Who would be your counter party? Who is going to loose the large amount, if you take "your" transaction back with the miners after 15 blocks?
I guess, nobody takes a risk, that is higher than everything else that have been seen before? An alien bank perhaps, that doesn't care, if they loose 16billion?

This is not an attack on bitcoin currency. This is an attack construction, which has no visible chance of getting realized. As such the headline and the word "attack" is highly misleading.

Old news since day 1. You can do anything once you have >50% of the hashpower.

https://en.bitcoin.it/wiki/Majority_attack

I think, I'm the one with the "crazy" attack construction, so I think I should answer...

If it is crazy, why can't everybody give an easy logical reason, why it doesn't work. By the way, this here is less crazy than my construction and there are also papers dealing with this so called whale attack, look for example in https://www.cs.umd.edu/~gasarch/reupapers/bitcoin.pdf (suggested by Pieter Wuille on stackexchange)

If it's obvious till "day 1" that we can do this attack, why isn't there anybody who does it?

It does work.  It just isn't typically profitable.  It is too difficult and expensive to gain control over enough hash power for a long enough amount of time to make the attack profitable.  If you do have control over enough hash power to complete the attack, then in the majority of scenarios it is more profitable to engage cooperatively than maliciously.


Too expensive and difficult to accomplish.  Less profitable than cooperative engagement.

Sorry. I posted this again as simgabe said his thread did not receive attention. But actually there are some replies there and a lot of views.

Well there is significant money in crypto-currencies and money will stay there. If an attack on bitcoin happens money and miners will migrate to other currencies that don't allow such attacks.

I think this attack shows 51% attack is much more affordable and easy to achieve.

Well this attack shows that it IS more profitable for both miners and attacker to execute the attack rather than just cooperate.

And that is easy to achieve (you just have to contact handful of top pools) and relatively inexpensive (to execute you pay let's say =N*3, where N is reward for N blocks, and you can take N as 15 for example).

the bribe should be paid with fees if you want bribed miners to keep working on the whale-chain

that would be a visible attack, more like a an announced fork with a new whale coin and the original coin

so not much difference than a normal fork where devs and miners are bibred with premined shit coins and  whatever , cheaper for Alice

i'm curious when that paper was written, seems very innocent

Sorry for doing discussion in two posts, it was my idea that croraf could ask with the simpler formulation because I had the hope for more understanding and there was only one post to my question till then. Maybe there's an moderator who can do the posts together.

Yes, in usual whale attack you bribe with fees, but why shouldn't you bribe them in real life? I think it's even better - and this is addition in my post - to do things together with shorts. So you can also bribe miners with shorts and so they are interested in destroying the coin. Maybe this is an old attack scenario, but maybe not. The question is how to realize the big short positions and this is much easier today, because with the hype on coins financial institutes start to offer shorts even leveraged 25x.

Just lock one thread.  You can do that yourself.

In the future, avoid creating sockpuppet accounts, and posting the same thing multiple times. It's a good way to get yourself ignored by people that are interested in intelligent discussion, and you'll end up spending all your time taking to silly sig ad farmers.

People have been talking about 51% attacks for nearly a decade now.  Satoshi even laid out some of the math behind it in section 11 of the original whitepaper.  There are thousands of posts, blocks, YouTube videos, maths papers, and articles written about it.  You'll probably be better off doing some research and reading up on it than trying to find someone here that feels like going over all the same points for the X thousandth time.

However, when I'm not too busy I'll stop in and take a look at what you've written and see if your maths adds up.  Given the history of discussions, I'll be surprised if you discovered anything new, but I won't rule it out without giving it a bit of a look.

croraf is no sockpuppet account but a user of stackoverflow I don't know. I think there's no easy way to proof this, but just look at the discussion between my "sockpuppet" and me in
https://bitcoin.stackexchange.com/questions/63914/egoistic-miners-combined-with-large-transactions-destroy-pow
a make you your own picture.

There is a reason for the two posts beside to get more attention. I wasn't clear if we have the same points in argumentation and his argumentation is more humble, I can't say thinks so simple. Also I think call a real person sockpuppet isn't fine... I think both threads contain argumentation so it's not a good idea to lock one.

Also you don't know how much I know about bitcoin, maybe I'm Satoshi, oh no my Enlish is to bad... ;) But I've read and maybe understood the whitepaper and some other things...

Possibly there is a simple fault in my argumentation, but then somebody can show it and the thing is done. Coming from math background, I don't like historical argumentation, you can't do a new step if you use this argumentation line. Thousands of years people don't know about sheafs and geometry, but this doesn't show that Grothendieck was a fool doing such new concepts.

It would be very kind, if you take a look on argumentation line, when you are not too busy.

For profit, the bribe should be high enough. I've they are bribed with shorts they are interested in a low value of currency


I've written some numbers in the other post.


You can do many medium large transactions instead of one very big. In my version of argumentation in the other post you can do this over a long time (as long as you hold the short), so nobody sees very high transactions.

Perhaps.  Perhaps not.  Either way, the replication is annoying at best.


There are thousands of them around here.  If it looks like a sockpuppet, and it sounds like a sockpuppet, it gets treated as a sockpuppet.  The alternative is to waste hundreds of valuable hours reading and responding to nonsense.


Up to you, but I doubt any moderator will join them.


Seems exceedingly unlikely given your willingness to repeat an age-old argument.


Your english doesn't matter to me.  Where did I say that it did?


Perhaps a bit more reading is in order?


I'm not saying that history is proof.  Even mathematicians learn about the maths that has already been completed before them.  That way they don't waste time on things that are already solved, and the don't waste time on things that are already proven.  I'm not saying "it's been discussed, therefore you are wrong".  I'm saying, "It's been discussed, so do some research and make sure that you aren't just repeating something that has already been answered.  We are not your personal army, and I'm not here to do for you what you can do for yourself.

I'll help you where I can and where I feel like it, but in the end you are responsible for your own education around here.


I'll take a look.  Just not right now.

you ask for answers but you don't seem to take time to read or understand  them.

what's the purpose of the attack? a double spent? then you want the miners to keep mining your whale-chain if you want to benefit from it. And i don't think your whale-coin would be worth much until it becomes accepted.


The short is an other problem i think. If you buy huge amont of shorts price should go down anyway?  so your (2nd) idea is to buy some shorts and then attack the block chain to make it more efficient?

Sorry, if I haven't understood your comment.

I want to do double spending while holding a short position. I want the miners to destroy the coin. I think this version of the attack is stronger as the version of croraf. So I want that the coin isn't worth much.
Profits are from the short and the double spending, so you get a factor 2 in calculation and we mustn't care about some comparable low fees that are somewhere around.

EDIT: Maybe I don't understand your comment till now. What is called the "whale-coin"? Is it the coin which stays after whale attack, as I interpreted it?

well,the hack might work, but unless you are some drug baron, bribing >50% miners might need some huge cash and time

I've done some calculation in the other post, yes you need billions. But if argumentation is correct the big mining pools would be the first to try the attack together and so they have as costs only the fees of the short position, they own the hardware already. I estimated the cost for the fee of the short as about 2 billion. But big mining pools own hardware worth about 10 billion, so they should have possibilities to get the cash.

so again, the proposed attack is a fork, bribed miners mine (whale coin) on what i call the whale-chain

honest miners mine the original chain

yeah you get a factor 2 because you're mixing 2 different things that should be looked at independently

Ok, but what is the question there? Yes, bribed miners, which are a majority, mine on the whale-chain, and when community notices that they are sucessful, the currency goes down. If currency isn't totally down after sucessful double spending, they use their mining power to do other strange things and when community notices there is a masacre now and you can trust nobody, they will all leave the coin and so the access is sucessful.

Why can't we do double spending and holding the short together? Is there a wrong assumption in scenario?

After sleeping for a while I think I see your point. There is no factor 2. Using the short only bring down risks.
If we lend X coins worth 10 billion $ to use in a majority attack as value of our double spending, we have double spend benefit of 10 billion $ if the attack is sucessful. We still hold the coins after the attack, because we have double spended them, and so we can give them back to the one who has offered the us the lending of the coins. So argumentation is independent from the worth of the coin after the attack. But we get the profit only ones and there is no factor 2.

In argumention line of croraf, we use our own coins worth 10 billion $ for double spending in the majority attack. So if currency is down afterwards our double spended coins are worthless and so there is no profit. But if currency isn't completely down, say it has half the value from before, we still hold coins worth 5 billion $ and so we have a profit of 5 billion $.

Do I see it correct now? Than I would cancel factor 2 from calculation. But there is still a huge profit from the attack and the profit is for free without any risk because majority attack is always sucessful if you really have majority of mining power and as I showed above profit is independent from worth of the coin after attacking.

 Other possible attacks on bitcoin could be:
•   Denial of Service (DoS) attacks
 Sending lots of data to a node may make it so busy it cannot process normal Bitcoin transactions. Bitcoin has some denial-of-service prevention built-in, but is likely still vulnerable to more sophisticated denial-of-service attacks.
•   Sybil attack
 An attacker can attempt to fill the network with clients controlled by him, you would then be very likely to connect only to attacker nodes. Although Bitcoin never uses a count of nodes for anything completely isolating a node from the honest network can be helpful in the execution of other attacks.
•   Packet sniffing
 Someone who can see all of your Internet traffic can easily see when you send a transaction that you didn't receive (which suggests you originated it). Bitcoin-QT has good Tor integration which closes this attack vector if used.
•   Illegal content in the block chain
It is illegal in some countries to possess/distribute certain kinds of data. Since arbitrary data can be included in Bitcoin transactions, and full Bitcoin nodes must normally have a copy of all unspent transactions, this could cause legal problems. However, Local node policy generally doesn't permit arbitrary data (transactions attempting to embed data re non-standard), but steganographic embedding can still be used though this generally limits storage to small amounts.

For more information on Bitcoin currencies attacks, check out these links:

https://en.bitcoin.it/wiki/Weaknesses   
https://www.reddit.com/r/Bitcoin/comments/7cht20/classification_of_attacks_on_bitcoin_oc/
https://btc-hijack.ethz.ch/

I know there are several attacks. I wanted to post this attack as an example of low cost variant of 51% attack. In this attack you only have to spend like 3xN where N is the total mining reward for N blocks. You can use N as 10 for example. So if the current reward per block is around 130 000$. The attack will cost you 3x1.3 million USD or around 4 million USD.

And you can make around 1000 transactions in block X, if each is worth 10 000$ you gain 10 million USD. So you are in net gain of 6 million USD.


Parties you pay to will accept your payment of 10 000$ after 10 blocks.

Maybe I understand now the argument of many here, the problem is that even with majority mining power we can't realise double-spending profit in every scenario. There is no automatism of trust in the longest chain, when it's obvious that cheaters have build it. So honest miners stay on the shorter "real" chain and users too and they aren't interested in the whale chain. We have just created a "new coin" with the whale chain but nobody besides us is interested in it. Is this the point I didn't see?

If N == 1, you will need to bribe miners with 37,5+ BTC (Assuming miners will decide to accept your bribe). Most services accept transaction after at least 2 confirmation, it effective doubles the bribe and makes it 75 BTC. Since you probably won't be able to cash out double spent funds in next 10 minutes, you will have to bi lightning fast and still need at least 3 orphans block and bribe budget of 3 blocks in best case scenario (112,5 BTC or 1,3 millions of dollars at the very least). So the amount of fraud you planning should be considerably bigger than that sum (say 100 millions). And this is ideal case.

In reality you can't know for sure who will mine next block so you will have to bribe majority of miners. Miners will likely not accept just 3x of minig rewards keeping in mind that if fraud goes public (and it will after you double spend 100 000 000 worth of BTC) price will dip hurting future mining profits. This will raise cost up tenfold at least.

Overall without having 10-20 millions (probably way, way more in prior organizational costs) of throwaway money you should not be considering creating side chain of 3 orphan blocks (that translates to 30 minutes of reversible BTC transactions). That should make you think that just buying and holding probably more profitable for you.

Bribing a majority of miners does not guarantee success.

If you bribe 51% of hash power, then there is only a 51% chance that they will mine the next block.

If someone that you did NOT bribe ends up getting lucky and solving the next block, then the attackers need to continue their attack for extra blocks in hopes of catching up with the longer chain.  They also have to hope that the amount of hash power on the longer chain doesn't increase enough during their attack to overcome their 1% advantage.

At any moment, any number of bribed miners could panic and fear that they are wasting time and money mining on a fork that will never catch up.  Realizing that other miners may be feeling the same fear, there will be a large incentive to defect early rather than waiting to be the last fool on the losing fork.

You'll need to find an equitable way to split up that bribe across all the pools that you bribe, and you'll need to hope that the pool participants don't figure it out and abandon the pool.