Bitcoin Forum

Posted by Sebastiano Scròfina, a decentral banker at kakigarden.com

Is Bitcoin doomed to fail ?
http://www.quora.com/Is-Bitcoin-doomed-to-fail?srid=uLs

He states:
"I love the concept of Bitcoin. I believe the Internet will redefine currency in the following years. But I've got 5 major concerns about Bitcoin's scalability (other than the block chain size)"..........

Why is it nonesense?

I'm not worried about a competitor to bitcoin, provided the attack described in point number 1 can be resolved, trying to bring about a competing cryptocurrency like bitcoin would be like trying to reinvent the wheel.

Far better to start inventing new things to do with this new-fangled "wheel" thing, new bitcoin services and the like.

If the technical attack described in the link can be overcome then the other points are moot. Governments would have to abolish the internet or learn to live with it. If the internet is abolished or destroyed, then we'll probably have far more to worry about than being denied the use of cryptocurrency.

It is utter nonsense.

It looks that the guy doesn't understand how the network works when he says about "stealing" BTC, and getting 5Million BTC... It is not possible in a reasonable amount of time.

I'm sorry, but the article is silly.
The only considerable risk is the legal one (number 2). But then, fighting the current banking system isn't the whole purpose of this idea anyway? Does anyone expect it to be easy?

And about competition, that might represent a risk for someone that puts all his eggs on bitcoins, but in general, if something better come up, we should celebrate.

Still strikes me as re-inventing the wheel, but what features would you say could make another cryptocurrency better than bitcoin?

I don't know. If I knew, I'd be working on it. ;)

That's quite a clever point of view.  Indeed, if something better than bitcoin comes up, it will be great news.

Why d'ya think I was trying to get ya to spill?:D

I'ld like to create a community response to the post.

I set up a collaborative editing pad:
   http://meetingwords.com/GO5tVHslbz

Following is my stab at a response.  Anyone care to make it better?  I'll paste the community response on the Quora post at a later time.


Community response to:
  http://www.quora.com/Is-Bitcoin-doomed-to-fail


Is Bitcoin doomed to fail?

> 1.) Technical
> it would require ~2k CPUs for 1h to steal 5M BTC.

Let's do the math.
 - Amazon Quadruple Extra Large Cluster Compute Instance $2.10 per hour. http://aws.amazon.com/ec2/pricing/
 - That instance is 2 NVIDIA M2050s, or about 32 Mhash/s per https://www.bitcoin.org/smf/index.php?topic=1334.msg26185#msg26185

The currenty network is about 150 Ghash/s.  To get 50% of current network hashing, that means you'ld need to match that amount.
That's 4,688 of those XL Cluster instances.  Hey ... that's just under $10,000 for the hour.

Whether or not that amount of capacity is available to just spin up is unlikely however.  49.9% of the hashing strength won't be enough.

So if you take over the network, what does that let you do?

Yes, there are over 5 million bitcoins that exist, but they aren't yours to spend.  You can try to accumulate bitcoin and then double spend once you have control of the network.  Assuming you start sending those to Mt. Gox and other exchanges in hopes of double spending, its quite likely the combination of a ramp in the number of nodes plus an influx of bitcoin funding by the exchanges wouldn't go unnoticed.

Amazon is likely to be the only one likely to profit from such an attempt.

> 2.) Legal
> BTC will represent a deadly threat for a national state, and that they would react accordingly using their full moral, legal, judiciary, police, military, PR, press powers to shut down such a threat.

Governments could make trade using bitcoins difficult, that is true.  If they make it a crime to trade with bitcoins only criminals will trade bitcoins, or something to that effect is how the saying goes.

> 3) Competition
> the lock-in power of such network is extremely low, and the entry barrier for competitors is also very low

There already is competition.  Testnet Bitcoin is a live, functioning parallel currency.  Today you can mine for it, exchange it .. it even trades on Bitcoin-OTC!  But you might want to think twice.  Because it is not protected by 150 Ghash/s like Bitcoin currency is, it is rather vulnerable at this stage.  There will be competition at some point, certainly.

> 4) Community
> infiltrate the community of developers in order to push their own agendas

Bitcoin is open source and runs on open protocols.  Let the best fork win.

We are trying to make an attempt to add a gpu cluster to the network 
http://bitcointalk.org/index.php?topic=2884.new#new (http://bitcointalk.org/index.php?topic=2884.new#new)

My thought is we need to do it before someone else does and while it is still early enough to make it viable.

Another, perhaps wild idea: If we could convince a whole technology/software/hardware,etc. company (at least midsize) to do mining with their employee computers in non-working hours, this could also strengthen the network.

And on top, create some PR...

Hi guys, I'm glad you're taking time to answer my question on Quora. I just edited it and corrected some details such as the hypothesis of "stealing" BTCs with the hypothesis of double-spending BTCs. Still, I'm very curious about your answer on the first of 4 points, given it looks like the most controversial of all. The other 3 also do concern me, in terms of fluctuations in the value of BTC: how much value will evaporate with government regulation, better forking, community infiltration, etc ? 10%, 30%, 50% ?

Again, the question is here:
http://www.quora.com/Is-Bitcoin-doomed-to-fail (http://www.quora.com/Is-Bitcoin-doomed-to-fail)

It also becomes more profitable to buy computing power to support the blockchain.  When I first heard of Bitcoin a couple months ago a coin was worth about $0.25.  At that time, I calculated the return on investment for buying a Radeon 5870 and accompanying hardware was around 3% APY.  Similar calculations with current market prices suggest 38% APY.

The exact numbers don't matter much, but as coins become more valuable honest participants are encouraged strengthen the network further by increasing their mining activities.


As sgornick mentioned above, the calculations in the original question are incorrect.  It's also important to note that mining difficulty has been increasing exponentially (http://bitcointalk.org/index.php?topic=2345.0) for quite some time.  The longer an attacker waits, the more expensive it becomes to attack the network.

Heh, ... composing answers, collaborative / wiki style against questions that evolve based on the answers being composed.

Somebody correct me if I'm wrong, but all that can be done by outcoming the network computing power is double-spending, right? More precisely, rewriting recent blocks.

I think we all agree that there is no monetary incentive to do so... the costs clearly outweigh the benefits.

And even thinking on the possibility of a politically motivated action... what exactly could they accomplish with it? If they start double-spending, they would hardly remain anonymous for too long... their victims would eventually denounce it, and the sorcery would turn against the sorcerer. Besides double-spending, they could erase transactions... but still, is that worth such a big investment? Particularly in a post-wikileaks world where this action could eventually become public?

I really don't think this is the kind of thing we should worry about.

It might be profitable if the $10,000/hour figure is correct. The attacker could clean out every Bitcoin-accepting site in existence, which is enough to make even several hours of attack time profitable.

Some obstacles, however:
- It is possible for the double-spends to be removed if the community can come to an agreement about which transactions were real.
- The attacker needs to actually own enough BTC in order to double-spend them.
- The attack will take a few hours, which is enough for many people to notice. Satoshi might broadcast an alert.
- The price will plummet after the attack, reducing the profit.

A more likely attack is one against sites that accept big payments with only one or two confirmations. This is both quicker and easier.

Isn't the point that it doesn't matter once he's got what he 'bought'? If two people both give him USD for the coins which is the real spend? The first I suppose, but someone is still screwed and attacker still gets money.

I was thinking he'd send one version to himself, since that is easier. If he buys two things, then you're right -- there is no "real" version.

It would be nice if Bitcoin could detect this case and treat it specially. If you see a transaction to you in a block, but it conflicts with a transaction in your memory pool, then you're getting a double-spend.

To limit this possibilty we can take action ourselves so by the time someone notices bitcoin it is incredibly expensive and/or difficult to accomplish.

 :)

Hi guys,

Again, I love the spirit of Bitcoin and I hope the attack I'm outlining in public helps the Bitcoin project to better understand possible points of failure. Unfortunately, based on your answers I'm starting to believe that the attack outlined in my Quora question (please check the latest edit at http://www.quora.com/Is-Bitcoin-doomed-to-fail (http://www.quora.com/Is-Bitcoin-doomed-to-fail)) is both technically feasible and economically profitable. This is scary. Correct me if I'm wrong, since I need to know this before deciding whether to invest some money to buy BTCs or not.

To theymos:

As noted by Freemoney, it's too late: goods and services are already in the hands of the attacker.


He should buy them before the attack.


The attack should target less-sofisticated users who don't check all the forums at every given transaction. The transactions should be prepared before the attack, so that the provider is already ready to sell to the attacker before the attack starts.


Yes, it is reasonable to assume that the price of BTC will plummet. Unfortunately goods and services are already in the hands of the attacker. This means that the attacker looses nothing, while every BTC owner sees the value earned true labour or mining evaporate before his very eyes.

In answer to issue 2, it is almost certain that a large number of governments would ban everything bitcoin related( some governments, not all ). And the effect of this will be the same as the government and recording industries efforts to prevent file sharing, that is, almost no effect at all.

The weakest points of entry and exit into the bitcoin economy are the currency exchangers and these will be the first targets. Already hidden, anonymous currency exchanges are begining or being developed in for example, China that would allow continued entry and exit into the bitcoin economy despite being entirely illegal.

Secondly because of the financial motivation as long as there is money to make from using bitcoin people will use it, as long as the internet has not been turned off completely bitcoin will continue to work unaffected.

QQ coin was easily targeted by the Chinese government as it was a currency based on the servers of a Chinese company, the government only had to ask and Tencent(QQ's owners) had to take action. Bitcoin is entirely p2p and short of turning off the internet there is nothing that can be done to stop it.

We forget about one thing.
It does not have to be profittable at all.

It can be used by FEDs/Governments to attack bitcoin. Millions of dollars is not much when it comes to eleminate the threat to all known fiat currencies. Banksters will be mad about this. And they will surely try everything - It's only matter of time.


---------
Also, i see on weakness in the proposed attack scenario. Bitcoin clients by default only connect to every 1 of 16 bitcoin nodes IPs (or was it 1/8 ?).
So if I am correct, the attacker would also have to set up a lot of different bitcoin clients in different IP ranges to successfuly broadcast his fake double spent transactions. Otherwise, when using nodes in a small IP range, the double spent transactions will be rejected by most honest nodes (which will not connect to many nodes in the small IP range, and choose some other nodes instead), thus rejected by the whole network.

I don't know if I am reasoning correctly here, somebody correct me if not.

I have a few thoughts. An attacker isn't likely to want a bunch of services, those can't usually be resold easily. Goods will usually not ship until the next day so the attacker has to overcome the whole network for ~12 or more. Even if he pulls this off people will notice and many will be warned not to ship goods ordered after X time. Gambling sites don't make a great target, because you win bitcoins, which will be devalued if you are successful. The exchanges are probably the most fertile ground, but major
exchanges (where the most money will be available) will have the best detection of funny business.

In addition to all the power that the attacker will have to buy or rent there will be a lot of planning involved. They need to search out what goods will ship fast enough to go out during their attack, if they can't hold on to the network for over a day this will only be certain parts of the world. They need to set up a place or places for delivery, and a way to resell the goods unless they are doing this for their own consumption. They need to find all the little exchanges and make accounts and set up bank accounts to send the money to, under different names I guess. LR makes this pretty easy though.


Do you mean that after an attack people will stop using bitcoin? Some probably would, I think most would move to safer arrangements. Certain types of business would be unaffected, live sex shows, programming work, donations, etc. People using bitcoin for these purposes would presumably buy on the cheap driving the price back up somewhat, granted not all the way.

In short, I don't think a for-profit attack is likely. Government attacks are where the risk is imo, damaging stuff is a lot more viable when you are using other peoples money. We have some advantages though, government is slow to act and difficulty is growing exponentially at least for now. When government does act it isn't likely to be all at once and decisive. The publicity of "Bitcoin is worrying world governments and bankers" will be pretty huge. The greatest thing about bitcoin is that they have to outmatch all of us combined at once. Sure it looks really easy right now, but there are like 4 users in Japan and 3 in China. We can easily grow by a factor of a hundred thousand.

I don't even think that it is forgone that every government would want to break bitcoin, if a few realize the value in embracing it first there won't be a chance at breaking it.

Lying nodes is a different attack which I think would be focused on just one target. The double spend attack spends a coin legitimately and then rewrites history and spends it "legitimately" again.

I didn't think of this when I was writing my last post, but doesn't this make it difficult for even someone with ~60% to double spend and make it look good for a whole day? Going all the way back a whole day would take about 5 days if you were writing 6 blocks for every 5. Am I thinking correctly?

edit to add: Actually I think that's wrong. The first spend batch is totally legit, at the moment the attacker starts making blocks keeping up with the real chain, but not publishing, if he is even a little faster he can publish at any point pulling back his coins. So a 24 hour later pull back only requires 24 hours of matching the speed of the whole network.

I don't think fiats are going to last much longer with or without bitcoin. They are inherently just the overvaluing of paper, the price has to come back down eventually.

Another thing to consider is that the people who run fiat are deluded, king of the world types, they can print dollars: United States of American Dollars. Nothing is better, no way something called Bitcoin eliminates the dollar, to even suggest spending millions to squash a little play money internet currency will get you laughed at, not funded. They are going to wait way way too long to act.

There will be a smear campaign about how we torture children and eat puppies, of course the puppy eaters aren't involved yet and when they hear about the perfect way to pay for a steady supply of puppies they'll get them some coins, the price will go up and the follow up report will be about how all the puppy eaters are getting rich and other people will want in on that, etc.

You can have a fast attack scenario targeting fast-shipping goods and services, and a slow-attack scenario targeting slow-shipping goods and services.


No. I mean the FRN/BTC exchange ratio would plummet, therefore goods and service providers will ask for more BTCs for the same goods and services, therefore the purchasing power in the hands of a BTC owner evaporates.

The attacker is spending BTCs, and then creating a fake payback from the recipient to himself with his malicious subnet closing blocks faster than the honest subnet, therefore the malicious block chain is regarded by every client as the best one.

Why, if the ROI of such an attack is positive ?


If the ROI of an attack is positive now, it will be positive at any given time, since minting is not involved in such an attack scenario. Instead, given the FRN/BTC ratio is growing exponentially, the likelihood of such an attack would grow exponentially with time.

That cannot be done. The transaction will not look valid to any clients no matter if it is in the longest chain or not. The attacker cannot send coins from a public address that he does not have the private key for. The way this attack works is that a legitament spend happens in, say, block 105000. After the merchant acknowledges it the attacker releases a new 105000 and as many blocks after it as needed to make it the longest chain. Now the network knows the attacker holds the coin because there is no record of the transaction.  

I don't really see how you'd get a positive ROI if you factor in the previous assertion "the price would plummet" :)

I don't think it is positive.

The rest of my post gave a bunch of reasons why the return is lower than at first glance. Many types of merchants would be immune, many would be warned, etc. Shops are not going to mindlessly ship their entire stock without making sure nothing weird is going on. Even if they aren't savvy they are likely to know other bitcoin merchants. "Huh, all of your stuff was just bought too? Cool, I guess we're rich now."

Bitcoin price is up about 6x since I got here and difficulty is up over 90x.

The value of attack calculation is hard, but you aren't even looking at the right numbers. The attacker doesn't just get to turn bitcoins into cash via magic. He's going to flood exchanges and tip people off by buying to many sneakers. A lot of what you can do with bitcoin doesn't help him at all, so he can get a lot of credits at A Tale in the Desert, so what, doesn't help him at all. He can bet at bitcoinsportsbook, so what? The only thing valuable to him is the exchanges and they are likely to be the most alert to weird stuff.

The point is that you have to match the whole thing, but you only get a subset of a certain type of good. Except for a few exceptions you will get at most the total of bids at all exchanges.

In the future it will be even harder to get a hold of enough goods and money to justify the attack. Many of the goods will be meals and nights in a hotel. How many of those can you get?

 

It's not positive... you have to spend a fortune, and what could you accomplish? In the best scenario you would attack some exchanges and get some cash, but then, that would identify you, since cash transfers are not anonymous. You wouldn't manage to make a positive ROI by doing cash-in-the-mail exchanges!

Seriously, I can't see how such an attack would be profitable. I bet that, if you're willing to engage in criminal activities, there are probably much better ROIs you could obtain with such an investment....

Regarding your 3 other points:

1. Legal: Yes, .gov could make it illegal. However, think through your underlying premise a bit....any currency sufficiently open enough to be a "better" currency than current Central Bank currency would also be pressured via the same tactic. I mean with that premise (.gov will make it illegal), why try at all?

2. Competition: Great, I think competition would be outstanding. I don't think lots of us who support BTC actively think its going to be the "only" currency used. Whats wrong with having 10 active competing currencies? Doesn't that benefit mankind the most anyway? Moreover, due to the nature that BTC is purely electronic, there will always be instantaneous exchanges available to translate between BTC and the new XYZ currency of favor.

3. Infiltration: Again this is a 'so what?' sort of premise. Poor Linus should've never tried to create his own Linux operating system....after all IBM and MSFT may have tried to subjugate the process via its open development process.

Thanks for explaining this, I've edited my question to correct how BTCs can be double-spent in the attack.

No problem. Explaining it helps me keep straight how it all works. And lets other people fix any wrong ideas I have.

As I wrote above, I'm happy and eager to learn what I don't know about BTC, and I love the spirit of it. Unfortunately, according to the calculations on http://www.quora.com/Is-Bitcoin-doomed-to-fail (http://www.quora.com/Is-Bitcoin-doomed-to-fail) it looks like the ROI of such attack would be positive.

After such an attack:
-The attacker is happy, because he now owns good and services with intrinsic value.
-The BTCs owners could be very sad, because panic could trigger a drop in the FRN/BTC exchange ratio, triggering evaporation of purchasing power of their BTCs, e.g. their BTCs can buy much less goods and services than before the attack.

Your calculations are garbage. You cannot spend coins 80 times in an hour. The attacker has the power to rewrite a history that doesn't include him spending the coins, that is all. He can't simultaneously convince 80 people that they have the same coins. In the slow shipping example you need to let the shipper think he has coins until after he ships, then you can pull them back. You can't do this 80 times in 2days. You would need about 40 days if people are shipping same day.

If you try to spend them twice in an hour at, say, MtGox you won't ever get credit and can't get dollars because he waits for 6 confirmations. If you go for 2 hours you can spend them there twice this will not get you double your money because you will be bidding the price down by buying quickly which you will have to do since your cover is blown when you stop paying $8560/hr.

Not to mention that Mtgox (the only site with anywhere near enough bids to get your 'investment' back) has some max withdrawal per day.

Once again, the reason this is not profitable is that you have to match the entire network, but you only get a little tiny slice of the flow, not "everything conceivably for sale for bitcoins"

And this attack does not get more profitable as USD/BTC increases. Difficulty has been increasing faster than price for a long time. It is getting more costly at a faster rate than the payout is growing.

The attacker must hold a large amount of BTC in order to execute the attack. So he'll also be affected by the lower price. If he brings the price of BTC to 0, then his attack was pointless, since the money that he got back is now worthless.

The attacker would have the advantage of knowing an attack had happened before all others knew. And a smart attacker wouldn't just trade his coins for different coins he'd try to get stuff. But as I've been explaining it takes a long time to get the stuff and you have to maintain the pullback ability for a long time, not 1 hour, if you want to get a bank transfer or bullion shipped.

FreeMoney is absolutely right.

The only way to get 80 people to accept the same 400 bitcoins would be to control all of their bitcoin connections and feed them different versions of the block chain.

And THAT will be impossible, because the people you're trying to rip off (merchants selling stuff) are exactly the people with long-running, well-connected bitcoin nodes.

Hi Freemoney,

thanks for answering me with such detail.


I think you're referring to this:


I disagree. A slow attack can target slow-shipping goods/services coming from isolated community-unaware sellers. A fast attack can target immediate-delivery goods/services making sure the interval of being alerted is smaller than the duration of the attack.


Yes. That's exactly the business of a malicious attacker. The whole point of Bitcoin should be being resilient to malicious attacks.

You also add:


I disagree. The first scenario I outlined involves attacking just 80 providers accepting BTC, in 60 minutes.



The transactions involved in such attack would be worth around FRN ("USD") 160 each, which is surely not the entire stock of a shop owner, nor all the goods/services providable by a generic seller.


See the two points above.


The attack scenario is based on the current Bitcoin network status.


I disagree. As I said, it takes only 80 relatively small transactions to complete the attack, and it doesn't have to by central banks' currencies. If I were a merchant I would like to be 100% sure that I can't be ripped off if I accept BTC, regardless of what I'm selling. Am I wrong, or do merchants lack this insurance if they use BTC ?

In your last post you add:


I understand your argument. Why shouldn't the attacker be able to releases a new block and as many blocks after it as needed to make its malicious chain the longest chain after the merchant has delivered the good/service to him ?


Makes a lot of sense. The attacker should buy immediate-delivery or fast-delivery goods services, such as: face-to-face material goods (in real shops), virtual goods, music, movies, ebooks, etc. The more the Bitcoin network grows, the more stuff available to be stolen will be available. Also, please consider that the job of an attacker is to figure out these details, while a merchant should be insured that hacking the system is not an option on Bitcoin.


You're right, but you'll agree with me that the attack should consist of 80 small transactions, involving sellers who are not superalert as moneychangers or bankers are.


I agree. The goal of the attacker should not be to steal everything available in Bitcoin, but just enough to reap a positive ROI.


A technical question: isn't owning the majority of the CPU power enough to impose a malicious chain, regardless of the size and age of the network, and the consequent difficulty ?

Hi caveden


Absolutely. Please note that in the attack I outilned the targets are not moneychangers, nor banks, nor any BTC pro.


Please look at the numbers outlined in the Quora question for this.


I totally agree with you on a moral side. Criminal activities are a bad thing, and Bitcoin is an effort to liberate people from criminal-like monopolies. Unfortunately I think there will always be a country in the world where hacking Bitcoin is not considered illegal. On the other hand, I fear that Bitcoin will soon be rendered illegal in many countries.

HI freetx


I agree with you: the fact that governments, competitors and infiltration will attack Bitcoin should not be a reason not to fight. But my concern is: how will the FRN/BTC ratio be affected when such shocks happen ? This is very important for me and people to know: if I am to accept BTCs in exchange for my labour, I wanna know how likely it is that the result of my labour could plummet, and how much. I hope you have the same concern :)

Hi theymos


I'm sorry but I don't understand your argument. The goal of the attacker is to harvest goods/services and have 0 BTCs at the end of the attack, but be plenty of goods/services. The attacker will therefore not suffer from the FRN/BTC ratio plummeting because of panic triggered when the the community realizes to have been hacked, which is after the attack is completed. I hope you agree with me.

Hi Gavin,

thanks for your technical answer. You sound expert in the details of how Bitcoin works, I hope to learn more.


Satoshi Nakamoto writes in his white paper that it is not needed to control all of the bitcoin connections, but just a majority of them. Am I missing something ?


Please note that the attack I outline targets BTC users who are not pros.

No. Rewriting old blocks requires you to generate them again. So if you want to go back 6 blocks, you have to do the work required to generate them with the current difficulty and continue to compete against legitimate generators.


That's much more difficult. A future version of Bitcoin will probably let the second recipient identify this attack immediately, since it is easy to see. A more likely attack is one where the second spend is back to the attacker.

You are confusing "control 50+% of generating power" with "control connections."

Lets say you control 51% of the generating power.

You can:

Spend bitcoins once.  Then wait for them to be confirmed by the rest of the network as many times as the merchant requires, while secretly working on another version of the block chain where you did NOT spend them.  Your secret block chain should be longer than the network's, since you control 51% of the generating power.

So you announce your secret block chain, and instead of sending those coins to a merchant you include a transaction where you send them to yourself.  YEAH!  you just ripped off the merchant!  Wahoo!

You cannot rip off two merchants with the same bitcoins-- one or the other of the transactions will be seen as valid.

And you cannot "unspend" the transaction to the merchant-- if you don't spend it SOMEWHERE, the merchant's bitcoin node will re-announce it to the network and all the other nodes will consider those bitcoins "spent, just waiting to be included in the next generated block."


If you run the numbers again with the realistic double-spend scenario, you'll see crime doesn't pay.  There is no way you can rent enough hashing power to commit a profitable double-spend attack.

If you can steal the hashing power (maybe you're a bot farmer), then if you run the numbers you'll find it is more profitable to just generate blocks and sell the bitcoins rather than try to somehow get stuff trying to double-spend.

Hi Gavin,

thanks for the explanation.


Are you saying that:
a) an attacker should announce a block chain where the spend is never acknowledged ?
b) the attacker should announce a block chain where the spend is acknowledged, and where another opposite transaction is, too ?
c) the attacker should announce a block chain where the spend is acknowledged, but the recipient is not the merchant address anymore but the/a attarcker's address ?


Would you agree on this description of the attack ?

"So in summary the attack works like this: the first BTCs spend happens in, say, block 105000. After the merchant acknowledges it and delivers the good/service to the attacker, the attacker's malicious network releases a new block 105000 and as many blocks after it as needed to make it the longest chain. Now the whole network (honest clients included) acknowledges that the attacker holds the coin because there is no record of first the transaction according to the majority of CPUs. Then the BTCs are spent again, and the process is repeated many times."

I feel that your point is: the transaction can't just disappear.


Ummm ... are you sure ? Could you be specific as which numbers are wrong in my Quora question ? According to my calculations, the ROI of such attack would be extremely positive.

Hi theymos,

thanks for the very technical answer.


Why should an attacker want to go back, instead of just being faster than the honest network in producing a longer chain ?


1) Why do you say that a "backspend" is a better double-spending than a second spend towards a second recipient ?
2) How could a future Bitcoin client ever be protected from the double-spending exploit that currently affects Bitcoin ?

From the Quora question:


You can't spend 400 BTC 80 times in 1 hour.  If you control a majority of the generation you could spend them twice an an hour (assuming merchants require 6 confirmations).

So you need to divide your expected profit per hour by 40, making your ROI very, very negative.

It would allow you to double-spend without controlling the network at the time of the initial transaction that you want to double-spend. Otherwise you need to control the network for the entire time between the first and second transaction.


It's another person do deal with, and they won't be cooperating with you to improve speed. Perhaps it is not much more difficulty right now, but it will be if this is implemented:


Whenever a block chain reorganize occurs, check if any of the replaced transactions are yours or are being replaced by a version that is now yours. If they are, then a double-spend is almost certainly happening with you as a party. The transaction should then be marked specially and not listed by any of the RPC methods by default. You can also watch memory pool transactions in the same way.

This wouldn't protect against an attacker who can reverse your 6-confirmation transactions, but it would stop the person receiving the double-spend from accepting it and alert everyone that someone is double-spending.

Why ?

These guys certainly show a lack of understanding here about the Bitcoin protocols.  The issue here isn't gaining temporary control of a majority of the CPU power of the network, the issue is gaining control of a majority of the network over a prolonged period of time.

More importantly, there is a mistaken notion here that transactions are "irreversible".  If you are engaged in gaming Bitcoins, transactions are indeed reversible and any attempt to double spend will be wiped out upon verification by the trusted nodes on the network.  BTW, CPU power alone isn't sufficient but also having the transactions verified by the various nodes including those who aren't necessarily even providing CPU power but rather merely network bandwidth.  If you can't get the majority of the nodes to accept your blocks & transactions, it is a wasted transaction even if you have a huge amount of CPU bandwidth being thrown at the issue.

BTW, this is one of the reasons why changed in 0.3.16 were such a big deal because it did change some of what the "ordinary nodes" were doing with some of the blocks and packets, rejecting certain transactions because of "unusual" data.

This kind of "attack" does point out that folks who are shipping physical merchandise ought to set up perhaps some sort of policy of requiring perhaps a few more than just six confirmations, as that is the real scam here.  In the attempt to double-spend, the attacker is trying to fool somebody into thinking they have legitimately received payment when in fact they haven't received any bitcoins at all.  When the attack fails, the "accounts" or at least who has what bitcoins will be a settled issue.

From the article:


Assuming that they are trying to get physical merchandise from somebody where it is being sent to a physical address of some kind as their way of being able to gain money from this scam.  By double spending, the attacker is assuming that they are going to be receiving the merchandise in spite of the merchant not receiving payment.  When the merchant realizes that the transaction is invalid (you don't even need to be reading the forums to notice that fact... contrary to what was said in the article earlier) they are going to either withhold shipment (and announce a strange set of blocks on the forums if they are thinking clearly or at least saying WTF happened to my transaction!) or they can then notify the shipping agent they are using that some sort of fraud was going on with the package and "request" that the package be returned or discarded and not sent to the addressee.  Either way, the scammer isn't going to get the merchandise and at worst is only wasting somebody's time or forcing a merchant to lose some money.

Furthermore, fraud can certainly be prosecuted under current laws.  Nothing new even needs to be passed in terms of going after these scammers legally in most countries and jurisdictions.  This is indeed very much within the legal definition of fraud and can be proven in court and certainly explained to law enforcement as if a "check" bounced and that payment failed or some other similar kind of explanation until you have to get inside of a court room.  You might be able to attack the validity of Bitcoins as a payment method, but certainly the fact that something of value was transmitted in exchange for something else of value, but then that "something" (in this bitcoins) was not in fact actually transferred would be considered fraud.  I would also argue that typically a judge in this situation would recognize Bitcoins as a valid payment method, at least if you can get somebody to explain what exactly is Bitcoins in simple terms that can be told to a jury without getting into the gritty details.  That both parties thought Bitcoins had value is the only legal question that would have to be asked in this case.

Some idiot presuming that the court system will stay away from you merely because you are using Bitcoins may have cold hard reality facing down upon themselves.  It isn't that this could be illegal, I'm suggesting that an attack of this nature would be illegal already and in fact is.  If you want chapter and verse, at least specify jurisdiction if you want me to give you an answer.  I can think of several laws this would violate and in at least America nearly a dozen law enforcement agencies who would all have jurisdiction too in any given town depending on what was sold and how it was shipped.

It is possible that somebody really thinking this through might set up dead drop mailboxes and have other ways to launder the merchandise, but we aren't talking check kiting here that can take a day or two and up to a couple of weeks to detect.

In short, the author of this piece is completely clueless about Bitcoins and doesn't know what he is talking about.  A good try, and certainly there are ways to scam Bitcoins from people who are unsuspecting, but trying to do that through an attack on the system in the nature described is not only a waste of time, but dangerous to do even from a legal standpoint where the risk on the ROI is far greater than even presumed as with potential criminal penalties and loss of liberty are enough to make this a negative ROI... at least with this method.  If you are going to scam, scam at least with "legitimate" transactions with something like a Ponzi scheme.

The issue of money laundering via Bitcoins is something real, but that is confusing a criticism of Bitcoins with a legal protection of some weird and perverse kind.  Just because trade in cocoa beans may or may not be legal in a jurisdiction doesn't stop a trade transaction using cocoa beans from being illegal for other reasons too.

The other issues listed in this article have been amply debunked in earlier postings on this thread and deserve no further analysis as they are equally faulty.

There are only, on average, about 1 transaction every 10 minutes.  That is six confirmations in an hour which is the hard time limit before a transaction is confirmed.  Let's assume the attackers are real lucky and get twice that many blocks as they are doubling the generation rate.... hence only two attacks would be possible in an hour.  Maybe a few more than that by "double spending" on each block, but you would also have to "win" all of those blocks too.

BTW, attempts to double spend coins would be ignored once the "attack" is over with likely a bunch of competing chains floating around the network temporarily while nodes are analyzing the transactions, but once the double spending filters are applied to the transactions the double spending transactions and blocks associated with those transactions will be culled... as if the attack never happened in the first place.

It would essentially be wasted CPU effort and even the bitcoins "earned" by winning a block would be discarded too.  It is as pointless of an attack as I've ever seen proposed.

This just occurred to me.  The existing 150 Ghash/s network costs just $144 per hour.

There were 165 blocks created in the past 24 hours (per Bitcoin Watch) and each earned 50 BTC.  That means 8,250 BTC were paid to those mining.  At BTC/USD currently at $0.42 each, that's $3,465 per day that is paid for a network that will do 150 Ghash/s.

So why does Amazon charge seventy times as much?   :-)

Interesting when one considers it that way.  So what about a parallel currency whose exchange rate is being subsidized such that mining the new parallel currency is more profitable than mining Bitcoin currently is?

In other words can enough of Bitcoin's miners be seduced into switching to a new parallel currency such that Bitcoin becomes vulnerable?

Maybe that quora question's part 3 (#3. Competition) merits further discussion?

This is all about perceived value (miners hope to gain much more than the current value) and flexibility (amazon offers more than computing hashes).

kakigarden.com redirects to a facebook page.

Why should I read anything more from someone who does that ?

Because ideas matter :)