He said he wouldn't mind that (buying back at a loss), he just wasn't comfertable with the amount off his stash then and the attack. Warz, if this isn't right please correct me!

I have no idea since it is something I have no interest in.

While theoretically possible, any attack on Bitcoin that would require brute hash strength is near impossible.

Perhaps some unknown technical exploit but nonetheless, it would just be fixed.

I don't think anything but a coin with perhaps better technology will kill BTC.


~BCX~

Possible. This guy had been calling that since 2011:

http://www.youtube.com/watch?v=eoWCZtsV4ls

So far, it seems they're right.

Challenge

In a regime of slow initial emission of a currency, propose ways that capture the part of the value of the coins emitted (which currently goes to excess mining cost), in such a way that the value is automatically and trustlessly (or, as close to that as possible) spent/distributed in way that increase the adoption of the currency.

So you agree ring signature entanglement from the coinbase transactions of the attackers fork could in theory occur??

How to unwind those?

Just willing to restate my points:
- No, I am not advocating changing the total number of coins;
- No, I am not advocating higher inflation;
- Yes, I am advocating that inflation is more evenly spread over time;
- Reason I do this is that fully mined coins have a hard time finding buyers if there are growing coins also available (don't be confused with pumps - that's something that cannot happen with XMR anyway anymore).

Reading my posts in this short thread might be enjoyable and insightful.

How do you unentangle rings which bind to double-spent (conflicting) transactions in the fork? The entire point of forking is to double-spend or...

How do you identify the claimed lost wallets from the claimed not lost ones? (assuming BCX does have the exploit he alleged)

30 blocks is probably not enough for a Gordian knot. What do you do when you people claim very important transactions that they don't want rewound? How do you identify who is who they claim to be as a sender in order to pick and choose which transactions to retain and which to unwind?

GE coins are the personal property of the imperial government (here, the current emperor) of a 240 x 10¹⁵ km³ empire (the largest celestially permissible for this planet).

That gives "These note are legal tender in all debts, public and private" a whole new meaning (and value).

Of course it was, I posted one then the next.


~BCX~

You said to me upthread you like disagreement. So please pardon that I need to point out that afaics miner's choice doesn't resolve the issue that once a 51% fork has run for a while and many users get their transactions intertwined with it, you can't untangle it to revoke it any more, especially given the anonymity with the ring signatures.

Sorry.

(note I wrote this already far upthread)

Why do people think we are one in the same?

It is an interesting idea.

~BCX~

Bitcoin has about 1 million and the marketcap per user is $5,000. Now if we think Monero has the same marketcap per user (which is very far-fetched), it should have 1,000 users.

Monero downloads typically measure in 10,000s per week. Poloniex alone has 5,000 distinct speculator accounts. MEW has 60 members a week after inception while membership costs 10 XMR at least and is only really possible for BCT accounts.

By getting back to marketcap per user metric, 5,000-10,000 users ($500-$1,000 per person) is reasonable. If all exchanges are considered, the number might be 10,000-15,000. Probably not more though.

I don't know of anything that Quark has accomplished, so it's not a comparison. Auroracoin had a much bigger pump, but is equally dead now.

This may be wrong but I think there is a pretty reasonable chance that it isn’t, so this is an important insight I think. Also something I had not thought of myself, so thanks for bringing that up.

Allright I took fischer's provability class so I'll give it a go:

First of all whether BGP is solvable or not depends on the "powers" given to the honest vs. lying generals.  Can the honest generals "broadcast" a message to everyone else?  Can lying generals "intercept" and rewrite messages?  Do you have a mostly-synchronized clock, or even a local sense of time?  So papers basically define these "powers" and then prove a yes or no result based on them.

Let me try to couch why BGP is sometimes unsolvable in what you are familiar with: bitcoin.  Let's just say we choose one node to grab all txns and add them to the blockchain.  That node can't steal $ because it can't sign the txns.  But it could insist that there are no txns, or disappear.  If it insists there are no txns (but there are) then no progress is made (algorithm is halted).  If it disappears, can you just choose another?  No because you can't prove that it is really gone vs just slow.  That is, it could seem to disappear causing the rest of the network to pick another "issuer".  Then both nodes post a block at the exact same moment resulting in half the nodes using block A and the other half B [1].  Could you then get the network to "settle" on one of the 2 blocks?  Well, doing so is equivalent to solving the original problem (picking a block in the first place), so the above strategy made zero progress solving this problem.  

But note that if you had some relatively consistent sense of elapsed time (an additional "power"), say all nodes have time accuracy within an interval E (say 5 min), you could do something like:  the announcer has until time X to announce a block, at time X+E, we choose another announcer [2].  Ok that works but it requires a synchronized clock.  No clock is ever synchronized perfectly.  So in practice it solves 99.99% of the problem, but what happens if the announcer issues the block exactly at time X+E.  So half of the nodes will think that it is valid, the other half will reject.  So now we have to decide whether to accept the proposed block or not.  Doing so is equivalent to the original problem.  We have made no progress.

How about you use a "fitness function" to choose the best block?  Perhaps use the longest block (most txns in it).  This doesn't work because at any time someone could add a few more txns to a very old block and reissue it, wiping out the blockchain up to that point.  That is, an uncooperative node could cause the algorithm to never make progress.  Ok so let's say once the block is issued it can't be "unissued".  But what if 2 nodes "issue" conflicting blocks simultaneously.  We have to pick one.  Oops, we are back to square one!  (and what does "issued" mean anyway -- in fact it is not definable in a p2p network).

Bitcoin itself does not even solve the problem.  At any time, someone could show up with an alternate blockchain that is full of empty blocks since 2009 (say he's secretly been racing with the public chain) and all clients would switch to that chain where no transactions have happened.  So in fact from a theoretical perspective the algorithm can be proved to never make progress.  However, from a practical perspective this is unlikely to happen, and if it did, I as a community we could throw in some kind of hard coded change (essentially a centralized decision hard-coded in a new client) that forces "our" chain to be chosen.  

So what's cool about Bitcoin is if it breaks down it can essentially "devolve" into (worst case) a centralized scheme.  No worse then we had before Bitcoin (and actually a whole lot better in other metrics).


[1] http://cs-www.cs.yale.edu/homes/arvind/cs425/doc/fischer.pdf
[2] http://research.microsoft.com/en-us/um/people/lamport/pubs/reaching.pdf

1 - I can say whatever that is not against the rules plus I don't want to back a terrorist publicly

2 - I can shill Monero if I want and you'll never see what hit you

3 - He is doing harm and adding substance to the FUD and helping the terrorist

4 - I dont give 2 tacoshis about your opinion, as far as I know you were heavy anti-xmr troll not a long ago so you are pretty burned on everyones book already

5 - Please ignore me so I don't need to read your weak, neutral-evil BS attacks.

6 - Welcome to my ignore-list as well.

The threat was (likely intentionally) issued at a time when me and several other large holders were online in the trollbox. I don't know if the other holders sold, but if they did, it was likely in anticipation of a bigger drop (which never materialized, so they bought back at a loss).

What I do remember for certain is that most of the bid side was pulled instead of being sold into, resulting in <50 BTC of bids at the lowest point instead of the normal ~300 BTC and high of >600 BTC. It builded up in minutes after seeing the initial flashcrash to 0.00280.

By the way, contrary to what many think, the higher lows trend has not been violated daily vwap-wise. The last low from August was 0.00305 and lowest during this bottom is 0.00310.

Afaics, ignoring decentralized checkpoints should be plausible since the attacker would control the decentralized consensus.

Ignoring centralized checkpoints is not so feasible, since you've got to convince others not to run the reference client.

I keep trying to posit there are other forms of difficulty attacks that can't be defeated with checkpoints. I been hinting at it for many days now.

What % of hashrate is needed for selfish mining attack?

How much can he amplify his hashrate by hiding it in the 20%?
Remember he said he needed only 20% of the hashrate. Seems obvious to me what he is doing.
Perhaps he can further amplify it by getting miners to join his pools which are gaining an edge in payouts, but I don't assume that is necessary.

How will your checkpoints work if his attack catapults his effective hashrate to 51%? He can then ignore the checkpoints and replace with any chain he wants.

Does XMR still throw away 20% of the timestamps which are the statistical outliers when computing the difficulty?

So thus I could mine a chain with a much higher cumulative difficulty without triggering a difficulty adjustment.

Have you analyzed this genre of attack vectors?