lucas jeffrey (OP)
Newbie
Offline
Activity: 6
Merit: 26
|
|
August 19, 2024, 08:46:46 PM |
|
In this topic i will explain a way in which in theory, users could successfully double spend their bitcoin. This is just a game-theory based analysis of the interaction between bitcoin users and the profitability of different mining strategies.
Background So, first of all, i will asume that you are familiar with both bitcoin's white paper and game theory in some extent. Also you should be familiar with how transaction fees work, and the concept of how a 51% attack works.
The profitability of miners An honest miner profits from both block subsidies and transaction fees. In the scenario i will describe, block subsidies are over, and the only income miners have is transaction fees.
How double spending works So first of all, in synthesis a double spend occurs when a transaction X that sends founds from A to B is added to the longer chain, and after its added, a miner mines 2 blocks in a row but without the transaction X: instead it adds a transaction X' in which the coins are sent from A to A', which is an address controlled by the same person.
Of course running such attack is not that easy, you have 2 posibilities: You can obtain enough computing power to overtake the network's computing power, and create the longer chain, or, having a small proportion of the hashing power, you can try to get lucky and mine 2 blocks in a row, and then broadcast it to the network. In this scenario both options are completely discarded. But of course, you have an alternative: you can put an incentive on miners to support your double spend, and that is the scenario i will be exploring.
The attack The sequence of the attack goes like this: * Broadcast a transaction X which sends money from A to B and with a low fee * Wait for the transaction to appear in the longest chain * When X is added to the longest chain, you broadcast a new transaction X', which sends money form A to A' with an extremely high fee. (Of course, X' would not be a valid transaction in the current longest blockchain)
After following those steps, you created an inventive for miners to fork the blockchain and create a new longest chain with your fake transaction X' because of the extremely high fee you set.
The incentive Miners who support your double spending will see an extremely high profit due to your high transaction fee. Also consider that you may not be the only one trying to double spend, so miners could collect all of these high fees on the fake transactions compared to what they could gain remaining honest building on top of the longer chain with honest transactions.
The cost Of course, trying to disrupt the incentives of miners, who are supposed to secure the network is not free, and assuming there is no single miner or group of miners controlling more than a 50% of the hashing power, the cost of rolling back a transaction increases exponentially the deeper it is on the blockchain: Let's assume the miner controls a percentage H of the total hashing power of the network. In order to revert the last N blocks, the miner should create a longer chain stating n blocks behind the network. The probability of success of the attacker will be: P = (H / (1 - H) ** (n + 1). Of course, giving that H is below 0.5 that probability decays exponentially. But, remember that P is not zero.
The miner's dilemma Now the miner could choose to remain honest or betray the network. Now lets calculate the expected rewards of both strategies: * expected rewards of remaining honest: R = H * B where H is the hashing power as a percentage of network's hashing power and B is the honest block reward * expected rewards of betraying: R' = P * B' where P is the probability of success and B' is the reward of the blocks containing those fake transactions. Note that if B' is big enough, the best strategy of a miner could be to betray the network instead of remaining honest.
The solution As you saw earlier, users can disrupt the incentives of miners to make them betray the network, but also the cost of doing it increases exponentially the deeper they are on the blockchain, and that's exactly the solution to that problem: users must require more confirmations to consider a transaction valid. If a transaction that is rolled back is not sufficiently deeper in the blockchain, there would be no double spends because the transaction wasn't considered valid on the first place. Even if a double spend can occur 'on paper' if there is no actual damage, then the attempt of double spending will be costly to the user who tried to double spend (due to the high transaction fee they payed) further discouraging that behavior.
Why it think that's OK There are cases in which users may want to roll back a transaction, for instance if you send money to the wrong address, or you regret your decision of spending that money, i think that's OK, and the network should provide users a way to do such a thing. Also as i mentioned earlier, there is a solution for that which is to just wait more validations before considering a transaction valid. Also there is something i think it's important to notice: blockchain is a probabilistical model, where it's accuracy increases over time.
Conclusion With all that said i think that bitcoin fundamentals are intact. Even if a user, or a group of users succeed on performing a double spend attack, the security of the network remains intact. Regarding to the validity of transactions, and given that the cost of performing a double spend increases as the transactions are deeper in the blockchain, wait for long enough time and there will be no rational incentive to perform a double spend on a deep transaction.
|
|
|
|
Upgrade00
Legendary
Offline
Activity: 2226
Merit: 2369
Playgram - The Telegram Casino
|
So first of all, in synthesis a double spend occurs when a transaction X that sends founds from A to B is added to the longer chain, and after its added, a miner mines 2 blocks in a row but without the transaction X: instead it adds a transaction X' in which the coins are sent from A to A', which is an address controlled by the same person.
If transaction X being moved from A to B is already in the longest chain and means it has gotten a least 1 confirmation, successfully mining the next two blocks doesn't invalidate that transaction. Transaction X will not appear in the next blocks, they just push it deeper into the chain. Unconfirmed transactions go into mempools not the blockchain. The incentive Miners who support your double spending will see an extremely high profit due to your high transaction fee. Also consider that you may not be the only one trying to double spend, so miners could collect all of these high fees on the fake transactions compared to what they could gain remaining honest building on top of the longer chain with honest transactions.
This is not feasible, from your analogy you are the one mining the blocks which double spend the transaction, this means there is no incentive for other miners. A one time ridiculous fee is not an incentive to build a chain with more PoW. All of these doesn't matter cause the initial transaction X was already confirmed. 51% attack does not allow you manipulate older transactions. There are cases in which users may want to roll back a transaction, for instance if you send money to the wrong address, or you regret your decision of spending that money, i think that's OK, and the network should provide users a way to do such a thing. That is centralization which is not how Bitcoin works.
|
|
|
|
▄▄███████▄▄███████ ▄███████████████▄▄▄▄▄ ▄████████████████████▀░ ▄█████████████████████▄░ ▄█████████▀▀████████████▄ ██████████████▀▀█████████ █████████████████████████ ██████████████▄▄█████████ ▀█████████▄▄████████████▀ ▀█████████████████████▀░ ▀████████████████████▄░ ▀███████████████▀▀▀▀▀ ▀▀███████▀▀███████ | ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ Playgram.io ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ | ▄▄▄░░ ▀▄ █ █ █ █ █ █ █ ▄▀ ▀▀▀░░
| │ | ▄▄▄███████▄▄▄ ▄▄███████████████▄▄ ▄███████████████████▄ ▄██████████████▀▀█████▄ ▄██████████▀▀███▄██▐████▄ ██████▀▀████▄▄▀▀█████████ ████▄▄███▄██▀█████▐██████ ██████████▀██████████████ ▀███████▌▐██▄████▐██████▀ ▀███████▄▄███▄████████▀ ▀███████████████████▀ ▀▀███████████████▀▀ ▀▀▀███████▀▀▀ | | │ | ██████▄▄███████▄▄████████ ███▄███████████████▄░░▀█▀ ███████████░█████████░░█ ░█████▀██▄▄░▄▄██▀█████░█ █████▄░▄███▄███▄░▄██████ ████████████████████████ ████████████████████████ ██░▄▄▄░██░▄▄▄░██░▄▄▄░███ ██░░░█░██░░░█░██░░░█░████ ██░░█░░██░░█░░██░░█░░████ ██▄▄▄▄▄██▄▄▄▄▄██▄▄▄▄▄████ ███████████████████████ ███████████████████████ | | │ | ► | |
[/
|
|
|
hosseinimr93
Legendary
Offline
Activity: 2590
Merit: 5678
|
|
August 19, 2024, 09:37:48 PM |
|
All nodes will reject the second transaction and it's very unlikely that mining pools receive that. Also, the cost to perform such an attack would be very high and even if you pay the cost, no mining pool will perform a 51% attack to include the second transaction in the blockchain. It's surely more profitable to be a honest mining pool. By the way, your topic has nothing to do with "Economics" boards and should be moved to "Development & Technical Discussion" board. If transaction X being moved from A to B is already in the longest chain and means it has gotten a least 1 confirmation, successfully mining the next two blocks doesn't invalidate that transaction. Transaction X will not appear in the next blocks, they just push it deeper into the chain.
I feel you didn't understand OP correctly. Let's say the transaction A has been included in the blockchain. A dishonest mining pool try to include transaction B (which spends the same input as transaction A) in a new chain that doesn't have the block contaning transaction A. If the dishonest mining pool manage to add more blocks to the new chain fast enough, so that it becomes the winning chain, the transaction A would be invalidated. In practice, it's very unlikely to perform such an attack successfuly. 51% attack does not allow you manipulate older transactions.
It does, if it's done successfully.
|
|
|
|
SquirrelJulietGarden
|
|
August 20, 2024, 04:15:29 PM |
|
51% attack does not allow you manipulate older transactions.
It does, if it's done successfully. It can be done but a deeper into the Bitcoin blockchain and Bitcoin block history, a harder it is to be manipulated successfully. It's very hard to do it successfully for transactions with 10+ confirmations or 100+ confirmations. How many Bitcoin confirmations is enough?Bitcoin confirmations. It does not credit information source to blog.lopp.net. The Bitcoin blockchainOne way to think about the blockchain is like layers in a geological formation, or glacier core sample. The surface layers might change with the seasons, or even be blown away before they have time to settle. But once you go a few inches deep, geological layers become more and more stable. By the time you look a few hundred feet down, you are looking at a snapshot of the past that has remained undisturbed for millions of years. In the blockchain, the most recent few blocks might be revised if there is a chain reorganization due to a fork. The top six blocks are like a few inches of topsoil. But once you go more deeply into the blockchain, beyond six blocks, blocks are less and less likely to change. After 100 blocks back there is so much stability that the coinbase transaction—the transaction containing the reward in bitcoin for creating a new block—can be spent. While the protocol always allows a chain to be undone by a longer chain and while the possibility of any block being reversed always exists, the probability of such an event decreases as time passes until it becomes infinitesimal.
1 confirmation: sufficient for small payments less than $1,000.
3 confirmations: for payments $1,000 - $10,000. Most exchanges require 3 confirmations for deposits.
6 confirmations: good for large payments between $10,000 - $1,000,000. Six is standard for most transactions to be considered secure.
10 confirmations: suggested for large payments greater than $1,000,000.
|
|
|
|
garlonicon
Copper Member
Legendary
Offline
Activity: 923
Merit: 2215
Pawns are the soul of chess
|
|
August 20, 2024, 05:01:42 PM |
|
First, try to demonstrate it on testnet. For example, I successfully sent 9950 tBTC as a fee, and nobody reorged my block. I wonder, how big amount can be sent, without being reorged by another miner, but so far, it seems that miners are not running any kind of code, related to stealing coins in this way.
|
|
|
|
ABCbits
Legendary
Offline
Activity: 3052
Merit: 8087
Crypto Swap Exchange
|
The attack The sequence of the attack goes like this: * Broadcast a transaction X which sends money from A to B and with a low fee * Wait for the transaction to appear in the longest chain * When X is added to the longest chain, you broadcast a new transaction X', which sends money form A to A' with an extremely high fee. (Of course, X' would not be a valid transaction in the current longest blockchain)
Nodes which already receive and verify block which contain transaction X will reject transaction X'. That means you can't broadcast it to Bitcoin network, where you're forced to communicate with miner/pool directly and hope they agree to perform 51% attack.
|
|
|
|
NotATether
Legendary
Offline
Activity: 1792
Merit: 7376
Top Crypto Casino
|
|
August 22, 2024, 06:36:17 AM Merited by garlonicon (1) |
|
I'm pretty sure OP is talking about double-spending after a block confirmation, because to double-spend a transaction while it is unconfirmed is trivial as long as you pay a higher fee.
As for the case when you're trying to send a UTXO after it has already been confirmed, that only works when the same miner mines the next block too, and only if they are in on the scheme and patched their nodes accordindly. (Which never happens.)
|
|
|
|
garlonicon
Copper Member
Legendary
Offline
Activity: 923
Merit: 2215
Pawns are the soul of chess
|
|
August 22, 2024, 06:49:12 AM |
|
and patched their nodes accordindly You only need "invalidateblock" to do that. But: invalidating a block, and mining two blocks in a row, is not that easy.
|
|
|
|
NotATether
Legendary
Offline
Activity: 1792
Merit: 7376
Top Crypto Casino
|
|
August 22, 2024, 08:07:29 AM |
|
Oh and also - it would be much easier to convince a private miner to go along with this than trying to convince a public mining pool, because the moment anyone suspects that a replacement is going on, they are going to take their hash-power out and direct it to some other pool, so the probability of hitting two successive blocks goes down rapidly.
Although the difference between the probabilities for each type of miner are like comparing the numbers 1e-10 and 0.00001.
|
|
|
|
Knight Hider
Member
Offline
Activity: 360
Merit: 91
a young loner on a crusade
|
|
August 22, 2024, 11:36:38 AM |
|
The attack The sequence of the attack goes like this: * Broadcast a transaction X which sends money from A to B and with a low fee * Wait for the transaction to appear in the longest chain * When X is added to the longest chain, you broadcast a new transaction X', which sends money form A to A' with an extremely high fee. (Of course, X' would not be a valid transaction in the current longest blockchain)
For this to be worth the extremely high fee, the transacted amount must be very high. Nobody is going to accept that large amount with only 1 confirmation, for exactly the reason you described. Why it think that's OK There are cases in which users may want to roll back a transaction, for instance if you send money to the wrong address, or you regret your decision of spending that money, i think that's OK, and the network should provide users a way to do such a thing. Also as i mentioned earlier, there is a solution for that which is to just wait more validations before considering a transaction valid. Also there is something i think it's important to notice: blockchain is a probabilistical model, where it's accuracy increases over time.
Use a credit card if you want insurance against mistakes.
|
in a world of criminals who operate above the law one man can make a difference and you are going to be that man
|
|
|
odolvlobo
Legendary
Offline
Activity: 4494
Merit: 3417
|
In short, your attack is easily defeated by waiting for multiple confirmations, but you already acknowledge that.
But, the real point of your post is to claim that a double spend is still possible because a miner will be incentivized to reorg the blockchain if the replacement transaction pays a sufficient fee.
I don't think there is any dispute about that, but something being possible is not the same as it being likely. Where your post falls short is the analysis. I would like to see an analysis so that I can know at what point it might become an issue.
Also, I don't feel that a miner is "betraying the network" by reorging the chain to replace a transaction. Reorgs are expected to happen. That's why waiting for multiple confirmations is a common practice.
|
Join an anti-signature campaign: Click ignore on the members of signature campaigns. PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
|
|
|
Knight Hider
Member
Offline
Activity: 360
Merit: 91
a young loner on a crusade
|
|
August 23, 2024, 08:03:50 AM Merited by garlonicon (1) |
|
First, try to demonstrate it on testnet. For example, I successfully sent 9950 tBTC as a fee, and nobody reorged my block. I wonder, how big amount can be sent, without being reorged by another miner, but so far, it seems that miners are not running any kind of code, related to stealing coins in this way. It is possible a miner tried to double spend your transaction, but couldn't create a longer chain fast enough.
|
in a world of criminals who operate above the law one man can make a difference and you are going to be that man
|
|
|
JiiBs
|
|
August 25, 2024, 08:23:56 AM |
|
I'm pretty sure OP is talking about double-spending after a block confirmation, because to double-spend a transaction while it is unconfirmed is trivial as long as you pay a higher fee.
What I thought initially as, it’s said you can archive this double spending in events where you have to cancel a transaction after it already had been broadcast but, still awaiting confirmations. It’s even said, you can cancel a transaction with one confirmation using Blockchain.com which is yet I verified at my end. As for the case when you're trying to send a UTXO after it has already been confirmed, that only works when the same miner mines the next block too, and only if they are in on the scheme and patched their nodes accordindly. (Which never happens.)
Why should a miner be in on this? Assisting a user of the network to double spend or perform a 51% attack. Wouldn’t that be putting the integrity of the very network you should be protecting in question and what becomes the case with the transparency of the Bitcoin blockchain?
|
|
|
|
garlonicon
Copper Member
Legendary
Offline
Activity: 923
Merit: 2215
Pawns are the soul of chess
|
|
August 25, 2024, 09:17:07 AM |
|
It is possible a miner tried to double spend your transaction, but couldn't create a longer chain fast enough. Possible, but unlikely. The block number is 33201. Which means, that if anyone would try to do this, then it could be possible to observe it in the chaintips. However, this is how it looks like: { "height": 33415, "hash": "00000000bd03031bc5ca1acad6ac769d18b536aae43bf6a889713a9b4a981984", "branchlen": 1, "status": "valid-headers" }, { "height": 33113, "hash": "000000000046ac492bf59c7fe3c567b6fa5dc9dae43ba6c0b7b071299b911616", "branchlen": 1, "status": "valid-headers" } As you can see, between 33113 and 33415, nothing like that happened. If it would happened, nodes would see at least some block hash on that height. So, if anyone tried, then that miner could not produce even a single block, with difficulty one, on that block height.
|
|
|
|
|