Bitcoin Forum
June 18, 2024, 05:07:34 AM *
Author Topic: Probing for Community Interest  (Read 2158 times)
c4n10 (OP)
November 21, 2012, 02:33:06 AM
 #1

I am thinking about setting up an exchange specifically for alt-coins which currently lack an exchange for one reason or another.

For example, Terracoin, Solidcoin, Liquidcoin, I0Coin, etc...

I would most likely use the open-source software from either Intersango or Bitcoin-Central but I am also open to suggestions from the community.
foggyb
November 21, 2012, 02:35:31 AM
 #2

I want to see this project go forward. Need a place to trade my alt alt coin. :)

doublec
November 21, 2012, 02:58:35 AM
 #3

I am thinking about setting up an exchange specifically for alt-coins which currently lack an exchange for one reason or another.
How do you plan to protect against double spend attacks on low hash rate alt-coins?
c4n10 (OP)
November 21, 2012, 04:00:14 AM
 #4

I am thinking about setting up an exchange specifically for alt-coins which currently lack an exchange for one reason or another.
How do you plan to protect against double spend attacks on low hash rate alt-coins?

I plan to heavily test the site before opening it to the public. People will just have to wait a few hours for an appropriate number of confirmations for each type of coin to be determined in beta testing. I sometimes have to wait a few hours for my coins to confirm at some of the exchanges, it doesn't bother me and those exchanges seem to be doing just fine.
c4n10 (OP)
November 21, 2012, 04:00:48 AM
 #5

I want to see this project go forward. Need a place to trade my alt alt coin. :)

LOL, I think a LOT of us do...
doublec
November 21, 2012, 07:38:14 AM
 #6

I plan to heavily test the site before opening it to the public. People will just have to wait a few hours for an appropriate number of confirmations for each type of coin to be determined in beta testing.
That doesn't help though. If someone has greater than 50% you can wait as many hours as you want but they can still double spend. I'm not trying to trash your idea, I'm just giving you a heads up on the risk from someone who had an i0coin exchange double spent in this manner for about 200 btc. It was an expensive lesson.
c4n10 (OP)
November 21, 2012, 08:15:50 AM
 #7

I plan to heavily test the site before opening it to the public. People will just have to wait a few hours for an appropriate number of confirmations for each type of coin to be determined in beta testing.
That doesn't help though. If someone has greater than 50% you can wait as many hours as you want but they can still double spend. I'm not trying to trash your idea, I'm just giving you a heads up on the risk from someone who had an i0coin exchange double spent in this manner for about 200 btc. It was an expensive lesson.

From the wiki on the subject of 51% attack: "The risk lessens of this with each confirmation as the computational advantage the attacker needs grows to a mathematically improbable level and six confirmations is widely accepted as being the amount where the transaction is secure from this attack."
cunicula
November 21, 2012, 08:35:34 AM
 #8

I plan to heavily test the site before opening it to the public. People will just have to wait a few hours for an appropriate number of confirmations for each type of coin to be determined in beta testing.
That doesn't help though. If someone has greater than 50% you can wait as many hours as you want but they can still double spend. I'm not trying to trash your idea, I'm just giving you a heads up on the risk from someone who had an i0coin exchange double spent in this manner for about 200 btc. It was an expensive lesson.

From the wiki on the subject of 51% attack: "The risk lessens of this with each confirmation as the computational advantage the attacker needs grows to a mathematically improbable level and six confirmations is widely accepted as being the amount where the transaction is secure from this attack."

This holds if they have less than 51%. If they have 51%, your coins are their coins.
c4n10 (OP)
November 21, 2012, 09:19:11 AM
 #9

I plan to heavily test the site before opening it to the public. People will just have to wait a few hours for an appropriate number of confirmations for each type of coin to be determined in beta testing.
That doesn't help though. If someone has greater than 50% you can wait as many hours as you want but they can still double spend. I'm not trying to trash your idea, I'm just giving you a heads up on the risk from someone who had an i0coin exchange double spent in this manner for about 200 btc. It was an expensive lesson.

From the wiki on the subject of 51% attack: "The risk lessens of this with each confirmation as the computational advantage the attacker needs grows to a mathematically improbable level and six confirmations is widely accepted as being the amount where the transaction is secure from this attack."

This holds if they have less than 51%. If they have 51%, your coins are their coins.


Not according to the wiki:

Code:
51% attack
A miner or cartel who controls more than fifty percent of the hashing capacity of the bitcoin mining network has the potential to fraudulently double-spend recent transactions. With majority of hashing power the attacker has the technical ability to mine blocks which do not include a previous spend transactions from the miner but instead include a double spend of the coin. With majority control the potential exists for this double spend even if the transaction had already seen confirmations as those blocks could be overtaken in the attack.
The risk lessens of this with each confirmation as the computational advantage the attacker needs grows to a mathematically improbable level and six confirmations is widely accepted as being the amount where the transaction is secure from this attack.

While this is from the Bitcoin wiki, the principles should still be pretty much the same seeing as how all the alt-coins are basically using Bitcoin's code for their underlying infrastructure just with variations on block rewards, re-target times, hashing algorithm, etc...

Unless there is something that I am simply not understanding which is entirely possible being that I've only known about Bitcoin and its alt-coins for a little over 2 months now...
cunicula
November 21, 2012, 09:28:55 AM
 #10

I plan to heavily test the site before opening it to the public. People will just have to wait a few hours for an appropriate number of confirmations for each type of coin to be determined in beta testing.
That doesn't help though. If someone has greater than 50% you can wait as many hours as you want but they can still double spend. I'm not trying to trash your idea, I'm just giving you a heads up on the risk from someone who had an i0coin exchange double spent in this manner for about 200 btc. It was an expensive lesson.

From the wiki on the subject of 51% attack: "The risk lessens of this with each confirmation as the computational advantage the attacker needs grows to a mathematically improbable level and six confirmations is widely accepted as being the amount where the transaction is secure from this attack."

This holds if they have less than 51%. If they have 51%, your coins are their coins.


Not according to the wiki:

Code:
51% attack
A miner or cartel who controls more than fifty percent of the hashing capacity of the bitcoin mining network has the potential to fraudulently double-spend recent transactions. With majority of hashing power the attacker has the technical ability to mine blocks which do not include a previous spend transactions from the miner but instead include a double spend of the coin. With majority control the potential exists for this double spend even if the transaction had already seen confirmations as those blocks could be overtaken in the attack.
The risk lessens of this with each confirmation as the computational advantage the attacker needs grows to a mathematically improbable level and six confirmations is widely accepted as being the amount where the transaction is secure from this attack.

While this is from the Bitcoin wiki, the principles should still be pretty much the same seeing as how all the alt-coins are basically using Bitcoin's code for their underlying infrastructure just with variations on block rewards, re-target times, hashing algorithm, etc...

Unless there is something that I am simply not understanding which is entirely possible being that I've only known about Bitcoin and its alt-coins for a little over 2 months now...

That is true, but keep the following in mind.

1) If they owned the coins at some point in the past, then they can reclaim them from you without your permission.
2) If you ever want to send the coins, you need their permission to do so. This permission could be quite costly to obtain.

Point (2) is kind of functionally equivalent to them stealing the coins directly. Your only recourse is to not give into blackmail and destroy the coins.
doublec
November 21, 2012, 09:39:15 AM
 #11

Unless there is something that I am simply not understanding which is entirely possible being that I've only known about Bitcoin and its alt-coins for a little over 2 months now...
Here is how an attacker with 51% or more of the hash rate can bankrupt your exchange. For this example I use i0coin:

1) Attacker starts mining a new blockchain fork, starting from the existing block.
2) Attacker deposits i0coin in your exchange.
3) Attacker's fork of the chain in (1) does not include this deposit transaction.
4) Attacker sends the same coins as (2) to another address they own and this transaction is included in the blockchain fork in (1).
5) After the required number of confirmations attacker trades for bitcoins and withdraws the bitcoins.
6) When (1) is longer than the existing main chain attacker publishes their fork.
7) repeat from (1)

The result of (6) is that the exchange loses the i0coins due to the transaction no longer being valid. The transaction in (4) has replaced it. The exchange can't reverse the bitcoin withdrawal as the coins are already gone.

The exchange can't detect this offline mining. There's no way to know someone is building the blockchain fork in advance. The exchange can only notice the chain reorg after the fact. By that time all the coins are gone.

It doesn't matter how many confirmations you wait to confirm the deposit in (2). If the attacker has greater than 51% then eventually they will have a longer chain and can force a reorg. It doesn't matter if you process withdrawals manually. The attacker just waits until you've confirmed the btc withdraw and then publishes their fork.

The attacker can even re-use the i0coins they used in the attack to repeat the process since they still own them.

If the alt coin is able to be merge mined then there is no cost to the attacker. They essentially perform the attack for free since they are mining bitcoins at the same time. If it is not a merge mineable coin then the attacker has the opportunity cost of them not mining bitcoins. The amount taken from the exchange can compensate for this however.

In this attack note the attacker started mining the fork before they initiated the fraudulent deposit. This makes it much easier to reverse since they don't need to go back X blocks and mine from there - as the wiki entry you quote notes this could be computationally difficult. Although with >51% they'll eventually get there.
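
As an added example (not part of doublec's post or any project's code), the sketch below evaluates the catch-up formula from section 11 of the Bitcoin whitepaper for the disagreement in this thread: risk falls with each confirmation only while the attacker's hash-rate share `q` stays below one half. The share `q`, the risk target and the `limit` cut-off are assumptions an exchange operator would have to estimate per coin.

```python
# Added example, not code from the thread.
# Formula: Bitcoin whitepaper, section 11 ("Calculations").
from math import exp


def attacker_success_probability(q, z):
    """Chance that an attacker holding hash-rate share q ever overtakes the
    honest chain once the recipient has waited for z confirmations.

    The whitepaper model assumes the attacker starts mining when the payment
    is sent. A fork started earlier, as in the post above, only helps the
    attacker, so treat the result as a lower bound on the risk.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a share between 0 and 1")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    p = 1.0 - q
    if q >= p:
        # With half or more of the hash rate the attacker's chain overtakes
        # the honest one eventually, whatever z is.
        return 1.0
    lam = z * q / p           # expected attacker progress while z blocks are mined
    poisson = exp(-lam)       # Poisson term for k = 0
    total = 1.0
    for k in range(z + 1):
        total -= poisson * (1.0 - (q / p) ** (z - k))
        poisson *= lam / (k + 1)
    return total


def min_confirmations(q, max_risk, limit=500):
    """Smallest z whose modelled risk is below max_risk, or None when no
    depth up to `limit` is enough (always the case for q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def risk_table(shares, depths):
    """Map each assumed attacker share to its risk at each confirmation depth."""
    return {q: [attacker_success_probability(q, z) for z in depths] for q in shares}


if __name__ == "__main__":
    depths = (1, 6, 24, 120)
    for q, row in risk_table((0.10, 0.30, 0.45, 0.51), depths).items():
        cells = "  ".join(f"z={z}: {r:.7f}" for z, r in zip(depths, row))
        print(f"q={q:.2f}  {cells}  min z for <0.1%: {min_confirmations(q, 0.001)}")
```

For a low hash rate alt-coin the practical input is how cheaply `q` can be pushed past 0.5, since beyond that point no confirmation policy changes the result.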
cunicula
November 21, 2012, 09:46:32 AM
 #12

Here is how an attacker with 51% or more of the hash rate can bankrupt your exchange. For this example I use i0coin:

1) Attacker starts mining a new blockchain fork, starting from the existing block.
2) Attacker deposits i0coin in your exchange.
3) Attacker's fork of the chain in (1) does not include this deposit transaction.
4) Attacker sends the same coins as (2) to another address they own and this transaction is included in the blockchain fork in (1).
5) After the required number of confirmations attacker trades for bitcoins and withdraws the bitcoins.
6) When (1) is longer than the existing main chain attacker publishes their fork.
7) repeat from (1)

The result of (6) is that the exchange loses the i0coins due to the transaction no longer being valid. The transaction in (4) has replaced it. The exchange can't reverse the bitcoin withdrawal as the coins are already gone.

The exchange can't detect this offline mining. There's no way to know someone is building the blockchain fork in advance. The exchange can only notice the chain reorg after the fact. By that time all the coins are gone.

It doesn't matter how many confirmations you wait to confirm the deposit in (2). If the attacker has greater than 51% then eventually they will have a longer chain and can force a reorg. It doesn't matter if you process withdrawals manually. The attacker just waits until you've confirmed the btc withdraw and then publishes their fork.

The attacker can even re-use the i0coins they used in the attack to repeat the process since they still own them.

If the alt coin is able to be merge mined then there is no cost to the attacker. They essentially perform the attack for free since they are mining bitcoins at the same time. If it is not a merge mineable coin then the attacker has the opportunity cost of them not mining bitcoins. The amount taken from the exchange can compensate for this however.

Very nice summary. I particularly liked the part where you threw in opportunity cost, pointing out a vulnerability associated with merged mining.
Nolo
November 21, 2012, 05:33:47 PM
 #13

In theory, the threat of a 51% attack is always present.  At what hash rate would you guys consider the risk pretty well mitigated?  I know it depends on the coin, as they're slightly different.  But just looking for a ballpark number. 

Charlie Kelly: I'm pleading the 5th.  The Attorney: I would advise you do that.  Charlie Kelly: I'll take that advice under cooperation, alright? Now, let's say you and I go toe-to-toe on bird law and see who comes out the victor?  The Attorney: You know, I don't think I'm going to do anything close to that and I can clearly see you know nothing about the law.
19GpqFsNGP8jS941YYZZjmCSrHwvX3QjiC
markm
November 21, 2012, 06:38:01 PM
Last edit: November 21, 2012, 06:48:59 PM by markm
 #14

If there are quite a few nodes running, and they are running updated code that includes a checkpoint that happened since you got your coins, then possibly your coins might be reasonably safe as long as an attacker does not publish a different copy of the node code that contains a different set of checkpoints that feature their fork of the chain instead of the version of the chain in which you got your coins.

Consider for example an Open Transactions server that obtained a bunch of coins many many months ago, and several new versions of the client have come out since then, each one adding another checkpoint which favours the chain in which those coins were obtained.

To reverse those coins would involve going massively far back in time and would be refuted by the last several checkpoints that are already hard-coded into the current batch of nodes that are currently running.

Possibly in that circumstance the tokens the Open Transactions server is backing with those ancient well established coins can be considered to be fairly securely backed by actual coins. Such tokens could even in some ways be considered more secure than any recently mined actual coins.

Still though if a time ever came when there was no more demand/need for the tokens, so that it was time to liquidate, deleting the tokens and sending out the actual coins they represent, an attacker would at that point have an opportunity to try to mess up the actual transfer on the blockchain of those coins. So the liquidation could take a while, involving sending out the coins then waiting a few hardcoded checkpoints before regarding them as having been reasonably securely sent to their new owners.

This is basically why I try to release new versions of node software from time to time with new checkpoints coded in. I hope that over time doing so will eventually make it reasonable to consider the coins backing my tokens as actually fairly secure in their cold wallets so that the tokens are somewhat securely backed by actual coins.

-MarkM-


Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
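
The checkpoint idea in markm's post, as an added example that is not code from the post or from any coin's node software: a chain selector that refuses any fork contradicting a hard-coded checkpoint. Chain length stands in for accumulated work, and every block label, height and checkpoint below is constructed for illustration.

```python
# Added example, not code from the thread. All block data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Header:
    height: int
    block_hash: str
    prev_hash: str


def make_chain(base, labels):
    """Extend `base` (a list of Header) with blocks named by `labels`."""
    chain = list(base)
    for label in labels:
        prev = chain[-1].block_hash if chain else "genesis-parent"
        chain.append(Header(len(chain), label, prev))
    return chain


def is_linked(chain):
    """Every header must sit at its own index and point at its predecessor."""
    return all(
        chain[i].height == i and chain[i].prev_hash == chain[i - 1].block_hash
        for i in range(1, len(chain))
    )


def conflicts_with_checkpoints(chain, checkpoints):
    """True if the chain has a different block at any checkpointed height."""
    return any(
        height < len(chain) and chain[height].block_hash != expected
        for height, expected in checkpoints.items()
    )


def reorg_depth(current, candidate):
    """Number of blocks on `current` that `candidate` would replace."""
    common = 0
    for ours, theirs in zip(current, candidate):
        if ours.block_hash != theirs.block_hash:
            break
        common += 1
    return len(current) - common


def select_chain(current, candidate, checkpoints):
    """Longest-chain rule with a checkpoint veto (length stands in for work)."""
    if not is_linked(candidate):
        return current
    if conflicts_with_checkpoints(candidate, checkpoints):
        return current
    return candidate if len(candidate) > len(current) else current


# Constructed sample: the honest chain has heights 0..5, checkpoint at height 3.
HONEST = make_chain([], ["g", "h1", "h2", "h3", "h4", "h5"])
CHECKPOINTS = {3: "h3"}
# A longer fork that branches below the checkpoint (would replace h2..h5).
DEEP_FORK = make_chain(HONEST[:2], ["x2", "x3", "x4", "x5", "x6"])
# A longer fork that branches above the checkpoint (would replace h4..h5).
SHALLOW_FORK = make_chain(HONEST[:4], ["y4", "y5", "y6"])

if __name__ == "__main__":
    for name, fork in (("deep", DEEP_FORK), ("shallow", SHALLOW_FORK)):
        chosen = select_chain(HONEST, fork, CHECKPOINTS)
        verdict = "accepted" if chosen is fork else "rejected"
        print(f"{name} fork, reorg depth {reorg_depth(HONEST, fork)}: {verdict}")
```

The deep fork is rejected and the shallow one is accepted, so a checkpoint protects only transactions buried beneath it and does nothing for deposits confirmed after the latest release.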
c4n10 (OP)
November 21, 2012, 06:46:14 PM
 #15

Unless there is something that I am simply not understanding which is entirely possible being that I've only known about Bitcoin and its alt-coins for a little over 2 months now...
Here is how an attacker with 51% or more of the hash rate can bankrupt your exchange. For this example I use i0coin:

1) Attacker starts mining a new blockchain fork, starting from the existing block.
2) Attacker deposits i0coin in your exchange.
3) Attacker's fork of the chain in (1) does not include this deposit transaction.
4) Attacker sends the same coins as (2) to another address they own and this transaction is included in the blockchain fork in (1).
5) After the required number of confirmations attacker trades for bitcoins and withdraws the bitcoins.
6) When (1) is longer than the existing main chain attacker publishes their fork.
7) repeat from (1)

The result of (6) is that the exchange loses the i0coins due to the transaction no longer being valid. The transaction in (4) has replaced it. The exchange can't reverse the bitcoin withdrawal as the coins are already gone.

The exchange can't detect this offline mining. There's no way to know someone is building the blockchain fork in advance. The exchange can only notice the chain reorg after the fact. By that time all the coins are gone.

It doesn't matter how many confirmations you wait to confirm the deposit in (2). If the attacker has greater than 51% then eventually they will have a longer chain and can force a reorg. It doesn't matter if you process withdrawals manually. The attacker just waits until you've confirmed the btc withdraw and then publishes their fork.

The attacker can even re-use the i0coins they used in the attack to repeat the process since they still own them.

If the alt coin is able to be merge mined then there is no cost to the attacker. They essentially perform the attack for free since they are mining bitcoins at the same time. If it is not a merge mineable coin then the attacker has the opportunity cost of them not mining bitcoins. The amount taken from the exchange can compensate for this however.

In this attack note the attacker started mining the fork before they initiated the fraudulent deposit. This makes it much easier to reverse since they don't need to go back X blocks and mine from there - as the wiki entry you quote notes this could be computationally difficult. Although with >51% they'll eventually get there.

I see, that makes a lot of sense... I will have to put some thought into this, but I am confident that I can figure something out.

c4n10 (OP)
November 21, 2012, 06:55:56 PM
 #16

If there are quite a few nodes running, and they are running updated code that includes a checkpoint that happened since you got your coins, then possibly your coins might be reasonably safe as long as an attacker does not publish a different copy of the node code that contains a different set of checkpoints that feature their fork of the chain instead of the version of the chain in which you got your coins.

Consider for example an Open Transactions server that obtained a bunch of coins many many months ago, and several new versions of the client have come out since then, each one adding another checkpoint which favours the chain in which those coins were obtained.

To reverse those coins would involve going massively far back in time and would be refuted by the last several checkpoints that are already hard-coded into the current batch of nodes that are currently running.

Possibly in that circumstance the tokens the Open Transactions server is backing with those ancient well established coins can be considered to be fairly securely backed by actual coins. Such tokens could even in some ways be considered more secure than any recently mined actual coins.

Still though if a time ever came when there was no more demand/need for the tokens, so that it was time to liquidate, deleting the tokens and sending out the actual coins they represent, an attacker would at that point have an opportunity to try to mess up the actual transfer on the blockchain of those coins. So the liquidation could take a while, involving sending out the coins then waiting a few hardcoded checkpoints before regarding them as having been reasonably securely sent to their new owners.

This is basically why I try to release new versions of node software from time to time with new checkpoints coded in. I hope that over time doing so will eventually make it reasonable to consider the coins backing my tokens are actually fairly secure in their cold wallets so that the tokens are somewhat securely backed by actual coins.

-MarkM-

Hmmm, interesting but doesn't sound practical for the time-frames an exchange would need to work within. I think my strongest defense would be implementing IPSec, .htaccess and a few other tricks to prevent access from proxies and spoofed IPs so that I know exactly who is on my exchange at all times.

I may even manually review all registration forms and block dynamic IPs unless I can find a way to block dynamic IPs via software/hardware configuration.

It will detract from the spirit of anonymity in buying, selling and trading crypto-coins but the people trading there will be able to trust for the most part that if someone DOES "rob" the exchange they will be found, prosecuted and have their assets returned.
CoinHoarder
November 21, 2012, 07:13:43 PM
 #17

I, like others, am very interested in such a thing should you be able to work out the kinks!

Good luck... it sounds quite complicated.
c4n10 (OP)
November 21, 2012, 08:02:58 PM
 #18

I, like others, am very interested in such a thing should you be able to work out the kinks!

Good luck... it sounds quite complicated.

I appreciate the support!

I'm sure it will be complicated and I definitely won't be able to do it alone. I will definitely be looking for programmers and security experts if there becomes real enough interest in this concept that people are willing to contribute to bounties for the things we will need.

I would want to set the bounty purse(s) up with a trusted escrow and keep the whole operation completely transparent and if we can do so without compromising the site's security I would like to make it an open-source project as well.
cunicula
November 22, 2012, 04:26:33 AM
 #19

In theory, the threat of a 51% attack is always present.  At what hash rate would you guys consider the risk pretty well mitigated?  I know it depends on the coin, as they're slightly different.  But just looking for a ballpark number.  

At proof-of-stake. I wouldn't accept any plausible hash rate as adequately safe. Wait a few years and bitcoin will start getting ravaged too.
Nolo
November 22, 2012, 04:42:34 AM
 #20

In theory, the threat of a 51% attack is always present.  At what hash rate would you guys consider the risk pretty well mitigated?  I know it depends on the coin, as they're slightly different.  But just looking for a ballpark number.  

At proof-of-stake. I wouldn't accept any plausible hash rate as adequately safe. Wait a few years and bitcoin will start getting ravaged too.

So what's the answer to the problem? 
