An alternate "51% attack" possible?

[ATC777]

Since I've set my mind to unraveling the brilliant design of Bitcoin I've also been interested in the overall security and integrity of the p2p network... One of the hypothetical scenarios I'm most intrigued by is the so-called "51% attack". We all know what it is so there's no need to explain it.

Like many, however, I feel that the economic viability of such an attack is negligible... and there's little incentive to do, for the gains to be had are small in comparison to the massive amount of investment, work and energy resources it would require. So that narrows down the "attacker profile" to attackers whose goal it is to simply destroy Bitcoin rather than turn a profit. Such an attacker is most likely to be a government, central bank(s), large institutions threatened by Bitcoin or even a coalition of such entities who despise Bitcoin. At this point in time, however, I feel that Bitcoin is still a bit too small and "niche" for these guys to target us. The threat will doubtlessly grow as Bitcoin's market cap continues to rise though...

However, I've been thinking about another hypothetical scenario which is sort of a "spin-off" of the 51% attack. It goes something like this:

The attackers, which we will call "X", would most likely be a team of black-hat hackers with a decent amount of resources and some incredible technical talent; possessing an intimate understanding of how the Bitcoin network functions. Perhaps they even team up with some former developers or contributors to Bitcoin. X reasons that trying to accumulate enough hashing power to represent 51% of the network's computing power is too expensive and difficult. With that in mind, X instead opts to create a self-replicating worm or virus capable of corrupting records of the block chain on any system it infects. They program the worm to appear as benign as possible and lie dormant on the infected systems until, as if of one mind, every instance in the wild simultaneously strikes -- like Japanese honey bees waiting for a signal to spring a trap on an invading giant hornet.

This means that X does not need to accumulate 51% of the network's computing power, but instead they need only propagate their worm across at least 51% of the network -- which is much cheaper and potentially much easier. With the average computer user having nothing but some garbage like Norton or McAfee between them and extremely malicious code I have little faith it could be stopped before things get ugly...

When the worms have spread thoroughly across the Bitcoin network they strike, and they replace parts of the block chain with their own, corrupt version of it. The result is that they have effectively "rebalanced" the internal Bitcoin ledger and either stolen or created a significant amount of coin -- millions of dollars worth. The worst part is that if it is done with enough gentle precision no one is likely to notice soon enough before X is selling their fraudulently acquired coin and slipping away into the shadows...

I present this entire scenario very humbly, and I don't claim to be an expert on the Bitcoin network or computer security. And there are people here who have forgotten more about Bitcoin than I even know. But since I conceived this scenario and thought about it more and more I actually became mildly concerned... There are some brilliant programmers out there capable of writing some very dangerous self-replicating and self-modifying code. Throughout my programming career I have experimented with benign forms of code injection, self-modifying code and security exploits. Someone who has made a huge digital heist their life's ambition and has put many years of study and practice into it just might be able to pull it off, provided enough resources...

Do you feel this is a real danger to the Bitcoin network, or is it a bit of a stretch? And if so, what counter-measures might we put in place to prevent such an attack from taking place and succeeding?

Regards,

--ATC--

[1715036058]

1715036058

[1715036058]

1715036058

[DannyHamilton]

It won't work.

Each new block in the blockchain contains the hash of the previous bock.  Change any one block and its hash changes.  This changes the next block, and it's hash has to be calculated, and so on until you get up to the most recent block. To modify a "part" of the blockchain, they have to modify EVERY block after that part.  They therefore have to re-"mine" all the blocks since the modified one and they have to do that faster than the entire network of miners is creating new blocks.  In order to do that fast enough they have to have more hashing power than the entire rest of the network which brings us right back to the "51% attack".

[Blazr]

It would be more difficult by a few orders of magnitude to infect 51% of all Bitcoin nodes with a worm than to do a traditional 51% attack.

[ATC777]

It won't work.

Each new block in the blockchain contains the hash of the previous bock.  Change any one block and its hash changes.  This changes the next block, and it's hash has to be calculated, and so on until you get up to the most recent block. To modify a "part" of the blockchain, they have to modify EVERY block after that part.  They therefore have to re-"mine" all the blocks since the modified one and they have to do that faster than the entire network of miners is creating new blocks.  In order to do that fast enough they have to have more hashing power than the entire rest of the network which brings us right back to the "51% attack".

Ok, I didn't realize that... but it makes sense, as each block references the preceding block...

But what if they had already pre-calculated hashes for the corrupted blocks and just dropped them in place. It seems like they wouldn't need 51% of the computing power if they're able to trick more than 51% of the existing computing power into believing their version of events...

[DannyHamilton]

. . . what if they had already pre-calculated hashes for the corrupted blocks and just dropped them in place. It seems like they wouldn't need 51% of the computing power if they're able to trick more than 51% of the existing computing power into believing their version of events...

Like I said, to get any bitcoin client to accept the modified blockchain as valid, they'd have to pre-calculate the hash for the block they want to modify AND every block that has been created since that corrupted block was first created.  The only way to create all those hashes is to "mine" them (Brute force calculation of hashes modifying a nonce until the resulting hash meets the target difficulty). And the only way to do that fast enough to catch up with the "valid" blockchain is to have more hashing power than the rest of the entire network combined.

Just modifying a single transaction in a single block will cause all the clients to reject it since the hash no longer matches.

Just modifying a single transaction and recalculating a single hash will cause all the clients to reject it since the hash doesn't meet the target difficulty.

Just modifying a single transaction and "mining" a hash that matches the target difficulty will cause all the clients to reject it since the hash doesn't match the previous_hash in the next block.

Just modifying a single transaction and "mining" a hash that matches the target difficulty and overwriting the previous_hash in the next block will cause all the clients to reject it since the next block hash no longer matches the contents of that block.

And so on, and so on until you've re-"mined" all the necessary hashes up to the current block.

[payb.tc]

Just modifying a single transaction and "mining" a hash that matches the target difficulty will cause all the clients to reject it since the hash doesn't match the previous_hash in the next block.

wouldn't this just cause the client to reject the next block, not the current one? (because it's 'previous_hash' is incorrect)

[DannyHamilton]

Just modifying a single transaction and "mining" a hash that matches the target difficulty will cause all the clients to reject it since the hash doesn't match the previous_hash in the next block.

wouldn't this just cause the client to reject the next block, not the current one? (because it's 'previous_hash' is incorrect)

The client chooses the longest "valid" chain.  If any client communicates with any un-infected peer, it will find a longer "valid" chain that contains the undamaged block.  It will use that chain instead of the the damaged one.  The correct chain will then propagate through the network.

I suppose if you could simultaneously damage EVERY blockchain in existence at the exact same time, modifying the exact same block.  You could effectively truncate the blockchain eliminating all transactions that happened after the damaged block.  But this would have to be a worm that would affect EVERYONE. And not just 51%, or even 99.99%.  If even a single valid longer blockchain existed anywhere on an un-infected machine, it would propagate and repair everyone else.

[DeathAndTaxes]

Ok, I didn't realize that... but it makes sense, as each block references the preceding block...

But what if they had already pre-calculated hashes for the corrupted blocks and just dropped them in place. It seems like they wouldn't need 51% of the computing power if they're able to trick more than 51% of the existing computing power into believing their version of events...

Precomputed with what computing power?  That is the point of proof of work.  Any hash isn't useless only a hash which is smaller than the target (based on difficulty).  For a given difficulty it requires x hashes on average to find one which produces a block hash smaller than the target.  You can't just precompute the blockchain.  It would require an amount of computing power equal to the amount of computing power which has existed for bitcoin since the beginning of the network.  i.e. the network has existed for ~48 months.  If you wanted to "precompute" an alternate blockchain in say 4 months you would need computing power equal to not 50% of the current network but 1000% of the average computing power which has existed since the network began.  Even then you are limited to rewriting history back to the last checkpoint.

Also as Danny points out the network doesn't "believe" that if 51% of nodes say x is correct it is correct.  Each node validates independently so even if you made a worm which infected 10% of the network you would simply fork those 10% of nodes into an alternate coin which is essentially worthless.  Now when you consider there are multiple clients, eWallets, hybrid wallets (and eventually hardware wallets) running on multiple OS with multiple different AV/malware tools etc the idea that nobody would notice this is essentially 0%.

So maybe you could create a false fork of the network.  One which is quickly corrected, checkpointed, and updated clients released along with methods to protect against the malware.  You might be able to get some nodes on the false fork to accept worthless bitcoins but that would be the extent of that short lived attack.

[ATC777]

Just modifying a single transaction and "mining" a hash that matches the target difficulty will cause all the clients to reject it since the hash doesn't match the previous_hash in the next block.

wouldn't this just cause the client to reject the next block, not the current one? (because it's 'previous_hash' is incorrect)

The client chooses the longest "valid" chain.  If any client communicates with any un-infected peer, it will find a longer "valid" chain that contains the undamaged block.  It will use that chain instead of the the damaged one.  The correct chain will then propagate through the network.

I suppose if you could simultaneously damage EVERY blockchain in existence at the exact same time, modifying the exact same block.  You could effectively truncate the blockchain eliminating all transactions that happened after the damaged block.  But this would have to be a worm that would affect EVERYONE. And not just 51%, or even 99.99%.  If even a single valid longer blockchain existed anywhere on an un-infected machine, it would propagate and repair everyone else.

But if that were true then it seems possible to introduce a fraudulent fork longer than the last valid one and have every node in the network digest it as if it were legitimate... which seems even easier than the elaborate heist I describe in the OP...  

Bear with me, I'm learning a lot from this conversation and just reading this forum section.  

[DeathAndTaxes]

Just modifying a single transaction and "mining" a hash that matches the target difficulty will cause all the clients to reject it since the hash doesn't match the previous_hash in the next block.

wouldn't this just cause the client to reject the next block, not the current one? (because it's 'previous_hash' is incorrect)

The client chooses the longest "valid" chain.  If any client communicates with any un-infected peer, it will find a longer "valid" chain that contains the undamaged block.  It will use that chain instead of the the damaged one.  The correct chain will then propagate through the network.

I suppose if you could simultaneously damage EVERY blockchain in existence at the exact same time, modifying the exact same block.  You could effectively truncate the blockchain eliminating all transactions that happened after the damaged block.  But this would have to be a worm that would affect EVERYONE. And not just 51%, or even 99.99%.  If even a single valid longer blockchain existed anywhere on an un-infected machine, it would propagate and repair everyone else.

But if that were true then it seems possible to introduce a fraudulent fork longer than the last valid one and have every node in the network digest it as if it were legitimate... which seems even easier than the elaborate heist I describe in the OP...  

Bear with me, I'm learning a lot from this conversation and just reading this forum section.  

I think Danny was being academic with the "I suppose", your "super worm" would need to infect every single copy of the blockchain simultaneously on every client running on dozens of different OS, protected by hundreds of different AV/malware versions on every single computer (even those offline, and airgapped, including permanently offline copies of the blockchain such as written on DVD or BD).  It would also have to be so perfect that nobody, not a single AV expert in the world would detect it and determine the effect of its payload. If the worm failed to get every single last copy, then the entire network could be rebuilt from the single offline legit copy (from say a DVD-R) and it would be the "true longest chain".

The only way around that would be to write a true longer chain. At which point ... Um yeah you just discovered the 51% attack.  Not an alternate 51% attack ... THE 51% attack.  The one first outlined in Satoshi's paper prior to the genesis block.  How else could you make a longer chain with less computing power than "good miners"?

[payb.tc]

But if that were true then it seems possible to introduce a fraudulent fork longer than the last valid one and have every node in the network digest it as if it were legitimate... which seems even easier than the elaborate heist I describe in the OP...  

according to the rules of bitcoin, it would be legitimate.

but to hash more blocks than the rest of the network combined (so your chain is longer), you'd again have to have 51% of the network's hashing power.

[dree12]

With a worm like that, modifying the Bitcoin clients would be more effective. Even with 20% of the Bitcoin network redirecting all their transactions to you, much more damage can be done than a 51% attack.

[DannyHamilton]

. . . I'm most intrigued by is the so-called "51% attack". We all know what it is so there's no need to explain it . . .

Clearly we don't "all know what it is".  I'd suggest learning what it is, and why/how it works and then you won't have these questions anymore.

[ATC777]

With a worm like that, modifying the Bitcoin clients would be more effective. Even with 20% of the Bitcoin network redirecting all their transactions to you, much more damage can be done than a 51% attack.

That's something else that bothers me. It wouldn't necessarily require a worm. What if everyone started using a popular client, then the developers suddenly released a malicious version and hijacked the network to their bidding... or someone in an open-source project managed to sneak something in at the last minute or modify the program offered to users for downloads. Hacking (the malicious kind) is often the most effective by subtle means, rather than banging at the door with a sledge hammer (brute force -- e.g., 51%er).

But to me a "super worm" sounds more feasible than building a massive, trillion-dollar array of supercomputers to comprise 51% of network computing power. 

[FreeMoney]

With a worm like that, modifying the Bitcoin clients would be more effective. Even with 20% of the Bitcoin network redirecting all their transactions to you, much more damage can be done than a 51% attack.

That's something else that bothers me. It wouldn't necessarily require a worm. What if everyone started using a popular client, then the developers suddenly released a malicious version and hijacked the network to their bidding... or someone in an open-source project managed to sneak something in at the last minute or modify the program offered to users for downloads. Hacking (the malicious kind) is often the most effective by subtle means, rather than banging at the door with a sledge hammer (brute force -- e.g., 51%er).

But to me a "super worm" sounds more feasible than building a massive, trillion-dollar array of supercomputers to comprise 51% of network computing power. 

A popular closed source bitcoin client that automatically updates? And maybe everyone will just eat poison and you can have all the gold.

[ATC777]

With a worm like that, modifying the Bitcoin clients would be more effective. Even with 20% of the Bitcoin network redirecting all their transactions to you, much more damage can be done than a 51% attack.

That's something else that bothers me. It wouldn't necessarily require a worm. What if everyone started using a popular client, then the developers suddenly released a malicious version and hijacked the network to their bidding... or someone in an open-source project managed to sneak something in at the last minute or modify the program offered to users for downloads. Hacking (the malicious kind) is often the most effective by subtle means, rather than banging at the door with a sledge hammer (brute force -- e.g., 51%er).

But to me a "super worm" sounds more feasible than building a massive, trillion-dollar array of supercomputers to comprise 51% of network computing power. 

A popular closed source bitcoin client that automatically updates? And maybe everyone will just eat poison and you can have all the gold.

Yeah, imagine if Valve Corporation made a Bitcoin client with recycled code from Steam...  Ewww... lol

[Vitalik Buterin]

Generally speaking, a 51%-like attack with any kind of virus is pretty much impossible. The majority, and soon overwhelming majority, of mining power these days is controlled by specialized mining computers, which are not running anything close to standard consumer web browsers, operating systems, etc. They're just sitting there interacting with other nodes through the Bitcoin and stratum protocols. Regardless of any kind of local damage that you might be able to pull off, the nodes are just going to keep on churning out proof of work, and when you get tired everyone else will simply pick back up on the main chain.

[Atruk]

Generally speaking, a 51%-like attack with any kind of virus is pretty much impossible. The majority, and soon overwhelming majority, of mining power these days is controlled by specialized mining computers, which are not running anything close to standard consumer web browsers, operating systems, etc. They're just sitting there interacting with other nodes through the Bitcoin and stratum protocols. Regardless of any kind of local damage that you might be able to pull off, the nodes are just going to keep on churning out proof of work, and when you get tired everyone else will simply pick back up on the main chain.

Pretty much this and the other points. A more damaging virus would probably just steal private keys anyway once again running into the incredible variety of operating systems, browsers, antivirii, and people who just don't use a java runtime. The realistic attacks that do happen and are very damaging tend though to be the social engineering attacks like Pirate40 and GLBSE.