Reminder: zero-conf is not safe; $1000USD reward posted for replace-by-fee patch

[etotheipi]

It should never allow you to reemplace a transaction, or to change outputs,
it should allow you to give more priority to a transaction that it's stuck on the limbo of 0 fee/smaller fee transactions.

Only replace the transaction if it's the same transaction with bigger fee. to the same outputs.

Any other thing is not bitcoin, btc is not reversible.
or you just killed satoshi dice.

But talking about improving you could also change the 10 min confirmation to 2 and slash the rewards 5 times.
then they will change to a 1or 2 confirmations .

You just completely ignored the entire discussion in this thread.  You don't get to decide what transactions get to go in a block.  I don't, no one else does, either.  Only the miners get to decide for themselves what transactions go in the block.  And if it involves more money, they will do it eventually (though they generally are not doing it, yet).  Because they can do so while operating completely within the rules of the system.  You are welcome to add your own mining power to the system and refuse to replace transactions with your share of power.  But you don't get to tell others what they get to do with their share.

As the number of confirmations goes to infinity, transactions are irreversible.  But zero-confirmation transactions are, by definition, not confirmed, and thus there is no such thing as "reversing them."  They were never confirmed to begin with, and should never have been trusted at all until they had confirmations.   (Note:  this applies only to trustless transactions:  zero-conf can still be useful if there is a persistent relationship between the two parties, but Bitcoin was never designed to do instantaneous transactions with zero-trust)

[1713832442]

1713832442

[1713832442]

1713832442

[1713832442]

1713832442

[1713832442]

1713832442

[1713832442]

1713832442

[jgarzik]

It should never allow you to reemplace a transaction, or to change outputs,
it should allow you to give more priority to a transaction that it's stuck on the limbo of 0 fee/smaller fee transactions.

Only replace the transaction if it's the same transaction with bigger fee. to the same outputs.

Any other thing is not bitcoin, btc is not reversible.
or you just killed satoshi dice.

Zero-confirmation transactions were never safe.  Note that Satoshi DICE apparently waits for confirmations, on higher value bets -- an admission that SD themselves know zero-conf are not safe.

However, with regards to transaction replacement, it should be noted that it introduces race conditions that increase non-determinism.

The first step towards improved determinism is, instead, making transactions expire after a certain amount of time in memory pools, without being mined.

[kjj]

It should never allow you to reemplace a transaction, or to change outputs,
it should allow you to give more priority to a transaction that it's stuck on the limbo of 0 fee/smaller fee transactions.

Only replace the transaction if it's the same transaction with bigger fee. to the same outputs.

Any other thing is not bitcoin, btc is not reversible.
or you just killed satoshi dice.

Bitcoin is a system for deciding which of two or more transactions is the "right" one.  We use a global network and consume quadrillions of hashes every few minutes not for our own amusement, but because the problem really is that hard.

A transaction is exactly as secure as the quantity of work it would take to reverse it.  Zero work?  Zero security.  STOP ACCEPTING ZERO WORK TRANSACTIONS.  You've spent too long in dreamland, assuming that the intention to hash in the future was as good as hashes already done in the past.  They aren't, they never were, and now everyone will be forced to accept reality as it is.

But talking about improving you could also change the 10 min confirmation to 2 and slash the rewards 5 times.
then they will change to a 1or 2 confirmations .

Confirmations don't secure transactions.  Hashes do.  Making the blocks more frequent would mean that they have correspondingly fewer hashes of security.  Changing the lump size that hashes come in won't help anyone.

[Peter Todd]

It should never allow you to reemplace a transaction, or to change outputs,
it should allow you to give more priority to a transaction that it's stuck on the limbo of 0 fee/smaller fee transactions.

Only replace the transaction if it's the same transaction with bigger fee. to the same outputs.

Any other thing is not bitcoin, btc is not reversible.
or you just killed satoshi dice.

Zero-confirmation transactions were never safe.  Note that Satoshi DICE apparently waits for confirmations, on higher value bets -- an admission that SD themselves know zero-conf are not safe.

Yup. I've spoken with evoorhees about this issue and while I don't know what their plans are exactly they had no objections. In fact, out of the roughly half dozen people running services I have either contacted, or who have contacted myself or John Dillon, nobody has actually asked us not to implement replace-by-fee. I don't want to pretend I'm speaking for them, but I suspect the few merchants that actually need zero-conf security would like to see a genuinely secure solutions be implemented like trusted computing, fidelity bonds w/ double-spend fraud proofs and off-chain mechanisms rather than the current half-measure of hoping everyone follows a de-facto standard.

However, with regards to transaction replacement, it should be noted that it introduces race conditions that increase non-determinism.

The first step towards improved determinism is, instead, making transactions expire after a certain amount of time in memory pools, without being mined.

Mind expanding a bit on what you mean by non-determinism?

[jonytk]

okay so let me understand, this problem already exist and can be triggered by bad miners,

but don't you think you are overreaching, you were ask to do a way to take transactions out of limbo.
I know very well that because i have one of those chain games, and i time i configured it under .0001 btc and
the transactions that didn't include fee never arrived, yet still pending.

Don't be naive, the coding you are doing is exactly what the bad miner needs,
if i give you 1000$ will you code me an alt-coin and an exchange for me?
Because i'm in...

A few days ago i saw a thread "how to make a genesisblock" by some kid from 4chan trying to do a noob-coin...
if you see a new alt-coin every 4 hours now you know why...

PD: i'm not questioning retep nor do i have shares on SD. Just want this discussed further before he releases any of the code.

[etotheipi]

okay so let me understand, this problem already exist and can be triggered by bad miners,

but don't you think you are overreaching, you were ask to do a way to take transactions out of limbo.
I know very well that because i have one of those chain games, and i time i configured it under .0001 btc and
the transactions that didn't include fee never arrived, yet still pending.

Don't be naive, the coding you are doing is exactly what the bad miner needs,
if i give you 1000$ will you code me an alt-coin and an exchange for me?
Because i'm in...

A few days ago i saw a thread "how to make a genesisblock" by some kid from 4chan trying to do a noob-coin...
if you see a new alt-coin every 4 hours now you know why...

PD: i'm not questioning retep nor do i have shares on SD. Just want this discussed further before he releases any of the code.

This patch makes the best case the same as the worst case: zero-confirmation transactions can be "overridden" if another transaction with a higher fee is broadcast before it makes it into a block.  We are arguing that this unquestionably how miners will operate in the future, anyway, so we change the default now to prevent any further adaptation to a  false sense of security/reality.  i.e. users currently experience transactions not being replaced so readily, so they build around an assumption that zero-conf are okay for zero-trust situations.  They're not. 

I agree this is not inline with the original intention of the software, but I don't think there's a way around it.  Miners will do this eventually, even if most of them aren't, yet.  Let's not pretend they won't.

Plus, this patch comes with the nice benefit that "stuck" tx can be easily fixed.  Though, I do agree that a non-deterministic "undo" button is a bad idea.  It would be unreliable in many ways, and would also give a false sense of reality to users.  Instead, I'd like to see a button/dialog that says "This transaction has been waiting more than one hour without being accepted.  Would you like to increase the fee to try to speed up its acceptance?" 

[Peter Todd]

Plus, this patch comes with the nice benefit that "stuck" tx can be easily fixed.  Though, I do agree that a non-deterministic "undo" button is a bad idea.  It would be unreliable in many ways, and would also give a false sense of reality to users.  Instead, I'd like to see a button/dialog that says "This transaction has been waiting more than one hour without being accepted.  Would you like to increase the fee to try to speed up its acceptance?" 

Yeah, the user-interface aspects will be tricky to communicate. For instance if an undo button is implemented, it probably should actually be called something like "Attempt to cancel", and at least initially be hidden off in the RPC interface anyway.

Increasing the fee isn't such a big problem, although a dialog box that points out you have the option after some reasonable delay is a good idea. It should probably be called "Offer a higher fee" so users aren't as surprised if the lower fee version goes through anyway.

[colindean]

What is the effect of this change on retail sales? Won't this make it possible to effectively re-route a transaction after an exchange of physical goods has already taken place?

Or is there an assumption or recommendation that Bitcoin not be used for transactions that are immediate, such as point-of-sale? I know it's always been recommended to wait for at least one confirmation, but up until now, there's reasonable security in accepting unconfirmed as long as you've got a full blockchain by which to compare the transaction's inputs and outputs.

[thezerg]

We are arguing that this unquestionably how miners will operate in the future, anyway, so we change the default now to prevent any further adaptation to a  false sense of security/reality.

I doubt it.  If there is ever a significant zero-conf market (especially a brick & mortar), they can pay mining pools to NOT allow replacement for TXNs originating from them.

This would reduce the likelihood of a double-spend dramatically.

As the credit-card business aptly shows, problems not theoretically solvable are often 99.93% (7 cents out of 100 bucks) solvable in practice http://en.wikipedia.org/wiki/Credit_card_fraud

[kjj]

up until now, there's reasonable security in accepting unconfirmed as long as you've got a full blockchain by which to compare the transaction's inputs and outputs.

Except that there really hasn't been any security in that, just hope.  People have been living on the hope that those transactions would be confirmed some block in the future.  Most of them got away with it.  But they never had any security, not really.

[Maged]

Or is there an assumption or recommendation that Bitcoin not be used for transactions that are immediate, such as point-of-sale?

No, this is an assertion that bitcoins not be used for transactions that are immediate, even if a business is already capable of handling the levels of fraud the current system would entail.

In fact, out of the roughly half dozen people running services I have either contacted, or who have contacted myself or John Dillon, nobody has actually asked us not to implement replace-by-fee.

Of course not. Until bitcoins become commonplace, the most common user of zero-confirmation transactions - brick and mortar businesses - won't really exist. If this change is inevitable like you guys claim, why not wait for it to happen naturally?

[etotheipi]

Or is there an assumption or recommendation that Bitcoin not be used for transactions that are immediate, such as point-of-sale?

No, this is an assertion that bitcoins not be used for transactions that are immediate, even if a business is already capable of handling the levels of fraud the current system would entail.

In fact, out of the roughly half dozen people running services I have either contacted, or who have contacted myself or John Dillon, nobody has actually asked us not to implement replace-by-fee.

Of course not. Until bitcoins become commonplace, the most common user of zero-confirmation transactions - brick and mortar businesses - won't really exist. If this change is inevitable like you guys claim, why not wait for it to happen naturally?

False sense of security.

The point of all this is that zero-conf tx should not be used for zero-trust situations.  But merchants will, because it "seems to work" right now.  What we want is merchants to recognize this lack of security and decrease required trust, say, by having the buyer show ID before they walk out with the merchandise.  Just like they do for cashing a check (which carries much of the same risks).  As long as there is a way to use the legal system as backup, then they have appropriately compensated for the lack of security behind the zero-conf tx.  

Merchants could learn the hard way, and then they'll stop trusting zero-conf tx.  But if they do that, there's no reason any more to artificially maintain this illusion that they are somehow secure.  Might as well just write it off now and let everyone start adapting now. 

[edmundedgar]

I agree this is not inline with the original intention of the software, but I don't think there's a way around it.  Miners will do this eventually, even if most of them aren't, yet.  Let's not pretend they won't.

I'm not intending this as a point for or against this patch, but I reading this set me wondering how many of the other assumptions we'd normally make about Bitcoin would still hold given this (fairly reasonable-sounding) idea that a majority of miners will be acting purely out of economic self-interest, regardless of damage they might do to the Bitcoin ecosystem.

One assumption that immediately falls is the idea that Bitcoins are censorship-resistant. If miners are all acting in their own rational self-interest, I can pay miners to blacklist transactions coming from your address. If you tried to spend, I'd tip any miner who creates a block that doesn't include your transactions at a higher rate than their fee. If they do manage to get into a block, I can (for a greater cost) also tip people for ignoring that block and building on another one.

If I'm trying to do this on a large scale - say I'm the DEA trying to interfere with the flow of money to drug smugglers - I can keep that taint going on all the way down the chain through future spends, so that once you take money from a drug smuggler, that money will be forever less valuable than other money. If you don't want to receive dud money that's hard to spend, you're going to have to check for the taint as well. I can run a convenient web service so that you can check for black-lists, and also white-lists of people who have confirmed their identity with me so you can be sure I won't bribe people to taint their coins. Hey presto, everybody is cooperating with me to do AML checks...

This wouldn't fly now because miners are
a) Decent people, not purely rational economic actors.
b) Fairly [shock horror] centralized, which makes them resistant to a Tragedy of the Commons. BTC Guild and Slush won't cooperate with my evil scheme for fear of damaging the future of Bitcoin, which costs them more in the long run.

[etotheipi]

I'm not intending this as a point for or against this patch, but I reading this set me wondering how many of the other assumptions we'd normally make about Bitcoin would still hold given this (fairly reasonable-sounding) idea that a majority of miners will be acting purely out of economic self-interest, regardless of damage they might do to the Bitcoin ecosystem.

One assumption that immediately falls is the idea that Bitcoins are censorship-resistant. If miners are all acting in their own rational self-interest, I can pay miners to blacklist transactions coming from your address. If you tried to spend, I'd tip any miner who creates a block that doesn't include them at a higher rate than their fee. If they do manage to get into a block, I can (for a greater cost) also tip people for ignoring that block and building on another one.

If I'm trying to do this on a large scale - say I'm the DEA trying to interfere with the flow of money to drug smugglers - I can keep that taint going on all the way down the chain through future spends, so that once you take money from a drug smuggler, that money will be forever less valuable than other money. If you don't want to receive dud money that's hard to spend, you're going to have to check for the taint as well. I can run a convenient web service so that you can check for black-lists, and also white-lists of people who have confirmed their identity with me so you can be sure I won't bribe people to taint their coins. Hey presto, everybody is cooperating with me to do AML checks...

This wouldn't fly now because miners are
a) Decent people, not purely rational economic actors.
b) Fairly [shock horror] centralized, which makes them resistant to a Tragedy of the Commons. BTC Guild and Slush won't cooperate with my evil scheme for fear of damaging the future of Bitcoin, which costs them more in the long run.

You do bring up some interesting context.  And I will spend some time thinking about it.  But I wholly dispute this statement:

..regardless of damage they might do to the Bitcoin ecosystem

Replacing unconfirmed transactions doesn't do harm to the Bitcoin ecosystem.  It's how the system operates.  We're not "removing" security, it was never there to begin with.  The success of Bitcoin never depended on it, in any way.  We're just guaranteeing that no one is ever misled about that aspect of the system.

Also, your comment about blacklisting is really not the same at all (nor feasible).  Zero-conf replacement requires only a few miners to participate for it to make zero-conf transactions pretty much useless in zero-trust transactions.  That's not the same as blacklisting, which needs 100% miner participation to work.  Or rather, I only need a few miners to agree to mine my transaction for it to be eventually accepted.  And convincing miners to not mine the top block is going to cost you a $#!+load of money...every 10 minutes...forever.

Your point is not lost on me, I just didn't like your specific examples

[kjj]

I'm not intending this as a point for or against this patch, but I reading this set me wondering how many of the other assumptions we'd normally make about Bitcoin would still hold given this (fairly reasonable-sounding) idea that a majority of miners will be acting purely out of economic self-interest, regardless of damage they might do to the Bitcoin ecosystem.

I reject your premise.  The health of the bitcoin ecosystem is hopelessly intertwined with the self-interests of miners.  This relationship goes in both directions.  Bitcoin cannot survive contrary to the self-interest of miners, and miners cannot survive without the common good of bitcoin.

If it turns out that the bitcoin system does not ultimately align these two forces, it does not deserve to be continued

The good news is that bitcoin does not appear to contain this flaw.  The people that are damaging the ecosystem are those that are advocating and defending practices that are unsafe and cannot be made safe, such as accepting transactions secured by hope rather than work.

[edmundedgar]

And convincing miners to not mine the top block is going to cost you a $#!+load of money...every 10 minutes...forever.

I shouldn't need to do this forever, because, once I set up a reasonable assumption that I can keep this thing going (remember I'm the DEA, I just seized a shedload of bitcoins in a drug bust) it's in everyone's interests not to mine that block. They want to mine on top of the longest chain because everyone else wants to mine on top of the longest chain, but given purely rational economic actors who don't care about Bitcoin, that rule, like everything else, is up for sale.

Hell, I may not even need to spend any money - I just need to convince all these rational economic actors that I could and would spend that money if necessary, then it'll be in the interests of each individual miner to start following my rules, not Satoshi's.

Edit: "in the network's interests" -> "in the interests of each individual miner" to distinguish from the interests of miners in general, which are different here because it's a classic Tragedy of the Commons situation.

[edmundedgar]

Zero-conf replacement requires only a few miners to participate for it to make zero-conf transactions pretty much useless in zero-trust transactions.

I don't think that's right - people accepting zero-confirmation transactions are already playing the odds. 1% of mining power taking the later arrival with the higher transaction fee still leaves you getting the payment 99% of the time, so in a lot of cases it would still be worth it for the extra sales.

Double-spend attackers welcome, buy 99 pizzas and get one free...

[Maged]

Of course not. Until bitcoins become commonplace, the most common user of zero-confirmation transactions - brick and mortar businesses - won't really exist. If this change is inevitable like you guys claim, why not wait for it to happen naturally?

False sense of security.

The point of all this is that zero-conf tx should not be used for zero-trust situations.

Why are you on the internet right now? After all, it is impossible* to get a virus if you don't have an internet connection.

*Yeah, there are other ways, but ignore that for now.

What about your money? I suspect that you have it all in gold (because USD can't be trusted) stored in a vault that you personally designed (because someone else may have put a backdoor in their design) stored under your personal supervision. After all, every action you ever take must require zero-trust, right?

Please tell me that you get where I'm going with this. This is a problem that should be solved through general education, not reducing effective security. Also, stores don't even need to ask for ID - they just need to have a camera, which is something that they should have to prevent general shoplifting anyway.

Zero-conf replacement requires only a few miners to participate for it to make zero-conf transactions pretty much useless in zero-trust transactions.

I don't think that's right - people accepting zero-confirmation transactions are already playing the odds. 1% of mining power taking the later arrival with the higher transaction fee still leaves you getting the payment 99% of the time, so in a lot of cases it would still be worth it for the extra sales.

Double-spend attackers welcome, buy 99 pizzas and get one free...

And that's worst case, when every order is made by an attacker.

[justusranvier]

Security in this context is being inappropriately treated like a binary concept.

There's an entire consumer economy out there based around charge cards which, in bitcoin terms, take 90 days to confirm transactions. Trillions of dollars are being transacted out in the real world via payment methods that are no less insecure than zero-confirmation Bitcoin transactions.

Accepting zero-conf transactions is an issue of risk management and business planning, not a case of "secure" vs "insecure".

[Gavin Andresen]

Security in this context is being inappropriately treated like a binary concept.

+1