FreeMoney (OP)
June 20, 2011, 08:14:12 PM
Is there anything stopping this?
1. get 25000 coins stolen
2. after a few confirmations submit a tx with 1000BTC fee that comes from the now empty address
3. The fee could be claimed by rewriting the block that the first tx happened in.
Obviously this could be used for bad (double spends) too. Right now it can't be done with normal client, and miners aren't on the lookout anyway, but is it possible?

makomk
June 20, 2011, 09:04:11 PM
Cunning. It wouldn't work as you've proposed it, though - in order for the rewritten block to be accepted, you'd need to build a longer chain than the original one, and since all the mining pools that didn't find the first block would have no incentive to do so that's unlikely to happen. The obvious solution is that whoever builds the first block gives an incentive - in the form of a transaction fee - to find the next one, and so on. Even with this, it'd only work if mining pools making up significantly more than 50% of the total hashing power were in on the conspiracy.
The real barrier is that this would undermine trust in Bitcoin itself, which would probably make the conspirators' profits worthless.

Sukrim
June 20, 2011, 09:45:44 PM
Is there anything stopping this?
1. get 25000 coins stolen
2. after a few confirmations submit a tx with 1000BTC fee that comes from the now empty address
3. The fee could be claimed by rewriting the block that the first tx happened in.
Obviously this could be used for bad (double spends) too. Right now it can't be done with normal client, and miners aren't on the lookout anyway, but is it possible?
In the end you either want to have a negative balance in an address (I think this is NOT possible in Bitcoin at all) OR to have someone with a lot more hashing power than the current network performing a good old 51% - they won't do this for just 1000 BTC! To invalidate a 6 blocks chain, you need 7 blocks faster than the rest of the network. I'm also not 100% sure how/if clients accept a block that is from a "netsplit" and originates a few blocks further behind.
In the end you want to give miners an incentive to 51% attack the network and cover your losses. If only a few catch on though, they won't have enough power and if all catch on, this would REALLY endanger their own systems (payouts etc.) as well... I think in theory it might work, in practice I guess you won't find enough miners in less than an hour to mine for that Jackpot.

FreeMoney (OP)
June 21, 2011, 05:05:00 AM
Cunning. It wouldn't work as you've proposed it, though - in order for the rewritten block to be accepted, you'd need to build a longer chain than the original one, and since all the mining pools that didn't find the first block would have no incentive to do so that's unlikely to happen. The obvious solution is that whoever builds the first block gives an incentive - in the form of a transaction fee - to find the next one, and so on. Even with this, it'd only work if mining pools making up significantly more than 50% of the total hashing power were in on the conspiracy.
The real barrier is that this would undermine trust in Bitcoin itself, which would probably make the conspirators' profits worthless.
You only need to get the chain to be the longest for a second then everyone else starts working on it for you. If you are mining then you consider what your chances are of finding 2 blocks in a row and getting 50 + 50 + 1000 compared to the chance that you'll get only 1 block and it'll go to waste. It does not require mining pools at all, but they do make it more feasible for people to make the most profitable decisions without actually having to do it themselves. And why would you need "way more than 50%"? If you have more than 50% it's a lock, but with less you still have a chance.
I don't think it would undermine confidence in bitcoin at all. This can only happen if two or more entities that both have the private keys for an address are fighting over where to send the coins. It should reduce the profit in stealing someone's wallet a little, that's all I see.

FreeMoney (OP)
June 21, 2011, 05:10:40 AM
I'm thinking of this as essentially a message saying "Hey network, something went really wrong and I'm willing to pay X for you to go back and fix it".
It's actually seeming to me like the equilibrium is for large amounts of stolen coins to get paid to miners. If person A with access gives a modest fee then B comes back with a high fee and A comes back with a 99% fee and maybe B does 100% to spite him. This assumes you can nearly instantly reissue a tx, but anyone who's on top of that is unlikely to be in this situation.

ByteCoin
June 21, 2011, 05:21:19 AM
1. get 25000 coins stolen
2. after a few confirmations submit a tx with 1000BTC fee that comes from the now empty address
3. The fee could be claimed by rewriting the block that the first tx happened in.
As people have pointed out, you'd have to rewrite the block and all subsequent blocks. However, the basic idea is sound. It's true that very large fees would induce rational miners to abandon work on continuing the current block chain and start a new branch which would allow the collection of the fee.
In order to encourage miners to work on the new block chain, the miner that got the huge fee would have to pay the other miners for their blocks on the "old" branch which will never mature, as well as cut them in on the remaining profit from the massive fee. As long as >50% of the hashing power feels adequately compensated then the attack should succeed.
So the new block which collects the fee would also contain transactions which compensate the miners and cut them in. No special communication or negotiation with other miners is required if they are "fee aware"! The miners in the above scenario act as an ad-hoc cartel for a period of time.
ByteCoin

gmaxwell
June 21, 2011, 05:33:31 AM
In order to encourage miners to work on the new block chain, the miner that got the huge fee would have to pay the other miners for their blocks on the "old" branch which will never mature, as well as cut them in on the remaining profit from the massive fee. As long as >50% of the hashing power feels adequately compensated then the attack should succeed.
Nope. TXN 1 pays 200 BTC fee plus 1000 to TXN 2 and the rest back to owner, TXN 2 pays 200 BTC fee 700 to TXN 3... and so on, enough to pay for the race and then some. The TXN use nLocktime to spread them out and pay for the complete fork all on their own.

kjj
June 21, 2011, 06:46:20 AM
Why wouldn't the next guy just pay 1500 BTC to reverse the 1000 BTC "earned" by the first miner?

FreeMoney (OP)
June 21, 2011, 09:08:24 AM
Why wouldn't the next guy just pay 1500 BTC to reverse the 1000 BTC "earned" by the first miner?
Yep, there won't be much profit left in stealing wallets. If multiple warring entities both have keys the coins go to miners.

da2ce7
June 21, 2011, 10:52:46 AM
@FreeMoney, I really like this idea... the bad guy must both steal the coins AND put in a massive transaction fee.
Whoever owns the wallet will put the transaction fee up to 100% before letting the adversary keep the coins. It would be reasonable (and rational) that the owner of the coins could put the fee at 120% or more.
You could even have code that automatically detects an unauthorized spend and creates a transaction of a higher fee automatically to a new address. The adversary will automatically raise the fee also... so the fee will quickly get to 100% / 100%
This will kill much of the incentive for stealing somebody's btc.
Problem... make a new transaction after paying somebody... That has a higher fee. Means that double spends are easy.

just_someguy
June 21, 2011, 12:26:24 PM
Very interesting double spend attack.
To get more miners involved you could keep building very profitable transactions off of the last block. First you would spend 25,000. Then double spend but only 1k at a time: 1k in fees and 24k back to you. If a miner takes the bait turn right around and do it again off of the new block: 1k in fees and 23k back to you. Like dangling a carrot in front of a donkey you could slowly build that other side of the chain getting more and more miners involved each time.
This would require more active management on the part of the miners but it's very interesting.

FreeMoney (OP)
June 21, 2011, 07:02:09 PM
Problem... make a new transaction after paying somebody... That has a higher fee. Means that double spends are easy.
Keep in mind that this is only feasible for large amounts and that it gets more expensive the more confirms you want to wait before double spending. If this became common we would know how much miners require to go back a certain number of blocks and wait until it would be more than the whole amount of the tx to deliver goods.

hannesnaude
June 22, 2011, 06:14:16 PM
Problem... make a new transaction after paying somebody... That has a higher fee. Means that double spends are easy.
Keep in mind that this is only feasible for large amounts and that it gets more expensive the more confirms you want to wait before double spending. If this became common we would know how much miners require to go back a certain number of blocks and wait until it would be more than the whole amount of the tx to deliver goods.
But this does make one doubt the oft-repeated statement that a retailer does not need to wait for confirmations when selling goods of small value. I could buy a cup of coffee and broadcast a new version of the transaction into the network offering half of the price as tx fee. If 10% of miners are maximising transaction fees then there's a 10% chance I get a 50% discount on my coffee. If everyone does this the retailer sees a 10% loss. Suddenly makes Mastercard and VISA look good.
As far as confirmed transactions are concerned, one can easily calculate for a miner with a given percentage of total network hash power that coldly maximises profit, how large the tx fee would have to be to attempt to overturn something X blocks back in the chain (assuming that none of the other miners are bribeable and he needs to do it alone). The figures look good for solo mining, but for pooled mining and especially 0% fee pooled mining, the situation quickly changes since the pool owner (who will make the decision) will keep all of the bribe if he attempts the heist and is successful, but keep 0% (or a very small %) of the coinbase reward if he chooses to keep to the straight and narrow. Once miners know that other miners may be corruptible the figures change dramatically and a vicious cycle may be born.
Also, a large bribe on large tx is not necessarily required, many small bribes on many small txs can add up to the same effect. All in all, I'm a little worried. Please tell me why this won't happen.

FreeMoney (OP)
June 23, 2011, 09:07:47 AM
Problem... make a new transaction after paying somebody... That has a higher fee. Means that double spends are easy.
Keep in mind that this is only feasible for large amounts and that it gets more expensive the more confirms you want to wait before double spending. If this became common we would know how much miners require to go back a certain number of blocks and wait until it would be more than the whole amount of the tx to deliver goods.
But this does make one doubt the oft-repeated statement that a retailer does not need to wait for confirmations when selling goods of small value. I could buy a cup of coffee and broadcast a new version of the transaction into the network offering half of the price as tx fee. If 10% of miners are maximising transaction fees then there's a 10% chance I get a 50% discount on my coffee. If everyone does this the retailer sees a 10% loss. Suddenly makes Mastercard and VISA look good.
As far as confirmed transactions are concerned, one can easily calculate for a miner with a given percentage of total network hash power that coldly maximises profit, how large the tx fee would have to be to attempt to overturn something X blocks back in the chain (assuming that none of the other miners are bribeable and he needs to do it alone). The figures look good for solo mining, but for pooled mining and especially 0% fee pooled mining, the situation quickly changes since the pool owner (who will make the decision) will keep all of the bribe if he attempts the heist and is successful, but keep 0% (or a very small %) of the coinbase reward if he chooses to keep to the straight and narrow. Once miners know that other miners may be corruptible the figures change dramatically and a vicious cycle may be born.
Also, a large bribe on large tx is not necessarily required, many small bribes on many small txs can add up to the same effect. All in all, I'm a little worried. Please tell me why this won't happen.
Even if this was implemented I wouldn't hassle people at my shop to wait around for small value tx to confirm. People just don't steal very often when they looked you in the eyes. How many people walk out on restaurant bills? So few that everyone gets served all they want and pays afterwards.
For bigger, but not huge, stuff maybe you wait 1 confirm. Paying the network to go back even one block is going to cost a lot more than a tv. For selling cars and larger, you know who you are dealing with anyway.
For goods bought online it doesn't matter at all, they won't ship for 100 confirms anyway.

hannesnaude
June 23, 2011, 09:47:19 AM
Even if this was implemented I wouldn't hassle people at my shop to wait around for small value tx to confirm. People just don't steal very often when they looked you in the eyes. How many people walk out on restaurant bills? So few that everyone gets served all they want and pays afterwards.
This is a very powerful argument. The problem is that many people may not even realise they are stealing. A single corrupt individual releases a new android app that attempts a double spend 2 minutes after every transaction. This spend targets 50% of the value at miners, 25% to the author and 25% back to the originator. This gets pitched as a "loyalty program" where you would occasionally win 25% cashback on transactions. Initially people don't even know they are stealing, so this gets real popular real quick. Then retailers make a noise and most people know, but suddenly it looks more like a morally gray area.
Also most people won't steal from a mom & pop shop after looking the shopkeeper in the eye. But many have far less of a problem ripping off Walmart or pretty much any giant faceless corporation. How many people point it out when they are given too much change at a till?
For bigger, but not huge, stuff maybe you wait 1 confirm. Paying the network to go back even one block is going to cost a lot more than a tv. For selling cars and larger, you know who you are dealing with anyway.
Problem is, if many people are doing it, the total bribe quickly adds up. If it works, more people start doing it, more miners become corruptible and the vicious cycle fuels itself. Even a 0.01 BTC bribe may be enough if the block was going to get invalidated anyway due to other unrelated bribes.
For goods bought online it doesn't matter at all, they won't ship for 100 confirms anyway.
Agreed.

FreeMoney (OP)
June 23, 2011, 10:01:22 AM
Even if this was implemented I wouldn't hassle people at my shop to wait around for small value tx to confirm. People just don't steal very often when they looked you in the eyes. How many people walk out on restaurant bills? So few that everyone gets served all they want and pays afterwards.
This is a very powerful argument. The problem is that many people may not even realise they are stealing. A single corrupt individual releases a new android app that attempts a double spend 2 minutes after every transaction. This spend targets 50% of the value at miners, 25% to the author and 25% back to the originator. This gets pitched as a "loyalty program" where you would occasionally win 25% cashback on transactions. Initially people don't even know they are stealing, so this gets real popular real quick. Then retailers make a noise and most people know, but suddenly it looks more like a morally gray area.
Also most people won't steal from a mom & pop shop after looking the shopkeeper in the eye. But many have far less of a problem ripping off Walmart or pretty much any giant faceless corporation. How many people point it out when they are given too much change at a till?
For bigger, but not huge, stuff maybe you wait 1 confirm. Paying the network to go back even one block is going to cost a lot more than a tv. For selling cars and larger, you know who you are dealing with anyway.
Problem is, if many people are doing it, the total bribe quickly adds up. If it works, more people start doing it, more miners become corruptible and the vicious cycle fuels itself. Even a 0.01 BTC bribe may be enough if the block was going to get invalidated anyway due to other unrelated bribes.
Those are some good points. I hadn't thought about the rewrite fees adding up, but of course they do.
All of this is only a problem as long as people are sending coins directly, but there will surely be mybitcoin-esque sites that handle payments for people so that you can get instant clearing and not have to worry about securing a wallet file and such. Those companies won't cheat for fear of losing all of their connections and reputation.
Being able to use the chain directly is really nice though and the whole point is not to need large trusted parties, I need to think some more about these issues.

kjj
June 23, 2011, 10:08:00 AM
Most nodes won't even bother relaying a transaction that involves an input that has already been redeemed, so it will be difficult to get your second spend out to enough miners. Also, having some fraction of honest miners that are unwilling to rewrite transactions for money will make the attack much less likely to work, since the mercenary miners are also facing the risk that their work will be wasted if someone else wins.

hannesnaude
June 23, 2011, 11:33:23 AM
Most nodes won't even bother relaying a transaction that involves an input that has already been redeemed, so it will be difficult to get your second spend out to enough miners. Also, having some fraction of honest miners that are unwilling to rewrite transactions for money will make the attack much less likely to work, since the mercenary miners are also facing the risk that their work will be wasted if someone else wins.
That's a good point. However, this attack would almost certainly need a corrupt pool owner to get started in the 1st place, so anyone attempting it would send it directly to each of the pools. I suspect determining their IPs will be trivial. Haven't studied the relaying mechanism in detail so I might be way off base here.
If all corrupt miners follow the same rule, then as soon as one of the pools turns rogue, all of the corrupt miners will be connected to one another with the corrupt pool serving as a hub. However, it is not clear that even a corrupted miner will relay such a message as, in doing so, he increases the probability that the heist will be successful, but reduces the probability that he will get a cut of the gains. I need to think this through some more.

JoelKatz
June 23, 2011, 01:42:09 PM Last edit: June 23, 2011, 05:11:36 PM by JoelKatz
If all corrupt miners follow the same rule, then as soon as one of the pools turns rogue, all of the corrupt miners will be connected to one another with the corrupt pool serving as a hub. However, it is not clear that even a corrupted miner will relay such a message as, in doing so, he increases the probability that the heist will be successful, but reduces the probability that he will get a cut of the gains. I need to think this through some more.
This is not true, he increases the probability that he will get a cut of the gains. I think you mean he decreases the contingent probability that he will get a cut of the gains if the block is rewritten. But there is no rational reason for him to care about this contingent probability unless he has some grudge against other miners. The numbers look like this (oversimplified and with small errors, but the concept is correct):
Case 1: I have 10% of the world's mining pool. Two blocks have to be rewritten. I work alone. The odds that I'll solve two blocks in a row are 10% of 10% or 1%. So there is a 1% chance the blocks will be rewritten. If they are, there's a 100% chance I get the money. 100% of 1% is 1%. So there's a 1% chance I'll claim the funds. If two 10%'ers each work alone, the chance the attack will succeed is 2%, and they each have a 1% chance to claim the funds.
Case 2: I have 10% of the world's mining pool. Two blocks have to be rewritten. But I conspire with another 10%. The odds we'll rewrite the transaction are 20% of 20% or 4%. Since I'm half the conspiracy, if the blocks are rewritten, there's a 50% chance I get the money. 50% of 4% is 2%. So there's a 2% chance I'll claim the funds.
So a corrupt miner would, if he is rational, cooperate with other corrupt miners.

ByteCoin
June 23, 2011, 06:22:50 PM
So a corrupt miner would, if he is rational, cooperate with other corrupt miners.
Correct. Your analysis however assumes that the other miners will blithely accept his blocks if he wins the fee. The odds for a corrupt miner working by himself are even worse than you suggest because the other miners, seeing that they have not been "cut in", are not going to accept the lone miner's blocks. Even in the 1% chance that the 10% miner gets two blocks, the other miners will not accept his blocks and will rapidly regain the longest chain.
The only way in which the rewriting can succeed is if enough of the miners gain "enough" of the profits. Exactly what their negotiating strategies should be is hard to determine though.... It seems plausible, given completely rational miners, that the rewrite would not be accepted unless >50% of the hashing power consents.
ByteCoin
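
The arithmetic in JoelKatz's two cases, and the break-even fee and confirmation depth that hannesnaude and FreeMoney discuss, worked through as an added example that is not part of any post in this thread. It generalises the two-block case to any depth k and assumes the thread's simplified model: a miner or coalition with hash share q must find k blocks in a row and gives up at the first honest block, everyone else builds on the rewritten chain once it is longest, nobody else is bribeable, and the block reward is 50 BTC. All function names are illustrative.

```python
# Added example: reorg-bribe arithmetic under the thread's simplified model.
# Assumptions (not from any real client): streak-or-abandon race, 50 BTC reward.
from fractions import Fraction

BLOCK_REWARD = 50  # BTC per block, the figure used in the thread


def streak_probability(q, k):
    """Chance that hash share q finds the next k blocks before anyone else."""
    if not 0 < q < 1:
        raise ValueError("hash share must be strictly between 0 and 1")
    if k < 1:
        raise ValueError("k must be at least 1")
    return q ** k


def claim_probability(my_share, coalition_share, k):
    """Chance that one coalition member ends up with the fee.

    The coalition wins the streak with coalition_share**k, and a member's
    chance of holding the winning block is proportional to hash contributed.
    """
    if not 0 < my_share <= coalition_share:
        raise ValueError("member share must be positive and within the coalition")
    return (my_share / coalition_share) * streak_probability(coalition_share, k)


def break_even_fee(q, k, reward=BLOCK_REWARD):
    """Smallest fee at which attempting a k-block rewrite matches honest mining.

    The attempt lasts until the first honest block or k attacker blocks, i.e.
    (1 - q**k) / (1 - q) block intervals on average, during which honest mining
    would have earned q * reward per interval. Success (probability q**k) pays
    k * reward + fee. Equating the two and simplifying gives
        fee = reward * sum(q**-j - 1 for j = 1 .. k-1).
    """
    streak_probability(q, k)  # validates q and k
    return reward * sum(q ** -j - 1 for j in range(1, k))


def confirmations_needed(payment, q, reward=BLOCK_REWARD, limit=1000):
    """Confirmations a merchant waits so that no fee up to the whole payment
    makes a rewrite worthwhile for a miner with hash share q.

    A tx with n confirmations needs n + 1 replacement blocks to be overturned.
    """
    for n in range(limit + 1):
        if break_even_fee(q, n + 1, reward) > payment:
            return n
    raise ValueError("no depth within limit makes the rewrite unprofitable")


if __name__ == "__main__":
    q = Fraction(1, 10)
    print("Case 1 (alone):      ", float(claim_probability(q, q, 2)))
    print("Case 2 (with a peer):", float(claim_probability(q, 2 * q, 2)))
    for n in range(4):
        fee = break_even_fee(q, n + 1)
        print(f"{n} confirmations -> break-even fee {float(fee):.0f} BTC")
    print("wait for", confirmations_needed(1000, q), "confirmations on 1000 BTC")
```

Under these assumptions an unconfirmed payment has a break-even fee of zero, while the figure climbs steeply with each confirmation. ByteCoin's objection, that unbribed miners may refuse to build on the rewritten chain, is outside this model and would push the required fee higher.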