Author Topic: [PSA] Attention: Security vulnerability in new alt coins!  (Read 2275 times)
arjay45 (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
May 16, 2013, 04:21:27 AM
 #1

Please do not start at zero difficulty (0.00024414 to be precise, which is the default start difficulty of litecoin). I know you're hoping to get rich quick but here's why you should not do this: 51% attack.

All someone has to do is build a tool that will mine valid blocks using GPUs as quickly as possible without asking the network if the blocks are valid or not (except the first one). Then you periodically broadcast your attack chain to the network without caring at all about the longest chain seen by your client from the network. As long as the chain is valid this will work.

With the difficulty at the default of 0.00024414, all you need is 0.00024414 * 2^23 * 10 = 10.5 MHash/s to be able to mine 10 blocks per second (the equation is difficulty * 2^32 * blocks_per_second = hashrate_required). I have noticed usually the network is only able to go 2-5 blocks per second because of network latency, and nearly everyone is getting 95%+ orphans thus wasting their hashing power. So at 10 blocks per second an attacker would have absolutely no problem mining faster than a network that's having a laggy orphan-fest. And 10.5 MHash/s is cheap... quite a lot of people have that or more. You might even be able to pull off this attack with just 5 MHash/s as long as you can build your chain faster than the legit network can.

If your new or upcoming coin uses scrypt the above tool will be able to attack your coin! I don't even think there's any need for the tool to be modified for new coins in order to work, it just needs to grab your genesis block and then go nuts producing blocks as fast as it can, periodically broadcasting its chain to ensure if you use checkpoints there's a high chance you'll checkpoint the chain it's produced. It might need some tweaking knobs for commonly changed parameters like the difficulty retarget period, number of coins per block, etc. It's also quite possible this tool could be made by using a simple proxy wrapper around the *coind server to censor data coming in to ensure it's not aware of other chains but the attacker's chain. This ensures the attacker will be able to jump on your new coin and hijack the chain as soon as you launch.

If anyone can prove that the above tool cannot be created, I am all ears. Please quote source code or something as proof. But as far as I know I am correct and it's possible to perform this attack provided the difficulty is low enough.

TL;DR New altcoin authors, please stop using the default litecoin starting difficulty. Please use a sane value such as 0.25 or 1.0 as the starting difficulty. Otherwise a 51% attack can easily steal all your and your early adopter's coins! Checkpoints will not foil this attack!
Tobius
Member
**
Offline Offline

Activity: 182
Merit: 10



View Profile
May 16, 2013, 04:37:05 AM
 #2

Please do not start at zero difficulty (0.00024414 to be precise, which is the default start difficulty of litecoin). I know you're hoping to get rich quick but here's why you should not do this: 51% attack.

All someone has to do is build a tool that will mine valid blocks using GPUs as quickly as possible without asking the network if the blocks are valid or not (except the first one). Then you periodically broadcast your attack chain to the network without caring at all about the longest chain seen by your client from the network. As long as the chain is valid this will work.

With the difficulty at the default of 0.00024414, all you need is 0.00024414 * 2^23 * 10 = 10.5 MHash/s to be able to mine 10 blocks per second (the equation is difficulty * 2^32 * blocks_per_second = hashrate_required). I have noticed usually the network is only able to go 2-5 blocks per second because of network latency, and nearly everyone is getting 95%+ orphans thus wasting their hashing power. So at 10 blocks per second an attacker would have absolutely no problem mining faster than a network that's having a laggy orphan-fest. And 10.5 MHash/s is cheap... quite a lot of people have that or more. You might even be able to pull off this attack with just 5 MHash/s as long as you can build your chain faster than the legit network can.

If your new or upcoming coin uses scrypt the above tool will be able to attack your coin! I don't even think there's any need for the tool to be modified for new coins in order to work, it just needs to grab your genesis block and then go nuts producing blocks as fast as it can, periodically broadcasting its chain to ensure if you use checkpoints there's a high chance you'll checkpoint the chain it's produced. It might need some tweaking knobs for commonly changed parameters like the difficulty retarget period, number of coins per block, etc. It's also quite possible this tool could be made by using a simple proxy wrapper around the *coind server to censor data coming in to ensure it's not aware of other chains but the attacker's chain. This ensures the attacker will be able to jump on your new coin and hijack the chain as soon as you launch.

If anyone can prove that the above tool cannot be created, I am all ears. Please quote source code or something as proof. But as far as I know I am correct and it's possible to perform this attack provided the difficulty is low enough.

TL;DR New altcoin authors, please stop using the default litecoin starting difficulty. Please use a sane value such as 0.25 or 1.0 as the starting difficulty. Otherwise a 51% attack can easily steal all your and your early adopter's coins! Checkpoints will not foil this attack!
+1
c4n10
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
May 16, 2013, 05:37:45 AM
 #3

As much as I agree that starting a coin with base difficulty is just fucking retarded, I seriously doubt the majority are going to listen. This exact issue is addressed and complained about hundreds of times per week and it doesn't seem to be changing anything.

But still, I totally agree and +1 OP
Mhash pipe
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
May 16, 2013, 05:45:26 AM
 #4

These coins aren't meant to last more than 5 days anyways
baka
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
May 16, 2013, 05:53:15 AM
 #5

These coins aren't meant to last more than 5 days anyways
Yup just enough time to dump 'em on an exchange.

ShareCoin Free and Fair Distribution. Sc8XY5PmHK1NJ2DNvJhS82AQVFwMGimX8w
arjay45 (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
May 16, 2013, 05:57:52 AM
 #6

As much as I agree that starting a coin with base difficulty is just fucking retarded, I seriously doubt the majority are going to listen. This exact issue is addressed and complained about hundreds of times per week and it doesn't seem to be changing anything.

But still, I totally agree and +1 OP

Well I figure maybe some math and a convincing blurb on why it's against their best interest to do this silliness might convince some people. Maybe. We can only hope.

Anyway c4n10 I can't wait for your coin to come out with its 0.25 start difficulty. Hopefully some people start using your idea. Maybe it would help if you write a few words explaining how to properly set the initial difficulty to 0.25?
thekidcoin
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250

FlutterCoin Developer


View Profile
May 16, 2013, 06:01:09 AM
 #7

While this is probably true, if they started at a difficulty of 1, or .25, and the coin became popular, very quickly, it would be impossible to get coins, and if it was traded, the coin would be unprofitable to mine.  So that means basically anyone without 10 - 30 MH's rigs (for litecoin variants) would get scraps, whereas currently with some of the new coins, anyone who sees a release quick enough, even with minimal hashing power, can scoop up a few thousand coins and possibly a nice profit if it's traded.  I say something like .025 would be a better start than .25 or 1.

What was Bitcoin's original starting difficulty, anyone know?

1MYL967PR52xiNtqSP9WphRvPzKZDjBdxn
r3animation
Hero Member
*****
Offline Offline

Activity: 756
Merit: 500


View Profile
May 16, 2013, 06:01:15 AM
 #8

+1
c4n10
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
May 16, 2013, 06:11:19 AM
 #9

As much as I agree that starting a coin with base difficulty is just fucking retarded, I seriously doubt the majority are going to listen. This exact issue is addressed and complained about hundreds of times per week and it doesn't seem to be changing anything.

But still, I totally agree and +1 OP

Well I figure maybe some math and a convincing blurb on why it's against their best interest to do this silliness might convince some people. Maybe. We can only hope.

Anyway c4n10 I can't wait for your coin to come out with its 0.25 start difficulty. Hopefully some people start using your idea. Maybe it would help if you write a few words explaining how to properly set the initial difficulty to 0.25?


It's actually VERY easy, in main.cpp:

Code:
static CBigNum bnProofOfWorkLimit(~uint256(0) >> 20);

Change "20" to something higher. A value of "30" gives you a starting difficulty just under 0.25
arjay45 (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
May 16, 2013, 06:16:15 AM
 #10

While this is probably true, if they started at a difficulty of 1, or .25, and the coin became popular, very quickly, it would be impossible to get coins, and if it was traded, the coin would be unprofitable to mine.  So that means basically anyone without 10 - 30 MH's rigs (for litecoin variants) would get scraps, whereas currently with some of the new coins, anyone who sees a release quick enough, even with minimal hashing power, can scoop up a few thousand coins and possibly a nice profit if it's traded.  I say something like .025 would be a better start than .25 or 1.

What was Bitcoin's original starting difficulty, anyone know?

Okay well if you really want to premine the shit out of it, the minimum *safe* starting difficulty can be calculated using the following equation:

difficulty = plausible_attacker_hashrate * time_per_block / 2^32

So using 2 blocks per second and an attacker with 50 MHash/s that would make the minimum sane starting difficulty 0.0058207. Anything lower than that and an attacker with 50 MHash/s or less can hijack the network easily. But 0.005 is not a very fair starting difficulty in my opinion, as it will still be an orphan-fest for everyone mining.
c4n10
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
May 16, 2013, 06:19:41 AM
 #11

While this is probably true, if they started at a difficulty of 1, or .25, and the coin became popular, very quickly, it would be impossible to get coins, and if it was traded, the coin would be unprofitable to mine.  So that means basically anyone without 10 - 30 MH's rigs (for litecoin variants) would get scraps, whereas currently with some of the new coins, anyone who sees a release quick enough, even with minimal hashing power, can scoop up a few thousand coins and possibly a nice profit if it's traded.  I say something like .025 would be a better start than .25 or 1.

What was Bitcoin's original starting difficulty, anyone know?

What are you talking about...? At difficulty 0.25 with 350 KH/s you should find a block roughly every hour, that is hardly scraps. Coins shouldn't be made with the intention of everyone getting thousands of coins in the first few days so they can hoard them until the coin reaches an exchange and then dump their thousands of coins on the market decreasing the value of the coin instantaneously. Any coin designed to be intentionally pumped and dumped shouldn't bother being released.

Bitcoin's starting difficulty was technically higher than 0.25

Code:
static CBigNum bnProofOfWorkLimit(~uint256(0) >> 30);

that generates a starting scrypt difficulty of ~0.25, every incremental increase doubles the difficulty.

Bitcoin started with:

Code:
static CBigNum bnProofOfWorkLimit(~uint256(0) >> 32);
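
The difficulty arithmetic from posts #1, #10 and #11, worked through as an added example (not code from any poster or from a coin's source tree), for checking a planned `bnProofOfWorkLimit` shift before launch. The function names are hypothetical, and it assumes difficulty 1.0 corresponds approximately to a 32-bit shift, the Bitcoin value quoted above.

```cpp
#include <cmath>
#include <cstdio>

// Approximate starting difficulty for bnProofOfWorkLimit(~uint256(0) >> shift).
// Assumption: difficulty 1.0 is a 32-bit shift, so each extra bit doubles it.
double difficulty_from_shift(int shift) {
    return std::ldexp(1.0, shift - 32);  // 2^(shift - 32)
}

// Post #1: difficulty * 2^32 * blocks_per_second = hashrate_required (hashes/s).
double hashrate_required(double difficulty, double blocks_per_second) {
    return difficulty * std::ldexp(1.0, 32) * blocks_per_second;
}

// Post #10: difficulty = plausible_attacker_hashrate * time_per_block / 2^32.
double min_safe_difficulty(double attacker_hashrate, double time_per_block) {
    return attacker_hashrate * time_per_block / std::ldexp(1.0, 32);
}

// Expected seconds for a miner at `hashrate` to find one block (post #11's check).
double expected_seconds_per_block(double difficulty, double hashrate) {
    return difficulty * std::ldexp(1.0, 32) / hashrate;
}

// Smallest shift whose starting difficulty meets the post #10 minimum.
// Returns -1 if no shift in the 256-bit range qualifies.
int min_shift_for(double attacker_hashrate, double time_per_block) {
    const double floor_diff = min_safe_difficulty(attacker_hashrate, time_per_block);
    for (int shift = 0; shift <= 255; ++shift) {
        if (difficulty_from_shift(shift) >= floor_diff) return shift;
    }
    return -1;
}

int main() {
    // Shifts discussed in the thread: 20 (litecoin default), 30, 32 (Bitcoin).
    const int shifts[] = {20, 30, 32};
    for (int s : shifts) {
        const double d = difficulty_from_shift(s);
        std::printf(">> %d  difficulty %.8f  hashrate for 10 blocks/s: %.1f MH/s\n",
                    s, d, hashrate_required(d, 10.0) / 1e6);
    }
    // Post #10's case: a 50 MH/s attacker and 2 blocks per second (0.5 s per block).
    std::printf("minimum difficulty: %.7f, smallest shift: %d\n",
                min_safe_difficulty(50e6, 0.5), min_shift_for(50e6, 0.5));
    // Post #11's case: 350 KH/s at difficulty 0.25.
    std::printf("350 KH/s at 0.25: %.0f s per block\n",
                expected_seconds_per_block(0.25, 350e3));
    return 0;
}
```
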
arjay45 (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
May 16, 2013, 06:25:22 AM
 #12

What are you talking about...? At difficulty 0.25 with 350 KH/s you should find a block roughly every hour, that is hardly scraps. Coins shouldn't be made with the intention of everyone getting thousands of coins in the first few days so they can hoard them until the coin reaches an exchange and then dump their thousands of coins on the market decreasing the value of the coin instantaneously. Any coin designed to be intentionally pumped and dumped shouldn't bother being released.

I agree. For a GPU mined coin 0.25 is a pretty fair starting difficulty. There will be MUCH fewer orphans, and people will still get a large number of coins in the first few days. It's just the coins will be spread out to more miners that's all.
c4n10
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
May 16, 2013, 06:30:42 AM
 #13

What are you talking about...? At difficulty 0.25 with 350 KH/s you should find a block roughly every hour, that is hardly scraps. Coins shouldn't be made with the intention of everyone getting thousands of coins in the first few days so they can hoard them until the coin reaches an exchange and then dump their thousands of coins on the market decreasing the value of the coin instantaneously. Any coin designed to be intentionally pumped and dumped shouldn't bother being released.

I agree. For a GPU mined coin 0.25 is a pretty fair starting difficulty. There will be MUCH fewer orphans, and people will still get a large number of coins in the first few days. It's just the coins will be spread out to more miners that's all.

It also has the bonus side effect of helping to keep your coin within your desired block-target parameters. All the coins now are going through their first "week" of blocks in a matter of hours or days. For example, Worldcoin has a block target of 15 seconds yet for the first ~10,000+ blocks the blocks are coming in every second, sometimes multiple blocks per second. This doesn't balance out until the coin reaches higher difficulties (usually around 0.25 or so which is why I chose that for 0pticoin's starting difficulty).
sidelsky18
Newbie
*
Offline Offline

Activity: 56
Merit: 0



View Profile
May 16, 2013, 06:36:03 AM
 #14

Agreed. I think a coin like worldcoin would have a good chance of stability if it didn't start at such a low difficulty (and therefore give all the early blocks to a few people).
arjay45 (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
May 16, 2013, 06:41:24 AM
 #15

Worldcoin just hit difficulty 0.25 now, and it's getting coins every 1-5 seconds at current hashrate. That's pretty good, considering the minimum scan time in cgminer is 1 second, that means if you have cgminer getwork every second you have a good chance of having almost no stales. You also have very low load on the network. Still a lot of orphans but a lot less than 99.9% orphan rate I was getting for the first few hours.

I was seeing more than 5 blocks per second on worldcoin when I checked. I don't know what the peak was but that's pretty crazy.

EDIT: 5 blocks per second at first I mean.
c4n10
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
May 16, 2013, 06:47:10 AM
 #16

Agreed. I think a coin like worldcoin would have a good chance of stability if it didn't start at such a low difficulty (and therefore give all the early blocks to a few people).

It might, but I suspect that 15 second block times with only 4 confirmations for a transaction is going to turn out to be a huge disaster.

It seems generally accepted that it takes ~60 seconds for a block to fully propagate across the network, when you use longer block times you can use fewer confirmations because you're allowing time for the blocks to propagate across the network. When you use shorter block times, you should always require more confirmations because you are no longer allowing enough time for the blocks to propagate across the entire network.

Using 15 second block times with only 4 confirmations I believe is going to lead to epic problems on a massive scale. I suspect the blockchain will fork multiple times and every time it forks it will have a cascading effect causing more and more forks and forks of forks which will make it nearly impossible for the network to ever find the correct chain as each fork continues to grow too fast for that fork's clients to find the correct blockchain.

Should have named this one "Fractal Fork Coin"...

And then there's the fact that Worldcoin is literally a copy/paste coin with absolutely ZERO new features or innovations...

Don't get me wrong, I'm still going to mine it for a few days to have some coins to hold (I have coins in pretty much EVERY crypto-currency) but I do not intend to be using Worldcoin for longer than a day or two (which can probably be said for the majority of people in here).
arjay45 (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
May 16, 2013, 07:00:41 AM
 #17

Yeah I am mining worldcoin because I am bored. I do not expect it to hit an exchange, nor do I expect to be able to sell it for anything more than pennies if it does.

It would be nice if a coin came along that was a serious distraction from litecoin so litecoin's difficulty would go down though. And these copy-pasta clones are not going to do it.
c4n10
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
May 16, 2013, 07:08:05 AM
 #18

Yeah I am mining worldcoin because I am bored. I do not expect it to hit an exchange, nor do I expect to be able to sell it for anything more than pennies if it does.

It would be nice if a coin came along that was a serious distraction from litecoin so litecoin's difficulty would go down though. And these copy-pasta clones are not going to do it.

Not sure if you meant copy-pasta or copy-paste, but I think copy-pasta is brilliant because it really feels like all the new alt's are just trolling us like copy-pasta on 4chan...

"Copy-pasta" clones should be the new official name for coins with nothing new to offer...
Kyune
Sr. Member
****
Offline Offline

Activity: 287
Merit: 250


View Profile
May 16, 2013, 08:26:56 AM
 #19

+1 OP.  Thanks for posting this.

BTC:  1K4VpdQXQhgmTmq68rbWhybvoRcyNHKyVP
arjay45 (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
May 16, 2013, 05:15:46 PM
 #20

Copy-pasta was intentional :-) I stole it from someone on IRC I think but I thought it was very fitting.