Pools With a Significant Hashrate: A Realistic Double Spend Attack Taking 2 Hr

[mrb]

A double spend attack may be detectable after the fact, but is not likely to be stopped on time to prevent BTC theft. Pool owners with a significant hashrate are not the only persons capable of using it to their advantage. Here is an example: I am Malory, the proverbial malicious attacker, and I want to attack the Deepbit pool, managed by Tycho.

(Edit: Fixed the chain on which the BTC needs to be spent - thanks kjj/DamienBlack).
(Edit: Replaced fictional "500 BTC" amount with "10k BTC").
(Edit: Removed mentions of "50% hashrate" to emphasize that it is not required to perform a double spend.)

Step 1: I buy 10k BTC and transfer them to my wallet.

Step 2: I attack Deepbit's infrastructure to surreptitiously gain administrative control of the servers (eg. via a compromise of Tycho's workstation). Optionally, I also rob the pool of its BTC to further maximize my gains (using the pool's computational power to double spend its own money - hah!)

Step 3: I select a period of time of 2 hours during which Tycho is offline/sleeping. 2 hours is all I need because his pool, Deepbit, controls about half of the global Bitcoin network hashrate. Note that controlling exactly 50% or more is not necessary; if less than 50%, the probability of the attack being successful is simply lower.

Step 4: During these 2 hours, I send pool users work items to start forking the block chain, from the current legitimate block, but without broadcasting the forked blocks to the global Bitcoin network. The only visible effect is that the global network appears to solve ~6 blocks (instead of ~12) during these 2 hours; but no one notices because it happens all the time due to expected statistical variation. As a matter of fact, it is happening right now: in the last ~110 minutes only 6 blocks have been solved (135104-135109), and there is no reason to find this suspicious whatsoever.

Step 5: In the legitimate block chain (built by miners not in the pool), I include a transaction to transfer 10k BTC from my wallet to my TradeHill/Bitcoin7/MtGox account.

Step 6: TradeHill/Bitcoin7/MtGox detects my txfer after the legitimate block chain grows by 6 blocks (6 confirmations). I sell the 10k BTC.

Step 7: Profit! I have plenty of USD in my account. I quickly sell it on bitcoin-otc (eg. using MtGox's merchant API), or transfer it to my Dwolla account, or multiple accounts to bypass typical withdrawal limits.

Step 8: During this time, my forked chain should have grown 1 more block than the legitimate chain (if the attack was successful). I broadcast it to the network, which instantly invalidates the 10k BTC I transferred to TradeHill/Bitcoin7/MtGox. The 10k BTC automatically "reappears" in my original wallet (which I can now double-spend). The exchange is short on BTC and is screwed. An investigation later in the day reveals that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. I repeat the same attack on the other pool, and double spend again the BTC stolen from previous pools. Rinse and repeat.

[1714793999]

1714793999

[1714793999]

1714793999

[1714793999]

1714793999

[1714793999]

1714793999

[1714793999]

1714793999

[1714793999]

1714793999

[Jack of Diamonds]

Your original 500 BTC wont be much good after the price of bitcoin collapses
when the biggest pool is known to be used in a forging attack against the blockchain.

Which hacker with such skills will really ruin the entire economy for a few thousand bucks?

[mrb]

No problem. I also quickly resell this remaining 500 BTC right after my attack.

[Jack of Diamonds]

No problem. I also quickly resell this 500 BTC right after my attack.

Why would the hacker not divert the legit blocks being mined with 5000ghash/s to himself instead?
You have zero risk

(no initial purchase of 500BTC or need to fork the blockchain, people are still being shown they get paid so they continue mining, and you get about 6-10 solved blocks worth of BTC within 2 hours)

After the attack you have BTC from the 'normal' blockchain and you can launder them & sell for cash. Much less effort

[Bitcoin Swami]

What if the hacker is ben bernanke and doesn't give a crap about bitcoins and just wants to see them fail.

[DamienBlack]

You get right on that then. I'll be waiting.

Remember, if deepbit is 50% of the network, you'd only have about a 50% chance of this attack working (you making a longer chain than the rest of the network. Otherwise you'll probably be found out with no harm done. And this attack could work even if deepbit had 49% or 48% of 40%... the odds just start tilting against you.

[DamienBlack]

What if the hacker is ben bernanke and doesn't give a crap about bitcoins and just wants to see them fail.

Then he could much around for a few hours until people leave the pool. Then everything is ok (with maybe a minor blockchain rollback).

[mrb]

Why would the hacker not divert the legit blocks being mined with 5000ghash/s to himself instead?

Well, many (most?) pool users automatically withdraw their BTC balance to their wallet. If the attacker diverted the blocks to keep the BTC he would not be able to honor these withdrawals and would be noticed very quickly, perhaps after mining only a few hundred BTC.

Whereas my attack works with any amount of BTC (I should have picked a few thousand BTC as an example). The only limit is your budget to purchase the initial amount. And withdrawal restrictions on the exchanges. But there are ways to bypass them (register multiple accounts, sell your USD balance on bitcoin-otc, etc).

[DamienBlack]

If you hacked the site so thoroughly, you would probably have access to the pool's wallet, the one that makes payouts. I'm sure there is 10s of thousands. Take that and be done with it.

[mrb]

DamienBlack: I wrote this as a counter-example to your comment in another thread that a 50% attack would be statistically noticed in the global hashrate.

I doubt Tycho keeps tens of thousands of BTC on his online infrastructure. His pool profits (~3% fee) only amount to ~100 BTC per day. But my counter example was also to illustrate that Deepbit, with its size, is now a valuable target to any attacker out there. The fact a pool owns ~50% of the hashrate is bad not only for Bitcoin, but also because it concentrates risk. My advice to users is to not keep any significant amounts of BTC in their Deepbit account.

[FreeMoney]

How easy is it to look at what you are mining? Won't people see that they are working on a different block number than the current one? And shouldn't some people notice that they found blocks that don't show?

[DamienBlack]

DamienBlack: I wrote this as a counter-example to your comment in another thread that a 50% attack would be statistically noticed in the global hashrate.

Yes you have a point. You are correct. A double spend attack could be done quickly. Quickly enough that no one would notice. But honestly, I don't think a double spent is that big a deal, and it can happen below 50%, there is no magic number there. Other people pointed out that at > 50% you can begin moving backward through the whole block chain with statistical confidence. That is true, and a more dire attack. But a pool wouldn't be able to pull that off because people would leave the poll in a day or two, and you wouldn't be able to get that far back in that time since you also have to keep up with the rest of the network while moving backward.

[DamienBlack]

How easy is it to look at what you are mining? Won't people see that they are working on a different block number than the current one? And shouldn't some people notice that they found blocks that don't show?

The block data is actually pre-hashed when given to miners in a pool. We have no idea what we are working on. This is the main problem, and various solution have been floated / are being worked on.

You could check your successful blocks, but I don't think many people do. I don't even know of any mining programs that inform you.

[kjj]

Step 10: A few minutes later, the legitimate block chain becomes longer than my forked chain, which invalidates the 500 BTC I transferred to TradeHill/Bitcoin7/MtGox. The 500 BTC automatically "reappears" in my original wallet. The exchange is short on BTC and is screwed. An investigation later in the day reveal that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. The attacker repeats the same attack on this other pool

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.

[DamienBlack]

Step 10: A few minutes later, the legitimate block chain becomes longer than my forked chain, which invalidates the 500 BTC I transferred to TradeHill/Bitcoin7/MtGox. The 500 BTC automatically "reappears" in my original wallet. The exchange is short on BTC and is screwed. An investigation later in the day reveal that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. The attacker repeats the same attack on this other pool

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.

He has the order backwards, but it could still be done. You would spend on the "legit" original chain, and create a longer chain without that spend, then everyone works on that. It is two hours because that is how long it would take half the network to make six blocks, that is how long the attack would take, done correctly.

[kjj]

DamienBlack: I wrote this as a counter-example to your comment in another thread that a 50% attack would be statistically noticed in the global hashrate.

Yes you have a point. You are correct. A double spend attack could be done quickly. Quickly enough that no one would notice. But honestly, I don't think a double spent is that big a deal, and it can happen below 50%, there is no magic number there. Other people pointed out that at > 50% you can begin moving backward through the whole block chain with statistical confidence. That is true, and a more dire attack. But a pool wouldn't be able to pull that off because people would leave the poll in a day or two, and you wouldn't be able to get that far back in that time since you also have to keep up with the rest of the network while moving backward.

You can never move backwards through the chain.  The best you can do is pick a spot in the past and try to catch up.

[DamienBlack]

DamienBlack: I wrote this as a counter-example to your comment in another thread that a 50% attack would be statistically noticed in the global hashrate.

Yes you have a point. You are correct. A double spend attack could be done quickly. Quickly enough that no one would notice. But honestly, I don't think a double spent is that big a deal, and it can happen below 50%, there is no magic number there. Other people pointed out that at > 50% you can begin moving backward through the whole block chain with statistical confidence. That is true, and a more dire attack. But a pool wouldn't be able to pull that off because people would leave the poll in a day or two, and you wouldn't be able to get that far back in that time since you also have to keep up with the rest of the network while moving backward.

You can never move backwards through the chain.  The best you can do is pick a spot in the past and try to catch up.

Yes, you are correct. My mistake. Thank you for pointing out that misconception.

[mrb]

Step 10: A few minutes later, the legitimate block chain becomes longer than my forked chain, which invalidates the 500 BTC I transferred to TradeHill/Bitcoin7/MtGox. The 500 BTC automatically "reappears" in my original wallet. The exchange is short on BTC and is screwed. An investigation later in the day reveal that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. The attacker repeats the same attack on this other pool

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.

He has the order backwards, but it could still be done. You would spend on the "legit" original chain, and create a longer chain without that spend, then everyone works on that. It is two hours because that is how long it would take half the network to make six blocks, that is how long the attack would take, done correctly.

Correct. The 500 BTC txfer to the exchange would need to be in the "legit" chain. I fixed my original post.

[kjj]

Step 10: A few minutes later, the legitimate block chain becomes longer than my forked chain, which invalidates the 500 BTC I transferred to TradeHill/Bitcoin7/MtGox. The 500 BTC automatically "reappears" in my original wallet. The exchange is short on BTC and is screwed. An investigation later in the day reveal that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. The attacker repeats the same attack on this other pool

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.

He has the order backwards, but it could still be done. You would spend on the "legit" original chain, and create a longer chain without that spend, then everyone works on that. It is two hours because that is how long it would take half the network to make six blocks, that is how long the attack would take, done correctly.

It is still a double spend, and it is even more obvious if you spend on the main chain first and then try to reverse it.  Check your debug log.  The node already flags chain reversions and double spends.  Sites that wait for multiple confirmations can (should) be watching.

[BitcoinPorn]

I wonder what exchange would allow for such a mass transaction of funds to cash if it were sourced from this way, it would cause the exchanges to no longer exist, I don't think there would be a person to give the cash over for this Bitcoin.  Whoever controlled it would have to make sure it has value.