How would it be know if a segwit thieft actually happened?

[cellard]

Most likely you already know about the theory of the colliding miners planning a 51% attack to steal funds of transactions sitting on segwit addresses. Let's say it actually happens: Jihan and co gather and enough hashrate collides to steal segwit funds. Let's say the funds are a small amount and the address has been inactive a lot of time. Most likely the owner wouldn't even notice, or by the time he notices, nobody would believe that it actually happened, unless you can answer the question of the thread:

In the event that it actually happened, would there be any way to prove it, or it would be seen just as a regularly sent transaction?

[1714142394]

1714142394

[1714142394]

1714142394

[1714142394]

1714142394

[DannyHamilton]

Most likely you already know about the theory of the colliding miners planning a 51% attack to steal funds of transactions sitting on segwit addresses. Let's say it actually happens: Jihan and co gather and enough hashrate collides to steal segwit funds. Let's say the funds are a small amount and the address has been inactive a lot of time. Most likely the owner wouldn't even notice, or by the time he notices, nobody would believe that it actually happened, unless you can answer the question of the thread:

In the event that it actually happened, would there be any way to prove it, or it would be seen just as a regularly sent transaction?

Since the miners don't have the correct private key, they will be unable to provide the correct signature for the transaction that they use to "steal the funds".  Therefore, everyone else on the network will reject their invalid block which contains the invalid transaction.  They will have wasted their time and money and they will have accomplished nothing.

[HeRetiK]

Most likely you already know about the theory of the colliding miners planning a 51% attack to steal funds of transactions sitting on segwit addresses. Let's say it actually happens: Jihan and co gather and enough hashrate collides to steal segwit funds. Let's say the funds are a small amount and the address has been inactive a lot of time. Most likely the owner wouldn't even notice, or by the time he notices, nobody would believe that it actually happened, unless you can answer the question of the thread:

In the event that it actually happened, would there be any way to prove it, or it would be seen just as a regularly sent transaction?

Since the miners don't have the correct private key, they will be unable to provide the correct signature for the transaction that they use to "steal the funds".  Therefore, everyone else on the network will reject their invalid block which contains the invalid transaction.  They will have wasted their time and money and they will have accomplished nothing.

I think OP is alluring to the anyone-can-spend "vulnerability" that has been a talking point against the SegWit softfork for a while. What usually got ignored during this discourse was that "exploiting" this attribute of SegWit transactions would require a hardfork, basically rolling back BTC's SegWit upgrade and creating a shittier version of BCH.

So in theory, at least the way I understand it, anyone -- not just miners -- can try to spend inputs from a SegWit transaction while ignoring the correct private key. But while legacy (ie. non-SegWit) nodes would accept such a transaction, the majority of the network -- and thus the canonical BTC blockchain -- would reject it.

[DannyHamilton]

But while legacy (ie. non-SegWit) nodes would accept such a transaction, the majority of the network -- and thus the canonical BTC blockchain -- would reject it.

Most importantly (to me), MY NODE will reject it.  It won't matter how much hash power they have.  They could mine 99% of the blocks, and my node will still reject it because it will STILL be an invalid block with an invalid transaction.

The only people that will be effected will be those foolish enough to still be running a non-segwit enabled wallet on the SegWit network.

[ManaMan]

But while legacy (ie. non-SegWit) nodes would accept such a transaction, the majority of the network -- and thus the canonical BTC blockchain -- would reject it.

Most importantly (to me), MY NODE will reject it.  It won't matter how much hash power they have.  They could mine 99% of the blocks, and my node will still reject it because it will STILL be an invalid block with an invalid transaction.

The only people that will be effected will be those foolish enough to still be running a non-segwit enabled wallet on the SegWit network.

It doesn't matter if your node will reject it, I think that you forgot that miners have complete power and if you are not mining there is not much you can do. Miners are the ones who control the network I mean we should say mining pools as mining solo is not what we want. Anyway I think if this happens however we will see that BTC price will dump since people will not have faith in it due to mining pools living to their own terms and thus it would drastically decrease profit from miners.

The real question here is are they really ready to go that far to hurt BTC in a way where they will lose potential profit? I think not.

[DannyHamilton]

- a whole lot of nonsense from a sig ad that doesn't know what they are talking about -

No.

Just no.

You clearly have no idea what you are talking about.

Please take your sig ad spam elsewhere. It is not welcome in the Technical areas of this forum.

[TechPriest]

Since the miners don't have the correct private key, they will be unable to provide the correct signature for the transaction that they use to "steal the funds".  Therefore, everyone else on the network will reject their invalid block which contains the invalid transaction.  They will have wasted their time and money and they will have accomplished nothing.

As i know, witness data contains signature. So, miners could do that without private key if i understood it right.
Here is good topic about it - https://bitcointalk.org/index.php?topic=1434842.0

[DannyHamilton]

As i know, witness data contains signature. So, miners could do that without private key if i understood it right.

There is no witness data until you spend the bitcoins.  The miners would need to create the witness data if they want to steal the bitcoins.  Since they don't have the private key, it is not possible for them to create valid witness data.

Here is good topic about it - https://bitcointalk.org/index.php?topic=1434842.0

As indicated by the link YOU provided:

Non-validating clients would be exposed to the reorganization, ones that are validating would not be.

You also are encouraged to take your sig ad spam nonsense elsewhere. It is not welcome in the Technical areas of this forum.

[nullius]

Most likely you already know about the theory of the colliding miners planning a 51% attack to steal funds of transactions sitting on segwit addresses.

That’s not a “theory”.  It is a disturbingly pernicious and persistent urban legend about Segwit, predicated on a common misconception about the role of miners.  Miners have one, only one, and exactly one job:  To provide the ordering of transactions in a Byzantine fault-tolerant manner (which in turn prevents double-spends).  That’s what miners do.  That is all miners do.  Granted, it is an important and resource-intensive job; that’s why miners get paid for it.  But that is the one and only security function of miners.

Of course, miners must validate each block they produce; if they didn’t, they would be unable to reliably produce valid blocks.  But miners are not the parties responsible for enforcing validation on the network.  Full nodes do that.  Each individual full node does that, so as to provide better security for its owner; and all full nodes collectively do that, thus providing validation security for the whole network.  Observe how here as everywhere, Bitcoin precisely aligns the individual’s selfish interest with the common good.

Full nodes do not blindly “follow the longest chain”.  They follow the chain independently validated by them which has the highest total POW.  A miner (or 51+% of miners) who produced invalid blocks would only be wasting hashrate, and likely risking widespread blacklisting of IP addresses.  It doesn’t matter if the invalid blocks steal money from Segwit transactions, steal money from old-style transactions, create 21 billion new coins, or are filled with gibberish from /dev/random.  An invalid block is an invalid block, and shall be promptly discarded by all full nodes—period.

In the event that it actually happened, would there be any way to prove it, or it would be seen just as a regularly sent transaction?

That begs the question:  It can’t actually happen.  Segwit transactions require signatures, just like old-style transactions.  Segwit transactions have security greater than or equal to old-style transactions in each and every characteristic.  If a miner could somehow steal Segwit funds with a 51% attack, then the same attack could be used against all bitcoins, including Satoshi’s coins.  But such an attack is impossible; the whole idea is ridiculous, just nonsense peddled by Btrash supporters so that

Jihan and co

can smear the Segwit upgrade.  And why do they hate Segwit?  Because the Segwit upgrade stops

Jihan and co

from covertly exploiting a security vulnerability which gives an unfair advantage of up to 30% in the energy costs of mining.  Of course, they will hate Segwit; and their cronies and shills lie about Segwit.  Give them no credence.


DannyHamilton is correct on all points here.  I just have a few things to add or expand upon.

I think OP is alluring to the anyone-can-spend "vulnerability" that has been a talking point against the SegWit softfork for a while. What usually got ignored during this discourse was that "exploiting" this attribute of SegWit transactions would require a hardfork, basically rolling back BTC's SegWit upgrade and creating a shittier version of BCH.

I always wonder why nobody stops to notice that the same “attack” based on the “anyone-can-spend” notion could be used against all P2SH transactions.  Oh no, Btrash is also vulnerable!

miners have complete power

WRONG.

Miners are the ones who control the network

WRONG.

I am sometimes amazed at the confident airs put on people who make authoritative-sounding declarations of totally incorrect information.

As i know, witness data contains signature. So, miners could do that without private key if i understood it right.
Here is good topic about it - https://bitcointalk.org/index.php?topic=1434842.0

Interesting link.  Did you read past the OP?  Try the second post, to which I just awarded merit:

Is the following scenario valid?

1. Some unhonest segwit mining pool takes top-1000 segwit utxo and mines a block at height N with a transaction which transfers all funds to his p2pkh address
2. This block does not have segwit data portion, but it can be broadcasted to all non-segwit nodes on the network
3. All other pools have a dilema - wait the segwit data associated with this block or start mining block N+1 on the top of N
4. What if miners will use SPV-mining on the top of this block? They will create blocks at heights N+1, N+2... etc without checking the segwit-validity of block N

No different than the situation today with "spend all the coins in the first 10000 blocks, without knowing the private key; and hope that miners extend the chain without having or checking the block. The segwit data is not sent separately.

In either case the corrupt chain would be simply reorged out after miners hit their limit of mining without data or otherwise some process realizes they are mining a chain the network is rejecting. Non-validating clients would be exposed to the reorganization, ones that are validating would not be.

[AGD]

Sorry for beeing off topic, but @DannyHamilton and @nullius are you guys merit sources already? If not I would like to give my vote to you. Please @theymos ...

[gmaxwell]

Nullius and DannyHamilton are spot on.

It's sad that people are getting bamboozled by malicious disinformation on this subject.

The _exact_ same thing protects segwit outputs from being stolen by malicious miners as any other coin: Following the rules is part of what _defines_ mining.  A miner that steals an output hasn't mined as far as nodes are concerned, their blocks will simply be ignored (and the peers relaying them eventually banned).

Segwit is no different from any other consensus rule in this respect-- other than some were introduced later than others, but many have been introduced over time.

We didn't see these same sorts of malicious FUD with P2SH though it was exactly the same-- I guess because back then felons hadn't figured out how to monetize that sort of confusion.

[ManaMan]

miners have complete power

WRONG.

Miners are the ones who control the network

WRONG.

I am sometimes amazed at the confident airs put on people who make authoritative-sounding declarations of totally incorrect information.

Could you then explain me at least why miners don't control the network? Because from my understanding they are the ones who control rules of creation of new blocks. It doesn't matter if your node starts to reject new blocks as long as miners opt for other block rules if you don't comply you won't then see any incoming blocks. What you could potentially do is do another fork another alt with lower hash power.

[cellard]

Nullius and DannyHamilton are spot on.

It's sad that people are getting bamboozled by malicious disinformation on this subject.

The _exact_ same thing protects segwit outputs from being stolen by malicious miners as any other coin: Following the rules is part of what _defines_ mining.  A miner that steals an output hasn't mined as far as nodes are concerned, their blocks will simply be ignored (and the peers relaying them eventually banned).

Segwit is no different from any other consensus rule in this respect-- other than some were introduced later than others, but many have been introduced over time.

We didn't see these same sorts of malicious FUD with P2SH though it was exactly the same-- I guess because back then felons hadn't figured out how to monetize that sort of confusion.

Indeed, the Bcash scammers finally found a way to get money out of it, BUT there are groups of people not selling a shitcoin, an ICO or any other monetizable product whatsoever, which also think segwit poses risks, for example I remember this log from MP that someone posted in the bitcoin classic thread:

thestringpuller: cause there is no way TRB will ever enforce segwit, so there is no way it can ever truly verify a segwit output was spent "legitimately"
mircea_popescu: thestringpuller the derp in question can just spend again normally and his coins will be visible.
mircea_popescu: trb has no notion of "coin history". nor should it. because taint is not a thing.
thestringpuller: gotcha. just never have anyone spend to your from a fake address.
mircea_popescu: moreover, there ISNT, in general, and for very good reasons, a way to verify segwit crapolade.
mircea_popescu: which is what it aims to be, a sort of "let's dao bitcoin"
thestringpuller: TMSR rule of thumb: "Never accept non standard transactions" ?
mircea_popescu: pretty much.
thestringpuller: gotcha. thanks for clarity. mod6 ^^^ nvm question has been answered.
mircea_popescu: but this said, yes it is deeply irresponsible for anyone to use prb clients. this doesn't just mean 13, or 12, or 10. ANY of them.
mircea_popescu: they keep adding shit, but it's been shitsoup for years now.
mod6: thestringpuller: np.
mod6: if we needed to add code everytime these gnomes comeup with a new crapolade, that's all we'd ever be doing.
thestringpuller: i just don't want them to add something in a "fork" that allows TMSR to get scammed.
thestringpuller: but I think at that point BTC is dead
mircea_popescu: and in other lulz, ro chicks trying hard :http://fabulousmuses.net/2016/06/marina-yachting-summer-trends.html
mircea_popescu: mod6 the main concern is that their bullshit will "accidentally" start fabricating coins.
mircea_popescu: nevertheless, we're not making the mistake of introducing coin taint, under any name.
BingoBoingo: thestringpuller: From what I understand Segwit to a normal 1xxx adress requires a signature in the blockchain so when segwit stops being miner enforced the recieved transaction would still be, even though it came from freemoneyshitsoup.
thestringpuller: BingoBoingo: AHA!
mircea_popescu: yeah, except the next stop is for shitsoup to put out more coins than it got in.
thestringpuller: elaborate?
mircea_popescu: you been watching the dao thing ?
mod6: <+mircea_popescu> nevertheless, we're not making the mistake of introducing coin taint, under any name. << totally agree.
mircea_popescu: segwit is EXACTLY "dao for bitcoin".

Im not too familiar with this but apparently MP got a lot of bitcoins, and these guys are not trying to scam anyone with shitcoins (forks included) and as far as I understand they are trying to do what's best for bitcoin, so I value their opinion on the matter. I would like to know what you think and why there are big discrepancies with Core, because these must be real technical reasons, since again, they aren't selling their own scamtoken, as Roger and co do.

[DannyHamilton]

It doesn't matter if your node starts to reject new blocks as long as miners opt for other block rules if you don't comply you won't then see any incoming blocks.

Yes.  I'll still see blocks from all the honest miners that are NOT mining invalid blocks.  The ONLY blocks that I (AND the entire rest of the SegWit enabled network of users, merchants, exchanges, nodes, wallets, etc) won't see are the few nonsense invalid blocks created by the "attackers" that are wasting their own time and money on block rewards that they will never be able to spend.

[codewench]

Could you then explain me at least why miners don't control the network? Because from my understanding they are the ones who control rules of creation of new blocks. It doesn't matter if your node starts to reject new blocks as long as miners opt for other block rules if you don't comply you won't then see any incoming blocks. What you could potentially do is do another fork another alt with lower hash power.

Example:

You're trying to buy a GPU from EggsRUs. You send BTC. Unbeknownst to you, the big mining pools have changed the rules to give themselves a 2100 BTC block reward every block forever. (Purists are calling the pools' coin MinerCoin.) Eggs, being a merchant, knows about this inflationary change - and doesn't like it. Your transaction quickly confirms on MinerCoin, but Eggs isn't looking for it on that chain. A rag tag collection of miners are still on the legacy chain. Eventually, your transaction does confirm on the legacy chain. With some delay, you get your GPU. At some point, the big pools attempt to cash out their new found riches, but alas, nobody with real money on the line will accept their coins.

TLDR summary: Users transacting real value determine which fork has value.

[ManaMan]

Example:

You're trying to buy a GPU from EggsRUs. You send BTC. Unbeknownst to you, the big mining pools have changed the rules to give themselves a 2100 BTC block reward every block forever. (Purists are calling the pools' coin MinerCoin.) Eggs, being a merchant, knows about this inflationary change - and doesn't like it. Your transaction quickly confirms on MinerCoin, but Eggs isn't looking for it on that chain. A rag tag collection of miners are still on the legacy chain. Eventually, your transaction does confirm on the legacy chain. With some delay, you get your GPU. At some point, the big pools attempt to cash out their new found riches, but alas, nobody with real money on the line will accept their coins.

TLDR summary: Users transacting real value determine which fork has value.

I understand this situation - it could fork if they wanted to tweak and price would crash.
And that is exactly why I wrote what I wrote in the first place this:

It doesn't matter if your node will reject it, I think that you forgot that miners have complete power and if you are not mining there is not much you can do. Miners are the ones who control the network I mean we should say mining pools as mining solo is not what we want. Anyway I think if this happens however we will see that BTC price will dump since people will not have faith in it due to mining pools living to their own terms and thus it would drastically decrease profit from miners.

The real question here is are they really ready to go that far to hurt BTC in a way where they will lose potential profit? I think not.

They certainly have the power over the network, the outcome of it is another story. Just this dude said I am wrong so I wanted to make sure where I was wrong plus I don't see that what I said is incorrect info...

[Random Seller]

From the information in this thread, I understand that it would be impossible for miners to forge a transaction even they have more than 51% of the network because all Segwit nodes recognize the fact that they are illegal transactions. (Please correct me if I am wrong).

Let go at it from a different angle than.

If miner B controls 51% of the network could they prevent anyone they want from making a bitcoin transaction?

[DannyHamilton]

If miner B controls 51% of the network could they prevent anyone they want from making a bitcoin transaction?

If someone controls more Bitcoin hash power than the entire rest of the world combined, then yes.

[nullius]

It's sad that people are getting bamboozled by malicious disinformation on this subject.

I wish to reply to some of the other above posts; perhaps later.  For now, I want to explain something about this post I gave +40.

Bitcoin would not be what it is today without the efforts of a select few people, including Greg Maxwell (gmaxwell).  Without them, Bitcoin would be slower, less reliable, and less secure.  Early on, the Satoshi software was run-and-gun cypherpunk code; it was important because it created Bitcoin, but many parts were—problematic.  Nowadays, despite some necessarily remaining idiosyncrasies in the RPCs, etc., Core is a product of professional software engineering.  This is thanks to the work of many contributors, but principally among them, a few who have more or less dedicated their lives to the project.

Money can’t buy the combination of expertise and devotion which gmaxwell has given to Core.  That can only be bought by ideological dedication to the freedom made by a new form of money.  I’m not saying this to praise gmaxwell; I doubt he needs some Internet hagiography.  Rather, I want to make sure that newbies reading this will understand who gave the answer I deemed to merit +40 (which would have been +50, but the system wouldn’t let me).  He’s not just someone who knows what he’s talking about:  He’s someone who helped make what we’re talking about.  I think he knows how it works.

gmaxwell (a/k/a nullc) is also active in places where Bitcoin is discussed, and used to be much more active here in those days from the archives of the Bitcoin Forum as I wish I could experience it.  To variations of the same disinformation, he’s given that same answer (often at greater length) so many times over the years that I really only gave him a few millimerits for each time he’s explained this.  Sorry about that.

[amishmanish]

It's sad that people are getting bamboozled by malicious disinformation on this subject.

I wish to reply to some of the other above posts; perhaps later.  For now, I want to explain something about this post I gave +40.

Bitcoin would not be what it is today without the efforts of a select few people, including Greg Maxwell (gmaxwell).  Without them, Bitcoin would be slower, less reliable, and less secure.  Early on, the Satoshi software was run-and-gun cypherpunk code; it was important because it created Bitcoin, but many parts were—problematic.  Nowadays, despite some necessarily remaining idiosyncrasies in the RPCs, etc., Core is a product of professional software engineering.  This is thanks to the work of many contributors, but principally among them, a few who have more or less dedicated their lives to the project.

Money can’t buy the combination of expertise and devotion which gmaxwell has given to Core.  That can only be bought by ideological dedication to the freedom made by a new form of money.  I’m not saying this to praise gmaxwell; I doubt he needs some Internet hagiography.  Rather, I want to make sure that newbies reading this will understand who gave the answer I deemed to merit +40 (which would have been +50, but the system wouldn’t let me).  He’s not just someone who knows what he’s talking about:  He’s someone who helped make what we’re talking about.  I think he knows how it works.

gmaxwell (a/k/a nullc) is also active in places where Bitcoin is discussed, and used to be much more active here in those days from the archives of the Bitcoin Forum as I wish I could experience it.  To variations of the same disinformation, he’s given that same answer (often at greater length) so many times over the years that I really only gave him a few millimerits for each time he’s explained this.  Sorry about that.

I remember thinking nullc was nullius due to the similarity!! i did later see that it was Gregory Maxwell. I've taken the liberty to quote and credit these posts. LOL.
 I wanted to add that this discussion also puts light to the fact that this "dishonest miner" scenario is kept in check because normal users, small merchants CAN run full nodes. That should explain why keeping block size within sustainable limits is important. A lower block size keeps the entry-barrier for running a full node as low as possible.
The 'core' idea of giving preference to basic developments like SegWit that optimize data usage for transactions is much better than randomly increasing block size to say, 8 MB, 32 MB and so on. This way you give more time for the hardware costs to go lower while code improvements are built upon.