Bitcoin Forum
April 21, 2021, 07:23:50 AM *
News: Latest Bitcoin Core release: 0.21.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: When will nodes forward doublespends based on fee?  (Read 1389 times)
mustyoshi
Sr. Member
****
Offline Offline

Activity: 287
Merit: 250



View Profile
March 04, 2014, 06:59:59 PM
 #1

We need to move away from the mindset that zero confirmation transactions are safe.

Miners will eventually start to prioritize what to include by the fee it gives them, which is exactly what they should be doing. Even if that were to nullify another unconfirmed transaction, the one which gives the most to the network (miners) is the one that should be included.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
grau
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1000


bits of proof


View Profile WWW
March 05, 2014, 06:08:05 AM
Last edit: March 05, 2014, 07:53:59 AM by grau
 #2

Simply knocking out unconfirmed tx from memory pool by another higher fee variant would enable the payor to cancel any payment before included in a block - by double spending to own account. This is a no-go.

I also think that block inclusion would better be simple fee/size order and that memory pool should expire somewhat faster than current 3 days.
Peter R
Legendary
*
Offline Offline

Activity: 1162
Merit: 1007



View Profile
March 05, 2014, 08:46:11 AM
 #3

Zero-confirm transactions are safe1 for low-value purchases provided the transacation has been accepted by a significant fraction of network nodes and no double spends have been detected.  

To attempt a double-spend, you'd need to be in cahoots with a nefarious miner and pass your fraudulent transaction over a non-public back channel.  You'd only succeed with a probability equal to the nefarious miner's percentage of global hash power.


Why would you want to intentionally make zero-confirm transaction less secure?


1Ignoring the malleability nuance related to accepting zero-confirm transactions built from unconfirmed change outputs that is being resolved. 

Run Bitcoin Unlimited (www.bitcoinunlimited.info)
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile
March 05, 2014, 08:57:47 AM
 #4

Simply knocking out unconfirmed tx from memory pool by another higher fee variant would enable the payor to cancel any payment before included in a block - by double spending to own account. This is a no-go.
The thing about Bitcoin is that you can't rely on good behavior in the nodes. Just like there were griefers who set up tx mutation nodes for the hell of it, there could be nodes that are programmed to make double spending of 0 conf transactions easier.

Merchants need a better solution than "hope adversaries decide to play nice".

Maybe something along the lines of pools offering subscription services via which a merchant can obtain assurance the pool will not mine a conflicting transaction.
maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1003


View Profile
March 05, 2014, 09:00:27 AM
 #5

Zero-confirm transactions are safe1 for low-value purchases provided the transacation has been accepted by a significant fraction of network nodes and no double spends have been detected.  

No, zero-confirm transactions should not be considered safe to any degree, because...

Quote
To attempt a double-spend, you'd need to be in cahoots with a nefarious miner and pass your fraudulent transaction over a non-public back channel.  You'd only succeed with a probability equal to the nefarious miner's percentage of global hash power.

... this is ridiculously easy to do.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Peter R
Legendary
*
Offline Offline

Activity: 1162
Merit: 1007



View Profile
March 05, 2014, 09:26:52 AM
 #6

Zero-confirm transactions are safe1 for low-value purchases provided the transacation has been accepted by a significant fraction of network nodes and no double spends have been detected.  

No, zero-confirm transactions should not be considered safe to any degree, because...

Quote
To attempt a double-spend, you'd need to be in cahoots with a nefarious miner and pass your fraudulent transaction over a non-public back channel.  You'd only succeed with a probability equal to the nefarious miner's percentage of global hash power.

... this is ridiculously easy to do.


This has been debated endlessly.  It comes down to whether the expected losses from double spends are significant to the merchant's bottom line.  

Purchasing a latté from Starbucks is almost certainly fine, while purchasing 100 oz of gold will definitely require a few confirmations.  Purchasing $300 of groceries (low profit margin business), well, we'll have to see how the double spend statistics look.

Remember, the expected loss due to double spending on zero-confirm transactions is:

(% expected loss) = (% of people that will attempt to defraud you) x (% of global hash power controlled by fraudulent miners)

In a retail setting, I expect less than 5% of customers to attempt to defraud the merchant, and I expect less than 10% of global hash power to be nefarious. This gives an expected loss on zero-confirm transactions of less than 0.1 x 0.05 = 0.5%.  


EDIT: do you know of any mining pools that control a significant fraction of global hash power that current accept out-of-band knowingly-fraudulent transactions?


Run Bitcoin Unlimited (www.bitcoinunlimited.info)
DannyHamilton
Legendary
*
Offline Offline

Activity: 2436
Merit: 1932



View Profile
March 05, 2014, 09:32:26 AM
 #7

Remember, the expected loss due to double spending on zero-confirm transactions is:

(% expected loss) = (% of people that will attempt to defraud you) x (% of global hash power controlled by fraudulent miners)

In a retail setting, I expect less than 5% of customers to attempt to defraud the merchant, and I expect less than 10% of global hash power to be nefarious. This gives an expected loss on zero-confirm transactions of less than 0.1 x 0.05 = 0.5%.

Give your customer a "loyalty card" if they provide some identifying information (so you can send them sales building promotions), and only accept bitcoin payments from members with a "loyalty card", and I'll bet you reduce that to below 0.1%
maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1003


View Profile
March 05, 2014, 09:40:56 AM
 #8

EDIT: do you know of any mining pools that control a significant fraction of global hash power that current accept out-of-band knowingly-fraudulent transactions?

Ghash.io has been caught with their hand in the cookie jar. Other cloud mining operations that are coming online soon have the capability to do this with limited risk to themselves. A further 15% of the network is not identifiable and therefore would be able to do this with plausible deniability.

"Knowingly fraudulent" is not a phrase I would use. There is no way for 3rd parties to know with certainty which transaction came first, and therefore which one is the fraud. It's the nature of the bitcoin consensus system.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
DannyHamilton
Legendary
*
Offline Offline

Activity: 2436
Merit: 1932



View Profile
March 05, 2014, 09:45:38 AM
 #9

Ghash.io has been caught with their hand in the cookie jar.

Interesting.  I had missed the news on this.  I'd certainly be interested in reading up about it.  Would you happen to have any links?
maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1003


View Profile
March 05, 2014, 09:48:19 AM
 #10

It was double-spends / rerolls against BetCoin.

"ghash.io betcoin" in google should get you some results.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Peter R
Legendary
*
Offline Offline

Activity: 1162
Merit: 1007



View Profile
March 05, 2014, 09:54:06 AM
Last edit: March 05, 2014, 10:11:19 AM by Peter R
 #11

Ghash.io has been caught with their hand in the cookie jar. Other cloud mining operations that are coming online soon have the capability to do this with limited risk to themselves. A further 15% of the network is not identifiable and therefore would be able to do this with plausible deniability.

Thanks for the info.  That is interesting.  Do you know how I could pass a double-spend to Ghash.io or one of the unknown miners?  I'd like to try to double-spend on myself, see how well it works, and report back.

Quote
"Knowingly fraudulent" is not a phrase I would use. There is no way for 3rd parties to know with certainty which transaction came first, and therefore which one is the fraud. It's the nature of the bitcoin consensus system.

There is an important subtlety.  To perpetrate a double-spend, the nefarious miner must agree to not broadcast the fraudulent double spend (otherwise the merchant's listening node would detect the attack).  If the transaction is legit, why not broadcast it publicly?

Similarly, if the miner receives the transaction long after the non-fraudulent transaction has been accepted by the majority of nodes in the network (and the merchant's node is no longer listening), then the miner would be knowingly complicit in the fraud if he accepts this clear double-spend into his memory pool.  

So I think the phrase "knowingly fraudulent" is accurate.  Do you still disagree?  

Run Bitcoin Unlimited (www.bitcoinunlimited.info)
grau
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1000


bits of proof


View Profile WWW
March 05, 2014, 05:38:55 PM
 #12

I do not think one can call a miner fraudulent if prefers a transaction with higher fee/kb above a lower variant. It is their freedom to mine whatever transactions they choose to.

The relay nodes are also free to relay or reject whatever they like. It is however beneficial to the network as a whole if relay nodes do not replace transactions with their double spend of a higher fee.

Nowadays relay nodes are quite homogenous and do not replace transactions, therefore unconfirmed double-spends are usually not making to the miner, this could however change. I guess merchants will feel the pain if so, and adapt.

 
maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1003


View Profile
March 05, 2014, 06:14:20 PM
 #13

If you peer with the merchant and miner directly, but the merchant and miner themselves are not peered, then it is relatively easy to perform a double-spend: as soon as the merchant's transaction hits the network, you send the double-spend to the miner. The merchant will not find out until it is confirmed because he already sent the first transaction to his peers, and so his peers will not relay the double-spend.

And @grau is spot on. It's the miner's freedom to mine whatever transactions they feel like, and they have no moral responsibility to include one over the other (especially because without additional information they can't tell which one is "correct"). If you are making any assumptions about how double-spends are relayed, or which transactions miners will include in blocks, you are in the wrong.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Peter R
Legendary
*
Offline Offline

Activity: 1162
Merit: 1007



View Profile
March 05, 2014, 07:02:37 PM
Last edit: March 05, 2014, 07:23:01 PM by Peter R
 #14

I do not think one can call a miner fraudulent if prefers a transaction with higher fee/kb above a lower variant. It is their freedom to mine whatever transactions they choose to.

A miner also has the freedom to walk out on the street and kick some random guy in the nuts.

Just because a miner is able to replace a lower-paying transaction with a higher-paying variant, doesn't mean that doing so is not fraudulent in certain cases.  Most societies have laws against fraud and for good reason.  A common definition of fraud would be:

    fraud: wrongful deception intended to result in financial or personal gain

If a miner knowingly runs a service that accepts out-of-band double-spend transactions, then in most (all?) cases the purpose of doing so is fraudulent.  Typically, these miners would be accepting the transaction for a higher fee, from a user trying to deceive a merchant.  If this can be proven, then it's fraud.  If bitcoin gains widespread acceptance, I expect law enforcement to respond, making it difficult for this type of behaviour to flourish.  This, and social pressure to behave ethically, I believe will keep bitcoin fraud on most zero-confirm transactions below the loss percentages due to counterfeit bills, stolen credit cards, or chargeback fraud.  

That being said, I believe I do understand the bigger point you are making: the network can change and miners and nodes might not behave in the way we expect.  I agree with that statement.  Still, the risk of accepting zero-confirm transactions always comes down to the excepted loss statistics at that time.  But at least right now, I can walk down to Central Bistro in Vancouver, eat an expensive dinner, pay via BitPay, and leave before the first confirmation has arrived.  So far it's working.  


Run Bitcoin Unlimited (www.bitcoinunlimited.info)
grau
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1000


bits of proof


View Profile WWW
March 05, 2014, 07:50:09 PM
 #15

I do not think one can call a miner fraudulent if prefers a transaction with higher fee/kb above a lower variant. It is their freedom to mine whatever transactions they choose to.

A miner also has the freedom to walk out on the street and kick some random guy in the nuts.

Bitcoin defines the order of transactions as they are in a valid block on the trunk with most work on it. There is no higher order truth or moral.

A miner does not need to have the information which of conflicting but otherwise valid transactions is the "right" one, therefore free to chose. It is the sender who commits/attempts the fraud by creating two valid but conflicting transactions. The miner is just a paid time stamping service, not the police or judge.
 
grau
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1000


bits of proof


View Profile WWW
March 05, 2014, 08:00:44 PM
 #16

Consider two different scenarios:

a) A fraudulent customer pays for a product and broadcasts a double spend with higher fee.
b) A poorly written wallet sends a transaction with excessive fee, the developer notices and attempts to double spend it with a lower fee variant.

A miner receives any of the above transactions through relay nodes in random order. Which one should he chose to remain honorable?
Raize
Donator
Legendary
*
Offline Offline

Activity: 1418
Merit: 1008


View Profile
March 05, 2014, 08:12:18 PM
 #17

If I was a local merchant, I would not accept zero-confirmation transactions for items over $50/value. That said, I might consider it for folks I know and can identify.

For an online retailer, waiting one hour isn't a real problem except in the case of digital asset sales. I'd still recommend waiting an hour regardless of the transaction.

OrganofCorti's Neighbourhood Pool Watch - The most informative website on blockchain health
grau
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1000


bits of proof


View Profile WWW
March 05, 2014, 08:24:04 PM
 #18

Another way to get more comfort at local trade is to observe network propagation. The merchant can connect to a high number of nodes and observe if all of them echo the "right" transaction.

But observing propagation does not protect from a fraudster with a big miner buddy and is vulnerable to network isolation/siblings attack.

I think as the network matures merchants and their software will learn to combine evidences to a degree of trust. At the end nothing beats what is on the block chain, so for certainty one has to be patient.
Peter R
Legendary
*
Offline Offline

Activity: 1162
Merit: 1007



View Profile
March 05, 2014, 08:38:28 PM
 #19

Consider two different scenarios:

a) A fraudulent customer pays for a product and broadcasts a double spend with higher fee.
b) A poorly written wallet sends a transaction with excessive fee, the developer notices and attempts to double spend it with a lower fee variant.

A miner receives any of the above transactions through relay nodes in random order. Which one should he chose to remain honorable?

Whichever one he receives first; but that's not the point and I agree that there are cases where it would be fine to choose either.  

I am talking about cases where the miner offers a service of accepting out-of-band transactions that are knowingly double-spent.  I am saying that if the miner offers this service for profit and if customers uses it to deceive merchants, then the miner is complicit in fraud.  

I started a poll here: https://bitcointalk.org/index.php?topic=502571.0

Run Bitcoin Unlimited (www.bitcoinunlimited.info)
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1001



View Profile
March 06, 2014, 06:03:26 AM
 #20

To sum up:

The order of transactions is exactly the problem that bitcoin was invented to solve.

The order presented in the blockchain is the only order with any meaning.
 - If you disagree with the order in the blockchain, you are wrong, not the chain.

If you are relying on the order of things not yet in the chain, you are wrong.
 - Bitcoin is not a coercive system.  No one can stop you from being wrong, but you do so at your own risk, and inevitably to your own peril.

If you have an opinion on what order things should be in when they are eventually included in the block chain, you are wrong.
 - Even if you guessed right.
 - Bitcoin is not a coercive system.  No one can force a miner to prefer any ordering over any other.


Not that one can't or even necessarily shouldn't take risks based on undefined future ordering.  The real problem is that some people don't understand the risks they are taking right now.  The network is fairly polite right now and it usually does what you think it will do.  But that politeness is not a property of the system, but an accident of history.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!