Bitcoin Forum
Author Topic: Is it possible to fake the BTC blockchain?  (Read 501 times)
johnwhitestar
November 08, 2019, 07:59:48 AM
Merited by mk4 (1)
 #1

I've been asking myself this question for a while.
Let's imagine the following situation:
A guy visits another guy to receive a payment in BTC.
He doesn't have a mobile internet connection, so he asks his host to connect to his host's wi-fi.
His host, who we assume for the sake of our inquiry wants to scam his guest, connects him to a fake internet in which the real BTC blockchain was forked in order to fake a transaction that in reality will never happen.
So once the first guy goes back home, he'll see that his payment has disappeared.
Is this situation technically possible?

mk4
November 08, 2019, 08:24:33 AM
Merited by johnwhitestar (1)
 #2

As far as I know, the receiver can't get tricked assuming:

  • The receiver has had his bitcoin address ready (probably pre-copied address to his notes app, or a screenshotted QR code)
  • The receiver is viewing his bitcoin address through a reputable and untampered app (Mycelium, Electrum, etc.)

Not sure how a 'fake blockchain' can affect the receiver's mobile app, unless the sender asks the receiver to download a wallet of this 'fake blockchain'. And take note that the receiver can verify through block explorers if he actually received the funds in the first place.

Off the top of my head, the only way the sender could trick the receiver is probably through a double spend, or through a phishing site redirection through the wifi's DNS settings if the receiver is going to use a web wallet through a browser (and not a wallet app).

Correct me if I'm wrong of course.

johnwhitestar
November 08, 2019, 08:33:55 AM
 #3

As far as I know, the receiver can't get tricked assuming:

  • The receiver has had his bitcoin address ready (probably pre-copied address to his notes app, or a screenshotted QR code)
  • The receiver is viewing his bitcoin address through a reputable and untampered app (Mycelium, Electrum, etc.)

Not sure how a 'fake blockchain' can affect the receiver's mobile app, unless the sender asks the receiver to download a wallet of this 'fake blockchain'. And take note that the receiver can verify through block explorers if he actually received the funds in the first place.

Off the top of my head, the only way the sender could trick the receiver is probably through a double spend, or through a phishing site redirection through the wifi's DNS settings if the receiver is going to use a web wallet through a browser (and not a wallet app).

Correct me if I'm wrong of course.

I was thinking about the receiver that is using bitcoin-qt wallet.
So if he connects to the forked BTC blockchain he'll download wrong blocks then the sender will send him BTC, a valid transaction on the forked blockchain, and then the receiver will go home, connect to the right blockchain and see the transaction has never occurred.
This is of course not possible with Electrum, but is it possible with the bitcoin-qt wallet, assuming the receiver doesn't check his transaction on any other source while he is still at his host's home?

mk4
November 08, 2019, 08:41:45 AM
Last edit: November 08, 2019, 09:35:29 AM by mjglqw
 #4



So, the receiver's bitcoin-qt wallet syncing the 'forked blockchain' through the sender's wifi? I'm really not sure, but I don't think that's really possible (apparently, it is). But if it is indeed possible, I assume that it would be very difficult to pull off, and the sender probably needs to do some stuff to the receiver's wallet for this to work. But again, I'm not sure.

Very interesting question nonetheless. Let's wait for other replies.

NeuroticFish
November 08, 2019, 08:44:21 AM
 #5

Is this situation technically possible?

The buyer has to check the transaction. It depends a lot on how he does that. I would check a reputable blockchain explorer.

Let's say that the buyer checks in his own wallet.
If he has a full wallet, it may work, but that would mean the buyer comes with his laptop (why would he do that if all he needs for checking is a browser which he already has on the smartphone?)
If he has an SPV (Electrum, Mycelium), I think that there's a possibility he can have a corresponding (fake) server in his own network. But he will have to know what wallet to expect (to prepare the corresponding server), he will have to have his own custom DNS...

Overall I think that, although possible, it's not viable.
The seller has to know too much info about the buyer to have everything right. And quite some skills to get the buyer into that certain situation. And nowadays people just use the mobile data, there are far too many warnings to avoid using 3rd party WiFi.

johnwhitestar
November 08, 2019, 08:49:33 AM
 #6

If he has a full wallet, it may work, but that would mean the buyer comes with his laptop (why would he do that if all he needs for checking is a browser which he already has on the smartphone?)
This is the detail I was missing in my description. Of course he has to come with his laptop.
And of course he doesn't have to check any other thing than his own full wallet.

I'm thinking about this situation in the context of wide BTC adoption. There are places in the world where people don't have that much internet access and where they may feel more sure seeing their BTC on their own laptop. And by the way the full wallet is usually perceived as a better solution than any light wallet, in terms of security.

NeuroticFish
November 08, 2019, 08:51:42 AM
 #7

If he has a full wallet, it may work, but that would mean the buyer comes with his laptop (why would he do that if all he needs for checking is a browser which he already has on the smartphone?)
This is the detail I was missing in my description. Of course he has to come with his laptop or with his mobile wallet that doesn't have internet connection.

I meant that people don't really have a full wallet on a smartphone. On a smartphone they'll have an SPV.

And of course he doesn't have to check any other thing than his own full wallet.

Well, Blockchain.com can be faked even easier, after all, but as I said, he will have to know what (websites, servers, ...) to fake, there are too many options.

johnwhitestar
November 08, 2019, 08:53:50 AM
Last edit: November 08, 2019, 09:04:32 AM by johnwhitestar
 #8

If he has a full wallet, it may work, but that would mean the buyer comes with his laptop (why would he do that if all he needs for checking is a browser which he already has on the smartphone?)
This is the detail I was missing in my description. Of course he has to come with his laptop or with his mobile wallet that doesn't have internet connection.

I meant that people don't really have a full wallet on a smartphone. On a smartphone they'll have an SPV.

True, I edited my above post in the meantime :-)

And of course he doesn't have to check any other thing than his own full wallet.

Well, Blockchain.com can be faked even easier, after all, but as I said, he will have to know what (websites, servers, ...) to fake, there are too many options.
The scammer usually goes by probability. I think at least 90% of the users don't double-check transactions they are seeing on their full wallets.
And in the long run the scammer could create a bunch of fake resources where their victims could double-check their transactions as well.

sureshnsnet
November 08, 2019, 08:58:57 AM
 #9

Yes, there is a chance to generate bitcoin transactions into the bitcoin network that stay unconfirmed for hours before they disappear.

You can use the powerful PXbitcoin Transaction Builder

This software generates a bitcoin transaction and it will stay unconfirmed in the blockchain network for up to a few hours, which you can use to trick anyone.

Now you understand why all exchanges and any other service providers set the need for 6 bitcoin network confirmations.




 


johnwhitestar
November 08, 2019, 09:01:20 AM
 #10

Yes, there is a chance to generate bitcoin transactions into the bitcoin network that stay unconfirmed for hours before they disappear.

You can use the powerful PXbitcoin Transaction Builder

This software generates a bitcoin transaction and it will stay unconfirmed in the blockchain network for up to a few hours, which you can use to trick anyone.

Now you understand why all exchanges and any other service providers set the need for 6 bitcoin network confirmations.
 

I see your point, but I'm afraid it's a bit different.
I'm imagining people tricked into downloading a forked blockchain, so the transaction would have the regular 6 confirmations there.

figmentofmyass
November 08, 2019, 09:09:30 AM
Last edit: November 08, 2019, 05:26:41 PM by figmentofmyass
Merited by mk4 (1), johnwhitestar (1)
 #11

As far as I know, the receiver can't get tricked assuming:

  • The receiver has had his bitcoin address ready (probably pre-copied address to his notes app, or a screenshotted QR code)
  • The receiver is viewing his bitcoin address through a reputable and untampered app (Mycelium, Electrum, etc.)

a sybil attack is theoretically possible. if the sender sets up lots of malicious nodes (or electrum servers), the receiver might connect to them and become separated from the honest network. this opens them up to double spending, de-anonymization, and DOS attacks.
https://en.bitcoin.it/wiki/Weaknesses#Sybil_attack

I was thinking about the receiver that is using bitcoin-qt wallet.
So if he connects to the forked BTC blockchain he'll download wrong blocks then the sender will send him BTC, a valid transaction on the forked blockchain, and then the receiver will go home, connect to the right blockchain and see the transaction has never occurred.

the attack is theoretically possible but extremely unlikely because it requires mining blocks at the current difficulty level.

franky1
November 08, 2019, 09:19:44 AM
Merited by mk4 (1), johnwhitestar (1)
 #12



So, the receiver's bitcoin-qt wallet syncing the 'forked blockchain' through the sender's wifi? I'm really not sure, but I don't think that's really possible. But if it is indeed possible, I assume that it would be very difficult to pull off, and the sender probably needs to do some stuff to the receiver's wallet for this to work. But again, I'm not sure.

Very interesting question nonetheless. Let's wait for other replies.

it is possible
take normal internet. your fullnode can select any node. and have many connections to avoid the risk of a dodgy node sending a dodgy block (that's one of the points/security features). but if the internet is a closed internet where the only available nodes are those of a dodgy block maker. then yes the only block your node gets will be a dodgy block.

however. it's complicated as the block will have to pass the difficulty threshold to pass one of the security checks. (blockhash needs to have a certain amount of 0000's .. which means a lot of hashpower to achieve such. meaning it's expensive to achieve)

so yes it's possible. but not cheap.
.....

where it is definitely possible and practical to do. is the lite wallets that don't involve validating blocks at client/user level where the lite wallet only gets UTXO data which can easily be faked on a closed internet

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
johnwhitestar
November 08, 2019, 09:25:29 AM
 #13

since you are talking about a full node, this attack is impossible. your node will detect invalid blocks. with an SPV wallet, the attack is theoretically possible but extremely unlikely because it requires mining blocks at the current difficulty level.
Thank you very much you've reminded me about the difficulty! :-)

where it is definitely possible and practical to do. is the lite wallets that don't involve validating blocks at client/user level where the lite wallet only gets UTXO data which can easily be faked on a closed internet
So should the attacker be certain his victim only uses a lite wallet he can invite his victim to his home to receive the payment?

And again I'd like to make it clear what the purpose of this question is. People often ask and speak about wide BTC adoption here. But should this issue exist it can be the cause of many scams in places like Africa, for instance, where many people have a mobile phone and also a free internet connection, but only... enabled to use Facebook and WhatsApp. So with a high degree of probability the sender's home wi-fi would be used in the above described transaction.

Asuspawer09
November 08, 2019, 10:34:31 AM
 #14

I've been asking myself this question for a while.
Let's imagine the following situation:
A guy visits another guy to receive a payment in BTC.
He doesn't have a mobile internet connection, so he asks his host to connect to his host's wi-fi.
His host, who we assume for the sake of our inquiry wants to scam his guest, connects him to a fake internet in which the real BTC blockchain was forked in order to fake a transaction that in reality will never happen.
So once the first guy goes back home, he'll see that his payment has disappeared.
Is this situation technically possible?
I think it is possible to do but the guy will notice it eventually of course and you just make it appear that he has received the transaction or make it appear like a legit transaction in the blockchain but not really a hack or sending a fake bitcoin, I think you're going to need to crack the code of the bitcoin to fake a transaction but the method you just said is just making it appear a transaction was made but it was not. By the way transaction in the blockchain could sometimes cancel it happened to be sometimes due to traffic.

johnwhitestar
November 08, 2019, 11:29:12 AM
 #15

however. it's complicated as the block will have to pass the difficulty threshold to pass one of the security checks. (blockhash needs to have a certain amount of 0000's .. which means a lot of hashpower to achieve such. meaning it's expensive to achieve)

so yes it's possible. but not cheap.

And would it be possible for the attacker to fake the hashpower? As he has all the nodes he can modify the bitcoind in order to drop the difficulty and to mine with a CPU, but to communicate to "blockchain" the hashpower multiplied by let's say 10whatever?

And another thought. What if the attacker performs the same attack without inviting his victim to a physical place, just by knowing the victim's IP and isolating from him the right net and offering only connections to the fake nodes?

Quote
where it is definitely possible and practical to do. is the lite wallets that don't involve validating blocks at client/user level where the lite wallet only gets UTXO data which can easily be faked on a closed internet
So should the attacker be certain his victim only uses a lite wallet he can invite his victim to his home to receive the payment?

And again I'd like to make it clear what the purpose of this question is. People often ask and speak about wide BTC adoption here. But should this issue exist it can be the cause of many scams in places like Africa, for instance, where many people have a mobile phone and also a free internet connection, but only... enabled to use Facebook and WhatsApp. So with a high degree of probability the sender's home wi-fi would be used in the above described transaction.
The BTC blockchain is becoming more and more heavy, so more and more people are switching to lite wallets. I don't know whether 10% of people are using a full wallet anymore. Does it mean that this kind of attack is something to consider?

Eugenar
November 08, 2019, 12:54:13 PM
 #16

In the first place, people don't even need to go to the other party's place just to make a payment. The Bitcoin blockchain works in a way that wherever you are, as long as you have an internet connection, you can transfer funds to another account.

Though, faking the BTC blockchain will not be possible. There are articles that state that blockchain can be hacked: https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/. But in this case, it is not the BTC blockchain. What they did to compromise the blockchain is to have a huge hash power authority.

In terms of bitcoin, this hashing power is distributed, which makes it strong enough to be invulnerable to hacking.
franky1
November 08, 2019, 12:57:06 PM
 #17

where it is definitely possible and practical to do. is the lite wallets that don't involve validating blocks at client/user level where the lite wallet only gets UTXO data which can easily be faked on a closed internet
So should the attacker be certain his victim only uses a lite wallet he can invite his victim to his home to receive the payment?

??should an attacker be certain his victim only uses a lite wallet??

well..
most people don't carry around a desktop computer when wanting to use remote/someone else's internet. so usually people are checking via a smart phone by default when they go visit someone's house. so chances that the victim is using a lite wallet being very very high without attacker even having to try

..
secondly. if someone is a noob and doing their first step into bitcoin as an introduction, an attacker can sway the noob which lite wallet to download.
"EG to save you learning all the technobabble just download wallet XXX which is user friendly" most noobs would do it without thinking

thirdly and a good defense for victim. if in your scenario of meeting up with an attacker. the victim has a face, location and other details which authorities can use to catch the attacker. this isn't as much the case in remote private exchanges

this topic doesn't mean that it's super easy for an attacker to do it.. like advertising to scammers a get rich quick and easy.. but it's just stating it's not impossible to achieve and people should at least be wary

it's like debit card cloning. in quiet village/small towns that don't have much police patrols and where ATM's are scarce. the population usually end up using the limited atm's more. and it's stuff like that which card cloners love. secluded location to give them time to insert the card skimmer without being spotted and knowing the footflow (usage) of atm will be high due to lack of competing atm's
hence people should be wary when using an ATM

it's like getting a random phone call from an accented voice saying they are technical support and that you have a virus and need to download their software.. just be wary..

even if chances of being scammed seem low. doesn't mean saying something is impossible to happen should be said, nor should it be said to not be aware of the potential risk even if chances are low

dothebeats
November 08, 2019, 01:07:35 PM
 #18

Possible if the buyer is not really that into bitcoin just yet since the seller could give him a link to a pre-fabricated app displaying wrong information and feed/supply the wrong information. The only real way to avoid this is to not use the seller's hotspot connection. Go to a public place wherein wifi is available and could not easily be tampered with, let the seller scan your address' QR code and pay him/her. Personally I don't really connect to a public network I don't trust but when it comes to such need, I go to Starbucks or anywhere else where wifi is free and use their connection.

DannyHamilton
November 08, 2019, 01:07:47 PM
Last edit: November 08, 2019, 01:40:32 PM by DannyHamilton
Merited by mk4 (1)
 #19

. . . I was thinking about the receiver that is using bitcoin-qt wallet . . .

. . . the full wallet is usually perceived as a better solution than any light wallet, in terms of security . . .

In terms of Bitcoin-Qt wallet, this attack would be VERY expensive.  The attacker would need to have control of nearly as much bitcoin block hashing power as the rest of the world combined if they wanted to provide blocks at a reasonable rate of about one every 10 minutes.  They *might* be able to get away with about one-sixth of the world's hash power if they knew for sure that their victim was only going to wait for 1 confirmation but...

1) The average time for the attacker to create a valid forked block will be an hour (some blocks will take even longer).
2) One sixth of the world's hashpower is still very expensive.
3) The more value you are exchanging, the more confirmations you should wait for, and the more suspicious you should be of unusual circumstances
4) It is going to take nearly an hour to get that 1 confirmation which is a lot of time for the victim to become suspicious and decide to check on things.
5) All that hashpower could have earned real bitcoins by mining on the real blockchain (approximately 12.5 bitcoins per hour).  So, unless the attack is for more than 12.5 bitcoins or is driven by pure vengeance (and not a profit motive), the attacker probably could have earned a lot more money by simply mining instead of attacking.
6) If the attack IS for more than 12.5 BTC... See #3


. . . So should the attacker be certain his victim only uses a lite wallet he can invite his victim to his home to receive the payment? . . .

You are changing the rules here.  You said that you were thinking about Bitcoin-Qt BECAUSE it is usually perceived as a better solution than any light wallet.  Now you are saying that the victim is going to use a worse solution?

If the user is willing to use any system that requires some amount of trust (Lite wallet, hosted wallet, blockchain explorer, paypal, credit card, paper check from a bank account, etc), then it will always be possible to take advantage of that trust with enough effort. The more trust that is needed the easier it will be to take advantage of that trust.

And would it be possible for the attacker to fake the hashpower? As he has all the nodes he can modify the bitcoind in order to drop the difficulty and to mine with a CPU, but to communicate to "blockchain" the hashpower multiplied by let's say 10whatever?

No.  Bitcoin-Qt doesn't care how much hash power you have.  It just cares if you were able to provide a valid hash. On average it requires a LOT of attempts before you stumble across a valid hash.  If you don't actually have enough hash power, then it is going to take you a very long time to try enough attempts to stumble across a valid hash.  At the current difficulty, it requires generating (on average) approximately 46,800,000,000,000,000,000,000 hashes before stumbling on a valid hash. Without a lot of hashpower, it is going to take a long time to generate that many hashes.

It isn't going to be enough to "modify the bitcoind".  The attacker doesn't get to choose the valid difficulty.  The victim's Bitcoin-Qt calculates the difficulty itself (it does not trust the difficulty that it hears from other nodes).  It does this by looking at the amount of time it took to calculate the previous 2,016 blocks (approximately 2 weeks of blocks), and the difficulty that those blocks were calculated at. The attacker would need to modify the victim's Bitcoin-Qt if he wanted to change the difficulty value that the victim's software would accept.

There is no hashpower "communicated to the blockchain".  There is only a hash that is either valid (below the current difficulty threshold) or isn't valid (is above the current difficulty threshold).  Since the victim's Bitcoin-Qt gets to set that difficulty threshold itself, either the attacker generated enough hashes to stumble across blocks with a low enough hash, or they didn't generate enough and haven't yet found blocks with a low enough hash.

And another thought. What if the attacker performs the same attack without inviting his victim to a physical place, just by knowing the victim's IP and isolating from him the right net and offering only connections to the fake nodes?

Place has nothing to do with the attack you are trying to describe.  The point of your described attack is simply that the victim is isolated from other Bitcoin nodes and is forced to communicate with nodes that the attacker controls.  There may be MANY different ways to accomplish this, but in the end it isn't likely to be a profitable attack unless you have a VERY VERY gullible victim.
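
The full-node checks described in post #19, as an added example (not part of the thread and not Bitcoin Core's own code): the node works out the required difficulty itself, rejects a header that claims a different one, and rejects a hash above the target. Function names and the forged header are constructed for illustration; the genesis header fields are the real mainnet values, and the required bits and timespan are passed in rather than derived from a stored chain.

```python
import hashlib
import struct

POW_LIMIT_BITS = 0x1d00ffff            # easiest target mainnet permits
TARGET_TIMESPAN = 14 * 24 * 60 * 60    # 2,016 blocks at 10 minutes = two weeks

def bits_to_target(bits):
    """Decode the compact 'bits' header field into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007fffff
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def target_to_bits(target):
    """Encode a target in compact form, keeping the mantissa's top bit clear."""
    size = (target.bit_length() + 7) // 8
    mantissa = target << (8 * (3 - size)) if size <= 3 else target >> (8 * (size - 3))
    if mantissa & 0x800000:
        mantissa >>= 8
        size += 1
    return (size << 24) | mantissa

def next_bits(old_bits, actual_timespan):
    """Retarget: scale the old target by the time the last 2,016 blocks took,
    clamped to a factor of 4 either way and capped at the easiest target."""
    span = min(max(actual_timespan, TARGET_TIMESPAN // 4), TARGET_TIMESPAN * 4)
    new_target = bits_to_target(old_bits) * span // TARGET_TIMESPAN
    return target_to_bits(min(new_target, bits_to_target(POW_LIMIT_BITS)))

def expected_hashes(bits):
    """Average number of hashes tried before one lands at or below the target."""
    return (1 << 256) // (bits_to_target(bits) + 1)

def build_header(version, prev_hash, merkle_root, timestamp, bits, nonce):
    """Serialize the 80-byte block header (hash fields in internal byte order)."""
    return struct.pack("<I32s32sIII", version, prev_hash, merkle_root,
                       timestamp, bits, nonce)

def header_hash(header):
    """Double SHA-256 of the header, read as a little-endian integer."""
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")

def check_pow(header, required_bits):
    """Proof-of-work check as the receiving node applies it. required_bits is
    what the node computed from its own chain, never what a peer announced."""
    if len(header) != 80:
        return "reject: malformed header"
    claimed_bits = struct.unpack_from("<I", header, 72)[0]
    if claimed_bits != required_bits:
        return "reject: wrong difficulty"
    if header_hash(header) > bits_to_target(required_bits):
        return "reject: hash above target"
    return "accept"

def genesis_header():
    """The real mainnet genesis block header."""
    merkle = bytes.fromhex(
        "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b")[::-1]
    return build_header(1, bytes(32), merkle, 1231006505, 0x1d00ffff, 2083236893)

def cpu_mine(prev_hash, easy_bits):
    """Constructed stand-in for a node patched to accept a trivial difficulty:
    search nonces until the hash meets easy_bits (takes a handful of tries)."""
    target = bits_to_target(easy_bits)
    for nonce in range(1 << 32):
        header = build_header(1, prev_hash, bytes(32), 1573200000, easy_bits, nonce)
        if header_hash(header) <= target:
            return header
    raise RuntimeError("no nonce found")

def demo():
    required = POW_LIMIT_BITS                     # what the victim's node computed
    genesis = genesis_header()
    prev = header_hash(genesis).to_bytes(32, "little")
    forged = cpu_mine(prev, 0x207fffff)           # block mined at a lowered difficulty
    # Same block, but with the bits field rewritten to the value the victim expects.
    relabeled = forged[:72] + struct.pack("<I", required) + forged[76:]
    return {
        "genesis": check_pow(genesis, required),
        "forged, checked by the patched node": check_pow(forged, 0x207fffff),
        "forged, checked by the victim": check_pow(forged, required),
        "forged, bits relabeled": check_pow(relabeled, required),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    print("avg hashes at genesis difficulty:", expected_hashes(POW_LIMIT_BITS))
```
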
johnwhitestar
November 08, 2019, 01:29:42 PM
Last edit: November 08, 2019, 01:49:00 PM by johnwhitestar
 #20

well..
most people don't carry around a desktop computer when wanting to use remote/someone else's internet. so usually people are checking via a smart phone by default when they go visit someone's house. so chances that the victim is using a lite wallet being very very high without attacker even having to try
Agreed. :-)

. . . So should the attacker be certain his victim only uses a lite wallet he can invite his victim to his home to receive the payment? . . .

You are changing the rules here.  You said that you were thinking about Bitcoin-Qt BECAUSE it is usually perceived as a better solution than any light wallet.  Now you are saying that the victim is going to use a worse solution?

This post is a kind of work in progress: the more info I get that makes me change my mind, the more the "rules" are changed. I'm not after imposing my opinion, just to see whether there is an issue or not. So I "changed my rules" because of the previous post. But thank you for many valid points explained.

And another thought. What if the attacker performs the same attack without inviting his victim to a physical place, just by knowing the victim's IP and isolating from him the right net and offering only connections to the fake nodes?

Place has nothing to do with the attack you are trying to describe.  The point of your described attack is simply that the victim is isolated from other Bitcoin nodes and is forced to communicate with nodes that the attacker controls.  There may be MANY different ways to accomplish this, but in the end it isn't likely to be a profitable attack unless you have a VERY VERY gullible victim.

That's right. It has nothing to do with the place; what I described in the OP is only a specific case of a more general kind of attack. But putting the attack into the context of receiving a visitor gives the attacker the possibility to receive something "after he paid" and then disappear or just wash his hands as the victim has actually seen his BTC on his wallet, while on the Internet it's more difficult.

Seems like performing this kind of attack against a lite wallet is much easier, right?
