How exactly would a 51% attack work?

[barbarousrelic]

Let's say a person drops a few million bucks and now has 51% of the network hashing power, and he wants to run the 51% attack we hear so much about. What does he do?

My understanding is that he makes a payment to a person for goods, receive the goods, and then quickly make a second payment to an address he owns. If he happens to mine the next block (which he will with 51% probability), he includes the payment to his own address in the block but not the payment to the person who he received goods from. Then what? Will all further blocks reflect that the first transaction to the defrauded person never happened and the second transaction did happen?

The problem I have with my understanding of this is that there is only marginal benefit to having 51% of the network - having 51% of the network only allows you to double spend 51% of the time. But if you had 40% of the network, you would be able to double spend 40% of the time, which is still a pretty serious problem. There's nothing really special about getting 51%, right?

Is my understanding of this wrong? Thanks.

[1713868638]

1713868638

[BTCurious]

Your understanding is close.
If I had 51%, I could mine a chain of blocks in which I transfer all my coins to my personal wallet. I'd mine this chain about 10 long, but not tell the rest of the network. At the same time, I convert all my coins to dollars on the exchange and withdraw them. This happens on the normal blockchain.

After my withdrawal has gone through. the normal blockchain is about 9 long, while my blockchain is 10 long. I announce all my blocks to the network, and lo and behold, the network confirms I am right.

But dollars can't be reverted! So the exchange takes a loss.


Instead of the exchange, I could do this with buying anything for bitcoins. If this happens a few times, it will probably kill bitcoin, or at least hurt the trust in the system severely.

[barbarousrelic]

Your understanding is close.
If I had 51%, I could mine a chain of blocks in which I transfer all my coins to my personal wallet. I'd mine this chain about 10 long, but not tell the rest of the network. At the same time, I convert all my coins to dollars on the exchange and withdraw them. This happens on the normal blockchain.

After my withdrawal has gone through. the normal blockchain is about 9 long, while my blockchain is 10 long. I announce all my blocks to the network, and lo and behold, the network confirms I am right.

But dollars can't be reverted! So the exchange takes a loss.


Instead of the exchange, I could do this with buying anything for bitcoins. If this happens a few times, it will probably kill bitcoin, or at least hurt the trust in the system severely.

Ahh, I see. So 51% is the magic number because that's the point at which a person can make alternative blocks faster than the rest of the network combined, and then spring the alternative, longer blockchain on everybody all at once, later on, where it replaces the blocks everyone thought were already finalized and settled.

Thank you!

[Meni Rosenfeld]

Your understanding is close.
If I had 51%, I could mine a chain of blocks in which I transfer all my coins to my personal wallet. I'd mine this chain about 10 long, but not tell the rest of the network. At the same time, I convert all my coins to dollars on the exchange and withdraw them. This happens on the normal blockchain.

After my withdrawal has gone through. the normal blockchain is about 9 long, while my blockchain is 10 long. I announce all my blocks to the network, and lo and behold, the network confirms I am right.

But dollars can't be reverted! So the exchange takes a loss.


Instead of the exchange, I could do this with buying anything for bitcoins. If this happens a few times, it will probably kill bitcoin, or at least hurt the trust in the system severely.

Ahh, I see. So 51% is the magic number because that's the point at which a person can make alternative blocks faster than the rest of the network combined, and then spring the alternative, longer blockchain on everybody all at once, later on, where it replaces the blocks everyone thought were already finalized and settled.

Thank you!

Exactly. Satoshi's original paper contains calculations for how many blocks the recipient has to wait to keep the chance of succeeding in double-spending at a given level (say 0.1%), as a function of the attacker's hashrate. At >50% hashrate the number of blocks if infinite - no matter how many blocks are waited, the attacker has 100% chance to eventually have the longer chain.

This attack isn't the only thing you can do with high hashrate, though.

[bulanula]

Your understanding is close.
If I had 51%, I could mine a chain of blocks in which I transfer all my coins to my personal wallet. I'd mine this chain about 10 long, but not tell the rest of the network. At the same time, I convert all my coins to dollars on the exchange and withdraw them. This happens on the normal blockchain.

After my withdrawal has gone through. the normal blockchain is about 9 long, while my blockchain is 10 long. I announce all my blocks to the network, and lo and behold, the network confirms I am right.

But dollars can't be reverted! So the exchange takes a loss.


Instead of the exchange, I could do this with buying anything for bitcoins. If this happens a few times, it will probably kill bitcoin, or at least hurt the trust in the system severely.

Ahh, I see. So 51% is the magic number because that's the point at which a person can make alternative blocks faster than the rest of the network combined, and then spring the alternative, longer blockchain on everybody all at once, later on, where it replaces the blocks everyone thought were already finalized and settled.

Thank you!

Exactly. Satoshi's original paper contains calculations for how many blocks the recipient has to wait to keep the chance of succeeding in double-spending at a given level (say 0.1%), as a function of the attacker's hashrate. At >50% hashrate the number of blocks if infinite - no matter how many blocks are waited, the attacker has 100% chance to eventually have the longer chain.

This attack isn't the only thing you can do with high hashrate, though.

What else can you do ? Please share. Thank you !

[BTCurious]

If you have a lower percentage but still reasonable, like 40% or something, you can do a Finney attack.
I can't think since I'm listening to the bitcoin interview, but have a look here: https://bitcointalk.org/index.php?topic=3441.msg48384#msg48384

[sadpandatech]

Ahh, I see. So 51% is the magic number because that's the point at which a person can make alternative blocks faster than the rest of the network combined, and then spring the alternative, longer blockchain on everybody all at once, later on, where it replaces the blocks everyone thought were already finalized and settled.

Thank you!

Exactly. Satoshi's original paper contains calculations for how many blocks the recipient has to wait to keep the chance of succeeding in double-spending at a given level (say 0.1%), as a function of the attacker's hashrate. At >50% hashrate the number of blocks if infinite - no matter how many blocks are waited, the attacker has 100% chance to eventually have the longer chain.

This attack isn't the only thing you can do with high hashrate, though.

  The key thing to note in Meni's explanation is 'eventually'. Due to variation it would be quite possible that the attacker might not find more blocks than the 49% for days or weeks even.. There is a HUGE amount of luck involved on the attackers end if they are to be successful. Plus the attacker would have to ensure he actually had complete control of the daemon that was keeping tabs on his attack blocks. A pool in itself over 50% means nothing unless it can be hacked and controlled completely or the OP was in on it. In the case of most pools they would lose more than they would stand to gain from what would certainly only be allowed to happen once.

  That being said, we are seeing more spread of hashing power these days and there are projects in the works that will help to maintain a high overall network hashrate, detering 'lone' 51% wolves from gaining enough to beat the entire network on their own.

[pointbiz]

I think there are many misunderstandings about a 51% attack. There isn't much you stand to gain by using 51% of the hashing power to double spend. Let me explain...

There can only be one entity at a time who is in a position to do a 51% attack. It's not like everyone you transact with is suddenly going to burn you with a double spend. All the honest miners will focus their efforts on identifying who this 51% attacker is and not doing trades with them. Once it's known the network is under a 51% attack, the honest nodes will quickly start blacklisting addresses that performed double spends and limit the attackers ability to spend his coins. He would essentially be destroying all his coins.

[jjiimm_64]

I think the most important thing about a 51% attack is not what the entity will do with a new block chain...  it is only the fact that it happened and the bitcoin network will crumble! unfortunately.

[Meni Rosenfeld]

This attack isn't the only thing you can do with high hashrate, though.

What else can you do ? Please share. Thank you !

You can reject all blocks which do not belong to you, to make sure you get 100% of the block reward rather than your hashrate proportion.

You can reject all blocks which do not belong to you and not include any transactions in your own blocks, to prevent any transaction from being confirmed.

I think there are many misunderstandings about a 51% attack. There isn't much you stand to gain by using 51% of the hashing power to double spend. Let me explain...

There can only be one entity at a time who is in a position to do a 51% attack. It's not like everyone you transact with is suddenly going to burn you with a double spend. All the honest miners will focus their efforts on identifying who this 51% attacker is and not doing trades with them. Once it's known the network is under a 51% attack, the honest nodes will quickly start blacklisting addresses that performed double spends and limit the attackers ability to spend his coins. He would essentially be destroying all his coins.

Identifying addresses involved in double spending isn't trivial, especially if you consider that future advanced transaction schemes could make use of legitimately superseding one transaction by another.

Even if you could detect them, I for one disagree with the idea to blacklist addresses. And my own disagreement is indicative of the fact that it will be very difficult, if at all possible, to obtain consensus to do this, and even if so, the client software isn't set up for this and a lot of work would be required to enable this feature. Also, for this to work the entire network needs to agree which addresses are blacklisted which is also difficult, so you're guaranteed to have chaos.

The main misunderstanding is to think that the only reason to carry out a hashrate attack is to profit from a double-spend. More likely a hashrate attack will be carried out by someone who wants to destroy Bitcoin, or at least to profit from short-selling bitcoins. Generally, mechanisms to protect against profitable double spending will amplify the chaos that ensues during such an attack, making us more vulnerable to a malicious attack.

Also, once this starts happening the bitcoin rate will probably drop, and depending on the attack miners will have their blocks rejected so it won't be profitable. Miners will quit and then it will be even easier to continue the hashrate attack. And since the difficulty targeting algorithm doesn't handle sudden drops in hashrate well we have a whole new set of problems.

This is a problem which hasn't been solved yet. It is probably solvable, and I've written occasionally on some pieces of what I think the solution will be. And I'm sure you could respond with some additional protection mechanisms. But these all have their own pros and cons, and need to be carefully considered, agreed upon and implemented. We need to prepare in advance for the contingency of a hashrate attack. Otherwise the chaos of the event could radically shake the faith in Bitcoin.

[DeathAndTaxes]

I think there are many misunderstandings about a 51% attack. There isn't much you stand to gain by using 51% of the hashing power to double spend. Let me explain...

There can only be one entity at a time who is in a position to do a 51% attack. It's not like everyone you transact with is suddenly going to burn you with a double spend. All the honest miners will focus their efforts on identifying who this 51% attacker is and not doing trades with them. Once it's known the network is under a 51% attack, the honest nodes will quickly start blacklisting addresses that performed double spends and limit the attackers ability to spend his coins. He would essentially be destroying all his coins.

1) You won't have any warning a 51% attack is in progress until after the fact.  The attacker will build an "attack chain" in private.  With 51% of the hashing power it is a mathematical certainty that eventually his chain will be longer than the legit chain at which point he publishes it and it rewrites the prior transaction.

2) Even if you did blacklist an address it is unlikely the entire mining community would do so by unanimously.  If there was a "blacklisted" address involved in a transaction with a 5% fee you honestly think no miner or mining pool would every accept that from now till the end of time?

3) Preventing blacklisting would be trivial.  You simply make sure the address never has more than the double spend.  i.e  I have address X w/ 10K BTC.  I double spend it via two transactions A (involving 10K BTC) and B (involving 10K BTC).  After the double spend is complete address X has a value of 0 BTC.  Given you can generate an infinite number of addresses for free what value is there is blacklisting an 0 value address?

The main misunderstanding is to think that the only reason to carry out a hashrate attack is to profit from a double-spend. More likely a hashrate attack will be carried out by someone who wants to destroy Bitcoin, or at least to profit from short-selling bitcoins. Generally, mechanisms to protect against profitable double spending will amplify the chaos that ensues during such an attack, making us more vulnerable to a malicious attack.

Also, once this starts happening the bitcoin rate will probably drop, and depending on the attack miners will have their blocks rejected so it won't be profitable. Miners will quit and then it will be even easier to continue the hashrate attack. And since the difficulty targeting algorithm doesn't handle sudden drops in hashrate well we have a whole new set of problems.

I believe this is the most likely.  The huge cost of amassing that much hashing power means it would likely always be more profitable to use that hashing power for "good".  Getting away w/ double spend would be difficult because any shipped products (or transfered fiat) can be traced.  Even if the double spend could go untracable there is going to be meatspace trails. 

So IMHO the only reason to 51% the network is to kill it.  A currency has value only if its value can be trusted.  Bitcoins which can disappear at the will of an attacker have no value.  The collapsing price, falling hashrate, and reluctance of merchants to accept them after a 51% attack will kill Bitcoin.

[AngelusWebDesign]

Let's say a person drops a few million bucks and now has 51% of the network hashing power, and he wants to run the 51% attack we hear so much about. What does he do?

I object to the idea that a "few million bucks" would place a person in control of mining capacity large enough to be 51% of the network.
Between video cards, computer hardware, networking equipment, furniture (server racks, etc.), cooling, OFFICE SPACE, labor, advertising to get that much labor, electricity, etc. it would have to be quite a chunk of change. A few million probably wouldn't do it.

Just take one of the items, "labor" for example -- we're not talking the kind of labor you can pick up outside Home Depot    PC techs make more than minimum wage, and the guy who can design and manage something of that scale (layout, cooling, connectivity, Linux expertise, etc.) is certainly going to make more than $10/hour.

That's my point -- the Bitcoin network is HUGE at this point, and to get 51% would take an operation of insane magnitude.

Besides, when NewEgg and everyone else is all the sudden "sold out" of 6XXX series cards, many Bitcoin advocates and miners would know something is up

[DeathAndTaxes]

I object to the idea that a "few million bucks" would place a person in control of mining capacity large enough to be 51% of the network.
Between video cards, computer hardware, cooling, OFFICE SPACE, labor, advertising to get that much labor, electricity, etc. it would have to be quite a chunk of change. A few million probably wouldn't do it.

In another thread I estimated that it would be ~$2M per TH with COTS when you consider labor, electricity (including mains upgrades), warehouse space, racking, cooling, and administration.

However I personally believe the network is too large to be sustainable at this point.  In the medium term I expect hashing power of the network to continue to decline as there is insufficient real transaction volume to warrant the current network size.

[Meni Rosenfeld]

In the medium term I expect hashing power of the network to continue to decline as there is insufficient real transaction volume to warrant the current network size.

Well, currently mining is subsidized by generation. But once that's over it's not at all obvious that the network hashrate (scaled to hardware advances) will be as high as it is now even if Bitcoin is successful, and the incentives of trillion-dollar entities to attack it become ever greater.

[DeathAndTaxes]

In the medium term I expect hashing power of the network to continue to decline as there is insufficient real transaction volume to warrant the current network size.

Well, currently mining is subsidized by generation. But once that's over it's not at all obvious that the network hashrate (scaled to hardware advances) will be as high as it is now even if Bitcoin is successful, and the incentives of trillion-dollar entities to attack it become ever greater.

Subsiziding doesn't remove the cost it merely obfuscates it. That cost is felt in inflationary pressure.  If the economy only needs 1000 new BTC daily to satisfy growing demand (due to rising economic activity) and achieve stable prices, but instead generates 7200 via mining then the price of BTC relative to fiat will fall.   Another way to look at it is 7200 BTC daily reward @ $3 is a ~$20K daily expansion to the money supply.  If that expansion is unwarranted then price will fall.

So users of Bitcoin either pay the cost of the network (massively outsized compared to necessity) via direct cost (say a 8% transaction fee looking at volume vs hashing power) or they pay it indirectly via inflationary pressure on their currency.

Subsidy or not the cost is real.  At this point there is no economic demand for an 8TH network.  Maybe not even enough for a 1 TH network.  The current network (at a guesstimate of 2MH/W, $0.10 per kWh and $1 per MH capital cost) consumes nearly $10,000 daily in electrical power and burns through another $1000 in depreciating hardware).  That simply isn't sustainable given the tiny amount of economic activity actually occurring.  

[btc_artist]

Let's say a person drops a few million bucks and now has 51% of the network hashing power,

From what I understand, it would take way more than a few million bucks to have more than 50% of the network hashing power.

[notme]

The blockchain should have checkpoints every X blocks to limit the time the attacker has to act.  Then if you wait 2x blocks you should be pretty safe.  Blocks 1 to x are checkpointed by block x+1, which itself will be checkpointed by block 2x+1.

[sadpandatech]

Let's say a person drops a few million bucks and now has 51% of the network hashing power,

From what I understand, it would take way more than a few million bucks to have more than 50% of the network hashing power.

  Not that I would, but I was bored and calculated it out using existing tech, cost of  space, servers, etc. And, I could do it for ~1.28mil per TH..... That's just cost, and has 0 to do with the value of that space, hardware, etc if used for something else. It simply is to state it CAN be done at that price and not how feasible it is or isn't...

[pointbiz]

The blockchain should have checkpoints every X blocks to limit the time the attacker has to act.  Then if you wait 2x blocks you should be pretty safe.  Blocks 1 to x are checkpointed by block x+1, which itself will be checkpointed by block 2x+1.

I think the bitcoin client already does this.

[notme]

The blockchain should have checkpoints every X blocks to limit the time the attacker has to act.  Then if you wait 2x blocks you should be pretty safe.  Blocks 1 to x are checkpointed by block x+1, which itself will be checkpointed by block 2x+1.

I think the bitcoin client already does this.

There are manual checkpoints hardcoded with each release.  I'm proposing a much higher frequency of checkpoints.