Cost to perform a 51% attack on the BTC blockchain?

[Abiky]

https://www.crypto51.app/

If any of you are too lazy to click :  $468.961 / h (would have assumed a higher number tbh)

The price can be calculated in many ways. The way they do it is

Using the prices NiceHash lists for different algorithms we are able to calculate how much it would cost to rent enough hashing power to match the current network hashing power for an hour

But also mention that it's purely theoretical at least un BTC case. BCH is another discussion )

A very useful site. Thanks, mate. At least, we have an estimation of how much money it would take the attacker to perform a 51% attack. The results are not accurate, so they may vary according to the network's hashrate over time. One thing for sure is that some BCH miners have migrated to the BTC blockchain. This should make Bitcoin Cash weaker against a 51% attack, while strengthening the original Bitcoin (BTC). I believe this is temporary as a result of BCH's halving event. Once Bitcoin (BTC) halves on May, those same BCH miners that migrated to BTC could go back to supporting their chain. If that doesn't happen, then Bitcoin Cash would be at risk. As a last resort, developers could make use of merged mining or fork to a new PoW algorithm to strengthen the underlying blockchain network.

At least, it's nearly impossible to attack the BTC blockchain because of how expensive it is to do so. Not even governments will be able to afford such costs. I hope that the BTC blockchain continues to grow in hashrate so that it would become a truly unstoppable form of money for the whole world to enjoy.

Hmmm. I think you can look at it a number of ways.. If you actually plan on buying all your machines, a simplified version would be something like

 number of miners = ( total network hashpower ) / hash power per miner
 number of miners * price per miner = $$$$$$


If you rent them, i guess it could be significantly cheaper.

Nicehash offers 1PH/s on the bitcoin chain for ~ 0.0168BTC

Bitcoin sees ~ 120 exahash. https://www.blockchain.com/charts/hash-rate
 = 120000 pentahash (?)

120000*0.168 = ~141.120.000 $ (For, lets say - a month?) to get 51% hashing power (this doesn't seem that expensive.)

Although they obviously don't have that much mining power for rent (I see nicehash only has ~ 180 PH).

Purely theorethically speaking (if we forget about the practicalities of renting 120 ph worth of hashing equipment/however many hashes/s a chain has, (let alone buying it, in which case i highly doubt it would be profitable.)) i could see a number of scenario's where it could definitely be profitable to do a 51% attack.

Interesting. Calculating the cost of a 51% attack looks somewhat complicated, but at least there are sites and apps available which makes your life easier. Considering current estimates, it would take the attacker a hefty sum of money to attack the BTC blockchain. No one could afford doing a 51% attack on Bitcoin, unless it's a company that produces mining hardware. In this case, Bitmain has a greater chance of attacking the BTC blockchain than anyone else as it dominates a large portion of Bitcoin's hashrate. Up to this date, Bitmain hasn't become a threat to Bitcoin's PoW consensus, but it could sometime in the future.

Anyone can easily rent miners on Nicehash to perform a 51% attack on smaller blockchain networks. You don't need to setup mining equipment or incur in energy costs. Just paying the rent for "x" amount of hashrate, could allow anyone to attack a PoW blockchain if he/she has the capital to do so. But I believe that the attacker's efforts will be in vain, as more money will be lost than what it is gained.

I wonder if hybrid PoW + PoS blockchain networks are much more expensive to perform a 51% attack? After all, the attacker would need to control 51% of mining hashrate and 51% of the coin's supply (if I'm not mistaken). Bitcoin devs could decide to implement this in the future if the community allows it. As long as Bitcoin has an immense hashrate backing it, nothing should go wrong. The one's that need to be concerned are Bitcoin Cash and Bitcoin SV supporters + developers. Miners from those chains could migrate to Bitcoin itself, making them completely vulnerable against a 51% attack. But I believe that the damage done will be minimal since "nobody" uses those chains nowadays.

OP,
Firstly you should understand that a 51% attack has two different class of costs:
1) Fixed cost: It includes infrastructure and the machines. Essentially, it doesn't matter whether the attacker could be able lease such facilities the fixed cost would be reasonably the same.

2) Variable cost: It is mainly the electricity cost.

Nicehash sells both sha256 and Ethash power online but both for Ethereum and bitcoin, the available volume is far less than anything potentially helping a 51% attacker.

...

A well thought-out and detailed explanation. This basically summarizes how to calculate the costs to perform a 51% attack on any PoW blockchain. Considering that hashrate volume is low on Nicehash, the attacker would simply need to own mining hardware to attack a PoW blockchain of his desire. The energy consumption and hardware costs, would make it unfeasible to disrupt a large blockchain network like Bitcoin or Ethereum. That's the beauty of decentralization/censorship-resistance. As long as Bitcoin maintains astronomical levels of hashrate, not even governments will be able to stop it. Of course, Bitmain already controls more than 51% of the BTC hashrate, but the fact that it's more profitable to support the BTC blockchain greatly defeats the purpose of an attack of such degree. The real deal will be with smaller blockchain networks that are relatively inexpensive to attack. But developers could easily rely on other solutions to mitigate security risks.

As long as Bitcoin is alive and running, nothing else matters

[d5000]

I wonder if hybrid PoW + PoS blockchain networks are much more expensive to perform a 51% attack? After all, the attacker would need to control 51% of mining hashrate and 51% of the coin's supply (if I'm not mistaken).

In PoW + PoS coins, he doesn't need 51% of the supply. It depends on the exact algorithm, but he has to control 50% of the coins that are actively staking. This is almost never 100% of the supply and can be a different value each block, or also each "epoch" like in some newer algorithms.

The problem is that due to the Nothing-at-stake problem an attacker could fool nodes into a fake chain. It is a difficult and impractical attack (it has been carried out afaik only once in a very weak coin) but it could lower the amount of the supply he needs to attack the PoS "part" of the algorithm. The problem, however, is that it's currently not known how much he could lower the attack cost with a sophisticated attack. (This is also, basically, why many people consider PoS insecure).

Nevertheless the PoS part of the security is "free". So even if the attack cost is increased by PoS (in a PoW/PoS algorithm) only by 10%, it is still an additional cost. So PoS could add security without needing extra hashrate. For example, one could imagine a hybrid coin where only one out of 6 blocks is a PoS block. Those not having confidence in PoS can then simply wait for one more confirmation when they receive a payment and the first confirmation is a PoS block. But a miner carrying out a 51% attack has to ensure that he gets the PoS majority in at least one block if all users wait for 6 confirmations (this is of course simplified, but I think it's understandable).

PS: You may get very different answers here (that PoS does "not work at all" or even is "dangerous") but what I wrote is the conclusion I got after having followed several PoS currencies and reading a lot about the Nothing at stake problem (from PoS supporters and PoS detractors) since 2013. I consider the Nothing at stake problem severe, and I think a PoS-only currency is risky, but a combination with PoW may work.

[Chlotide]

I remember reading a while back about fake-stake attacks.
This applied to a few POS coins, not a general rule.
https://medium.com/@dsl_uiuc/fake-stake-attacks-on-chain-based-proof-of-stake-cryptocurrencies-b8b05723f806
Some guys managed to stake a very small amount or nothing at all and feed nodes a big amount of bogus data and filled up the hdd/ram and made them crash. Less nodes... more stake power for them.
It was responsably disclosed in 2018 but still a weird ass attack vector imo.

[Wind_FURY]

I wonder if hybrid PoW + PoS blockchain networks are much more expensive to perform a 51% attack? After all, the attacker would need to control 51% of mining hashrate and 51% of the coin's supply (if I'm not mistaken).

The problem is that due to the Nothing-at-stake problem an attacker could fool nodes into a fake chain. It is a difficult and impractical attack (it has been carried out afaik only once in a very weak coin) but it could lower the amount of the supply he needs to attack the PoS "part" of the algorithm. The problem, however, is that it's currently not known how much he could lower the attack cost with a sophisticated attack. (This is also, basically, why many people consider PoS insecure).

Nevermind "fooling". You won't lose anything from behaving dishonestly in POS. You can sign each, and every fork. It's actually better for you, because it won't cost you anything.

[aliashraf]

After going through everything I've some open questions in my mind:

Lease Cost,                        LC = P0 * IR *WT* 1.17
Partial Compensation,           PC = 0.2*P0 *IR *WT

Net Attack Cost, NAC= LC-PC    =  P0 * IR *WT * 0.93

Where are these numbers 1.17, 0.2 and 0.93 coming from?

In the same post I've described it:

Now we need to make some assumptions about D, TF, Pa:
Let's suppose XCoin drops 80% after the exploit and the attacker chooses to set D at 10% of the network hash power and TF, normally adds another 5% to miners' income. While miners' profit expectation could be reasonably estimated at 10%,  i.e. a customer with legitimate incentives expects 10% profit when he or she leases a specific amount of hash power.

Try replacing the assumed parameters.
We need such assumptions to do something meaningful about the problem.

[aliashraf]

Antonoupoulos explains it best as usual: https://www.youtube.com/watch?v=ncPyMUfNyVM

I don't think it is a thorough analysis, it is not supposed to be anyway. Actually, there is a hole in his argument: The audience is questioning the feasibility of a hypothetical government attack against bitcoin seemingly with a political incentive yet Antonopoulos mistakenly is using the rational behavior assumption which is not adequate. To be clear: Bitcoin is not safe and secure against multibillion-dollar, (in its economic sense) irrational aggression of governments, it is not designed to be.

Bitcoin was designed not to trust each other, plus under the assumption that THERE ARE bad-actors, and that's why, don't trust, and verify everything yourself by running a full node.

And you are wrong! As usual  

First: "Bad-actors" are not "irrational actors". A greedy selfish person, who is by no means an altruist and is ready to steal people's funds or defraud them, finds himself ways more comfortable to follow rules instead of trying to defraud people (who are careful enough to wait for enough confirmations) by running a costly 51% attack.
It is how bitcoin is designed and what bitcoin is designed for.
But once an irrational person with unlimited resources shows up, decided to ruin a PoW coin by running a 51% attack for long periods of time, he or she will succeed to ruin the coin and his interests simultaneously and there is absolutely nothing bitcoin can do to avoid it. It is not designed for "the crazy man" game.


Second: Full nodes have nothing to do with 51% attack. A full node would never become aware of such an attack, let alone resisting it.

[d5000]

Nevermind "fooling". You won't lose anything from behaving dishonestly in POS. You can sign each, and every fork. It's actually better for you, because it won't cost you anything.

You're referring to multi-fork staking. However, this is only a problem in cryptocurrencies which have a fixed staking block reward and/or high transaction fees. The problem has been recognized as early as the creation of Peercoin by not allowing that and to set a block reward proportional to coin-age, and to burn transaction fees. In these setups, you win nothing if you stake on multiple forks - and even if there was a minimal profit, e.g. from extra transaction fees, what Vitalik Buterin describes as "altruism-prime" (you play by the rules because it lowers the risk of an attack which would affect you too) would be probably much stronger.

It's a much bigger problem that you can easily fool nodes which are re-connecting to the network after an absence, which is why I consider PoS-only coins risky. However, in a setup like the one I described, with 1 PoS block each 6 PoW blocks, this would only be exploitable if people accepted 1-confirmation transactions for amounts big enough to justify the hassle of an attack. Thus, in this case, I would consider that a low amount of PoS blocks can add security to a PoW-only chain.

[Wind_FURY]

Antonoupoulos explains it best as usual: https://www.youtube.com/watch?v=ncPyMUfNyVM

I don't think it is a thorough analysis, it is not supposed to be anyway. Actually, there is a hole in his argument: The audience is questioning the feasibility of a hypothetical government attack against bitcoin seemingly with a political incentive yet Antonopoulos mistakenly is using the rational behavior assumption which is not adequate. To be clear: Bitcoin is not safe and secure against multibillion-dollar, (in its economic sense) irrational aggression of governments, it is not designed to be.

Bitcoin was designed not to trust each other, plus under the assumption that THERE ARE bad-actors, and that's why, don't trust, and verify everything yourself by running a full node.

And you are wrong! As usual  

Yet, you haven't showed that you understood how the network actually works.

First: "Bad-actors" are not "irrational actors". A greedy selfish person, who is by no means an altruist and is ready to steal people's funds or defraud them, finds himself ways more comfortable to follow rules instead of trying to defraud people (who are careful enough to wait for enough confirmations) by running a costly 51% attack.

It is how bitcoin is designed and what bitcoin is designed for.

But once an irrational person with unlimited resources shows up, decided to ruin a PoW coin by running a 51% attack for long periods of time, he or she will succeed to ruin the coin and his interests simultaneously and there is absolutely nothing bitcoin can do to avoid it. It is not designed for "the crazy man" game.

Then, he would be kicked out of the network, and have wasted the resources he had for a attempted double-spend.

Game Theory, would he waste his resources, or cooperate with the herd?

Second: Full nodes have nothing to do with 51% attack. A full node would never become aware of such an attack, let alone resisting it.

But if they do it, full nodes will always verify that the blocks produced are always valid, or else, they will be rejected, resources and time wasted. Full nodes keep miners honest.

[aliashraf]

First: "Bad-actors" are not "irrational actors". A greedy selfish person, who is by no means an altruist and is ready to steal people's funds or defraud them, finds himself ways more comfortable to follow rules instead of trying to defraud people (who are careful enough to wait for enough confirmations) by running a costly 51% attack.

It is how bitcoin is designed and what bitcoin is designed for.

But once an irrational person with unlimited resources shows up, decided to ruin a PoW coin by running a 51% attack for long periods of time, he or she will succeed to ruin the coin and his interests simultaneously and there is absolutely nothing bitcoin can do to avoid it. It is not designed for "the crazy man" game.

Then, he would be kicked out of the network, and have wasted the resources he had for a attempted double-spend.

Game Theory, would he waste his resources, or cooperate with the herd?

Nope, no kick-off, just ruining the coin and his/fed resources at the same time. It may be politically justifiable for the adversary but it is not economically. Bitcoin is not designed to mitigate All types of adversary behaviors,  there is no such coin and won't be feasible to have such a coin ever.
Bitcoin uses a very important and basic assumption for taking advantage of Game Theory: All players are supposed to be aware of their interests and act rationally according to this awareness.

Second: Full nodes have nothing to do with 51% attack. A full node would never become aware of such an attack, let alone resisting it.

But if they do it, full nodes will always verify that the blocks produced are always valid, or else, they will be rejected, resources and time wasted. Full nodes keep miners honest.

A 51% attack is not about breaching the bitcoin protocol by producing invalid blocks, it is about two very important threats: 1) defrauding users/exchanges and 2) Censorship. Full nodes are not able to do anything about none of the two.

P.S. it is getting derailed, pretty much.

[philipma1957]

First off China can simply go to bitmain and tell them to expand manufacturing s19pros.

next China can tell bitmain to build many many many containers. ten fold what is normal.


then commandeer two or three dams.  set up a 65% of the network attack and its done.


it would take six months and be unstoppable by private industry.

only a rich country could counter it.

doubt this is going to happen.
 
formula to calculate are nice but kind of worthless in the case of btc.

they would be better in smaller networks as you can get in and get out in a small network.

[Wind_FURY]

This is the only point I'm making, although full nodes CANNOT prevent a 51% attack, they CAN prevent other attacks, which make them very essential to the network.

They validate transactions, and blocks, relay the valid ones, and ignore the invalid ones.

It's also the full nodes that demand for the kinds of blocks the miners should produce. If miners produce blocks that full nodes don't want, they won't be relayed, and miners would have wasted resources on mining that invalid block.

Full nodes are responsible for making sure that everyone is following the rules. Full nodes keep the miners honest. It's also important that there's a sufficient number of independent parties that run full nodes.

[gmaxwell]

This thread keeps getting derailed by offtopic trolling. Locked.