51% attack

[o_e_l_e_o]

Can't they make a valid transaction invalid?

Not for transactions which do not belong to them, no. They can refuse to mine any transactions they don't want to, but the transactions they don't mine remain perfectly valid and as soon as the 51% attack ends those transactions can be mined as normal.

Isn't it double spending?

They can double spend their own coins only. For example, the 51% attacker might make a transaction paying you 100 BTC. You wait for 6 or 10 or 20 confirmations, and then hand over whatever expensive goods you were selling. The 51% attacker can then mine an alternate chain to replace the last 20 blocks and include in that chain a transaction which sends the same 100 BTC back to one of their own addresses. They have double spent their own coins. They cannot do this for anyone else's coins, since having 51% of the hashrate does not give them any special ability to forge your private keys, break ECDSA, force nodes to accept invalid signatures, and so on.

[1714554312]

1714554312

[flyingcarpet]

Not many people were mining with high-tech mining machines when Bitcoin was released (2009, if I'm not mistaken).
Thus, bitcoin was vulnerable to a 51% attack by a big company or an individual with huge resources.

But was there any such attack on Bitcoin around that time?

In those years, there was no obvious reason for the attack, why should they attack. There is no such reason now, of course, but since the mass it affected was not that big at first, an attack was not even considered. I know there is no 51% attack yet.

Its widespread use and popularity today are just some of the biggest obstacles to attacks. I don't think there is such a risk for Bitcoin. This is just one of the beautiful aspects of Bitcoin.

At the same time, the cost of such an attack is very high, and I don't think there is any organization that would want to do something like this.

[pawel7777]

There have been a number of occasions in the past where a single pool has controlled >51% of the hashrate, but they have not used this to attack bitcoin.

Deepbit in 2011 - https://bitcointalk.org/index.php?topic=26656
BTCGuild in 2013 - https://bitcointalk.org/index.php?topic=152296.0
GHash.IO in 2014 - https://bitcointalk.org/index.php?topic=645056.0
/snip/

Thanks for sharing. I thought ghash.io was the only time the pool went above 50%. I got into Bitcoin in late 2013 ao wasn't around when the first two times happened.

I guess we can draw the conclusion that the simplest and cheapest way to perform the attack is not to buy or produce enough hashpower, but to create a pool (or few pools pretending to be independent) and attract enough miners.

The 51% attacker can then mine an alternate chain to replace the last 20 blocks and include in that chain a transaction which sends the same 100 BTC back to one of their own addresses.

But that new chain would get rejected by the majority of the network, meaning nodes, right?

[bitbollo]

@OP
I suggest you watch this video (it contains some small errors and on some topics it is dated but it explains these topics in a complete way).
https://www.youtube.com/watch?v=Lx9zgZCMqXE&t=0s

In practice, even if an entity had 51% of computing power available, its ability to solve blocks only slightly increases, and if it wants to reorganize them it must always compete both to solve the new block and to "modify" the previous one. If you think about it, ok it increase the chance but this not means it would be able to make a reorganization.

In short, 51% of potential power does not guarantee anything.
In the past, the cex.io pool has reached this value without any particular problems...

[Hamza2424]

Haha seems like we are going to have a couple of topics similar to that every week, Becasue now the rumors are the king of fud. Actually, the problem is with our people haha they just follow the blind news from unknown sources. Improper research and information behind asking the questions and posting the queries, I think a few days ago we had discussed the same topic with another view. It was clearly explained there that currently now the hash power 51%+ cant offer control over the network.

This thread is also based on quite a similar query and there the theory of 51% is discussed.

Unraveling the Ridiculous: Exposing the Absurdity of the 51% Power Attack FUD

[o_e_l_e_o]

But that new chain would get rejected by the majority of the network, meaning nodes, right?

No, not at all.

Nodes will follow the chain with the most valid accumulated work. The whole point of a 51% attack is that a malicious miner can produce blocks faster than the rest of the network. So while the rest of the network mines the original transaction and x number of blocks on top of it, the 51% attacker can mine an alternate chain in secret which double spends the coins in the original transaction back to themselves and x+1 number of blocks on top of it. Once you have released the goods or whatever, the 51% attacker can then broadcast their alternate chain they were mining in secret. Assuming that this chain remains consensus valid (and there is no reason it wouldn't be), then nodes will immediately switch to this chain upon learning about it, since it is longer than the honest chain and therefore has more accumulated work. At that point the original transaction and all its confirmations disappear from the network, and are replaced by the double spend transaction.

Nodes do not police which chains are "honest" or "dishonest", and really, have no way of making that judgement. They simply follow the valid chain with the most accumulated work.

[Blitzboy]

Bitcoin has always been a tempting target for the technically knowledgeable and financially well-equipped. A 51% attack, as you suggest, could have been catastrophic for Bitcoin back when it was still in its infancy. Interestingly, according to my findings, no such attack ever took place.

However, the motivation to launch such an attack was likely considerably lower back then, despite Bitcoin's increased susceptibility. There was much less incentive to launch such an attack because Bitcoin has not yet established itself as a reliable digital money or investment option. There was also a lack of both the availability and sophistication of the computational resources needed to launch such an attack.

[Wind_FURY]

it still can't make invalid transactions into valid transactions. It can JUST censor transactions.

Can't they make a valid transaction invalid? Isn't it double spending? If anyone can censor transactions, the network won't be any more decentralized. My bad if I have written something wrong, that's what I know. I'm not saying that's going to happen though.

Well, it doesn't make sense. Why would someone bother to attempt to do so by spending this huge amount in achieving this huge hash rate?

No, because the full nodes validate ALL blocks and ALL transactions, and enforce the rules. If there's a mining pool that announces an invalid block, the full nodes in the network will know and not send it out, disallowing it from propagating around the network.

[ICYNOTE2023]

Not many people were mining with high-tech mining machines when Bitcoin was released (2009, if I'm not mistaken).
Thus, bitcoin was vulnerable to a 51% attack by a big company or an individual with huge resources.

But was there any such attack on Bitcoin around that time?

we use reason and logic, why attack a coin that at that time had no value? even people were given it for free at that time many did not want it. but after a valuable item, then people will look for it. 

[jrrsparkles]

Not many people were mining with high-tech mining machines when Bitcoin was released (2009, if I'm not mistaken).
Thus, bitcoin was vulnerable to a 51% attack by a big company or an individual with huge resources.

But was there any such attack on Bitcoin around that time?

But back then the value of bitcoin is close to few dollars so why would even try such things especially it will not have any benefit for them once they lose 51% hash rate power the blocks will be back and all the malicious blocks will be replaced by actual one.

They care only if the price is higher ironically the expense of 51% attacks also higher enough for not to attempt such attacks on the bitcoin network which is what keeping the bitcoin standout from other shitcoins.

[pawel7777]

Nodes will follow the chain with the most valid accumulated work. The whole point of a 51% attack is that a malicious miner can produce blocks faster than the rest of the network. So while the rest of the network mines the original transaction and x number of blocks on top of it, the 51% attacker can mine an alternate chain in secret which double spends the coins in the original transaction back to themselves and x+1 number of blocks on top of it. Once you have released the goods or whatever, the 51% attacker can then broadcast their alternate chain they were mining in secret. Assuming that this chain remains consensus valid (and there is no reason it wouldn't be), then nodes will immediately switch to this chain upon learning about it, since it is longer than the honest chain and therefore has more accumulated work. At that point the original transaction and all its confirmations disappear from the network, and are replaced by the double spend transaction.

Nodes do not police which chains are "honest" or "dishonest", and really, have no way of making that judgement. They simply follow the valid chain with the most accumulated work.

Thanks again for clarifying. Technical aspects of the network have never been my strong suit. Just another daft question: If nodes do not police the chain, then why is it advised for nodes to have a full copy of the blockchain? I always imagined it was for situations like the one discussed, to prevent malicious miners from propagating invalid chains.

[ranochigo]

Thanks again for clarifying. Technical aspects of the network have never been my strong suit. Just another daft question: If nodes do not police the chain, then why is it advised for nodes to have a full copy of the blockchain? I always imagined it was for situations like the one discussed, to prevent malicious miners from propagating invalid chains.

There is a difference between the validity and the honesty. The onus of maintaining a chain that is mined with fairness and integrity in mind is on the miners. No one on the network can judge which is the honest chain and which one isn't, and the only assumption that we can make is to assume that the majority of the network are honest and not engage in double spending, malicious chain-reorg, etc. Keep in mind that executing a 51% attack doesn't break the protocol rules.

Nodes play an important role in being economic agents in ensuring that the blockchain that they see is valid and for SPV nodes to be receiving the a chain that is valid, keeping in mind that SPV nodes has no idea whether a chain is valid or not. Nodes are useful for individuals to ensure that the chain that they are seeing is valid.

[o_e_l_e_o]

Thanks again for clarifying. Technical aspects of the network have never been my strong suit. Just another daft question: If nodes do not police the chain, then why is it advised for nodes to have a full copy of the blockchain? I always imagined it was for situations like the one discussed, to prevent malicious miners from propagating invalid chains.

Not daft at all - a good question.

As ranochigo explains, nodes are important to verify and validate all the transactions and blocks which make up the blockchain, but they do not judge where these transactions and blocks came from.

For example, if I submitted a transaction which sent all of Satoshi's coins to an address I control, then obviously that transaction would have an invalid signature. Nodes would therefore reject that transaction and not propagate it through the network.
If a 51% attacker submitted a block which contained such a transaction with an invalid signature, then again, nodes would reject that entire block and not propagate it through the network.
However, a 51% attacker is able to submit valid blocks which contain valid transactions, which nodes will accept. They can also submit a whole chain of blocks which is longer than the current main chain, and nodes will automatically swap to this new longer chain if it is all valid. So as I explained above, if there is already a confirmed transaction sending their coins to someone else, they can replace that by releasing a longer chain which includes a transaction sending those same coins back to themselves. This double spend is still entirely valid as far as nodes are concerned - it spends a valid UTXO with a valid signature - so nodes will validate it and accept it.

This is the crux of a 51% attack. It allows the attacker to freely double spend their own coins. But nodes checking the validity of all transactions are what prevents the 51% attacker from accessing anyone else's coins.

[worldofcoins]

It allows the attacker to freely double spend their own coins. But nodes checking the validity of all transactions are what prevents the 51% attacker from accessing anyone else's coins.

Maybe that's the reason exchanges back then approved transactions of Bitcoin that had "3+" confirmations.
Gambling websites also required 3+ confirmations around 2013, but now it's reduced to 1+ confirmations looking at how hard it would be for someone to double-spend their coins on the website (there's still a possibility of performing the 51% attack, but the malicious party will waste their resources looking at the current overall hash rate of bitcoin network)

Some websites, even today, require 3+ confirmations.

[o_e_l_e_o]

Gambling websites also required 3+ confirmations around 2013, but now it's reduced to 1+ confirmations looking at how hard it would be for someone to double-spend their coins on the website (there's still a possibility of performing the 51% attack, but the malicious party will waste their resources looking at the current overall hash rate of bitcoin network)

Gambling websites are fairly unique in the regard that no coins actually need to move until you withdraw your winnings. You can play and win dozens of bitcoin, but the gambling site only needs to honor that when you actually withdraw. And so they can just place a hold on any withdrawals until your deposit has enough confirmations. You can deposit, start playing after 1 confirmation (or even immediately), but then not be allowed to withdraw until after 3 confirmations, or something along those lines. This keeps the risk of any double spends to a minimum.

This is not possible with centralized exchanges, since as soon as you start trading the exchange has to start filling orders. If you double spent, they would be left with a bunch of orders they would still have to honor. And so you have to wait for longer on centralized exchanges.

[Ndabagi01]

Not many people were mining with high-tech mining machines when Bitcoin was released (2009, if I'm not mistaken).
Thus, bitcoin was vulnerable to a 51% attack by a big company or an individual with huge resources.

But was there any such attack on Bitcoin around that time?

51% attacks have never occurred in the bitcoin network and will never occur because one company (miner) cannot own close to that amount of mining power possible for that because it is expensive to possess such mining power; additionally, other miners will never allow such an attack to occur and are constantly on the lookout for such attacks.

Only in 2014 did a company called Ghash.io get close to that amount, with a total mining power of 38.24% at the time. The company no longer exists, and no one has ever gotten close to that percentage since. If miners do not collaborate to conduct an attack on the network, they will give the longest chain and dominate the network attackers. 51% is not possible practically because of the way the bitcoin network is built, we don’t need to worry about that.

[pawel7777]

/snip/

/snip/

Thanks both, it all makes sense now. I had a slightly wrong idea of how nodes validate transactions. Every day is a school day.

Only in 2014 did a company called Ghash.io get close to that amount, with a total mining power of 38.24% at the time. The company no longer exists, and no one has ever gotten close to that percentage since.

As mentioned before, ghash.io actually went above the 50% and it wasn't the first time that happened (it was the last time though). Hashpower distribution improved a lot since then, at least officially, it's hard to know for sure whether different pools are actually independent of each other.

[o_e_l_e_o]

Hashpower distribution improved a lot since then, at least officially, it's hard to know for sure whether different pools are actually independent of each other.

Even if more than one major pool was owned by the same entity, it doesn't make a huge amount of difference. Remember of course that each big pool is used by thousands or even tens of thousands different miners - everything from huge ASIC farms down to individuals running a single ASIC at home. All of these miners are separate entities despite mining under the same umbrella of the pool they use. Should that pool operator decide to turn malicious and attempt to 51% attack the network, then any of these individual mining entities can switch to a new pool in a matter of minutes.