Ethereum could afford a 51% attack on Bitcoin, and profit greatly from it

[HeRetiK]

But this effectively still requires a rethinking of the Bitcoin protocol, namely if the defense against a Goldfinger attack is to always soft-fork back to the original chain. And then one in theory has to determine exactly what reorgs constitute an attack, and what reorgs are just normal activity on the blockchain. Otherwise the community might disagree on a particular decision, which could thus cause a hard fork.

Not really, as it's pretty straightforward to determine: Does the chain include an adversarial double-spend? Reorg. No adversarial double-spend? No reorg.

Obviously actually pulling the hashing power to trigger a reorg would be no small feat in itself, but determining whether the chain is "honest" or run by the attacker is rather trivial.

[mjdamgaard]

But this effectively still requires a rethinking of the Bitcoin protocol, namely if the defense against a Goldfinger attack is to always soft-fork back to the original chain. And then one in theory has to determine exactly what reorgs constitute an attack, and what reorgs are just normal activity on the blockchain. Otherwise the community might disagree on a particular decision, which could thus cause a hard fork.

Not really, as it's pretty straightforward to determine: Does the chain include an adversarial double-spend? Reorg. No adversarial double-spend? No reorg.

Obviously actually pulling the hashing power to trigger a reorg would be no small feat in itself, but determining whether the chain is "honest" or run by the attacker is rather trivial.

Hm, maybe you are right..! It actually does sound quite simple when you put it like that.

It sort of brings into question why we bother so much with consensus mechanisms at all, then, but still...

... Yeah, so maybe a mitigation strategy could simply be to add to the protocol: 'If a chain is the result of a reorg that has allowed double spending, then it should be regarded as invalid.' Could that work?

Ideally you should then also roll out an update where miners can vote to declare any new contentious chain invalid.

... Well, but then in theory, we still have the problem that 51% of the miners might be compromised, if voting is distributed according to PoW. So the voting power still has to distributed some other way, doesn't it..?

Edit:
How about this: The vote in such a case is not distributed to the miners, but rather to the investors, who pay the miners (and other bitcoin owners) for their coin. Could this principle be enough to prevent a hard fork?

[HeRetiK]

Circling back a bit, because I just noticed I never got around answering:

Either way, as interesting as I find this whole discussion to be, there are probably cheaper and more effective ways to sway the market in one way or another.

Imagine what you could do with even the low end of $6 billion. That's 17 times the budget of Avengers: Endgame, except it's a whole cinematic universe about crypto (tacky, I know, please don't do this). 8 stadiums like the crypto.com arena, except the crypto-community builds and owns it, instead of merely sponsoring it. Provide UBI for a small town of 1,500 people (named after the cryptocurrency of your choice), each receiving a yearly income of 50k over a lifespan of 80 years.

Or, you know, just buy a handful of politicians.

I believe either of these would probably more effective than attempting a 51% attack on Bitcoin.

I'm sure that you are right to some extent, but then again, by that logic, the Ethereum investors, as well as Bitcoin investors, should then all pursue these ventures and make their fortunes double in no time.

1) Who says they aren't? (buying politicians, I mean)

2) Bitcoin and Ethereum investors haven't used their money to attack each other's network either. That is to say, I said these examples would be probably cheaper and more effective than the attack scenario you describe. They're still bad ideas, just slightly less bad.

Hm, maybe you are right..! It actually does sound quite simple when you put it like that.

It sort of brings into question why we bother so much with consensus mechanisms at all, then, but still...

Because in the end you still need consensus on where the coins of a transaction should end up.

... Yeah, so maybe a mitigation strategy could simply be to add to the protocol: 'If a chain is the result of a reorg that has allowed double spending, then it should be regarded as invalid.' Could that work?

No. Double spends are not detectable on a protocol level. They also don't need to be. But they are pretty obvious to outside observers, e.g. non-adversarial miners that could then direct their hashrate accordingly or exchanges that would ignore the double spends until matters are settled.

Ideally you should then also roll out an update where miners can vote to declare any new contentious chain invalid.

... Well, but then in theory, we still have the problem that 51% of the miners might be compromised, if voting is distributed according to PoW. So the voting power still has to distributed some other way, doesn't it..?

PoW is the voting power.

But any merchant, exchange, counterparty that an adversary would transfer coins to can just ignore whatever looks like a double spend. In the end the coins will end up either here or there. If an adversary gains nothing in return (e.g. by exchanging coins for another currency or goods and services), all they do is send their own coins in circles.

Put differently, the moment you start a 51% attack, your adversarial transactions will likely get detected and ignored (again, outside the protocol. on the protocol level the coins will end up either here or there, but that doesn't gain you anything if your counterparty doesn't honor your transaction).

The moment you're not running a 51% attack... you're simply a miner that could spell trouble. But you're not actively hurting the network itself.

In the end it would be just like that Bank Heist sketch by Key & Peele:
https://www.youtube.com/watch?v=jgYYOUC10aM

Edit:
How about this: The vote in such a case is not distributed to the miners, but rather to the investors, who pay the miners (and other bitcoin owners) for their coin. Could this principle be enough to prevent a hard fork?

There's already a mechanism for that, though maybe not as you imagine: A hard fork resulting in two separate coins, with the market deciding which coin is the more valuable one.

The more extreme example of this may even sound familiar to you: Abandon all principles of decentralization and somehow kludge a rollback. Not something I'd personally like to see, but amazingly even coins that pulled tricks like this have done pretty well.


---


One last thing, maybe it's been brought up before, but it seems rather relevant:

At the heart of the attack scenario you describe is the assumption that Bitcoin and Ethereum investors are mutually exclusive groups with purely adversarial incentives.

I don't think that's the case.

While most investors will be more exposed to one coin than the other, I'm pretty certain that almost everyone in crypto has a stake in both coins, especially whales. Accordingly I don't think any one side would have much of an incentive to strike the other, even assuming that an attack in either direction were feasible.

[franky1]

I also need some clarification if we are to continue with the discussion about the supposed lower threshold on the Bitcoin price. Am I understanding you right that you are saying that the price of Bitcoin is dependent on the work it takes to mine a coin? And if so, do you not agree that Bitcoin investors potentially thereby have a complete money machine?

priceof bitcoin dependant on mining?.. no
dont confuse PRICE with value/premium

lets translate it to another commodity.. lets use milk as an example

lets say 2litre of milk costs at the farm $0.50 to produce(mine) at the most efficient farm on the planet
last year there were 2x more cows so was $0.25.. and in 2021-22 before inflation was about $0.15 minimum global cost to produce at globel efficient farms

now lets say the most expensive farms on the planet at a cost from the farm of
2021-22 $0.75
2022-23 $0.95
2023-24 $1.45
2024-25 $3.00

now this is the costs at the farms around the globe.. current production range of $0.50-$3

now knowing that the retailers then resell milk to the general public from different sources and may have freeze dried some milk from earlier supplies
what price range do you think RETAILERS(exchange users) would want to sell their milk for today in 2024

do you really think they want to sell it for <$0.15 of 2022's min cost today.. or would they see that no one can even produce milk in 2024 for less than $0.50 and set that as the benchmark as even current producers cannot produce for less so so it currently retails for $0.60-$0.75 with a potential that it could reach $3 if there is a economic event next year

lower threshold value is $50k(bottom support barrier) but the market PRICE is $60-$75 this year with potential to go to $300k next year if a ATH pump even occurs

[mjdamgaard]

Circling back a bit, because I just noticed I never got around answering:

Either way, as interesting as I find this whole discussion to be, there are probably cheaper and more effective ways to sway the market in one way or another.

Imagine what you could do with even the low end of $6 billion. That's 17 times the budget of Avengers: Endgame, except it's a whole cinematic universe about crypto (tacky, I know, please don't do this). 8 stadiums like the crypto.com arena, except the crypto-community builds and owns it, instead of merely sponsoring it. Provide UBI for a small town of 1,500 people (named after the cryptocurrency of your choice), each receiving a yearly income of 50k over a lifespan of 80 years.

Or, you know, just buy a handful of politicians.

I believe either of these would probably more effective than attempting a 51% attack on Bitcoin.

I'm sure that you are right to some extent, but then again, by that logic, the Ethereum investors, as well as Bitcoin investors, should then all pursue these ventures and make their fortunes double in no time.

1) Who says they aren't? (buying politicians, I mean)

2) Bitcoin and Ethereum investors haven't used their money to attack each other's network either. That is to say, I said these examples would be probably cheaper and more effective than the attack scenario you describe. They're still bad ideas, just slightly less bad.

I wouldn't pretend to know what the ultra-rich do to grow their fortunes. But keep in mind, if for instance Ethereum grows by 200%, then all the investors will see that growth including the small ones. Those could easily make up more than 5%, couldn't they? So even if we somehow assume that the very rich will just shrug at an opportunity to grow a part of their fortune by up to 200%, there could still be plenty of Ethereum investors who are willing to participate.

Hm, maybe you are right..! It actually does sound quite simple when you put it like that.

It sort of brings into question why we bother so much with consensus mechanisms at all, then, but still...

Because in the end you still need consensus on where the coins of a transaction should end up.

... Yeah, so maybe a mitigation strategy could simply be to add to the protocol: 'If a chain is the result of a reorg that has allowed double spending, then it should be regarded as invalid.' Could that work?

No. Double spends are not detectable on a protocol level. They also don't need to be. But they are pretty obvious to outside observers, e.g. non-adversarial miners that could then direct their hashrate accordingly or exchanges that would ignore the double spends until matters are settled.

Yes, there of course still needs to be an everyday consensus mechanism, you're right. It seems that we are both thinking more about what potential fail safe mechanism Bitcoin could have (if any) in order to mitigate the effects of an attack after it has happened, and somehow getting a consensus to ignore the "attack chain."

PoW is the voting power.

But any merchant, exchange, counterparty that an adversary would transfer coins to can just ignore whatever looks like a double spend. In the end the coins will end up either here or there. If an adversary gains nothing in return (e.g. by exchanging coins for another currency or goods and services), all they do is send their own coins in circles.

Put differently, the moment you start a 51% attack, your adversarial transactions will likely get detected and ignored (again, outside the protocol. on the protocol level the coins will end up either here or there, but that doesn't gain you anything if your counterparty doesn't honor your transaction).

The moment you're not running a 51% attack... you're simply a miner that could spell trouble. But you're not actively hurting the network itself.

In the end it would be just like that Bank Heist sketch by Key & Peele:
https://www.youtube.com/watch?v=jgYYOUC10aM

Edit:
How about this: The vote in such a case is not distributed to the miners, but rather to the investors, who pay the miners (and other bitcoin owners) for their coin. Could this principle be enough to prevent a hard fork?

There's already a mechanism for that, though maybe not as you imagine: A hard fork resulting in two separate coins, with the market deciding which coin is the more valuable one.

Yes, that was also what I was getting at: Could Bitcoin survive unscathed by an attack without implementing any fail safe mechanism other than the fact that 'new investors wouldn't want to buy into a blockchain that is the result of a malicious reorg?'

I've come to think that there is a problem with this strategy, however. I fear that there could easily be times where double spends are not easy to detect. Not for long-range attacks, of course, but if the attackers deliberately targets the very edge of the current confirmation period, and thus try to hit exactly the threshold for when a reorg is considered normal activity and when it is considered malicious, then this could cause disagreement about whether a chain is invalid or not. And without some predetermined voting system, this could result in a hard fork. What's more, the attackers (backed by Ethereum investors) could also try to drum up hubbub by pretending to be disgruntled traders on both sides of the argument, who each claim to be the victim of a double spend (or nullified spend) if the other chain is declared as the valid one.

As a new investor, it might become hard to determine which chain is the "non-malicious" one. And as a result, we might get a hard fork of Bitcoin in the end after all.

As far as I can see, a much easier solution would be to just implement a fail safe PoS system to determine which is the valid chain in such a case. It wouldn't require that much effort to implement, compared to how much money is on the line. And it would also only be a soft fork to the Bitcoin protocol, presumably, since if one of the chains is unambiguously declared the invalid one, then the miners will stop working on it at some point, even the Ethereum-backed ones. What do you think?

One last thing, maybe it's been brought up before, but it seems rather relevant:

At the heart of the attack scenario you describe is the assumption that Bitcoin and Ethereum investors are mutually exclusive groups with purely adversarial incentives.

I don't think that's the case.

While most investors will be more exposed to one coin than the other, I'm pretty certain that almost everyone in crypto has a stake in both coins, especially whales. Accordingly I don't think any one side would have much of an incentive to strike the other, even assuming that an attack in either direction were feasible.

No, this point has actually not been brought up so far. It's a good point. However, if the Goldfinger attack truly only requires a fraction of the investors in order for it to be profitable, then it might still be a possibility. Especially since there is also the risk that investors who wants to participate in the whole "venture" can then simply start moving their assets from Bitcoin to Ethereum in the lead-up to the attack. This movement might then also cause the value of Ethereum to grow relative to Bitcoin already, but this would only aid the would-be attackers.

[d5000]

And the difference in the core concepts just lies in the fact that for PoS the voting power is directly proportional to the amount of stake you have in the blockchain, whereas for PoW the power is instead distributed according to the hash rate an individual controls

That's a quite naive understanding of the differences between both consensus methods.

PoS is a bit of a circular logic: consensus determines stakeholders, and stakeholders determine consensus. I hope you know about the Nothing-at-stake problem. The root of that problem is that in PoS there is no way to determine objectively in a decentralized setting if a certain entity is "staking coins" and has thus the right to be a validator. For this reason, you have to be sure that the node you connect to when you re-sync the chain has the correct information. This is different in PoW (see below).

Empirically it seems that PoS blockchains have stood the test of the time and "just work". This however doesn't mean that the Nothing at stake problem has been "solved". Instead some mitigation strategies, including BFT principles, were applied which make it more difficult to attack the PoS consensus. But the problem is: These strategies depend on a certain grade of centralization. Weak subjectivity means approximately: If everybody agrees that the nodes by the Ethereum Foundation and some big exchanges are authoritative for the state of the blockchain, then most nodes will follow their nodes and we have a stable "state". So it "looks" like the chain is safe.

And still, as the consensus lacks objectivity, it is not impossible the find a loophole to attack. A complex attack involving hacking of the servers of "authorities" like exchanges and foundations and perhaps even identity theft (imagine Vitalik's node and his social media accounts being hacked and luring users to the attack chain) could reduce the cost of an attack to a fraction of 34% or 50% (depending of the attack's goal) of the staked coins.

In a PoW blockchain, you don't need to trust other nodes. If you are eclipsed for some time by an attacker, then you may think for a moment that you are following a wrong chain, but as long as you are not 100% eclipsed (which is nearly impossible) and can connect to at least one node with the real "longest" chain, then you're fine. In PoS, you need to find an authority.

We could argument for example, with the same validity than your assumptions about "Ethereum attacking Bitcoin", that Bitcoiners could fund an AI to discover loopholes in the PBFT PoS mechanism of Ethereum and attack it in a similar way I described above. Is this case contemplated in Ethereum's security policy?

I personally don't see 'weak subjectivity' as ever truly becoming a problem for the consensus on a blockchain like Ethereum. The point is: Why would the Ethereum stakeholders ever allow an attack to finalize for good when that would undermine their currency?

In the attack I mentioned you wouldn't know who is a legitimate stakeholder and could vote. Thus every time the blockchain is attacked a hard fork would have to occur. That's the same as in PoW.

But I don't see why it wouldn't be even better, perhaps very much so, for the Bitcoin community to try to come to agreement on this in advance. Then it would be seen as much less of a capitulation in the hypothetical event that an attack happens, and it would perhaps not be seen as 'the "little brother," Ethereum, bullying Bitcoin into submission.'

Who would sign this agreement? Bitcoin's CEO and the CTO?

Of course a developer group could prepare such a fork in advance, but that would only be necessary once really such an attack was going on, for example if a smart contract like the one you propose appears on ETH's blockchain and gets some traction. Such an attack would probably take months to materialize. Enough time to create a PoS "final last resort" fork.

Bitcoiners of course would probably first try a Scrypt/some-other-algo "last resort" fork, and such ideas have already been discussed for years (maybe even decades ... I remember the so-called "nuclear option" in 2017, I think there was even usable code). The oh so rational Ethereum attacker group would then have to repeat the attack and waste the same resources again in Scrypt hardware. There may be even more algos to try. And "changing the algorithm" is something that happened a lot of times in the altcoin world, and is thus not really an experimental thing one has to pray that there's a 1% probability that it works

Since the topic of the discussion is the security of Bitcoin, it is okay to speculate about what could potentially happen.

No, you are trying to promote a "paper". I'm heavily suspecting from your behaviour that it's a pseudoscientific "paper" to disseminate FUD and try to establish some "PoS is better than PoW and Ethereum will be flippening!" narrative. Prove me wrong

The only "novelty" your "paper" offers (the rest is only "with much money you can 51% attack bitcoin" - even Satoshi knew that) is that you claim that Ethereum owners could profit from the attack, but you have not apported a (falsifiable) hypothesis to back this claim. And I don't see a question mark in your thread title either, which would be the way a serious researcher would go if they wanted to start an open-ended discussion. This post adds to the "strange smell" in this thread.

If I'm wrong and you're really concerned about Bitcoin's security without trying to install the PoS > PoW narrative, you could for example research similar attacks in the real world. There are numerous cases where companies with predatory behaviour tried to attack and kill their competitors. But not all cases are useful. Here I jump to the "market cap" vs "sales" issue.

Your hypothesis that a smaller coins' stakeholders could profit if a bigger competitor is successfully attacked, is based on the assumption that the cryptocurrency market works like a market of goods (say: apples) where sales are the figure to analyze. This means: there is a "static" necessity creating a demand, which is fulfilled by several competitors with a certain market share, and if one of them sells less, then the others normally sell more.

The crypto market however doesn't behaved like that historically. The "competitors" are often dependant one from another (one crashes, the others crash too, or vice versa). And there are also other products outside the crypto space (gold, stocks, bonds, "speculative assets" in general) partially covering the same demand. This means that while a "market" exists, if one competitor loses market cap, other coins in most cases do not benefit directly from that. Instead there is a very complex interdependence with dependencies to the outside world (e.g. vs the bonds market via the interest rate). And the market for strange reasons in some years contracts 70% and then again expands 500% ...

You would have to find cases in the real world where a similarly complex market exists and then such a predatory attack was successful, to support your claim.

Let's continue speculating in this direction. Imagine a ETH->BTC attack occurs. How can you prevent that people flee in extreme numbers from the whole crypto space because trust has been eroded, and instead invest again in what they have invested until Bitcoin appeared in 2009? Then Bitcoin, Ethereum and most other coins would crash.

In addition: If the Ethereum->Bitcoin attack works, then that means probably that also a Solana -> Ethereum attack would work, and I already wrote that the Solana and Ethereum markets are more similar than the BTC-ETH markets.

I can also imagine Bitcoin holders invested in also Ethereum (not a rare case absolutely, see HeRetiK's last post) in the case of an ETH whales ->BTC attack push an Ethereum competitor to harm the ETH whales. Bitcoin holders would then be selling their Ethereum (crashing it) and instead buying Solana. Solana in this case could emerge as the winner surpassing ETH's market cap, and if the ETH whales having tried to attack BTC would score huge losses. If the ETH whales due to this failed experiment would have to stop their BTC attack then even BTC could recover, and ETH would be the only loser.

Well, here you are actually contradicting your earlier point somewhat, aren't you, namely that PoS and PoW (and in particular Ethereum and Bitcoin) are not in direct competition?

Perhaps slightly, but in the PoW/PoS comparison it isn't relevant that the market is similar to a "sales" market of goods with exactly the same type of demand. In your "attackers benefit from competitor market share" scenario it is much more relevant.

[mjdamgaard]

I also need some clarification if we are to continue with the discussion about the supposed lower threshold on the Bitcoin price. Am I understanding you right that you are saying that the price of Bitcoin is dependent on the work it takes to mine a coin? And if so, do you not agree that Bitcoin investors potentially thereby have a complete money machine?

priceof bitcoin dependant on mining?.. no
dont confuse PRICE with value/premium

lets translate it to another commodity.. lets use milk as an example

lets say 2litre of milk costs at the farm $0.50 to produce(mine) at the most efficient farm on the planet
last year there were 2x more cows so was $0.25.. and in 2021-22 before inflation was about $0.15 minimum global cost to produce at globel efficient farms

now lets say the most expensive farms on the planet at a cost from the farm of
2021-22 $0.75
2022-23 $0.95
2023-24 $1.45
2024-25 $3.00

now this is the costs at the farms around the globe.. current production range of $0.50-$3

now knowing that the retailers then resell milk to the general public from different sources and may have freeze dried some milk from earlier supplies
what price range do you think RETAILERS(exchange users) would want to sell their milk for today in 2024

do you really think they want to sell it for <$0.15 of 2022's min cost today.. or would they see that no one can even produce milk in 2024 for less than $0.50 and set that as the benchmark as even current producers cannot produce for less so so it currently retails for $0.60-$0.75 with a potential that it could reach $3 if there is a economic event next year

lower threshold value is $50k(bottom support barrier) but the market PRICE is $60-$75 this year with potential to go to $300k next year if a ATH pump even occurs

Thank you very much for clarifying this point.

I will say, I'm inclined to believe that this theory might not be fully applicable for Bitcoin at all times due to some differences, namely that bitcoin isn't a consumable or degrading product: When you buy milk it needs to come from the producers, whereas bitcoin is a finite and non-degrading resource. Also the cost of mining depends on how many miners there are, as opposed to producing milk. (Edit: And in fact, the amount of produced bitcoin does not depend at all on the number of "producers.") But it does seem that the average transaction volume is currently not much larger than the mined bitcoin, so maybe you are right that this theory is roughly applicable at the moment.
(2nd Edit: My mistake, the daily transactions is currently around $15B, meaning that only around 0.1% of the traded bitcoin are the newly minted bitcoin. So never mind, I don't believe that the theory is applicable here at all.)

Let me then ask you, in regards to the topic of this discussion, do you then think that a 51% attack wouldn't cause any severe damage to the value of Bitcoin? Not even in the scenario where the attacking miners can keep making as many long-range attacks as they want once they have already paid the CapEx, i.e. as long as the price of Bitcoin stays afloat?

[DaveF]

Just as another thought experiment would be how much would it cost to get enough ETH while people are selling theirs to do this to launch your own 51% attack on ETH.

The fact that there is no real work involved just having enough money to buy enough of a specific coin has always been a weakness of all POS coins.
And now that there are ETH ETFs there is an incentive for people to be able to short the ETFs if they think their value will go down.

Think about it, get enough funds to buy the companies I discussed above that host a bunch of the ETH staking nodes, while simultaneously buying ETH and spinning up your own nodes and then a simple 51% attack against ETH.

-Dave

[mjdamgaard]

And the difference in the core concepts just lies in the fact that for PoS the voting power is directly proportional to the amount of stake you have in the blockchain, whereas for PoW the power is instead distributed according to the hash rate an individual controls

That's a quite naive understanding of the differences between both consensus methods.

PoS is a bit of a circular logic: consensus determines stakeholders, and stakeholders determine consensus. I hope you know about the Nothing-at-stake problem. The root of that problem is that in PoS there is no way to determine objectively in a decentralized setting if a certain entity is "staking coins" and has thus the right to be a validator. For this reason, you have to be sure that the node you connect to when you re-sync the chain has the correct information. This is different in PoW (see below).

Empirically it seems that PoS blockchains have stood the test of the time and "just work". This however doesn't mean that the Nothing at stake problem has been "solved". Instead some mitigation strategies, including BFT principles, were applied which make it more difficult to attack the PoS consensus. But the problem is: These strategies depend on a certain grade of centralization. Weak subjectivity means approximately: If everybody agrees that the nodes by the Ethereum Foundation and some big exchanges are authoritative for the state of the blockchain, then most nodes will follow their nodes and we have a stable "state". So it "looks" like the chain is safe.

And still, as the consensus lacks objectivity, it is not impossible the find a loophole to attack. A complex attack involving hacking of the servers of "authorities" like exchanges and foundations and perhaps even identity theft (imagine Vitalik's node and his social media accounts being hacked and luring users to the attack chain) could reduce the cost of an attack to a fraction of 34% or 50% (depending of the attack's goal) of the staked coins.

In a PoW blockchain, you don't need to trust other nodes. If you are eclipsed for some time by an attacker, then you may think for a moment that you are following a wrong chain, but as long as you are not 100% eclipsed (which is nearly impossible) and can connect to at least one node with the real "longest" chain, then you're fine. In PoS, you need to find an authority.

We could argument for example, with the same validity than your assumptions about "Ethereum attacking Bitcoin", that Bitcoiners could fund an AI to discover loopholes in the PBFT PoS mechanism of Ethereum and attack it in a similar way I described above. Is this case contemplated in Ethereum's security policy?

I personally don't see 'weak subjectivity' as ever truly becoming a problem for the consensus on a blockchain like Ethereum. The point is: Why would the Ethereum stakeholders ever allow an attack to finalize for good when that would undermine their currency?

In the attack I mentioned you wouldn't know who is a legitimate stakeholder and could vote. Thus every time the blockchain is attacked a hard fork would have to occur. That's the same as in PoW.

I think you are right, at least in principle, about this problem with PoS. This also mirrors my original concern about PoS, it sounds like, namely that earlier stakeholders can just make a long-range attack by creating a seemingly legitimate chain. And you are right that they could in principle try to flood (and/or hack) the network in order to actually convince other users that their new reorganized chain is actually the honest one that has been used all along.

However, since traders are actively following the ledger, and since a part of the community is following the ledger as well, I think this might be nearly impossible to pull off in practice—similarly to how the Bitcoin community would also easily be able to at least detect the long-range attack, as I'm currently discussing with @HeRetiK.

But you're right that Ethereum has flaws and vulnerabilities (e.g. the whole DAO mess-up). And you're right that any opportunistic Ethereum stakeholders who toys with the idea of a Goldfinger attack would certainly at least consider the potential for Bitcoin retaliating in one way or the other.

If the Bitcoin community chooses to rely on this fact, however, it would technically mean relying on the belief that Ethereum is vulnerable in order to feel safe that Bitcoin is not.

[mjdamgaard]

Since the topic of the discussion is the security of Bitcoin, it is okay to speculate about what could potentially happen.

No, you are trying to promote a "paper". I'm heavily suspecting from your behaviour that it's a pseudoscientific "paper" to disseminate FUD and try to establish some "PoS is better than PoW and Ethereum will be flippening!" narrative. Prove me wrong

I think you misunderstood me: I was talking about the field of IT Security in general. Here it doesn't work to only think about what is the most likely thing to happen; you need to speculate at least a bit beyond that.

Well, your not wrong in that I am trying to promote my discovery, and hoping that it will be seen as an interesting an useful contribution to the field. In terms of "FUD," I don't think you really need to be too worried about that. I'm quite certain that there are ways for Bitcoin to mitigate the attack vector, as long as the community doesn't completely dismiss it as being impossible, and ignores it. (I could imagine that this might only make any would-be attackers more bold, by the way.)

In my preprint, I suggest that Bitcoin might switch to PoS. But as you rightly point out, there's no central authority, and this move could therefore potentially cause a hard fork. Although, if PoW is deemed insecure, then it is not unrealistic that by far the majority of Bitcoin investors would choose to invest in the new version.

However, I've also recently come to think that there might be a middle-ground solution where Bitcoin adopts PoS only as a soft fork. This is also what I've talked about recently in my discussion with @HeRetiK above.

Personally, I don't see why Bitcoin would then want to also cling to PoW necessarily, and to the fact that their users and investors have to continue carrying the daily electricity bill of the miners (ultimately), now and in perpetuity, but that's just my own personal view; you seem to think that this bill is worth it, and I'm sure that there are a great number of other people who do.

[franky1]

ok lets tell you what mitigates 51% attack

a 51% attack just means that 51% of the network is malicious and plans to edit blockdata either in the past or ongoing
which can cause lots of orphans(re-orgs) if the honest network then wins a block and retains its own blocks

so lets deal with the details AGAIN
to be at 51% of the network does not mean 100% control it means equalish opportunity with a slight lead to make blocks. but the other side can also get lucky.. yes this means that the other pools can still have luck to produce blocks faster and orphan the blocks that were the dis-honest pools blocks

the chances of a malicious pool to make for instance 6 blocks in a row before the honest network makes a block to re-org back to blocklist of honest blocks is marginally small. thus for years now many people have had the strategy that for high sat amount transactions being at risk of being re-round and unconfirmed is for services and recipients to wait 6 confirms, as the 51% is more likely to make one or 2 blocks before the honest network gets its block

its like a 600m olympic relay race
if there are 2 relay teams competing. one team that on average runs at 10sec and the other at 9.98 seconds average. its not a guarantee that the slightly faster team will always win every race/every 100m batton passing point in the race.
its also not a guarantee that if its a relay race of passing the batton of 2 competing teams that if one team went back 100m and started again the team would be able to go back 1-6 lengths of 100m and then catch up to overtake the honest running team that always went forward

just imagine it in your head for one second. a relay team where one member drops the batton, has to turn around and go grab it and start running again the team needs to be way more then a 0.02sec advantage per 100m to catch up if they wasted 10seconds picking the batton back up whilst the honest team just moved forward with that advantage


in most cases if dis-honest racers were running for 50 lengths on a different asphalt ring(edited chain) trying to catch up, and none of their blocks are yet to be seen by the olympic officials (network) even malicious miners with their livelyhood at risk will jump teams and want to just race on the asphalt WITH the honest runners

aswell as the wait X confirms if receiving high amount transactions,  there is also the fact that the network wont let any mining pool spend the block reward for 100 confirms. meaning an attacker would need to sustain their block list for 101 blocks to be able to spend their first block win. that means having 100 blocks of their preference be the 'mainchain'

and if they just showed up with race results to the officials that they are ahead(with a list of more then 2 blocks that dont match the honest network), the officials will see the latest block ID of dishonest teams 'previous block' does not contain the ID of the lastblock of the honest list

now its for you to actually not dismiss the math and mitigations of bitcoin risk. and actually run real scenarios of how bitcoin actually works rather then side step things just to promote your bias for ethereum
and not dont be silly and decide to rather talk about "milk is consumable" to avoid the point that production cost is different than retail cost
you went too literal about the word milks to talk about it a consumable rather then realise i was talking about any product has a real production cost and a separate retail price

[mjdamgaard]

Just as another thought experiment would be how much would it cost to get enough ETH while people are selling theirs to do this to launch your own 51% attack on ETH.

The fact that there is no real work involved just having enough money to buy enough of a specific coin has always been a weakness of all POS coins.
And now that there are ETH ETFs there is an incentive for people to be able to short the ETFs if they think their value will go down.

Think about it, get enough funds to buy the companies I discussed above that host a bunch of the ETH staking nodes, while simultaneously buying ETH and spinning up your own nodes and then a simple 51% attack against ETH.

-Dave

In theory, a 51% attack on Ethereum would cost > $300B × 50% = $150B. (Bitcoin and Ethereum have apparently just dropped 11% and 21%, respectively, in this past 24 hours.)

And a 34% attack would cost > $300B × 33.3% = $100B.

The stakers would lose that money (in a Rival Goldfinger attack), and they would only be able to gain $300B, and only when assuming that the Bitcoin investors share the costs equally. If not, it would thus take at least 33.3% of the Bitcoin investors to participate in an attack in order to break even in terms of costs and gains. (And for a 51% attack, it would require at least 50%.)

Now, if the Bitcoin investors is somehow able to keep their attack a secret, they would in theory not need to beat 33.3%, but only ~0.01% (in the current moment), which is the actual fraction of staked Ether compared to what's in circulation. But on top of the need to keep it a secret, this theory also assumes that safe guards like described in https://ethereum.org/en/developers/docs/consensus-mechanisms/pos/#finality isn't implemented or doesn't work.
(Edit: Sorry, my mistake! I mistook 33M ETH for 33M USD when I looked up the amount. The amount of staked Ether is currently 28%, not 0.01%. x))

Last but not least, in order for the steal to be finalized for good, the attackers would also need to confuse the Ethereum community of whether the reorg was malicious or not, assuming that the remaining 66.6% of the Ethereum stakeholders would otherwise just revert the attack afterwards. (Edit: Think of what happened with the Ethereum Classic fork.)

For a 51% attack, the attackers would be able to force a hard fork when the "honest" stakeholders revert the attack. But unless again the attackers can succeed in confusing the whole community, the community and investors will know which of the two chains they ought to support, if they don't want to support the chain that actively tries to undermine its own currency.

[Wind_FURY]

Just as another thought experiment would be how much would it cost to get enough ETH while people are selling theirs to do this to launch your own 51% attack on ETH.

The fact that there is no real work involved just having enough money to buy enough of a specific coin has always been a weakness of all POS coins.

And now that there are ETH ETFs there is an incentive for people to be able to short the ETFs if they think their value will go down.

Think about it, get enough funds to buy the companies I discussed above that host a bunch of the ETH staking nodes, while simultaneously buying ETH and spinning up your own nodes and then a simple 51% attack against ETH.

-Dave

The problem of most Proof Of Stake networks is the ledger will be open to attacks if there's isn't any check-points implemented. But if there are check-points being done, then the network is reduced to a "consensus" through "ask a friend", and not from the staking of the tokens itself.

[mjdamgaard]

The problem of most Proof Of Stake networks is the ledger will be open to attacks if there's isn't any check-points implemented. But if there are check-points being done, then the network is reduced to a "consensus" through "ask a friend", and not from the staking of the tokens itself.

I agree with this statement.

I don't really believe that any attackers would be able to actually confuse the Ethereum community/traders of which is the honest and the malicious chain in practice, however. Do you agree with this?

But it's still a valid point, and why some might choose PoW over PoS. However, if PoW truly has this vulnerability that a rival blockchain could profit from a 51% attack, then its not certain that PoW will remain the more favored protocol, and Bitcoin might want to consider a switch as well.

[mjdamgaard]

ok lets tell you what mitigates 51% attack

a 51% attack just means that 51% of the network is malicious and plans to edit blockdata either in the past or ongoing
which can cause lots of orphans(re-orgs) if the honest network then wins a block and retains its own blocks

so lets deal with the details AGAIN
to be at 51% of the network does not mean 100% control it means equalish opportunity with a slight lead to make blocks. but the other side can also get lucky.. yes this means that the other pools can still have luck to produce blocks faster and orphan the blocks that were the dis-honest pools blocks

the chances of a malicious pool to make for instance 6 blocks in a row before the honest network makes a block to re-org back to blocklist of honest blocks is marginally small. thus for years now many people have had the strategy that for high sat amount transactions being at risk of being re-round and unconfirmed is for services and recipients to wait 6 confirms, as the 51% is more likely to make one or 2 blocks before the honest network gets its block

A "51% attack" is actually somewhat of a misnomer. It should actually be called a ">50% attack" if we wanted to be more precise. If the attacking miners controls 60%, 80%, 99%, etc., then it is still known as a "51% attack."

If one team of relay runners runs even just 6/4 = 150% the speed of the competition (in case they control 60% of the hash rate), then the would be able to overtake their opponents at some point, even if they start from a distance significantly behind them.

in most cases if dis-honest racers were running for 50 lengths on a different asphalt ring(edited chain) trying to catch up, and none of their blocks are yet to be seen by the olympic officials (network) even malicious miners with their livelyhood at risk will jump teams and want to just race on the asphalt WITH the honest runners

Ah, something just clicked. Maybe we have discussed two different things all along.

A '51% attack' refers to several kinds of attacks, both in how its executed and how the attackers gain a profit from it. In some versions, we are talking about miners who tries to collude in order to gain a larger share of the newly minted coin for themselves. And you are right, in this case, unless the attacking miners are very cohesive as a group, then it would be enticing for each individual miner to break ranks and join the honest miners.

This is not the kind of 51% attack that I'm talking about. I'm talking about an attack that targets the traders, more so than the miners, namely by rewriting a recent part of the ledger in order to steal bitcoin.

They can in principle steal a lot of bitcoin thereby. However, it is typically assumed that the value of bitcoin would crash as a result, meaning that such 51%-attackers would need to very quickly trade that bitcoin for other assets/commodities in order to make it profitable for them.

And then in a Goldfinger attack, the attack is then furthermore orchestrated by someone with a reverse stake in the blockchain (and I point to the fact that this opponent could in theory be a rival blockchain), which means that in case of a crash, their losses is covered by the gains from the reverse stake. 

aswell as the wait X confirms if receiving high amount transactions,  there is also the fact that the network wont let any mining pool spend the block reward for 100 confirms. meaning an attacker would need to sustain their block list for 101 blocks to be able to spend their first block win. that means having 100 blocks of their preference be the 'mainchain'

I have addressed this point earlier. My counterpoint is that increasing the confirmation period would already damage Bitcoin's utility as a cryptocurrency quite a lot, especially since we are potentially talking months here. And they unfortunately can't extend the confirmation period retrospectively (relying purely on PoW). So they have to extend it continuously in anticipation of an attack if this is their mitigation strategy.

and not dont be silly and decide to rather talk about "milk is consumable" to avoid the point that production cost is different than retail cost

You seemed to argue that Bitcoin's price have a lower threshold that it can never fall below, and that the fact that Bitcoin miners spend a lot of money in the "production"/minting of new bitcoin somehow will always keep its price up. (And your milk example seemed to double down on that claim, unless I am mistaken?) By that logic, Bitcoin's price will rise towards infinity once the amount of newly minted coins drops to near zero, don't you agree?

you went too literal about the word milks to talk about it a consumable rather then realise i was talking about any product has a real production cost and a separate retail price

Oh, I've asked about clarification on this point earlier. Do you mind? Are you really saying that miners are able to sell their minted bitcoin at a higher price than the "retail" market price? Or perhaps the other way around: that the miners are only able to sell it at a lower price than the "retailers," similar to most other real-world cases, like the milk example?

[Wind_FURY]

The problem of most Proof Of Stake networks is the ledger will be open to attacks if there's isn't any check-points implemented. But if there are check-points being done, then the network is reduced to a "consensus" through "ask a friend", and not from the staking of the tokens itself.

I agree with this statement.

I don't really believe that any attackers would be able to actually confuse the Ethereum community/traders of which is the honest and the malicious chain in practice, however. Do you agree with this?

In theory, there are some attacks in POS chains that would make the malicious chain indistinguishable from the honest chain, therefore they need check-points. But the problem - how do you decentralize check-pointing. And for those projects that claim they have, they are hard to analyze.

But it's still a valid point, and why some might choose PoW over PoS. However, if PoW truly has this vulnerability that a rival blockchain could profit from a 51% attack, then its not certain that PoW will remain the more favored protocol, and Bitcoin might want to consider a switch as well.

To find out is simple - Attack Bitcoin. If the attackers are successful with that, then Bitcoin has no right to exist.

[franky1]

Ah, something just clicked. Maybe we have discussed two different things all along.

A '51% attack' refers to several kinds of attacks, both in how its executed and how the attackers gain a profit from it. In some versions, we are talking about miners who tries to collude in order to gain a larger share of the newly minted coin for themselves. And you are right, in this case, unless the attacking miners are very cohesive as a group, then it would be enticing for each individual miner to break ranks and join the honest miners.

This is not the kind of 51% attack that I'm talking about. I'm talking about an attack that targets the traders, more so than the miners, namely by rewriting a recent part of the ledger in order to steal bitcoin.

They can in principle steal a lot of bitcoin thereby. However, it is typically assumed that the value of bitcoin would crash as a result, meaning that such 51%-attackers would need to very quickly trade that bitcoin for other assets/commodities in order to make it profitable for them.

firstly if your a malicious pool with lots of hashpower you own to match/beat honest network of pools and miners.. or even if you collude or intice many individuals to collude with you to get hash power.
even if you reversed old confirmed transactions. YOU can only then respend the transactions no longer confirmed if you own the private keys to the funds of the transactions that you edited out of the blockchain that you re-orged.. you cant just steal other peoples transaction value. you can only make their transaction no longer exist by going back. this means its only financially viable to do block re-orgs if YOUR transactions you signed previously and got confirmed to spend with a service, got reversed for you to then spend that amount again..
but you would only be able to do this effectively if you when spending first, received goods or services or another currency to keep that value. to then reverse the transaction to then spend the transaction amount again to double your value.
if you deposited funds into an exchange. and then bought ethereum again. but didnt withdraw it and just had it as exchange database balance. if you reversed your btc deposit tx. the exchange can just change its database balance of the eth to not give you the eth.. you would have needed to withdraw the eth to then not allow the service to react.

this means spending alot first(significant amount worthy of doing a re-org), waiting for the service to accept the amount is settled(significant amount would be 6confirms+), release their goods/service/other currency to you, wait for you to deem that other value type as received and then edit the blockchain to double spend the initial transaction amount to then be edited out the blockchain

this is not something you can do within just a couple blocks of the honest network.

meaning honest network then gets a blockheight headstart of 7 blocks ahead of dishonest pool, which then have to build on to catch up*
this 7 block difference takes time for the dishonest pool to catch up
(reality is if an exchange service does fiat withdrawal from your initial btc deposit you are not only waiting 6 confirms for the deposited to be accepted but then waiting for X time(can be 72hours(432 blocks)) for the fiat to clear your bank on withdrawal request)
(reality is if you buy goods with your initial btc spend, you have to wait for delivery of goods which would be alteast next day(144blocks))

so for you to then go back and then undo- your confirmed deposit/goods spend tx.. you then need to catch up x fold of time

now lets again ask you to do the math using jsut a small headstart
a 51% of honest network(2% advantage) is not enough hashpower to race against the honest network that is minimum 6confirm ahead
work out using math how many blocks it would take before the dishonest network can overtake the honest network

hint if just 6 confirm lead. the dishonest network with a 10% advantage(55% network) would need atleast ~44 blocks just to re-org a block that was initially just 6 blocks behind honest pools when the attack was initiated* and would need over 55 to be then 1 block ahead of the honest pools

* this is just a 6 block re-wind/re-org timeframe with a 10% lead(55% of network)


the more blocks a malicious pool need to go back. the more speed blocks it would require to build on from its edited block to then catch up
so if the service had a next day-72 hour goods/fiat delivery time.. the networks catchup time would be multiple factors longer to catch up

what you also find out is during those missing time blocks of dishonest catch-up time. there may be some miners working on that dishonest pool seeing that although it aided in building XX+ blocks for its pool for the pool manager to double spend pool managers funds. the miners are not seeing their attempted blocks ID and previous block ID visibly on the honest network YET, thus think they are running on some altcoin, so they would want to protect their investment, would jump to a honest pool whos blocks are visible

again the dishonest pool wont show results instantly. but would take time to get ahead of honest network to have results seen and the more blocks it has to go back the longer it takes to catch up to show results

run the math

as a separate argument about the effect of the malicious pool having on the market price
if a malicious pool were to be winning blocks(half of the blocks) where then the honest pools have competition.. the cost of mining for the honest side and malicious side doubles as they would only be winning half as many blocks compared to pre-attack. thus they wont want to sell at a loss and so the market speculation would be like the hashrate has doubled which is like a halving of rewards per mining pools competing. and so the market would actually want to go up as less would be willing to sell for less

just note how when the hashrate was half as much the bottomline of market value was half as much
(2022 bottomline hashrate tested $15k and now hashrate is X more the market is testing ~$50k bottom)

even the dishonest miners will want to recoup ROI from their investments and not sell rewards at a loss 2x loss and so they too wont want to crash the market and due to the competition on the hashrate causing mining costs to double for the network as a whole, they too wont sell cheap but instead push the market up

[franky1]

you went too literal about the word milks to talk about it a consumable rather then realise i was talking about any product has a real production cost and a separate retail price

Oh, I've asked about clarification on this point earlier. Do you mind? Are you really saying that miners are able to sell their minted bitcoin at a higher price than the "retail" market price? Or perhaps the other way around: that the miners are only able to sell it at a lower price than the "retailers," similar to most other real-world cases, like the milk example?

im saying if production cost of most efficient asics is $48k/btc COST..  only those at $48k+ would sell at $48k+ to break even/profit. no one likes to sell at a loss

those with higher costs would just retain coin and wait for the market to rise before selling
this causes a lack of supply on the market

also those with coin from say 2012 ($6/btc cost) may have sold to someone else in 2017 at $20k, where that buyer of that coin has a now $20k min break even so wont sell for $6 even if that coins origins had a mining cost initially of $6.. if then the guy that bought the $6 mined coin for $20k then sells that coin to someone else in 2021  ATH for $70k. the new buyer sets their break even at $70k so wont be selling their stash for under $70k
thus although the coin mined in 2012 had a mining cost of just $6 it has a current break even cost of $70k thus wont be on the market when the market price is $50k.. and would be retaining the coin off the market and wait for the market to reach their desired amount..
so again less supply willing to sell at <$50k

i for instance am one of the rare ones with coins still held from 20212($6/btc). however im not ready to sell and no i wont be interested in selling at <$50k even if my initial cost was just $6/btc..
those that do panic about markets more than likely already have sold and as such the new buyer sets the new break even amount

when you look at the mining costs and the coin acquisition costs of coin movements (realised value) you start to build a picture of how much coin is supporting certain price levels

if people are willing to sell at a loss. they probably already have. EG those that bought at $70k in 2021 and panicing in the 2022 $15k price range. if stupid enough to sell at a loss. they already have. meaning the new buyer at $15k+ in 2022+ may have more control of emotion to not sell at a loss.
which reciprocally they would sell at profit only in the $15k-$75k range of 2022-2024. where the next buyer then sets their break even above the $15k range. again strengthening the periodic bottoms of 2023-2024 of $25k- ~$50k

and no..its not about the market being $50k today and people are finding ways to sell coin today for $70k-$300k. its about people setting limits of break even to decide to sell now at $50k today OR hold onto coin because its not yet time to sell, they wait for the market to rise to sell when the market price is right

if people have no intention to sell in the 2024 period of $50k-$70k they wont put their coin into the market, they obviously want to wait for more then $75k before selling so are just holding onto coin and not putting it on the market

then you have to look at the other side of the market.. when there are regions of the planet where it costs $300k to mine (they assess cost before actually investing) they see its not worth mining at $300k a coin and would happily buy coin at $50k+ from the market. which also supports the market and the underlying value because they know chances of getting coin via any market for less is extremely thin, because even trying to get coin via OTC hidden markets of the most efficient mining pools will still have those efficient miners not wanting to sell below $50k today

[mjdamgaard]

In theory, there are some attacks in POS chains that would make the malicious chain indistinguishable from the honest chain, therefore they need check-points. But the problem - how do you decentralize check-pointing. And for those projects that claim they have, they are hard to analyze.

Yeah, there seems to be no way to do this algorithmically, i.e. with pure PoS. So the system in principle relies on the fact that people, not computers, are able to collectively remember some sort of checkpoints (albeit with the help of computers/servers). And it of course also relies on the fact that stakers/stakeholders won't risk the punishment associated with trying an attack.

To find out is simple - Attack Bitcoin. If the attackers are successful with that, then Bitcoin has no right to exist.

Ha, that's pretty cold.

[Wind_FURY]

In theory, there are some attacks in POS chains that would make the malicious chain indistinguishable from the honest chain, therefore they need check-points. But the problem - how do you decentralize check-pointing. And for those projects that claim they have, they are hard to analyze.

Yeah, there seems to be no way to do this algorithmically, i.e. with pure PoS. So the system in principle relies on the fact that people, not computers, are able to collectively remember some sort of checkpoints (albeit with the help of computers/servers). And it of course also relies on the fact that stakers/stakeholders won't risk the punishment associated with trying an attack.

In some POS blockchains/networks, there's check-pointing that's signed by a centralized entity - usually the developers - every X blocks to ensure that that is the real history to be followed.

To find out is simple - Attack Bitcoin. If the attackers are successful with that, then Bitcoin has no right to exist.

Ha, that's pretty cold.

If an attacker/attackers could be successful in getting more than 51% of the Hashing Power behind him/her/them, AND overcome the network's army of full nodes, then that would prove that Bitcoin has failed and therefore it has no reason to exist.