Bitcoin’s Collusion Problem - by Timothy B Lee

[PHPAdam]

http://timothyblee.com/2011/04/19/bitcoins-collusion-problem/

If a group of nodes colluded to change the rules (say, awarding themselves 100 Bitcoins rather than 50 for “winning” a round), the result would be a “fork” of the Bitcoin network. Nodes that enforced the original rules would reject blocks with the higher rewards, effectively expelling them from their network. The “rogue” nodes would recognize one another’s blocks, and would effectively establish a second, rival Bitcoin network. Theoretically, these different networks could continue in parallel indefinitely, but it’s likely that relatively quickly one of them (probably the larger one) would come to be regarded as the “real” Bitcoin network and cash spent on the other network would become worthless.

Does Timothy B Lee raise a good point here? We don't want splinter networks do we?

[1715112796]

1715112796

[1715112796]

1715112796

[1715112796]

1715112796

[Insti]

Splinter networks are good if you already hold bitcoins because you can spend them once on each branch!

[kiba]

Not new nor brilliant. Discussed months ago back in December.

http://inertia.posterous.com/bitcoin-mining-cartels-a-total-non-threat

[stillfire]

A few days ago I described a similar idea in "How a social attack could defeat a prosperous Bitcoin network".

I don't think Mr. Lee's idea of a few rich people getting together to change the client software for their benefit would work well. It would be hard to spread the corrupted client to a broad enough user base. Remember that today every single client verifies that the rules are being followed, and people usually don't update often. So in the beginning while the client was spreading, its transactions would be considered faulty and they'd be ignored. This would give everyone a good incentive /not/ to use the client - including the rich bankers.

In my scenario the client software is more slowly replaced with a corrupted version using a combination of social and legal powers. Its malicious effects are concealed during the transitionary period. I believe this to be a more realistic attack. http://bitcointalk.org/index.php?topic=6007.0

[kiba]

Not new nor brilliant. Discussed months ago back in December.

http://inertia.posterous.com/bitcoin-mining-cartels-a-total-non-threat

I rescind my criticism. I need to reread the critic's article.

[rezin777]

What about the mining pool.

The current top two pools combined would account for close to half the network hashrate.

Isn't this basically two miners with lots of workers?

Do pools make collusion too easy?

Would it be wise to have some of the more efficient miners in the pools branch out to smaller pools or go solo?

By the way, I'm not making any accusations, just questioning!

[ByteCoin]

There are two distinct issues being discussed here:
The original article discusses a fork caused by a substantial fraction of the network suddenly adopting an incompatible set of rules.
The recent observation is that a relatively small number of miners control a large fraction of the hashing power and could plausibly form a cartel.
Both are worth discussing in their own right but the share little commonality.

I believe that both problems would leave clear evidence on aggregate although the fault in individual instances could probably not be decided. There seems to be no evidence to suggest that either is a problem at the moment.

The success or failure of a rule-change bitcoin fork will be determined by similar factors as the success/failure of an open-source software fork as similar pressures operate. The fork has to be adopted and the new code base must be maintained. A lack of adoption causes a lack of incentive to maintain and develop the code. Eventually, one or other version has fewer bugs, is easier to use, has better features or becomes a standard for some other reason unrelated to its quality.

On the topic of mining cartels: I believe that as the value of bitcoin rises and the ability to quickly convert bitcoins into cash improves, the incentive to develop the programming and organizational infrastructure to enable mining cartels will become hard to resist.
Much of the essential infrastructure development could be rationalized by the major miners in positive terms as an improvement to the stability and robustness of the network. A similar development has occurred in the conventional banking/financial sector over the last hundred years or so.
 
ByteCoin

[fetokun]

He is also proposing that if more and more people start using services like "MyBitcoin" and alike, these services could just get together and change the protocol... especially if the majority adopts this kind of usage instead of running the clients themselves.

This sounds at least theoretically possible

[FreeMoney]

He is also proposing that if more and more people start using services like "MyBitcoin" and alike, these services could just get together and change the protocol... especially if the majority adopts this kind of usage instead of running the clients themselves.

This sounds at least theoretically possible

That's absolutely possible, but it's equivalent to those services just stealing your Bitcoins. If they take valid Bitcoins from you with the promise to return them and then deliver Pesos or Rubles or SnapCoins instead they are just thieves and they don't need to collude to do that.
 

[grondilu]

I'm afraid we are doomed to see always the same newbies who try to appear smart by bringing always the same arguments against bitcoin.

We very much need to have a good FAQ in order to answer to these guys with a simple link.

[Mike Hearn]

There isn't really a single answer. What he says is quite possible.

I don't think it's likely because if you look at other successful protocols on the internet, they ossify very quickly. Just because most email users are on {gmail,hotmail,yahoo} doesn't mean the rules of email can suddenly be forked (bitter experience spells this out). Merchants in particular are likely to run their own nodes and that means a few miners upgrading along with MyBitcoin wouldn't work. It'd have to be nearly everyone. That's hard to do even when there's universal agreement, let alone when the changes are controversial!

[MoonShadow]

If online wallet sites similar to Mybitcoin were to collude to attack the system this way, what happens to them once the depositors get wind of it?

What would an online Bitcoin bank run look like?  And why wouldn't the threat of same limit collusion to start with?

[Jim Hyslop]

He is also proposing that if more and more people start using services like "MyBitcoin" and alike, these services could just get together and change the protocol... especially if the majority adopts this kind of usage instead of running the clients themselves.

This sounds at least theoretically possible

The important thing to remember is that the block chain is what determines the rules. If a transaction doesn't get into the block chain, it's not valid. Since the miners determine what goes into the block chain, the miners are the ones who can change the rules.

[Mike Hearn]

That's not quite correct. Miners can include whatever stuff they want into a block and solve it. Broadcasting it does not mean it will be accepted by other nodes. Bitcoin verifies the blocks follow the rules regardless of whether they are mining or not.

[xf2_org]

That's not quite correct. Miners can include whatever stuff they want into a block and solve it. Broadcasting it does not mean it will be accepted by other nodes. Bitcoin verifies the blocks follow the rules regardless of whether they are mining or not.

Yes.  This was the key point that Tim B. Lee missed.  If a miner includes a 100 BTC generation inside a block, rather than the normal 50, all bitcoin nodes except that miner would reject the block as invalid.  If several miners collude to create 100 BTC blocks, everyone else -- namely people holding bitcoins, an audience that matters to miners -- would reject those blocks.

Like a democracy, people would have to vote for a bitcoin change by downloading and running the new software.

The miners cannot go completely "off the reservation" without agreement from users.

[MoonShadow]

That's not quite correct. Miners can include whatever stuff they want into a block and solve it. Broadcasting it does not mean it will be accepted by other nodes. Bitcoin verifies the blocks follow the rules regardless of whether they are mining or not.

Yes.  This was the key point that Tim B. Lee missed.  If a miner includes a 100 BTC generation inside a block, rather than the normal 50, all bitcoin nodes except that miner would reject the block as invalid.  If several miners collude to create 100 BTC blocks, everyone else -- namely people holding bitcoins, an audience that matters to miners -- would reject those blocks.

Like a democracy, people would have to vote for a bitcoin change by downloading and running the new software.

The miners cannot go completely "off the reservation" without agreement from users.

And even clients that do not generate get a vote, by simply refusing to propagate rejected blocks to their peers.  Much of the network wouldn't even see those modified blocks.

[Jim Hyslop]

There's something you're all overlooking.

The eventual goal is to have the majority of the network running light clients, which only have the block headers - no transactions. So (once light clients are the norm) the majority of the network won't even notice if miners overpay themselves. All they'll get is the block hash and the Merkle tree.

Suppose we have a cartel of miners (I am, of course, referring to a hypothetical cartel of unscrupulous miners, and in no way implying that any of the current miners or pools would try this).

Suppose the cartel members decide to change the rules, and agree that they will pay themselves a 100BTC bounty per block. As soon as they implement this, of course, their blocks will be rejected by miners that follow Satoshi's rules (I'll call these miners "orthodox miners"). We will then have a block chain split. Orthodox miners will continue to build on the one side, and the cartel will continue to build on the other side.

Both the orthodox miners and the cartel miners will confirm new transactions, and will continue to protect against double-spend attacks, so it doesn't matter which chain the users follow. Observant users might notice that the confirmations are taking longer than usual, but that's about all they will see.

If the cartel controls a sufficient portion of the mining power, then eventually their block chain will be recognized by all the light clients on the network as the main chain, and the light clients will abandon the orthodox chain.

Now, of course there will likely still be "heavy" clients out there, i.e. clients that for one reason or another do reject non-conforming transactions or blocks. They will, of course, reject the cartel's block chain, and continue to support the orthodox miners.

100 blocks after the split, the coins generated on either side of the split will mature, and the miners will want to start spending them. The cartel miners will only be able to spend their coins with light clients, and the orthodox miners will only be able to spend their coins with the heavy clients. And therein lies the key to whether the cartel succeeds or fails: how many heavy clients will there be, and how many light clients?

I can see three possible outcomes:
1) The heavy clients don't have enough influence, so the orthodox miners have nowhere to spend their money, and are forced to give in and accept the new rules; at this point the heavy clients will have no choice but to follow;

2) There are sufficient heavy clients, and the orthodox miners can get a patched light client out to enough general users that there is a permanent split in the block chain;

3) There are enough heavy clients that someone notices an unusually large number of "invalid" blocks being generated, and the orthodox miners get a patched client out quickly enough to foil the cartel.

So, it may be difficult, but not impossible, for a determined set of miners who control a sufficiently large portion of the network processing power to change the rules. Some of the rules, anyway.

Now, if we ensure that the light clients get the block and the first transaction (i.e. the miner's payout) then this attack will be more difficult. Still possible, but more difficult. In that case, the cartel has to provide its own client which ignores the payout rules, and entice enough of the users to install their client. Once they have enough installed, then they can try the coup d'etat.

[grondilu]

Does everybody realise how easy it would be to detect such an "unorthodox miner" ??

The software THAT YOU HAVE INSTALLED on your computer does it, and even you can do it "manually".

The reward transaction is the first one in the block:  you just have to look at it.

After block 210,000, If the reward is greater than 25BTC (apart from transaction fees), then you have been silly enough to install the cartel's version of the software.   In that case, all you have to do is uninstall this software and reinstall Satoshi's or Gavin's version.

End of story.

How hard is that?

To me, this Timothy Lee's article has been given way too much credit.  It's not a new idea, and it's not even smart.

Bitcoin is not a democracy:  nobody has to suffer from the stupidity of the majority of people.

[Jim Hyslop]

Does everybody realise how easy it would be to detect such an "unorthodox miner" ??

The software THAT YOU HAVE INSTALLED on your computer does it, and even you can do it "manually".

You've missed my point. Yes, the CURRENT software will detect it. But FUTURE versions that use the block-header-only protocol WILL NOT.

[grondilu]

You've missed my point. Yes, the CURRENT software will detect it. But FUTURE versions that use the block-header-only protocol WILL NOT.

Ok I confess I don't know much about this light version of the protocol.  I'll have to read more about that.