50% attack for ~800 BTC after block reward halving

[trout]

[not sure if this is technical enough, but I find this subforum more sensible. If the mods find it too light, please feel free to move to the general discussion]

Assume that, close to the block reward halving, the following conditions hold:
1) mining technology is saturated, so that no significantly improvement in efficiency happens nor is expected to happen soon
2) the price is relatively "stable" and no major jumps are expected soon
3) tx fees make for but a small part of the block reward


As a consequence, miners operate on a very small margin, spending most  of the reward on electricity.

Then after the block halving, mining profitability nearly halves, and many miners have to switch off their equipment. The equilibrium is reached when half the miners switch off.

The market of mining equipment is over-supplied, the prices drop to almost zero. Thus one can buy all those switch-off miners - that represent half the network hash power-  for a very small cost.
I don't know what's "very small" (there are always at least shipping or acquisition  expenses to consider), but
let's just call it N for now.

Assume an attacker acquires all this equipment. Now that he  has 50%  hashing power, what's the cost of running the attack?

Let's say he wants to mine k consecutive blocks. With 50% power he should
expect to wait 2^k blocks before he gets these.  Running half the network for that long costs (since we assumed miners operated on low margin before the halving)  1/2 2^k BR in electricity where BR is the block
reward before halving.   Since during this time he also gets half of the new block rewards,  the total  cost is 3/4 2^(k-1) BR + N

Putting some numbers here: current BR=25 BTC;  we can take k=6 (now some big exchanges accept as little as 3 confirmations, I guess all the big ones accept less than 6), we get 3/4 * 800 BTC + N.   Now given the discussion above I think it's not unreasonable to assume N<200BTC, bringing the total to 800BTC.

Note that the last time the block reward halved, assumptions 1 and 2 were not satisfied, while 3 was.
Next time 1 and 2  are quite likely to be satisfied, and 3 is satisfied currenlty. One can also calculate waht is the effect of the tx fees; but it's easy to see that for it has to be of the same order as block reward to be significant.


what do you guys think? Did I make any major mistake in this calculation? Has this been discussed and dismissed before?

[nomadcrypto]

The major flaw I see with this is the fact that being able to hold 3 or more blocks before someone else solves them is pretty unlikely. This would work for a p2p trade if you were able to hold a block and get away before someone else solved it

[seabass1985]

I've always wondered what is a 50 or 51% attack?

[cr1776]

I've always wondered what is a 50 or 51% attack?

Here is one explanation:
https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_computing_power

[Remember remember the 5th of November]

I've always wondered what is a 50 or 51% attack?

Here is one explanation:
https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_computing_power

I've always wondered what is a 50 or 51% attack?

The gist of it is that if someone has too many miners, he can chargeback(reverse) his own transactions, plus other unsuspecting people's transactions too. Only if he's a bad guy/woman though

[Alix Istek]

EDIT: inefficient -> efficient, whoops

This is interesting, and gets more interesting if there is an efficient rental market for cloud hashing.

The attacker doesn't need to actually buy the hardware, they just need to rent it for a few hours or a day or whatever - just long enough to launch a 51% attack and steal money from a major exchange.

1. Rent enough hardware to create a temporary 51% pool.
2. start mining a private fork that gets ahead
3. Send in $X worth of currency A to the exchange (darkcoin say)
4. sell all of the A-coin for $X worth of B-coin (BTC)
5. withdraw all of the B-coin and wait for that to clear on the B-network
6. reveal your private fork to roll back the transactions and get all of your A-coin back

The attacker nets: $X + mining_revenue - mining_rental

In an efficient market, the mining rental cost becomes the same as mining revenue, so this scheme almost doubles the attacker's money.

The somewhat good news for bitcoin is that this attack is still easier for smaller market-cap coins, which would presumably start suffering from it first.

[caga]

I've always wondered what is a 50 or 51% attack?

Its basically, a single pool mining most the coins, and having very high hashing power ,
more than 50% of the total hashing power used.

[seabass1985]

All I can say is WOW! it is absolutely crazy how people come up with this kind of stuff.  Another question,  I heard a story about someone using miners to hack into I think it was home depot system.  Would this attack method be the same for something like that?

[crazyearner]

lol good luck at 50%ing BTC need much power for that and at least 50% of intir network hash and then some. People tried and failed many times before and more hash coming on would be a mission imposable to do such an attack unless you had a big massive amount of people to follow it but highly doubtful. Maybe the government and NSA might able pull something off like that but still I doubt would happen as Bitcoin getting very big now.

[trout]

...

In an inefficient market, the mining rental cost becomes the same as mining revenue, so this scheme almost doubles the attacker's money.

...

I think this is and interestin idea. However, while I find it easy to agree with the quoted assumption when we are speaking about small amounts of hash power, once it's about half the network it becomes dubious. No matter how efficient the  market is,  if you want to buy half of all the supply you'd be moving the price a lot.

That's why my original argument involves a mojor external event: block reward halving.

[gmannnnn]

In an inefficient market, the mining rental cost becomes the same as mining revenue, so this scheme almost doubles the attacker's money.

i think you mean efficient market

[edmundedgar]

It's worth adding that since miners' costs basically track USD, the conditions described by the OP don't just hold on the reward halving, they also hold when the value of bitcoin takes a dive, as it does every now and then.

If there's really some kind of network-weakening incentive-breakage under these conditions then a price dive seems like a more likely trigger than the block reward halving, because the risk of incentive-breakage could reduce the usefulness of bitcoins, and feed back into an ever-lower bitcoin price.

[bcearl]

Note that the 51 % attack only allows you to double spend or to invalidate other people's transactions. It does not enable you to steal any coins from other people's addresses.


So the real risk for 800 BTC (now around $300k) here is not people using this to steal money, but big players (governments) trying to DoS the network.

[Alix Istek]

...

In an inefficient market, the mining rental cost becomes the same as mining revenue, so this scheme almost doubles the attacker's money.

...

I think this is and interestin idea. However, while I find it easy to agree with the quoted assumption when we are speaking about small amounts of hash power, once it's about half the network it becomes dubious. No matter how efficient the  market is,  if you want to buy half of all the supply you'd be moving the price a lot.

That's why my original argument involves a mojor external event: block reward halving.

I think your idea is interesting, the rental idea is orthogonal and could be combined with it.

I agree that in the current market, renting half of the hashing power for Bitcoin would be really tough.  But that is only because the Bitcoin ASIC market is inefficient in the economic sense.

The rental attack idea probably already works - and may have already been used - for GPU mining coins.  Even there though there really isnt yet an efficient market for GPU computation - at least not yet.

An efficient market for GPU computation would be the situation where almost everyone runs some smart app on their GPU which is intelligent about earning money through any means - renting out compute time for any of a wide variety of coins/projects/etc when they are asleep/away, but only when the pay is worth the power cost, etc.

I think that market efficiency will tend to increase over time.

[DannyHamilton]

Then after the block halving, mining profitability nearly halves

I think you meant to say that mining revenue halves.  If they were already operating on a tight margin, then profitability is eliminated and until enough hash power is shut off, everyone is operating at a loss.

and many miners have to switch off their equipment. The equilibrium is reached when half the miners switch off.

Actually, equilibrium will be reached when half of the hash power is shut off.  This could be more than half the miners, it could be less than half the miners.  Since the most inefficient mining equipment is most likely to be shut off the earliest, the number of "miners" will largely depend on how many miners are running older more inefficient equipment.

The market of mining equipment is over-supplied, the prices drop to almost zero. Thus one can buy all those switch-off miners - that represent half the network hash power-  for a very small cost.

Except that if a single person is trying to buy ALL the available mining power, this would be a huge increase in DEMAND.  So, while the supply would increase, the demand would be increasing along with it.  This huge demand would drive prices for the equipment through the roof and make it extremely expensive to purchase this left over equipment.  Those with access to extremely cheap electricity would also be competing with the potential attacker to purchase this equipment, making it exceedingly difficult for a single entity to gain control of 100% of the equipment that was shut off.  I think you'll find that acquiring more than 50% of the entire global hash power will not be a "very small cost".  Furthermore, the equipment that is available to purchase will be the most inefficient (and therefore most expensive to actually operate).

Let's say he wants to mine k consecutive blocks. With 50% power he should
expect to wait 2^k blocks before he gets these.  Running half the network for that long costs (since we assumed miners operated on low margin before the halving)  1/2 2^k BR in electricity where BR is the block
reward before halving.

Remember that the equipment that was sold off was the most inefficient equipment.  The more efficient equipment would still be in the hands of the original owners and still running in locations with competitive electricity costs.  Therefore, the cost to operate the most inefficient 50% of the pre-halving hash power should be significantly more than 1/2 2^k BR.

Since during this time he also gets half of the new block rewards,  the total  cost is 3/4 2^(k-1) BR + N

You are mistaken.  In order to successfully perform a 50%+1 attack, the attacker would receive 100% of the new blocks during the attack.

Therefore, the attacker would gain 1/2(2^k)(BR) in revenue. Theoretically, if the attacker wasn't running inefficient equipment, this would exactly offset the 1/2(2^k)(BR) in operating costs.  In addition to the fact that the attacker is running inefficient equipment, an additional catch is that the costs would be incurred at the time that the equipment is running, and the revenue wouldn't be available until the attack was over.  Once the attack is over, the revenue is worth significantly less (due to loss of faith in bitcoin security).  The attacker will still need to pay for their operating costs in non-BTC currency, but will not have earned enough BTC value to cover those costs.

Putting some numbers here: current BR=25 BTC;  we can take k=6 (now some big exchanges accept as little as 3 confirmations, I guess all the big ones accept less than 6), we get 3/4 * 800 BTC + N.   Now given the discussion above I think it's not unreasonable to assume N<200BTC, bringing the total to 800BTC.

As we've already explained, your "3/4 2^(k-1) BR + N" is incorrect.  Even if it was correct, you got the math wrong:

2⁶ = 64
64 * 25 = 1600 (not 800)
3/4 * 1600 = 1,200
If we are willing to accept your unlikely prediction of N<200, you are still looking at a total cost (using your formula) of nearly 1,400 BTC.

This means that the attacker would need to successfully complete an attack that allows them the opportunity to steal at least 1,400 BTC and would need to cash out those 1,400 BTC before the attack was noticed and the exchange rate crashed.  This overlooks all the logistics costs of transporting, housing, and connecting all that equipment.

what do you guys think? Did I make any major mistake in this calculation? Has this been discussed and dismissed before?

50%+1 attacks are a common concept re-introduced by people that don't take the time to consider all the ramifications.  It's been discussed in hundreds of ways.  You made some mistakes in your calculations, and you made some very unlikely assumptions.

[trout]

Except that if a single person is trying to buy ALL the available mining power, this would be a huge increase in DEMAND.

not all, but one half. The half that was switched off and that is not worth switching on, so its cost is near 0.

 Furthermore, the equipment that is available to purchase will be the most inefficient (and therefore most expensive to actually operate).

assuming the mining market was in a state of equilibrium, all the running equipment would be equally efficient

You are mistaken.  In order to successfully perform a 50%+1 attack, the attacker would receive 100% of the new blocks during the attack.

Therefore, the attacker would gain 1/2(2^k)(BR) in revenue. Theoretically, if the attacker wasn't running inefficient equipment, this would exactly offset the 1/2(2^k)(BR) in operating costs.

This is already accounted for in my calculations. I think what you are missing is that
the cost of running the equipment is that from before the halving, but the rewards are halved.

50%+1 attacks are a common concept re-introduced by people that don't take the time to consider all the ramifications.  It's been discussed in hundreds of ways.  You made some mistakes in your calculations, and you made some very unlikely assumptions.

I think the only new part in my post was to consider the 50% attack near  block reward halving.
The rest is indeed well-discussed

[DannyHamilton]

Except that if a single person is trying to buy ALL the available mining power, this would be a huge increase in DEMAND.

not all, but one half. The half that was switched off and that is not worth switching on, so its cost is near 0.

That is all the "available" mining power. ("available" meaning available to be purchased) Cost is determined by both SUPPLY and DEMAND.  You are assuming that the price will drop to zero because there will be a sudden increase in supply.  You are ignoring the fact that the attacker is creating a sudden increase in demand.  You are also assuming that there will only be a single person in the entire world that will be willing to buy any of the turned off equipment.  If there is even one other person (and there will certainly be more than that) that is interested in buying some of the equipment that is turned off, then there is competition that will drive the price up.

Furthermore, the equipment that is available to purchase will be the most inefficient (and therefore most expensive to actually operate).

assuming the mining market was in a state of equilibrium, all the running equipment would be equally efficient

That is not true. Even at equilibrium:

• Some miners have access to cheaper electricity.
• Some miners are willing and able to operate with slightly smaller profit margins.
• Some miners are hobbyists that are willing to operate at a slight loss for the sake of their hobby.
• Some miners gain an "economy of scale" for larger operations

You are mistaken.  In order to successfully perform a 50%+1 attack, the attacker would receive 100% of the new blocks during the attack.

Therefore, the attacker would gain 1/2(2^k)(BR) in revenue. Theoretically, if the attacker wasn't running inefficient equipment, this would exactly offset the 1/2(2^k)(BR) in operating costs.

This is already accounted for in my calculations. I think what you are missing is that
the cost of running the equipment is that from before the halving, but the rewards are halved.

I don't see where it is accounted for in your calculations. I was aware that the cost if from before the halving, I just don't see where you accounted for it in your revenue calculations.

You use 1/2 (2^k)(BR) in costs (where BR is the pre-halving block reward).  The 1/2 is because the miner is running half of the network, right?

But the revenue is also 1/2 (2^k)(BR), because the attacker gets to keep 100% of the blocks, and each block reward is 1/2(BR).

50%+1 attacks are a common concept re-introduced by people that don't take the time to consider all the ramifications.  It's been discussed in hundreds of ways.  You made some mistakes in your calculations, and you made some very unlikely assumptions.

I think the only new part in my post was to consider the 50% attack near  block reward halving.
The rest is indeed well-discussed

And I'm confident that market forces will make an attack near  block reward halving prohibitively expensive as I've already pointed out.

[spin]

Another way to think of it is that if mining is in a pure equilibrium the mining ongoing cost and equipment cost will equal the value of the coins to produced over time as well.  Or put differently in the run up to the halving the halving would be factored into miner planning and production/ordering.  My point is this won't be a singular event but would start affect decision making well in advance of the event.  Older equipment won't be replaced, less new equipment ordered etc.  

So in the run up to the halving you'd see a combination of:
- reduction in price of mining equipment of specified efficiency (or being taken off the market)
- improvement in hardware efficiency
- reduction in overall hash rate
- reduction in the number of miners with higher electricity costs, reducing the average miner electricity cost

You need all or some of these to happen to maintain the equilibrium.

A combination of the above seems most likely, so you are unlikely to see 50% reduction in the hash rate over months.  Not to speak about fast enough to enable an attack in quick enough way to be effective.

Some of the bitcoin crashes have effectively (in USD terms) halved the block reward.  This should be far more catastrophic as these are not possible to plan for and are thus more likely to result in potential for a hash rate take-over. edit: and this hasn't resulted in massive hash rate drop (or a 50% attack).

[instagibbs]

This attack will probably always be viable in some sense once the rapid pace of ASIC development slows down to a (relative) crawl.

When dark hashpower is >> hashrate, anyone can buy and spin up hardware, with the marginal cost being electricity.

Groups will most likely hold onto miners even if they aren't being used in case the hashrate dips too much or they get invested in a block race.

[MrTeal]

I don't think the costs will be quite as low as you expect. Even if the cost of the miners themselves drops to 0, there could still be significant other costs involved with bringing that hardware back online. If a company owns its facility and is solvent at the time it wants to shut off, the attacker might just be able to buy it out and seamlessly change over to a different fork. That's not guaranteed to happen though, many of the failed companies might end up like Cointerra where they have not paid their bills and the hosting company is in the possession of the equipment. Even if they own their own buildings and the equipment is ready to turn back on, you might have pushback from the power utility if the previous owner has stuck them with an unpaid 6 figure power bill.

No numbers to back it up, but I would guess to costs related with gaining control of half the network hashrate would be significantly higher than the actual market value of the XXX PH/s you're buying.