Topic: 50% attack for ~800 BTC after block reward halving (Read 5296 times)

You're premise that miners can be expected to idle their machines when the reward halves is wrong.

With miners needing to sell most of 3600 new coins per day, the only thing that keeps the price of bitcoin even relatively stable at a given price point is a roughly equal rate of new money flowing in. When the price holds for a stretch you can bet the reason is that at least one whale feels the current price can be sustained by the incidental rate of incoming new money plus their own willingness to buy at that level. They view the need to buy mined bitcoin each day as an obligation, since failure to do so will cost them even more in terms of a falling price.

Anyone who's wrestled with the decision of how much more money to invest in Bitcoin to support the current price level should have realized that there's a balance to be struck between how many bitcoins are mined each day and how many bitcoins are purchased by new money each day.

The long price decline since Q4 2013 shows that bitcoin holders would rather be pushing $0.8M of new money into bitcoin each day than $4M (if the price were to go back to $1000). Think of it as the savings rate of the true bitcoin believers of which there are probably between 250,000 and 500,000 globally at the moment (https://bitscan.com/bitnews/item/how-many-people-really-own-bitcoins-and-why-does-it-matter). Most of these people are limited in how much new money they can pump into bitcoin each day by their ability to earn non-bitcoin money each day.

Back to your premise: When the block reward halves, all other things remaining equal, you should expect the price to double. More specifically, if the price at the time of the halving truly reflects the savings rate of bitcoin holders, then the price should double.

Why? Because the savings rate is the sustainable rate of new money flowing in to buy mined bitcoins. The same amount of new money after the halving will buy half as many bitcoin at twice the price. Miners should just hold off selling until the price rises to that level. They should absolutely NOT turn off their equipment.

Of course when the price level is rising during a span of excessive exuberance, or falling due to a contagion of anxiety, what will determine the new price level once the dust settles is the new savings rate of the new/remaining pool of bitcoin holding believers.

Take another look at the premises here.
At reward halving, when the reward comprises >99% of the mining income, if price is stable or declining...  then we may see a lot of miners idling equip.
Thus if reward halves, and idle equipment is roughly 50% of the equipment before the reward halving, it may be rented and an attack launched.

If the premise conditions are met, it would not take a massive amount of people, or a government.  It would merely require a great concentration of wealth.  If other resources are added to this (force of law, hacking, massive data centers, governments, etc)  That just makes it easier to reach the threshold.

One method to defend against this, major commercial stakeholders (exchanges, etc) ought require more confirmations around this time.  Many exchanges are also limiting transactions, and requiring identifications so even if it is attempted and successful, the malicious miners may not 'get away' with it.

Other alt coins have more advanced coinbase reward systems that smoothly adjust rather than halving to accommodate for this.

i think thats really hard to believe when DoS attack has been begin

You are pretty close with your analysis but there are a few practical flaws which you are overlooking.

One, you have to assume that the miners that are switched off are also being sold.

Two, the switched off miners that make up the total 50% of the entire mining force are allocated in one place of at least geographically near to each other.

Three, the 'attacker' will be buying all the switched off miners from wherever they maybe located in the world - which is practically impossible.


This single purposed functionality of ASIC hashers have always been concerning to me as they become nothing more than paperweights once their mining days are over, at least with older FPGA units you could repurpose them for other encryption and decryption tasks.

That is the important fact. Satoshi's system has a lot of incentives and disincentives that make it logical to game. For example, people sometimes are concerned about some actor "buying all the coins cheap". Of course the more aggressively one buys, the more expensive each coin becomes.

I still didn't get something on that link , why do they mean by "An attacker that controls more than 50% of the network's computing power" , what does it mean ?
Means he have a lot a lot a lot of Miners and he have more then 51% ? don't get it

I don't think the costs will be quite as low as you expect. Even if the cost of the miners themselves drops to 0, there could still be significant other costs involved with bringing that hardware back online. If a company owns its facility and is solvent at the time it wants to shut off, the attacker might just be able to buy it out and seamlessly change over to a different fork. That's not guaranteed to happen though, many of the failed companies might end up like Cointerra where they have not paid their bills and the hosting company is in the possession of the equipment. Even if they own their own buildings and the equipment is ready to turn back on, you might have pushback from the power utility if the previous owner has stuck them with an unpaid 6 figure power bill.

No numbers to back it up, but I would guess to costs related with gaining control of half the network hashrate would be significantly higher than the actual market value of the XXX PH/s you're buying.

This attack will probably always be viable in some sense once the rapid pace of ASIC development slows down to a (relative) crawl.

When dark hashpower is >> hashrate, anyone can buy and spin up hardware, with the marginal cost being electricity.

Groups will most likely hold onto miners even if they aren't being used in case the hashrate dips too much or they get invested in a block race.

Another way to think of it is that if mining is in a pure equilibrium the mining ongoing cost and equipment cost will equal the value of the coins to produced over time as well.  Or put differently in the run up to the halving the halving would be factored into miner planning and production/ordering.  My point is this won't be a singular event but would start affect decision making well in advance of the event.  Older equipment won't be replaced, less new equipment ordered etc.  

So in the run up to the halving you'd see a combination of:
- reduction in price of mining equipment of specified efficiency (or being taken off the market)
- improvement in hardware efficiency
- reduction in overall hash rate
- reduction in the number of miners with higher electricity costs, reducing the average miner electricity cost

You need all or some of these to happen to maintain the equilibrium.

A combination of the above seems most likely, so you are unlikely to see 50% reduction in the hash rate over months.  Not to speak about fast enough to enable an attack in quick enough way to be effective.

Some of the bitcoin crashes have effectively (in USD terms) halved the block reward.  This should be far more catastrophic as these are not possible to plan for and are thus more likely to result in potential for a hash rate take-over. edit: and this hasn't resulted in massive hash rate drop (or a 50% attack).

That is all the "available" mining power. ("available" meaning available to be purchased) Cost is determined by both SUPPLY and DEMAND.  You are assuming that the price will drop to zero because there will be a sudden increase in supply.  You are ignoring the fact that the attacker is creating a sudden increase in demand.  You are also assuming that there will only be a single person in the entire world that will be willing to buy any of the turned off equipment.  If there is even one other person (and there will certainly be more than that) that is interested in buying some of the equipment that is turned off, then there is competition that will drive the price up.


That is not true. Even at equilibrium:

• Some miners have access to cheaper electricity.
• Some miners are willing and able to operate with slightly smaller profit margins.
• Some miners are hobbyists that are willing to operate at a slight loss for the sake of their hobby.
• Some miners gain an "economy of scale" for larger operations

I don't see where it is accounted for in your calculations. I was aware that the cost if from before the halving, I just don't see where you accounted for it in your revenue calculations.

You use 1/2 (2^k)(BR) in costs (where BR is the pre-halving block reward).  The 1/2 is because the miner is running half of the network, right?

But the revenue is also 1/2 (2^k)(BR), because the attacker gets to keep 100% of the blocks, and each block reward is 1/2(BR).


And I'm confident that market forces will make an attack near  block reward halving prohibitively expensive as I've already pointed out.

not all, but one half. The half that was switched off and that is not worth switching on, so its cost is near 0.

assuming the mining market was in a state of equilibrium, all the running equipment would be equally efficient




This is already accounted for in my calculations. I think what you are missing is that
the cost of running the equipment is that from before the halving, but the rewards are halved.


I think the only new part in my post was to consider the 50% attack near  block reward halving.
The rest is indeed well-discussed

I think you meant to say that mining revenue halves.  If they were already operating on a tight margin, then profitability is eliminated and until enough hash power is shut off, everyone is operating at a loss.


Actually, equilibrium will be reached when half of the hash power is shut off.  This could be more than half the miners, it could be less than half the miners.  Since the most inefficient mining equipment is most likely to be shut off the earliest, the number of "miners" will largely depend on how many miners are running older more inefficient equipment.


Except that if a single person is trying to buy ALL the available mining power, this would be a huge increase in DEMAND.  So, while the supply would increase, the demand would be increasing along with it.  This huge demand would drive prices for the equipment through the roof and make it extremely expensive to purchase this left over equipment.  Those with access to extremely cheap electricity would also be competing with the potential attacker to purchase this equipment, making it exceedingly difficult for a single entity to gain control of 100% of the equipment that was shut off.  I think you'll find that acquiring more than 50% of the entire global hash power will not be a "very small cost".  Furthermore, the equipment that is available to purchase will be the most inefficient (and therefore most expensive to actually operate).




Remember that the equipment that was sold off was the most inefficient equipment.  The more efficient equipment would still be in the hands of the original owners and still running in locations with competitive electricity costs.  Therefore, the cost to operate the most inefficient 50% of the pre-halving hash power should be significantly more than 1/2 2^k BR.


You are mistaken.  In order to successfully perform a 50%+1 attack, the attacker would receive 100% of the new blocks during the attack.

Therefore, the attacker would gain 1/2(2^k)(BR) in revenue. Theoretically, if the attacker wasn't running inefficient equipment, this would exactly offset the 1/2(2^k)(BR) in operating costs.  In addition to the fact that the attacker is running inefficient equipment, an additional catch is that the costs would be incurred at the time that the equipment is running, and the revenue wouldn't be available until the attack was over.  Once the attack is over, the revenue is worth significantly less (due to loss of faith in bitcoin security).  The attacker will still need to pay for their operating costs in non-BTC currency, but will not have earned enough BTC value to cover those costs.


As we've already explained, your "3/4 2^(k-1) BR + N" is incorrect.  Even if it was correct, you got the math wrong:

2⁶ = 64
64 * 25 = 1600 (not 800)
3/4 * 1600 = 1,200
If we are willing to accept your unlikely prediction of N<200, you are still looking at a total cost (using your formula) of nearly 1,400 BTC.

This means that the attacker would need to successfully complete an attack that allows them the opportunity to steal at least 1,400 BTC and would need to cash out those 1,400 BTC before the attack was noticed and the exchange rate crashed.  This overlooks all the logistics costs of transporting, housing, and connecting all that equipment.


50%+1 attacks are a common concept re-introduced by people that don't take the time to consider all the ramifications.  It's been discussed in hundreds of ways.  You made some mistakes in your calculations, and you made some very unlikely assumptions.

I think your idea is interesting, the rental idea is orthogonal and could be combined with it.

I agree that in the current market, renting half of the hashing power for Bitcoin would be really tough.  But that is only because the Bitcoin ASIC market is inefficient in the economic sense.

The rental attack idea probably already works - and may have already been used - for GPU mining coins.  Even there though there really isnt yet an efficient market for GPU computation - at least not yet.

An efficient market for GPU computation would be the situation where almost everyone runs some smart app on their GPU which is intelligent about earning money through any means - renting out compute time for any of a wide variety of coins/projects/etc when they are asleep/away, but only when the pay is worth the power cost, etc.

I think that market efficiency will tend to increase over time.

Note that the 51 % attack only allows you to double spend or to invalidate other people's transactions. It does not enable you to steal any coins from other people's addresses.


So the real risk for 800 BTC (now around $300k) here is not people using this to steal money, but big players (governments) trying to DoS the network.

It's worth adding that since miners' costs basically track USD, the conditions described by the OP don't just hold on the reward halving, they also hold when the value of bitcoin takes a dive, as it does every now and then.

If there's really some kind of network-weakening incentive-breakage under these conditions then a price dive seems like a more likely trigger than the block reward halving, because the risk of incentive-breakage could reduce the usefulness of bitcoins, and feed back into an ever-lower bitcoin price.

i think you mean efficient market

I think this is and interestin idea. However, while I find it easy to agree with the quoted assumption when we are speaking about small amounts of hash power, once it's about half the network it becomes dubious. No matter how efficient the  market is,  if you want to buy half of all the supply you'd be moving the price a lot.

That's why my original argument involves a mojor external event: block reward halving.

lol good luck at 50%ing BTC need much power for that and at least 50% of intir network hash and then some. People tried and failed many times before and more hash coming on would be a mission imposable to do such an attack unless you had a big massive amount of people to follow it but highly doubtful. Maybe the government and NSA might able pull something off like that but still I doubt would happen as Bitcoin getting very big now.

All I can say is WOW! it is absolutely crazy how people come up with this kind of stuff.  Another question,  I heard a story about someone using miners to hack into I think it was home depot system.  Would this attack method be the same for something like that?

Its basically, a single pool mining most the coins, and having very high hashing power ,
more than 50% of the total hashing power used.