Topic: Bitcoin transactions can be reversed if . . .! (Read 287 times)

Sure, a 51% attack does not allow the attacker to "create value out of thin air" or "take money that never belonged to the attacker", as the whitepaper puts it, but it is still worth bearing in mind. Maybe if all you are doing with bitcoin is trading it on a centralized exchange (and therefore not actually making any transactions with it anyway) then you don't need to think about it, but a 51% attack is important to consider if you are trading directly with another user or selling any goods or services for bitcoin. As I explained above, even with a proportion of the hashrate far below 51%, an attacker still has a chance to reverse a transaction, but this chance becomes exponentially smaller with each further confirmation. It is the entire reason behind why lots of places wait for 6 confirmations before confirming funds or deposits.

This is a pretty cool discussion. I must go through the white-paper one more time to understand gravity of the "calculations". Surely Satoshi might have thought of every other possibility of so called categorical theft!

Now I understand how the honest chain could be escape for an attacker to reverse or may be "capture" bitcoins from other individual. However, this would take lot of efforts and obviously freakishly high 51% hash power. The later seems to be almost impossible for any mining firm on the current network difficulty (Hope so!)

Thanks for the great output guys.

In the past, this has in fact happened. For example, in 2014, the GHash pool controlled 51% of the hashrate, although they quickly and voluntarily reduced this. It is worth noting though that in 2014 the total hashrate was around 0.08% of what it is now, so a comparatively tiny amount of hash power was enough to be 51% of the total hash power.

It is entirely possible (and very easy if RBF is enabled) to reverse transactions with zero confirmations. It is also theoretically possible to reverse transactions without having 51% of the hashrate if you were to get lucky when mining your secret chain. You can read the relevant calculations as detailed in the whitepaper as I said above. For example, someone with 10% of the hashrate would still have a 20% chance of being able to reverse a transaction with 1 confirmation, although this drops to 0.02% after 6 confirmations.

You can play around with the numbers yourself here: https://web.archive.org/web/20200502141047/https://people.xiph.org/~greg/attack_success.html

The halving has no direct effect on the difficulty. The halving affects the block reward. The amount of hash power affects the difficulty.

No single entity can own 51% of hash power. So though in theory it is possible to reverse Bitcoin transaction, in practice it can never happen. Increasing rate of difficulty to solve the block makes it more impossible with every halving.

Thank you, the whole scenario is way more clear now. For BTC is pratically impossible to do that, unless a quantum computer breaks out of the sudden with enough hash power to be bigger than the current hash rate, which I find ... quite unlikely.

I'm also with another notion regarding the safety of the other coins, so that's a win-win scenario, so thank you for both detailed explanations mate!

Sure, but you don't need to since many altcoins have already been successfully 51% attacked. BCash, for example, has been successfully 51% attacked on more than one occasion:
https://www.coindesk.com/bitcoin-cash-miners-undo-attackers-transactions-with-51-attack
https://decrypt.co/49819/bitcoin-cash-rebels-launch-51-attack-to-destroy-bch-hard-fork

The buyer would keep the BTC, by sending it back to another address they control.

Let's say I have 100 BTC in address A, and I send it to address B, which belongs to you. I broadcast that transaction to the network, you see it, and it gets its first confirmation in block 669,301. In secret, I write a new transaction which would send the same coins from address A to address C, which belongs to me. I include this new transaction in a block which I mine, also at height 669,301, but I don't tell anyone else about my block. I continue to mine in secret, and because I have >51% of the hashrate, I can mine blocks faster than the main honest chain which everyone else in the world is looking at. You see first transaction on the main chain, which sends 100 BTC to address B, gain 2 confirmations at block 669,302. Then 3 confirmations at block 669,303. Meanwhile, and still in secret, I'm mining my own chain of blocks 669,302, 669,303, and so on, which are building on top the transaction which sent 100 BTC to myself and have no knowledge of the transaction which sent 100 BTC to you. At some point, you are happy with the number of confirmations you see and you release the goods I am buying. At that point, I publish my secret chain all at once. Since my secret chain has more proof of work than the honest chain everybody else is looking at, it replaces the honest chain as the main chain. The transaction which sent 100 BTC to you now only exists in the old honest chain which has now been replaced. The new main chain, made up of my secret chain, contains the transaction which sends 100 BTC back to myself.

Transactions don't get "embedded into nodes", nodes store unconfirmed transactions in their mempools to help these transactions to propagate through the network to eventually reach miners, so that they can include it in next block.

Miners don't "keep confirming" a transaction, the first confirmation happens when a transaction gets included in the most recent block that became a part of the blockchain, all other confirmations are just the number of blocks mined after that one block.

That's mind blowing. Could I extrapolate the same basis / calculation to other coins (mainly altcoins) to show that someone could easily exploit this? I thinking in making some informative thread about it, since it brings attention to an overlooked factor in other coins....

Just a final question : From what I understood, one would do this just to basically deny the BTC to the other party right? The buyer wouldn't receive their BTC back as well, they would simply be "erased" right? Or they would rest in some sort of transaction limbo?

It's not a flaw in the blockchain code. It is how it is designed to be. Bitcoin is decentralized and 51% means more than half of the miners consider it to be true.
Now if the attacker has the 51% hashing power as an individual, that's something which shouldn't have happened at first place.
For bitcoin to be truly decentralized, one entity should never have more than 51% hashing power at all.

The other party would initially receive the bitcoin. As the honest chain built up more and more blocks, they would see the transaction which sends them bitcoin receive 1, then 2, then 3, and so on confirmations. If a 51% attacker then published a longer chain which did not include that transaction, then that transaction (and the bitcoin in the recipient's wallet) would simply disappear.[/quote]

Would the transactions simply disappear from our wallets or be marked as invalid transactions ?
I think the transactions should be marked as invalid ones, not sure though.

Well, it depends. There are no laws against the act of reversing a bitcoin transaction, and indeed, using something like RBF could be thought of as reversing a transaction (albeit it one with zero confirmations!) when you replace a transaction with another sending the coins back to yourself instead. But if you have paid someone in bitcoin and received goods or services in return for that payment, and you later reverse that payment, then that is categorically theft.

The other party would initially receive the bitcoin. As the honest chain built up more and more blocks, they would see the transaction which sends them bitcoin receive 1, then 2, then 3, and so on confirmations. If a 51% attacker then published a longer chain which did not include that transaction, then that transaction (and the bitcoin in the recipient's wallet) would simply disappear.

Not at all. It is necessary given the way that bitcoin works. Indeed, Satoshi outlined how an attack would work and how it becomes exponentially more unlikely with every additional confirmation in section 11 of the whitepaper entitled "Calculations".

That explanation is amazing. More facts are cleared with this however few more gained in the process.

Like, you said they would do this in secrete chain and then publish the proof of work later on to claim the 100 BTC example.

So it’s more or less illegal way to do so ?

I mean if they claim by your procedure then they would end up “stealing” the bitcoins from broadcaster. On the other hand receiving party would never receive the bitcoins!!

But what happens to recipient end since bitcoin address was entered but they never reached the address.  

---

Is it a flaw in the blockchain code ?
Is it really a reversal or stealing ?

Certainly.

If we take a look at a graph such as https://bitinfocharts.com/comparison/bitcoin-hashrate.html, we can see that for the last few days the average hashrate has been sitting around 130 exahashes per second. An adversary who is not currently mining would need to, therefore, be able to sustain 130 exahashes per second.

If we take the most recent Antminer - the S19 Pro - as a benchmark, then each ASIC device will produce 110 terahashes per second for 3,250 watts of electricity. Given that 130 exahashes per second is equivalent to 130,000,000 terahashes per second, then the attacker would need to be running around 1.18 million Antminer S19 Pros. With a cost per unit of around $4,000, then the cost just for the ASICs required would be $4.7 billion, never mind the infrastructure to house, power, and cool them all, and the 3.8 million watts of electricity to keep them running.

Attackers can only revert their own transactions but they can not revert our bitcoin transactions. To revert transactions, they need to have sign a valid signature and they don't own private keys of our bitcoin wallets so that they can not produce valid signatures that not belong to them.

I used to misunderstand 51% attack too when I think if it happened, my bitcoin will be stolen by attackers. In fact, if I don't have any related transactions with attackers, I am fine.

You can read more
Source: https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch10.asciidoc

This is a really good insight that I wasn't aware of, thank you for this information o_e_l_e_o! I wonder if one could hypothetically translate the 51 % hashrate into actual numbers such as number of GPU's that would need to be working, electricity that one had to "waste" in order to revert the attack. I wonder, at the present time, how many hashrate would have to be employed to revert a transaction in BTC? Is there any graph that I could use to extract this information from?

Yes. This is termed a 51% attack.

Any adversary with 51% of the network's hashrate can, over time, out-mine all honest miners who will possess 49% of the hashrate. This means that the adversary can build a longer chain of blocks, and those blocks can contain any transactions they choose. If they want to censor everyone else's transactions, they could. If they want to include a transaction which sends coins previously sent to a merchant back to themselves, they could.

For example, lets say the 51% attacker makes a transaction in which sends 100 BTC to a third party. The third party will obviously wait for 6 or more confirmations before considering that "final". While waiting for those confirmations, the attacker starts mining their own blocks, in secret, which instead of including the transaction sending 100 BTC to the third party, instead includes a transaction which sends that 100 BTC back to themselves. Since they have more hashrate than the honest chain, then at some point after the honest chain has mined 6 blocks, the attacker will have mined 1 more block than the honest chain, still in secret. Once the third party releases the goods or services which cost 100 BTC, the attacker publishes their secret chain which, since it has more proof of work, now becomes the main chain. This new chain no longer includes the transaction sending 100 BTC to the third party, but instead includes the transaction sending 100 BTC back to the attacker. The transaction is effectively reversed.

Note that such an attack becomes more and more difficult as the transaction to be reversed gains more and more confirmations (hence why people say to wait for at least 6 confirmations on larger amounts), and such an attack on bitcoin requires an enormous and sustained amount of hashrate, which no one entity has ever come close to possessing in recent times. This is not true of other coins, however, and many other coins (including major bitcoin forks) have been successfully 51% attacked in the past.

It is written in that article
It is not 100% the same but as in bank transfer, do you receive your money if you did not see credited amount of fiat in your account?

1 confirmation means one layer of protection for your confirmed transaction. The more confirmations your transaction has, the more layers of protection it has, the more safety you have.

Irreversible transactions. What you asked is Race attack and the fraudulent senders will do 2 conflict transactions (on to you as receiver and one to himself).

---

I invite you to read a chapter 9, The blockchain in Mastering bitcoin

Just came across one of the article ^[1] which states that a bitcoin transaction can be reversed if you have got 51% hash power from the entire mining network.

It seems to me a false information but wanna know is it really possible to do so?

At least I know one thing for sure when a transaction is broadcasted it gets embedded into nodes, to create a block. As the different miners keep confirming the transaction it’s confidence increases and it sticks around “permanently”.

So why this article claims reversal is possible?

---

Reference:
[1] How does mining works