Author

Topic: Bitcoin transactions can be reversed if . . .! (Read 295 times)

legendary
Activity: 2268
Merit: 18771
February 10, 2021, 05:51:52 AM
#17
and as the attacker "can influence only on his own transactions, for which the attacker can produce a valid signature", there's nothing to worry about.
Sure, a 51% attack does not allow the attacker to "create value out of thin air" or "take money that never belonged to the attacker", as the whitepaper puts it, but it is still worth bearing in mind. Maybe if all you are doing with bitcoin is trading it on a centralized exchange (and therefore not actually making any transactions with it anyway) then you don't need to think about it, but a 51% attack is important to consider if you are trading directly with another user or selling any goods or services for bitcoin. As I explained above, even with a proportion of the hashrate far below 51%, an attacker still has a chance to reverse a transaction, but this chance becomes exponentially smaller with each further confirmation. It is the entire reason behind why lots of places wait for 6 confirmations before confirming funds or deposits.
hero member
Activity: 2114
Merit: 603
This is a pretty cool discussion. I must go through the white-paper one more time to understand gravity of the "calculations". Surely Satoshi might have thought of every other possibility of so called categorical theft!

Now I understand how the honest chain could be escape for an attacker to reverse or may be "capture" bitcoins from other individual. However, this would take lot of efforts and obviously freakishly high 51% hash power. The later seems to be almost impossible for any mining firm on the current network difficulty (Hope so!)

Thanks for the great output guys.
legendary
Activity: 2268
Merit: 18771
No single entity can own 51% of hash power.
In the past, this has in fact happened. For example, in 2014, the GHash pool controlled 51% of the hashrate, although they quickly and voluntarily reduced this. It is worth noting though that in 2014 the total hashrate was around 0.08% of what it is now, so a comparatively tiny amount of hash power was enough to be 51% of the total hash power.

So though in theory it is possible to reverse Bitcoin transaction, in practice it can never happen.
It is entirely possible (and very easy if RBF is enabled) to reverse transactions with zero confirmations. It is also theoretically possible to reverse transactions without having 51% of the hashrate if you were to get lucky when mining your secret chain. You can read the relevant calculations as detailed in the whitepaper as I said above. For example, someone with 10% of the hashrate would still have a 20% chance of being able to reverse a transaction with 1 confirmation, although this drops to 0.02% after 6 confirmations.

You can play around with the numbers yourself here: https://web.archive.org/web/20200502141047/https://people.xiph.org/~greg/attack_success.html

Increasing rate of difficulty to solve the block makes it more impossible with every halving.
The halving has no direct effect on the difficulty. The halving affects the block reward. The amount of hash power affects the difficulty.
sr. member
Activity: 897
Merit: 284
Just came across one of the article [1] which states that a bitcoin transaction can be reversed if you have got 51% hash power from the entire mining network.

It seems to me a false information but wanna know is it really possible to do so?

At least I know one thing for sure when a transaction is broadcasted it gets embedded into nodes, to create a block. As the different miners keep confirming the transaction it’s confidence increases and it sticks around “permanently”.

So why this article claims reversal is possible?


Reference:
[1] How does mining works
No single entity can own 51% of hash power. So though in theory it is possible to reverse Bitcoin transaction, in practice it can never happen. Increasing rate of difficulty to solve the block makes it more impossible with every halving.
legendary
Activity: 1148
Merit: 3117
Could I extrapolate the same basis / calculation to other coins (mainly altcoins) to show that someone could easily exploit this?
Sure, but you don't need to since many altcoins have already been successfully 51% attacked. BCash, for example, has been successfully 51% attacked on more than one occasion:
https://www.coindesk.com/bitcoin-cash-miners-undo-attackers-transactions-with-51-attack
https://decrypt.co/49819/bitcoin-cash-rebels-launch-51-attack-to-destroy-bch-hard-fork

The buyer wouldn't receive their BTC back as well, they would simply be "erased" right? Or they would rest in some sort of transaction limbo?
The buyer would keep the BTC, by sending it back to another address they control.

Let's say I have 100 BTC in address A, and I send it to address B, which belongs to you. I broadcast that transaction to the network, you see it, and it gets its first confirmation in block 669,301. In secret, I write a new transaction which would send the same coins from address A to address C, which belongs to me. I include this new transaction in a block which I mine, also at height 669,301, but I don't tell anyone else about my block. I continue to mine in secret, and because I have >51% of the hashrate, I can mine blocks faster than the main honest chain which everyone else in the world is looking at. You see first transaction on the main chain, which sends 100 BTC to address B, gain 2 confirmations at block 669,302. Then 3 confirmations at block 669,303. Meanwhile, and still in secret, I'm mining my own chain of blocks 669,302, 669,303, and so on, which are building on top the transaction which sent 100 BTC to myself and have no knowledge of the transaction which sent 100 BTC to you. At some point, you are happy with the number of confirmations you see and you release the goods I am buying. At that point, I publish my secret chain all at once. Since my secret chain has more proof of work than the honest chain everybody else is looking at, it replaces the honest chain as the main chain. The transaction which sent 100 BTC to you now only exists in the old honest chain which has now been replaced. The new main chain, made up of my secret chain, contains the transaction which sends 100 BTC back to myself.
Thank you, the whole scenario is way more clear now. For BTC is pratically impossible to do that, unless a quantum computer breaks out of the sudden with enough hash power to be bigger than the current hash rate, which I find ... quite unlikely.

I'm also with another notion regarding the safety of the other coins, so that's a win-win scenario, so thank you for both detailed explanations mate!
legendary
Activity: 2268
Merit: 18771
Could I extrapolate the same basis / calculation to other coins (mainly altcoins) to show that someone could easily exploit this?
Sure, but you don't need to since many altcoins have already been successfully 51% attacked. BCash, for example, has been successfully 51% attacked on more than one occasion:
https://www.coindesk.com/bitcoin-cash-miners-undo-attackers-transactions-with-51-attack
https://decrypt.co/49819/bitcoin-cash-rebels-launch-51-attack-to-destroy-bch-hard-fork

The buyer wouldn't receive their BTC back as well, they would simply be "erased" right? Or they would rest in some sort of transaction limbo?
The buyer would keep the BTC, by sending it back to another address they control.

Let's say I have 100 BTC in address A, and I send it to address B, which belongs to you. I broadcast that transaction to the network, you see it, and it gets its first confirmation in block 669,301. In secret, I write a new transaction which would send the same coins from address A to address C, which belongs to me. I include this new transaction in a block which I mine, also at height 669,301, but I don't tell anyone else about my block. I continue to mine in secret, and because I have >51% of the hashrate, I can mine blocks faster than the main honest chain which everyone else in the world is looking at. You see first transaction on the main chain, which sends 100 BTC to address B, gain 2 confirmations at block 669,302. Then 3 confirmations at block 669,303. Meanwhile, and still in secret, I'm mining my own chain of blocks 669,302, 669,303, and so on, which are building on top the transaction which sent 100 BTC to myself and have no knowledge of the transaction which sent 100 BTC to you. At some point, you are happy with the number of confirmations you see and you release the goods I am buying. At that point, I publish my secret chain all at once. Since my secret chain has more proof of work than the honest chain everybody else is looking at, it replaces the honest chain as the main chain. The transaction which sent 100 BTC to you now only exists in the old honest chain which has now been replaced. The new main chain, made up of my secret chain, contains the transaction which sends 100 BTC back to myself.
legendary
Activity: 3038
Merit: 2162
At least I know one thing for sure when a transaction is broadcasted it gets embedded into nodes, to create a block. As the different miners keep confirming the transaction it’s confidence increases and it sticks around “permanently”.

Transactions don't get "embedded into nodes", nodes store unconfirmed transactions in their mempools to help these transactions to propagate through the network to eventually reach miners, so that they can include it in next block.

Miners don't "keep confirming" a transaction, the first confirmation happens when a transaction gets included in the most recent block that became a part of the blockchain, all other confirmations are just the number of blocks mined after that one block.
legendary
Activity: 1148
Merit: 3117
Is there any graph that I could use to extract this information from?
Certainly.

If we take a look at a graph such as https://bitinfocharts.com/comparison/bitcoin-hashrate.html, we can see that for the last few days the average hashrate has been sitting around 130 exahashes per second. An adversary who is not currently mining would need to, therefore, be able to sustain 130 exahashes per second.

If we take the most recent Antminer - the S19 Pro - as a benchmark, then each ASIC device will produce 110 terahashes per second for 3,250 watts of electricity. Given that 130 exahashes per second is equivalent to 130,000,000 terahashes per second, then the attacker would need to be running around 1.18 million Antminer S19 Pros. With a cost per unit of around $4,000, then the cost just for the ASICs required would be $4.7 billion, never mind the infrastructure to house, power, and cool them all, and the 3.8 million watts of electricity to keep them running.
That's mind blowing. Could I extrapolate the same basis / calculation to other coins (mainly altcoins) to show that someone could easily exploit this? I thinking in making some informative thread about it, since it brings attention to an overlooked factor in other coins....

Just a final question : From what I understood, one would do this just to basically deny the BTC to the other party right? The buyer wouldn't receive their BTC back as well, they would simply be "erased" right? Or they would rest in some sort of transaction limbo?
hero member
Activity: 2702
Merit: 716
Nothing lasts forever

That explanation is amazing. More facts are cleared with this however few more gained in the process.

Like, you said they would do this in secrete chain and then publish the proof of work later on to claim the 100 BTC example.

So it’s more or less illegal way to do so ?

I mean if they claim by your procedure then they would end up “stealing” the bitcoins from broadcaster. On the other hand receiving party would never receive the bitcoins!!

But what happens to recipient end since bitcoin address was entered but they never reached the address.  



Is it a flaw in the blockchain code ?
Is it really a reversal or stealing ?

It's not a flaw in the blockchain code. It is how it is designed to be. Bitcoin is decentralized and 51% means more than half of the miners consider it to be true.
Now if the attacker has the 51% hashing power as an individual, that's something which shouldn't have happened at first place.
For bitcoin to be truly decentralized, one entity should never have more than 51% hashing power at all.

On the other hand receiving party would never receive the bitcoins!!
The other party would initially receive the bitcoin. As the honest chain built up more and more blocks, they would see the transaction which sends them bitcoin receive 1, then 2, then 3, and so on confirmations. If a 51% attacker then published a longer chain which did not include that transaction, then that transaction (and the bitcoin in the recipient's wallet) would simply disappear.[/quote]

Would the transactions simply disappear from our wallets or be marked as invalid transactions ?
I think the transactions should be marked as invalid ones, not sure though.
legendary
Activity: 2268
Merit: 18771
So it’s more or less illegal way to do so ?
Well, it depends. There are no laws against the act of reversing a bitcoin transaction, and indeed, using something like RBF could be thought of as reversing a transaction (albeit it one with zero confirmations!) when you replace a transaction with another sending the coins back to yourself instead. But if you have paid someone in bitcoin and received goods or services in return for that payment, and you later reverse that payment, then that is categorically theft.

On the other hand receiving party would never receive the bitcoins!!
The other party would initially receive the bitcoin. As the honest chain built up more and more blocks, they would see the transaction which sends them bitcoin receive 1, then 2, then 3, and so on confirmations. If a 51% attacker then published a longer chain which did not include that transaction, then that transaction (and the bitcoin in the recipient's wallet) would simply disappear.

Is it a flaw in the blockchain code ?
Not at all. It is necessary given the way that bitcoin works. Indeed, Satoshi outlined how an attack would work and how it becomes exponentially more unlikely with every additional confirmation in section 11 of the whitepaper entitled "Calculations".
hero member
Activity: 2114
Merit: 603

That explanation is amazing. More facts are cleared with this however few more gained in the process.

Like, you said they would do this in secrete chain and then publish the proof of work later on to claim the 100 BTC example.

So it’s more or less illegal way to do so ?

I mean if they claim by your procedure then they would end up “stealing” the bitcoins from broadcaster. On the other hand receiving party would never receive the bitcoins!!

But what happens to recipient end since bitcoin address was entered but they never reached the address.  



Is it a flaw in the blockchain code ?
Is it really a reversal or stealing ?
legendary
Activity: 2268
Merit: 18771
Is there any graph that I could use to extract this information from?
Certainly.

If we take a look at a graph such as https://bitinfocharts.com/comparison/bitcoin-hashrate.html, we can see that for the last few days the average hashrate has been sitting around 130 exahashes per second. An adversary who is not currently mining would need to, therefore, be able to sustain 130 exahashes per second.

If we take the most recent Antminer - the S19 Pro - as a benchmark, then each ASIC device will produce 110 terahashes per second for 3,250 watts of electricity. Given that 130 exahashes per second is equivalent to 130,000,000 terahashes per second, then the attacker would need to be running around 1.18 million Antminer S19 Pros. With a cost per unit of around $4,000, then the cost just for the ASICs required would be $4.7 billion, never mind the infrastructure to house, power, and cool them all, and the 3.8 million watts of electricity to keep them running.
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
This is a really good insight that I wasn't aware of, thank you for this information o_e_l_e_o! I wonder if one could hypothetically translate the 51 % hashrate into actual numbers such as number of GPU's that would need to be working, electricity that one had to "waste" in order to revert the attack. I wonder, at the present time, how many hashrate would have to be employed to revert a transaction in BTC? Is there any graph that I could use to extract this information from?
Attackers can only revert their own transactions but they can not revert our bitcoin transactions. To revert transactions, they need to have sign a valid signature and they don't own private keys of our bitcoin wallets so that they can not produce valid signatures that not belong to them.

I used to misunderstand 51% attack too when I think if it happened, my bitcoin will be stolen by attackers. In fact, if I don't have any related transactions with attackers, I am fine.

You can read more
Quote
One attack scenario against the consensus mechanism is called the "51% attack." In this scenario a group of miners, controlling a majority (51%) of the total network’s hashing power, collude to attack bitcoin. With the ability to mine the majority of the blocks, the attacking miners can cause deliberate "forks" in the blockchain and double-spend transactions or execute denial-of-service attacks against specific transactions or addresses. A fork/double-spend attack is where the attacker causes previously confirmed blocks to be invalidated by forking below them and re-converging on an alternate chain. With sufficient power, an attacker can invalidate six or more blocks in a row, causing transactions that were considered immutable (six confirmations) to be invalidated. Note that a double-spend can only be done on the attacker’s own transactions, for which the attacker can produce a valid signature. Double-spending one’s own transactions is profitable if by invalidating a transaction the attacker can get an irreversible exchange payment or product without paying for it.

See example if you are interested in
Source: https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch10.asciidoc
legendary
Activity: 1148
Merit: 3117
It seems to me a false information but wanna know is it really possible to do so?
Yes. This is termed a 51% attack.

Any adversary with 51% of the network's hashrate can, over time, out-mine all honest miners who will possess 49% of the hashrate. This means that the adversary can build a longer chain of blocks, and those blocks can contain any transactions they choose. If they want to censor everyone else's transactions, they could. If they want to include a transaction which sends coins previously sent to a merchant back to themselves, they could.

For example, lets say the 51% attacker makes a transaction in which sends 100 BTC to a third party. The third party will obviously wait for 6 or more confirmations before considering that "final". While waiting for those confirmations, the attacker starts mining their own blocks, in secret, which instead of including the transaction sending 100 BTC to the third party, instead includes a transaction which sends that 100 BTC back to themselves. Since they have more hashrate than the honest chain, then at some point after the honest chain has mined 6 blocks, the attacker will have mined 1 more block than the honest chain, still in secret. Once the third party releases the goods or services which cost 100 BTC, the attacker publishes their secret chain which, since it has more proof of work, now becomes the main chain. This new chain no longer includes the transaction sending 100 BTC to the third party, but instead includes the transaction sending 100 BTC back to the attacker. The transaction is effectively reversed.

Note that such an attack becomes more and more difficult as the transaction to be reversed gains more and more confirmations (hence why people say to wait for at least 6 confirmations on larger amounts), and such an attack on bitcoin requires an enormous and sustained amount of hashrate, which no one entity has ever come close to possessing in recent times. This is not true of other coins, however, and many other coins (including major bitcoin forks) have been successfully 51% attacked in the past.
This is a really good insight that I wasn't aware of, thank you for this information o_e_l_e_o! I wonder if one could hypothetically translate the 51 % hashrate into actual numbers such as number of GPU's that would need to be working, electricity that one had to "waste" in order to revert the attack. I wonder, at the present time, how many hashrate would have to be employed to revert a transaction in BTC? Is there any graph that I could use to extract this information from?
legendary
Activity: 2268
Merit: 18771
It seems to me a false information but wanna know is it really possible to do so?
Yes. This is termed a 51% attack.

Any adversary with 51% of the network's hashrate can, over time, out-mine all honest miners who will possess 49% of the hashrate. This means that the adversary can build a longer chain of blocks, and those blocks can contain any transactions they choose. If they want to censor everyone else's transactions, they could. If they want to include a transaction which sends coins previously sent to a merchant back to themselves, they could.

For example, lets say the 51% attacker makes a transaction in which sends 100 BTC to a third party. The third party will obviously wait for 6 or more confirmations before considering that "final". While waiting for those confirmations, the attacker starts mining their own blocks, in secret, which instead of including the transaction sending 100 BTC to the third party, instead includes a transaction which sends that 100 BTC back to themselves. Since they have more hashrate than the honest chain, then at some point after the honest chain has mined 6 blocks, the attacker will have mined 1 more block than the honest chain, still in secret. Once the third party releases the goods or services which cost 100 BTC, the attacker publishes their secret chain which, since it has more proof of work, now becomes the main chain. This new chain no longer includes the transaction sending 100 BTC to the third party, but instead includes the transaction sending 100 BTC back to the attacker. The transaction is effectively reversed.

Note that such an attack becomes more and more difficult as the transaction to be reversed gains more and more confirmations (hence why people say to wait for at least 6 confirmations on larger amounts), and such an attack on bitcoin requires an enormous and sustained amount of hashrate, which no one entity has ever come close to possessing in recent times. This is not true of other coins, however, and many other coins (including major bitcoin forks) have been successfully 51% attacked in the past.
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
So why this article claims reversal is possible?

Reference:
[1] How does mining works

It is written in that article
Quote
Payments with 0 confirmations can still be reversed! Wait for at least one.
It is not 100% the same but as in bank transfer, do you receive your money if you did not see credited amount of fiat in your account?

1 confirmation means one layer of protection for your confirmed transaction. The more confirmations your transaction has, the more layers of protection it has, the more safety you have.

Irreversible transactions. What you asked is Race attack and the fraudulent senders will do 2 conflict transactions (on to you as receiver and one to himself).


I invite you to read a chapter 9, The blockchain in Mastering bitcoin
Quote
One way to think about the blockchain is like layers in a geological formation, or glacier core sample. The surface layers might change with the seasons, or even be blown away before they have time to settle. But once you go a few inches deep, geological layers become more and more stable. By the time you look a few hundred feet down, you are looking at a snapshot of the past that has remained undisturbed for millions of years. In the blockchain, the most recent few blocks might be revised if there is a chain recalculation due to a fork. The top six blocks are like a few inches of topsoil. But once you go more deeply into the blockchain, beyond six blocks, blocks are less and less likely to change. After 100 blocks back, there is so much stability that the coinbase transaction—the transaction containing newly mined bitcoin—can be spent. A few thousand blocks back (a month) and the blockchain is settled history, for all practical purposes. While the protocol always allows a chain to be undone by a longer chain and while the possibility of any block being reversed always exists, the probability of such an event decreases as time passes until it becomes infinitesimal.
hero member
Activity: 2114
Merit: 603
Just came across one of the article [1] which states that a bitcoin transaction can be reversed if you have got 51% hash power from the entire mining network.

It seems to me a false information but wanna know is it really possible to do so?

At least I know one thing for sure when a transaction is broadcasted it gets embedded into nodes, to create a block. As the different miners keep confirming the transaction it’s confidence increases and it sticks around “permanently”.

So why this article claims reversal is possible?


Reference:
[1] How does mining works
Jump to: