Topic: Blockchain rollback limit? (Read 4699 times)

legendary
Activity: 1193
Merit: 1003
9.9.2012: I predict that single digits... <- FAIL
February 06, 2013, 04:16:04 PM
#52
During a rollback that goes back to the last Gavin checkpoint the attacker with the bad chain can only double spend coins that he owned before Gavin's checkpoint. He can also exclude everyone's transactions from the block chain that happened since the checkpoint. Or maybe he won't exclude people's transactions, therefore most won't care which chain is good or bad. Let's assume this is a non-monetary attacker where the goal is to discredit Bitcoin. So we will assume he has excluded every transaction he doesn't own. Every node on the network will still know about these transactions; they will just become unconfirmed... that is the WORST case scenario. Once the attack is over those transactions can be reconfirmed. Also everyone will still have the shorter good chain on disk; it is not like it would be deleted.
You're assuming an attacker trying to discredit Bitcoin who doesn't actually do anything to discredit Bitcoin!

A realistic attacker would deposit a large number of Bitcoins to Mt. Gox and then wait. When he introduces his own rollback chain, it will include a double spend of that deposit to Mt. Gox. This will invalidate all transactions that re-spend those coins, all transactions that re-spend outputs of transactions that spend those coins, and so on. With just a bit of effort, he can invalidate a significant fraction of the transactions that occurred in that time period. He could probably invalidate more than half of them with moderate effort.

He doesn't even need a lot of money to do this. He can deposit, withdraw different coins, and deposit again. He can then double spend both of those deposits, doing double damage with the same coins. (Assuming that double-spending his first deposit doesn't contaminate his own withdrawal. But if it does, then he's already doing major damage.)


An attacker doesn't need to do a double spend with his own coins. All mined coins from the rolled-back blocks will disappear, making all transactions that can be traced back to these coins invalid.
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
February 06, 2013, 09:23:08 AM
#51
During a rollback that goes back to the last Gavin checkpoint the attacker with the bad chain can only double spend coins that he owned before Gavin's checkpoint. He can also exclude everyone's transactions from the block chain that happened since the checkpoint. Or maybe he won't exclude people's transactions, therefore most won't care which chain is good or bad. Let's assume this is a non-monetary attacker where the goal is to discredit Bitcoin. So we will assume he has excluded every transaction he doesn't own. Every node on the network will still know about these transactions; they will just become unconfirmed... that is the WORST case scenario. Once the attack is over those transactions can be reconfirmed. Also everyone will still have the shorter good chain on disk; it is not like it would be deleted.
You're assuming an attacker trying to discredit Bitcoin who doesn't actually do anything to discredit Bitcoin!

A realistic attacker would deposit a large number of Bitcoins to Mt. Gox and then wait. When he introduces his own rollback chain, it will include a double spend of that deposit to Mt. Gox. This will invalidate all transactions that re-spend those coins, all transactions that re-spend outputs of transactions that spend those coins, and so on. With just a bit of effort, he can invalidate a significant fraction of the transactions that occurred in that time period. He could probably invalidate more than half of them with moderate effort.

He doesn't even need a lot of money to do this. He can deposit, withdraw different coins, and deposit again. He can then double spend both of those deposits, doing double damage with the same coins. (Assuming that double-spending his first deposit doesn't contaminate his own withdrawal. But if it does, then he's already doing major damage.)
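Added example (editor's illustration, not code from the thread): the two posts above (#52 and #51) argue that a deep reorg does not just undo the attacker's own transactions but everything downstream of a double-spent deposit or of a coinbase that no longer exists on the replacement chain. The toy ledger below is constructed for this example; the tx names, the `invalidated_by_reorg` function and the treatment of the exchange's hot wallet as a single sweeping transaction are assumptions, not a description of any real exchange or of Bitcoin's actual data structures. It walks the spend graph to show how one double spend plus one dropped coinbase taints most of the ledger, including a transaction that only touches tainted coins through one of its several inputs.

```python
from collections import defaultdict, deque

# Constructed toy ledger (not real chain data). Each tx lists the outpoints it
# spends as (tx_id, output_index); a tx with no inputs is a coinbase.
LEDGER = {
    "att_funds":       [],                               # attacker's coins, confirmed before the checkpoint
    "clean_cb":        [],                               # coinbase mined before the checkpoint
    "cb_101":          [],                               # coinbase of a block the attack chain drops
    "deposit":         [("att_funds", 0)],               # attacker's deposit to the exchange
    "hot_wallet":      [("deposit", 0), ("cb_101", 0)],  # exchange sweeps deposits together
    "wd_alice":        [("hot_wallet", 0)],              # alice withdraws from the exchange
    "wd_bob":          [("hot_wallet", 1)],              # bob withdraws from the exchange
    "bob_pays_carol":  [("wd_bob", 0)],
    "dave":            [("clean_cb", 0)],                # never touches tainted coins
    "carol_pays_dave": [("bob_pays_carol", 0), ("dave", 0)],  # one bad input is enough
}


def build_indexes(ledger):
    """spenders[outpoint] -> txs spending that exact outpoint;
    children[tx] -> txs spending any output of tx."""
    spenders, children = defaultdict(list), defaultdict(set)
    for tx, inputs in ledger.items():
        for src, vout in inputs:
            spenders[(src, vout)].append(tx)
            children[src].add(tx)
    return spenders, children


def invalidated_by_reorg(ledger, dropped_coinbases=(), conflicting_spends=()):
    """Txs that cannot appear on a replacement branch that (a) omits the listed
    coinbases and (b) carries a conflicting spend of each listed outpoint.
    Invalidity is transitive: every tx spending an output of a dead tx is dead."""
    spenders, children = build_indexes(ledger)
    dead, queue = set(), deque()

    def kill(tx):
        if tx not in dead:
            dead.add(tx)
            queue.append(tx)

    for cb in dropped_coinbases:
        if ledger.get(cb) != []:
            raise ValueError(f"{cb} is not a coinbase in this ledger")
        kill(cb)                      # (a) the coinbase never exists on the new branch
    for outpoint in conflicting_spends:
        for tx in spenders.get(outpoint, []):
            kill(tx)                  # (b) the old spend conflicts with the attacker's
    while queue:                      # propagate through all descendants
        for child in children.get(queue.popleft(), ()):
            kill(child)
    return dead


def damage_fraction(ledger, dead):
    """Share of the ledger's txs that the reorg orphaned."""
    return len(dead) / len(ledger)


if __name__ == "__main__":
    dead = invalidated_by_reorg(LEDGER, dropped_coinbases=["cb_101"],
                                conflicting_spends=[("att_funds", 0)])
    print(sorted(dead), damage_fraction(LEDGER, dead))
```

With one double-spent deposit and one missing coinbase, seven of the ten toy transactions die, while the attacker's own pre-checkpoint coins (`att_funds`) are untouched and can be spent again on his branch. The exchange's hot wallet is what does the damage: once unrelated customers' withdrawals are funded from a pool that contains tainted coins, the taint spreads to everyone downstream of them.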
sr. member
Activity: 437
Merit: 415
1ninja
February 06, 2013, 09:08:08 AM
#50
You have not properly stated what would happen during the rollback. Let me explain.

Your scenario involves the good chain and a bad chain. The good chain is the one that manually gets checkpoints in the Satoshi client. Checkpointing is not part of the Satoshi white paper. It is just a way for the devs to tell us what chain they use and to put a limit (like you are demanding) on a rollback. It goes against the theory and is only not controversial because Satoshi went along with it.

During a rollback that goes back to the last Gavin checkpoint the attacker with the bad chain can only double spend coins that he owned before Gavin's checkpoint. He can also exclude everyone's transactions from the block chain that happened since the checkpoint. Or maybe he won't exclude people's transactions, therefore most won't care which chain is good or bad. Let's assume this is a non-monetary attacker where the goal is to discredit Bitcoin. So we will assume he has excluded every transaction he doesn't own. Every node on the network will still know about these transactions; they will just become unconfirmed... that is the WORST case scenario. Once the attack is over those transactions can be reconfirmed. Also everyone will still have the shorter good chain on disk; it is not like it would be deleted.
legendary
Activity: 1193
Merit: 1003
9.9.2012: I predict that single digits... <- FAIL
February 05, 2013, 08:52:22 PM
#49
User base... fewest users. Sorry for my bad English.

What I'm suggesting isn't perfect. But if you set the rollback limit big enough, it can't be worse than how it is today.
How do you tell how many users are using a particular fork?

Time will tell...

(Time to go to bed.)
legendary
Activity: 1193
Merit: 1003
9.9.2012: I predict that single digits... <- FAIL
February 05, 2013, 08:50:42 PM
#48
I suspect that there is a reason that none of the many attempts to create a crypto-currency succeeded until Satoshi put together the idea of a proof-of-work transaction ledger.  Attempting to short-circuit this solution simply results in a currency that becomes more and more like the many that failed in the past, and more and more likely to fail for the same reasons.  There is enough risk with the checkpoints that are already coded into the clients.  Trying to create a moving checkpoint that tries to actively keep up with the blockchain as it grows sounds like a disaster to me.  If it was implemented, I'd probably abandon bitcoin and look for something else.

So, if I change my client so it does this, would you abandon bitcoin?

No one can stop me ;)
Nope, but I and all the other bitcoin users won't be using your client.  So if a reorganization occurs that puts the rest of the bitcoin world on a different blockchain than you, then you'll just have to accept the world's blockchain anyhow, defeating the purpose of your client.

When the original blockchain is rolled back 12 months, people will jump over to my blockchain :D
legendary
Activity: 3388
Merit: 4615
February 05, 2013, 08:49:17 PM
#47
I suspect that there is a reason that none of the many attempts to create a crypto-currency succeeded until Satoshi put together the idea of a proof-of-work transaction ledger.  Attempting to short-circuit this solution simply results in a currency that becomes more and more like the many that failed in the past, and more and more likely to fail for the same reasons.  There is enough risk with the checkpoints that are already coded into the clients.  Trying to create a moving checkpoint that tries to actively keep up with the blockchain as it grows sounds like a disaster to me.  If it was implemented, I'd probably abandon bitcoin and look for something else.

So, if I change my client so it does this, would you abandon bitcoin?

No one can stop me ;)
Nope, but I and all the other bitcoin users won't be using your client.  So if a reorganization occurs that puts the rest of the bitcoin world on a different blockchain than you, then you'll just have to accept the world's blockchain anyhow, defeating the purpose of your client.
legendary
Activity: 1193
Merit: 1003
9.9.2012: I predict that single digits... <- FAIL
February 05, 2013, 08:46:25 PM
#46
I suspect that there is a reason that none of the many attempts to create a crypto-currency succeeded until Satoshi put together the idea of a proof-of-work transaction ledger.  Attempting to short-circuit this solution simply results in a currency that becomes more and more like the many that failed in the past, and more and more likely to fail for the same reasons.  There is enough risk with the checkpoints that are already coded into the clients.  Trying to create a moving checkpoint that tries to actively keep up with the blockchain as it grows sounds like a disaster to me.  If it was implemented, I'd probably abandon bitcoin and look for something else.

So, if I change my client so it does this, would you abandon bitcoin?

No one can stop me ;)
legendary
Activity: 960
Merit: 1028
Spurn wild goose chases. Seek that which endures.
February 05, 2013, 08:44:15 PM
#45
User base... fewest users. Sorry for my bad English.

What I'm suggesting isn't perfect. But if you set the rollback limit big enough, it can't be worse than how it is today.
How do you tell how many users are using a particular fork?
legendary
Activity: 1193
Merit: 1003
9.9.2012: I predict that single digits... <- FAIL
February 05, 2013, 08:37:39 PM
#44
Could you just run 2 clients using different chains and live in both worlds?

I believe the chain with the smallest user base will die...
What's a user base? How can you tell whether people trust A-Bitcoins or B-Bitcoins or R-Bitcoins or... et cetera et cetera? Today, we trust a hashrate-weighted poll of miners; whichever branch has the most hashing power determines the "true" blockchain. If you have a better proposal for choosing which ledger is communally accepted, let's hear it, because if it's good enough to solve this problem it's good enough to use instead of mining.

User base... fewest users. Sorry for my bad English.

What I'm suggesting isn't perfect. But if you set the rollback limit big enough, it can't be worse than how it is today.


How easy is it for an attacker to keep the forks separated from each other for days so they get past the "rollback limit"? That would be hard to manage.
They have more hashing power than the rest of the network put together, or they couldn't execute a 51% attack to begin with. Thus, by definition, they can mine in parallel with the rest of the network and keep up. So however many branches exist with someone else mining on them, this adversary is able to equally mine a branch of it.

They need a decent percent of the users on each fork if they are to succeed.
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
February 05, 2013, 08:37:22 PM
#43
I'd probably abandon bitcoin and look for something else.
(Start by getting into Ripple just in case!)
legendary
Activity: 3388
Merit: 4615
February 05, 2013, 08:36:28 PM
#42
I suspect that there is a reason that none of the many attempts to create a crypto-currency succeeded until Satoshi put together the idea of a proof-of-work transaction ledger.  Attempting to short-circuit this solution simply results in a currency that becomes more and more like the many that failed in the past, and more and more likely to fail for the same reasons.  There is enough risk with the checkpoints that are already coded into the clients.  Trying to create a moving checkpoint that tries to actively keep up with the blockchain as it grows sounds like a disaster to me.  If it was implemented, I'd probably abandon bitcoin and look for something else.
legendary
Activity: 960
Merit: 1028
Spurn wild goose chases. Seek that which endures.
February 05, 2013, 08:26:47 PM
#41
Could you just run 2 clients using different chains and live in both worlds?

I believe the chain with the smallest user base will die...
What's a user base? How can you tell whether people trust A-Bitcoins or B-Bitcoins or R-Bitcoins or... et cetera et cetera? Today, we trust a hashrate-weighted poll of miners; whichever branch has the most hashing power determines the "true" blockchain. If you have a better proposal for choosing which ledger is communally accepted, let's hear it, because if it's good enough to solve this problem it's good enough to use instead of mining.

How easy is it for an attacker to keep the forks separated from each other for days so they get past the "rollback limit"? That would be hard to manage.
They have more hashing power than the rest of the network put together, or they couldn't execute a 51% attack to begin with. Thus, by definition, they can mine in parallel with the rest of the network and keep up. So however many branches exist with someone else mining on them, this adversary is able to equally mine a branch of it.
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
February 05, 2013, 08:23:14 PM
#40
Could you just run 2 clients using different chains and live in both worlds?
Theoretically. But if someone wants bitcoins, do you send them A-Bitcoins, or B-Bitcoins? Don't you have to send them both? If so, if the attacker is intelligent and hasn't pawned its mining equipment, why should they stop at two chains? If you define the maximum reorg as 288 blocks (two days), then the attacker can double the number of chains every three days. A month down the road, you would have to be running 1000 clients just to unambiguously send a coin.

Well, I suppose since it's all software anyway, a single client could be modified to just include all the chains in an array of sorts (not sure what the space/calculating requirements would be for that though) and just automatically update your account as such, and use the chain-specific addresses as you specify from a dropdown (or potentially automatic). Why do I suspect this is the future of bitcoin once the governments get involved? We all agree that they can't stop bitcoin, but governments never really stop anything, they just screw things up, and they do that very well.
legendary
Activity: 1193
Merit: 1003
9.9.2012: I predict that single digits... <- FAIL
February 05, 2013, 08:23:06 PM
#39
There is a reason that the blockchain was designed to be deterministic.  All nodes everywhere in the world regardless of being online or offline can via communication with other nodes reach a single consensus view of the blockchain.  Once you introduce the need for humans to "pick the winner" it becomes very easy to both game the system and crush any resistance by creating dissent.  The users who believe blockchain A is the "correct" one have no mechanism to prevent those who believe blockchain B is "correct" from continuing that fork.  An attacker just has to continually fork the forks over and over to divide and conquer.  Also the attacker wouldn't be so foolish as to always put "good tx" on one side of the fork and "double spends" on the other side of the fork.  Remember this is a non-economic attacker.  Far better to continually and randomly place the spend and double spend so that no matter which fork is chosen there is always a victim.

How easy is it for an attacker to keep the forks separated from each other for days so they get past the "rollback limit"? Each fork needs a decent percent of the user base. That would be hard to manage.
legendary
Activity: 960
Merit: 1028
Spurn wild goose chases. Seek that which endures.
February 05, 2013, 08:20:46 PM
#38
Could you just run 2 clients using different chains and live in both worlds?
Theoretically. But if someone wants bitcoins, do you send them A-Bitcoins, or B-Bitcoins? Don't you have to send them both? If so, if the attacker is intelligent and hasn't pawned its mining equipment, why should they stop at two chains? If you define the maximum reorg as 288 blocks (two days), then the attacker can double the number of chains every three days. A month down the road, you would have to be running 1000 clients just to unambiguously send a coin.
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
February 05, 2013, 08:18:23 PM
#37
Could you just run 2 clients using different chains and live in both worlds?
That makes everyone who held bitcoins before and through the split twice as wealthy!

I know, right!
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
February 05, 2013, 08:17:56 PM
#36
Could you just run 2 clients using different chains and live in both worlds?
That makes everyone who held bitcoins before and through the split twice as wealthy!
legendary
Activity: 1193
Merit: 1003
9.9.2012: I predict that single digits... <- FAIL
February 05, 2013, 08:17:16 PM
#35
Could you just run 2 clients using different chains and live in both worlds?

I believe the chain with the smallest user base will die...
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
February 05, 2013, 08:07:25 PM
#34
Could you just run 2 clients using different chains and live in both worlds?
donator
Activity: 1218
Merit: 1079
Gerald Davis
February 05, 2013, 07:57:38 PM
#33
Well, if in chain 1 I lose money and in chain 2 you lose it, we cannot agree, of course I would want chain 2, you would want chain 1. Probably the majority will decide.
The thing is, if it remains split, you both lose money.

True, however it sets up a prisoner's dilemma type situation.  Also I would point out there is no "majority rule".  While a democracy is one method of achieving a consensus, the anonymous nature of Bitcoin makes any democratic method to select the best blockchain doomed.  Also an active attack likely wouldn't be just a binary decision but rather a series of double spends on various forks creating new forks and a chaotic mess of conflicting priorities and viewpoints.

There is a reason that the blockchain was designed to be deterministic.  All nodes everywhere in the world regardless of being online or offline can via communication with other nodes reach a single consensus view of the blockchain.  Once you introduce the need for humans to "pick the winner" it becomes very easy to both game the system and crush any resistance by creating dissent.  The users who believe blockchain A is the "correct" one have no mechanism to prevent those who believe blockchain B is "correct" from continuing that fork.  An attacker just has to continually fork the forks over and over to divide and conquer.  Also the attacker wouldn't be so foolish as to always put "good tx" on one side of the fork and "double spends" on the other side of the fork.  Remember this is a non-economic attacker.  Far better to continually and randomly place the spend and double spend so that no matter which fork is chosen there is always a victim.

I think most 51% attack "solutions" naively assume that the "attacker" will do something as stupid as just make a single obvious attack.  Something like fork the blockchain back 500+ blocks and then continue on that game plan blindly without reacting to the actions of defenders.  The reality is any entity which has the millions of dollars to acquire that amount of hashing power isn't going to use it like a club.  It would be far more effective to hire some smart minds to devise a continually adjusting attack pattern.  Any "solution" which requires humans to determine in real time the "correct" blockchain AND always do the right thing for the public even at personal consequence to him/herself is not a solution.
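Added example (editor's illustration, not code from the thread or from any Bitcoin client): the posts above (#33, #38 and #39) argue that a "rollback limit" turns chain selection from a deterministic most-work rule into something that depends on what each node happened to see first, so two honest nodes running the same rule can end up on different chains with no way to reconcile. The simulation below is constructed to show exactly that. It uses equal-difficulty toy blocks (so chain work is just height), a `Node.offer` rule that refuses reorgs deeper than `max_reorg` blocks, and two honest nodes, one that was online throughout and one that was offline for a while; all of these are assumptions of the example. Without a limit both nodes converge on the attacker's longer chain (the undesirable but consistent outcome); with a limit they split permanently.

```python
class Block:
    """Toy block: every block carries equal work, so chain work == height."""
    def __init__(self, block_id, parent):
        self.id = block_id
        self.parent = parent
        self.height = 0 if parent is None else parent.height + 1


def common_ancestor(a, b):
    """Walk both tips back to the last block they share."""
    while a.height > b.height:
        a = a.parent
    while b.height > a.height:
        b = b.parent
    while a is not b:
        a, b = a.parent, b.parent
    return a


def extend(tip, count, label):
    """Mine `count` blocks on top of `tip`, labelled label + height (e.g. H7)."""
    for _ in range(count):
        tip = Block(f"{label}{tip.height + 1}", tip)
    return tip


class Node:
    def __init__(self, name, tip, max_reorg=None):
        self.name, self.tip, self.max_reorg = name, tip, max_reorg
        self.rejected = []            # (tip id, depth) of reorgs refused by the limit

    def offer(self, tip):
        """Most-work rule (height, in this toy). If max_reorg is set, a better
        chain that would disconnect more than max_reorg of our blocks is
        refused instead of adopted. Returns True if the node switched."""
        if tip.height <= self.tip.height:
            return False
        depth = self.tip.height - common_ancestor(self.tip, tip).height
        if self.max_reorg is not None and depth > self.max_reorg:
            self.rejected.append((tip.id, depth))
            return False
        self.tip = tip
        return True


def simulate(max_reorg):
    """Return {node name: tip id} after a majority attacker releases a
    private chain forked from H5 that is longer than the public chain."""
    genesis = Block("G", None)
    honest = [genesis]
    for _ in range(10):                        # public chain G, H1 .. H10
        honest.append(extend(honest[-1], 1, "H"))
    attack_tip = extend(honest[5], 11, "A")    # private A6 .. A16, more work than H10

    online = Node("online", honest[10], max_reorg)  # followed every honest block
    late = Node("late", honest[5], max_reorg)       # offline since H5, now catching up
    for node in (online, late):
        node.offer(attack_tip)                      # attacker's chain arrives first
        node.offer(honest[10])                      # honest chain is offered again
    return {n.name: n.tip.id for n in (online, late)}


if __name__ == "__main__":
    print("no limit:   ", simulate(None))
    print("max_reorg=3:", simulate(3))
```

With no limit both nodes end on A16: the attacker wins, but every node agrees and the damage is at least visible as one reorg. With `max_reorg=3` the online node refuses the 5-deep reorg and stays on H10, while the node that was offline accepts A16 at depth 0 because it never held H6..H10; from then on neither will switch to the other's chain however long it grows, which is the "forks of forks" situation the posts describe. Setting the limit to 5 or more makes the split disappear again, which is just another way of saying the limit only works when the attacker is too weak to exceed it.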