Topic: Could code be changed quickly if vulnerability found? - page 3. (Read 3174 times)

Remember, this was intended to be a hypothetical question.  Either there is or is not a serious flaw in Bitcoin; if there is, wouldn't it be better to discuss how to deal with it now rather than wait for something to happen?


At first I thought if I were to find such a flaw, I could go ahead and mine what I wanted -- and get rich, with money created out of nothing, so nobody would get hurt.  But then I realized, of course, that doing so would have the effect of taking money away from miners who have spent good money on mining hardware.  And if I were to cash out, knowing that the value of BTCs could go down as a result of what I discovered, I would effectively be stealing from the people buying the bitcoins.

Interestingly, everyone seems to be steering me to quietly take advantage of any secrets I may discover (or to spill the beans, that could allow someone else to take advantage of it -- as you said, "I really wonder how many would pass on that opportunity to print money.").

If you were serious, you would've double checked before opening a thread. I really wonder how many would pass on that opportunity to print money.

"a hash well exceeding the current difficulty level" was used to show that the attack could continue.  If I said "a hash just below the current difficulty level," the response is that after a few adjustments to the difficulty, the attack would no longer work.  So let's assume it is near what other people would get.


I first have to do testing of my results, which will likely take a few days.  If I still think I'm on to something, I'll see what seems safe to share.

People would notice blocks with "a hash well exceeding the current difficulty level".

Why don't you slowly give more and more information, until you've convinced people you know what you're talking about.
For example, first state the class of bug. Are you saying you found a way to generate hashes far exceeding the current difficulty level?

I am aware that it will take proof to convince people of a flaw, and that I likely have not discovered a flaw worthy of people dealing with.

As for PM'ing -- therein lies the chicken and egg problem.  If there is a serious flaw, what prevents the person from taking advantage of it?  We're not talking about the cash register at the local burger joint being open in an unlocked building at night, we're talking about the safe deposit box at the bank being open in an unlocked building at night -- in a jurisdiction where the penalty for getting caught is that you had to give up what you took.

Let's say that I found that whatever the block header, a nonce of 0x12345678 would generate a hash well exceeding the current difficulty level (of course it isn't really that simple).  Wouldn't it be very tempting for the person I tell to take advantage of that?  Perhaps generate a block an hour for half a day, selling for fiat every hour, and walk off with $250K of cash?

Now perhaps the code could be changed quickly if someone took advantage and started created new blocks once a minute, hoping to raise a quick $40M.  It's decided to go back to the block before they started, and they have no bitcoins (except perhaps the few they were able to sell).  But what if the miner knew that was a possibility, and created a new block say every 4 hours, generating $100K a day.  How would that even be detected?

As I have said several times, I'm not asking if I have discovered a vulnerability.  I'm asking a what-if question, stating what I have to help give a warning.  In other words, it may not end up being a hypothetical question.  You're welcome to let me know that it is very unlikely that I found something important (like the poor guy who picks up the lottery ticket that has the winning numbers, but doesn't realize that they have to be in the right order).  But since you are evading the questions, it sounds like your vote (and that of empoweoqwj) is that if I did discover a vulnerability, I should take advantage of it and retire, and give no regard as to whether Bitcoin or individuals using it are.  If that's the ultimate answer, I'm OK with that!

If you look on here you will see many people coming in saying "I have found a flaw, but can't give you details" and it turns out that they didn't understand something, so everyone is very skeptical when someone comes in and won't give out any details.

PM someone with development experience on here with the details - in exacting detail showing where in the code their is a problem, in the math, or in the design.  If it is a vulnerability, you'll hear back quite quickly if you have actually provided enough details and if there is a problem.

The link above shows how quickly the code can be changed if needed, so the answer to the question is, YES.

The way you phrased certain things I would be prepared against it. Yeah, have your go at the worlds largest supercomputing network. Let me guess: you've programmed an Artificial General Intelligence and asked it how to break SHA256?

I am reasonably familiar with how open source is structured.  And I'm not asking if I have found a vulnerability (I know what I have found, and that I need to do more work to determine if there truly is a vulnerability, and if so, how severe it is).

Each open source product is different; I'm asking about this specific one.  Essentially, could a change be made reasonably quickly, and if so, how to deal with the chicken-and-egg problem?

Either Bitcoin has one or more serious vulnerabilities, or it does not.  The problem is that there is no way to know for sure whether or not it does unless/until one is discovered.  So is it best to hide our heads in the sand and hope there is none, or be prepared?

That's the $50 million question.  If I enlighten here, depending on whether or not I am right and how severe the issue is, things could get chaotic.  And, I need a bit more time to try to figure out how severe it really is.


Ah, I should see if I can change my handle to "random guy23".  :)

For the time being, I am assuming I am just random guy23, and that I'm seeing things that aren't there.  But I want to be prepared, just in case.  The idea of striking it rich certainly is appealing, but doesn't seem ethical.

See BIP50: https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki

Very interesting questions/speculations. However the scenario you described is not realistic. Why should progress of mining capability be so sudden? Reminds me of all the atttempts at proving P=NP and questions around quantum computing. If somebody discovers such a technique it will likely be discovered by others. Moore's law graph is very smooth.

An attack on bitcoin is very similar to what happened to the fiat system in 2008. I think such an event in the fiat world is quite likely (see N. Taleb's writings). I hope that at the least bitcoin is a backup system, because such events could be quite catastrophic.

There are many scenarios which are unlikely, which does not mean they are not going to happen. I speculated there could be an attack insurance, so that the values would be frozen before the attack and then distributed during the fix. Analogous to bankruptcy proceedings. But if the fix would have been anticipated it would have been there in the first place (as you said chicken egg problem).

Say the exchange value would drop to zero. The "attacker" (in your scenario he is just an honest miner) has lost his money as well. Instead he could mine. If nobody has ever heard of this technique he would accumulate a lot of hashing power. Such an event is possible, and one of the weakness of the algorithm. One would hope by that time there are solutions. In the end nobody says it can't happen. It just seems a lot of people are betting their money that it won't. The exchange rate is the present value over the lifetime of the coin. If every cryptographer on the planet has analysed bitcoin and not found a vulnerability, its unlikely random guy23 will find one.

Enlighten us on the vulnerability.

I am fairly certain that I have found a vulnerability in Bitcoin, just not yet sure yet how serious it is.

For now, though, let's just assume I'm clueless newbie or a crackpot, and I'm wrong.

In theory, though, if someone discovered such a vulnerability -- serious enough that without fairly quick action (and/or detection), the survival of Bitcoin could be potentially be jeopardized -- is there a plan in place to put in a fix?  Let's say, for example, a miner discovered a way to solve blocks in a minute or two at the current difficulty level, on a standard CPU.  By waiting until the difficulty was re-calculated, they could rack up some 50,000BTC before the difficulty changed again.  And that would cause the new difficulty to skyrocket, , and making it nearly impossible for anyone else to mine blocks (perhaps there are safeguards in place for that).  Or the person who discovers it is benevolent and tells the world, and the network hash rate goes berserk.  Or they are more nefarious and use it to double-spend, reverse transactions, whatever.  Or they quietly mine bitcoins at a rate slower than the biggest miners, not drawing attention to themselves.

If a fix could be identified quickly, could it be coded/tested/distributed in a reasonable amount of time?  What about the "chicken and egg" problem: if the details of the vulnerability are disclosed before the fix, someone could abuse it before the fix, but if the details are not disclosed before the fix, changes to Bitcoin could be made that would be unnecessary (and it would open up the door to people making wild claims).

I've read the "Dealing with SHA-256 Collisions" thread; Bitcoin has become much, much bigger since then, and the potential problems much harder to deal with.

FWIW, I'm confident that there is a problem -- I just haven't yet figured out if it is serious enough to be concerned about at this point.  But I thought it couldn't hurt to have a fresh "what if?" discussion.