Author

Topic: Does pre-mining generate "false coins"? (Read 4247 times)

jr. member
Activity: 39
Merit: 13
Last of the freelance physicists
December 24, 2013, 11:42:58 PM
#1
A bit/altcoin client verifies that it's at the end of the blockchain based on a maximum-chain-length consensus between nodes the client has connected to.  This is the why people worry about the "51% attack" on Bitcoin, right?  Because if 51% of the nodes were "bad", they could generate a new blockchain which would eventually overtake the "real" one.

If I understand correctly, each node's report of the max-chain-length is weighted by its hash power.  This is what prevents someone from creating a huge number of low-power nodes, seeding them off-line with a small piece of the real blockchain, and then turning them on and creating a new, false consensus.

However, the max-chain-length consensus requires nodes to have actually caught up to the blockchain.  Most nodes need to report a mostly-correct blockchain length for this consensus to work.  Normally, this isn't a problem, because the end of the chain is an absorbing boundary condition -- downloading the blockchain is much faster than creating it to begin with, so most nodes are at the end.  A just-released "fair coin" (i.e., no pre-mine) should also be fine, for the same reason -- nodes just reach the end of the chain much faster than they extend it by mining.

How about new coins that have been pre-mined?  In this case, you have:

(1) an initial blockchain of nonzero -- sometimes very nonzero -- length
(2) a very small number of seed nodes (in the limiting case, just one)
(3) a lot of new clients who are initially at block zero

Ok, so first, this seems like it would cause lots and lots of orphan blocks to be incorrectly accepted, generating "false coins" for the client, which will ultimately be invalidated once the network figures out the real blockchain length.  Empirically, this seems to happen -- when a new pre-mined coin is released, there is always a flood of complaints about orphan blocks that follows.

So what?  Well, a malicious attacker could force newly-released, pre-mined coins onto a new blockchain simply by overwhelming the seed nodes with a false consensus.  In fact, I wonder if if this could be used to "un-pre-mine" coins by the general community, by forcibly forking their blockchains?  In fact, this may be what happened (unintentionally) to Molecule when it was first released with a massive pre-mine -- the blockchain randomly forked, confusing everyone, including the developer.

TLDR: Don't pre-mine.  If you absolutely have to pre-mine, make your users download the pre-mined blockchain with the client -- don't just give them the client and a seed node to connect to!
Jump to: