
Topic: Does pre-mining generate "false coins"?

December 25, 2013, 01:03:26 AM
(Hope it's ok for me to post about altcoin-related stuff here.  I posted on the alt board, but it got lost in the flood of "giveaway" threads...  Hoping for some feedback, even if it's just feedback exposing any misunderstandings I have!)

A bit/altcoin client verifies that it's at the end of the blockchain based on a maximum-chain-length consensus between nodes the client has connected to.  This is why people worry about the "51% attack" on Bitcoin, right?  Because if 51% of the nodes were "bad", they could generate a new blockchain which would eventually overtake the "real" one.

If I understand correctly, each node's report of the max-chain-length is weighted by its hash power.  This is what prevents someone from creating a huge number of low-power nodes, seeding them off-line with a small piece of the real blockchain, and then turning them on and creating a new, false consensus.

However, the max-chain-length consensus requires nodes to have actually caught up to the blockchain.  Most nodes need to report a mostly-correct blockchain length for this consensus to work.  Normally, this isn't a problem, because the end of the chain is an absorbing boundary condition -- downloading the blockchain is much faster than creating it to begin with, so most nodes are at the end.  A just-released "fair coin" (i.e., no pre-mine) should also be fine, for the same reason -- nodes just reach the end of the chain much faster than they extend it by mining.

How about new coins that have been pre-mined?  In this case, you have:

(1) an initial blockchain of nonzero -- sometimes very nonzero -- length
(2) a very small number of seed nodes (in the limiting case, just one)
(3) a lot of new clients who are initially at block zero

Ok, so first, this seems like it would cause lots and lots of orphan blocks to be incorrectly accepted, generating "false coins" for the client, which will ultimately be invalidated once the network figures out the real blockchain length.  Empirically, this seems to happen -- when a new pre-mined coin is released, there is always a flood of complaints about orphan blocks that follows.

So what?  Well, a malicious attacker could force newly-released, pre-mined coins onto a new blockchain simply by overwhelming the seed nodes with a false consensus.  In fact, I wonder if this could be used to "un-pre-mine" coins by the general community, by forcibly forking their blockchains?  In fact, this may be what happened (unintentionally) to Molecule when it was first released with a massive pre-mine -- the blockchain randomly forked, confusing everyone, including the developer.

Possible ways to secure a pre-mined blockchain, assuming you don't have access to lots of computing power:

(1) hard-code a minimum blockchain length (i.e. the number of blocks you pre-mined)
(2) peg your coin's block generation time to the size (in hash power) of the consensus node pool
(3) make your users download your blockchain, rather than just giving them a wallet and a seed node and saying "have fun with this, hope you make me rich"...
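A toy simulation of the scenario in the post above (one seed node with a long pre-mined chain, many fresh clients at block zero, tips weighted by claimed hash power as the poster describes it), added here as an illustration; it is not the poster's code, not any real coin client's sync logic, and the peer counts and hash-power figures are constructed. It shows the short fork winning the weighted vote, and mitigation (1), a hard-coded minimum chain length, rejecting it.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tip:
    chain_id: str   # which fork this tip belongs to
    height: int     # number of blocks in that fork


@dataclass(frozen=True)
class Peer:
    tip: Tip
    hash_power: float   # relative mining power the peer claims to have


def select_tip(peers, min_height=0):
    """Pick the tip with the most claimed hash power behind it (poster's model).

    min_height models mitigation (1) from the post: a hard-coded minimum
    chain length equal to the pre-mined height. Any tip below it is ignored
    before the vote, so a fresh fork can never outvote the seeded chain.
    Returns None when no peer offers an acceptable tip.
    """
    weight = defaultdict(float)
    for p in peers:
        if p.tip.height < min_height:
            continue                      # too short to be the real chain
        weight[p.tip] += p.hash_power
    if not weight:
        return None
    # most hash power wins; ties broken by height
    return max(weight, key=lambda t: (weight[t], t.height))


# Constructed scenario: a 5000-block pre-mine served by a single seed node,
# and 200 fresh clients that never synced and mined 3 blocks from genesis.
PREMINED_HEIGHT = 5000
SEED = Peer(Tip("premine", PREMINED_HEIGHT), hash_power=1.0)
FRESH = [Peer(Tip("fresh-fork", 3), hash_power=0.05) for _ in range(200)]


def run_scenario():
    """Return the tip chosen without and with the hard-coded minimum height."""
    return {
        "unprotected": select_tip([SEED] + FRESH),
        "min_height":  select_tip([SEED] + FRESH, min_height=PREMINED_HEIGHT),
    }


if __name__ == "__main__":
    for label, tip in run_scenario().items():
        print(f"{label:12s} -> {tip}")
```

Without the minimum height the 200 fresh peers carry 10 units of hash power against the seed's 1, so the client adopts the 3-block fork and any blocks it mines on top of it are the "false coins" the post describes; with the minimum height the fork is filtered out before the vote.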