Topic: Finney Attack against SatoshiDice or how to get 250 BTC per solved block. - page 4. (Read 6147 times)

They have tiny fees, which likely don't pay for the marginal increase in the odds that the block gets orphaned due to its increase propagation/validation time.

Those transactions are insanely inefficient— half of them are pure messaging and not really a monetary transaction— they make it much more costly to run a Bitcoin node— they're burning up our technical startup capital without adding new users to the bitcoin economy (or at least not many). The bitdust outputs they create will likely never be rational to spend and are rapidly inflating the UTXO set— unprunable data. Across the board they're bad they're bad for the ecosystem... and they're ever so easily blocked, basically a one line patch.  So, even if it wasn't net-profitable to block them I'm sure some would.

Fees are still pretty tiny in comparison to the block reward, and some people are willing to pay that small price because they don't like Satoshidice.

Don't assume everyone is a perfectly rational economic actor, or even that perfectly rational actors are using the same set of assumptions that you are.

Why would miners drop transactions for SD? That makes no sense. Sure they might de-prioritize them but no need to drop them, especially if they have fees (do they?)

Indeed, and I wasn't actually able to tell you what the exact threshold is— since it doesn't even appear to be documented!

One of the reasons they have to do this is that its really really easy to double spend against SD because some pools will not mine transactions paying them. So you can make a bet, if it loses, make a double spend to a non-sd address and give it to miners that ignore SD transactions. They may not solve the next block— but it still makes your expected return positive.  Another variation is to make the txn paying SD have an input that is part of a really long unconfirmed chain which will take a long time to confirm... and double spend that, giving more time for the conflict to get confirmed. etc.

Ohh! It's a pity they don't said that on the web page, it would have saved me and you time. They clearly said the response is immediate, probably for  marketing.

They wait for 1 confirmation on bets over a couple BTC. This has been discussed before, and a variation (that doesn't require hash power) of it performed in the past.

How can someone not know that evoorhees owns Satoshi Dice?

There has been some discussion regarding Double Spend against a Satoshidice loss, but it seems that no one has seriously considered Finney Attack against SatoshiDice. This attack is both simple and (IMHO) very easy to mount by an attacker-miner.

The idea is simple: Suppose a miner has any percentage of the network hashing power, say 1%.
Suppose a miner has 241 BTC in an previous output X.
This miner creates a block containing ONLY a single transaction TxWhenLost that pays 241 from X to a new address he owns.

Then the attacker starts mining as normal (and updates the special block to a new parent whenever a new block is solver by the network).
After 16.6 hours on average, his solves a block. Then instead of broadcasting it, he first creates a transaction TxTest that bets the 241 BTC in X against SatoshiDice. Suppose the bet is:

TxTest bets 241 BTC against less than 6000
(address 1dice6wBxymYi3t94heUAG6MpG5eceLG1).
The winning probability is 9.1553% and the multiplier is 10.666x.
That means that approximately every 7 days the attacker wins SatoshiDice.

Now he sends TxTest to SatoshiDice. SatoshiDice replies broadcasting the result TxResult (they say this is almost instantaneously).  Now the attacker decides:

if he has won, he discards the solved block without broadcasting.
If he has lost, he broadcasts the block as soon as possible. Since the block has very few bytes, it will propagate fast. The attacker may also have many nodes in the network to propagate faster the block.

Analysis

9.1553% of the times the attacker wins 241*10.666-25=2545.506 BTC
90.8447% of the times the attacker wins 25 BTC

So the expected income PER SOLVED BLOCK is 233.04+22.71=255.75 BTC !!

That 10x more the 25 BTC a miner normally receives.

Even if 1/10 times the attack fails, the expected income is notably higher than normal.
This is not the best possible attack: if the attacker has greater hashing power or doesn't mind to wait more, he can try bets to "lessthan 1500". In this case the earnings 3 times more (750 BTC per solved block).

The only assumption I'm making is that SatoshiDice responds with TxResult within a short time interval (say 30 seconds).

The only way I think SatoshiDice can protect from this attack is by waiting for 1 confirmation from the transactions they receive or by delaying TxResult 5 minutes or so.

I haven't  contacted the owner of SatoshiDice since there is no contact information in the web page. If you know who the owner is, please tell him to follow this thread.

Disclaimer: as always, I haven't test the attack, so I may be wrong.
Think for yourself.

Best regards,
 Sergio