Pages:
Author

Topic: [HOWTO] kill any 100% PoS coins owning less than 1% of all coins. (Read 13454 times)

sr. member
Activity: 393
Merit: 250
Just a hint: as you further split your coins, the computational effort to search them all becomes non-trivial.

Otherwise, I will leave you to live in your fork of mathematics, high or higher and logic.
hero member
Activity: 686
Merit: 500
Updated top post with new vulnerabilities.
hero member
Activity: 686
Merit: 500
Then, with a simple calculation, you get a weight in coins*days. Given the above reference numbers, your 'staking chance' ranges between 30 and 90 coin*days for a 1 coin amount. The rest is pure luck, random numbers.

Yeah, see that's exactly what I said. The probability of a single coin staking is 1/x (where x is your calculated coin weight). So the probability of a million coins is 1,000,000/x.

From what I understand what you say, as per your logic, a graphs card should never be able to mine any coin and a single core CPU is infinite times after than the GPU when it comes to mining. Cause if a graphics chip has 1500 stream processes; each core will have negligible hash rate, so the probability of a core to mine a block is negligible.  Tongue

In fact, by this I've uncovered another vulnerability using this calculator.

As the no. of coins increases, the probability of hitting a block does not increase linearly; it decreases. So the network difficulty is lower.

But if you've split your stake, the probability of staking a block will increase linearly, cause each coin has it's own instance. It's stake is calculated separately.

That means the network hash rate of genuine PoS miners will lower, helping the attacker more.

Quote
Also, in your invention, you claim that "Each block gives the miner variable rewards depending on the current difficulty" -- which is essentially not true, at least for most PoS coins. The 'difficulty' in PoS is merely multiplied with coin*age to produce your chance to participate in PoS. The PoS reward is strictly dependent on coin*age*interest and 'difficulty' is nowhere in that calculation.

Difficulty=coin*age
coin = Difficulty/age

PoS reward = coin*age*interest
PoS reward = Difficulty*interest

Quote from: dE_logics
Similarly if the difficulty is high the block reward will increase cause...

As I said, rudimentary question. I'm not answering any of these rudimentary questions in the future. I'll just put a notice and link this this conversation.

Please you should know high school mathematics to understand this vulnerability. And of course have some common sense (to understand what's a 51% attack in the 1st first place).
sr. member
Activity: 393
Merit: 250
That part was not really for you.

So you have a bunch of small amounts you wish to stake. How do you manage to guess the stake modifiers to be able to create these PoS blocks in a row?

The "probability" formula in most coins is this:

    int64 nTimeWeight = min((int64)nTimeTx - txPrev.nTime, (int64)nStakeMaxAge) - nStakeMinAge;
    CBigNum bnCoinDayWeight = CBigNum(nValueIn) * nTimeWeight / COIN / (24 * 60 * 60);

(in some coins it's re-arranged, in some this code is refactored partially into a function -- but it is essentially the same everywhere).

This code is very easy to decipher. The time weight is the difference between the coin age, capped at nStakeMaxAge (reference 90 days) minus nStakeMinAge (reference 30 days). Of course, before doing this calculation nStakeMinAge is checked etc so it cannot come negative.

Then, with a simple calculation, you get a weight in coins*days. Given the above reference numbers, your 'staking chance' ranges between 30 and 90 coin*days for a 1 coin amount. The rest is pure luck, random numbers.

There used to be bug in the protocol, fixed in v0.3 -- that permitted coin stake to be burned in high pace and then, your suggestion to burn smaller amounts makes sense. But that bug has been fixed long ago.

Also, in your invention, you claim that "Each block gives the miner variable rewards depending on the current difficulty" -- which is essentially not true, at least for most PoS coins. The 'difficulty' in PoS is merely multiplied with coin*age to produce your chance to participate in PoS. The PoS reward is strictly dependent on coin*age*interest and 'difficulty' is nowhere in that calculation.

The PoS 'difficulty' is used to pace the creation of PoS blocks (too). Which essentially means, that if you ever succeed to make your too many small amounts stake in a row, you will need to be able to find good enough hashes to prove you solved the difficulty part.
hero member
Activity: 686
Merit: 500
For 0.01 TX fee, the attack will be made just 1% more expensive.

So it doesn't matter.

It does matter. The 0.01 PPC tx fee will dramatically limit your attack power. You have to pay 0.01PPC tx fee for each smaller unit of PPC when you divide each PPC into smaller unit of PPC, so you can't divide one PPC into unlimited smaller unit of PPC.

That comes out as 1% overhead. 0.01/1*100 = 1%

You cant stake mine with balance under 1 coin, so that's the minimum you need to split.

You can't assume the minimum would be adequate.  You may need to subdivide into millions of separate transactions to provide enough leverage for this to work.  And then whether it will work depends on the specific implementation of proof of stake you're talking about.

Assume? It's the reality. In PPcoin (and in most PoS cryptos), you're not eligible for PoS mining if the coin's quantity is less than 1. They attacker may use 2 even, but there's no point in doing that.


Do you have code references to support this claim?

It is amazing how little people know about the PoS mechanics off ppcoin and descendants. It is true, that some coins are very poorly configured, but let me give you an example and ask you to re-play your attack logic there. The current version of Diamond, has minimum stake time of 7 days and maximum stake time of 30 days. It also has a combine threshold of 100. What those numbers mean is this:

1. You DMD can't stake while younger than 7 days.
2. If your DMD happen to stake between 7 and 30 days (because of sheer luck, or because of too much coin age), it will be subject to splitting. The amount plus reward will be split in two almost equal pieces.
3. If your DMD happens to stake, when it is older than 30 days - for example, you kept your wallet locked for way too long, or the amounts are too small they can't be lucky enough -- then the amount is not split. Instead, the combining routine is invoked. What it does, is find other DMD amounts older than 30 days, and combining them all untill they all are not over the combine threshold (100) in this case. Then all these amounts stake together and create one new amount or around 100 DMD + reward.

Now, say you have 10,000 amounts of 1 DMD which you let age enough and you hope could help you create such an attack. Tough luck... If they are all aged over 30 days, when they start to stake, each of the stakes will group 100 of them into one amount. You will end up with 100 stake events, instead of 10,000 as you had hoped. Caveat emptor.

Are you still convinced this "attack" could succeed?

If you want something like this to succeed, you need big piles of coins, large number of them, sitting with PoS disabled for a very long time, in order to be able to execute an attack like this. Which brings us back to the original PoS claims... more or less.

To PoS coin developers/maintainers: You guys should look at this line in your code:

int64 nCombineThreshold = GetProofOfWorkReward(GetLastBlockIndex(pindexBest, false)->nBits) / 3;

This thing is usually improper. You are confused by the "do not touch this, we invented it right" comments around it, but in fact, what it does is limit the combine threshold to 1/3 of your PoW reward. You disabled PoW, perhaps, or reduced it's reward too much?  The nCombineThreshold sets the upper limit of how big a pile of coins PoS will create for older coins. You want this to work! Mostly because the endless splitting that is done by PoS otherwise will create too small coin piles to stake often. Using Coin Control for this task is pretty much pathetic -- it is already built in your PoS code, use it.

You might want to thank me, or not ;-)

I would only like to answer the other half of your post -- the others being too rudimentary to answer (please ponder on your own).

The coin control you're talking about can be easily disabled. It doesn't break the protocol and there's no way to know if the stake was generated by a single person or not.
sr. member
Activity: 393
Merit: 250
For 0.01 TX fee, the attack will be made just 1% more expensive.

So it doesn't matter.

It does matter. The 0.01 PPC tx fee will dramatically limit your attack power. You have to pay 0.01PPC tx fee for each smaller unit of PPC when you divide each PPC into smaller unit of PPC, so you can't divide one PPC into unlimited smaller unit of PPC.

That comes out as 1% overhead. 0.01/1*100 = 1%

You cant stake mine with balance under 1 coin, so that's the minimum you need to split.

You can't assume the minimum would be adequate.  You may need to subdivide into millions of separate transactions to provide enough leverage for this to work.  And then whether it will work depends on the specific implementation of proof of stake you're talking about.

Assume? It's the reality. In PPcoin (and in most PoS cryptos), you're not eligible for PoS mining if the coin's quantity is less than 1. They attacker may use 2 even, but there's no point in doing that.


Do you have code references to support this claim?

It is amazing how little people know about the PoS mechanics off ppcoin and descendants. It is true, that some coins are very poorly configured, but let me give you an example and ask you to re-play your attack logic there. The current version of Diamond, has minimum stake time of 7 days and maximum stake time of 30 days. It also has a combine threshold of 100. What those numbers mean is this:

1. You DMD can't stake while younger than 7 days.
2. If your DMD happen to stake between 7 and 30 days (because of sheer luck, or because of too much coin age), it will be subject to splitting. The amount plus reward will be split in two almost equal pieces.
3. If your DMD happens to stake, when it is older than 30 days - for example, you kept your wallet locked for way too long, or the amounts are too small they can't be lucky enough -- then the amount is not split. Instead, the combining routine is invoked. What it does, is find other DMD amounts older than 30 days, and combining them all untill they all are not over the combine threshold (100) in this case. Then all these amounts stake together and create one new amount or around 100 DMD + reward.

Now, say you have 10,000 amounts of 1 DMD which you let age enough and you hope could help you create such an attack. Tough luck... If they are all aged over 30 days, when they start to stake, each of the stakes will group 100 of them into one amount. You will end up with 100 stake events, instead of 10,000 as you had hoped. Caveat emptor.

Are you still convinced this "attack" could succeed?

If you want something like this to succeed, you need big piles of coins, large number of them, sitting with PoS disabled for a very long time, in order to be able to execute an attack like this. Which brings us back to the original PoS claims... more or less.

To PoS coin developers/maintainers: You guys should look at this line in your code:

int64 nCombineThreshold = GetProofOfWorkReward(GetLastBlockIndex(pindexBest, false)->nBits) / 3;

This thing is usually improper. You are confused by the "do not touch this, we invented it right" comments around it, but in fact, what it does is limit the combine threshold to 1/3 of your PoW reward. You disabled PoW, perhaps, or reduced it's reward too much?  The nCombineThreshold sets the upper limit of how big a pile of coins PoS will create for older coins. You want this to work! Mostly because the endless splitting that is done by PoS otherwise will create too small coin piles to stake often. Using Coin Control for this task is pretty much pathetic -- it is already built in your PoS code, use it.

You might want to thank me, or not ;-)
legendary
Activity: 1400
Merit: 1050
you don't need to kill PoS coins, they die on their own...
hero member
Activity: 686
Merit: 500
Since I'm not a developer nor a hacker I cant modify wallets to do such an attack, but here's the concept, which may not be right, but crackers may try.


We're going to exploit low PoS difficulty and prominently it's low for even 100% PoS coins. Like for mintcoin it's 0.243, even for popular and old coins like PPC, the difficulty is 10.

First let me explain the significance of difficult in PoS which's very much similar to difficulty in PoW. But don't assume low PoS difficulty means higher rate of returns. Each block gives the miner variable rewards depending on the current difficulty which predicts the probability of the coins to mint a PoS block. A low difficulty means the coins will easily be able to mint PoS blocks, since the number of PoS blocks generated by coins are frequent, the block reward will drop cause the interest rate is capped. In other words, when difficulty is low, the coins will have to wait less to generate a block reward, i.e. the coin will have less age so the block reward will be low. Similarly if the difficulty is high the block reward will increase cause the probability of the coins to make a PoS block will be less, so PoS blocks generated by the coins will be less but the interest rate has to be maintained at 20%; so to compensate for the lower block rate, the block reward will increase.

In PoS, when a node receives a number of coins all in 1 transaction (call this transaction X and the no. of coins in the transaction as A), all of these coins will be used to mine a block. The more the no. of coins in X, the higher the chance of hitting a block. The older transaction X goes the higher the chance of hitting a block. For coins which were received in another transaction (apart from X, call this transaction Z) but to the same address will try to mine a block separately from Z; the wallet will use Y along with X independently to mine blocks.

Suppose the probably of mining a block for X is within x days, after mining, the coin age renews to 0, making it ineligible to mine a block till it's old enough to mine blocks again.

We're going to compare the set of coins X which were received with in a single transaction to a no. of transactions the size of each being 1 coin, but the no. of transactions is such that it results in A no. of coins (i.e. A no. of transactions). This mean for each of these coins, the wallet will try to generate a block using them separately. Let's call this set of coins Y.

The probability of one coin to generate a block is x/A (since X has A no. of coins); for all of  A no. of coins used together, the probability to generate a block is (x/A)*A = x. So Y has the same probability to generate a block as compared to X. Once a block has been mined, the age of the single coin used to mine a block becomes 0 and it comes ineligible for mining, but all other coins are still eligible for mining. Now the probability of Y to generate another block is (x/A)*(A-1) which is almost x (call this changing value y, i.e. y is the current mining power of Y after a no. of coins's age has been reduce to 0). Depending on the size of A, the this value of y will almost be the same as x for (x/A)*(A-1), (x/A)*(A-2), (x/A)*(A-3)... (x/A)*(A-100). The larger the value of A, the closer is the mining power to x as a single coin will be less significant for a large value of A.

So Y has lot more power to generate blocks as compared to X with the same no. of coins. The attacker with possession of Y can wait for an attack till the coins become older which yields better probability of blocks.

In a 51% attack, you need exactly that. You try to fork the block chain and try to make the forked chain longer than the main chain and once that happens all valid transactions in those chains will be lost (double spending). So when it comes to hashing power, PoS is more vulnerable to PoW.

It's a fallacy that you need most of the coins in a PoS coin to attack it; it all depends on the difficulty. You can do an attack even if you have less than 1% of the coins. It's all on the difficulty.

If you do a mindless criticism (criticizing me without any reason or calling the whole text gibberish without stating a reason), realize that it's clear that you own a huge stake in a 100% PoS crypto and are planning to dump it at a pump which this article may reduce the probability of (if it is true).

If you don't believe me, very well. I got no issues, but I'm always open for constructive discussion. As of attackers, they may try this and succeed while you believe this's a lie.

just seeking clarification here. but would this "theoretical exploit" still apply if a coin had a low inflation? such as 1-5%? meaning.. not 100%POS?

Yes, but to a limited extent. The more the PoS block, the more insecurity will be added.
hero member
Activity: 686
Merit: 500
There's a flaw in the way the Bitcoin protocol distributes objects which can be used cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.

If trouble awaits with certain kinds of coins, it would be nice to be informed about it. Don't you think serious hackers who perform real attacks are far more likely to already know or be able to figure it out on their own than normal users/investors, and hence giving more information about it here is more likely to benefit normal users than real attackers?

There are hardly any successful PoS coins. Especially the ones which have been mined.

There's more profit in finding vulnerabilities in Microsoft software and selling/exploiting them for botnets.
hero member
Activity: 658
Merit: 500
Since I'm not a developer nor a hacker I cant modify wallets to do such an attack, but here's the concept, which may not be right, but crackers may try.


We're going to exploit low PoS difficulty and prominently it's low for even 100% PoS coins. Like for mintcoin it's 0.243, even for popular and old coins like PPC, the difficulty is 10.

First let me explain the significance of difficult in PoS which's very much similar to difficulty in PoW. But don't assume low PoS difficulty means higher rate of returns. Each block gives the miner variable rewards depending on the current difficulty which predicts the probability of the coins to mint a PoS block. A low difficulty means the coins will easily be able to mint PoS blocks, since the number of PoS blocks generated by coins are frequent, the block reward will drop cause the interest rate is capped. In other words, when difficulty is low, the coins will have to wait less to generate a block reward, i.e. the coin will have less age so the block reward will be low. Similarly if the difficulty is high the block reward will increase cause the probability of the coins to make a PoS block will be less, so PoS blocks generated by the coins will be less but the interest rate has to be maintained at 20%; so to compensate for the lower block rate, the block reward will increase.

In PoS, when a node receives a number of coins all in 1 transaction (call this transaction X and the no. of coins in the transaction as A), all of these coins will be used to mine a block. The more the no. of coins in X, the higher the chance of hitting a block. The older transaction X goes the higher the chance of hitting a block. For coins which were received in another transaction (apart from X, call this transaction Z) but to the same address will try to mine a block separately from Z; the wallet will use Y along with X independently to mine blocks.

Suppose the probably of mining a block for X is within x days, after mining, the coin age renews to 0, making it ineligible to mine a block till it's old enough to mine blocks again.

We're going to compare the set of coins X which were received with in a single transaction to a no. of transactions the size of each being 1 coin, but the no. of transactions is such that it results in A no. of coins (i.e. A no. of transactions). This mean for each of these coins, the wallet will try to generate a block using them separately. Let's call this set of coins Y.

The probability of one coin to generate a block is x/A (since X has A no. of coins); for all of  A no. of coins used together, the probability to generate a block is (x/A)*A = x. So Y has the same probability to generate a block as compared to X. Once a block has been mined, the age of the single coin used to mine a block becomes 0 and it comes ineligible for mining, but all other coins are still eligible for mining. Now the probability of Y to generate another block is (x/A)*(A-1) which is almost x (call this changing value y, i.e. y is the current mining power of Y after a no. of coins's age has been reduce to 0). Depending on the size of A, the this value of y will almost be the same as x for (x/A)*(A-1), (x/A)*(A-2), (x/A)*(A-3)... (x/A)*(A-100). The larger the value of A, the closer is the mining power to x as a single coin will be less significant for a large value of A.

So Y has lot more power to generate blocks as compared to X with the same no. of coins. The attacker with possession of Y can wait for an attack till the coins become older which yields better probability of blocks.

In a 51% attack, you need exactly that. You try to fork the block chain and try to make the forked chain longer than the main chain and once that happens all valid transactions in those chains will be lost (double spending). So when it comes to hashing power, PoS is more vulnerable to PoW.

It's a fallacy that you need most of the coins in a PoS coin to attack it; it all depends on the difficulty. You can do an attack even if you have less than 1% of the coins. It's all on the difficulty.

If you do a mindless criticism (criticizing me without any reason or calling the whole text gibberish without stating a reason), realize that it's clear that you own a huge stake in a 100% PoS crypto and are planning to dump it at a pump which this article may reduce the probability of (if it is true).

If you don't believe me, very well. I got no issues, but I'm always open for constructive discussion. As of attackers, they may try this and succeed while you believe this's a lie.

just seeking clarification here. but would this "theoretical exploit" still apply if a coin had a low inflation? such as 1-5%? meaning.. not 100%POS?
legendary
Activity: 2268
Merit: 1092
There's a flaw in the way the Bitcoin protocol distributes objects which can be used cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.

If trouble awaits with certain kinds of coins, it would be nice to be informed about it. Don't you think serious hackers who perform real attacks are far more likely to already know or be able to figure it out on their own than normal users/investors, and hence giving more information about it here is more likely to benefit normal users than real attackers?

I agree with your sentiment, but in practice if there is no possible fix (or way to protect yourself) then revealing details will just accelerate the 'mischief.' As mentioned I have discussed it with Sunny King but I think he's more concerned about looking after his own coin, and PPC currently has sufficient strength for it to be an irrelevant issue. In hindsight, I probably shouldn't have posted anything at all.
sr. member
Activity: 274
Merit: 250
There's a flaw in the way the Bitcoin protocol distributes objects which can be used cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.

If trouble awaits with certain kinds of coins, it would be nice to be informed about it. Don't you think serious hackers who perform real attacks are far more likely to already know or be able to figure it out on their own than normal users/investors, and hence giving more information about it here is more likely to benefit normal users than real attackers?
sr. member
Activity: 465
Merit: 250
There's a flaw in the way the Bitcoin protocol distributes objects which can be used cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.


I'd be glad to know more details about this issue. Would you mind to share some info with me perhaps via PM if you prefer?

There are so many coins with low PoS difficulty.  Therefore even there's no easy permanent fix, we better come together to find a way to at least minimize the possible impacts it may arise
legendary
Activity: 2268
Merit: 1092
There's a flaw in the way the Bitcoin protocol distributes objects which can be used cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.
legendary
Activity: 1764
Merit: 1006
Why have an urge to kill other peoples coins. Unless the coin was built for a scam, I see no reason why anyone would want to destroy someone else's work.

for teh lulz.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
hero member
Activity: 686
Merit: 500
Why have an urge to kill other peoples coins. Unless the coin was built for a scam, I see no reason why anyone would want to destroy someone else's work.

There's profit in killing a popular coin with low difficulty.

You can double spend.
full member
Activity: 168
Merit: 100
Why have an urge to kill other peoples coins. Unless the coin was built for a scam, I see no reason why anyone would want to destroy someone else's work.
hero member
Activity: 686
Merit: 500
Yes, you got it right.


Apart from that, I see PoS as a flaw in the economic model also.

See point 2) C) from http://delogics.blogspot.com/2013/12/the-ultimatebest-cyrptocurrency.html
sr. member
Activity: 274
Merit: 250
I haven't read the entire thread, but if I understand the OP correctly, then I think this is known by some of the more knowledgeable people. Just not discussed much these days. The main point as I understand it is splitting your stake means minting some POS blocks doesn't significantly reduce your chance of minting the next blocks.

For example, if you look at Balthazar's (Novacoin's developer) formula below, he already implicitly assumed this.
https://bitcointalksearch.org/topic/m.3104704

That post is also very illustrative of the challenges POS systems face.
hero member
Activity: 966
Merit: 1003
There's also a "PoS 2.0" that's supposed to be coming out in a while for BlackCoin that addresses some PoS security issues, but not sure in particular what those issues are.  Might be more info coming out later.

https://bitcointalksearch.org/topic/ann-blackcoin-bcblk-pos-blackhalo-smart-contracts-anonymous-599299
http://www.blackcoin.co/blackcoin-pos-protocol-v2-whitepaper.pdf
Pages:
Jump to: