Topic: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? - page 39. (Read 95256 times)

sr. member
Activity: 420
Merit: 262
If my prior explanation was confusing, let me explain it carefully one more time.

On typical PoW coins such as Bitcoin, Monero, etc, a Finney attack is when a miner finds a block solution that contains a double-spend, but waits to announce it until after the 0-confirmation transaction was already accepted by the merchant, thus the merchant loses the money because the 0-confirmation transaction ends up being included later in the block chain. That only works if the merchant accepts the 0-confirmation transaction.

On Dash the situation is much worse because Dash guarantees to the merchant that an InstantX transaction is confirmed. So the attacker can release the block with the double-spend at the same time the InstantX transaction is confirmed, and there will be randomized ambiguity about which of the two events occurred first since both will propagate over the network and some mining nodes will see one or the other first as the two competing choices propagate at the same time over the P2P network. This is not even factoring in any Sybil attack on propagation by the attacker which isn't typically necessary to make the attack work (but can also be used to amplify the harm of the attack if desired).

This is a major flaw because all mining nodes are required by the InstantX protocol to reject any block chain that contains the opposite ordering as compared to the ordering the nodes observed on the propagation. Thus when mining nodes disagree about ordering of this (as they are required by the protocol to do!), they will partition into two forks, refusing to mine the fork of the other fork. These are totally honest miners forced to disagree with each other due to a flawed InstantX protocol. It is really hilarious. This is the kind of technical design error made by an amateur who refuses to follow standard peer review and open source protocols (which would prevent such an egregious design flaw) that is utterly embarrassing and should be enough to make Dash the laughing stock of the crypto world.

One might propose to fix this by forcing all mining nodes to wait some specified number of seconds or minutes or hours (choose one, it doesn't matter) for the propagation of the InstantX transaction. If there is any conflicting block during this required wait, then both transactions are invalid. For the simpleton mind, that seems to solve the problem because the attacker can't attain a double spend, because the merchant will wait for this required duration. But for the clever mind, you realize there is still a flaw because the attacker can just wait to announce his block right at the edge of that wait duration, so then mining nodes will have randomly different observations as to whether both are invalid or whether the InstantX transaction is valid. So then the same result: the block chain is forked. This is very counterintuitive to most people, because they think you can just choose the InstantX transaction if the wait duration is long enough. But the protocol can't be ambiguous and it must be specific.

Realize that each time the block chain is forked this way, it will randomly split the mining nodes into two more forks. So the number of forks will be 2^N where N is the number of times the attack was employed. Do the attack 100 times, and you'll have 2^100 = 1,267,650,600,000,000,000,000,000,000,000 forks or the number of mining nodes as the number of forks, whichever is less. In other words, perform this attack just a few times and you can make all the mining nodes mine separate chains all by their lonesomes. The attacker can then spend his coins on every fork, i.e. multiplying the money supply by 1,267,650,600,000,000,000,000,000,000,000.

Lol.

Am I the only person who finds that incredibly funny? A designed feature to force all mining nodes to mine alone masquerading as an instant confirmation feature. Lol. I still can't stop laughing.

Dash supporters you might want to find a rock to hide under about now, because there are more flaws coming...

Take away is don't go messing with Satoshi's design if you haven't expended an immense amount of effort to make sure you haven't opened Pandora's box.

Edit: I was just informed that Tacotime raised this forking attack issue in the past. I remember some publicity long ago about InstantX being flawed. If anyone can point me to Tacotime's post, I will add a link to it here. I would also like to read his explanation to see if there are any differences in our conceptualization of it.
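The forking argument in the post above (honest nodes bound forever to whichever ordering they happened to observe, and the wait-window variant where the conflicting block lands just inside the window's edge) can be checked with a small model. The following is an added example written for this page; it is not code from the thread, from Dash, or from InstantX. Its propagation model is an assumption: every node sees each announcement after an independent uniform delay of at most `max_delay` seconds, the lock is released at t = 0, and the block is released at the same instant (no window) or `edge_margin` seconds before the window closes. Node counts and seeds are constructed values.

```python
import random
from collections import Counter

# Outcome a single node records for one pair of conflicting announcements
# (a locked instant transaction versus a block spending the same input).
LOCK_FIRST = "lock-first"        # node treats the instant lock as binding
BLOCK_FIRST = "block-first"      # node treats the block's spend as binding
BOTH_REJECTED = "both-rejected"  # wait-window rule: conflict seen inside window


def node_outcome(t_lock_seen, t_block_seen, window=0.0):
    """What one node concludes under a 'first observed ordering is binding' rule.

    window == 0: plain ordering rule, whichever announcement arrived first wins.
    window  > 0: a conflicting block seen within `window` seconds after the lock
                 invalidates both; otherwise the lock is accepted.
    """
    if window <= 0:
        return LOCK_FIRST if t_lock_seen < t_block_seen else BLOCK_FIRST
    if t_block_seen < t_lock_seen + window:
        return BOTH_REJECTED
    return LOCK_FIRST


def simulate(num_nodes, repetitions, window=0.0, max_delay=1.0,
             edge_margin=0.5, seed=1):
    """Count forks after `repetitions` conflicting-announcement events.

    Constructed model (assumption, not Dash's actual network): each node sees
    each announcement after an independent uniform delay in [0, max_delay]
    seconds. The lock is released at t = 0 and the block at
    t = max(window - edge_margin, 0): the same instant when there is no window,
    and just inside the window's edge otherwise. Nodes whose recorded outcome
    histories differ refuse each other's chains, so the number of distinct
    histories is the number of forks.
    """
    rng = random.Random(seed)
    histories = [() for _ in range(num_nodes)]
    block_release = max(window - edge_margin, 0.0)
    for _ in range(repetitions):
        updated = []
        for history in histories:
            t_lock = rng.uniform(0.0, max_delay)
            t_block = block_release + rng.uniform(0.0, max_delay)
            updated.append(history + (node_outcome(t_lock, t_block, window),))
        histories = updated
    counts = Counter(histories)
    return len(counts), counts


def max_forks(repetitions, num_nodes):
    """Upper bound stated in the post: 2^N forks, capped by the node count."""
    return min(2 ** repetitions, num_nodes)


if __name__ == "__main__":
    for reps in (1, 3, 10):
        forks, _ = simulate(1000, reps)
        print(f"{reps} events, no window: {forks} forks "
              f"(bound {max_forks(reps, 1000)})")
    forks, counts = simulate(1000, 1, window=10.0)
    print("1 event, 10 s window, block released 0.5 s before the edge:",
          forks, "forks", dict(counts))
```

With no window, roughly half the nodes see the lock first and half see the block first, so one event already yields two mutually refusing groups and each further event doubles the count until every node is alone. With a 10-second window the ordering itself is no longer in doubt (every node sees the lock long before the block), yet nodes still split between "both rejected" and "lock accepted" because the window edge falls inside the spread of propagation delays; that is the point the post makes about the window not removing the ambiguity, only moving it.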
sr. member
Activity: 420
Merit: 262
The attack I described for the Finney attack didn't even require conflicting InstantX announcements, rather the conflicting announcement of the transaction being spent on the block versus on the instantx permissioned masternode. Even if InstantX are prelocked to a specific masternode, it must be possible to unlock the funds back to the general UTXO otherwise that would be a risk of losing funds to a masternode that refuses to sign. So thus the Finney attack can just unlock the funds in that case to create the double-spend of the InstantX transaction (by unspending it). No matter how it is designed, it can be attacked. I don't even need to know which way it is designed. I can reason it is flawed in any way.

If the lock can't be acquired within 20 seconds iirc it will lapse. Can't find a link to back my memory though. And I don't know how and by whom it is canceled either.

I was too lazy to go re-read the InstantX paper, so I was saying that Finney attack would work even if Dash was designed such that it required pre-assigning UTXO to specific set of masternodes via a block chain transaction. But I checked again and Dash doesn't require an enabling block chain transaction because it uses a deterministic algorithm to select the set of masternodes that must sign the instant transaction (this is called a "lock"):

https://www.dash.org/instantx/

You can see the paper doesn't even explain anything about how to distinguish between the conflicting block chain transaction and the locked instant transaction, because as smooth and I have explained, propagation is not something that can be guaranteed to be consistent for all P2P nodes.

Thus as I wrote upthread, the mining nodes can disagree about the ordering of the conflicting block chain transaction and the locked instant transaction. Once they disagree, they can never agree again. You have a fork with some honest miners on one fork and other honest miners on the other fork. The merchant loses the funds on one of the forks. Do this enough times, and you fork the coin as many times as you want to end up with a coin that has 1000 competing forks, lol. That would be really funny. I'd like to do that attack on Dash just for the Lolz.


Don't think only of the merchant (payee). Think of the consistency of the block chain.

It's starting to get too complex for me for now, I guess I'll need to draw a picture of a forking network to understand the implications. Thanks for being patient with me and trying to explain.

It is as simple as no one (including the merchant and the honest mining nodes) can be sure which of the conflicting block chain transaction and the locked instant transaction occurred first. If we stipulate that everyone must wait 10 seconds before making a decision (i.e. meaning any conflict within the 10 second window causes both to be rejected) so that the instant transaction can propagate to more nodes, then the attacker can wait until 9.999 seconds to release his conflicting block announcement thus some of the nodes will reject both and some of the nodes will accept the instant transaction. Thus disagreement and a fork. If you don't provide any window then the attacker can release his block at same time, thus same result of ambiguity and a fork result.

This is what I was explaining to monsterer the prior day about the edge of any window/period being an attack vector if all chains aren't merged. I figured out how to solve that issue. It is fundamental and Dash is flawed.

The same issue occurs when the deterministic algorithm for selecting the quorums changes the quorum. Then there can be ambiguity (between two orphaned chains) in terms of which quorum is active for propagation. There is an inconsistency between what is happening with propagation and what is happening on the block chain. This ordering ambiguity for propagation is the reason we needed PoW in the first place, otherwise we could just use propagation and discard PoW (which is the reason that other designs such as eMunie, VanillaCoin, etc are probably flawed although I can't comment on eMunie yet because the design is still somewhat inaccessible to me).

but now it's getting above my paygrade and all I can add for now is noise so I will stop.

You can understand it. I just need to explain it better. I am quite sleepy again already so my elucidation capability is tailing off accordingly.
hero member
Activity: 966
Merit: 1003
We are talking about what sort of design should we all support that can scale up and be used by millions of users. That is our goal right?

Yes! And please don't take my "defending" of DASH as anything else than being curious of the current shortcomings as the attack vectors presented didn't seem to make sense to me but now it's getting above my paygrade and all I can add for now is noise so I will stop.

I have to understand the problem before I can appreciate the solution. So we have work to do. You to create the solution, and the laymen like me to learn to understand it.
legendary
Activity: 2968
Merit: 1198
Regarding shorting, to be able to short there needs to be actual coins on an exchange so they can be sold in the first place. Most coins are in the masternodes, a lot are in hot/cold storage controlled by random holders/users, and a tiny percentage is in the exchanges, and even tinier percentage of those are being offered for shorting. Hard to make profit shorting considering the amount of masternodes you'd have to own. Of course the possibility to do so is there, but it's not as simple as it's being made out to be.

Before reading your post, I had written in another thread:

Arguments along the lines of "if that is true, why didn't it happen yet" are refuted with:

1. Perhaps only I am the one who realized how to attack it. And I just described it today.
2. There isn't much incentive to do that attack, because (from what I've heard about most of the trading volume on altcoins being fake) there isn't any way to extract any significant value from Dash via shorting.

An illiquid coin not used as a currency with all the coins locked up as a pump and dump game for speculators is already an attack.

Point is that if you have a widely used currency, shorting will be possible.

We are talking about what sort of design should we all support that can scale up and be used by millions of users. That is our goal right?

It also isn't true that physical coins have to back a short, even on exchanges (but certainly not off exchanges or on derivative exchanges where people may simply owe coins or have negative exposure to the price of coins they don't have, by whatever mechanism).

When you lend coins on an exchange the borrower sells them to short. Now the buyer of those coins may lend them out again. Collateral margin requirements limit overall leverage but the collateral need not be in the same coin. Leverage of a particular coin is unbounded i.e. an arbitrary short interest may be rooted in a limited (much smaller) amount of physical, as long as sufficient physical exists to settle the largest individual trade.

There is no realistic possibility to enumerate potential incentives that exist outside the system.

Szabo:
Similarly, small-game/large-game problems often arise when software or security architects focus on an economics methodology, focusing on the interactions occurring within the defined architecture and failing to properly take into account (often because it is prohibitively difficult to do so) the wide variety of possible acts occurring outside the system and the resulting changes, often radical, to incentives within the system. For example, the incentive compatibility of certain interactions within an architecture can quickly disappear or reverse when opposite trades can be made outside the system (such as hedging or even more-than-offsetting a position that by itself would otherwise create a very different incentive within the system), ...

sr. member
Activity: 420
Merit: 262
Regarding shorting, to be able to short there needs to be actual coins on an exchange so they can be sold in the first place. Most coins are in the masternodes, a lot are in hot/cold storage controlled by random holders/users, and a tiny percentage is in the exchanges, and even tinier percentage of those are being offered for shorting. Hard to make profit shorting considering the amount of masternodes you'd have to own. Of course the possibility to do so is there, but it's not as simple as it's being made out to be.

Before reading your post, I had written in another thread:

Arguments along the lines of "if that is true, why didn't it happen yet" are refuted with:

1. Perhaps only I am the one who realized how to attack it. And I just described it today.
2. There isn't much incentive to do that attack, because (from what I've heard about most of the trading volume on altcoins being fake) there isn't any way to extract any significant value from Dash via shorting.

An illiquid coin not used as a currency with all the coins locked up as a pump and dump game for speculators is already an attack.

Point is that if you have a widely used currency, shorting will be possible.

We are talking about what sort of design should we all support that can scale up and be used by millions of users. That is our goal right?
hero member
Activity: 966
Merit: 1003
The attack I described for the Finney attack didn't even require conflicting InstantX announcements, rather the conflicting announcement of the transaction being spent on the block versus on the instantx permissioned masternode. Even if InstantX are prelocked to a specific masternode, it must be possible to unlock the funds back to the general UTXO otherwise that would be a risk of losing funds to a masternode that refuses to sign. So thus the Finney attack can just unlock the funds in that case to create the double-spend of the InstantX transaction (by unspending it). No matter how it is designed, it can be attacked. I don't even need to know which way it is designed. I can reason it is flawed in any way.

If the lock can't be acquired within 20 seconds iirc it will lapse. Can't find a link to back my memory though. And I don't know how and by whom it is canceled either.


Don't think only of the merchant (payee). Think of the consistency of the block chain.

It's starting to get too complex for me for now, I guess I'll need to draw a picture of a forking network to understand the implications. Thanks for being patient with me and trying to explain.
legendary
Activity: 2968
Merit: 1198
Do masternodes have a monopoly on propagation to mining nodes in Dash?

No.
sr. member
Activity: 420
Merit: 262
Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And what if the attacker releases the block within the propagation delay so that some see the block announcement before they see the lock announcement? Then there is an ambiguity. Which is correct, the InstantX announcement or the block chain announcement?

I don't know the exact details but this seems a non-issue to me. If the merchant receives the false block before he gets to know about the IX lock, his wallet will display only one standard confirmation, and he should therefore wait for more confirmations (it's displayed differently than a successful IX). But he won't get more confirmations as the network elsewhere has rejected the block and won't mine on top of it.

If most of the selected masternodes see the block solution first however, they won't sign the IX lock and the transaction falls back to standard confirmations.

This is what the IX white paper says:

"If attackers gain control of the 10 Masternodes for a given block and propagate multiple conflicting messages, the network must appropriately handle the conflict. For example, an attacker that controls a large portion of masternodes might propagate a message to Merchant B and nowhere else, while propagating messages to many other nodes spending the inputs back to himself.
In this case it is suggested that conflicting messages will cancel each other out and clients wait for normal block confirmation."

Controlling the 10 masternodes is not implausible at all (and doesn't necessarily require a "large portion" as the paper claims), since the attacker gets to choose the time of the attack, and may also be able to game the selection somehow.

In general you can't assume that everyone sees everything at the same time, or even that people know they haven't seen something they haven't seen. When there is wording like "propagate to all nodes" or "all nodes will do X" in the description, you can be sure that issues are being missed, ignored, or papered over.

Do masternodes have a monopoly on propagation to mining nodes in Dash?

I was thinking of a propagation network like Bitcoin where anyone can join if they behave. In Dash only masternodes can propagate? If yes, that seems to make the potential to attack propagation much greater.

The attack I described for the Finney attack didn't even require conflicting InstantX announcements, rather the conflicting announcement of the transaction being spent on the block versus on the instantx permissioned masternode. Even if InstantX are prelocked to a specific masternode, it must be possible to unlock the funds back to the general UTXO otherwise that would be a risk of losing funds to a masternode that refuses to sign. So thus the Finney attack can just unlock the funds in that case to create the double-spend of the InstantX transaction (by unspending it). No matter how it is designed, it can be attacked. I don't even need to know which way it is designed. I can reason it is flawed in any way.
sr. member
Activity: 420
Merit: 262
Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And what if the attacker releases the block within the propagation delay so that some see the block announcement before they see the lock announcement? Then there is an ambiguity. Which is correct, the InstantX announcement or the block chain announcement?

I don't know the exact details but this seems a non-issue to me. If the merchant receives the false block before he gets to know about the IX lock...

Don't think only of the merchant (payee). Think of the consistency of the block chain. Pay attention to the issue of forking (disagreement between mining nodes which leads to them refusing to mine each others' chains), which afaics is the main threat (other than when masternodes can lie and get away with it, which is another attack vector monsterer caused me to realize I need to explain because I did also consider that attack vector in my design).
legendary
Activity: 2968
Merit: 1198
Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And what if the attacker releases the block within the propagation delay so that some see the block announcement before they see the lock announcement? Then there is an ambiguity. Which is correct, the InstantX announcement or the block chain announcement?

I don't know the exact details but this seems a non-issue to me. If the merchant receives the false block before he gets to know about the IX lock, his wallet will display only one standard confirmation, and he should therefore wait for more confirmations (it's displayed differently than a successful IX). But he won't get more confirmations as the network elsewhere has rejected the block and won't mine on top of it.

If most of the selected masternodes see the block solution first however, they won't sign the IX lock and the transaction falls back to standard confirmations.

This is what the IX white paper says:

"If attackers gain control of the 10 Masternodes for a given block and propagate multiple conflicting messages, the network must appropriately handle the conflict. For example, an attacker that controls a large portion of masternodes might propagate a message to Merchant B and nowhere else, while propagating messages to many other nodes spending the inputs back to himself.
In this case it is suggested that conflicting messages will cancel each other out and clients wait for normal block confirmation."

Controlling the 10 masternodes is not implausible at all (and doesn't necessarily require a "large portion" as the paper claims), since the attacker gets to choose the time of the attack, and may also be able to game the selection somehow.

In general you can't assume that everyone sees everything at the same time, or even that people know they haven't seen something they haven't seen. When there is wording like "propagate to all nodes" or "all nodes will do X" in the description, you can be sure that issues are being missed, ignored, or papered over.

hero member
Activity: 966
Merit: 1003
Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And what if the attacker releases the block within the propagation delay so that some see the block announcement before they see the lock announcement? Then there is an ambiguity. Which is correct, the InstantX announcement or the block chain announcement?

I don't know the exact details but this seems a non-issue to me. If the merchant receives the false block before he gets to know about the IX lock, his wallet will display only one standard confirmation, and he should therefore wait for more confirmations (it's displayed differently than a successful IX). But he won't get more confirmations as the network elsewhere has rejected the block and won't mine on top of it.

If most of the selected masternodes see the block solution first however, they won't sign the IX lock and the transaction falls back to standard confirmations.
sr. member
Activity: 420
Merit: 262
Your degree of control is superlinear in the amount of your stake.

Very interesting - can you prove it?

It's difficult to say exactly since we can't really consider all exploit strategies nor external factors.

But taking the model of "honest" staking at face value, at 49% you can only hope to maintain control for a limited number of blocks. At 50%+, you control the chain forever. That's clearly more than 4% increase.

Again assuming an "honest" staking model you can consider stake as votes and look to voting coalition models such as Shapley–Shubik, where staking is viewed as voting between competing chains, and that is trivially superlinear in terms of voting power relative to stake share.

I was thinking of a point like that too. Proportional is clearly not correct.

+1 on the Shapley–Shubik reference.

Note that reaffirms the point that the cost is paid only once in PoS instead of unbounded, unless of course PoS devolves to PoW as you contemplate below...

Of course we know that most (all?) PoS systems allow voting on multiple chains, so this may break down. Such systems tend to devolve to PoW though, since stakers are then competing with other stakers to find the combinatorially most-favorable chain state, in which case again control is superlinear in hash power. So I think it is correct.

That is the "nothing-at-stake" issue.

Or competing on propagation and P2P Sybil attack advantages? In any case, still not proportional since distribution of wins is not likely uniform w.r.t. resources applied given that the longest (or whatever attribute) chain wins in capitulation by the lesser resources, i.e. by definition a chain is asymptotically (somewhere near majority) a winner-take-all paradigm and it is as you point out non-linear due to Shapley–Shubik.

Astute insight. Thanks. I probably would have thought of that too had I focused on it. I haven't expended much effort thinking in detail about how PoS works in its many variants.
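The Shapley–Shubik point made in the exchange above can be computed exactly for small constructed stake distributions. The following is an added example written for this page, not code from the thread or from any PoS project. It assumes a weighted-majority game in which a coalition wins with a strict majority of total stake (the 50%+ threshold discussed above); the stake vectors are constructed values chosen to show a 49% holder versus a 51% holder, and the exhaustive permutation method is only practical for a handful of stakers.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial


def is_winning(weight, total):
    """Strict majority of total stake wins (assumption: the 50%+ threshold)."""
    return 2 * weight > total


def shapley_shubik(stakes):
    """Exact Shapley–Shubik power index for a weighted-majority voting game.

    Each staker's index is the fraction of all orderings of the stakers in
    which that staker is pivotal: adding them turns the losing coalition of the
    stakers before them into a winning one. Exhaustive over permutations, so
    only meant for small constructed examples.
    """
    n = len(stakes)
    total = sum(stakes)
    pivots = [0] * n
    for order in permutations(range(n)):
        running = 0
        for idx in order:
            before = running
            running += stakes[idx]
            if not is_winning(before, total) and is_winning(running, total):
                pivots[idx] += 1
                break  # exactly one pivot per ordering
    return [Fraction(p, factorial(n)) for p in pivots]


def stake_share(stakes):
    """Each staker's proportional share of total stake."""
    total = sum(stakes)
    return [Fraction(s, total) for s in stakes]


def power_to_share(stakes):
    """Ratio of voting power to stake share; a ratio above 1 is superlinear."""
    return [p / s for p, s in zip(shapley_shubik(stakes), stake_share(stakes))]


if __name__ == "__main__":
    # Constructed stake distributions (percent of supply held by each staker).
    for stakes in ([49, 17, 17, 17], [51, 17, 16, 16], [40, 30, 20, 10]):
        print(stakes)
        rows = zip(stake_share(stakes), shapley_shubik(stakes),
                   power_to_share(stakes))
        for share, power, ratio in rows:
            print(f"  share {float(share):.3f}  power {float(power):.3f}"
                  f"  ratio {float(ratio):.2f}")
```

Moving the largest holder from 49% to 51% of stake takes its index from 1/2 to 1 (a dictator in the game-theoretic sense), which is the "clearly more than 4% increase" noted above; the three minority holders drop from 1/6 each to exactly zero. The index is a property of the honest-voting model only; it says nothing about strategies outside the game, which is the caveat the exchange itself raises.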
sr. member
Activity: 420
Merit: 262
Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And what if the attacker releases the block within the propagation delay so that some see the block announcement before they see the lock announcement? Then there is an ambiguity. Which is correct, the InstantX announcement or the block chain announcement?

Some might argue that attack seems solvable by making the delay on InstantX confirmations a sufficient number of seconds (or whatever is the maximum propagation to every PoW mining node). But the problem is that the P2P network for propagation can be Sybil attacked so some nodes could be isolated and controlled as to which announcement they receive first. So it is possible to use this as an amplification attack on PoW resources so as to effectively control much more PoW resources than you do control.

It isn't necessary to isolate propagation to a majority of nodes. The rule about propagation for InstantX is supposed to be cast in iron, meaning that any node that has seen a certain propagation order will forever ignore the chain that has decided the opposite ordering, thus you end up with massive forking. An attacker could force Dash into an unlimited number of forks and kill the coin. The only solution is my invention mentioned below. But in Dash's design that would require abandoning instant confirmations (for the reasons I explained upthread to monsterer ... or wait for the white paper for diagrams and eloquent explanation).

I am also concerned about Evolution and that the quorum must change periodically, so if on the next block the quorums are changing then an attacker can construct a spend on one chain with one quorum, and then on a hidden chain on another quorum, which is not illegal as the quorums have changed and the miners who are mining on that hidden chain are thus ignoring the announcements on the quorum which from their perspective no longer has permission to sign the transaction. The basic problem is that around the time of changing quorums, there is no objectivity as to which quorums are authorized. Thus two chains can spend twice. And so then the hidden chain is announced later and it is longer so it wins and the double spend has been achieved. Since Evolution promises these to be instant confirmations, the merchant will have long since assumed the transaction was irreversible and not have waited for 6 blocks or whatever is safe (assuming the attacker doesn't have 50% of hash power). Remember that hidden chains can be created with less than 50% of the hash rate. The basic problem is that propagation is misaligned with orphaning. There is only one way to solve this fundamental issue about ambiguity and that is my invention I published in 2014 to defeat selfish mining by including all the chains, but you can't do that in Dash's design for the reasons I explained to monsterer.

Dash has more attack holes than Swiss cheese. And I will be explaining more of them which monsterer inspired me to realize. I use that euphemism because I want to spank speculators who think they know what they know. They don't. These technologies are much too complex for speculators to have any reliable clue about what is what. Illodin you are reasonably informed being a programmer yourself, but still you will miss some of the finer details because this stuff is not easy. It requires a lot of experience and thought to master. I even messed up on these at times. It is quite complex.
hero member
Activity: 966
Merit: 1003
Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And yes you're thinking more broadly than just double spends, I will await further attack vectors.
sr. member
Activity: 420
Merit: 262
TPTB, satoshi's system is permissionless period, for two reasons, one being that control of <50% (or maybe some lower threshold with later analysis) is an axiom. The second being that permission isn't necessary to break someone's 50% monopoly (unless the monopoly controls 50% of the energy in the universe or something), similar to the above argument.

This may seem useless in the real world, but that's a different question from the mathematical properties of the system itself. We start with a clear description of the mathematical properties and then apply to the real world. In the process of doing the latter various additional assumptions are inevitably made.

That is not a definition of permissionless that applies to me when I am trying to get my transaction on a block chain that is controlled by 50% of the miners who are beholden to the State which has regulated that I must put KYC on my transaction and I refuse to. Or which has banned me from transacting because I refuse to sign the document that says Man-made Global Warming is not a hoax (the status of which is stored in a database for my national id in the coming 1984). Or because I refused to show up for Putin's military parade last Sunday and the State's computer has decided to spank me. Or because Trump has banned Muslims from transacting and due to some glitch my national id confirms that I am Muslim who was born in Islamabad.

You have moved the goalposts (constructed a strawman) based on moving the definition of permissionless. I don't find your variant of the definition of permissionless very relevant or useful in the threat scenario of a 50% attack. Because precisely that scenario is an asymmetry between the power of the individual and power of the collective (50% being the collective, e.g. one scenario is the masses being complacent against blacklisting which Satoshi's protocol doesn't prevent). Decentralization and end-to-end principle of networks is precisely removing the power of the collective (infrastructure) to dictate to the individual.

So sorry I must disagree even though you made a mathematical point worth reading and factoring into thoughts.

I've not moved the goalposts. The goalposts say very clearly that if one entity controls 50% then the system has largely failed (at least temporarily I suppose). I didn't say that, satoshi did. The premise in his design (whitepaper) is that it is not 50% controlled.

If you think that premise of satoshi's design is implausible, fair enough, but now you have deviated off into assumptions about world view, not the design or functioning of the system itself.

Those are his words: "As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network ..."

If they are, then all (or at least most) bets are off.

Yes I claim Satoshi pitted the collective against the individual whether he realized it or not. And I aim to correct that flaw in his design, because the correct idealism is about liberating the individual not subjecting us to the will of the majority (which turns out to be the complacency and natural corruption of the masses who are the majority).

I am challenging the fundamentals that Satoshi set up. I don't know if "Satoshi" intended that evil or just couldn't figure out how to improve the design.

I would trust "Satoshi" more had he admitted that issue instead of just claiming 50% is the barrier of correct functionality. In effect he pitted the individual against the collective as the long-term outcome. I doubt very much the group that was "Satoshi" didn't know that. This was a clever plot foisted on us. I am not undiscerning enough to be fooled.

Hiding the evil in the feigned idealism of "a better gold that has 21 million supply forever". Not to mention that means the supply will collapse to 0 over time.

Satoshi was a clever marketer. That faux idealism of a better gold was put there very intentionally to blind men to the truth by their greed and love of stacking.

Lots of gullible geeks fell for it "hook, line, and sinker". Not me (links to the essay I wrote in 2013, Bitcoin : The Digital Kill Switch).
legendary
Activity: 2968
Merit: 1198
TPTB, satoshi's system is permissionless period, for two reasons, one being that control of <50% (or maybe some lower threshold with later analysis) is an axiom. The second being that permission isn't necessary to break someone's 50% monopoly (unless the monopoly controls 50% of the energy in the universe or something), similar to the above argument.

This may seem useless in the real world, but that's a different question from the mathematical properties of the system itself. We start with a clear description of the mathematical properties and then apply to the real world. In the process of doing the latter various additional assumptions are inevitably made.

That is not a definition of permissionless that applies to me when I am trying to get my transaction on a block chain that is controlled by 50% of the miners who are beholden to the State which has regulated that I must put KYC on my transaction and I refuse to. Or which has banned me from transacting because I refuse to sign the document that says Man-made Global Warming is not a hoax (the status of which is stored in a database for my national id in the coming 1984). Or because I refused to show up for Putin's military parade last Sunday and the State's computer has decided to spank me. Or because Trump has banned Muslims from transacting and due to some glitch my national id confirms that I am Muslim who was born in Islamabad.

You have moved the goalposts (constructed a strawman) based on moving the definition of permissionless. I don't find your variant of the definition of permissionless very relevant or useful in the threat scenario of a 50% attack. Because precisely that scenario is an asymmetry between the power of the individual and power of the collective (50% being the collective, e.g. one scenario is the masses being complacent against blacklisting which Satoshi's protocol doesn't prevent). Decentralization and end-to-end principle of networks is precisely removing the power of the collective (infrastructure) to dictate to the individual.

So sorry I must disagree even though you made a mathematical point worth reading and factoring into thoughts.

I've not moved the goalposts. The goalposts say very clearly that if one entity controls 50% then the system has largely failed (at least temporarily I suppose). I didn't say that, satoshi did. The premise in his design (whitepaper) is that it is not 50% controlled.

If you think that premise of satoshi's design is implausible, fair enough, but now you have deviated off into assumptions about world view, not the design or functioning of the system itself.

Those are his words: "As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network ..."

If they are, then all (or at least most) bets are off.
sr. member
Activity: 420
Merit: 262
TPTB, satoshi's system is permissionless period, for two reasons, one being that control of <50% (or maybe some lower threshold with later analysis) is an axiom. The second being that permission isn't necessary to break someone's 50% monopoly (unless the monopoly controls 50% of the energy in the universe or something), similar to the above argument.

This may seem useless in the real world, but that's a different question from the mathematical properties of the system itself. We start with a clear description of the mathematical properties and then apply to the real world. In the process of doing the latter various additional assumptions are inevitably made.

That is not a definition of permissionless that applies to me when I am trying to get my transaction on a block chain that is controlled by 50% of the miners who are beholden to the State which has regulated that I must put KYC on my transaction and I refuse to. Or which has banned me from transacting because I refuse to sign the document that says Man-made Global Warming is not a hoax (the status of which is stored in a database for my national id in the coming 1984). Or because I refused to show up for Putin's military parade last Sunday and the State's computer has decided to spank me. Or because Trump has banned Muslims from transacting and due to some glitch my national id confirms that I am Muslim who was born in Islamabad.

You have moved the goalposts (constructed a strawman) based on moving the definition of permissionless. I don't find your variant of the definition of permissionless very relevant or useful in the threat scenario of a 50% attack. Because precisely that scenario is an asymmetry between the power of the individual and power of the collective (50% being the collective, e.g. one scenario is the masses being complacent against blacklisting which Satoshi's protocol doesn't prevent). Decentralization and end-to-end principle of networks is precisely removing the power of the collective (infrastructure) to dictate to the individual.

So sorry I must disagree even though you made a mathematical point worth reading and factoring into thoughts.
legendary
Activity: 2968
Merit: 1198
Your degree of control is superlinear in the amount of your stake.

Very interesting - can you prove it?

It's difficult to say exactly since we can't really consider all exploit strategies nor external factors.

But taking the model of "honest" staking at face value, at 49% you can only hope to maintain control for a limited number of blocks. At 50%+, you control the chain forever. That's clearly more than 4% increase.

Again assuming an "honest" staking model you can consider stake as votes and look to voting coalition models such as Shapley–Shubik, where staking is viewed as voting between competing chains, and that is trivially superlinear in terms of voting power relative to stake share.

Of course we know that most (all?) PoS systems allow voting on multiple chains, so this may break down. Such systems tend to devolve to PoW though, since stakers are then competing with other stakers to find the combinatorially most-favorable chain state, in which case again control is superlinear in hash power. So I think it is correct.
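The Shapley–Shubik index referred to in the post above, worked out exactly for a stake-weighted vote between competing chains (added example, not from the thread or any PoS project; stake distributions are constructed). A coalition wins when its stake strictly exceeds half the total, and a staker's power is the fraction of orderings in which adding their stake is what tips the coalition over that line.

```python
from fractions import Fraction
from itertools import combinations
from math import factorial

def shapley_shubik(stakes, quota=None):
    """Exact Shapley-Shubik power index of a weighted majority game.

    stakes: dict name -> stake weight.  A coalition wins when its total
    stake is strictly greater than `quota` (default: half the total stake,
    i.e. a plain >50% majority).  Returns Fractions summing to 1.
    Enumerates subsets, so it is meant for a dozen or so voters.
    """
    names = list(stakes)
    n = len(names)
    total = sum(stakes.values())
    if quota is None:
        quota = Fraction(total, 2)

    def wins(coalition):
        return sum(stakes[m] for m in coalition) > quota

    index = {}
    for voter in names:
        others = [m for m in names if m != voter]
        power = Fraction(0)
        for k in range(n):
            for coalition in combinations(others, k):
                # voter is pivotal when the coalition loses without them and wins with them
                if not wins(coalition) and wins(coalition + (voter,)):
                    power += Fraction(factorial(k) * factorial(n - k - 1), factorial(n))
        index[voter] = power
    return index

def power_vs_share(stakes, quota=None):
    """Pair each voter's stake share with their voting power for comparison."""
    total = sum(stakes.values())
    index = shapley_shubik(stakes, quota)
    return {m: (Fraction(stakes[m], total), index[m]) for m in stakes}

if __name__ == "__main__":
    # Constructed distribution: one 45% holder and eleven 5% holders.
    whale_and_smalls = {"whale": 45, **{f"s{i}": 5 for i in range(11)}}
    for name, (share, power) in power_vs_share(whale_and_smalls).items():
        print(f"{name:6} share={float(share):.3f}  power={float(power):.3f}")
    # Constructed: 49% vs 51% holder in a three-voter game.
    print(shapley_shubik({"whale": 49, "a": 26, "b": 25}))
    print(shapley_shubik({"whale": 51, "a": 25, "b": 24}))
```

With these inputs the 45% holder carries three quarters of the voting power while each 5% holder carries about 2.3%; a 49% holder in the three-voter game has the same power as a 26% holder, and a 51% holder has all of it.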
legendary
Activity: 1008
Merit: 1007
Your degree of control is superlinear in the amount of your stake.

Very interesting - can you prove it?
legendary
Activity: 2968
Merit: 1198
In PoW, there is an unbounded cost to preventing anyone else from winning a block announcement forever. In PoS, there is a bounded cost. The shape of the curve that monsterer mentions never levels off asymptotically.

And that is why PoS can't be asymptotically permissionless, but in theory PoW can be.

That's actually quite an elegant description. It says that if I own all the stake in a POS coin, I control it forever, no one else can mine a block for the rest of its existence. In POW you can't own all the hashes in the world forever (unless you have infinite electricity) because every hash has a cost, so your monopoly is only temporary.

People will argue that owning all the stake in the world is unrealistic, but in actual fact your level of control is directly proportional to your stake, so you can start causing problems much sooner and potentially cost free if you are shorting the coin.

Your degree of control is superlinear in the amount of your stake.

TPTB, satoshi's system is permissionless period, for two reasons, one being that control of <50% (or maybe some lower threshold with later analysis) is an axiom. The second being that permission isn't necessary to break someone's 50% monopoly (unless the monopoly controls 50% of the energy in the universe or something), similar to the above argument.

This may seem useless in the real world, but that's a different question from the mathematical properties of the system itself. We start with a clear description of the mathematical properties and then apply to the real world. In the process of doing the latter various additional assumptions are inevitably made.