Topic: Pools With a Significant Hashrate: A Realistic Double Spend Attack Taking 2 Hr - page 3. (Read 11743 times)

You don't have to maintain the forgery sequentially.

You misunderstand the math that explains why this specific number of confirmations was chosen by some exchanges/merchants.

Read the original Bitcoin whitepaper http://bitcoin.org/bitcoin.pdf (section 11). If an attacker possesses 10% of the global hashrate (q = 0.1), in order to reduce the probability of a double spend to less than 0.1%, you should wait for 6 confirmation, ie. force the attacker to fork the chains from 5 blocks behind, that's the z=5 quoted in this section. These are the design parameters that the 6 confirmations are supposed to protect against.

If an attacker has 50% of the hashrate (q = 0.5), then the math is completely off. No amount of confirmations is going to protect you against that.

As a side node, I think there is an approximation error, or rounding error when running the sample code with q = 0.5, because it shows the attacker would have a 100% success rate (it should be 50%).

In that case:

I don't think that you have 2 hours before anybody notices. The blocks will be generated at half the speed after you split off. And the miners themselves will see that their blocks are not in the legit chain.

You have to make sure that the miners know the illegitimate blockchain only, that's way harder than getting 50 % of mining power. This is the internet. Everybody connects to anybody.

But even if it worked, it looks like way too costly for the risk. Besides the risk of detection there is the thing that MtGox will know that your address with the 10k BTC has reverted a transaction. They won't take any more coins associated with that address.

Be creative: you could double your gains by robbing the pool and performing a double spend on this money!

No. The probability of outpacing the legitimate chain after N blocks, no matter what N is, is always 50%.

Think about it. You don't need to outpace every single block. Only the last one matters.

No. The probability of outpacing the legitimate chain with exactly 50% of the hashrate is 50%.

What is worse is the pool within the pool things going on.  I think people will see there is no benefit for themselves to keep mining in a pool overall.  I mean, I can only understand if you think in short term goals with Bitcoin, and especially if you don't give a crap about the other benefits of this specific digital currency.

I agree with you on many points, but I can't stop using a pool. Statistically, I'm never going to hit a block (assuming continued 30% difficulty increases). A pool is the only way I get paid. As difficulty continues to increase, this will be true for more and more people.

The solution is: fix the way pools work so that this attack doesn't exist. People are working on that.

See this thread for more info:

http://forum.bitcoin.org/index.php?topic=9137.0;topicseen

Look guys, you are thinking about this all wrong.  Security is about how to protect yourself.  The best way to protect yourself is to find that part of your protection that is most at risk and fix it.  

Arguments such as "why would anyone want to break bitcoin", or "you still only have 50/50 chance of double spending" are meaningless in this debate.  These are not factors to what your weakest vector of attack is.  

This is only a simple example, but what if a state actor wished to see the devaluation of bitcoin?  What would they do?  The easiest thing I can think of is a rubber hose attack against the operators of the top n pools.  Now with control of 75% or more of the hash rate the design of bitcoin IS COMPROMISED.  Creative people *will* figure out what the best way to take advantage of that compromise is.  Double spend, ruin the credibility of bitcoin, buy WMD, whatever is the most value to that actor.  Never argue "why would...", "how" is the only argument and if there is a how you ARE vulnerable in that direction.

POOLS ARE BAD!  They make a system that has demonstrable cryptographic security into a "I don't think that guy is cheating, why would he" security.  FAIL!

STOP USING POOLS, or use one of the systems that make pools safe.  If you argue that pools are safe then you are uninformed, or an NSA/CIA/North Korean/Al Qaeda/mobster shill.

If you truly want bitcoin to succeed, then this is a fundamental issue that should be addressed. Risk factors of bitcoin should be evaluated analytically and solved, not justified.

Yes, but the evil pool would not release the "bad" block chain until the first spend already had 6 confirmations, got sold, and sent to dwolla. Then the new block chain would roll it all back.

Yes, but deepbit mines about 3,600 a day total, all of which has to be available if his users withdraw. I bet at least some uses don't withdraw everyday (although I do). It could easily have 5,000 in it.

I wonder what exchange would allow for such a mass transaction of funds to cash if it were sourced from this way, it would cause the exchanges to no longer exist, I don't think there would be a person to give the cash over for this Bitcoin.  Whoever controlled it would have to make sure it has value.

It is still a double spend, and it is even more obvious if you spend on the main chain first and then try to reverse it.  Check your debug log.  The node already flags chain reversions and double spends.  Sites that wait for multiple confirmations can (should) be watching.

Correct. The 500 BTC txfer to the exchange would need to be in the "legit" chain. I fixed my original post.

Yes, you are correct. My mistake. Thank you for pointing out that misconception.

You can never move backwards through the chain.  The best you can do is pick a spot in the past and try to catch up.

He has the order backwards, but it could still be done. You would spend on the "legit" original chain, and create a longer chain without that spend, then everyone works on that. It is two hours because that is how long it would take half the network to make six blocks, that is how long the attack would take, done correctly.

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.

The block data is actually pre-hashed when given to miners in a pool. We have no idea what we are working on. This is the main problem, and various solution have been floated / are being worked on.

You could check your successful blocks, but I don't think many people do. I don't even know of any mining programs that inform you.

Yes you have a point. You are correct. A double spend attack could be done quickly. Quickly enough that no one would notice. But honestly, I don't think a double spent is that big a deal, and it can happen below 50%, there is no magic number there. Other people pointed out that at > 50% you can begin moving backward through the whole block chain with statistical confidence. That is true, and a more dire attack. But a pool wouldn't be able to pull that off because people would leave the poll in a day or two, and you wouldn't be able to get that far back in that time since you also have to keep up with the rest of the network while moving backward.