
Topic: Reminder: zero-conf is not safe; $1000USD reward posted for replace-by-fee patch - page 2. (Read 18299 times)

legendary
Activity: 1708
Merit: 1020
Last time I checked, the top 3 pools and the top 4 Chinese pools had ~55% of the total hashpower.  The top 5 pools (the Chinese one plus the Ukrainian BitFury) had over 70%.

Objectively, bitcoin failed.  Users and holders must trust that those top 5 miners will not do anything nasty.  If they conspired to put all other miners out of business, they could do it.  If they agreed to block an account forever, they could do it.
It seems you are mixing miners and pools? Pools have only short term power because miners will leave fishy pools. RBF in F2Pool was a good example for that.

Quote
Satoshi was quite upset when someone published the first GPU mining program
Do you have a link? I'm honestly interested.

Quote
Obviously this snowball rolling cannot go on forever, and it can only end in tears.
As it did with gold?

hero member
Activity: 910
Merit: 1003
I think that it is very likely that, sooner or later, the miners will use their power to force changes to the protocol. 

Since we are predicting the future, I'm going to run with this...

...And some users won't agree with those changes. And those users will want to make transactions on the original Bitcoin block chain. And they will pay handsomely to do so. And some miners will want to earn those transaction fees so they will mine on the "old" chain. And we will have a fork. And we will have two functioning yet distinct block chains. And everyone who controlled private keys before the fork will have coins on both chains. And some exchanges will see an opportunity to gather fees on the exchange of fork coins and original bitcoins. And ultimately, the chains will survive depending on whether or not people value the properties of the protocols which produce those chains.

Personally, I can't wait to see it all unfold, and I really, really want to trade some fork coins for original bitcoins.

Well, forking bitcoin would be a simple and natural solution to the scaling problem. 

However, the changes that the cartel may want to make will be such that they increase their revenue, or bring some other benefit.  In that case, the compensation that the orthodox users would be willing to pay may not be enough for the cartel to tolerate the old branch.

For example, suppose that the cartel wants to postpone the next halving for 2 years.  They could let the old chain prosper, and put some of their miners to work on it.  However, in my math, that would give them tens of millions of dollars less revenue than if they kill the old chain immediately at the fork, and put all miners to work on the new one.
hero member
Activity: 910
Merit: 1003
You keep using the word "could" as if it implies 'likely' or 'easily and without consequences.'

I think that it is very likely that, sooner or later, the miners will use their power to force changes to the protocol. 

It will not be totally trivial, but it will be much easier and quicker than the BIP66 or BIP100/BIP101 changes.  There would be no lengthy discussion on forums, blockchain voting, etc.  The cartel will just announce their decision to change the protocol with a couple of months in advance, with a suitable "for the good of bitcoin" spin.  They will put up the modified programs for download, that trigger a hard fork at a specified block number.  They will warn everybody that those who fail to upgrade before the deadline will be unable to use their coins until they do.

Knowing that the cartel means what it says, most clients, nodes, services, and non-cartel miners will upgrade before the fork, and will sail smoothly through it.   The cartel will use their hashpower to kill the old branch, if some recalcitrant miners will insist on mining it; then any clients still running the old version will be unable to move their coins.  Those laggards will either upgrade (and find their coins still where they left them) or lose their coins.  And that will be it.

Quote
bitcoin is working perfectly.  I can easily and securely and almost instantly transfer value equivalent to millions of dollars to anyone anywhere, all for about the price of a 1st class postage stamp.

Indeed, I am convinced that most bitcoiners will not care about a protocol change imposed by a mining cartel, if it does not affect them directly.  In fact they will support the cartel and pretend that they approve the change, to preserve the value of their coin.  I am pretty certain that you will be among them.  If you don't have a problem with 5 pools having 70% of the power, or with the 5$ cost of your transaction being subsidized by investors, or with the growing pyramid of "debt" -- then you surely will not have a problem with a mere postponement of the next halving, or with the extinction of independent relay nodes, for example.
legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
Last time I checked, the top 3 pools and the top 4 Chinese pools had ~55% of the total hashpower.  The top 5 pools (the Chinese one plus the Ukrainian BitFury) had over 70%.

Objectively, bitcoin failed.  Users and holders must trust that those top 5 miners will not do anything nasty.  If they conspired to put all other miners out of business, they could do it.  If they agreed to block an account forever, they could do it.  If they agreed to make some change to the protocol, they could easily force everybody to accept it.



You keep using the word "could" as if it implies 'likely' or 'easily and without consequences.'

The sun "could" suddenly/irrationally/maliciously explode and destroy all copies of the blockchain: ZOMG BITCOIN HAS OBJECTIVELY FAILED!!1!

Bitcoin, unlike Petrobras or UA or the NY/Shenzhen/Greek stock exchanges, is working perfectly.  I can easily and securely and almost instantly transfer value equivalent to millions of dollars to anyone anywhere, all for about the price of a 1st class postage stamp.

Sure, I don't have metaphysical certainty that nothing "could" possibly go wrong, but then again I'm not an obsessed try-hard buttcoiner either.
hero member
Activity: 910
Merit: 1003
It's an illusion to believe Bitcoin is a completely trustless system. We need a majority of miners to act responsibly. This has shown in the 2013 database fork and recently with the lazy block validating.

There is no problem trusting the miners - only with pools controlling too much mining power.

Last time I checked, the top 3 pools and the top 4 Chinese pools had ~55% of the total hashpower.  The top 5 pools (the Chinese one plus the Ukrainian BitFury) had over 70%.

Objectively, bitcoin failed.  Users and holders must trust that those top 5 miners will not do anything nasty.  If they conspired to put all other miners out of business, they could do it.  If they agreed to block an account forever, they could do it.  If they agreed to make some change to the protocol, they could easily force everybody to accept it.  There would be much cursing and gnawing of teeth, but the only choices for all users and holders would be to either accept the change, or lose their coins.  Since the whole point of bitcoin was to eliminate the need to trust an intermediary, the system has become pointless.

It is often stated that miners don't have that power, and it is the "economic majority" that matters; or that they will never want to do it because "it would destroy the value of their investment".  That is bullshit, it is the fairy tale that has been spun to hide a problem that has no solution.  Indeed, if the miners do force a change in the protocol, those same people will spin the tale that it was no big deal, that the change was in fact approved by the majority, that it is in fact "good for bitcoin" etc. -- because, like now, the value of their investment will depend on preserving the public image of security and stability.

By the way, we know that the Chinese miners can get together and agree to a common policy, with a document signed and stamped with red stars.

This is not the way that bitcoin was supposed to be.  Implicit in the original design was the assumption that, while full relaying nodes might end up restricted to businesses that could afford to run a server 24/7,  mining would be done by ordinary clients, as an alternative to buying coins.  As long as that was the case, having the integrity of the system depend on a mining majority would actually ensure the independence and security of the system.

Satoshi was quite upset when someone published the first GPU mining program, because such greedy miners would invalidate mining by ordinary clients.  That problem unfortunately got worse and worse, ending with the current situation -- where the network is just one small step away from being run and controlled by a closed consortium of private miners.

The immediate cause of the problem was the disparity between the fixed block reward (currently 25 BTC/bk) and the market price of the coin (currently 270 USD/BTC).  That combination made mining into a business with an extremely large revenue stream, now still ~1 million USD/day.  By comparison, BitPay, the largest bitcoin payment processor in 2014, processed less than 0.5 million USD/day during that year -- including payments related to mining (i.e., internal to the bitcoin system as a whole) and purchase of precious metals (which was basically investors switching from bitcoin to another investment asset).  Even assuming that BitPay processed only a fraction of all the e-payments using bitcoin, the cost of maintaining the network (including or excluding the miner's profit) is totally out of proportion to the actual use of bitcoin as a currency -- the purpose for which it was designed and implemented.

The high price of bitcoin, in turn, resulted from speculative investment, fueled by expectations of extremely high value in some vague future, based in turn on its alleged scarcity, "deflationary" character, and dreams of it capturing a significant slice of the credit card market.  While the future may still bring surprises, those claims have been largely debunked since the crash of the 2013 bubble.

Another consequence of this overvaluation of the coin is that the huge cost of mining is not borne by the users of the coin, or by its current investors, but by the new investors who are buying the coin today.  Theirs is the only money flowing into the bitcoin system: that money flows out of the system as miners' revenue (1 million USD/day), the payoff of the early investors who are reducing their holdings (an unknown amount) and part of the fees of bitcoin exchanges, payment processors, and other bitcoin services (also an unknown amount, but probably much less than 1 million USD/day).

Because of this unhealthy economic structure, the bitcoin system is creating an increasing mountain of "moral debt": the money that people have invested in bitcoins, and expect to get back with at least some profit.  Of course, there is no entity guaranteeing to pay this debt.  It is not possible to compute this "Bitcoin National Debt" (BND), because there is no way to know the price that each bitcoin holder paid for his coins; but we can tell that it is somewhere between 400 million and 17 billion USD.  The only way the current holders can recover their investment is by selling their coins to new investors; but that will only increase the BND...  Obviously this snowball rolling cannot go on forever, and it can only end in tears.
legendary
Activity: 1708
Merit: 1020
Quote
Peter Todd Fri, 19 Jun 2015

Yesterday F2Pool, currently the largest pool with 21% of the hashing
power, enabled full replace-by-fee (RBF) support after discussions with
me. This means that transactions that F2Pool has will be replaced if a
conflicting transaction pays a higher fee. There are no requirements for
the replacement transaction to pay addresses that were paid by the
previous transaction.
Haha, that went well.


It's an illusion to believe Bitcoin is a completely trustless system. We need a majority of miners to act responsibly. This has shown in the 2013 database fork and recently with the lazy block validating.

There is no problem trusting the miners - only with pools controlling too much mining power.

IMHO something like a mining codex will be established sooner or later.
legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
Reality check - when I look around at the complaints people have about Bitcoin, merchants constantly being double spent doesn't come up. It isn't "snake oil" to point this out and you should give the people actually using Bitcoin more credit - they know how to avoid losses.

Your double-spending wallet edition is just theoretical - you have to find miners that will take your double spends, and then you have to find users who are willing to accept that most often their attempts to double spend will fail because the bad miners won't find the next block. And then people who use it will discover that if they aren't perfectly anonymous then they will get taken to court for wire fraud, and most likely they will lose.

So there are lots of reasons why people might not do this. And that may explain why this topic is so old and stale. It was being brought up back in 2010 and here we are, years later, people still arguing about this topic and yet there are many more thousands of merchants still accepting these transactions and not losing money.

I remember another topic that used to create endless raging arguments, the 10 minute block interval. Eventually that was solved by Charlie creating Litecoin and now people who hate the 10 minute wait can just go use that instead of creating endless forum threads. I think it's a good way to resolve such disputes - go set up an alt coin that works the way you think it should and then let the market figure it out. Or maybe the Litecoin guys would be willing to incorporate such a change.

Update: [email protected]'s FUD and bitchcraft has failed; RBF isn't old and stale any more.

Quote
Peter Todd Fri, 19 Jun 2015

Yesterday F2Pool, currently the largest pool with 21% of the hashing
power, enabled full replace-by-fee (RBF) support after discussions with
me. This means that transactions that F2Pool has will be replaced if a
conflicting transaction pays a higher fee. There are no requirements for
the replacement transaction to pay addresses that were paid by the
previous transaction.


Instead of creating endless forum threads about 1MB blocks, why don't you go set up an alt coin that works the way you think it should and then let the market figure it out?
newbie
Activity: 20
Merit: 0
-1
IMHO, this breaks far more than it fixes.
legendary
Activity: 1204
Merit: 1015
The reality is that miners could already offer this 'service', but if it was 'built-in' then everyone would be able to take advantage of 'trx replacement' as a SOLUTION to fraud/theft instead of just a way to commit fraud/theft.
No. Anybody spending money that is willing to defraud the receiver of the money would be willing to spend up to all but one satoshi in fees to commit a double-spend, unless they are an uneconomic attacker. Since we're assuming the worst in this thread, we must assume this to always be the case. Therefore, the only defense to this attack is for the victim of the double-spend to re-spend the entirety of the transaction to fees, preventing the attacker from winning most of the time. Therefore, the best SOLUTION to fraud/theft is the current one, because honest nodes would ignore BOTH transactions with larger fees (the re-spend to fees on the merchant side could be a replacement of a send-to-self transaction broadcast when the initial transaction was received), meaning that attackers would almost never win (they could still win thanks to propagation delay) and merchants would not lose in proportion to how many honest nodes there are.
legendary
Activity: 1106
Merit: 1004
The only way to shutdown this 'unethical' pool / client would be for everyone to wait one confirmation *or* to know your customer.

You could also try to blacklist fraudsters' address with this technique.
Additionally, merchants willing to accept 0-conf transactions from unknown customers could also subscribe to insurance contracts that would reimburse the merchant in case of loss. To decrease the chances of fraud, these insurers could directly finance miners (send a part of their premium to "honest" miners which don't accept double-spends, at least not for insured transactions). The insurers could also make assurance contracts, but I'm not sure if you can select a minimal transaction-set you want to assure, would need to reread about it.

Considering such an attack could be setup and launched today, we are really operating under a false sense of security to accept 0 confirmation transactions from anonymous sources.

Given that this is possible today, everyone should *assume* it is going on. 

Perhaps. On the other hand... it's not really happening. There are other things at play. For significant amounts, people don't accept 0-conf from unknown customers. And for cheap transactions.. is it really worth trying to defraud the merchant? Also... most people are honest and wouldn't steal.
So, maybe it's just too early to start worrying about this.

Suppose a thief stole your bitcoins, you could have an alarm triggered the moment you saw a transaction on the network.

Yes, clients should sound alarms if they detect a double-spend attempt. Also, if eventually this "malicious pool" is created, merchants' clients should even try to subscribe to it in order to know if they are under attack. The only problem is that the pool could easily disconnect those that don't submit a minimum amount of shares.

You could then quickly issue a 'lock-down' transaction that would send the coins to a 'dispute mediation' address and include a higher fee.   Honest miners would then see the 'conflict' and prefer the transaction to the dispute mediator over the earlier transaction for 2 reasons:  1) reputation and 2) financial incentive. 

I wouldn't call that "dispute mediation" but yeah, that's a good idea. Insurers could also attempt that. (you should not expect merchants themselves to take all these measures... merchants don't want to worry with these technicalities... they have their own business to focus on)
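
The double-spend alarm discussed in this thread, sketched as an added example (it is not code from any post or from any Bitcoin client): a monitor that records which unconfirmed transaction first spent each outpoint and raises an alert when a later transaction spends the same outpoint, noting whether the watched address still gets paid. The `Tx` and `ConflictMonitor` names, the alert fields, and all transaction ids, addresses and amounts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # outpoints spent: ((prev_txid, vout), ...)
    outputs: tuple   # ((address, amount_in_satoshi), ...)
    fee: int         # satoshi


class ConflictMonitor:
    """Tracks unconfirmed transactions and reports conflicting spends."""

    def __init__(self, watched_addresses):
        self.watched = set(watched_addresses)
        self.first_spender = {}   # outpoint -> first Tx seen spending it

    def paid_to_watched(self, tx):
        return sum(amount for addr, amount in tx.outputs if addr in self.watched)

    def observe(self, tx):
        """Record tx; return one alert per earlier transaction it conflicts with."""
        alerts = {}
        for outpoint in tx.inputs:
            first = self.first_spender.setdefault(outpoint, tx)
            if first.txid == tx.txid or first.txid in alerts:
                continue  # same transaction, or this conflict is already reported
            lost = self.paid_to_watched(first) - self.paid_to_watched(tx)
            alerts[first.txid] = {
                "first_seen": first.txid,
                "conflict": tx.txid,
                "fee_increase": tx.fee - first.fee,
                "lost_to_watched": max(lost, 0),
                # Under full replace-by-fee the replacement need not pay the
                # addresses the first transaction paid, so check what remains.
                "kind": "pays_less" if lost > 0 else "pays_same_or_more",
            }
        return list(alerts.values())


MERCHANT = "merchant-addr-1"   # constructed placeholder, not a real address

# Constructed sample of unconfirmed transactions, in arrival order.
SAMPLE_MEMPOOL = [
    Tx("tx-pay", (("prev-a", 0),),
       ((MERCHANT, 100_000), ("change-1", 48_000)), 1_000),
    Tx("tx-bump", (("prev-b", 1),),
       ((MERCHANT, 50_000), ("change-2", 1_500)), 500),
    # Spends the same outpoint as tx-pay, higher fee, nothing to the merchant.
    Tx("tx-respend", (("prev-a", 0),), (("other-addr", 143_000),), 6_000),
    # Spends the same outpoint as tx-bump, higher fee, merchant output intact.
    Tx("tx-bump-2", (("prev-b", 1),), ((MERCHANT, 50_000),), 2_000),
]


def scan(transactions, watched_addresses):
    """Feed transactions to a fresh monitor and collect every alert."""
    monitor = ConflictMonitor(watched_addresses)
    alerts = []
    for tx in transactions:
        alerts.extend(monitor.observe(tx))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_MEMPOOL, [MERCHANT]):
        print(alert)
```

An alert only tells the recipient that a conflict exists; which of the two transactions ends up in a block is still decided by whichever miner finds it.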
hero member
Activity: 770
Merit: 566
fractally
So here is a business model for an unethical company:

1) Invest in a large amount of mining hardware and create a p2pool mining pool.
2) Create a bitcoin client with a checkbox for 'attempt double spend'
3) Anytime the user checks the 'attempt double spend', one trx is sent to the general network, and
    another is sent to the mining pool where the fee is 50% of the 'double spend'.
4) Anytime a double spend is 'successful' (this pool finds a block) it has a high-payout due to extra fees.

Miners who join this 'unethical' company will see more $$ than those who mine under existing pools.  Scammers of the world would have an 'easy-to-use' way to 'double-spend' some fraction of the time. 

The only way to shutdown this 'unethical' pool / client would be for everyone to wait one confirmation *or* to know your customer.

Considering such an attack could be setup and launched today, we are really operating under a false sense of security to accept 0 confirmation transactions from anonymous sources.

Given that this is possible today, everyone should *assume* it is going on.  Turning an attack into a 'feature' could have added benefits.  For example:

Suppose a thief stole your bitcoins, you could have an alarm triggered the moment you saw a transaction on the network.  You could then quickly issue a 'lock-down' transaction that would send the coins to a 'dispute mediation' address and include a higher fee.   Honest miners would then see the 'conflict' and prefer the transaction to the dispute mediator over the earlier transaction for 2 reasons:  1) reputation and 2) financial incentive. 

The reality is that miners could already offer this 'service', but if it was 'built-in' then everyone would be able to take advantage of 'trx replacement' as a SOLUTION to fraud/theft instead of just a way to commit fraud/theft.
legendary
Activity: 1120
Merit: 1152
Is it conceivable that a judge could conclude that because the miner was running this replace-by-fee code and received compensation for doing this that the miner could be liable for losses by the merchant? [Edit: or charged as an accessory to the crime of fraud even?]

Sure.  But it would be silly to do so.

The blockchain is what defines the order that transactions happen.  If a miner can be liable for replacing a transaction, why not for failing to replace it?  The network makes no promises to deliver transactions to nodes in some magically special order, except when that delivery is as a block.  What if the miner gets the replacement first?  How do you prove otherwise?

+1
kjj
legendary
Activity: 1302
Merit: 1026
Is it conceivable that a judge could conclude that because the miner was running this replace-by-fee code and received compensation for doing this that the miner could be liable for losses by the merchant? [Edit: or charged as an accessory to the crime of fraud even?]

Sure.  But it would be silly to do so.

The blockchain is what defines the order that transactions happen.  If a miner can be liable for replacing a transaction, why not for failing to replace it?  The network makes no promises to deliver transactions to nodes in some magically special order, except when that delivery is as a block.  What if the miner gets the replacement first?  How do you prove otherwise?

Judges, in general, aren't stupid, and this is simple stuff, easily explained.
legendary
Activity: 2506
Merit: 1010
Is it conceivable that a judge could conclude that because the miner was running this replace-by-fee code and received compensation for doing this that the miner could be liable for losses by the merchant? [Edit: or charged as an accessory to the crime of fraud even?]
legendary
Activity: 1232
Merit: 1094
Also, your comment about blacklisting is really not the same at all (nor feasible).  Zero-conf replacement requires only a few miners to participate for it to make zero-conf transactions pretty much useless in zero-trust transactions.  That's not the same as blacklisting, which needs 100% miner participation to work. 

No, it doesn't even require > 50%.

For example, assume 75% of the miners are profit seeking and 10% of the miners said that they won't build on blocks with any of of transactions for at least 2 blocks.

If you add a block containing one of those transactions, then there is a 10% chance that the alternative miners will get the next block.  Rational miners would then switch to that block, since if it wins, it get 100% of the hashing.  If the other block wins, it still only gets 90% of the hashing, since the "bad" transaction has to be buried two deep.

The effect is that 85% of the miners end up supporting the blacklisting.

Mine a "clean" block
- you get 100% of miners to build on yours

Mine a "tainted" block
- you get at most 90% of the miners to build on yours

If the 10% find another block
- there are 2 equal POW blocks
-- miners following the rules stay on the first block (15%)
-- taint enforcers stay on alt branch (10%)
-- rational miners switch to alt branch (75%)

If the 90% find the next block
-- all switch to that chain

So, if you mine a "bad" block, you have a 10% chance of it being matched by the taint enforcers and then an 85% chance of it then being superseded.  This gives an 8.5% chance of you losing your tx and minting rewards. 

As long as only a small number of transactions are tainted, it isn't worth including them.

The defense would be to have lots of p2p mixing operations.  If most coins are tainted, then none are.
legendary
Activity: 1652
Merit: 2301
Chief Scientist
Security in this context is being inappropriately treated like a binary concept.


+1
legendary
Activity: 1400
Merit: 1013
Security in this context is being inappropriately treated like a binary concept.

There's an entire consumer economy out there based around charge cards which, in bitcoin terms, take 90 days to confirm transactions. Trillions of dollars are being transacted out in the real world via payment methods that are no less insecure than zero-confirmation Bitcoin transactions.

Accepting zero-conf transactions is an issue of risk management and business planning, not a case of "secure" vs "insecure".
legendary
Activity: 1204
Merit: 1015
Of course not. Until bitcoins become commonplace, the most common user of zero-confirmation transactions - brick and mortar businesses - won't really exist. If this change is inevitable like you guys claim, why not wait for it to happen naturally?

False sense of security.

The point of all this is that zero-conf tx should not be used for zero-trust situations.
Why are you on the internet right now? After all, it is impossible* to get a virus if you don't have an internet connection.

*Yeah, there are other ways, but ignore that for now.

What about your money? I suspect that you have it all in gold (because USD can't be trusted) stored in a vault that you personally designed (because someone else may have put a backdoor in their design) stored under your personal supervision. After all, every action you ever take must require zero-trust, right?

Please tell me that you get where I'm going with this. This is a problem that should be solved through general education, not reducing effective security. Also, stores don't even need to ask for ID - they just need to have a camera, which is something that they should have to prevent general shoplifting anyway.

Zero-conf replacement requires only a few miners to participate for it to make zero-conf transactions pretty much useless in zero-trust transactions.

I don't think that's right - people accepting zero-confirmation transactions are already playing the odds. 1% of mining power taking the later arrival with the higher transaction fee still leaves you getting the payment 99% of the time, so in a lot of cases it would still be worth it for the extra sales.

Double-spend attackers welcome, buy 99 pizzas and get one free...
And that's worst case, when every order is made by an attacker.
sr. member
Activity: 352
Merit: 250
https://www.realitykeys.com
Zero-conf replacement requires only a few miners to participate for it to make zero-conf transactions pretty much useless in zero-trust transactions.

I don't think that's right - people accepting zero-confirmation transactions are already playing the odds. 1% of mining power taking the later arrival with the higher transaction fee still leaves you getting the payment 99% of the time, so in a lot of cases it would still be worth it for the extra sales.

Double-spend attackers welcome, buy 99 pizzas and get one free...
sr. member
Activity: 352
Merit: 250
https://www.realitykeys.com
And convincing miners to not mine the top block is going to cost you a $#!+load of money...every 10 minutes...forever.

I shouldn't need to do this forever, because, once I set up a reasonable assumption that I can keep this thing going (remember I'm the DEA, I just seized a shedload of bitcoins in a drug bust) it's in everyone's interests not to mine that block. They want to mine on top of the longest chain because everyone else wants to mine on top of the longest chain, but given purely rational economic actors who don't care about Bitcoin, that rule, like everything else, is up for sale.

Hell, I may not even need to spend any money - I just need to convince all these rational economic actors that I could and would spend that money if necessary, then it'll be in the interests of each individual miner to start following my rules, not Satoshi's.

Edit: "in the network's interests" -> "in the interests of each individual miner" to distinguish from the interests of miners in general, which are different here because it's a classic Tragedy of the Commons situation.