Topic: Reminder: zero-conf is not safe; $1000USD reward posted for replace-by-fee patch - page 2. (Read 18302 times)

It seems you are mixing miners and pools? Pools have only short term power because miners will leave fishy pools. RBF in F2Pool was a good example for that.

Do you have a link? I'm honestly interested.

As it did with gold?

Well, forking bitcoin would be a simple and natural solution to the scaling problem. 

However, the changes that the cartel may want to make will be such that they increase their revenue, or bring some other benefit.  In that case, the compensation that the orhodox users would be willing to pay may not be enough for the cartel to tolerate the old branch.

For example, suppose that the cartel wants to postpone the next halving for 2 years.  They could let the old chain prosper, and put some of their miners to work on it.  However, in my math, that would give them tens of millions of dollars less revenue that if they kill the old chain immediately at the fork, and put all miners to work on the new one.

I think that it is very likely that, sooner or later, the miners will use their power to force changes to the protocol. 

It will not be totally trivial, but it will be much easier and quicker than the BIP66 or BIP100/BIP101 changes.  There would be no lengthy discussion on forums, blockchain voting, etc.  They cartel will just announce their decision to change the protocol with a couple of months in advance, with a suitable "for the good of bitcoin" spin.  They will put up the modified programs for download, that trigger a hard fork at a specified block number.  They will warn everybody that those who fail upgrade before the deadline will be unable to use their coins until they do.

Knowing that the cartel means what it says, most clients, nodes, services, and non-cartel miners will upgrade before the fork, and will sail smoothly through it.   The cartel will use their hashpower to kill the old branch, if some recalcitrant miners will insist on mining it; then any clients still running the old version will be unable to move their coins.  Those laggards will either upgrade (and find their coins still where they left them) or lose their coins.  And that will be it.


Indeed, I am convinced that most bitcoiners will not care about a protocol change imposed by a mining cartel, if it does not affect them directly.  In fact they will support the cartel and pretend that they approve the change, to preserve the value of their coin.  I am pretty certain that you will be among them.  If you don't have a problem with 5 pools having 70% of the power, or with the 5$ cost of your transaction being subsidized by investors, or with the growing pyramid of "debt" -- then you surely will not have a problem with a mere postponement of the next halving, or with the extinction of independent relay nodes, for example.

You keep using the word "could" as if it implies 'likely' or 'easily and without consequences.'

The sun "could" suddenly/irrationally/maliciously explode and destroy all copies of the blockchain: ZOMG BITCOIN HAS OBJECTIVELY FAILED!!1!

Bitcoin, unlike Petrobras or UA or the NY/Shenzhen/Greek stock exchanges, is working perfectly.  I can easily and securely and almost instantly transfer value equivalent to millions of dollars to anyone anywhere, all for about the price of a 1st class postage stamp.

Sure, I don't have metaphysical certainty that nothing "could" possibly go wrong, but then again I'm not an obsessed try-hard buttcoiner either.   

Last time I checked, the top 3 pools and the top 4 Chinese pools had ~55% of the total hashpower.  The top 5 pools (the Chinese one plus the Ukranian BitFury) had over 70%.

Objectively, bitcoin failed.  Users and holders must trust that those top 5 miners will not do anything nasty.  If they conspired to put all other miners out of business, they could do it.  If they agreed to block an account forever, they could do it.  If they agreed to make some change to the protocol, they could easily force everybody do accept it.  There would be much cursing ang grawing of teeth, but the only choices for all users and holders would be to either accept the change, of lose their coins.  Since the whole point of bitcoin was to eliminate the need to trust an intermediary, the system has become pointless.

It is often stated that miners don't have that power, and it is the "economic majority" that matters; or that they will never want to do it because "it would destroy the value of their investment".  That is bullshit, it is the fairy tale that has been spun to hide a problem that has no solution.  Indeed, if the miners do force a change in the protocol, those same people will spin the tale that it was no big deal, that the change was in fact approved by the majority, that it is in fact "good for bitcoin" etc. -- because, like now, the value of their investment will depend on preserving the public image of security and stability.

By the way, we know that the Chinese miners can get together and agree to a common policy, with a document signed and stamped with red stars.

This is not the way that bitcoin was supposed to be.  Implicit in the original design was the assumption that, while full relaying nodes might end up restricted to businesses that could afford to run a server 24/7,  mining would be done by ordinary clients, as an alternative to buying coins.  As long as that was the case, having the integrity of the system depend on a mining majority would actually ensure the independence and security of the system.

Satoshi was quite upset when someone published the first GPU mining program, because such greedy miners would invalidate mining by ordinary clients.  That problem unfortunately got worse and worse, ending with the current situation -- where the network is just one small step away from being run and controlled by a closed consortium of private miners.

The immediate cause of the problem was the disparity between the fixed block reward (currently 25 BTC/bk) and the market price of the coin (currently 270 USD/BTC).  That combination made mining into a business with an extremely large revenue stream, now still ~1 million USD/day  By comparison, BitPay, the largest bitcoin payment processor in 2014, processed less than 0.5 million USD/day during that year -- including payments related to mining (i.e., internal to the bitcoin system as a whole) and purchase of precious metals (which was basically investors switching from bitcoin to another investment asset).  Even assuming that BitPay processed only a fraction of all the e-payments using bitcoin, the cost of maintaining the network (including or excluding the miner's profit) is totally out of proportion to the actual use of bitcoin as a currency -- the purpose for which it was designed and implemented.

The high price of bitcoin, in turn, resulted from speculative investment, fueled by expectations of extremely high value in some vague future, based in turn on its alleged scarcity, "deflationary" character, and dreams of it capturing a significant slice of the credit card market.  While the future may still bring surprises, those claims have been largely debunked since the crash of the 2013 bubble.

Another consequence of this overvaluation of the coin is that the huge cost of mining is not borne by the users of the coin, or by its current investors, but by the new investors who are buying the coin today.  Theirs is the only money flowing into the bitcoin system: that money flows out of the system as miners' revenue (1 million USD/day), the payoff of the early investors who are reducing their holdings (an unknown amount) and part of the fees of bitcoin exchanges, payment processors, and other bitcoin services (also an unknown amount, but probably much less than 1 million USD/day).

Because of this unhealthy economic structure, the bitcoin system is creating an increasing mountain of "moral debt": the money that people have invested in bitcoins, and expect to get back with at least some profit.  Of course, there is no entity guaranteeing to pay this debt.  It is not possible to compute this "Bitcoin National Debt" (BND), because there is no way to know the price that each bitcoin holder paid for his coins; but we can tell that it is somewhere between 400 million and 17 billion USD.  The only way the current holders can recover their investment is by selling their coins to new investors; but that will only increase the BND...  Obviously this snowball rolling cannot go on forever, and it can only end in tears.

Haha, that went well.


It's an illusion to believe Bitcoin is a completely trust less system. We need a majority of miners to act responsibly. This has shown in the 2013 database fork and recently with the lazy block validating.

There is no problem trusting the miners - only with pools controlling too much mining power.

IMHO something like a mining codex will be established sooner or later.

Update: [email protected]'s FUD and bitchcraft has failed; RBF isn't old and stale any more.



Instead of creating endless forum threads about 1MB blocks, why don't you go set up an alt coin that works the way you think it should and then let the market figure it out?

-1
IMHO, this breaks far more than it fixes.

No. Anybody spending money that is willing to defraud the receiver of the money would be willing to spend up to all but one satoshi in fees to commit a double-spend, unless they are an uneconomic attacker. Since we're assuming the worst in this thread, we must assume this to always be the case. Therefore, the only defense to this attack is for the victim of the double-spend to re-spend the entirety of the transaction to fees, preventing the attacker from winning most of the time. Therefore, the best SOLUTION to fraud/theft is the current one, because honest nodes would ignore BOTH transactions with larger fees (the re-spend to fees on the merchant side could be a replacement of a send-to-self transaction broadcast when the initial transaction was received), meaning that attackers would almost never win (they could still win thanks to propagation delay) and merchants would not lose in proportion to how many honest nodes there are.

You could also try to blacklist fraudsters' address with this technique.
Additionally, merchants willing to accept 0-conf transactions from unknown customers could also subscribe to insurance contracts that would reimburse the merchant in case of loss. To decrease the chances of fraud, these insurers could directly finance miners (send a part of their premium to "honest" miners which don't accept double-spends, at least not for insured transactions). The insurers could also make assurance contracts, but I'm not sure if you can select a minimal transaction-set you want to assure, would need to reread about it.


Perhaps. On the other hand... it's not really happening. There are other things at play. For significant amounts, people don't accept 0-conf from unknown customers. And for cheap transactions.. is it really worth trying to defraud the merchant? Also... most people are honest and wouldn't steal.
So, maybe it's just too early to start worrying about this.


Yes, clients should sound alarms if they detect a double-spend attempt. Also, if eventually this "malicious pool" is created, merchants' clients should even try to subscribe to it in order to known if they are under attack. The only problem is that the pool could easily disconnect those that don't submit a minimum amount of shares.


I wouldn't call that "dispute mediation" but yeah, that's a good idea. Insurers could also attempt that. (you should not expect merchants themselves to take all these measures... merchants don't want to worry with these technicalities... they have their own business to focus on)

So here is a business model for an unethical company:

1) Invest in a large amount of mining hardware and create a p2pool mining pool.
2) Create a bitcoin client with a checkbox for 'attempt double spend'
3) Anytime the user checks the 'attempt double spend', one trx is sent to the general network, and
    another is sent to the mining pool where the fee is 50% of the 'double spend'.
4) Anytime a double spend is 'successful' (this pool finds a block) it has a high-payout due to extra fees.

Miners who join this 'unethical' company will see more $$ than those who mine under existing pools.  Scammers of the world would have an 'easy-to-use' way to 'double-spend' some fraction of the time. 

The only way to shutdown this 'unethical' pool / client would be for everyone to wait one confirmation *or* to know your customer.

Considering such an attack could be setup and launched today, we are really operating under a false sense of security to accept 0 confirmation transactions from anonymous sources.

Given that this is possible today, everyone should *assume* it is going on.  Turning an attack into a 'feature' could have added benefits.  For example:

Suppose a thief stole your bitcoins, you could have an alarm triggered the moment you saw a transaction on the network.  You could then quickly issue a 'lock-down' transaction that would send the coins to a 'dispute mediation' address and include a higher fee.   Honest miners would then see the 'conflict' and prefer the transaction to the dispute mediator over the earlier transaction for 2 reasons:  1) reputation and 2) financial incentive. 

The reality is that miners could already offer this 'service', but if it was 'built-in' then everyone would be able to take advantage of 'trx replacement' as a SOLUTION to fraud/theft instead of just a way to commit fraud/theft.

+1

Sure.  But it would be silly to do so.

The blockchain is what defines the order that transactions happen.  If a miner can be liable for replacing a transaction, why not for failing to replace it?  The network makes no promises to deliver transactions to nodes in some magically special order, except when that delivery is as a block.  What if the miner gets the replacement first?  How do you prove otherwise?

Judges, in general, aren't stupid, and this is simple stuff, easily explained.

Is it conceivable that a judge could conclude that because the miner was running this replace-by-fee code and received compensation for doing this that the miner could liable for losses by the merchant? [Edit: or charged as an accessory to the crime of fraud even?]

No, it doesn't even require > 50%.

For example, assume 75% of the miners are profit seeking and 10% of the miners said that they won't build on blocks with any of of transactions for at least 2 blocks.

If you add a block containing one of those transactions, then there is a 10% chance that the alternative miners will get the next block.  Rational miners would then switch to that block, since if it wins, it get 100% of the hashing.  If the other block wins, it still only gets 90% of the hashing, since the "bad" transaction has to be buried two deep.

The effect is that 85% of the miners end up supporting the blacklisting.

Mine a "clean" block
- you get 100% of miners to build on yours

Miner a "tainted" block
- you get at most 90% of the miners to build on yours

If the 10% find another block
- there are 2 equal POW blocks
-- miners following the rules stay on the first block (15%)
-- taint enforcers stay on alt branch (10%)
-- rational miners switch to alt branch (75%)

If the 90% find the next block
-- all switch to that chain

So, if you mine a "bad" block, you have a 10% chance of it being matched by the taint enforcers and then an 85% of it then be superseded.  This gives an 8.5% chance of you losing your tx and minting rewards. 

As long as only a small number of transactions are tainted, it isn't worth including them.

The defense would be to have lots of p2p mixing operations.  If most coins are tainted, then none are.

+1

Security in this context is being inappropriately treated like a binary concept.

There's an entire consumer economy out there based around charge cards which, in bitcoin terms, take 90 days to confirm transactions. Trillions of dollars are being transacted out in the real world via payment methods that are no less insecure than zero-confirmation Bitcoin transactions.

Accepting zero-conf transactions is an issue of risk management and business planning, not a case of "secure" vs "insecure".

Why are you on the internet right now? After all, it is impossible* to get a virus if you don't have an internet connection.

*Yeah, there are other ways, but ignore that for now.

What about your money? I suspect that you have it all in gold (because USD can't be trusted) stored in a vault that you personally designed (because someone else may have put a backdoor in their design) stored under your personal supervision. After all, every action you ever take must require zero-trust, right?

Please tell me that you get where I'm going with this. This is a problem that should be solved through general education, not reducing effective security. Also, stores don't even need to ask for ID - they just need to have a camera, which is something that they should have to prevent general shoplifting anyway.

And that's worst case, when every order is made by an attacker.

I don't think that's right - people accepting zero-confirmation transactions are already playing the odds. 1% of mining power taking the later arrival with the higher transaction fee still leaves you getting the payment 99% of the time, so in a lot of cases it would still be worth it for the extra sales.

Double-spend attackers welcome, buy 99 pizzas and get one free...

I shouldn't need to do this forever, because, once I set up a reasonable assumption that I can keep this thing going (remember I'm the DEA, I just seized a shedload of bitcoins in a drug bust) it's in everyone's interests not to mine that block. They want to mine on top of the longest chain because everyone else wants to mine on top of the longest chain, but given purely rational economic actors who don't care about Bitcoin, that rule, like everything else, is up for sale.

Hell, I may not even need to spend any money - I just need to convince all these rational economic actors that I could and would spend that money if necessary, then it'll be in the interests of each individual miner to start following my rules, not Satoshi's.

Edit: "in the network's interests" -> "in the interests of each individual miner" to distinguish from the interests of miners in general, which are different here because it's a classic Tragedy of the Commons situation.