After the multimillion dollar Bitcoin Gold 51% attack a few weeks ago, I was curious what an attack like this costs against other currencies. I calculated the cost of renting hashing power from NiceHash to complete an attack.
I found it surprising that it is possible to rent enough hashing power for many of the smaller currencies, which makes me question the use of PoW for smaller coins.
Please note that the attack costs do not include the money you earn in the form of block rewards, so in many cases the costs will actually be substantially lower.
Nice work. Its really important to consider this for those buying/holding crypto currency. Consider all coins using the same function to be the same family and the one with the most work and power to be the most valid. So there are sha256 coins, scrypt coins, equihash coins, etc. In the case of sha256 the most immune to attack is bitcoin. Everything else is massively vulnerable. In the case of scrypt, it’s litecoin. Everything else you should not hold because it can be swamped by the hashing power mining litecoin atm. So on.
This is a little different from how people have been told to think about it before which is just focusing on the blockchain itself rather than the mining power behind any given variation/fork/whatever of block chain.
Ps. And that probably should be taken a step further. If you have families of coins that are all GPU mined, then you need to consider the tota GPUs mining them and the hashing power of those GPUs and the ability for them to switch functions. Now GPUs are a blip on ASICs so for the predominantly asic mined coins this doesn’t matter.
Exactly. This is also why I think the trend to be "ASIC-resistant" is misguided and should be considered harmful.
All GPU-mined coins (except the hashrate-dominant one: Ethereum) are massively vulnerable to majority attacks because of the huge pre-existing installed based of GPU miners.
As I said in https://news.ycombinator.com/item?id=17173774 the only solid defense is for each coin to implement an ASIC-friendly algorithm that is unique to this coin, so there is no risk of 51% attacks from a pre-existing installed based of miners.
I've yet to see anything other than PoW that's got all four;
* genuine decentralization
* reliably generates a concensus with global supermajority, little or no forking (objective chain selection)
* fault tolerant network, minimal fragility / auto recovering, can't be permanently crashed / hijacked
* requires no human intervention
Everything I've seen so far in terms of PoS violates at least one of the above.
Hashgraph doesn't deal with concensus (it offload that to other layers), Ripple doesn't really deal with decentralization, Algorand is fragile, most PoS require human intervention besides often having several other faults.
Also there's probably more criteria like these that matter.
"Genuine decentralization" / and "consensus" are not necessary to make a useful currency.
There's also massive cost and risk with the currencies that do implement those criteria.
We should all be open to different alternatives that WORK, and not reject them out of hand just because they're not implemented in such a way that they have attributes we LIKE.
Dropping global concensus means you're back to small regional currencies. With centralization you get things like Ripple. Both problematic / unstable in the long term.
> Consider all coins using the same function to be the same family and the one with the most work and power to be the most valid. So there are sha256 coins, scrypt coins, equihash coins, etc. In the case of sha256 the most immune to attack is bitcoin. Everything else is massively vulnerable.
This is a really good point, and part of what I am hoping people come to understand from this website. Ignoring the risk of renting power from NiceHash to launch an attack, large existing miners could easily switch to a smaller coin for a few hours to attack it, and typically it would be very profitable.
I wonder whether the indirect benefits of discouraging competing coins would outweigh the costs of loss of confidence in crypto currency is in general (and the computer cost).
Just want to note that there’s no risk in holding a token due to 51% attacks (except for the external issues such as loss of value and hard fork proposals). No one can spend your assets, it’s just another transaction may double spend (so you could lose incoming tokens).
One of the questions I've been chewing on is whether the supply of *coins is effectively infinite. (If it is, that means substantial downward pressure on prices, as available speculative capital gets smeared out over the various options.) This seems like a pretty clear limitation: if a bad actor can crush a small currency, then we should see a lot fewer small currencies.
Do you (or others) have a sense of where the equilibrium might be? Clearly if an attack can be mounted for a few hundred bucks, jerks will do it just for the lulz, which suggests that there won't be a long tail of cryptocurrencies. But is it also plausible that a major Bitcoin player might try to smash something like Bitcoin Cash just to drive activity back to a more major currency, thereby benefiting their holdings?
Supply in token count is effectively infinite, yes. But what's the supply in VALUABLE tokens?
The availability of gold in the galaxy Andromeda doesn't affect gold prices on earth. Not equivalent analogy, but related - your market will only be hurt if there's economically accessible supply of equivalent or competing assets that fulfills the same need.
The page mentioned lists 79 tokens with a nominal value, 65 of them over $1m. All of these tokens were valueless at one point. Another site lists 862 coins with nominal values of over $1m: https://coinmarketcap.com/
This suggests there's no obvious limitation on the creation of economically unproductive speculative instruments. Even though they all start at $0, any new token has an unknown upside, as the price can only go up. For some that's apparently a compelling bet.
Will this process only stop when people stop looking for the next Bitcoin? Because for them, a valueless token definitely fills a "get in on the ground floor" need. And there are a lot of people doing that right now: https://www.google.com/search?q="the+next+bitcoin"
This does something interesting to the incentives surrounding hard forks. If someone wants to hard fork e.g., ETH, they either (1) need to abandon ethash altogether for a different hashing function, or (2) be very very certain that their hard fork will capture a large fraction of the hash power of the original chain. Otherwise the forked coin can be targeted as soon as it's created.
And of course the new coin needs to maintain its share of that hashpower indefinitely to survive.
This seems like a bad thing, since it weakens the implicit threat of hard forking that keeps BDFLs in (non crypto) open source projects from acting too strongly against community consensus.
This is very interesting - I was wondering about this too. Assumed it was too high to be reasonable but guess I'm wrong. The question is: what's the cost vs acquiring the same qty of $ by being a good citizen. I suppose first you need to have a lot of crypto to double spend it.
you can't easily make a million from a single dollar that you can double spend. having lots of crypto surely helps reduce the time it takes to satisfy your greed.
>Please note that the attack costs do not include the money you earn in the form of block rewards, so in many cases the costs will actually be substantially lower.
If mining is supposed to be profitable, shouldn't it be profitable to control 51% of the network? Seems like economies of scale should lead to a clear industry leader. Whats stopping this from being the natural progression of bitcoin?
Right now there are 3-4 parties that together control more than 51% of mining power. I believe they've avoided merging because if there is a single entity openly controlling a majority of mining power it undermines trust in bitcoin, devaluing the currency.
People tend to forget about this possibility with so many new coins out there. When talking about PoW's problems, most people get hooked on discussing the inefficiency of power these days and the costs that has on the network. Great work.
You can't directly steal or create coins. Except for the coins you get for your branch of the blockchain if it becomes accepted. The trick is that you can double-spend.
The downsides? You need capital to spend and double-spending is fraud.
Who are you defrauding? Under what jurisdiction? The ability to be 51% attacked is a feature of the design. You expect all the actors to commit enough computing capacity to prevent such an attack as it’s in their own best interest.
If I find a funny-looking stone, and promise to give it to you in exchange for goods, it would be fraud to give the funny-looking stone to somebody else instead. Cryptocurrencies are no more "money" than the funny-looking stone, but one could still commit fraud with them.
> I calculated the cost of renting hashing power from NiceHash to complete an attack.
I think the major caveat here is that it only takes ~35% hashing power to pull off a 51% attack, assuming you leveraging block withholding and other strategies.
Selfish/stubborn mining isn't applicable here, since the double spender has to fork and withhold all blocks from the point where their honest transaction is included in a block until the victim sends them the goods/exchange withdrawal/whatever, at which point they need to eventually mine a longer chain and reveal.
At ~50% hash power and with a victim who waits <10 confirmations you still only have a ~1/2+o(1) probability of mining a longer private chain. The point is if you can maintain the 50% long enough, you can expect to eventually have the longer chain.
You can also have <50% hash power and double spend, it is just progressively less likely to succeed. The calculations in the Bitcoin whitepaper (p.7) for choosing a transaction confirmations threshold assume the attacker can maintain their attack indefinitely [1].
To clarify, the whole point of selfish/stubborn mining is to increase your mining profit by wasting the honest miners' time when you withhold new blocks (so they unknowingly mine on a shorter chain) and then trying to propagate your withheld block faster when you see an honest miner release a new block. Therefore you get a greater effective proportion of the network's hash power. Of course if you're more than one block ahead of the honest chain, you can just propagate the next block in your withheld chain. But, when you're attempting a double spend, your withheld chain has to remain private the entire time otherwise the victim would see the honest transaction invalidated and cancel the e.g. exchange withdrawal.
There's a cool paper on some extended selfish mining strategies combining eclipse attacks [2].
Also interesting to note is that selfish mining is only profitable if only a few miners are using it, like a kind of prisoner's dilemma [3].
> I think the major caveat here is that it only takes ~35% hashing power to pull off a 51% attack, assuming you leveraging block withholding and other strategies.
Interesting. I'm curious to hear more about how this strategy works.
Yes, that is correct. If it is > 100%, there is enough hashing power available to complete the attack, but you could be outbid during the attack. NiceHash has the concept of fixed contracts that allow you to lock in a price for up to 24 hours and no one can outbid you. Typically ~30% of the hashing power is available this way.
Could you please add another column stating income from mining fees, you should have if having specific hashing power. Important: calculate mining fees FROM hashing speed, not from money.
It would be a kind of an alternative benefit comparison.
The cost for Dash is listed as $11,291, and that's assuming there is enough hash power available via NiceHash (there isn't). These attacks are only possible for coins where the last column is > 100%.
This has been said elsewhere, but for your benefit, you can't steal anything with a 51% attack, it just allows you to defraud others by double-spending coins you already control (and do other less-directly-profitable things like "unconfirming" transactions when the blockchain reorganizes).
Of course, you could also just nuke the entire network by not confirming any transactions. But you can't steal from people directly.
when states issue more currency to buy bonds, do you call that stealing?
This clearly inflation and possibly fraud (depending on what claims were made when you bought the crypto coin), but I don't think you can call it theft (unless you think all inflation is theft).
> when states issue more currency to buy bonds, do you call that stealing?
Nope, definitely not stealing without question. It's economic policy which is a lot more nuanced. Not saying it's never stealing, but issuing more currency has been happening for decades and it's no surprise to anyone.
---
Your example and double spending are definitely not the same: with double spending you are basically giving coins to an exchange, which you later "steal" back via forking the chain. This is against everyone's expectations AND against the ToS of all exchanges (which you break if you double spend deposited coins).
Issuing more FIAT currency is very similar to mining (pumping more money into the economy) which I don't think anyone considers stealing. Double spending however..
> I get how block rewards bring the net cost down, but where does the 80% number come from?
It's a rough number - In the case of Bitcoin, the miner receives 12.5 BTC (+ transaction fees that I will ignore for now) per block, with a block time of 10 minutes, so they will receive 75BTC per hour, or $544,275. In this case it wouldn't be possible to actually rent anywhere near this much hash power at this price, but for smaller coins it would be possible to do so.
The elephant in the room is that with the exception of Ethereum, all GPU-mined coins can relatively easily be "51%-attacked" by a small fraction of GPU miners.
There are ~10 million GPUs mining cryptocurrencies in the world today. Because the majority of them mine Ethereum (5-10 million are needed to generate 250 TH/s), it means the other coins can easily be overpowered and attacked if a small fraction of GPU miners decided to do so. For example look at Monero: 400 MH/s of CryptoNightV7 hashrate means there are 400k-800k GPUs behind it, therefore only 4-8% of the pre-existing worldwide GPU mining capacity is needed to attack it.
In a way we could say Monero is vulnerable to a "4-8% attack!"
The best way to defend a coin from this scenario is for it to implement a unique PoW algorithm that is very ASIC-friendly so that GPU miners couldn't overpower it. Of course the same attack scenario would exist if there is a large pre-existing installed based of this ASIC, so the PoW algorithm must be unique. For example Bitcoin Cash could currently be attacked by 10% of Bitcoin miners as they are both mined by the same SHA-256 ASICs.
The irony is that the misguided trend to try to be "ASIC-resistant" is actually worsening the value proposition of all these GPU-mined coins as it makes them more vulnerable to the very real possibility of 51% attacks...
Having a unique ASIC algo would raise the problem of the traditional 51% attack though.
Whichever fab produced it would have a huge hardware advantage in mining. They would mine themselves and just use 51% of their physical units (versus renting on a time-slot market) to do the attack.
...which kills the whole point of the attack. you already poured hundreds of thousands of dollars into fabbing those ASICs, which only work for that specific cryptocurrency. why would you do a 50% attack and tank its price? the only reason 50% attacks like on BTG is viable is that you can rent hashpower (no investment!).
Price crashes do seem to be a disincentive for a 51% attack for owned miners. How much would the price tank versus the gain possible with an attack? The two don't seem interlinked strongly.
The price-tank disincentive is multiplied by the block reward size -- the lower the reward, the the less the miner would care. The price-tank disincentive also is attenuated by future equilibrium mining. If you make the first ASIC and don't attack, future manufacturers will pop up as mining becomes more profitable. If you tank the price, mining profits may become low, but you thwart competition.
Attack gains are not connected strongly to the above disincentives. Attack gains are higher the more often you can cycle the coin -- you can actually steal way more than the market cap of the coin theoretically by cycling exchanges / other mechanisms of payment. Then you start running your 51% attack and reverse hours, days, weeks of transactions.
I see your point that there is some disincentive for a 51% attack, but I'm not sure that's enough.
This point doesn't seem to make sense. If you have 25 potential attackers, then for there to be an actual 51% attack, more than half of them (13/25) would have to band together to actually reach 51%. Unless the assumption is that the 25 parties buy chips and sit on them indefinitely without contributing to the network hash rate.
I'd guess they mean "better to have one potential attacker because of the centralization that mining with a unique ASIC would tend to cause, than to have 25 potential attackers because you're vulnerable to an attack by 1/25 of worldwide GPU power (which is normally used for other coins but could be briefly repurposed)".
This is a totally misleading calculation for the largest currencies. It's literally quoting the spot price for what's available on NiceHash and then dividing by the fraction you'd have of the total hash rate.
In reality, as you continued buying up hashing power, the price of the remaining hashing power would go up precipitously. This is basic supply and demand.
It's still a good proxy for how easy it is to do. The attacker could buy hardware, rent from people not on nicehash, etc.
It's like how companies' market caps are determined by the the last few trades, even though the last few trades probably represent .01% (or less) of the shares in the company.
Probably best to read the numbers a bit qualitatively. A coin that is 2% nicehashable would require substantial efforts (probably negotiating with a few private pools) to mount an attack; perhaps impossible for a not-connected miner. Wheres coins approaching the double digit percents probably is quite possible if you have even lukewarm connections. And those near 100% or above are likely super vulnerable.
There's already a GPU and ASIC shortage with prices skyrocketing - even without someone attempting a 51% attack. Being a PC gamer is tought right now - you often can't even find a GPU in stock!
Can't imagine how difficult it would be to hoard a ton of hardware.
That is why I included the NiceHash % for each coin. NiceHash offers fixed price contracts, typically for ~30% of their supply that you can lock in for up to 24 hours.
It's definitely a lot less do-able for the larger currencies - I still think PoW is a good option for them honestly. This was more to show that 51% attack risk is problematic for smaller coins, and I'd love to hear a discussion on the best way to fix this.
> I'd love to hear a discussion on the best way to fix this.
Proof of stake (still problematic for very small cap) or proof of ID (my favorite) using something like the e-estonia crypto ID system. You can prove every miner is a unique person, award them coins on a deterministic pseudo-random order.
If you're going to use proof of ID, doesn't that kind of remove any need for a blockchain?
How do you suppose you can have a censorship resistant currency if all a bad state actor has to do is punish anyone who mines a transaction they don't like.
I like crypto, but the greatest danger of it seems to be the potential for economic enslavement(we don't like you, therefore you can't buy bread anymore) through censorship and oppression.
Centralized government only provide means for a person to ID themselves, possibly through pseudonymous means.
If you are worried about targeted censorship, I seem to recall from the first days of BTC that there are ways to "shuffle" IDs: participate in a pool P, get a new ID that is untraceable to the original one but that is traceable to pool P and offers the guarantee that there are no duplicates.
But note that no cryptocurrency is "censorship-resistant" (I am of the opinion that financial transactions are not free speech, so calling it censorship is not the appropriate word and confuses issues). BTC can be (and has, in China) be forbidden. Forbid mining, jail people who do it. Easy in a country that bans also VPNs and Tor.
BTC is only as strong as Tor is and Tor is dependent on the governmental goodwill to let people use strong crypto. Keep in mind that until 2000 US companies were banned from exporting crypto tools that the NSA could not break [1] and even to this date, restrictions exist for some material and countries. USA is just one executive order away from making Tor, VPNs, and thus, anonymous BTC mining, illegal.
And I think that many countries will ban BTC. China is more energy-constrained than most of us, but the energy needs of the BTC netword is gargantuan. I think they have a year to solve that issue (I think they will use proof-of-stake) before states starts pulling the plug.
And always remember that as cool as crypto is as a tech, it does not exist in the vacuum. While it allows to navigate against an incompetent but permissive state, it does not fare well against a competent hostile one.
A part of the problem of maintaining cryptocurrencies (or anonymous networks) is political, not just technical. I too, as a geek, love the prospect of being able to solve political problems with technical solutions, but it only works up to a certain point.
Something like proof of ID would be amazing, but like you said it requires a secure digital id system to exist first, which few countries have. Is there anyone building something like this?
E-estonia will provide a certificate to anyone presenting themselves to an Estonian embassy with a valid passport (and, IIRC, $300). They thought many other nations would provide this service but to my knowledge they are still alone.
Estonian citizenship is not required. May crypto-geeks have an estonian ID certificate. If I were still into crypto I would have made one for myself I think.
For ID systems, I have yet to find a way to do registration in a decentralized way. Until we get cheap unspoofable genome sequencing devices (which may never be a thing), we will have to trust some authorities.
Once registered, you don't need to trust the Estonian government at all: you get an IC card and a reader (all open source IIRC) and you can autonomously authenticate. If memory serves, you can even authenticate pseudonymously.
Note that you don't have to trust everyone, you have to trust the e-ID registration system as a whole. That is, a single flawed individual won't be enough to corrupt the whole thing.
Which is fine, but than don't talk about cryptocurrencies. These are supposed to be trustless, not trustless-except-we-all-have-to-trust-the-government. Just talk about some new state system that uses some cryptography somewhere.
I wonder if we could see a spiral that effectively kills off smaller coins?
> Exchanges respond to these `weak` coins by increasing their confirmation requirements. Some of the really small coins would probably need huge numbers of confirmations.
> Lots of confirmations, which would likely damage the value of the coin.
> Lower price would reduce the miner hashrate
> Lower hashrate would further lower cost of 51% attack.
> Exchanges increase confirmations further
>This is a totally misleading calculation for the largest currencies.
That's not the only way it's misleading. Peercoin is listed as 8,559% available on nicehash, but peercoin is a proof of stake coin. It doesn't use hashpower to secure it's transactions, so it's not vulnerable to a 51% hash power attack (although it is vulnerable to other kinds of 51% attack).
Doing a 51% attack on a major coin, and actually profiting from it, is much more complicated than this chart implies. Here are some of the problems you'll run into:
1. NiceHash doesn't have anything like the hashpower you need to attack a major coin such as BTC or ETH. The chart admits that NiceHash has only 2% of the capacity you need to accomplish this on Bitcoin. You'll need to start buying ASIC hardware or graphics cards to cover the other 98%. Both of those are hard to obtain in very large quantities quickly.
2. Since you have to buy the hardware, you can expect to pay much more than the NiceHash prices imply. Bitmain is one of the major suppliers of such hardware, so let's use their prices as an example. One of their top Bitcoin ASICs is a 14 TH/s unit that costs about $1,000 [1]. So you need about 2.5 million of these units at a cost of 2.5 billion dollars. Not that Bitmain has the capacity to fill such an order.
3. The cost of those ASICs is just the beginning. Have you seen photos of those Chinese data centers that have racks of mining ASICs on shelves? Each of those data centers has maybe a few percent of Bitcoin's hash rate, so you'll need to build something at least 30x larger. Your electric bill alone will exceed the GDP of some small countries. Since you've already spent billions of dollars on ASICs, hopefully you have some money left to pay it and hire a data center ops team.
4. How fast can you build all this out? Bitcoin's hash rate has grown 30% over the last month[2]. You might sink billions of dollars into this project only to discover that you've come up short.
5. Congratulations, you can now make a few million dollars by 51% attacking the blockchain. You would, for example, deposit some bitcoins with a bunch of exchanges, sell them, withdraw dollars, and then use your hashpower to unwind those deposits and put the bitcoins back into your own wallet. It'll take a few hours (or less) for every exchange to notice what you're doing and freeze withdrawals. The bitcoin price will free-fall as everyone wonders about how to prevent this next time. You may or may not be arrested and charged with wire fraud. You're done!
The interesting thing is that the Chinese government could theoretically nationalize all those data centers and be very close to (or far beyond) 51% on any proof-of-work-based cryptocurrency [0]. This would, of course, be a one-way street, immediately lead to a price crash, and likely be unprofitable... but it might be viable, say, as part of a scorched-earth cyberattack to cause chaos and wipe out international wealth parked in Bitcoin.
It's heartening to see things like Ethereum moving in a proof-of-stake direction [1], and there's a lot of hope for a lot of the new cryptocurrencies out there. But Bitcoin itself is far more centralized and government-controlled than a lot of people think.
Given that money laundering is a significant use of Bitcoin, and given China's extensive history with capital controls [1] and their willingness to execute people for corruption [2], it would not shock me much to see them do this for purely internal reasons. Chinese leaders are historically not big fans of things they can't control.
China's [...] willingness to execute people for corruption
I read a fascinating (although very cynical) book a few months ago, and it said something very interesting about corruption.
If an autocracy needs to buy the loyalty of the army/police/government officials, instead of paying them cash the autocracy can simply turn a blind eye to corruption. That means you don't need to spend your own money to bribe them - and if any of them display disloyalty, you can simply have them executed... for corruption!
So you always have to be wary when you hear a regime is cracking down on corruption - it may be they're simply cracking down on disloyalty, while retaining their private pro-corruption stance.
That has definitely been a commonly deployed trick throughout historical Chinese dynasties. However there are always two sides to it and nothing can be regarded simplistically, especially if you're talking about Xi's anti-corruption campaign. While Xi might be consolidating power with the corruption crackdown, the general welfare of Chinese civil servants have indeed been reduced a lot, to the extent that many of them simply quit and started their own businesses indeed.
Whether one likes it or not, Xi is genuinely trying to make China more like the US and letting the private market play a much bigger role while reducing government support. He's just like Reagan.
Oh, yeah, I'd believe there's some of that going on here. Although I'd also believe that the real rule isn't "don't steal", it's "don't steal too much". With "too much" being defined by some combination of "more than those superior to you in the pecking order" and "in a way that causes public upset".
That has definitely been a commonly deployed trick throughout historical Chinese dynasties. However there are always two sides to it and nothing can be regarded simplistically, especially if you're talking about Xi's anti-corruption campaign. While Xi might be consolidating power with the corruption crackdown, the general welfare of Chinese civil servants have indeed been reduced a lot, to the extent that many of them simply quit and started their own businesses indeed.
Whether one likes it or not, Xi is genuinely trying to make China more like the US and letting the private market play a much bigger role while reducing government support. He's just like Reagan.
I don't understand the question. Bitcoin's aim was to be international electronic cash. People use actual cash for money laundering. Why wouldn't they use electronic cash?
I think your mistake stems from holding too tightly to the term "cash" used in the original Bitcoin paper.
>People use actual cash for money laundering. Why wouldn't they use electronic cash?
I'll help you to the conclusion without googling. Actual cash is not electronic, and thus tracing efforts are much harder. Electronic cash can be traced near instantly.
I really don't see why you had to have this PA tone on your comment? Could you elaborate more on your stance?
As for Bitcoin, people can always fork it. Remember to ask the question, "What is money?" I think it's in the interest of the Chinese gov't to extract value from Bitcoin, not destroy it.
A massive bitcoin mining virus wouldn't help. Let's say there are 2 billion PCs in the world, as this random site estimates[1]. Let's say each of them has a high-end graphics card.. say, a GTX 1060 that can do 20 MH/s. Let's say your virus can break into every single computer in the world, and run all those graphics cards at 100% without being noticed.
Now your mining power is: 20 MH/s * 2 billion = 40000 TH/s, or 0.1% of Bitcoin's hash power.
Hence my specification for industrial scale. More likely: a corrupt data centre system admin or government official. In any case, if you’re taking on the Bitcoin network, doing it with fairly-obtained resources would be silly.
A corrupt data center official has much easier options to attack bitcoin at the network level. For example, a rogue sysadmin at a major Tier 1 ISP could use BGP hijacking to mount a partitioning attack against the network.
See the paper “Hijacking Bitcoin: Routing Attacks on Cryptocurrencies” [0] for more details on this.
It seems very implausible. Anyone with that level of sophistication may as well look for exploits in bitcoin exchanges and steal the bitcoins directly.
Yeah, this isn't the last season of Silicon Valley, you've explained it really well. Theoretically it's very dangerous vector of attack, however, in practice seems impossible seeing how big Bitcoin is over all.
And if you try to attack one of the smaller coins, odds are it'll just get forked. Which is a risk with big coins too, but at least there's a chance the original chain retains some value.
Not sure what you mean? Wouldn't the double spender immediately tumble them by exchanging them for other coins across a bunch of different exchanges making a fork to fix it nigh impossible?
Most smallcaps have tiny volumes and aren't traded on many exchanges. Getting the coins into (and out of) an exchange isn't immediate. Even worse most of the volume is likely to be on a trustworthy exchange that does some basic KYC (and extended KYC for withdrawals). Basically, for most $1M cap coins, you'd be lucky to get $5k out if all goes well.
I mean, I guess it's still viable. It's just street-robbery-viable.
Yeah, for profit miners have a built in incentive against doing such an attack, since it destroys the value of their own assets. But there’s still a danger from a well funded government or corporation willing to take a loss to destroy one of the currencies.
Rent-a-miner attacks seems to be another amusing example of when the existence of a market can break the system.
For example, voting works well in a democracy, but if we can sell votes, democracy would likely collapse because rich organizations would buy it up and control all politics. (Some say this is already true; but you know it would be way worse if votes were openly sellable).
Satoshi foresaw people trying to mount a 51% attack by buying a ton of machines, and so he went to great lengths to ensure this was unlikely using mining. I don't think Satoshi foresaw the liquid AWS-like market for instant hashing power. The ability to mount a limited-time 51% attack makes the attack literally 1000x easier than a buy-machine 51% attack.
It's bizarre to me that rent-a-miner is a viable business at all. Why don't the owners just set the miners to mine whatever the most profitable coin is at the moment?
The "owners" of the hardware are private miners. The rent-a-miner business (NiceHash) just connects sellers of hashrate (miners) with buyers of hashrate. The miners don't care what they are mining, and they get paid in BTC regardless of what their hardware actually mines. NiceHash is just a marketplace that automatically mines the most profitable coin by what people are willing to pay for hashrate. None of the hardware belongs to NiceHash.
Your question is still valid and good, but not in the way you have phrased it. The real answer is: laziness. NiceHash is easy and steady. If you have a nice gaming rig, you can make a few extra bucks a day by selling your hashing power while it's idle. If you are a serious miner, you probably don't use NiceHash.
Aren't the owners doing exactly that? Whatever is the most profitable coin is determined by the buyers of the rent-a-miner market and the sellers get paid that, less the cost to the market-maker for that discovery. How else could it be?
It would be helpful to expand on how many blocks can be reversed given only one hour of hash rate.
Many wallets, exchanges, etc require a minimum number of confirmations before allowing you to spend the coins to handle reorgs that happen naturally.
For example, in Bitcoin this is often around 6. With 1hr of hash rate you might be able to get 7 blocks but likely you’ll actually need more time to get enough blocks or successfully attack. Accounting for this would increase the cost substantially.
I don't think it is particularly useful to talk about blocks reversed in this context.
In all cases, you can reverse about 1 hour worth of blocks. In practice, when wallets/exchanges/etc pick a minimum number of confirmations, they are really picking a minimum time. So, if bitcoin had double the blockrate, they wouldn't say 'well, we only require 6 blocks, so you only need ~30 minutes of an attack', but rather, 'we require ~1 hour, so you need 12 blocks of confirmation'.
Yeah it’s sort of time based assuming consistent blocks, but it would still based on confs. If the hash rate doubled then one would only require 30 minutes until the difficulty adjustment kicked in.
The main purpose of my post is that to actually pull off a successful attack you probably need more than an hour, so the numbers are making it look like it’s cheaper than it would be in practice (ignoring other factors other commenters have shared about acquiring ASICS, data centers, and such).
You can’t 51% attack Bitcoin for $611K, but your site says you can. While the site can’t be perfect, it would be helpful to make it more realistic. If a news site picks this up and doesn’t understand the nuances they’ll accidentally spread FUD and mislead a lot of people.
Yes, I’m saying that rather than needing an hour to get 6 blocks if the hash rate doubled, you’d only need 30 mins _until_ the adjustment occurs. Then it would be an hour again.
This is incredible! What actually stops me from launching such an attack on something like Einsteinium?
One problem I found w/ the website: you have included Peercoin, even though Peercoin uses PoW only for initial coin distribution and not block validation. Block validation is done through PoS.
This! Einsteinium would apparently cost $33 to attack? Even if it's off by an order of magnitude or two (as some of the other comments seem to suggest), this _still_ seems like something a security researcher could/should try.
(Not to steal peoples' money but rather just to prove security or lack of it!)
This is why a POW based cryptocurrency can never handle a significant amount of money.
Suppose you're Coinbase. The way you protect yourself is on large transactions, waiting for more confirmations. This increases the amount an attacker must spend to do a 51% attack. If you wait long enough, it's not worth it. But wait! The attacker can use multiple accounts and multiple exchanges, so now Coinbase has to look at the total volume of newish transactions on the blockchain in order to know when it is guaranteed to be safe.
The upshot of this is that a POW blockchain cannot securely transact more money per hour than the 51% attack number. That's also approximately the amount of money miners spend per hour.
Total world payment volumes are on the order of a quadrillion dollars per year. Unfortunately world GDP is only $80 trillion. Even if we reoriented our entire economy to do nothing but mining, we could only protect about 10% of all of the transactions.
An exchange could mitigate this attack by also monitoring the outflow by 'age'. Delaying any large withdrawal of 'new' coins.
* AGE: i mean, how recent was the deposit of any coins involved in any transaction. So if I send a large quantity of Bitcoin Gold to an exchange (they are marked as 'new'), then if I immediately exchange them to Ethereum, the Ethereum is now also considered 'new'. If I try to withdraw the Ethereum the exchange delays withdrawal.
If this graph were true wouldn't we be seeing attacks all the time? If coins could be exploited for just hundreds of dollars they'd be rendered useless pretty quickly. This can't possibly be accurate.
It is true and mostly accurate by some back of the napkin math I've done. What stops people from doing 51% attacks is a few factors:
1) If you can pull off an attack for a few hundred bucks, it's probably on a coin that will only net you a few hundred bucks. Remember, these coins are thinly-traded altcoins, many of which only do a few hundred bucks worth of volume on exchanges in the first place.
2) Once you pull off your attack and people realize what happened, the "free" coins you get back will be worth shit because nobody will want that coin.
It's not as much of a free lunch as it might seem at first blush. I most certainly possess the domain knowledge and skill to pull off a 51% attack, as I have contributed code to Bitcoin and many other cryptocurrencies, written open source mining software, etc. But I would need several million dollars in starting capital to make the kind of money that would make me even consider it. That time would be better spent hacking away on a project with the potential to make me sustainable income, or a client project where I'm paid by the hour.
On point 1 take for example Ubiq, it'll cost you say 10x the 1h rate or $4.7k, and the 24 hour volume is 130k, that seems like a pretty good ratio to me. Or Bytecoin - let's say 100x since it's harder to get the capacity - cost $50k, 24h volume - $18m.
On point 2 I thought the entire point was to double spend - so you have 1 einsteinium or whatever, you put it in the exchange, you use it to buy bitcoin. You re-spend it at another exchange buying bitcoin. You got twice as much bitcoin as you paid for. As long as you're out before it becomes obvious what you've done you make profit.
The cost and market cap estimates are probably both not good measures of how things would work out in practice on that scale, but even so- it looks like someone with a couple million dollars to invest could plausibly extract several billion from BTC via a 51% attack. It would cost substantially more than the estimate on here (since even non-NiceHash cloud GPU services probably wouldn't fully cover the required hashpower), and require substantial technical expertise, and decently-connected people would probably see it coming at least days in advance due to the movements of GPUs and GPU-power involved, and be pretty definitely illegal, and BTC's market value would be crumbling underneath you as you tried to sell out... but, the sheer profitability of such a scheme should seriously worry people with a stake (finanical or emotional) in BTC. A dollar bill sitting on the sidewalk doesn't stay there long.
I go into more detail in this [0] comment, but it would be substantially more expensive to pull off an attack if the hashing power was not available to rent from NiceHash. The 'nicehash-able' column is meant to represent how much hashing power is available - if it is > ~300%, an attack would be fairly do-able from just renting hash power.
Bytecoin looks remarkably easy to attack. If we filter to currencies that can easily be NiceHashed and have decent market caps, and then sort by cost/mktcap, the top 5 look pretty juicy.
This math is based on having 100% of the existing hash power (the network is 500H/s, you would need 500H/s) - in most cases you would probably purchase enough to give yourself a decent buffer above the existing hashing power. The numbers are meant as very rough estimates to give people a better idea of the costs.
With so many actors it could be very steep. Like 51% capacity has 99% chance of success and 49% has 1% of success and 40% has practically zero chance (these are made up numbers).
It could also be quite shallow as in 1% capacity gives you 1% of success... that would actually be quite bad and invite malicious actors to test the system with regular attacks.
It's a race of who can get to N blocks first. The higher N the "steeper" it is. N is set by the merchant so as to balance security with quick transactions
I'm curious were Cardano ADA would be on this list. It seems to be one of the more thoughtful designs, and also a recent addition to the list of coins.
That is disturbingly easy. Of the top 20 currencies by market cap 10 of them can be attacked with a NiceHash purchase. Representing over $2 billion in market cap. Bytecoin is a higher market cap coin that is almost as vulnerable as Bitcoin Gold. If a 51% attack also hits Ethereum classic (89% purchaseable), there will be market chaos.
I'd offer to buy the companies or groups controlling most of the mining power. Even paying off individual executives to cut deals to lower the price. The resulting buy would probably be way, way, way less than $100 billion for Bitcoin. Hell, it might be less than a billion.
Does nicehash let you run custom mining software to make adjustments to how it handles your transactions (permit double spend) or change the algorithm (like the verge attack)?
Edit: or would the malicious code live in a mining pool that you direct the nicehash hashing power to?
Mayor players (exchanges, bitpay) could decide to just ignore the dominated branch of the blockchain, by requiring that block n has hash h. This would lead to a fork similar to etherium vs etherium classic.
Alternatively they could start not to accept the spoiled coins. If account a double spends x, they track where the coin goes, let’s say b accepts y:=x-? coin then a still has x-y spoiled coins and b now has y spoiled coins. Now you just don’t accept transactions from accounts that have spoiled coins. Would work with bitcoin.
Also the government can come up with similar regulations to crack down on bitcoin.
> If account a double spends x, they track where the coin goes, let’s say b accepts y:=x-? coin then a still has x-y spoiled coins and b now has y spoiled coins. Now you just don’t accept transactions from accounts that have spoiled coins.
That would be a perfect way to lock another user's account out of exchanges. Care to give me your address? I'd like to send you some spoiled bitcoins I have lying around... ;)
As for the government, you can be sure they are already tracking all of the transactions. Bitcoin is far from anonymous - cash is a better alternative if you need anonimity, and even that can be traced easily nowadays.
Well, if you attack me like that I can always pass on the spoiled coins to a newly created account. Once I got rid of the spoiled coins my account would be clean again.
In a regalutory framework there could also be filter addresses that launder your coins for a high price (99%).
But how fast can you do that? Wouldn't the double spender immediately tumble them by exchanging them for other coins across a bunch of different exchanges making a fork to fix it nigh impossible.
I don't think multi-algorithm is taken into account for multi-algorithm coins. Several coins have multiple independent mining algorithms each with their own difficulty, and need to be attacked simultaneously.
Yes, this is correct - I wasn't actually aware that there were multi-algorithm coins, but I'm assuming there aren't very many. I will go through the list and try to update this, but let me know if there are any that you know of that I should update.
It would be interesting to add the currency rewards the attackers would gain from the hashing process. I bet the cost may be greatly reduced, and may even make the operation profitable, without much illegality...
Even if the 51% attack by itself might not be illegal, using it to double spend almost certainly is. On the civil side I'd expect you to be liable to pay the receiver in order to fulfill the contract you made when you exchanged the coins deposited on the old chain. Plus I'd expect criminal fraud charges.
The attack itself is legal. Sure you will cause some property damage if you split and roll back an hour worth of transactions. People might try and bring a civil suit against you. That would be interesting.
Of course, if you try to double-spend as part of the attack: it's fraud!
You'd get perhaps ~51% of the blocks over a one hour period, though that's an average on a bell-curve. With only about six blocks in play for Bitcoin you could hope to score three at best. That's a $361K average gain.
You'd make way more money on some kind of double-spend attack. If you've got 51% for sure you would probably hit up multiple exchanges at the same time to magnify your reward.
Yeah, no. 51% means just that, 51% of getting a block.
If you control more than half you can dictate terms, you can fight back against the other miners, and in a protracted battle you will ultimately prevail. With 49% they can always eventually override you.
Suppose you control 51% of the network and want to do a double spend against a merchant requiring 6 blocks of confirmation. To do that, you make the spend and allow the chain to operate normally. While it is doing so, you work on your own chain. After the main chain achieves 6 blocks, you wait until you have more than the main chain, then publish your chain. Now, everyone switches over to your chain. In particular, the last 6 blocks (or more, if you had to wait longer to overtake the main chain) are all your's because you were the only one working on your chain during that time.
If someone else has a block in those last 6, it would mean that someone else (who I assume is an honest node) saw your block. At this point, your entire chain will be published and likely overtake the mainline (otherwise, the honest miner wouldn't have bothered with it). Now, it appears to the merchant that your transaction has not yet made it onto the chain, so you have to wait for another 6 blocks confirming the transaction.
The only way I see around this is if you can partition the network. However, not only is this difficult, if you can partition the network, then you no longer require 51% to do an attack. In fact, if you can assure that the target is on the smaller partition, you require 0 mining power to do the attack.
EDIT: Essentially, at 51% you can make a "rule" that all blocks must be yours.
51% of the network means you singlehandedly get to decide consensus. And if you decide that consensus is that every new block in the chain is yours, then who's going to stop you?
I did some back of the napkin math for a few coins, and this reduced the cost Ip-90% in some cases. I couldn't find a consistent place to get this data from for all coins, but I may manually go through and add it, since it can reduce the cost substantially as you noted.
To be honest, I think you could even reap the benefits of arbitraging hash difficulty. Eg. just as a new difficulty level is set, flood the network with additional nodes and hash away till the next difficulty update. Then kill the nodes, and wait for difficulty to adjust up and then back down, and then attack again.
Is it? Say you control 51 percent of the mining capacity. How do you profit from it in such a way that you don't tank the value of the good you're stealing?
Shorting it is the obvious way. You borrow a bunch of that currency, sell it, then use the money to buy hashing power, and steal it back to cover your shorts.
You have to short it by billions and billions of dollars.
Bitmain, alone, made 3-4 billion dollars in PROFIT last year. And they don't control even close to 51%.
Bitmain would have to make enough money off of a single attack so as to cover all it's FUTURE profits.
And then it would also have to not be noticed.... Do you really think all these exchanges would just suffer under an attack that loses them many billions of dollars, without retaliating? No, they wouldn't. And then people would end up in jail.
This comment [0] has a better explanation, but this is the theoretical cost - per the 'nicehash-able' column, NiceHash only has 2% of the necessary hashing power available for rent, so an attack like this is most do-able and problematic for smaller coins.
Just curious - excuse my ignorance - wouldn't there be a high level of chance involved in that you might actually win, that would cause the cost to rocket way up for you to succeed in that double spend? Eg you'd have to keep trying before you got a hash that would cause you to need to actually spend a lot more.
This is for 1h of compute in the calculation so would you not actually need to run for a very long time, and also be spending in each and every one of those blocks?
Again sorry for my ignorance - hoping for some insight.
I guess what's amazing about this is that a 51% attack on Bitcoin could be achieved by a relatively modestly sized company. More worrying I guess is the prospect of somebody with a suitably powerful botnet attacking the network for 'free'.
It would be interesting to have some summary on different types of PoW algorithms, which of them have the highest durability. Does for example memory constrained PoW have an advantage over one that simply burns CPU cycles?
Crypto currencies seem to have this sort of ethos where nobody controls the currency and that is great .... except for what seems like a baked in ability for a single entity to do exactly that....
You will need > 2x that amount of money to begin with to profit, in order to have enough coin to double spend, and cover for the cost of the privilege.
Nice collection, OP. Though the page is hypothetical it does show some viability of the cost of 51% attack, something which many people deny as uneconomical without proof.
But I am sure there will be people who will deny saying miners can refuse mined blocks and create a branch. And others who will deny this by talking up game theory mechanic of 51% attack - if someone does get 51% power then the rational thing to do is to not harm the coin. This obviously doesn't hold true for an irrational person.
And given the concerns raised for PoW for small coins, I can only say this - "Those Who Do Not Learn History Are Doomed To Repeat It." Here's one of my favorite stories from Nathaniel Popper's Digital Gold about a coin which was very small back in the day called - Bitcoin:
Laszlo’s CPU had been winning, at most, one block of 50 Bitcoins each day, of the approximately 140 blocks that were released daily. Once Laszlo got his GPU card hooked in he began winning one or two blocks an hour, and occasionally more. On May 17 he won twenty-eight blocks; these wins gave him fourteen hundred new coins that day.
Satoshi knew someone would eventually spot this opportunity as Bitcoin became more successful and was not surprised when Laszlo e-mailed him about his project. But in responding to Laszlo, Satoshi was clearly torn. If one person was taking all the coins, there would be less of an incentive for new people to join in.
“I don’t mean to sound like a socialist,” Satoshi wrote back. “I don’t care if wealth is concentrated, but for now, we get more growth by giving that money to 100% of the people than giving it to 20%.”
As a result, Satoshi asked Laszlo to go easy with the “high powered hashing,” the term coined to refer to the process of plugging an input into a hash function and seeing what it spit out.
But Satoshi also recognized that having more computing power on the network made the network stronger as long as the people with the power, like Laszlo, wanted to see Bitcoin succeed.”
Is this really accurate? So 51% attack on bitcoin is around 100btc? Given the advantage of such an attack, won't more users want to do it? Also, won't nation states easily come in on this and attack the integrity of these coins?
This isn't possible for larger coins like Bitcoin because it assumes you can get a short-term rent of enough hardware to carry out the attack for exactly the amount of time it takes to carry out at the NiceHash market rate. Most of the Bitcoin mining hardware is not available for rent in this way and its owners have a financial incentive not to allow this because it'll wipe out the value of their hardware.
Sure, the owners of the mining hardware could be on the other end, but that puts up the cost of the attack substantially - instead of depending on the cost of renting an hour's mining time, it now depends on the total lifetime value of the equipment used. There's also the rather large problem of how they could convert enough double-spent Bitcoins to something else before the price tanks; it'd have to be a very big heist to make the math work out.
This is the theoretical cost of a 51% attack if there is enough hashing power available via NiceHash. If the Nicehash-able column is >> 100%, this is very do-able. I go into more detail on the about page [0].
this isn't correct.proof: the ongoing war between btc and bch has people holding millions in btc. they didn't even try to attack. you can't attach bch with 70k or you would have attacks everyday forever from old btc holders.
Whoever wrote this must be totally oblivious. The hardware costs alone to attack bitcoin are likely in the hundreds of millions. Beside that, think you can rent that much hash power at the spot price is hilariously naive and ignores the fact that this is a supply and demand driven market.
I found it surprising that it is possible to rent enough hashing power for many of the smaller currencies, which makes me question the use of PoW for smaller coins.
Please note that the attack costs do not include the money you earn in the form of block rewards, so in many cases the costs will actually be substantially lower.