Hacker News

After the multimillion dollar Bitcoin Gold 51% attack a few weeks ago, I was curious what an attack like this costs against other currencies. I calculated the cost of renting hashing power from NiceHash to complete an attack.

I found it surprising that it is possible to rent enough hashing power for many of the smaller currencies, which makes me question the use of PoW for smaller coins.

Please note that the attack costs do not include the money you earn in the form of block rewards, so in many cases the costs will actually be substantially lower.




Nice work. It's really important to consider this for those buying/holding cryptocurrency. Consider all coins using the same function to be the same family and the one with the most work and power to be the most valid. So there are sha256 coins, scrypt coins, equihash coins, etc. In the case of sha256 the most immune to attack is bitcoin. Everything else is massively vulnerable. In the case of scrypt, it’s litecoin. Everything else you should not hold because it can be swamped by the hashing power mining litecoin atm. So on.

This is a little different from how people have been told to think about it before which is just focusing on the blockchain itself rather than the mining power behind any given variation/fork/whatever of block chain.

Ps. And that probably should be taken a step further. If you have families of coins that are all GPU mined, then you need to consider the total GPUs mining them and the hashing power of those GPUs and the ability for them to switch functions. Now GPUs are a blip on ASICs so for the predominantly ASIC mined coins this doesn’t matter.


Exactly. This is also why I think the trend to be "ASIC-resistant" is misguided and should be considered harmful.

All GPU-mined coins (except the hashrate-dominant one: Ethereum) are massively vulnerable to majority attacks because of the huge pre-existing installed base of GPU miners.

As I said in https://news.ycombinator.com/item?id=17173774 the only solid defense is for each coin to implement an ASIC-friendly algorithm that is unique to this coin, so there is no risk of 51% attacks from a pre-existing installed base of miners.


Or use something other than proof-of-work.


I've yet to see anything other than PoW that's got all four:

* genuine decentralization

* reliably generates a consensus with global supermajority, little or no forking (objective chain selection)

* fault tolerant network, minimal fragility / auto recovering, can't be permanently crashed / hijacked

* requires no human intervention

Everything I've seen so far in terms of PoS violates at least one of the above.

Hashgraph doesn't deal with consensus (it offloads that to other layers), Ripple doesn't really deal with decentralization, Algorand is fragile, most PoS require human intervention besides often having several other faults.

Also there's probably more criteria like these that matter.


So?

"Genuine decentralization" / and "consensus" are not necessary to make a useful currency.

There's also massive cost and risk with the currencies that do implement those criteria.

We should all be open to different alternatives that WORK, and not reject them out of hand just because they're not implemented in such a way that they have attributes we LIKE.


Dropping global consensus means you're back to small regional currencies. With centralization you get things like Ripple. Both problematic / unstable in the long term.


> Consider all coins using the same function to be the same family and the one with the most work and power to be the most valid. So there are sha256 coins, scrypt coins, equihash coins, etc. In the case of sha256 the most immune to attack is bitcoin. Everything else is massively vulnerable.

This is a really good point, and part of what I am hoping people come to understand from this website. Ignoring the risk of renting power from NiceHash to launch an attack, large existing miners could easily switch to a smaller coin for a few hours to attack it, and typically it would be very profitable.


I wonder whether the indirect benefits of discouraging competing coins would outweigh the costs of the loss of confidence in cryptocurrency in general (and the computer cost).


Just want to note that there’s no risk in holding a token due to 51% attacks (except for the external issues such as loss of value and hard fork proposals). No one can spend your assets; it’s just that another transaction may double spend (so you could lose incoming tokens).


Such attacks may lower the value of your tokens by undermining the trust in the currency though.


"except for the external issues such as loss of value"

that was literally stated


Literally stated, but sort of missing the point.

Paraphrased: there's no risk, except that you lose all of your money (because your coins are now worthless).


No risk in getting shot either I suppose, except for the issues of bleeding out or puncturing a critical organ.


It was not stated at the time of my comment. :-)


Depends on how far back they're capable of rewriting the chain.


"Everything else" seems like a strong statement. What about XRP?


Thanks! This is really interesting.

One of the questions I've been chewing on is whether the supply of *coins is effectively infinite. (If it is, that means substantial downward pressure on prices, as available speculative capital gets smeared out over the various options.) This seems like a pretty clear limitation: if a bad actor can crush a small currency, then we should see a lot fewer small currencies.

Do you (or others) have a sense of where the equilibrium might be? Clearly if an attack can be mounted for a few hundred bucks, jerks will do it just for the lulz, which suggests that there won't be a long tail of cryptocurrencies. But is it also plausible that a major Bitcoin player might try to smash something like Bitcoin Cash just to drive activity back to a more major currency, thereby benefiting their holdings?


Supply in token count is effectively infinite, yes. But what's the supply in VALUABLE tokens?

The availability of gold in the galaxy Andromeda doesn't affect gold prices on earth. Not an equivalent analogy, but related - your market will only be hurt if there's an economically accessible supply of equivalent or competing assets that fulfills the same need.

Valueless tokens don't fulfill the same need.


The page mentioned lists 79 tokens with a nominal value, 65 of them over $1m. All of these tokens were valueless at one point. Another site lists 862 coins with nominal values of over $1m: https://coinmarketcap.com/

This suggests there's no obvious limitation on the creation of economically unproductive speculative instruments. Even though they all start at $0, any new token has an unknown upside, as the price can only go up. For some that's apparently a compelling bet.

Will this process only stop when people stop looking for the next Bitcoin? Because for them, a valueless token definitely fills a "get in on the ground floor" need. And there are a lot of people doing that right now: https://www.google.com/search?q="the+next+bitcoin"


This does something interesting to the incentives surrounding hard forks. If someone wants to hard fork e.g., ETH, they either (1) need to abandon ethash altogether for a different hashing function, or (2) be very very certain that their hard fork will capture a large fraction of the hash power of the original chain. Otherwise the forked coin can be targeted as soon as it's created.

And of course the new coin needs to maintain its share of that hashpower indefinitely to survive.

This seems like a bad thing, since it weakens the implicit threat of hard forking that keeps BDFLs in (non crypto) open source projects from acting too strongly against community consensus.


This is very interesting - I was wondering about this too. Assumed it was too high to be reasonable but guess I'm wrong. The question is: what's the cost vs. acquiring the same qty of $ by being a good citizen? I suppose first you need to have a lot of crypto to double spend it.


You can't easily make a million from a single dollar that you can double spend. Having lots of crypto surely helps reduce the time it takes to satisfy your greed.


>Please note that the attack costs do not include the money you earn in the form of block rewards, so in many cases the costs will actually be substantially lower.

If mining is supposed to be profitable, shouldn't it be profitable to control 51% of the network? Seems like economies of scale should lead to a clear industry leader. What's stopping this from being the natural progression of bitcoin?


Right now there are 3-4 parties that together control more than 51% of mining power. I believe they've avoided merging because if there is a single entity openly controlling a majority of mining power it undermines trust in bitcoin, devaluing the currency.


People tend to forget about this possibility with so many new coins out there. When talking about PoW's problems, most people get hooked on discussing the inefficiency of power these days and the costs that has on the network. Great work.


So the answer is for less than $3,000 and I could potentially gain millions of dollars worth of Bitcoin Gold?

What are the downsides? Is this illegal?


You can't directly steal or create coins. Except for the coins you get for your branch of the blockchain if it becomes accepted. The trick is that you can double-spend.

The downsides? You need capital to spend and double-spending is fraud.


Committing fraud is very much illegal, yes. It may be hard to prove and prosecute, but it is undoubtedly illegal. (Though IANAL.)


Who are you defrauding? Under what jurisdiction? The ability to be 51% attacked is a feature of the design. You expect all the actors to commit enough computing capacity to prevent such an attack as it’s in their own best interest.


Depending on the jurisdiction it might be fraud or not. It's effectively the same as writing a check that you know doesn't have funding behind it.


Still fraud.


Can utilizing features ever be fraud?


I'm not sure. Is utilizing the feature that no guard is watching that expensive bracelet in the store illegal?


But in all countries where crypto-currencies are not considered money, is it illegal to double-spend bits?


If I find a funny-looking stone, and promise to give it to you in exchange for goods, it would be fraud to give the funny-looking stone to somebody else instead. Cryptocurrencies are no more "money" than the funny-looking stone, but one could still commit fraud with them.


Stealing a bracelet from a store is made illegal typically through the force of a state.


As is fraud.


> I calculated the cost of renting hashing power from NiceHash to complete an attack.

I think the major caveat here is that it only takes ~35% hashing power to pull off a 51% attack, assuming you're leveraging block withholding and other strategies.


Selfish/stubborn mining isn't applicable here, since the double spender has to fork and withhold all blocks from the point where their honest transaction is included in a block until the victim sends them the goods/exchange withdrawal/whatever, at which point they need to eventually mine a longer chain and reveal.

At ~50% hash power and with a victim who waits <10 confirmations you still only have a ~1/2+o(1) probability of mining a longer private chain. The point is if you can maintain the 50% long enough, you can expect to eventually have the longer chain.

You can also have <50% hash power and double spend, it is just progressively less likely to succeed. The calculations in the Bitcoin whitepaper (p.7) for choosing a transaction confirmation threshold assume the attacker can maintain their attack indefinitely [1].

To clarify, the whole point of selfish/stubborn mining is to increase your mining profit by wasting the honest miners' time when you withhold new blocks (so they unknowingly mine on a shorter chain) and then trying to propagate your withheld block faster when you see an honest miner release a new block. Therefore you get a greater effective proportion of the network's hash power. Of course if you're more than one block ahead of the honest chain, you can just propagate the next block in your withheld chain. But, when you're attempting a double spend, your withheld chain has to remain private the entire time otherwise the victim would see the honest transaction invalidated and cancel the e.g. exchange withdrawal.

There's a cool paper on some extended selfish mining strategies combining eclipse attacks [2].

Also interesting to note is that selfish mining is only profitable if only a few miners are using it, like a kind of prisoner's dilemma [3].

[1] https://bitcoin.org/bitcoin.pdf [2] https://eprint.iacr.org/2015/796.pdf [3] https://arxiv.org/pdf/1411.7099.pdf
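As an added example (not the comment author's code, and not the whitepaper's own listing), here is the attacker-catch-up calculation from section 11 of the Bitcoin whitepaper cited as [1] above, wrapped in a helper that returns the number of confirmations a receiver should wait for before treating a payment as settled, given the hash share an attacker might hold and the risk the receiver is willing to accept. The model has no time limit, which is why any share at or above 50% returns a probability of 1.0: that is exactly the "maintain the 50% long enough" case described in the comment. The helper names and the 0.1% default tolerance are my choices; the formula itself is the whitepaper's.

```python
"""Confirmation-threshold calculator based on the attacker-catch-up model in
section 11 of the Bitcoin whitepaper. Added example; wrapper functions are mine."""
from math import exp


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hash rate ever
    catches up from z blocks behind the honest chain (whitepaper, section 11).

    The honest chain's lead after z confirmations is modelled as a Poisson
    variable with mean lambda = z * q / p, and a deficit of d blocks is closed
    with probability (q/p)**d, so the attacker's overall success probability is
    1 - sum_k Poisson(k) * (1 - (q/p)**(z-k)).
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be a fraction in [0, 1)")
    if q >= 0.5:
        # With at least half the hash rate the attacker's random walk reaches
        # the honest chain's tip with certainty, given unlimited time.
        return 1.0
    p = 1.0 - q
    lam = z * q / p
    total = 1.0
    for k in range(z + 1):
        poisson = exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i          # Poisson(k) built incrementally
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)              # guard against float rounding below zero


def confirmations_for_risk(q: float, max_probability: float = 0.001,
                           max_z: int = 10_000):
    """Smallest number of confirmations for which the attacker's success
    probability falls below max_probability, or None if no value up to
    max_z achieves it (always the case for q >= 0.5)."""
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < max_probability:
            return z
    return None


if __name__ == "__main__":
    # Reproduces the whitepaper's table: q = 0.10 needs 5 confirmations for
    # P < 0.1%, q = 0.30 needs 24, and a majority attacker is never safe to
    # wait out.
    for q in (0.10, 0.30, 0.45, 0.50):
        print(f"q={q:.2f}: confirmations for P<0.1% = {confirmations_for_risk(q)}")
```

The receiving side of an exchange deposit or merchant payment is where this belongs: a confirmation policy is only meaningful if it is derived from an explicit assumption about the largest hash share an adversary could plausibly assemble against that coin, which is precisely what the rental figures in this thread put a price on.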


> I think the major caveat here is that it only takes ~35% hashing power to pull off a 51% attack, assuming you're leveraging block withholding and other strategies.

Interesting. I'm curious to hear more about how this strategy works.


I think this was the original paper on the "selfish mining" strategy: https://www.cs.cornell.edu/~ie53/publications/btcProcFC.pdf


Is the NiceHash-able column the percentage of the attack that could be rented from NiceHash?


Yes, that is correct. If it is > 100%, there is enough hashing power available to complete the attack, but you could be outbid during the attack. NiceHash has the concept of fixed contracts that allow you to lock in a price for up to 24 hours and no one can outbid you. Typically ~30% of the hashing power is available this way.


Could you please add another column stating the income from mining fees you would have with that specific hashing power. Important: calculate mining fees FROM hashing speed, not from money.

It would be a kind of an alternative benefit comparison.


One of the bigger factors is how much they can dump before they hit diminishing returns on price.


You mean I can attack Dash by giving out 500 euros? For sure your calculations are wrong.


The cost for Dash is listed as $11,291, and that's assuming there is enough hash power available via NiceHash (there isn't). These attacks are only possible for coins where the last column is > 100%.


Some of these it probably wouldn't take a very big ASIC investment compared to how much you could steal. Probably a little botnet for the small coins.

This site is good work.


This has been said elsewhere, but for your benefit, you can't steal anything with a 51% attack, it just allows you to defraud others by double-spending coins you already control (and do other less-directly-profitable things like "unconfirming" transactions when the blockchain reorganizes).

Of course, you could also just nuke the entire network by not confirming any transactions. But you can't steal from people directly.


You can buy things with a coin and double spend these coins later. I reckon you can call that stealing.


when states issue more currency to buy bonds, do you call that stealing?

This is clearly inflation and possibly fraud (depending on what claims were made when you bought the crypto coin), but I don't think you can call it theft (unless you think all inflation is theft).


> when states issue more currency to buy bonds, do you call that stealing?

Nope, definitely not stealing without question. It's economic policy which is a lot more nuanced. Not saying it's never stealing, but issuing more currency has been happening for decades and it's no surprise to anyone.

---

Your example and double spending are definitely not the same: with double spending you are basically giving coins to an exchange, which you later "steal" back via forking the chain. This is against everyone's expectations AND against the ToS of all exchanges (which you break if you double spend deposited coins).

Issuing more FIAT currency is very similar to mining (pumping more money into the economy) which I don't think anyone considers stealing. Double spending however..


Nice!

> In some cases this can be quite significant, and reduce the attack cost by up to 80%.

I get how block rewards bring the net cost down, but where does the 80% number come from?


> I get how block rewards bring the net cost down, but where does the 80% number come from?

It's a rough number. In the case of Bitcoin, the miner receives 12.5 BTC (+ transaction fees that I will ignore for now) per block, with a block time of 10 minutes, so they will receive 75 BTC per hour, or $544,275. In this case it wouldn't be possible to actually rent anywhere near this much hash power at this price, but for smaller coins it would be possible to do so.
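As an added example (not the site's code and not from any commenter; every hashrate, rental price and coin price below is a constructed placeholder), here is how the figures discussed across this thread fit together: the gross hourly cost of renting a hashrate equal to the whole network, the block-reward income that offsets it, and the "NiceHash-able" percentage that decides whether a rental attack is possible at all (the > 100% rule from the replies above). It generalises the Bitcoin arithmetic in this reply (12.5 BTC per block, 10-minute blocks, 75 BTC/h) to any coin; the Bitcoin row uses a constructed price of $7,257 so that 75 BTC/h comes out to the $544,275 quoted. This is the kind of check a holder can use to judge a coin's security budget or an exchange can use when setting deposit confirmation requirements.

```python
"""Rough 51%-attack cost model in the style of the table discussed in the thread.

Added example (not the site's code); every coin figure below is constructed.
The hashrate unit is arbitrary as long as network, rentable and price agree.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Coin:
    name: str
    network_hashrate: float          # whole network, in TH/s (constructed)
    rentable_hashrate: float         # hashrate a rental market offers for this algorithm
    rental_usd_per_th_hour: float    # rental price per TH/s for one hour (constructed)
    block_reward: float              # coins paid per block
    block_time_minutes: float
    coin_price_usd: float            # constructed spot price


def hourly_rental_cost(coin: Coin) -> float:
    """Gross cost of renting a hashrate equal to the whole network for one hour.

    Rented hashrate H_a against a network H_n yields H_a / (H_n + H_a) of the
    blocks, so H_a = H_n is the threshold for a majority.
    """
    return coin.network_hashrate * coin.rental_usd_per_th_hour


def hourly_block_reward_usd(coin: Coin) -> float:
    """Value of the block rewards a majority miner collects per hour on its own chain."""
    blocks_per_hour = 60.0 / coin.block_time_minutes
    return blocks_per_hour * coin.block_reward * coin.coin_price_usd


def net_hourly_cost(coin: Coin) -> float:
    """Rental cost minus block rewards; negative means rewards alone exceed the rent."""
    return hourly_rental_cost(coin) - hourly_block_reward_usd(coin)


def rentable_percent(coin: Coin) -> float:
    """The thread's 'NiceHash-able' column: rentable hashrate as a share of the network."""
    return 100.0 * coin.rentable_hashrate / coin.network_hashrate


def assess(coin: Coin) -> dict:
    """Summarise one coin the way the table in the thread does."""
    gross = hourly_rental_cost(coin)
    reward = hourly_block_reward_usd(coin)
    pct = rentable_percent(coin)
    return {
        "coin": coin.name,
        "gross_usd_per_hour": gross,
        "reward_usd_per_hour": reward,
        "net_usd_per_hour": gross - reward,
        "reward_offset_percent": 100.0 * reward / gross if gross else 0.0,
        "rentable_percent": pct,
        # Rental alone suffices only if the market offers at least the whole network's hashrate.
        "rentable_attack_possible": pct >= 100.0,
    }


# Constructed sample rows. The Bitcoin row reuses the 12.5 BTC / 10 min figures from the
# thread with a constructed price of $7,257 so that 75 BTC/h comes to $544,275.
SAMPLE_COINS = [
    Coin("Bitcoin (constructed)", network_hashrate=35_000_000.0, rentable_hashrate=20_000.0,
         rental_usd_per_th_hour=0.04, block_reward=12.5, block_time_minutes=10.0,
         coin_price_usd=7257.0),
    Coin("SmallCoin (constructed)", network_hashrate=100.0, rentable_hashrate=250.0,
         rental_usd_per_th_hour=0.04, block_reward=50.0, block_time_minutes=2.5,
         coin_price_usd=0.01),
]


if __name__ == "__main__":
    for coin in SAMPLE_COINS:
        row = assess(coin)
        print(f"{row['coin']:<24} gross ${row['gross_usd_per_hour']:>12,.0f}/h  "
              f"rewards ${row['reward_usd_per_hour']:>11,.0f}/h  "
              f"net ${row['net_usd_per_hour']:>12,.0f}/h  "
              f"rentable {row['rentable_percent']:.1f}%  "
              f"{'POSSIBLE' if row['rentable_attack_possible'] else 'not possible'}")
```

With these constructed inputs the Bitcoin row shows rewards covering well under half of the rent and nothing like enough rentable hashrate, while the small-coin row shows rewards exceeding the rent and 250% of the network available for hire, which is the situation the original poster found surprising for many smaller coins.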


Why is CAT coin $0 for 1 Gh/s network hash rate? That would require at least two Antminer L3+ to reach 1 Gh/s.


That domain is blocked ostensibly for malware. Can you sum up the top results maybe?



