The paper outlines two attacks that a hash rate majority can undertake: (1) double-spending; and (2) sabotage (force a decline in exchange rate).
But there is a far more benign and profitable attack: collect all of the block reward. No need to tell anybody, and no need to upset users by double-spending. Business as usual.
In other words, establish a benevolent mining monopoly:
The hash rate majority becomes an effective monopoly by censoring blocks from outside the cartel. The incentive is equal to half the block reward. If done properly and gradually, few users would notice. Nor would many care. Those who did would simply leave.
I suspect there's even a version of this attack in which a cartel makes public threats to censor blocks it disapproves of. This is, after all, what BIP-9 does:
Using this approach, a cartel may be able to leverage a hash rate below 50% to 100%.
There's some precedent for this with UASF. The hash rate of the group threatening to censor blocks there was quite small (certainly below 50%). Depending on who you talk to, the threat of block censorship by this group was enough to shut down segwit2x.
Looking at hash rate shares historically, it is incomprehensible that market share would remain so stable through several generations of mining tech. So the existing system is precisely a cooperative benevolent monopoly, albeit an informal one. My guess as to why the miners don't just turn off their equipment and threaten to overturn any non-monopoly block mining is that they just don't know how much of the speculative bubble is based on their behavior, and acting that way might pop it.
You dumb, "benevolent monopoly", not even close, miners are selfish and greedy, far from benevolent. If it was more profitable to attack the network with their hash power they would, but they would be essentially scrapping the $millions they put into the hardware.
Due to the non-linearity of block rewards -- reward as a function of time spent working on a block is not constant -- an individual miner is always incentivized to pool hop after a certain point [1].
In theory, if all members of the cartel were to follow the rules, then yes.
However, Bitcoin mining suffers from the same problem that Californian farmers face when there's a drought -- the tragedy of the commons [1].
In both scenarios, there is an individual incentive to deviate from the rules set: with Bitcoin, it would be with people secretly mining; with farmers, it would be with people secretly taking more water than their allotment.
The "losing" miners would continue mining on a separate chain (e.g. Monero Classic) as long as it was marginally profitable. They wouldn't just throw away their hardware.
Only until someone does the same thing to the other chain. The logical next step is for the miners leaving the biggest chain to concentrate on a chain where they can successfully pull off the same attack that just drove them away, and on down the line until all chains have been taken over by one large participant each.
The steady-state is a reduction in mining activity across all public blockchains by ~50% or so, although that's probably an upper bound that wouldn't actually be reached.
Based on a quick first read, and ignoring numerous important details, the main argument boils down to this: "mining" costs (i.e., the computational and other costs of processing transactions) in the network must be greater than the profits that could be obtained by compromising or sabotaging the network. Otherwise, it becomes profitable to compromise or sabotage the network. For example, if the cost of mining is lower than the one-time profit that could be made by betting a large sum against the price, it becomes profitable to bet such a large sum against the price and then investing a smaller sum necessary to acquire a majority of the computing power to sabotage the network.
This is correct... but only if there is a zero-profit condition among miners -- i.e., if the Bitcoin network behaves like a standard theoretical rent-seeking tournament that reaches and settles into a classical equilibrium, instead of behaving like a distributed transaction processing network that produces profits for the parties that process transactions (AKA "miners"). I have not seen a good study (or actually any study) on the profitability of miners, but many miners claim to be making money by processing transactions!
If mining is profitable, as miners claim, we have to add another condition: the net present value of the profits that could be obtained from compromising or sabotaging the network would need to exceed the net present value of the profits that could be obtained in perpetuity from behaving honestly. If the value of the profits that could be obtained in perpetuity by behaving honestly are greater, there would be no incentive to compromise or sabotage the network.
Those are my initial thoughts, based on a quick first read. But I'm barely doing justice to the paper, which I found to be well-written and easy-to-follow. I've downloaded it to read it (and think about it) more carefully.
Highly recommended reading if you have an interest in cryptoassets!
> If mining is profitable, as miners claim, we have to add another condition: the net present value of the profits that could be obtained from compromising or sabotaging the network would need to exceed the net present value of the profits that could be obtained in perpetuity from behaving honestly.
This is really why I don't think that 51% attacks are a problem for Bitcoin (and only Bitcoin). As soon as one is shown, the network's value will be destroyed. And if you're already on the gravy train through cheap power and cheap asics, why would you give that up?
> As soon as one is shown, the network's value will be destroyed.
I don't believe this to be accurate statement. Looking at two other cryptocurrencies -- Verge and Bitcoin Gold -- which have undergone 51% attacks, neither of them have experienced a collapse in value as a result.
It seems that the institutional banking industry is taking note of cryptocurrencies as a potential threat. And so there is an incentive there by some players to want to destroy coins without direct reward. But even this scenario is I think somewhat guarded against. Attacks on networks are completely visible to everybody. In light of an attack, a network could be forked, illicit transactions rolled back, a new proof method adopted if necessary, but otherwise keep the entire ledger intact. And indeed if/when this happens, there will likely be numerous forks that try to become the new standard. And this could actually end up being, in net effect, profitable for holders.
Think about Bitcoin vs Bitcoin Cash. Bitcoin Cash was a somewhat controversial fork that some feared would split Bitcoin to unknown effect, but in the end it's only effect was giving all bitcoin holders an additional $754/coin (price as of today). In a time when a network was compromised, there would be a large market incentive to takeup the forks which would send their prices skyrocketing. Coins may end up being like the hydra. You slice off one head only for 10 to take its place. In a way this seems to be true of decentralized systems in general. Each time e.g. a major torrent site is taken offline, a dozen more come to try to fill that vacuum that's been created.
You could make secondary money by first selling all the ASICs that is needed to do the 51% attack, but before delivery you execute the attack, making the ASICs you will deliver next week worthless.
IIRC all mining ASICs have been continuously sold out throughout the history of mining; this can explain profitability if miners are trying to drive the market towards equilibrium but there isn't enough supply. But even if mining is profitable today, miners might discount the NPV of future profits due to various massive risks (like the price dropping 70%).
> we have to add another condition: the net present value of the profits that could be obtained from compromising or sabotaging the network would need to exceed the net present value of the profits that could be obtained in perpetuity from behaving honestly.
I think you have hidden one interesting assumption there. You assume there exists a relatively low upper limit for the interest rate used in npv calculations for all investors. In other words, if there is even one investor at any point of time that needs the money really badly very soon, your argument breaks down.
The author claims Satoshi Nakamoto's vision was that miners would use repurposable chips ("one-CPU-one-vote") but this is false. Satoshi correctly envisioned mining farm would eventually use specialized hardware:
There was a paper last week pointing out how cost effective 51% attacks are on the lesser cryptocurrencies.
Proof of work has become very expensive. Proof of stake has another set of problems.
How about proof of geographical distribution? If each node had to be a minimum physical distance from another node, that would put a big crimp into mining farms.
Distance can be verified. You can use speed of light lag to verify that two nodes are not further apart than some distance. So set up a mesh network. If you claim to be at a location, others in the mesh can verify that it's roughly correct by pinging it and measuring the round trip time. You can fake a longer distance, but not a shorter one. You might be able to do something in the WiFi bands in the 100m - 1KM range. Require that each node be at least a few hundred meters from any other node. Give an advantage to suburbs and rural areas.
Interesting article. Related, this site attempts to track the cost of majority hash power for various blockchains, and how much is rent-able via NiceHash.
This reminds me of another paper about proof-of-work blockchains called The Blockchain Folk Theorem [0], which has a similar conclusion (aside from the main conclusions):
> Another issue relates to the negative externalities arising in proof-of-work blockchains. First, as shown above, when choosing individually optimal computing capacity, miners fail to internalise the negative externality their investment generates for other miners by increasing difficulty. This implies that equilibrium capacity acquisition in proof-of-work mining is excessive. Second, proof-of-work mining generates greenhouse-effect negative externalities, whose order of magnitude is significant. As of January 2018, the electricity consumed for Bitcoin mining was equal to the electricity consumption of over 3,400,000 US households, with an average consumption per transaction of around 300 KWh. Pigovian taxation could curb overinvestment in mining, but it might also be difficult to put in place, given the international decentralisation of mining.
The crux of the below paper, though, is that actual game theory shows that miners are incentivized to create and persist alternative histories of the blockchain, thus jeopardizing the blockchain's key function, that is to produce a stable and immutable history of transactions. We've seen this in practice with the dozens of Bitcoin forks and with Ethereum Classic, and how unstable exchanges were during the forking process (eg. lost customer funds, double spending, replay attacks, etc.).
While the attacker A is racing to build a heavier chain than honest miners H, A is not profiting, on the contrary. He must hold the costs until he finishes the race for the next B blocks.
If A was honest beforehand, everyone will notice the higher delay for block mining. Two things follows:
(1) B could easily increase, since those would be "dangerous times".
(2) Mining-related investors on standby may jump-in and participate, increasing H since.. A's hashrate would suddenly vanish on the public's perspective.
So while A is eating [temporary] loss, other miners are eating [temporary] profit from block rewards (since equilibrium was assumed). B (for particular receivers, those involved in high-valued transactions) may be arbitrarily increasing while the mining delay is unstable. THat instability would reduce while other participants enter the mining game.
But for how long would A hold it's [temporary] loss?
Also, if and after he wins the race, it's not like people can't ignore his chain with a temporary hard-fork. If they do ignore it for a while, sooner or later A's chain must get weaker, and that temporary hard-fork could be erased.
For the incentives for such temp hard-fork.. remember those temporary profit and temporary loss during the race period? The attacker would need to happily turn his losses into other miners losses, and their profits into his profit (regarding block rewards). Also, standard users could be, very, negatively impacted by such chain change. This impact could be reduced if the attacker replicated the transactions in his private chain while racing, but some transactions may be specific to the block height, so.. to replicate the transactions, he can't be much faster than H chain.
So counting the chances of investors coming into mining field, temporary losses that could least longer than expected due to block mining instability, the possibility of a temporary fork..
I mean, I didn't get the paper's math nor read it fully, but I think that there are more variables.
I think we should be specific about the time scale here. In the case of Bitcoin a 6-confirmation double spend would only take 2-3 hours which doesn't leave much time for the community to even notice, let alone coordinate a response. I won't even consider the case where the community has been force-fed a "never ever hard fork ever under any circumstances" message.
You can't assume that equilibrium holds since the difficulty only adjusts every two weeks. (Even in cryptocurrencies with continuous difficulty adjustment, 51% of the hashrate missing for 2-3 hours would not cause a noticeable drop.) Because the difficulty does not adjust during the attack, honest miners would be producing blocks at half rate (every 20 minutes) and thus would still appear to get their fair share of the block reward; they wouldn't get more.
For ASIC-based cryptocurrencies I don't think there's much if any hashrate sitting on the sidelines and the attack would probably be over by the time miners noticed.
Yes, you are correct. New miners should not appear until difficulty recalculation. But given this fact, depending on the intensity of the block mining rate change and how far the next recalculation is, the network could easily notice such changes. I don't just mean they "could", but they probably "would" as well. The world's economy heartbeat h-a-l-v-i-n-g 6 times in a row? (this drama is how critical I think that would be)
I don't know if an effective and immediate response could be taken place, but this sort of monitoring could be anticipated, and also, they would probably store the old chain's backup (just in case). I mean that if they do a rapid decision, it's not necessarily final (although this would cost the whole world economy a lot).
Only newcomers fullnodes, during the racing period, couldn't know which chain actually appeared first, but all other fullnodes and miners do know which one did, and that the alternative chain came at once and out of nowhere. This is an easy target for an "temporary chain force-choosing" algorithm. And again, this could be coded before the attack -try itself.
So I don't mean that this surely would be a "forced" (rushed) code-fork. On the other hand, without such a thing, everyone would enter a rushed data-fork, which probably will also be viewed as something risky and some costs may be applied (prepared in antecedence).
You are assuming that A was acting as a good faith miner before the attack, they could have been a non participant or be continuing their regular mining as well as their attack.
I found this to be very interesting. FWIW the author Eric Budish is one of the top economic theorists. Whether or not that means you should trust his analysis is left as an exercise to the reader.
well to be honest you know what top Nobel economic laureates said about the internet so be careful of the "authorities" dipping their toes in unknown and groundbreaking technologies
This article is assumes that attacking a blockchain would be just the classical 51% attack scenario of bitcoin. Innovation from coins such as Decred show an evolution in blockchain technology that makes a 51% attack exceedingly more challenging to pull off.
"Apples to apples, Decred is 20x more expensive to attack than Bitcoin"
https://blog.usejournal.com/apples-to-apples-decred-is-20x-m...
It would be more convincing, or at least easier to take this comment in good faith, if you were to provide some part of your understanding of the innovation rather than to simply name drop a token and a link to a blog.
The paper does mention "But, the use of “stakes” instead of computational work may open new possibilities for thwarting
attacks, e.g., confiscation of an attacker’s stake".
It looks like Decred doesn't use slashing, so I don't know if it's accurate to include the size of stake in the cost of an attack since the attacker would still have that stake afterwards; the price might go down but it might not be much if people say "that wasn't my money that was stolen; I didn't see anything".
the document says that governments have bettrr ways than to spend money for this expensive luxury. But governments worldwide would never agree on a common platform and that is the innovation itself and the paper misses this important insight. Also let's all remember that this is a first itetation of a global innovation.
But there is a far more benign and profitable attack: collect all of the block reward. No need to tell anybody, and no need to upset users by double-spending. Business as usual.
In other words, establish a benevolent mining monopoly:
https://bitzuma.com/posts/bitcoins-end-game-the-benevolent-m...
The hash rate majority becomes an effective monopoly by censoring blocks from outside the cartel. The incentive is equal to half the block reward. If done properly and gradually, few users would notice. Nor would many care. Those who did would simply leave.
I suspect there's even a version of this attack in which a cartel makes public threats to censor blocks it disapproves of. This is, after all, what BIP-9 does:
https://github.com/bitcoin/bips/blob/master/bip-0009.mediawi...
Using this approach, a cartel may be able to leverage a hash rate below 50% to 100%.
There's some precedent for this with UASF. The hash rate of the group threatening to censor blocks there was quite small (certainly below 50%). Depending on who you talk to, the threat of block censorship by this group was enough to shut down segwit2x.