Cost of a 51% attack for different cryptocurrencies? (crypto51.app)
117 points by october_sky on Jan 27, 2020 | 128 comments



There is absolutely no way to 51% attack a major coin like Bitcoin for as little as $700k an hour. They are extrapolating from Nicehash's mining rental prices, but Nicehash doesn't have anything like the capacity you'd need.

You can see here[1] that nicehash has about 500 PH/s (500,000 TH/s) available for rent. However, Bitcoin's total hash rate right now is 100,000,000 TH/s[2]. This means that if you rented out the entire nicehash market, you'd have 0.5% of the hash rate you need.

Could you get the other 99.5% by buying lots of mining hardware? Theoretically yes, but realistically no. Bitmain is a major supplier of this kind of hardware, so let's use their prices as a reference. They're currently promoting a 67 TH/s unit for $1585 [3]. You would need more than 1.4 million of these units, at a cost of over $2.2 billion dollars. Not that any supplier can fill an order like that quickly.

And we haven't even gotten to the power and operations costs. You'd need dozens of huge data centers to run all this hardware, each one consuming astronomical amounts of electricity. You'd probably pick your data center locations based on availability of cheap power and labor, and you'd become a major commercial presence in each of those towns. The local papers would have photos of you shaking hands with the mayor as your data centers open up. Everyone would know what you're doing, including the FBI.

[1] https://www.nicehash.com/my/marketplace/SHA256
[2] https://www.blockchain.com/en/charts/hash-rate
[3] https://shop.bitmain.com/product/detail?pid=0002020011715132...


> There is absolutely no way to 51% attack a major coin like Bitcoin for as little as $700k an hour. They are extrapolating from Nicehash's mining rental prices, but Nicehash doesn't have anything like the capacity you'd need.

You are correct - the nicehash-able column represents the amount of necessary hash power that is available via nicehash. If it's below 100% the attack cost is also greyed out.

Disclaimer: I build crypto51.


The grey you picked is pretty hard to distinguish from the black. The italics are nice though. Maybe add a little icon like this "no power" one: https://thenounproject.com/term/no-power/632253/


Nicehash has 0.99% of what you need to have 51% of the hashrate, not 0.5%. But that's still too tiny.

However.

You don't need 51% of the hashes to have the longest chain. The longest chain is a lottery. If you had 25% of the TH/s out there, there are 3x as many hashes you don't control as do. The odds are 1:3 that you will still find the next hash. If that weren't the case, there'd be no point at all in me having .0001% of the TH/s. I'd be better off setting the money on fire to heat my house.

Bitcoin doesn't have a consensus algorithm on two counts. The obvious one is that everyone takes the longest chain, regardless of whether everyone already agreed to a shorter chain. In Raft, your history can roll back if there's a partition. In Bitcoin, things can be rolled back even if everyone is online. I need one attack (rewrite history), not two (rewrite history + DOS attack), and because of that, nobody but my pocketbook notices if I try and fail.

The second one is that there is no consensus on what transactions to include in the next hash. Any hasher could blacklist transactions that are unfavorable to them without really affecting their odds of finding the next hash. I think it's assumed that it's not in the interest of either mining hardware owners or frequent cryptocurrency spenders to do this, as they would destabilize their own investment. That only borrowed hardware would be used that way, and on short bursts of purchases. But is that really true? Or is there a zero-day attack out there already being used or waiting to be found?

I'm thinking of the epic embezzling scandals that have turned up. How many people out there were never caught, or were insufficiently prosecuted? Employees are usually subject to the laws where the office is located. These people could be on the other side of the world.


If you had 1/4 the hash power, it's true that you have 1/4 chance of creating a block before anyone else, but to be clear, doing that once isn't enough to do a double-spend attack of a transaction with some N confirmations (usually people would aim for N=6). There's only a 2% chance an individual attempt would pull that off for 6 confirmations in a row when using 1/4 the global hash power, and the whole time you're attempting this, your hash power isn't making money mining unless you succeed. On average, you would make $144,000 just from the block rewards from mining for that much time with 1/4 global hashpower, so the expected number of failures is very expensive in opportunity costs. If I'm doing probability right, then at a 2% chance, you could expect to fail about 25 times on average before succeeding, so 25 failures adds up to $3.6 million of expected opportunity cost. (This isn't counting the cost of acquiring 1/4 global hashpower to begin with.) You would have to double-spend a lot of transactions to make that worth it, and people are probably going to wait for more than 6 confirmations on bigger transactions, which means a much larger attack would have to be done to target those.
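The comment above reasons about the chance of overtaking 6 confirmations with a quarter of the hash power and the opportunity cost of the failed attempts. As an added example (not from the thread), here is the catch-up probability from section 11 of the Bitcoin whitepaper, the expected-failure and opportunity-cost arithmetic built on it, and the defender's inverse question (how many confirmations to wait for at a given risk). The honest income per attempt is a parameter you supply, not a figure taken from the comment.

```python
"""Attacker catch-up probability (Bitcoin whitepaper, section 11) and its cost.

Added example, not from the thread. An attacker with hash share q secretly
mines a rival chain while the honest chain gains z confirmations; the
question is how often the attacker ever catches up, and what the failed
attempts cost in foregone honest mining.
"""
import math


def catchup_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash share q ever overtakes a chain z blocks ahead.

    Whitepaper formula: while the honest side mines z blocks, the attacker's
    progress k is Poisson with mean z*q/p, and a remaining gap of z-k blocks is
    closed with probability (q/p)^(z-k). Sum over k, take the complement.
    """
    if not 0.0 < q < 0.5:
        raise ValueError("model assumes a minority attacker: 0 < q < 0.5")
    p = 1.0 - q
    lam = z * q / p
    p_never = 0.0                      # probability the attacker never catches up
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        p_never += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - p_never


def expected_failures_before_success(prob: float) -> float:
    """Mean number of failed attempts before the first success when each attempt
    succeeds independently with probability prob (geometric distribution)."""
    return (1.0 - prob) / prob


def expected_opportunity_cost(q: float, z: int, honest_income_per_attempt: float) -> float:
    """Foregone honest mining income summed over the expected failed attempts.

    honest_income_per_attempt is what hash share q would have earned by mining
    honestly for the duration of one attempt (about z block intervals); it is a
    parameter you supply, not a figure taken from the thread.
    """
    failures = expected_failures_before_success(catchup_probability(q, z))
    return failures * honest_income_per_attempt


def confirmations_for_risk(q: float, max_prob: float) -> int:
    """Defender's inverse: smallest z whose catch-up probability is at most max_prob."""
    z = 0
    while catchup_probability(q, z) > max_prob:
        z += 1
    return z


if __name__ == "__main__":
    for q, z in [(0.1, 5), (0.25, 6), (0.3, 6)]:
        print(f"q={q:<5} z={z:<3} P(catch up)={catchup_probability(q, z):.4f}")
    print("expected failures before success at q=0.25, z=6:",
          round(expected_failures_before_success(catchup_probability(0.25, 6)), 1))
    print("confirmations for <0.1% risk at q=0.1:", confirmations_for_risk(0.1, 0.001))
```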


If you add opportunity cost and renting cost, you are double counting.

Assuming you can repeat your "totally legit" setup transactions until you succeed, with minimal cost other than rent, you would need to take more than either the opportunity cost (otherwise it's better to just mine), or the renting cost (otherwise you're still losing money).


Adding opportunity cost and renting cost isn't double counting.

Opportunity cost is the foregone block rewards that you lose because you didn't submit your blocks, because you were holding them hoping to build a long enough chain to double spend. When you fail, that reward that you would have earned is gone forever.

Renting cost is the actual $ outlay that it costs you to rent the hash power necessary to perform the attack.


So I have a fun thought. You can cantrip your ill-gotten coin into more compute. Assuming you could work your way up and own every exchange before anyone caught on (not realistic), could you work up enough funds to buy enough general cloud compute to overtake BTC?


Why are you assuming that hashrate would be obtained legally?

If you're already assuming criminality, go all out! BGP route hijack the unencrypted, unauthenticated mining traffic and call it your own.

Cost is basically nothing to do so, other than some jail time.


Can you clarify what you mean by hijacking mining traffic? If you mean the traffic of mining pools communicating their solutions to the pool's "mother brain", those are already cryptographically attached to a solution that pays out to specified addresses. You can't substitute the transactions in the block/solution without redoing the PoW.

That's why miners can't steal a pool's solutions to begin with.


All miners connect to pools using a protocol called stratum. This is JSON piped over TCP with newline terminations. There is no authentication for this protocol and no encryption. You can simply intercept the communication here and have all the miners on a pool actually mine for your replacement pool, and nobody will ever catch on until it's far too late.

> If you mean the traffic of mining pools communicating their solutions to the pool's "mother brain", those are already cryptographically attached to a solution that pays out to specified addresses.

That's not correct in practice. There's no authentication of the work going to the miner at all, so an attacker can just change the destination before the miner even sees the work.


When I was toying around with mining some alt coins with GPUs a few years back, I had the thought, when joining a mining pool on, say, supernova: what is to prevent someone from doing an attack and convincing the pool to send my coins to them instead, at a level 'under the hood' and beyond my understanding? Or get the entire pool to act in a way that is for their own personal gain.

I know there had been guides on how to set up your mining rigs, set up the batch files etc. These were all guides written by other people and I could see how in this newly created space there was room for nefarious actors to try to convince people to mine in a pool, but not give them the rewards they deserved, or scam them in some other way.

I also thought about someone hacking entire pools' hash-rates to be used for their own purposes rather than trying to figure out the next block on whatever chain it was running. This would allow someone to 'steal' the hash power of expensive rigs and redirect the power to their own wallets.

My understanding of all these protocols is very limited to what is regurgitated from others. When it comes to reading the bitcoin whitepaper I was only able to comprehend up until section 11 on page 6 where it got into the calculations, at which point I got lost as I am not that good at math.

Thank you for the insight.


If you kept all of the coins from a pool, you'd be caught.

But would I ever know if you lied about the pool's GH/s rate and kept half of the coins?


You can probably assume that most pools are skimming or cheating in some way, they'd never be caught.


Not going to claim they aren't skimming, but is it not possible to calculate expected number of blocks from declared GH/s, expected earnings from user provided MH/s and tell if the pool is excessively "unlucky"?


Yeah I thought of that too after posting. I think it comes down to how transparent the pool is with their data.

The obvious thing to do would be to tell everyone that my 500 GH/s pool is 400 GH/s, and reward everyone an 80% share on every hash. If you're sophisticated enough you might notice that my pool is mining blocks about 25% above what you'd expect, but how many data points do you need for that, and it's statistical, so I'll have runs of good or bad luck.

Another option is to dilute the pool of contributors, but again you might be able to detect that either I'm misreporting your hash rate, or the sum of all contributions doesn't line up.

Assuming I give you enough tools to figure any of this out.


If you report the pool's hash rate as lower, the users should demand a higher fair share, as they know their own hash rate.

Either way, if a user knows his hash rate, he can calculate expected earnings and their presumed share. You could fudge a bit, but go too much, especially on a large pool, and it will be apparent. There are probably lots of users doing calculations, willing to call you out.


> If you report the pool's hash rate as lower

err, right. If you want to convince people they're getting a fair share, you have to downplay their contributions, and since they know what they did you have to make the pool bigger, not smaller. How long would it take to notice someone was fluffing the pool by 10%?


The variance month to month is far higher than that for most pools. Nobody would ever notice, trust me.


Yeah that’s what I meant by the statistical comment.

My hardest class in college was statistics, and mostly I learned that humans suck at them.

I was binging math videos recently and I got to one where one guy made a list of “random” heads or tails, and then the other guy guessed them and got like 60% right. He was disappointed because he often does better.

Humans, he asserted, will never write more than 3 (or was it 4?) heads in a row because they feel they aren’t random enough. And because of this, over half of the possible patterns are never seen.

Which is also why, when a test is failing 10% of the time, my coworker who thinks he just fixed it will run the new version five, ten times and claim victory... only for it to fail four times in a row the next day.


Okay I see what you mean about replacing the work assignments going to the miners -- if you could tell them to solve a different block/fingerprint (hash of new block + previous block) and receive their output, then you can steal their hashing power. But I'm still not sure what you mean here:

>>If you mean the traffic of mining pools communicating their solutions to the pool's "mother brain", those are already cryptographically attached to a solution that pays out to specified addresses.

>That's not correct in practice. There's no authentication of the work going to the miner at all, so an attacker can just change the destination before the miner even sees the work.

I was referring here to the solutions the miners send out. That does not need to be authenticated because it's already attached to the block they were solving for -- i.e. it is a proof of work valid only for a specific block. If they received the correct block and nonce range to check, then the solutions are useless to anyone else. Diverting their traffic would just reduce the mining pool's hash power, not give it to anyone else.

So yes, I see how you could steal the miner's hash power if you could replace the assignment the pool head was giving them, and then see the output, but I don't think it's correct to say that solutions are vulnerable to being stolen after getting the correct assignment "because they don't authenticate" -- the proof of work is only valid for that block, and so could only be destroyed, not stolen.


You're fundamentally missing the point somehow.

When you connect to a pool, you give them absolute trust over what you're mining using your hardware with the expectation that they will pay you for it later. In a route hijack, an attacker can replace the pool and announce their own work to you, and receive all results you produce. You cannot distinguish this from the normal behavior of the pool and will be robbed, and your work can be used to do whatever the attacker wishes.

The output of the work being loosely "authenticated" with the pool by virtue of the work being non-transferable is entirely orthogonal. Nobody is going to be taking that because it's worthless, as you correctly point out. They're going to replace the work that's sent to you in the first place, because that's what makes sense.


Pretty sure I'm not missing the point, because that's exactly what I said, in different words.

I specifically agreed that, if you can replace the assignment given to the miners ("replace the pool and announce their own work to you"), and see the output, then you can steal the work. It was in this paragraph:

>>Okay I see what you mean about replacing the work assignments going to the miners -- if you could tell them to solve a different block/fingerprint (hash of new block + previous block) and receive their output, then you can steal their hashing power.

That is an agreement with your:

>In a route hijack, an attacker can replace the pool and announce their own work to you, and receive all results you produce.

That is me communicating agreement that that's the attack that "makes sense" as in your sentence here:

>They're going to replace the work that's sent to you in the first place, because that's what makes sense.

I made my original because it sounded like you were saying a miner not (separately) authenticating their output to the pool would be an issue, which I now see you (always) agreed is orthogonal; my only objection in the follow-up was that your comment was addressing something different than I originally raised:

>>>That's not correct in practice. There's no authentication of the work going to the miner at all, so an attacker can just change the destination before the miner even sees the work.

>>I was referring here to the solutions the miners send out.

So, if I agree with you on every question of what and where the threat is and is not, and said so with slightly different words than you did, what point do you think I'm fundamentally missing?


(I am not informed about what the typical arrangement is to spread out the stochastic reward a pool earns over its members, so I am making no claims on this front)

But if the (non-principled) value of mining 20 blocks is 20 block rewards, then there we have the cost of buying 20 blocks (assuming miners non-ideologically sell out).

Assume they would not voluntarily sell out. Then any flaw in the pooling mechanism (by which miners dilute the rewards into a steady income) which allows 1) other work to be assigned to the miner 2) while still receiving their intended addresses, would allow an attacker who is able to hijack the work assignments to buy those 20 blocks for a price roughly on the order of ~ 20 block rewards, by 1) hijacking the work assignments 2) paying out the miners the correct expected amounts so that they hopefully don't notice.

Is that correct?


> You can simply intercept the communication here and have all the miners on a pool actually mine for your replacement pool, and nobody will ever catch on until its far too late.

Depending on what you consider far too late, doesn't the pool verify the solutions, and provide OOB statistics, where people would notice over time that they get 0 credits?


Yes. The response time to that will be much less than the time to perform an attack with that hash rate though. We’ve seen people mine for literally 4 months on a broken pool that produced no income before they noticed.


Poster is probably referencing this BGP attack on a mining pool.

"BGP Hijacking for Cryptocurrency Profit" - https://www.secureworks.com/research/bgp-hijacking-for-crypt...

An attack like this could be repurposed to perform reorgs with 51% of the mining power as the stratum pool server decides what previous block to mine on. No idea if mining pools or the stratum protocol have added countermeasures to prevent such an attack in the future.


> No idea if mining pools or the stratum protocol has added countermeasures to prevent such an attack in the future.

Not really. There's some discussion about Stratum2 having stronger authentication, and systems like BetterHash to take away a lot of the centralizing impacts of pools by having people create their own work, and only centralizing the payouts for that work. It's a bit of a challenge because there's such a huge range of hardware out there with incomplete implementations of stratum in closed source forks of mining software. You basically have to wait for it to just be obsolete and replaced because there will never be updates.


That's not how any of this works. There's no massive mining traffic. Most of the mining is done in private data centers. They only broadcast their transactions when they "solve" the hash.


These private mining datacenters typically get their block templates from pool servers. Miners communicate with the pool servers over the internet. Control the pool server, control the mining power.


This is exactly how it works! Most miners are connected to pools like slushpool, f2pool, etc over unencrypted and unauthenticated links. If you can modify this traffic you can steal the hashrate, because you can modify the work being sent to the miners before they do any hashing.
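The comments above describe stratum as unauthenticated newline-delimited JSON and point out that the job the pool sends fixes who gets paid. One thing a miner can do about that without any protocol change is to parse each job's coinbase and refuse work that pays anyone but the pool. Added example, not from the thread and not from any pool or mining software: the message layout is stratum v1's (`mining.notify` params `[job_id, prevhash, coinb1, coinb2, merkle_branch, version, nbits, ntime, clean_jobs]`, coinbase = coinb1 + extranonce1 + extranonce2 + coinb2); the scripts, nonces and JSON lines are constructed.

```python
"""Miner-side check that a stratum v1 job pays the pool's known payout script.

Added example, not from the thread and not from any pool or miner software.
Stratum v1 sends work as newline-delimited JSON; a mining.notify carries
params [job_id, prevhash, coinb1, coinb2, merkle_branch, version, nbits,
ntime, clean_jobs], and the coinbase transaction the miner will hash is
coinb1 + extranonce1 (from mining.subscribe) + extranonce2 + coinb2. Nothing
authenticates that message, so a miner that wants to notice a replaced job
has to look inside it. The messages and scripts below are constructed.
"""
from __future__ import annotations
import json

# Constructed sample values: a P2PKH script for the pool and one for an impostor.
POOL_SCRIPT = "76a914" + "11" * 20 + "88ac"
IMPOSTOR_SCRIPT = "76a914" + "22" * 20 + "88ac"
EXTRANONCE1 = "deadbeef"          # 4 bytes, handed out in the subscribe response
EXTRANONCE2_SIZE = 4
# coinb1: version, one input, null prevout, scriptSig length 12, block-height push
COINB1 = "01000000" + "01" + "00" * 32 + "ffffffff" + "0c" + "03a08601"


def build_coinb2(script_hex: str, value_sats: int) -> str:
    """Sequence, one output paying script_hex, locktime (constructed layout)."""
    script = bytes.fromhex(script_hex)
    return ("ffffffff" + "01" + value_sats.to_bytes(8, "little").hex()
            + bytes([len(script)]).hex() + script_hex + "00000000")


def sample_notify(coinb2_hex: str) -> str:
    """A constructed mining.notify line in the stratum v1 shape."""
    return json.dumps({"id": None, "method": "mining.notify", "params": [
        "job1", "00" * 32, COINB1, coinb2_hex, [], "20000000", "1d00ffff", "5e2e3d40", True]}) + "\n"


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def coinbase_outputs(coinbase: bytes) -> list[tuple[int, bytes]]:
    """Parse a coinbase tx (non-segwit serialization) into [(value_sats, scriptPubKey)]."""
    pos = 4                                       # version
    n_in, pos = read_varint(coinbase, pos)
    for _ in range(n_in):                         # a coinbase has exactly one input
        pos += 36                                 # prevout hash + index
        script_len, pos = read_varint(coinbase, pos)
        pos += script_len + 4                     # scriptSig + sequence
    n_out, pos = read_varint(coinbase, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(coinbase[pos:pos + 8], "little")
        script_len, pos = read_varint(coinbase, pos + 8)
        outputs.append((value, coinbase[pos:pos + script_len]))
        pos += script_len
    return outputs


def job_pays_only(notify_line: str, extranonce1_hex: str, extranonce2_size: int,
                  allowed_scripts_hex: set[str]) -> bool:
    """True if every value-carrying output of the job's coinbase pays an allowed script.

    Zero-value OP_RETURN outputs (e.g. a witness commitment) are ignored since
    they move no coins. extranonce2 is miner-chosen, so any value of the right
    size reconstructs the same outputs.
    """
    msg = json.loads(notify_line)
    if msg.get("method") != "mining.notify":
        raise ValueError("not a mining.notify message")
    coinb1, coinb2 = msg["params"][2], msg["params"][3]
    coinbase = (bytes.fromhex(coinb1) + bytes.fromhex(extranonce1_hex)
                + bytes(extranonce2_size) + bytes.fromhex(coinb2))
    paying = [(v, s) for v, s in coinbase_outputs(coinbase)
              if not (v == 0 and s[:1] == b"\x6a")]
    return bool(paying) and all(s.hex() in allowed_scripts_hex for _, s in paying)


def honest_job() -> str:
    return sample_notify(build_coinb2(POOL_SCRIPT, 625_000_000))


def replaced_job() -> str:
    """Same template, but the payout was rewritten in transit."""
    return sample_notify(build_coinb2(IMPOSTOR_SCRIPT, 625_000_000))


if __name__ == "__main__":
    allowed = {POOL_SCRIPT}
    print("honest job ok:  ", job_pays_only(honest_job(), EXTRANONCE1, EXTRANONCE2_SIZE, allowed))
    print("replaced job ok:", job_pays_only(replaced_job(), EXTRANONCE1, EXTRANONCE2_SIZE, allowed))
```

This catches a job whose payout was replaced; it does not catch a hijacker that keeps the pool's payout and only steers prevhash toward a reorg, which is the case the Stratum v2 authentication mentioned elsewhere in the thread is meant to close.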


Is it clear that an attack on a crypto currency would be illegal?

I suppose it might fall under wire fraud... Like some hacking does?


How about a malicious country/government that is capable of doing this?


Computational power is not a good proof of anything. It devours energy and disproportionately rewards weird market actors (like people with custom mines ASICs).

I always wondered whether storage could be used as proof of stake. It might use less energy and it probably will have much better effect on the IT industry as a whole. First, mining ASICs are not general computational devices and cannot be used for anything useful. On the other hand, storage is storage and can be repurposed. Second, it will up the prices for storage hardware, but that is probably a good thing in the long run. (Consider how super-cheap storage enabled unlimited surveillance and software bloat, for example.)

I don't know whether access to storage can solve all the problems a blockchain solves, but it can solve some. Like proving that you're a real actor in the system, rather than a temporary fake.

Some random ideas I had about how this could work:

If you want to transact with someone, they send you a challenge that consists of a set of addresses in a large file. You must respond with a hash of data at those addresses, probabilistically proving that you have the entire file.

This is the foundation. There are obvious challenges to how useful this is. Many of them are solvable.


There are some IPFS people who talk about proof of having stored files, but I was never satisfied with their fraud detection techniques.

Can you prove that one copy of your data is being stored? Yes.

Can you prove that three copies of your data are being stored? I haven't seen any scheme that can detect if I'm pretending to be multiple people, serving files from the same disk array over multiple network connections.


> Can you prove that three copies of your data are being stored?

In the context of IPFS, I'm not sure.

If you want to use the (crypto) network as distributed storage, you can shard and encrypt the data (at your 3x or whatever redundancy) and the storage provider is forced to store all of it, at least once.

Some incentives on data durability and availability may be enough to get a reasonable baseline.


If I didn't care how complicated the client is, sure.

I can do something reminiscent of "m of n" control tools, FEC or striping algorithms, but now the client is doing multiple fetches and matrix multiplication on every single request.

If I'm just trying to make sure there are 3 copies of my home page on IPFS, then I need 3 copies of the same file in three locations. And those locations all need to be online when I want to challenge them.

The Bitcoin protocol is designed around low availability of individual nodes and inference of consensus. Any 'proof' has to be uploaded while you're connected. Uploading a proof (of work, stake, whatever) to the network proves you did something, there is no need to challenge that fact, and you can disappear for hours or forever. No voting, no challenges.

Proof of storage requires challenges, which requires availability (well, storage also requires availability, otherwise what's the point?). If you insist that almost everyone is online, then you open the door to other consensus algorithms. Ones that can, for instance, handle non-repudiation.


I wasn't thinking of IPFS, rather a way to have a proof-of-stake storage system doing actually useful work. I think I've seen at least one, though I'm not sure of its current state.


The question is not whether it's possible to pretend to be multiple people. The question is whether storing a large file places some fundamental restriction on how much activity a node can conduct on the network. (I.e. is there a cost of doing business that limits you from just spamming transactions at a nearly infinite rate.)


> Computational power is not a good proof of anything. It devours energy and disproportionately rewards weird market actors (like people with custom mines ASICs).

It's literally what it says it is, proof of work. Consumption of electrical power in a way that can't be re-used for anything else.

> If you want to transact with someone, they send you a challenge that consists of a set of addresses in a large file. You must respond with a hash of data at those addresses, probabilistically proving that you have the entire file.

I'll cheat by making my "large file" the output of a PRNG, meaning I don't have to store any of it, but other people do because they don't know the seed.


> I'll cheat by making my "large file" the output of a PRNG, meaning I don't have to store any of it, but other people do because they don't know the seed.

This will work, but only until the file is sufficiently changed/expanded by the network as the result of transactions.

(I probably should have said it explicitly: the file would be shared by all participants.)

You can also generate the file by recording something random everyone can observe, like records of a stock market, temperature of some location, etc. I don't see any reason it would have to be perfectly, cryptographically random.

And yes, a single participant could "help" other nodes by responding to challenges instead of them. But think about the economics of how that would work over time.

I'm not saying that what I described is a full, working, tamper-proof protocol, but I think something interesting can be built based on the core idea.
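The offset-challenge scheme sketched above and the PRNG objection to it, as an added example (not from the thread; all data is constructed). It shows an honest prover and a seed-only prover both passing when the prover picked the file, and the seed-only prover failing once the challenged bytes are fixed by something outside its control, which is the design constraint the scheme needs.

```python
"""Challenge-response proof of storage as sketched above, and why a
prover-chosen file defeats it.

Added example, not from the thread. The verifier sends random chunk offsets
plus a fresh nonce; the prover answers with a hash over the data at those
offsets. A prover that chose its own file as PRNG output needs only the seed.
Sample data below is constructed.
"""
import hashlib
import hmac
import os
import secrets
from typing import Callable

CHUNK = 64                         # bytes returned per challenged offset


def make_challenge(file_size: int, n_offsets: int) -> dict:
    """Verifier side: random chunk-aligned offsets and a nonce so answers cannot be replayed."""
    n_chunks = file_size // CHUNK
    return {"nonce": secrets.token_bytes(16).hex(),
            "offsets": [secrets.randbelow(n_chunks) * CHUNK for _ in range(n_offsets)]}


def respond(read_chunk: Callable[[int], bytes], challenge: dict) -> str:
    """Prover side: H(nonce || offset || chunk || ...) over the challenged offsets."""
    h = hashlib.sha256(bytes.fromhex(challenge["nonce"]))
    for off in challenge["offsets"]:
        h.update(off.to_bytes(8, "big"))
        h.update(read_chunk(off))
    return h.hexdigest()


def verify(reference: bytes, challenge: dict, response: str) -> bool:
    """Verifier recomputes the answer from its own copy of the file."""
    expected = respond(lambda off: reference[off:off + CHUNK], challenge)
    return hmac.compare_digest(expected, response)


def honest_prover(data: bytes) -> Callable[[int], bytes]:
    return lambda off: data[off:off + CHUNK]


def partial_prover(data: bytes, kept_bytes: int) -> Callable[[int], bytes]:
    """Keeps only the first kept_bytes; answers zeros for the rest."""
    return lambda off: data[off:off + CHUNK] if off + CHUNK <= kept_bytes else bytes(CHUNK)


def prng_chunk(seed: bytes, off: int) -> bytes:
    """The 'large file' as a function of a seed: chunk at off = H(seed || off), stretched to CHUNK."""
    block = hashlib.sha256(seed + off.to_bytes(8, "big")).digest()
    return (block * (CHUNK // len(block) + 1))[:CHUNK]


def prng_file(seed: bytes, size: int) -> bytes:
    return b"".join(prng_chunk(seed, off) for off in range(0, size, CHUNK))


def seed_only_prover(seed: bytes) -> Callable[[int], bytes]:
    """Stores 32 bytes, yet answers every challenge on a prng_file correctly."""
    return lambda off: prng_chunk(seed, off)


if __name__ == "__main__":
    size = CHUNK * 1024
    chal = make_challenge(size, 8)
    seed = b"\x07" * 32
    chosen = prng_file(seed, size)          # file the prover picked itself
    fixed = os.urandom(size)                # file fixed by something the prover did not choose
    print("honest on chosen file:   ", verify(chosen, chal, respond(honest_prover(chosen), chal)))
    print("seed-only on chosen file:", verify(chosen, chal, respond(seed_only_prover(seed), chal)))
    print("seed-only on fixed file: ", verify(fixed, chal, respond(seed_only_prover(seed), chal)))
```

Even in its fixed-file form the check only proves possession of one copy at challenge time, which is the separate objection about three copies raised earlier in the thread.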


If you're capable of playing a long con, it costs much less than the stated dollar prices.

With Bitcoin, for example, a smart malicious actor could infiltrate the Core development team and through their social capital make certain malicious pull requests get merged. This way, if the chain ever splits (let's say, due to a bug you planted), you can actually also influence miners to hop onto a minor chain without you ever owning any hashing power!

To see how this is done, look at the 2013 Bitcoin fork and see how a couple developers steered large miners away from the majority chain: https://freedom-to-tinker.com/2015/07/28/analyzing-the-2013-...

The only counter-argument to this is how code reviews should catch this, but history has clearly shown that bugs (including supply-inflation-causing ones) make it into cryptocurrencies all the time: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposu...

Hash Rate is security theatre.


The double spend is only possible against a specific counter-party, for example an exchange or a merchant.

For very large value transfers exchanges are expected to wait for 100 confirmations (~17 hours) until they credit balance.

It's all probabilistic.

Finally, Bitcoin PoW is not security theatre, it is just one piece of the complex security system.


The most recent bug (that we know of) that allowed double-spend was in production for over a year [0] (~Sept 2017 to ~Sept 2018). I don't think it is possible to accurately determine the probability of this bug being exploited (because you are right, it is "all probabilistic"), but this inability to determine the probabilities is precisely why PoW is security theatre. PoW has always been painted as a mathematical model of the security of the system (see featured article), but in reality this model is not accounting for the much more realistic attack vectors. Hence it fails to be an accurate model.

If you're just saying that PoW isn't painting the whole picture, I agree with you.

[0] https://bitcoincore.org/en/2018/09/20/notice/


By definition, to execute a 51% attack on Bitcoin, you would need to buy computing power greater than 100% of the entire network's current computing power. In other words, you would single-handedly double the global demand for computing power in this market.

Is there enough supply readily available to satisfy a doubling of global demand? How much would it cost to bring such computing power online? How quickly could it be done? Wouldn't the price of computing power skyrocket?

EDIT: Meekro's comment elsewhere on this page makes essentially the same point in a more concrete manner: https://news.ycombinator.com/item?id=22161500 -- I think his comment is better; read it. Also, see bencxr's analogy with trying to control 51% of global oil supply: https://news.ycombinator.com/item?id=22161575


1) If a big crypto-community notices an attack, the cost of a 51% attack would rise

2) There are mechanisms to offer smaller cryptocurrencies Bitcoin level security, like Komodo's Delayed Proof of Work (https://komodoplatform.com/security-delayed-proof-of-work-dp...)


> If a big crypto-community notices an attack, the cost of a 51% attack would rise

Would it though, really? Why?

On the contrary, someone performing a 51% attack can and will freeze out all other miners, leaving them operating at a pure loss. If the attacker manages to keep up the attack, he will be able to bankrupt the competing miners, forcing them to turn off their hash power, and thus lowering the cost for himself.


The number of transactions that can be altered from a sustained 51% attack would be so few and recent (last 10 minutes) in comparison to cost that it makes it not worth it.


There are many more ways to make money off a 51% attack than just altering transactions.


Can someone ELI5 how these numbers fit together? It costs me $3/hr to 51% DeepOnion, which has a market cap of $1.95M. In practical terms, what does that mean?


The market cap does not fit into the equation of how an attack works; it just gives you an idea of how big or small this blockchain is.

Blockchains don't have a centralized entity to "validate" and secure each transaction, so they had to come up with a solution to do so securely in a decentralized manner... Most blockchains use Proof of Work to do so: to participate in the validation process you have to "pay" by working on some mathematical problem... If you control more than 50% of the working power you can "control" the validation process...

In the case of DeepOnion, it costs $3 to buy enough computing power to control the validation process for one hour (by controlling more than 50% of the working power). You can use it to rewrite some transactions and spend the same crypto twice.


But if it costs only $3 to break the system, how come the market cap is so high?


Because the volume of transactions for these currencies is too low for the market cap to mean anything. Imagine if there are, say, 1 million fancycoins in existence, all owned by me. I manage to convince you to buy one fancy coin for $1. Does it mean that I now have $999,999 left in fancycoins "market cap"? In theory maybe, in practice I'll almost certainly never manage to liquidate them at this price.

For these small coins like DeepOnion you'll crash the market completely if you try to sell even a moderate amount of coins. There's simply not enough demand to move a big amount of coins at this price.


Because the market cap of the tiny "currencies" is total bullshit and is based on two guys trading with each other, it's like me buying 0.0001% of your company for $1 and then you claiming it's worth $1M.

Bitcoin Gold is not seriously used by anyone.

The larger currencies are slightly more reasonable but even then the valuation is unhinged because, for example, a lot of Bitcoin has probably been permanently lost.


This is enough to do some double spending (= you won't get much here!)... if no one is noticing (if they notice they can increase the cost / decrease the reward).

I guess some people still think DeepOnion has potential in the future...


It feels surprisingly cheap.

Take bitcoin, a 105 billion cap can be subverted for just 700K per hour?

Not to mention DeepOnion for 3 bucks an hour. I can see people doing that just for lulz.


The thing is, what you can do with a 51% attack is very limited and the big services are probably going to be aware of it. Best case scenario is that you halt transactions for a few hours. This will cost a few million dollars with, maybe, no possible reward.

The next problem is that this calculation is based on the current hash-rate cost. However, you don't have that much hardware and it'll be close to impossible to rent half of the bitcoin mining rate. So such an attack will be orders of magnitude more expensive, if even possible.


You can do much better than that! The simplest way to profit from a 51% attack is to send some coins to a crypto exchange, wait for the required 'n' blocks to confirm your deposit, then 51% attack the chain to remove your original payment. At the same time, you can either withdraw your ill-gotten coins from the exchange, or trade them for something else and withdraw onto a different blockchain entirely.

This mechanism lets you double your money (minus the cost of the 51% attack).


But don't most exchanges have a bigger delay for withdrawing? In order to escape with anything, you would have to withdraw before the exchange was aware of the double-spend, and at that point, they'd freeze your account. The exchange might be on the hook for honoring the phantom coins other users think they bought, but you haven't profited. Am I missing something?


This would require funding, exchanging, and double spending all in the span of a few minutes.

The more confirmations you have to unwind, the more work you have to do to catch up with the long chain.

All that will happen is exchanges require a greater number of confirmations before allowing you to trade deposits.


All true, but it is exactly what happened in this latest attack!

And yes, reportedly exchanges have increased the number of confirmations required to confirm a deposit as a result. But it's too late for the ones who got ripped off by the double spend!


And most exchanges require numerous confirmations for this reason.


From my understanding this is not a 51% attack but rather a chain-rewrite, which requires significantly more hash rate than the bitcoin network has (which is why exchanges consider 3-6 confirmations as the safe number).


For all the big cryptocurrencies, the price assumes that you can buy unlimited hashing power if you have the money. That's obviously not true. Once you have rented all available hardware, having more money to spend won't help.

That's what the "NiceHash-able" column is for. To put it simply, if it is less than 100%, you are going to have trouble renting enough hashing power, and conducting the attack will be impossible in practice, or at least much more expensive than the listed price.


Andreas Antonopoulos offers sane advice on this...

https://www.youtube.com/watch?v=ncPyMUfNyVM


51% isn't all powerful. It would mean you could choose what transactions to process and you could potentially (and very visibly) reverse transactions that happen while you have that much hashing power. That's it, you can't transfer money to yourself.

Merchants who worry about reversing transactions are advised to wait for a few hours before transferring the thing of value; this reduces the ability for someone to deploy a 51% attack, and if they did, it would be pretty visible.


hn_throwaway_99's answer is interesting.

I would add that if an attack on bitcoin is detected, there would be some answer to it, and the actual cost of the attack would really rise.

There are also some complexities in getting your hands on enough material to do it for long enough...


The issue with saying how much a 51% attack "costs" is that ALL cryptocurrencies (and, really, ANY currency) are just based on the trust that the currency has "value", meaning that it would be accepted as payment for real goods and services.

A 51% attack on bitcoin would be easily noticeable. If a 51% attack was really "viable", it means that essentially bitcoin would have $0 value, because all of its value is based on the trust that the blockchain is real and verified. The community at large would essentially just ignore the rogue chain, or rather probably boost other existing resources to back it out.


How would the community collectively agree to ignore the rogue chain in a timely fashion? If a client announcement is sent out, that'd help, but there'd still be a lot of people stuck on the original chain (for example, some people on vacation or something). For at least a few days, there'd probably still be a lot of trust to capitalize on, and they could possibly get away with a few big heists (e.g. making a big purchase with BTC and then reversing the transaction after you've received the items).

Also, if the community does ignore the rogue chain, what's to stop the attackers from switching their attack to the other non-rogue chains as soon as they seem to gain traction? If they can hypothetically reliably sustain 51%+ power for weeks, they could potentially perform a DoS on an entire currency. And you're right, Bitcoin would probably soon reach close to $0 (though would probably slowly bounce back once/if the attack seems to be permanently thwarted).

If I'm understanding your last sentence right ("probably boost other existing resources to back it out"), then I also think that'd be the most likely scenario. A serious sustained 51% attack (lasting beyond several days) would turn into a Dragonball Z-like battle, with both sides firing continuous energy beams at each other in parallel. Each side would be trying to increase the magnitude of their beams to keep the other side's beam from collapsing theirs. I think the legitimate mining team would have a lot more energy in reserve (e.g. good samaritans who start mining for the first time to help push away the attackers - kind of like Goku's Spirit Bomb, which Frieza can't replicate) and would probably win. However, if for some reason the attackers can win for weeks at a time, then it'd be a serious DoS.

Disclaimer: I might be misunderstanding something important here. Not a cryptocurrency expert whatsoever.


So: Short a large amount of bitcoins, 51% attack until value plunges, earn massive amounts of money.

Of course, the problem with this is that there is no exchange that you can trust enough to actually do this.


These numbers are based off the current price of hashrate. As soon as you try to buy significant amounts for larger currencies like Bitcoin, the numbers skyrocket.

The nice-hashable column on the site shows how much hash power is available for purchase.

To read the page naively would be a little like claiming one could hoard 51% of the oil supply given today's price at the pump. In reality, as soon as you started buying in large quantities, the price would skyrocket (making that attack very much more costly), suppliers would cut you off, and others would notice.


I pointed this out elsewhere in this comment thread, but resurfacing here since it's perhaps not as clear as it should be: The attack cost is based on the extrapolated cost of attacking the given coin based on the current hashing price on nicehash. If < 100% of the necessary hashing power is available via nicehash, it's greyed out, and the nicehash-able column shows a value of < 100%.

Another caveat: It's potentially cheaper to attack these coins than the number shown on this site since you receive block rewards from the time period when you attack a coin. In a lot of cases this will recover a majority of the money you spend on the attack. That said, this isn't guaranteed, and you are forced to put up this amount of money in order to carry out the attack.

Disclaimer: I built crypto51 ~a year ago


Since it took a while for me to understand this: a 51% attack doesn’t let you steal money from anyone. It essentially lets you block all transactions from making it to the blockchain. Nodes will still verify all transactions and ignore transactions that are invalid.

Edit: you can also create multiple forks and switch between them. External viewers will see both forks and if they don’t or can’t handle the difference they could experience a double spend.

That being said, any miner has the ability to sort transactions any way they want, which can give them an advantage. So if someone has a lot of hashing power they can use that ability to delay certain transactions or to give preference to others.


> A 51% attack doesn’t let you steal money from anyone.

1. You deposit BTC at an exchange. The exchange credits you the amount in their non-BTC ledger.

2. You send off a chain of blocks overwriting the original deposit so that you never did it.

3. You fill in the form to withdraw your credited amount from the exchange.

Now you have 2x the coins.

Of course there are a LOT of details to this that I won't get into, and a number of mitigations for the exchange. But that's the basic outline.


Yeah exchanges and all other external systems need to handle this. Effectively they should look at the possibility of a deep reorg and the potential cost to them and use that to adjust how many transactions they require until the risk is mitigated.


A presumably legal and profitable 51% attack can be to simply ignore other miners. Effectively someone with 45% hashing power gets 45% of the block rewards + fees. However someone with 55% hash power can get 100% of the rewards plus fees, a significant bonus. Alternatively, double spends let someone sell the same coins to multiple people, though at legal risk for doing so, while also theoretically collecting all block rewards.

However, the largest risk is from the software side. The physical owner of the hardware spends money, a hacker only spends their opportunity costs.


> However someone with 55% hash power can get 100% of the rewards plus fees a significant bonus.

Note that, until the 2-week boundary where difficulty adjusts, they only get 100% of the roughly 45% less frequent rewards, since the 45% orphan rate will slow down overall progress.


If you can hash faster than everyone else combined you can re-write history. So you could make a transaction and then re-write that transaction out of history allowing you to spend that money again.

When you make a valid transaction, you have the necessary details for both that valid transaction and no transaction at all. Just because you can't make invalid transactions doesn't mean you can't effectively steal.

This is why lightning network is a shitshow, because you have to be constantly alert for that behaviour.


It’s an eventually consistent system, so you can defraud people who don’t take that into account. But internally it will always be consistent.


And by "don't take that into account" you mean "transact anything off chain" including other currencies, goods, services, etc.


You can transact off chain. You just have to calculate the likelihood that your transaction will go through, and adjust accordingly. The cost of a 51% attack for 24 hours is a lot higher than the cost for one hour, so if you wait for 24 hours the likelihood goes way up.


It does, however, allow "double spending" attacks. In such attacks the attacker first spends a coin to buy some real goods from the victim. She then launches a 51% attack on the blockchain and "rewrites" the ledger to remove the transaction to the victim. Now the attacker gets back her money, plus the goods from the victim.


Yeah, stores that accept cryptocurrency need to understand this, or use an underlying abstraction that does. Of course for most chains this would make transactions very slow, which is not good for commerce.


Stores that sell goods worth 700k in BTC?


My understanding is that the goal is double-spending. The attacker will make a transaction to a victim. The victim would be convinced it owns the coins, as the transaction appears in the chain. The attacker will then start mining a new chain (starting at a block before the transaction) which does not contain the transaction to the victim. If the attacker has enough computing power, it will be able to make the new chain the "official" one, invalidating the first chain.


Yeah. It's the part where they are convinced that is the actual double spend.


Or they can double spend some crypto, that is generally the main goal here


As far as the block chain is concerned they cannot. No single branch can have a double spend. But of course with deep reorgs they can defraud exchanges or other parties who end up on the wrong branch.


As far as the block chain is concerned they cannot... when they are not under attack. The attack can rewrite part of the history to double spend some crypto


They cannot rewrite history. But they can create multiple histories and switch between them.


As I recall, last time this was posted, Monero was still on this list. Now it is not. Did the new PoW algorithm for Monero essentially remove the 'rentable hashing power' available?


There are no ASICs known to work on Monero anymore. As a brief summary, the new algorithm (RandomX) uses a bespoke virtual machine that requires 2GB of memory, and programs are randomly generated until the opcodes take in an input (previous block hash) and have an output (new hash with required difficulty) that pass the requirements. It is very interesting.

https://github.com/tevador/RandomX


A GPU is an ASIC, which can mine RandomX. The idea that you could make something that's able to only be computed by a general purpose GPU, and not something more specialized, is just absurd. Even if that's just removing the unnecessary display hardware from the GPU and whatever parts of the shaders aren't being used, you still have an advantage.


GPUs actually have a significant disadvantage on RandomX. Their hashrate is much lower than what you'd get from a CPU.

Edit for more info:

https://monerobenchmarks.info/

According to this site, an overclocked Titan RTX gets about the same hash rate as a stock AMD FX8370E at nearly half the TDP.


Replace GPU with CPU in my answer. It applies to all of the algorithms in one way or another. ASIC resistant is an oxymoron.


ASIC-resistant specifically applies when you're talking about using ASICs as ASICs. If you're using ASICs to emulate CPUs (soft microprocessors), that is usually much less efficient than what the ASIC is capable of.


That sounds fantastically complex. I don't know anything about Monero but I'm already wary that there might be a way to hack the VM to spit out hashes without doing as much work as a stock VM.


Anyone know how to calculate the revenue side of these attacks? E.g. if it costs 700k to attack the bitcoin network for 1 hour, how much money could you make in that hour (say based on average transaction volumes)?


It depends. Roughly speaking the revenue is

(Largest transaction you can cash out at exchanges) * (1 - (The decrease in value of the currency you attacked)) + (Block rewards earned).

Basically you get someone to give you cash in return for your cryptoX and then the attack lets you undo the transaction that gave them the cryptoX (but you still have the cash you got). The second term handles the fact that the attack may have caused the value of cryptoX to decrease, which hurts you since you still hold the cryptoX you double spent.

This is an academic paper that looks into the details more closely https://faculty.chicagobooth.edu/eric.budish/research/Econom...


$705k per hour for Bitcoin - these numbers sound very expensive.

Do they take into account that during an attack the attacker will earn block rewards and transaction fees?

Because if not, then they vastly overestimate the costs.

This sounds like it is based on some energy price that would be needed to do 51% of Bitcoin's hashing.

Doing so could very well be profitable.

The reason it would be hard to do is that the attacker would have to gather a ton of hardware that way, way exceeds the energy costs.


I was actually shocked that it could be this low and thought it must be wrong. Other sources have suggested it would cost over $1B:

https://u.today/guides/blockchain/bitcoin-51-attack-how-it-w...

> The hash rate is currently about six exahashes per second. Considering the most efficient ASIC miner with a hash rate of about 13,000 GHS (using the SHA-256 algorithm) being sold for about $2,100, an attacker will require about 500,000 hardware units and this will amount to about $1,005,000,000. When we factor in the cost of electricity and cooling daily, this figure rises to $1,006,000,000.

https://cryptoslate.com/analysis-bitcoin-costs-1-4-billion-t...

> To successfully conduct a 51 percent attack on the Bitcoin network would cost an incredible $1.4 billion. This massive network supports over 5 million specialized ASIC mining computers, consuming a total of 29 Terawatt hours of electricity a year—as much as the entire country of Morocco. One of the underpinnings of the Bitcoin network is...

https://gobitcoin.io/tools/cost-51-attack/

> $17,562,078,097, Hardware cost only, at cheapest rate. The attack would consume 241,478,573.839 kWh per day. (12,073,928.692$ per day)


The calculations you cite and what the linked page computes are fundamentally different. The numbers you're citing are roughly what it would cost to buy hardware that would continuously be capable of mounting a 51% attack. The linked site is estimating how much it would cost to rent existing capacity to mount an hour-long 51% attack.


I think the site assumes you already have the hardware, and is just calculating the OpEx of the attack, not the CapEx. Like, if a major mining pool decided to 51% attack a coin.


I agree, it feels way too cheap to be true.


If you follow the 'about' link, it explains that any mining rewards are _not_ included, and that including them would reduce the cost 'somewhere around 80%' (not sure where that number is derived from but it sounds plausible).


There's no way I believe $705k would work. The company they're pricing that off of doesn't have the computational ability to run a 51% attack. I'd be interested to know how the entire power of the bitcoin network compares to say AWS or Azure?


AWS and Azure would be using CPUs, GPUs, and FPGAs, which have nowhere near the sort of speeds as dedicated hardware. It's something in the order of a trillion desktop CPUs to equal the same hashrate as the bitcoin network is currently.


For me, the numbers feel surprisingly "affordable". Is this list even correct?

I am not talking about my own pocket, but rich people or powerful entities. This is the cost of a military drone or something.

Imagine a nation adopting Bitcoin then another nation taking over that infrastructure.

We are talking about controlling the entire Bitcoin universe; everyone has to accept what the attacker considers "correct".


$705k/hr is so low as to be unbelievable. You need to at least temporarily out-compute everyone else in the world, and there's a lot of horsepower behind Bitcoin.


I thought it would be magnitudes more expensive, to the point where it would be unrealistic to even try. I thought that was the whole point with PoW.


Only if those blocks are accepted by the chain in the future. Zero-transaction blocks or blocks with invalid transactions could easily be ignored by the next miner.


Well, the reason for an attack is to reverse transactions. For that to have any value, the blocks must be accepted by the chain in the future.

And no, a miner cannot "easily" ignore previous blocks.

And blocks with invalid transactions get ignored by everyone anyhow.


Nah, the reason is to split the head of the chain for a period of time, and do different things in each chain. Then when one of the heads is declared "true", you gain advantage (typically you spend the same coins twice, once in each head).


You say "nah", but what you are describing is reversing a transaction, I don't see how that is disagreement.

From the POV of the recipient, when the split branch becomes the "non-true" branch, it looks like they got the money but then it disappeared.


If you are considering the recipient a human interpreting the results, then this is a failure of their wallet UI. The block chain is a tree not a log. The views that show it as a log are just showing you the statistically most likely outcome. If you look at the raw data you see all possibilities.


Hard to take this seriously when it is missing Garlicoin.


From their web sites, it sounds like some sort of Dogecoin remake?


QuarkChain QKC $6.01 M Ethash 10 GH/s $7 69,816%

So 7$ is the nicehash cost? But isn't nicehash an out of the box solution? So if I wanted to actually execute a 51% attack I'd have to deploy my own malicious mining software to the nodes, that then issued an invalid transaction and forced consensus on it ... is that the idea? Can someone who knows a little bit more about this fill me in?


I believe this is the basic idea. Let's say on QKC.

1. Buy a whole bunch of QKC and wait for your receipt of the QKC to clearly be part of the winning chain.

2. Make a copy of the blockchain. Keep it to yourself.

3. Start adding mining blocks* to your copy, in private; do not release your private copy of the chain at all, just keep piling on mining blocks. You must outpace the world's ('public chain') rate at which they are piling blocks on, hence why you need over 50% of total hashing power to do this and guarantee that your private copy ends up with more mining blocks than the public copy.

4. Whilst you are mining your own private copy, spend spend spend. Spend ALLLLL your QKC, getting goods and services in return, or simply other cryptocurrencies.

5. Eventually, when you've spent all your QKC and your private copy clearly has more mining blocks on it than the fork of the public chain everyone currently agrees upon... release it.

6. The protocols and papers all state that your erstwhile secret, private copy is now the new consensus view; after all, it has the most mining blocks on it.

7. That means that none of your QKC is actually spent. Effectively you get all your spent QKC back. In addition, whatever wallet has been doing all that mining just earned a bunch of QKC as a reward for doing all that mining effort, so you now have more QKC than you started with, AND you have all the goods (or other cryptocurrencies, or services, or whatnot) that you bought with your QKC whilst you were secretly mining.

Exactly how much time you need to spend all your QKC and ensure that your private copy of the chain definitely will win any consensus fight with any other fork is beyond my understanding of cryptocurrencies.

There are out-of-band mitigations possible; if it is abundantly clear what's going on and sufficient amounts of those who control major nodes all agree to just hardcode in their copy of the software that your chain, no matter how many blocks it has, is never selected as the consensus, then all your work is for naught. Ethereum has run into a variant of this problem (it wasn't a 51% attack but something else). Everything happened just as I write: the majority of ethereum network movers and shakers chatted on forums and the like and decided to update their software (and their personal 'belief' of which of the many forks is the consensus fork) to disregard the one where a lot of eth was 'stolen'. But not quite everybody; a few decided not to update their software and stick with the rule that the one with the most is the consensus. That is now called 'ethereum classic'.

*) Mining blocks are just blocks confirming all is well; they contain a proof of work which involves a random number added to the message. A mining block is valid if, when you hash it, the hash ends in a whole bunch of zeroes. The idea is that the only way to do this is to generate billions of random numbers, keep hashing the results, until you hit the jackpot and your hash ends up by sheer coincidence to end in the desired # of zeroes. At which point you publish this mining block on the chain. As part of doing that, the 'network' itself gives you some coin to pay you for your efforts, and the 'fork' that you put this block on is now more robust, in that the rule is that the consensus block is the one with the most mining blocks on it.
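The private-copy attack outlined in the comment above, together with the question raised earlier in the thread of how many confirmations an exchange should demand, as an added example that is not from the thread or from crypto51: a toy race between the public chain and the attacker's secret fork, plus the Bitcoin whitepaper's success-probability formula turned into a confirmation-depth check. The chain layout, hash shares, transaction labels and the 50-block give-up rule are assumptions made for the example.

```python
"""Added example, not code from crypto51 or any coin's software: a toy model of
the private-fork double spend described above, plus the confirmation-depth check
an exchange can run against it (the formula from section 11 of the Bitcoin
whitepaper).  The chain layout, hash shares, transaction labels and the
50-block give-up rule are constructed assumptions."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    miner: str   # "honest" or "attacker"
    txs: tuple   # transaction labels carried by the block


def simulate_attack(q: float, z: int, seed: int = 0, max_rounds: int = 100_000) -> dict:
    """Race between the public chain and the attacker's secret copy.  q is the
    attacker's hash share, z the blocks the exchange waits for on top of the
    deposit.  Each round one block is found, by the attacker with probability
    q.  The attacker's first private block spends the deposited coins
    elsewhere, so the deposit never exists on that fork; once the deposit is
    credited and the fork is longer, it is released and nodes reorg onto it."""
    rng = random.Random(seed)
    shared = [Block(h, "honest", ()) for h in range(3)]            # common history
    public = shared + [Block(3, "honest", ("deposit-to-exchange",))]
    private = list(shared)
    for _ in range(max_rounds):
        if rng.random() < q:
            txs = ("same-coins-spent-elsewhere",) if len(private) == 3 else ()
            private.append(Block(len(private), "attacker", txs))
        else:
            public.append(Block(len(public), "honest", ()))
        credited = len(public) - 4 >= z
        if credited and len(private) > len(public):
            return {"attacker_won": True, "public": public, "private": private,
                    "reorg_depth": len(public) - len(shared)}
        if len(public) - len(private) > 50:      # hopelessly behind: give up
            break
    return {"attacker_won": False, "public": public, "private": private,
            "reorg_depth": 0}


def _poisson(k: int, lam: float) -> float:
    """Poisson pmf in log space so depths of hundreds of blocks do not overflow."""
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with share q ever overtakes a chain that is
    z confirmations ahead, allowing for the head start it could have built in
    the meantime (the whitepaper's gambler's-ruin calculation)."""
    if q >= 0.5:
        return 1.0                  # a majority miner catches up eventually
    p = 1.0 - q
    lam = z * q / p                 # expected attacker blocks while honest mined z
    never_catch_up = sum(_poisson(k, lam) * (1.0 - (q / p) ** (z - k))
                         for k in range(z + 1))
    return 1.0 - never_catch_up


def confirmations_needed(q: float, max_risk: float, limit: int = 1000):
    """Smallest depth that keeps the double-spend risk <= max_risk against share
    q; None when no depth works (at q >= 0.5 waiting only delays the reorg)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45):
        print(f"attacker share {q}: wait {confirmations_needed(q, 0.001)} blocks for <0.1% risk")
    run = simulate_attack(0.6, z=6, seed=42)
    print("majority attacker won:", run["attacker_won"], "reorg depth:", run["reorg_depth"])
```

With a minority share the required depth grows quickly (5 blocks at 10%, 24 at 30%), and with a majority share no depth helps, which is the thread's point that exchanges can only raise confirmations against attackers who cannot actually sustain 51%.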


Also relevant, on the front page of HN today: Bitcoin Gold hit by 51% attacks, $72K in cryptocurrency double-spent

https://thenextweb.com/hardfork/2020/01/27/bitcoin-gold-51-p...


Interesting article on this topic:

https://blog.coinbase.com/how-coinbase-views-proof-of-work-s...

Also, Ethereum is transitioning to proof of stake which will make attacks much more expensive because an attacker must acquire large amounts of ETH for each attack.


51% attacks on most currencies are quite easy if you attack the mining pools. http://blog.kevmod.com/2019/01/pooljacking-easy-51-attacks-a...


How is Ripple doing these days? That one always interested me. It’s not on here.



seems like any nation state can easily afford to do this. we should be wary of any country that is heavily reliant on exports of ink and paper.


I feel like if someone can envision a motive attractive enough we have to assume that China has the plans in place to execute such an attack.


DASH's is incorrect. It has some protection against this vector of attack called "Chain Locks"

https://cryptobriefing.com/chainlocks-dash-network/


Would it work to somehow sabotage the other 49%?



