Cost of a 51% Attack for Different Cryptocurrencies (crypto51.app)
49 points by st_goliath on June 6, 2021 | 72 comments



The chart is misleading for most cryptocurrencies.

The "1h Attack Cost" is calculated from the rentable hashrate from NiceHash, but you should pay attention to the "NiceHash-able" column that says how much hash you can actually rent.

While you'd think you could attack Ethereum for only 1.5 million dollars, you can only rent 7% of that hashrate, so you can't get the required >50% you'd need to pull off the attack.


Couldn't you get additional power from various cloud computing places?


Requires machines with strong GPUs, which are probably very limited, even for big cloud providers. Also, using cloud hardware for mining is against most terms of service, and I guess they can figure it out and stop it fairly quickly.


Even if you cannot conveniently rent the required hardware from a provider, it still seems rather concerning that behemoths like Ethereum could be brought down rather easily with an investment of a few million dollars (especially by government actors for example).

Perhaps I misunderstand the table in the article or the impact of a 51% attack however.


They could not. Rent price on NiceHash is a market price. Even if it is not, when you'd try to buy the remaining 44% you'd have to turn to the market. Do you know what happens to the market price of something when you try to buy half of the worldwide supply?


For chains that have a broad adoption of validating nodes often called full nodes (check validity of produced blocks but not mining), a 51% attack is not enough because the bad blocks would not widely propagate. The bad blocks would be ignored.

This is why a reasonable size of the state, to allow many many to have affordable nodes which validate and check the rules, is so important. These are not the so-called miners, yet they are critical for the integrity of these distributed systems for preventing nation-state attacks.


It can't, this website is crap. Getting control of enough hardware to successfully attack Ethereum is going to be a multi billion dollar ordeal, and probably take 6+ months.


Those are some big claims without a shred of supporting evidence.


Let's assume your estimate is correct. Then this is still very possible for government or Elon Musk.


Government actor says hold my beer


> you can only rent 7% of that hashrate, so you can't get the required >50% you'd need to pull off the attack.

Is this 7% per customer or aggregate per blockchain? Ie could I set up a dozen or so companies to each have a few percent of NiceHash and obtain the 51% that way?


It's total availability from NiceHash per POW algorithm (some blockchains share the algorithm). If you want to get 51% you need to find it from somewhere else.


I see a lot of people saying that there aren't a lot of attacks that having a 51% enables. I'd like to understand that a little bit better. Are there markets where you can short-sell cryptocurrencies? If so, mightn't you be able to turn a good profit by shorting one of these smaller coins (say Quarkchain at $30/hour with a market cap of $116M), then launching a 51% attack for a week or two, in the hopes of tanking the coin's value? That would only cost you $5k per week.


Previous discussion from the posting of this site three years ago (including by the dev who built this website). Some of which covers the NiceHash topic and also other problems you're going to face when trying to do a 51% attack + profit out of it.

https://news.ycombinator.com/item?id=17173051


For the upcoming POS Ethereum chain (which is still being worked on!), the current cost is around $15 billion. And that increases as more stakers get online.

Vitalik Buterin just explained that a few days ago and provided that number.

So I'm very sceptical of these numbers on that website or I'm not able to parse what it tries to say.


A very different number for a 51% attack against a completely different consensus mechanism does not seem like it should provoke skepticism. Especially since resistance against 51% attacks is a specific benefit of that new mechanism. Are you proposing that the website plops down that $15B number for a consensus mechanism that isn't even operational yet?

(I think there are other things that are misleading, notably that it measures what Nicehash could do, but not all of its capacity is actually for rent at any given time.)


> which is still worked on

Sounds like any other IT project!


> For the upcoming POS Ethereum chain (which is still being worked on!), the current cost is around $15 billion.

Just curious, do we have an idea of how much Buterin himself holds?


A quick google search shows he has about 1B of ETH in his public address. About 333K ETH if you want the coin amount.


Thank you.

I wonder how he sleeps at night, given how juicy he is as a target for organized crime and North Korea. $1B + the benefit you'd get from shorting ethereum just before selling (and the collapse that would follow), sounds really appealing.


That’s a small sum for many nation states but good to know we only have to worry about nations or conspiracies. Do you have a link to more information about this?


https://beaconcha.in/

This is the Proof of Stake Ethereum explorer. There is over 5 M ETH staked at the moment, which gives the value given above at current market prices.

In truth, that's more of a lower bound because you would have to buy that same amount of ETH in the market which would raise the price.

Additionally, Ethereum's PoS algorithm contains slashing penalties that are used to burn the ETH of an attacker. So a 51% attack may occur once, the attacker then gets slashed, loses his stake and the chain continues without the attacker's stake. Read further: https://cointelegraph.com/news/vitalik-buterin-reveals-why-a...


As some point out, this is based on the price of buying hashing power from NiceHash, which in the case of Ethereum can at most cover 7% of Ethereum's hashing power. And costs are different if you need to buy/invest in the hardware to pull a 51% attack. Furthermore, even if you "could just rent more" you would be adding hashing power to the Ethereum network, increasing when 51% is hit as you don't replace hashing power, and then the more you buy the more "pricey" hashing power becomes... that is if you can even get the required amount of hashing power in current economics. (E.g. if Ethereum's current hashing power is 100 then you need >50 hashing power, but you need to get >50 hashing power OF that 100 hashing power; if you just add 50 hashing power you now have a total hashing power of 150 and as such need 75. So if you control 0 of the current hashing power and have no way to reduce that, you need to add >100% of the hashing power to control >50% of the final hashing power...).

The 51% attacks only allow double spend attacks, you can't "steal" money and the attacks sooner or later will be noticed and might be reversed.

Then even if you run a 51% attack it's still a crime in more or less any country, and controlling 51% of hashing power and staying truly anonymous isn't easy, given how much electricity and hardware PoW consumes. (But it's viable, though maybe only if you are state backed.)

The most feasible way to pull off a 51% attack on a larger network IMHO is by hacking multiple hashing pools.

Though, like the article mentions, it's a completely different thing for smaller networks. It also shows nicely why you need increasingly more hashing power the more value moves through your network (it's a counter argument to people defending PoW by saying you could just do more transactions per block).

It's also why some new chains which use PoS start out with "a farming game" where people already "stake" money before the cryptocurrency is worth any money (and get money based on that when "it goes live"). Because with that you can start with an already reasonably secure system.

> I'm not able to parse what it tries to say.

1. Small cryptocurrencies are not so secure (if not built on another chain).

2. PoW is not as great as some people make it out to be (IMHO PoW is a terrible solution but it probably was the best terrible solution when Bitcoin was made).

3. And I would add: PoW-based currencies' hashing cost and market value need to be in balance. (For PoS it's the staked amount and market value, which is IMHO easier to achieve as it doesn't require additional factors like access to hardware and cheap electricity.)


Would a 1 hour attack have any long-term effect though? Once the attack stops, won't the legitimate chain catch up to and surpass the one that contains the false transactions? If the only effect of the attack is to have some false transactions be on the dominant chain for a few hours, the damage isn't that much different than Visa being down for a few hours, so long as you are able to either detect that the attack is happening, or just always be aware you need to wait a few hours for things to fully settle.


Isn't the entire point of blockchain to automatically prove what the consensus is? If there is a fool-proof off-the-chain way to figure out which is the "legitimate" fork, what is the point of blockchain?


The legitimate fork will take over because honest nodes will reject the illegitimate one because it contains double-spends. So as long as the majority of nodes are honest it will eventually take over.


No fork can "contain double-spend". The idea of a double-spend is to spend once in two separate forks, e.g. taking back your money and spending it again even though you have received a service or good in exchange of it already.


Interesting, so basically no transactions are illegitimate they are just wiping out old ones by publishing a longer chain? In that case, could you protect yourself against an x hour attack by waiting x hours to consider a transaction confirmed?


Why is og bitcoin not on the list?


You can't rent that algorithm on the market they are calculating the spot rates for this from; you can come at this in another direction by asking "how much profit would I have to buy off of someone else to convince them to lend me their mining equipment", and we could quibble over whether that would provide more accurate results (I think it would), but I appreciate where the author of this site is coming from: this is how much it might cost to rent this much power off an existing open market for algorithms (which doesn't bother with Bitcoin as that is mined with specialized hardware and this kind of spot market doesn't apply very well).


That's not accurate. You can definitely buy hashing power for BTC on NiceHash[1]. Bitcoin is just SHA-256. The more likely explanation (given that this is the crypto space) is that the author is a BTC bagholder.

[1] https://www.nicehash.com/my/marketplace/SHA256


Bitcoin equipment is specialised to mining. You'd have to rent 51% of all mining equipment for an attack, at which point you would destroy the value of bitcoin and make the mining equipment you've just rented worthless. Why would anyone rent to you in that case?

So you'd have to buy the equipment, which is a gradual process, would be extremely expensive and would be noticed.


Destroying the value of Bitcoin seems like a nation-backed attack on cryptocurrency that at least a few countries might benefit from.


Bitcoin uses a SHA-256 hash algo, you definitely don't need specialized hardware to compute SHA-256 hashes. Yes, the competitive miners have ASICs which get you many more hashes per joule, but you can definitely rent hashing power that could 51% attack BTC without renting ASICs, it would just cost you more than if you could easily rent the most competitive hardware (obviously).


It's also more hashes per $1. If you are renting general purpose compute to beat ASIC compute you will need like a 50x advantage. That's probably more than a single AWS datacenter can provide.


I don't disagree, but the idea that you can't use the same methodology to determine a 51% attack price for Bitcoin is just wrong.

Indeed, back-of-the-napkin calculation with an order randomly picked from NiceHash[1] for Bitcoin mining and the same methodology gives:

Cost (PH/HR): 0.0002625 BTC

Bitcoin Network Hashrate (PH/HR): 9M

51% attack for one hour: 4.6M PH => 4.6M * 0.0002625 ~= 1200 BTC

So a one-hour long 51% on the bitcoin network would cost $43,200,000 at $36K per BTC, as per a NiceHash rate I randomly selected.

[1] https://www.nicehash.com/my/marketplace/SHA256


But that number is super misleading - you can't actually get that much compute from NiceHash, you would struggle to get that much compute even from AWS.

Your real costs are going to be much higher, it would probably take you more than an hour to spin it all up and execute the attack. I feel a realistic number is 10x to 100x higher.


Right, you can't get to 51% of the Ethereum network with NiceHash either, but it's still on this website, so...?


Wait $8 for a coin worth $52 million?

Out of interest why aren’t these attacks more common? (Not even for profit, even just for bragging rights)


Because the attack surface is low. You can only stop transactions from happening (by mining an empty block). You can’t change the past. Hence not worth it? Unless you can make a big purchase using the coin and then change history? There are still checkpoints implemented by clients, so forcing the network to go backwards might be hard. So yeah, POW doesn’t give you many attack scenarios after all.


This + the honest miners would just fork the chain. Your double spend would only apply on your fork. But before it even gets to that point anyone smart enough to get that much hash power up and running would realize it’s more profitable to simply honestly mine, because for a sufficiently mature coin you’ll be found out and forked off quickly.


If you want to do the double-spend really badly, would people actually react in time? Is there some precedent for the reaction time? Most big services wait for 3 confirmations, so assuming you find someone accepting 1 confirmation, the network has ~20min to revert to a different chain before a rollback is just not feasible. (For BTC anyway)


You wouldn’t have to roll back. It would become apparent to honest miners that there is an invalid block, and the chain would split with the dishonest blocks you mined in your version of the chain, and the honest blocks mined before the 51% attack started in another. It would be a hard fork, similar to the BTC / BCH split, where the nodes not following the protocol are on their own chain doing whatever they want, and the honest nodes carry on following the protocol as usual.

Edit(s): need more coffee.


Ok, so now I am a crypto exchange, which credited peoples' accounts based on expected safe finalization (which arguably doesn't exist: that's the core issue here... these kinds of services are arguably impossible); and your hard fork is effectively happening in the past which is unlike any normal hard fork (which is always scheduled in the future). The term "roll back" absolutely applies here.

FWIW, I expect most exchanges to grind to a complete halt upon noticing this much chain reorganization (enough to break their finalization assumptions) and so the entire ecosystem would have to sit around and figure out what to do manually, with different participants having noticed at different moments and with different losses due to already-spent debts... it would be a complete mess to repair.


But in the 51% attack (or at least in most cases of it) both blocks are completely valid. You're just racing your original spend with a pre-mined alternative and hope that the alternative will collect confirmations earlier. One of the blocks is dishonest only in outside world terms, not in data validity. I.e. an outside observer who doesn't know you doesn't know which spend is beneficial to you. Or am I missing something here?


In practice wouldn’t any fork mean that any and all transactions carried out in the response time are lost?

Or would you somehow rebuild those honest transactions? (I assume you can’t because of the chain). It’s pretty worrying if a 51% attack could happen, any transactions happening at the same time could be reverted, especially because there is no dispute resolution or guarantee that the person you traded with will resend the funds.


Sorry, but this is just plain wrong. We’re talking about the nature of 51% attacks. Who is to determine which are the valid transactions?


If miners picked a shortest chain over a longer one because they suspect a double-spend, wouldn't that make them dishonest vis-a-vis the blockchain rules? Isn't the entire point of proof-of-work that the longest chain can be trusted?


Well, the whole point of this is that you aren't having to do anything special to "get that much hash power up and running": you just rent it off NiceHash; all you provide is the cash. Responding to your attack with a network fork isn't going to happen in the course of an hour, so the issue is "can I convince someone to sell me something--or swap me money on a different chain--worth more than the cost of this attack".


It's not just convincing someone to buy from you - there has to be enough volume available on exchanges to fulfill your order. I posit this is the real reason why nobody has tried attacking low difficulty coins. You probably wouldn't be able to sell off enough coins to justify the total attack cost. Not to mention the coins have to actually be listed on an exchange in the first place, and whatever exchanges they are listed on have to be legally available within your country or else the government will steal your profits and throw you in jail anyways. And the exchanges have to be legitimate enough for you to consider doing business with them or else you'll get Mt. Gox'd ;)


Either I'm missing something big, or this site is.

It assumes you can rent this capacity via NiceHash, but the whole point of a 51% attack is to run _different code_ on the majority of nodes.

Surely NiceHash would rent you capacity running the vanilla e.g. Ethereum code, rather than your fork?

To assume otherwise basically makes NiceHash remote code execution as a service.


You're missing some details about how mining works. "Miners" don't produce blocks; they just do hashing; the mining pools generate the blocks. When you rent mining capacity from NiceHash you can point it to your own pool (full node) to do whatever you want.


Why is Monero not on the list?


Interesting site, but the salient data here (1hr attack rate), is scrolled way off to the right on mobile.


Question: What are the legalities surrounding a 51% attack?


If code is law, it should be fine but I guess the “social layer” will have something to complain


Probably has equal status to tax evasion. Legally correct, but socially undesired.


Simple, a financial crime.

Just because people try to be decoupled from the government doesn't mean laws don't apply to them.

Also as a side note, operating a mixer without taking protocol about who used it when in which way is pretty clear cut money laundering. Hence why mixers are either exchanges which take your personalities or operated as anonymously as possible and from countries in which they believe they can avoid the law. (EDIT: Yes, there probably are people who operate a mixer without such precautions, and they might end up pretty bad if a country pursues money laundering charges, and it doesn't even need to be their country.)


"How is the attack cost calculated? Using the prices NiceHash lists for different algorithms we are able to calculate how much it would cost to rent enough hashing power to match the current network hashing power for an hour. Nicehash does not have enough hashing power for most larger coins, so we also calculated what percentage of the needed hashing power is available from Nicehash.

Note that the attack cost does not include the block rewards that the miner will receive for mining. In some cases this can be quite significant, and reduce the attack cost by up to 80%."


This is a great reminder that having an algorithm that can be secure doesn't mean it actually is.

And it's kinda scary that coins that claim to have millions of dollars in market cap can be attacked for a price of a sandwich.


We've had 10 years of crypto economy, and yet, to this day, there has not been a single 51% attack on any major coin.

In the same time period we have seen multiple hacks against banks, governments and the military.

The proof is in the pudding.


I won't touch anything that has the name Bitcoin, cryptocurrency, etc. with a 10 foot pole. Still, I like to keep up with events within the field.

However, it is stunning: Ethereum market cap $313.09 B (yes, with a B), and you can pull off a 51% attack for 1.5 million dollars?

Litecoin market cap $12.51 B and you can pull off a 51% attack for 250 thousand dollars?

It seems Vitalik Buterin gives frequent interviews. Anybody aware if he has been asked about this?

Can any of you comment on the technical validity of this info? Because frankly, if this is all it takes, I am tempted :-)


It’s basically impossible to sustainably 51% Bitcoin or ETH at this point.

You could 51% for an hour (maybe, if you can get that hash rate from nicehash for that long, but I doubt you actually can), but what happens at the end of that hour? Would everyone simply throw their hands up, allow your double spend, and keep mining your chain? Likely not.

Andreas Antonopoulos has a good take on this for Bitcoin: https://youtu.be/ncPyMUfNyVM


It is interesting that it is no longer an algorithmic consensus among machines but rather a consensus among humans. Could anyone comment on how such "reversal" type discussions take place and how many actors are involved? If power is sufficiently concentrated the fact that this can occur is a bit of a concern in itself.


Shouldn't the table also list the potential profit to be made from such an attack?


Good remark, as a 51% attack does not let you do many things. An attack does not mean that you can pull off anything.

For example with most cryptocurrencies even with an 51% attack you can't change "from who", "to who" (destination) and also not the "sending amount".

Requirement:

- most (or enough) people do run a validating node (and not just a SPV wallet)

=> That is why Bitcoin proponents insist so much on keeping the main blockchain small and therefore secure (other solutions like lightning, ... can then be level 2 built on the secure layer. But without secure layer 1, you have nothing secure to begin with / built less upon... like less decentralised but more scalable solutions)


You can change your own transactions which is usually the idea behind 51% attacks. You could deposit coins into an exchange then rewrite that transaction.


Yes, that’s why less secure (economically, game-theory-wise) blockchains need longer confirmations (of course, it is also dependent on other factors like time to produce a block), as the probability of it happening with longer confirmation times decreases.
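Added example, not part of any comment in this thread or of crypto51.app: the relationship between a miner's hashrate share and the confirmation depth a receiver (for example an exchange) should wait for, using the catch-up probability from section 11 of the Bitcoin whitepaper, together with the "adding 50 to 100 gives 150" dilution point made earlier in the thread. The function names are hypothetical, and the model assumes the share is sustained for the whole race, which is why it returns no safe depth at 50% or more.

```python
import math

def share_after_adding(network_hashrate, added_hashrate):
    """Share of the final total held by a party that adds hashrate on top of
    the existing network instead of displacing existing miners."""
    return added_hashrate / (network_hashrate + added_hashrate)

def reorg_probability(q, z):
    """Probability that a miner with hashrate share q eventually replaces a
    transaction buried under z confirmations (Bitcoin whitepaper, section 11).
    Assumption: the share q is sustained for as long as the race lasts."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction between 0 and 1")
    if q == 0.0:
        return 0.0
    if q >= 0.5 or z == 0:
        return 1.0  # a sustained majority always catches up; 0 confirmations protect nothing
    p = 1.0 - q
    lam = z * q / p  # expected competing blocks while the honest chain mines z
    never_caught = 0.0
    for k in range(z + 1):
        # Poisson(k; lam) computed in log space so a large z cannot overflow
        log_poisson = -lam + k * math.log(lam) - math.lgamma(k + 1)
        never_caught += math.exp(log_poisson) * (1.0 - (q / p) ** (z - k))
    return max(0.0, 1.0 - never_caught)

def confirmations_needed(q, max_risk, limit=2000):
    """Smallest confirmation depth whose reorg probability is <= max_risk,
    or None when no depth up to `limit` is enough (always the case for q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if reorg_probability(q, z) <= max_risk:
            return z
    return None

if __name__ == "__main__":
    # Constructed sample: network normalised to 100 units, 7 units rentable
    # (the "NiceHash-able" figure quoted in the thread for Ethereum).
    rented = share_after_adding(100, 7)
    print(f"7 units added to 100 -> {rented:.1%} of the final hashrate")
    for q in (rented, 0.10, 0.30, 0.45, 0.51):
        depth = confirmations_needed(q, 0.001)
        label = "no depth is enough" if depth is None else f"{depth} confirmations"
        print(f"share {q:.1%}: {label} for <0.1% reorg risk")
```

The required depth grows sharply as the share approaches 50%, which is the quantitative form of "less secure chains need longer confirmations".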


Very little: once you prove that an attack of those characteristics is feasible, the entire house of cards where the “value” of those coins is stored would collapse, and you would gain nothing from it.


Malicious actor might be able to make a profit by shorting related stocks and playing with cryptocurrency derivatives.


Basically this. I think the more interesting question is how it might be possible to extract value from dominating log writes in more subtle ways. If stock market HFT can be an entire industry, what might be possible by tipping the scales of transaction latency?


You are wrong. ETC got 51% attacked 3 times in a month, with no real effect on the price.



