
Because the attack surface is low. You can only stop transactions from happening (by mining an empty block). You can’t change the past. Hence not worth it? Unless you can make a big purchase using the coin and then change history? There are still checkpoints implemented by clients so forcing the network to go backwards might be hard. So yeah POW doesn’t give you many attack scenarios after all.



This + the honest miners would just fork the chain. Your double spend would only apply on your fork. But before it even gets to that point anyone smart enough to get that much hash power up and running would realize it’s more profitable to simply honestly mine, because for a sufficiently mature coin you’ll be found out and forked off quickly.


If you want to do the double-spend really badly, would people actually react in time? Is there some precedent for the reaction time? Most big services wait for 3 confirmations, so assuming you find someone accepting 1 confirmation, the network has ~20min to revert to a different chain before a rollback is just not feasible. (For BTC anyway)


You wouldn’t have to roll back. It would become apparent to honest miners that there is an invalid block, and the chain would split with the dishonest blocks you mined in your version of the chain, and the honest blocks mined before the 51% attack started in another. It would be a hard fork, similar to the BTC / BCH split, where the nodes not following the protocol are on their own chain doing whatever they want, and the honest nodes carry on following the protocol as usual.

Edit(s): need more coffee.


Ok, so now I am a crypto exchange, which credited peoples' accounts based on expected safe finalization (which arguably doesn't exist: that's the core issue here... these kinds of services are arguably impossible); and your hard fork is effectively happening in the past which is unlike any normal hard fork (which is always scheduled in the future). The term "roll back" absolutely applies here.

FWIW, I expect most exchanges to grind to a complete halt upon noticing this much chain reorganization (enough to break their finalization assumptions) and so the entire ecosystem would have to sit around and figure out what to do manually, with different participants having noticed at different moments and with different losses due to already-spent debts... it would be a complete mess to repair.


But in the 51% attack (or at least in most cases of it) both blocks are completely valid. You're just racing your original spend with a pre-mined alternative and hope that the alternative will collect confirmations earlier. One of the blocks is dishonest only in outside world terms, not in data validity. I.e. an outside observer who doesn't know you doesn't know which spend is beneficial to you. Or am I missing something here?


In practice wouldn’t any fork mean that any and all transactions carried out in the response time are lost?

Or would you somehow rebuild those honest transactions? (I assume you can’t because of the chain). It’s pretty worrying if a 51% attack could happen, any transactions happening at the same time could be reverted, especially because there is no dispute resolution or guarantee that the person you traded with will resend the funds.


Sorry, but this is just plain wrong. We’re talking about the nature of 51% attacks. Who is to determine which are the valid transactions?


If miners picked a shorter chain over a longer one because they suspect a double-spend, wouldn't that make them dishonest vis-a-vis the blockchain rules? Isn't the entire point of proof-of-work that the longest chain can be trusted?


Well, the whole point of this is that you aren't having to do anything special to "get that much hash power up and running": you just rent it off NiceHash; all you provide is the cash. Responding to your attack with a network fork isn't going to happen in the course of an hour, so the issue is "can I convince someone to sell me something--or swap me money on a different chain--worth more than the cost of this attack".


It's not just convincing someone to buy from you - there has to be enough volume available on exchanges to fulfill your order. I posit this is the real reason why nobody has tried attacking low difficulty coins. You probably wouldn't be able to sell off enough coins to justify the total attack cost. Not to mention the coins have to actually be listed on an exchange in the first place, and whatever exchanges they are listed on have to be legally available within your country or else the government will steal your profits and throw you in jail anyways. And the exchanges have to be legitimate enough for you to consider doing business with them or else you'll get Mt. Gox'd ;)



