
Yep. Monero is explicitly designed to remain CPU mineable, so that theoretically it remains more decentralized and mined by individuals rather than an industrial complex like bitcoin and ethereum have become.

Counterintuitively, I think this also makes it more susceptible to nation state attacks, since you can easily deputize fleets of existing CPUs to 51% attack the network, whereas no nation state on the planet can easily get enough sha256 ASIC miners to attack bitcoin, not even accounting for the enormous electricity requirements to sustain a destructive attack.

Then again, the consolidation of bitcoin mining as an industry is also a systemic risk compared to millions of individuals in the network mining. Tradeoffs.




Supposedly one of the "worst kept secrets" of Monero is that a lot of the network is being "secured" by, essentially, botnets. Miners who are unaware that they are participating in the network.

I guess the controllers of these botnets seem to agree that there's no reason to kill the cash cow and (aside from the fact that they're running a botnet) don't tend to act maliciously towards the network.


Yeah, this is one of the big advantages of bitcoin's ASIC race that has long ago obsoleted CPUs and GPUs for mining. It means that bitcoin doesn't economically incentivize botnets stealing valuable generic computation cycles that could actually be put towards better use. Although you could still argue that it's crowding out chip foundries that could otherwise be producing different chips. But you could also argue it's funding greater economies of scale at chip foundries, making chip production cheaper for everyone in the long run.

It also means that bitcoin miners are completely tied to the success or failure of the bitcoin network, since their hardware is worthless for any other application, and therefore can't be easily coerced to harm the network. A network of miners who have generic chips could be more easily coerced to harm the network since their hardware wouldn't be a complete sunk cost.


ASICs have a hardware hash/watt race issue that GPUs (with memory-hard algos) don't have (older GPUs are actually more ROI efficient). GPUs are also easier for a wider range of people to get, with a much lower cost of entry. I'd argue that GPUs are still a better solution than ASICs, but this is an age-old battle full of opinions.

Bitcoin hardware isn't worthless for any other application; any other sha256-based network works just fine (see BCH). The problem there is that it is just ripe for a 51% attack, because there can only be one top coin on each algo/compute layer. BTC = ASIC, ETH = GPU, Monero = CPU. The rest of them are all interesting datapoints on https://www.crypto51.app/


What's that attack cost supposed to represent? Just the electricity?

Seems like a misleading comparison, to get into a position to be able to do this you'd need significant investments in specialized hardware for the likes of Bitcoin and Ethereum. I've seen estimates of multiple billions of USD. And keep in mind that should the attack be discovered, which with coins running on open ledgers seems likely sooner rather than later, the price is going to tank, trust in Bitcoin will be broken and your special-purpose hardware will likely massively lose value. You'd have successfully destroyed billions of your own money.

On the other hand, the real cost of attacking some smaller coins may be even lower than that, because botnets are free or the electricity may simply be stolen, which happens a lot and can easily be done in less developed countries where the utility companies don't have sophisticated meters keeping track of where it all goes in the neighborhoods.


The site details the cost to attack using rented third-party compute. For some of the coins, there is enough compute out there that can simply be rented with no upfront capex/opex involved on the part of the person doing the renting.

The problem with that is that the rental market is an open bid supply/demand market. The second you start to rent out enough hashrate, the rental price also increases. That isn't factored into the numbers.

You are correct that the cost of capex/opex for ETH/BTC is in the billions, which is also what makes them so secure and attacking the network would also destroy the network. It is a brilliant feedback loop.


>Monero is explicitly designed to remain CPU mineable

You're not wrong, but it can be and is mined on GPUs. Not sure about the payback period though because it is very CPU sensitive and the top benchmarks are for AMD's EPYC processors which don't come cheap. An i9-12k handily mines several times more than an Nvidia GPU so GPU mining payback is also potentially slow.

At least according to the online guides it's also a losing proposition relative to the costs of electricity. So then allegedly the only way to profitably mine it is on someone else's energy and maybe their hardware too. For anyone truly seeking anonymity it seems like far less work to buy Monero from a localcoin vendor rather than mint your own, unless you have a lot of free time and hardware on your hands. Which may explain why antivirus software assumes if you're mining with xmrig, you've been pwned.


Monero has a pretty active development community. If GPUs ever get close, they'll change RandomX.


You can't mine Monero currently with GPUs?

I haven't mined in years and I know they changed away from the cryptonight algorithms but I used to mine on both CPU and GPU.


Oh, yes. Yes you can. Go load xmrig and enable the opencl / cuda extensions if you don't believe me. Example output:

     |   CUDA # | AFFINITY | 10s  H/s | 60s  H/s | 15m  H/s |
     |        0 |       -1 |   1710.7 |      n/a |      n/a | #0 01:00.0 NVIDIA       GeForce RTX 3080 Ti
     |        - |        - |   1705.3 |      n/a |      n/a |


Thanks. That's what I thought, good to see it's still possible.


> no nation state on the planet can easily get enough sha256 ASIC miners to attack bitcoin

What if you set up several sock puppet mining pools, all supposedly independent and in competition with each other, and beat the existing pools on fees by enough that miners join you en masse? That would take some investment on your end as you would have to run pool infrastructure at a loss. But if you are a nation state, it's not a huge investment. You don't need to have any mining hardware of your own if you offer miners better returns for the use of their hardware than the other pools do.

Once your pools, taken together, have a dominant share of miners, I would think you could run a 51% attack without ever acquiring a single ASIC. The reputation of your pools will not survive but I think you could complete a 1 hour attack (reversing 6-conf transactions) before you lose the miners.

Would this work?


No.

You're still relying on this pool of independent miners to not defect after you initiate your attack.

Also a 6 block re-org is not unheard of and does happen naturally with the standard consensus rules on rare occasion. That's not enough to cause massive destruction of confidence. Security and confidence in your transaction's immutability has always been a continuous function of how much work has been piled on top of it, and how much energy it would take to redo that work. If you are transacting a very large amount of money, it behooves you to give it even more than 6 blocks for real confidence.
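The "continuous function of how much work has been piled on top" point can be put in numbers. As an added example (not posted in this thread), here is the attacker catch-up model from section 11 of the Bitcoin whitepaper in Python: q is the attacker's share of hashrate, z the number of confirmations, and the result is the probability the attacker ever overtakes the honest chain from z blocks behind.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hashrate ever
    catches up with the honest chain after z confirmations.
    Poisson model from the Bitcoin whitepaper (section 11)."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if q >= 0.5:
        return 1.0          # the 51% case: the attacker eventually wins
    p = 1.0 - q
    ratio = q / p
    lam = z * ratio         # expected attacker progress while honest chain adds z
    total = 1.0
    poisson = math.exp(-lam)
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k          # Poisson(k; lam), computed iteratively
        # attacker made k blocks meanwhile; gambler's-ruin chance from z-k behind
        total -= poisson * (1.0 - ratio ** (z - k))
    return total


def confirmations_needed(q: float, max_risk: float, limit: int = 10_000) -> int:
    """Smallest z for which the attacker's success probability drops below
    max_risk (e.g. 0.001). Returns -1 if it never does (q >= 0.5, or limit hit)."""
    if q >= 0.5:
        return -1
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return -1


if __name__ == "__main__":
    # Illustrative shares: a minority miner, a large pool, and the 51% case.
    for q in (0.10, 0.30, 0.51):
        row = [f"z={z}: {attacker_success_probability(q, z):.7f}" for z in (1, 6, 12)]
        print(f"q={q:.2f}  " + "  ".join(row))
    print("confirmations for <0.1% risk at q=0.10:", confirmations_needed(0.10, 0.001))
    print("confirmations for <0.1% risk at q=0.30:", confirmations_needed(0.30, 0.001))
```

With q=0.10, six confirmations leave about a 0.02% chance of reversal, while at q=0.30 you need 24 confirmations to get the same risk below 0.1%; at q >= 0.5 no number of confirmations helps.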


Andreas Antonopoulos has a good monologue on the risk of a 51% attack, https://www.youtube.com/watch?v=ncPyMUfNyVM


If a pool were withholding blocks to attempt this the miners would notice super quickly, they would stop making money long before your attack was successful.

Even if this was a realistic way to cause a 6 block re-org, it seems like tons of work for a relatively small attack.


It would work until people notice what happened and everyone updates their software to fork the chain. Similar grifts have happened and led to forks.


51% just doesn't feel like a meaningful threat model when governments can instead prevent exchanges offering monero pairs from accessing banking services in their country/currency.


That's already the case with most countries and exchanges. A lot of monero trading happens on p2p exchanges which don't tie themselves to any country.


The next natural step in that direction would be banning all exchanges from banking in hard money.

It would push people to p2p, at the expense of cryptocurrency prices. Big win for the environment and people hoping to use crypto as currency. Big loss for people holding for speculative gains.


That's based on the pretty big assumption that there's a lot of under-utilized hardware being slaved to some central government authority, which by definition it probably isn't.

I would bet more on cloud infrastructure providers being able to do better than nation-states in a CPU takeover of an ASIC-resistant network like Monero.

Motivations aside, it still comes down to cost though, and without any handwaving, Monero just isn't that important to take over.


I agree. If anything, a nation state would likely have to deputize AWS to run the attack.

But also, this would be a purely destructive attack. A 51% attack isn't something that would ever allow a single entity to actually take control of the network, because you either a) obliterate public confidence and crash the value of the token, making mining a pure cost and the network worthless, or b) incentivize the honest network participants to fork the network away from your computational dominance, leaving you with a ton of wasted money and possibly a worthless fleet of miners.
