Downplaying statistically possible double-spending risks

My LTB article yesterday spawned a number of comments.  A few notable ones are discussed below.

One interesting proposal came from Zooko Wilcox O’Hearn (inventor/innovator/guru):

One thing that you could do to strengthen this argument is to broaden the discussion of “things a Dominant Miner (or coalition of miners) could do” from just double-spending.

From the perspective of a Dominant Miner who wants to maximize profits, there are a lot of downsides to double-spending as a strategy. To double-spend profitably requires victim-specific manipulation surrounding the double-spent transaction itself. Double-spends are eminently detectable by the public. They defraud a particular set of victims, who are motivated to defend and retaliate. Finally, double-spends also dramatically demonstrate to everyone else that they are in danger of being defrauded in the same way. This could galvanize opposition.

What else could you do if you were a Dominant Miner or a coalition that collectively has dominance? (Note: I’m saying “Dominance” instead of saying “51%” here because of the “self mining attack” from Sirer et al. which allows effective dominance at 34% with some assumptions.)

Another possibility would be to start giving a 50ⓑ reward to the miner instead of 25ⓑ (or 12.5ⓑ), every 10th block. This would increase the rate of wealth transfer from all holders of Bitcoin to the miners, but it would be a small cost against any individual holder of Bitcoin, thus taking advantage of the “dispersed costs and concentrated benefits” effect to blunt opposition.

It would also be hard to oppose this with any patch to the protocol. Instead, the opposition would probably simply have to effectively abandon the concept of mining and adopt a centralized+federated model, like Ben Laurie’s design for a Bitcoin alternative (… ), the “Sovereign Keys” design from Peter Eckersley (… ), the “Agile Tokens” idea from Joe Bonneau (… ), etc.

Basically, a handful of the largest Bitcoin companies (in terms of number of users and in terms of amount of Bitcoin controlled) would agree to form a coalition to sign the blockchain, to refuse to sign blocks that violate certain rules (such as the size of the block reward differing from the original Satoshi plan), and to use Bitcoin clients that treat signatures from a majority of that coalition as over-riding the “longest chain” rule.

This is perhaps the protocol-layer change that matches the business and governance layer change which you’re suggesting (embracing the trusted third parties who represent large numbers of users).

If the opposition couldn’t muster that massive, system-wide change and bring a critical mass of the economy along with them, then instead the Bitcoin (BINO) economy would settle into the “new normal” where miners effectively get to choose the rate at which they siphon wealth from Bitcoin holders.

There are even subtler attacks that a Dominant Miner could do. Here’s one that is so subtle that it may even be below the threshold of unambiguously detectable: start requiring an extra “transaction fee” as a side-payment directly to you (not to “whoever mines this transaction first”), and discriminate against payers who refuse to play ball. Your discrimination could even include small forks, e.g. starting a fork one block back from the current head because the current head has a transaction from one of your intended victims who didn’t pay you the side payment. Those are more detectable, but you may be able to do only a few of them to prove the point to your victims without exposing your existence to the world.

You might be able to get away this while staying completely under the radar — effectively extorting a few of the richest and most vulnerable payers while maintaining deniability or even secrecy from the public. You can layer on the secrecy and extortion by punishing your victims if they try to expose you, or if you detect that they have attempted to evade your net by submitting their transactions directly to other miners (not part of your coalition) without first paying you your extortionate extra transaction fee. appears to have indicated a possible future strategy that would be compatible with this extortion, when they announced escrow, micro-payment aggregation, and low- or no- confirmation transactions in the same breath as admitting to controlling 51% of the mining power:…

I haven’t spent that much time trying to figure out all the evil things that a Dominant Miner could do, so there may well be other strategies available beyond these ones.

P.S. I got the “big players sign the blockchain” idea from L.M. Goodman. The Tezos inventor, not the journalist.


Stephen Gornick (@bitcoinminer), who actually emailed me a few things back in April about ArtForz, disagreed with my position stating:

Tim, you ignorant slut.

That’s like saying that to rob a bank you simply just get yourself inside the bank vault, stuff your bag full of the loot, and voila — you’ve robbed a bank! Double spending of confirmed transactions, too, is just not that simple.

Just having 51% of all mining capacity that exists doesn’t help you until you apply that capacity to a separate, private fork of the Bitcoin blockchain. Additionally to succeed a number of conditions need to exist and certain actions taken need to have a successful outcome.

To begin with, let’s consider that a pool (or cartel of pools) wants to attempt this attack. Doing so will be something nearly instantly obvious to anyone observing the blockchain. Suddenly blocks on the Bitcoin blockchain begin taking at least twenty minutes (as at least 50% of the hashing capacity has stopped mining on the public blockchain) and, coincidentally, none of the new blocks solved will be solved by the attacking pool (or cartel members). This is because the hashing capacity they have available will be used for mining on the private fork.

Now with most medium and larger Bitcoin businesses (e.g., exchanges, payment processors, hosted E-Wallets, etc.) there are business rules that complicate things for the attacking pool (or cartel). What the attacker wants is to be able to succeed at double spending. This is attempted by sending one transaction on the public Bitcoin blockchain and including a double spend of that transaction on the attacker’s private fork of the blockchain. The attacker would need to do this, upon commencing the mining on the private fork, immediately by sending transactions on the public Bitcoin blockchain with large amounts of coins going to exchanges, E-Wallets, and other targets. This attack only works if these exchanges, E-Wallets and other targets actually credit the attacker’s account for those Bitcoin deposit transactions once they confirm and then in turn also allows those newly deposited funds to be withdrawn in another form of value that too is non-reversible. So after the attacker broadcasts the first transactions a waiting game begins. With less than 50% of the hashing capacity remaining on the public Bitcoin blockchain, more than two hours will pass before the attacker’s transactions will confirm (assuming six block confirmations).

So, for this attack to be successful:

– Individuals and organizations doing the hashing work for the attacking pool (or cartel) need to continue doing the hashing work even though the signature of an attack underway is apparent (due to blocks slowing to 20 minutes each and none of them are from the leading pool or cartel members).

– Exchanges, payment processors, and hosted E-Wallets actually credit the attacker’s accounts with these large deposits, allow these funds to be converted to some other form of value, and then the value post-conversion be withdrawn (e.g., sell bitcoins, buy litecoins and then withdraw them).

If the attacker can’t get the non-reversible funds out of the exchanges, payment processors, E-Wallets, etc. then ultimately that’s a failed double spend attempt — regardless of how many confirmations the Bitcoin transactions that were “reversed” had gotten. That’s probably why Gavin Andresen suggested 120+ confirmations as the number necessary for a “huge amount of value” [where you don’t have recourse]:…

A response to Gornick

Generally speaking today, Gornick is correct: executing a double-spend attack is not a trivial task and on the surface might not be economically feasible (this is assuming that an attack costs more than what will be gained).

However, economic feasibility is a floating target: an attacker might execute it at a loss, because a target’s competitor compensated for the difference.  An attacker might also execute it to create market panic, while holding leveraged short position in BTC.
I am not saying that the double-spend problem is a mortal blow to the Bitcoin model, it is just one of many things that are downplayed by some Bitcoin proponents (as an aside, three months ago, Gornick incidentally argued that 51% attacks on Dogecoin were relatively trivial).  Yet as Zooko pointed out above, having more than 25% of the hash rate is a problem (which I discuss at length in chapter 6).

It also bears mentioning that in that same article I actually did mention a long wait workaround (tens of confirmations), and that actual attack with small number of confirmation actually happened at least once, when a user on attacked Satoshi Dice last November.

Additionally, even with 5-6 confirmations, a double-spend is still possible with non-negligible success rate with something like 30% of hash rate.  For instance, in chapter 14, I point out that Greg Maxwell, a Bitcoin core developer, created a probability of attack success calculator that illustrates the concern of one entity having certain large portions of the hashrate and its ability to successfully conduct a double-spend attack:

  • 40% of hashrate, successful probability of ~50%
  • 49% of hashrate, successful probability of ~96%
  • 51% of hashrate, successful probability of 100%

And a hash rate failure of 30% will not be immediately visible on short intervals because block timings deviate.  So basically if I make a series of deposits and withdrawals, and my fees are negligible, there could be a non-negligible amount of profit (though in a 30% attack, and 13.2% success rate, the cost of lost opportunities might be higher).

Most businesses have some mitigation mechanisms in place (e.g. multiple confirmations).  These mitigation’s hopefully lower the risks enough, for these businesses to exist.  Yet the attack is probabilistic by definition, Gornick implies that in his current situation this attack will not make money for an attacker.  But this is not so straight forward.  Let us assume that Bob can double-spend and that it will cost him 1000 BTC, but Bob will only recover 800, so he is at a 20% loss if this attack plays out.  However, he could find another party (Alice) that wants to inflict a 1000 BTC damage to Bob’s target, and pay Bob 200 BTC (e.g., if Bitfinex wants to ‘attack’ BTC-e, they could spend 200 bitcoins to inflict 1000 bitcoins in damage).

If and when bitcoin-based ETFs are approved, short-term sabotage and other types of economic attacks on network participants (pools, exchanges, large merchants) could
be executed if there was an option to create a short big enough with a reliably trusted counterparty.  It could even become formalized through multisig and smart contracts — a “51% attack contract” (to my knowledge, Virgil Griffith is the one who suggested this first).

Other comments

Anton Bolotinsky (a developer) suggested that “Proof of Idle” probably has at least one vulnerability:

The part with “I’ll pay you if you don’t mine” is exploitable by unrelated miner which starts mining and invalidates payout for others. And proof if mining capacity: me and my friend collude, and we both show twice the capacity we actually have. If I have a lot of friends, we show enormous hashing capacity together. Basically, if my friends and I, each has 1Th/s, I show 1*number of friends, and each of my friends show 1*number of friends. To disprove, system will have to force us to mine in parallel.

Jae Kwon, author of the Tendermint whitepaper, posted another possible attack on a blockchain such as Bitcoin:

You don’t even need major pools to subvert the security of the blockchain and double spend. Let’s say that you want to doublespend a transaction that was included at height H. Simply put out a bounty for more than the mining reward for the first miner to mine an alternative block at height H. Then, you reward the (traitor) miner on the existing blockchain. As long as the instigator is trustworthy, rational greedy miners would switch because the expected reward is higher. Then you do the same for height H+1 and so on, until the fork wins.

A few readers may also be interested in a short debate between myself and Peter Todd on Twitter yesterday that covers economies of scale and killer apps.

4 thoughts on “Downplaying statistically possible double-spending risks

  1. Hi I’m the guy in the proof of idle video.
    I might not have made it clear enough in the video (really need to get a fleshed out paper out) but any miner presenting a challenge to other miners must do so to all miners simultaneously. This prevents the problem of miners leasing out their power to each other to appear more powerful to temporally distinct challenges.

    I’m also aware that new mining power coming online during the contract period can negate the idling of a participant. This newcomer, however, would have done better to participate in the proof of idle contracts that they were potentially not around for / not aware of. The whole system only works in a much more stable ecosystem than we have today, with relatively stable mining efficiency, hash rates, and even bitcoin prices — clearly not the case today.

    Maybe in a year or two though it could become a reasonable strategy.

    • Thanks for your reply Tadge.
      The idea deserves a proper white-paper, the only document I was able to find so far was
      Disruption of idle period can be performed to bankrupt specific player: if we run evil miner only during a period when miner C should receive a compensation, we are earning some coins and killing miner C, thus reducing total number of competitors.

      Amount of total hashing power is not constant, so periodically we’d need to perform recalibration, when all available hardware is running. Frequency and length of these calibrations reduce scheme efficiency.

      While currently miners spend most of their money on electricity, in a new model they’ll spend more on a hardware, while still maintaining MV=MC state. The drawback in this state is reduced flexibility for miners, their hardware is a sunk cost. So miner won’t be able to reduce losses by darkening part of his infra, it’s already off.

  2. Thanks for considering my argument, Tim.

    The reason a 51% attack against Dogecoin is trivially easy to carry out is because the hashrate there is so low that even just a single, non-wealthy party even could fund and carry out the attack. Of course, if Dogecoin does indeed switch to using merge-mining with Litecoin then the resource requirements for the attacker changes significantly.

    With Bitcoin the same approach for an attack (where the attacker controls the equipment used for the attack) would require the use of hundreds of millions of dollars worth of hardware — assuming there was that much hardware available for sale and ready to be shipped.

    Such an attack is brutal — as nobody would know an attack was underway until after the damage had already been done.

    The attack by a pool is different because it requires its pool members to not defect and for exchanges, E-Wallets, etc, to continue allowing cashouts even once it becomes clear that an attack could very well be underway.

    As far as the double spending attacks by that occurred some time ago — that was a Finney attack involving unconfirmed transactions. The 51% attack is a completely different animal.

  3. ‘Another possibility would be to start giving a 50ⓑ reward to the miner instead of 25ⓑ (or 12.5ⓑ), every 10th block. This would increase the rate of wealth transfer from all holders of Bitcoin to the miners, but it would be a small cost against any individual holder of Bitcoin, thus taking advantage of the “dispersed costs and concentrated benefits” effect to blunt opposition.’

    This would actually not be possible with any amount of hashing power. A block with too much reward would be invalid, and thus would be rejected by everyone other than the pool mining it. And no amount of extortion of miners would help in this case, as the entire chain from that block would also be rejected.

Leave a Reply

Your email address will not be published. Required fields are marked *