Bitcoin 100x less secure than commonly believed

[r0ach]

This is kind of a strange discussion because Satoshi always made these assumptions saying most of the network will be honest miners, but this seems to make the opposite assumption, that everyone, or a significant portion of the network will coalesce into this strategy.

For example, when faking shares vulnerabilities are discovered for pools, the majority of the entire network is not doing it, just a small percent of people (usually Russians)

https://bitcointalk.org/index.php?topic=224019.0

I guess the summary of this thread is saying that since a financial motive exists, eventually it will occur.  This isn't like stake grinding though, where you can absolve yourself of responsibility by claiming it's a victimless optimization, this is an actual attack where you can probably identify who is attacking you and take counter measures.

This seems like it's only game over for Bitcoin if you own the largest pool and your pool is not composed of transient miners, otherwise the miners would just play musical chairs until they reach consensus on which honest pools exist at the time.  If you own the largest pool and it's not full of transient miners, you would likely just lure miners to your pool to perform a 51% attack instead of this strategy.

I think the problem that Satoshi didn't solve Byzantine generals and Bitcoin is wide open to Sybil attack is a worse problem than the one brought up in this thread:

https://bitcointalk.org/index.php?topic=1183043

[bytemaster]

Conclusion:  The Bitcoin network is only as secure as the profit margins on mining, not the cost of mining.   The lower the profit margins fall the cheaper it becomes to perform the negative mining attack.

Does "negative mining" ever become a profitable attack, in and of itself? I thought I recalled seeing a paper on that in the past months, describing how a pool could increase income by this method, allocating a portion of its hashing against an enemy pool.

Suppose mining profit margin is 5%
Suppose you have a mining pool with 20% of the hash power, you would normally produce 70 blocks per day and if you charge a 1.5% fee your pool profit would be 26.5 BTC per day and your pools revenue would be 1750 BTC
Suppose you direct 25% of your hash power (5%) of the total at all competing pools, you will now produce 52 blocks per day directly, and 17.1 blocks per day indirectly (from other pools) and your pools revenue would be 1727.5 a reduction in revenue of  22.5 BTC which means your pool would STILL be profitable even while performing this attack.

After you have performed this attack your competitors start losing miners and you start gaining miners.  If you grow your pool from 20% to 40% as a result of this attack then it is clearly a net gain because your final profit will be 30.5 BTC per day, an increase in profit of 15%.   

However, as your pool grows from 20% to 40% the amount of negative mining you must do decreases by 50% while keeping your competitors operating at a loss.  This means your costs fall by 11.25 and your final net profit is 41.75 an increase in profit of 57%.

If your competitors attempt to use negative mining against you then it is simply a matter of redirecting their negative mining back at them.   What we can conclude from this is a race to the bottom where the largest starting pool wins all.

[Chronos]

Conclusion:  The Bitcoin network is only as secure as the profit margins on mining, not the cost of mining.   The lower the profit margins fall the cheaper it becomes to perform the negative mining attack.

Does "negative mining" ever become a profitable attack, in and of itself? I thought I recalled seeing a paper on that in the past months, describing how a pool could increase income by this method, allocating a portion of its hashing against an enemy pool.

[Murderistic]

http://bytemaster.github.io/update/2015/09/29/Bitcoin-is-100x-less-secure-than-commonly-believed/

Shared on Linkedin and Facebook

[bytemaster]

So my point remains that until a solution is found and implemented negative mining remains a problem. 

And my point remains that this problem is probably lower on the priority scale right now.  Right now, if you really want to attack bitcoin, your best bet is to attempt to prevent raising the block size limit by spoofing core nodes, DDOSing XTnodes, and spreading fud about a blocksize limit increase.  Bitcoin is not going anywhere with just 3-4tx/sec even if lighting network, side chains, or any other scaling solutions are implemented.  So your attack is essentially free and the attackers seem to be doing a pretty good job so far.  You won't destroy bitcoin but you can prevent it from growing.  I would argue that the attackers are winning in bitcoin as we speak for neligible cost.

Perhaps, the goal of my attack isn't to STOP bitcoin, but to take it over and profit by taking it in a new direction.   

Those that want a larger block size simply need to start executing the negative mining attack against any pool that does not support the change.

[Helikopterben]

So my point remains that until a solution is found and implemented negative mining remains a problem. 

And my point remains that this problem is probably lower on the priority scale right now.  Right now, if you really want to attack bitcoin, your best bet is to attempt to prevent raising the block size limit by spoofing core nodes, DDOSing XTnodes, and spreading fud about a blocksize limit increase.  Bitcoin is not going anywhere with just 3-4tx/sec even if lighting network, side chains, or any other scaling solutions are implemented.  So your attack is essentially free and the attackers seem to be doing a pretty good job so far.  You won't destroy bitcoin but you can prevent it from growing.  I would argue that the attackers are winning in bitcoin as we speak for neligible cost.

[bytemaster]

The first argument everyone makes is that miners would switch pools if any pool started censoring transactions. This may be true, but to keep an objective measure of security we must assume they would only switch if it were profitable to do so.

With that objective measure of security, what about this attack?

1) Create n new pools
2) Provide a 0.1% subsidy for blocks found by each of the new pools
3) By definition, all miners would switch to one of your new pools, because they would maximize profit by doing so
4) ? ? ?
5) Profit

The attacker would have 100% of the hash rate, for a cost of $8640/day. It sounds absurd because it is. Or is it?

Also, what about this bounty to Bitcoin XT blocks, currently 1.3 BTC? https://cryptoplay.net/vote/ Why hasn't it been snapped up? The "objective measure" rule would say this free money should not remain on the table.

Or this bounty? https://www.bigblockbounty.com/ Would this line of thinking predict that the 4+ BTC reward for 100 XT blocks would be quickly claimed?

There are several things going on here:

1. The rewards offered are driven by donations and not a long-standing and sustainable offer
2. The cost to update the mining pool software is greater than the one time reward.

If those bounties were a promise of $8700/day divided among conforming blocks and you have a mining pool that finds 1 block per day on average, then you will double your money by conforming.  Except that it is not just doubling the money earned by this miner (assuming 5% margins) this particular bounty would be increasing the profits of the first miner to switch from $300 to $9000 which represents a 30x increase in profitability by switching.

So clearly someone will take that bate and produce 0.7% of the blocks.   The market never likes to leave anyone with such high margins, so miners will switch from the main network to the conforming network (merging mining) until the profit from mining under the alternative rules falls to some threshold.   If you assume miners will continue switching so long as it doubles their margin from $300/block to $600/block then an attacker will have gain 20% of the miners for the cost of 0.7% of the hash power.

The market will then provide feedback to the attacker which can increase their daily pay until all miners switch.

Providing incentives to attack only makes sense to the extent that it is cheaper than than undermining the support of the main chain.   Stated another way, offering to double your salary may not get as many defectors as threatening to make your salary negative.  So long as you are earning a safe income and able to pay your bills you can entirely ignore the attacker.   

Enter negative mining.    For $8000 per day spent on negative mining you can reduce the income of everyone else mining in public pools by 50%.   (For $5000 per day you can cut income by 20%)  Such a huge decline in income would cause almost all other miners to be operating at a loss.  Once this happens these miners  turn off their equipment.  They have no financial incentive to SPEND money to defend the network. 

So if your ONLY goal was to stop block production, then it would only cost you between $5000 and $8000 per day.   

Now if you have a lot of mining equipment and no longer had the ability to mine in the pools and the attacker offers you your old job back *IF* you mine for them now it is a question of 0 income and a complete loss on your capital investment or some income.  It now becomes clear that not joining the attacker is irrational from a profit-seeking point of view.  You could walk away in protest (not wanting to take dirty money) but that only harms you and doesn't help the network.

Now this is where it gets really interesting... an attacker can approach the largest mining pool and make them an offer they cannot refuse,  "You can either censor transactions and make more money, or suffer a negative mining attack that will put you out of business".    Once a single pool caves into the demands, the that pool can be used against the other pools.  If no pools cave, then the attacker needs to rent hashing power for his attack.

Conclusion:  The Bitcoin network is only as secure as the profit margins on mining, not the cost of mining.   The lower the profit margins fall the cheaper it becomes to perform the negative mining attack.

Mining pools would have to come up with a defense against negative mining which is not trivial. 

[Pheonike]

Assuming they could do it, why would you expose yourself and let everyone know you are? It's more profitable to not tell anyone what you are doing than expose yourself.

[Chronos]

The first argument everyone makes is that miners would switch pools if any pool started censoring transactions. This may be true, but to keep an objective measure of security we must assume they would only switch if it were profitable to do so.

With that objective measure of security, what about this attack?

1) Create n new pools
2) Provide a 0.1% subsidy for blocks found by each of the new pools
3) By definition, all miners would switch to one of your new pools, because they would maximize profit by doing so
4) ? ? ?
5) Profit

The attacker would have 100% of the hash rate, for a cost of $8640/day. It sounds absurd because it is. Or is it?

Also, what about this bounty to Bitcoin XT blocks, currently 1.3 BTC? https://cryptoplay.net/vote/ Why hasn't it been snapped up? The "objective measure" rule would say this free money should not remain on the table.

Or this bounty? https://www.bigblockbounty.com/ Would this line of thinking predict that the 4+ BTC reward for 100 XT blocks would be quickly claimed?

[bytemaster]

Solutions to negative mining:

1. change the POW algorithm to one that requires the miner to have the private key that will receive the block reward
2. provide access controls to your pool and do Know your Miner verification
3. have the mining hardware itself report directly to the pool and only allow hardware that implements a proprietary protocol.   Effectively the mining pool must have full control over the entire connection.

So my point remains that until a solution is found and implemented negative mining remains a problem. 
Short selling isn't even necessary for the attack, it is just a bonus.

[Helikopterben]

What are the chances that mining pools come up with a fix or workaround for the negative mining problem?  Also, I think your assumptions that price will drop solely because this attack is being attempted is flawed.  To get a guaranteed drop in price, you will have to be certain that your attack will prove catastrophic, or nearly catastrophic to the Bitcoin network, with very little possibility of recovery. 

IMO this is another one of your bad PR/FUD threads.  I could be wrong, but I think there is a good chance that the bitcoin community could find a solution to this avenue of attack.  I find it hard to believe that they would let a $3 bil industry go down the drain.  I think its a good idea to identify problems in the industry, but you should portray it as a possible attack vector that the bitcoin community may want to explore, instead of a guaranteed failure like this:

"Once someone develops a business plan that can benefit from gaining control of Bitcoin’s block production it will be done and no amount of hash power will be able to prevent it."

because there is no guarantee that this attack will work in practice.  It hasn't happened for bitcoin's nearly seven years in existence. 

[xeroc]

Shot through the heart and you're to blame
DAN you give BITCOIN... a bad name

Bitcoin is awesome .. what is bad is *pooled* mining.

[roadscape]

Shot through the heart and you're to blame
DAN you give BITCOIN... a bad name

An angel's SHARE is what you sell
You promise me heaven then put me through hell
Chains of love got a hold on me
When passion's a prison you can't break free

https://www.youtube.com/watch?v=S9tKwSboJeg

[bytemaster]

http://bytemaster.github.io/update/2015/09/29/Bitcoin-is-100x-less-secure-than-commonly-believed/