Godzilla vs. the 51% Attack

Sometimes we need to stare down the monster and say bring it on. If you ask me, there aren't enough mad 51% attackers.

OK so most people start their discussion of a 51% attack by looking at ASIC prices. We are going to take a different tack here. How much does it cost to mine a block of bitcoin classic? Let's use the easy answer: 25 BTC. Using this approach we can say that if you are starting from scratch it will cost you about 25 BTC every 10 minutes to maintain a 50% attack. This assumes a “perfectly liquid market in hashing” and various other things but we might get closer to the truth with this estimate than an hour of googling mining hardware scams.

So using this logic, how much does it cost to reverse a transaction (double spend a TX) with one confirmation? 25 BTC. How much does it cost to reverse a transaction with no confirmations? This is a Finney attack, and the cost according to my estimation method here is 0 BTC. Please note that this doesn't mean you shouldn't accept zero-confirmation payments. Various services like Coinbase, Satoshidice, and lots of restaurants, bars and other point-of-sale merchants accept zero-confirmation payments, and with good reasons you can figure out for yourself.

But let's continue with the double-spend bogeyman talk and look at a few coins and see how much we can trust to nameless, faceless payers after an hour of confirmations. In other words, how much value can you accept from somebody and be confident that they are losing money if they make the effort to reverse the transaction?

(Exchange Prices June 2014)

Coin               Blocks/hr   Reward (coins/block)   Exchange rate (BTC/coin)   Safe maximum per hour (BTC)

Bitcoin Classic        6            25                    1                          150

Litecoin              24            50                    0.017                      20.4

Dogecoin              60            125,000               0.0000006                  4.5

Maxcoin              120            48                    0.00012                    0.7

42Coin                86            0.000042              12                         0.042

Darkcoin              24            4                     0.017                      1.63

Bytecoin (BCN)        30            110,000               0.00000004                 0.132

Monero                60            16.4                  0.0025                     2.46

The rightmost column here is my estimate of how much it would cost somebody to reverse an hour of transactions. Exchange operators and anonymous auction providers be advised! Some anonymous services require three BTC confirmations. According to this research, these services should have a maximum immediate actionable credit upon deposit of 75 bitcoin.

Remember that in practice, as Bruce Schneier might say, most commerce is heavily robust against security bugs such as this one. In other words, people want to pay.  They are not prepared from any angle to carry out this perfectly liquid attack.  That's one reason it's OK that you don't secure finalized and irreversible payment for your customers before you even bring them menus.

A couple related points come up here:

Reward Schedule.

Notice that as the reward goes down, the security goes down. This is pretty straightforward. How much are you paying your banker to stamp your transactions as official? If it's not enough, a customer might pay the banker more to screw you over. Satoshi figured that in 210,000 blocks the real value of a bitcoin would be at least double. Many coins are going to have some trouble because they have a tight reward schedule. In my opinion, 4 years is tight already for BTC, but some developers disagree and have set reduction schedules on the order of months or even quicker (AKA instamine). If the value of the coin has not increased enough due to adoption when the reward drop comes, the double spend security will decrease. This could be trouble for some struggling coins.

Team double spend

Here's a fun one. So you are operating an anonymous exchange and you have placed some limits on deposits (or rather, on withdrawals following deposits) according to my above guidelines. Traffic goes up a bit, and a ton of folks are depositing Foocoins to your service, selling them, and then withdrawing Barcoins, each one in amounts under the limits you have set, of course. Yes, you know where this is going already. Suddenly a longer Foocoin chain emerges and the Foocoins see a chain reorg. The deposits you thought you received no longer exist. Your Barcoins are already gone. You just got robbed by Sybil. Sounds bad? It gets worse. It turns out even putting limits on global deposits/withdrawals (that is, treating all your customers as a single customer) won't solve this problem completely. The double spending team could divvy up its resources amongst several exchanges. So, you only saw 100 foocoin go in and it would cost 200 foocoin for a double spend? Guess what. The team also put 100 foocoin into 9 other exchanges. They paid 200 foocoin for a double spend attack that netted 1000 foocoin. How do you protect against that?
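The arithmetic behind the table and the Foocoin scenario, worked through as an added example (not the author's code) from the point of view of an operator setting deposit limits. The Foocoin reward, exchange rate and confirmation count are constructed so that a reorg costs 200 coins as in the text; `per_venue_limit` is a hypothetical helper, and the number of venues accepting the coin is an assumption the operator has to supply.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Coin:
    name: str
    blocks_per_hour: int
    reward: Decimal    # coins paid per block
    btc_rate: Decimal  # BTC per coin


def reorg_cost(coin, confirmations):
    """Cost in coins of rewriting `confirmations` blocks under the article's
    model: the attacker forgoes one block reward per block replaced."""
    return coin.reward * confirmations


def safe_hourly_max_btc(coin):
    """Right-hand table column: one hour of block rewards priced in BTC."""
    return reorg_cost(coin, coin.blocks_per_hour) * coin.btc_rate


def coordinated_exposure(coin, confirmations, deposits):
    """Deposits (in coins) credited at separate venues after the same number
    of confirmations. One reorg reverses all of them at once.
    Returns (total reversed, reorg cost, attacker margin)."""
    total = sum(deposits, Decimal(0))
    cost = reorg_cost(coin, confirmations)
    return total, cost, total - cost


def per_venue_limit(coin, confirmations, venues):
    """Largest per-venue credit that keeps the combined exposure of `venues`
    venues at or below the reorg cost (venues is the operator's estimate)."""
    return reorg_cost(coin, confirmations) / venues


# Values from the table (June 2014 prices).
BITCOIN = Coin("Bitcoin Classic", 6, Decimal("25"), Decimal("1"))
LITECOIN = Coin("Litecoin", 24, Decimal("50"), Decimal("0.017"))
# Constructed: 4 confirmations x 50 coins = the 200-coin reorg in the text.
FOOCOIN = Coin("Foocoin", 60, Decimal("50"), Decimal("0.001"))

if __name__ == "__main__":
    print("BTC, 3 confirmations:", reorg_cost(BITCOIN, 3) * BITCOIN.btc_rate)
    print("LTC, one hour:", safe_hourly_max_btc(LITECOIN))
    print("Ten venues at 100 each:",
          coordinated_exposure(FOOCOIN, 4, [Decimal(100)] * 10))
    print("Limit if 10 venues take Foocoin:", per_venue_limit(FOOCOIN, 4, 10))
```

In this model a 100-coin limit that looks safe at one venue leaves the attacker a margin of 800 coins across ten, while a 20-coin limit brings the combined exposure back down to the reorg cost.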

Scary stuff, isn't it? But is this really so scary? It poses a theoretical risk to a certain class of large automated businesses that operate anonymously. Perhaps this is the kind of risk such businesses should be facing. While KYC might get a bad rep when it is imposed by uniformed gang members, it might work a little better when it is self-imposed. In practice, people with the wherewithal to perform such an attack have much sweeter and lower fruit available to them.

Some people say proof of stake is a possible answer to the double spend attack, but I don't see it. If you have stake as something that enables a double spend in addition to hashing power, then people will make a market for stake and we have essentially the same calculation: within one block, only trust amounts less than the total block reward.

The psychopath

But we haven't yet touched on the real monster: the psychopath. This 51% attacker is so insane, they don't care how much they lose. They simply want to see you suffer. Great movie plot, eh? Well, rather formulaic really. Usually this character is played by some national government agencies, because of course, we know from history these names attract the most psychopathic. Let's just assume that they are psychopathic enough to not only lose tons of money for themselves and their organization, but also to give up the opportunity to gain tons of new money and power (remember that's what they seem to like). Just for fun, let's assume also that despite this obvious mental illness they have enough skills to organize and produce hash and valid blocks. They pay 25 coins every 10 minutes just to DDOS the network.

No Txs go through! At this point we have siege warfare. Real miners pull out the stops and try to compete with the attacker. Mempools fill up. Exchanges shut down. Panic in the streets, as people dump bitcoins off-chain for satoshis on the coin. The psycho can continue this for a month for only 100 million dollars. By that point, many of the miners will have given up, tired of seeing all their profits go orphan.

So what happens? Well, the ending of this fake story is of course obvious. This is not a sustainable role taken on by our psycho. Eventually they will run out of resources and hey presto, the coin is back. Prices bounce back up (well, actually they didn't go down, as no transactions went through). Basically this is a hurricane power outage scenario.