One of Bitcoin’s core security guarantees is that, for an attacker to be able to successfully interfere with the Bitcoin network and block and reverse transactions, they need to have more computing power than the rest of the Bitcoin network combined.The reason for this is that the Bitcoin network builds up its transaction history in the form of a “blockchain”, with a random node adding a new block on top of the previous block every ten minutes.To reverse a transaction, an attacker would need to make a transaction and then “fork” the blockchain one block behind the block the transaction was included in – from which point the attacker would be in a computation race against all of the other miners combined as he attempts to catch up.A new paper by Cornell University researchers Ittay Eyal and Emin Gun Sirer, however, significantly reduces Bitcoin’s security guarantee by introducing another type of attack – an economic attack.The economic attack does not allow hostile miners to mount successful attacks against Bitcoin unilaterally, but it does change the incentives such that normally honest, profit-maximizing nodes would want to join the attacker’s coalition, potentially allowing for 51% attacks as a second stage.The high-level overview of the attack is this: rather than acting as a normal miner and publishing blocks to the network immediately upon finding them, the attacker selectively publishes blocks, sometimes sacrificing his own revenue but also often publishing many blocks all at once and thus forcing the rest of the network to discard blocks and lose revenue.

This does reduce the attacker’s revenue in the short term, but it reduces everyone else’s revenue even more, so neutral nodes now have the incentive to join the attacker’s coalition to increase their own revenue.Eventually, the attacker’s coalition would expand to above 50% in size, potentially giving the attacker a high degree of control over the network.The attacker’s precise strategy is as follows.bitcoin danske kronerThe attacker keeps track of its own “private chain”, which is separate from the “public chain” that the rest of the network works on.bitcoin usb asic minerAt first, the private chain and the public chain start out the same.bitcoin cudaThe attacker always mines on the private chain and keeps any blocks that he finds private.free bitcoin cheat engine

The strategy dictates exactly when the attacker should publish blocks.Suppose the attacker’s portion of the network hashpower is X, and when there are two competing public chains the portion of the network that picks up on the attacker’s chain is Z.To see why this strategy works, suppose that Z is close to one.bitcoin core stuckIn this case, there is never any chance that the attacker has to discard a block; the only time that might happen is from state 0′, and if Z ~= 1 almost all of the network, attacker and other nodes included, is mining on the attacker’s block so the attacker’s block will not be discarded.bitcoin farm redditThus, the attacker is mining at full efficiency.However, the public network might see blocks discarded at state 0′ and state 2, so the public network is mining at partial efficiency.Thus, neutral (profit-maximizing) nodes have the incentive to join the attacker’s coalition to increase their revenue.

As Z decreases, the attacker’s advantage goes down; at Z = 0.5, Eyal and Sirer showed that the attacker becomes more efficient than the public network at X > 1/4, and if X > 1/3 the attacker is more efficient than the public network at any Z.So how do we calculate Z?Currently, the Bitcoin network is set to follow a simple rule: every node only mines and propagates the first block that it sees.Against attackers with only mining power, this is a successful defense; because the attacker’s strategy is reactive, publishing blocks only after the public network does, Z is close to zero.However, well-funded attackers (or attackers controlling botnets) can mount a “Sybil attack”, creating millions of nodes and inserting them into the network in as many places as possible.During an attack, the Sybil nodes would propagate only the attacker’s blocks.In this case, the Eyal and Sirer conjecture, Z can potentially get very close to one.In reality, that is not quite true; at the minimum, every mining pool will be the first to hear about its own blocks, so Z <= 0.8 is essentially guaranteed, but it is a matter of debate just how much a Sybil attack can do.

To make Bitcoin secure against Sybil attacks, Eyal and Sirer argue, honest miners should switch to the strategy of propagating all blocks and if they receive multiple competing chains of the same length mining on a random one.If all miners implement this, we would have Z = 0.5, creating a reasonably threshold of X >= 1/4 for this attack to work.Is this a fatal threat to Bitcoin?The idea behind the attack is not new; very similar attacks were theorized about on the Bitcoin forums as early as 2010, and lead Bitcoin developer Gavin Andresen himself participated in the discussion.However, at the time no action was taken – largely because everyone at the time considered the attack to be not worth worrying about compared to the other threats that Bitcoin has to face.In practice, most Bitcoin miners act altruistically to support the network, both out of ideological considerations and because they do not want to destabilize the source of their own revenue.Such higher-level economic concerns are beyond the scope of Eyal and Sirer’s paper, but they seriously reduce the chance that this economic attack will work in practice.Furthermore, unlike a standard 51% attack, which only becomes obvious after the fact, this economic attack would need to be announced in advance to let neutral miners know that they have the opportunity to join the attacking coalition for their own benefit.