- A "double spend" attack, in which an attacker spends cryptocurrency to obtain goods, then makes the spend disappear in order to spend the cryptocurrency again.
- A "sabotage" attack, in which short-sellers discredit the cryptocurrency to reduce its value.
Cost-Benefit Analysis Of 51% Attack
Budish starts by over-simplifying, showing that if all things were equal competition among miners would erode the returns from mining to zero:
assume that it takes one chip and one unit of electricity to produce one unit of computational power, a chip costs C, the per-block cost of capital (including depreciation) is r, and the per-block cost of one unit of electricity is e; then we have:
c = rC + e
Assume for now that this cost is symmetric across all participants and that the chips are easily repurposable, so we do not have to worry about sunk costs, adjustment costs, etc. ... If there are N units of computational power in the network, then each unit has a 1/N probability of winning the prize Pblock. Under standard free entry logic — any entity that likes can add computational power to the network — the equilibrium amount of computational power devoted to blockchain mining, N*, is thus characterized by:
N*c = Pblock
This is Equation 1. A "51% attack" on this simplified network from an outsider who controls none of the "honest" mining power would cost at least:
N*c + ε
An attacker who already controlled half the mining power could pay as little as:
(N*c)/2 + ε
An outside attacker could pay A>1 times as much and gain a super-majority of A/(A+1). To ensure that there is no incentive for outsiders to attack the network, the cost of the attack has to be greater than the potential gain from the attack, Vattack, which leads to Budish's Equation 2:
α⋅N*c > Vattack
Where, if t is the duration of the attack in block times:
α = (A-1)t
Like Radia Perlman, Budish notes that:
From a computer security perspective, the key thing to note about (2) is that the security of the blockchain is linear in the amount of expenditure on mining power, i.e., linear in N*c ... In contrast, in many other contexts investments in computer security yield convex returns (e.g., traditional uses of cryptography) — analogously to how a lock on a door increases the security of a house by more than the cost of the lock.
One problem with this over-simplified model is that it applies to outsiders. For insiders, an attack is much cheaper, so Equation 2 should be:
α⋅N*c > 2⋅Vattack
[Figure: Mining power 25 June 2018]
Budish combines Equations 1 & 2 to get Equation 3:
Pblock > Vattack⁄α
This inequality expresses the honest equilibrium condition for deterring an outsider's 51% attack (to deter insiders, Pblock has to be twice as big):
the equilibrium per-block payment to miners for running the blockchain must be large relative to the one-off benefits of attacking it. Equation (3) places potentially serious economic constraints on the applicability of the Nakamoto (2008) blockchain innovation. By analogy, imagine if users of the Visa network had to pay fees to Visa, every ten minutes, that were large relative to the value of a successful one-off attack on the Visa network.
What is Vattack, the potential gain from an attack? That depends on the kind of attack.
Double Spending
A 51% attacker can add blocks to the chain, and prevent others doing so, enabling "double spending":
The most widely discussed manipulation a majority attacker can engage in is known in the literature as “double spending”. An attacker could (i) spend Bitcoins, i.e., engage in a transaction in which he sends his Bitcoins to some merchant in exchange for goods or assets; then (ii) allow that transaction to be added to the public blockchain (i.e., the longest chain); and then subsequently (iii) remove that transaction from the public blockchain, by building an alternative longest chain, which he can do with certainty given his majority of computing power. The merchant, upon seeing the transaction added to the public blockchain in (ii), gives the attacker goods or assets in exchange for the Bitcoins, perhaps after an escrow period. But, when the attacker removes the transaction from the public blockchain in (iii), the merchant effectively loses his Bitcoins, allowing the attacker to “double spend” the coins elsewhere.
As should be clear, while this problem is called the “double spending” problem, the “double” part is a misnomer — the attacker can re-spend his Bitcoins arbitrarily many times.
As a worst case, the attacker can fill the blocks he adds to the chain with large transactions, so if there are k transactions per block and the maximum permitted value is Vmax:
Vattack ≤ k⋅Vmax
Thus, from Equation 3, in the worst case the block reward per transaction must exceed Vmax divided by α, which is my re-statement of Budish's Equation 4. The limited block size causes high and volatile transaction fees, and uncertain delay in transaction confirmation, making Bitcoin useless for small transactions. This is the problem the Lightning network is attempting (unsuccessfully) to solve. Equation 4 means it is unsafe for the Bitcoin blockchain to allow large transactions. But the problem for Bitcoin is worse. The major attraction of Bitcoin for devotees of Austrian economics is that there will never be more than 21M Bitcoins. To ensure this, Pblock decreases with time, eventually becoming zero. And so does the largest transaction it is safe to allow.
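The simplified model above, worked numerically as an added example (not code from Budish's paper or from this post): it applies Equations 1 to 4 and the insider variant, then shows how the safe Vmax shrinks as Pblock halves. The class and function names are hypothetical, k = 2000 is an assumed round number, and α is the closed form (A-1)t with A = 1.25 and t = 6, not the output of Budish's simulations.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chain:
    p_block: float  # Pblock: per-block payment to miners (BTC here)
    k: int          # transactions per block
    A: float        # attacker power as a multiple of honest power, A > 1
    t: float        # attack duration in block times

    def __post_init__(self):
        if self.A <= 1 or self.t <= 0 or self.k <= 0 or self.p_block < 0:
            raise ValueError("need A > 1, t > 0, k > 0, Pblock >= 0")

    @property
    def alpha(self) -> float:
        return (self.A - 1) * self.t  # alpha = (A-1)t

    def deterred_gain(self, insider: bool = False) -> float:
        # Equation 1 gives N*c = Pblock, so Equation 2 (alpha*N*c > Vattack)
        # bounds the deterred gain by alpha*Pblock. The insider form,
        # alpha*N*c > 2*Vattack, halves that bound.
        bound = self.alpha * self.p_block
        return bound / 2 if insider else bound

    def safe_vmax(self, insider: bool = False) -> float:
        # Equation 4: worst case Vattack = k*Vmax, so Vmax < bound / k.
        return self.deterred_gain(insider) / self.k

    def required_p_block(self, vmax: float, insider: bool = False) -> float:
        # Equation 3 solved for Pblock, given a target Vmax per transaction.
        need = self.k * vmax / self.alpha
        return 2 * need if insider else need

def halving_schedule(chain: Chain, halvings: int, insider: bool = False):
    # Safe Vmax after each halving of Pblock (transaction fees ignored).
    rows = []
    for n in range(halvings + 1):
        c = Chain(chain.p_block / 2 ** n, chain.k, chain.A, chain.t)
        rows.append((n, c.p_block, c.safe_vmax(insider)))
    return rows

# Constructed inputs: A and t from the canonical case in the text; 12.5 BTC
# was the 2018 block subsidy; k = 2000 is an assumption.
BTC_2018 = Chain(p_block=12.5, k=2000, A=1.25, t=6)

if __name__ == "__main__":
    for n, p, v in halving_schedule(BTC_2018, 4, insider=True):
        print(f"halvings={n} Pblock={p:<8} safe Vmax (insider) < {v:.8f} BTC")
```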
Budish ran simulations exploring "double spend" attacks against the current Bitcoin blockchain, and shows the results in Table 1. For the canonical case of waiting six blocks for confirmation (t = 6) and assuming A = 1.25, the attack lasts less than 14 block times and has an expected cost net of block rewards of 3.35 times Pblock, or under 42BTC ($248K, if you believe "market prices").
David Gerard points to this table of the cost of a 1-hour 51% attack on a range of cryptocurrencies, using prices from NiceHash (of course, NiceHash would not actually be able to sell you this much mining power). Attacking Bitcoin would cost $424,469, less than a factor of two away from an estimate from Budish's work. Note that only Bitcoin and Ethereum among cryptocurrencies with "market cap" over $100M would cost more than $100K to attack. The total "market cap" of these 8 currencies is $271.71B and the total cost to 51% attack them is $1.277M or 4.7E-6 of their market cap.
[Special Agent in Charge Angel] Melendez emphasized that the open nature of the blockchain made it difficult to hide drug money. “The biggest selling point for the blockchain is that it’s transparent. Everybody can see it. And we can see it, too.” Melendez was announcing that more than 40 alleged dark-web drug dealers had been arrested. (Source)
The downside for an insider 51% attacker is that, after the fact, the attack would likely be detected, discrediting the cryptocurrency and thus reducing its value, and the insider's investment.
Budish analyzes this case (I have changed the symbols slightly for ease of understanding):
Formally, let us assume that the double-spending attack analyzed in Section 2.1 causes a proportional decline in the value of Bitcoin of ∆attack, and that the attacker holds the minimum amount of Bitcoin necessary to conduct the attack, namely k⋅Vmax worth. ... The ∆attack decline in the value of Bitcoin modifies equation (4) to be Equation 4′:
Pblock > k⋅Vmax⋅(1 - ∆attack)/(A - 1 + ∆attack)
The larger is ∆attack, the smaller is the implicit tax on the system necessary to deter the majority attack, i.e., the level of [block reward per transaction] necessary to support a given [Vmax]. For example, if ∆attack = 1, i.e., if the attack causes a total collapse of the value of Bitcoin, the attacker loses exactly as much in Bitcoin value as he gains from double spending; in effect, there is no chance to “double” spend after all. ... However, ∆attack is something of a “pick your poison” parameter. If ∆attack is small, then the system is vulnerable to the double-spending attack ... and the implicit transactions tax on economic activity using the blockchain has to be high. If ∆attack is large, then a short time period of access to a large amount of computing power can sabotage the blockchain.
Experience tends to show that the Bitcoin market is sufficiently manipulated that ∆attack would be small. But this may no longer be the case. Olga Kharif's Crypto Collapse Spreads With Hundreds of Coins Plunging in Value reports that:
Over 80 percent of 1,586 digital coins Finder.com tracks in a weekly survey decreased in price in the past seven days. The tokens fell 19 percent on average, Finder.com found in the week ended June 25.
Trading volume dropped as well, declining by 6 percent from the previous week, Finder.com said. Bitcoin, Tether, Ether, EOS and Bitcoin Cash were the top five traded cryptocurrencies. Volume was half of what it was at the end of April, when Finder.com first started releasing its Weekly Coin Analysis.
[Figure: 1-yr BTC-USD "Price"]
- Recently, the financial wizards who brought us the 2008 global financial crisis have started Bitcoin Futures markets, which enable shorting of BTC. Shorting BTC has been a very profitable trade this year, as BTC's "market price" has declined from $19,499 on 15th December 2017 to, as I write this, $5,890. Further sharp declines would be in the short-sellers' interest.
- Governments dislike the major uses for cryptocurrencies: unregulated speculation, money laundering, ransomware, and trade in illicit goods. They would be happy to see cryptocurrency values crash.
More Realistic Models
To this point, Budish's analysis has made a set of assumptions that don't hold in the real Bitcoin mining market:
Assume for now that [mining] cost is symmetric across all participants and that the chips are easily repurposable, so we do not have to worry about sunk costs, adjustment costs, etc.
In Section 3 Budish examines lifting these assumptions:
The analysis in Sections 1-2 assumed that the attacker’s cost of waging the majority attack was proportional to the per-block “flow” cost of mining the block chain. ... However, if both (i) the technology necessary for mining the blockchain is specific (i.e., non-repurposable), and (ii) the attack harms the subsequent value of that technology, then it may be appropriate to charge the attacker a stock cost rather than a flow cost. Importantly, (i) and (ii) seem likely to hold for the Bitcoin blockchain at present.
For the details, you need to read the paper, but the TL;DR is in Section 3.3, Collapse Scenarios. There are three:
- Ultra-cheap specialized ASICs. Given the huge advantages enjoyed by mining chip manufacturers, outlined by David Vorick in The State Of Cryptocurrency Mining, even large manufacturers' "slow AIs" would find it hard to give up the margins they can extract from miners. So I don't see this case as realistic.
- Efficient-enough repurposable chips. David Vorick argues, and I agree, that custom ASICs will always greatly out-perform general-purpose ones. The risk is that BTC gets cheap enough that the mining market can no longer support the development of new generations of custom ASICs. A decline like the one so far this year would do the trick.
- Economic sabotage becomes sufficiently tempting. These are the two cases I outlined above, and both are realistic.
Postscript
I can't resist noting that the double spend attack is related to an attack on an early version of Andries Brouwer's Hack game. The first thing Andries added to the Lincoln-Sudbury Regional High School original was a little dog that accompanied the player; I never saw Andries without his dog.
The Dutch have a long history of commerce, so as I recall the next thing Andries added was a shop, well-stocked with valuable items, and a shop-keeper. A player could enter the shop via the door, and exchange gold for items and vice versa. The shop-keeper was friendly unless attacked, or the player exited the door without settling up, when he became extremely violent.
One night in the fall of 1982 my second-year CS students at the Universiteit van Amsterdam discovered that it was possible to use a Wand of Digging to open a passage into the back of the shop. The player could enter the shop this way, grab as many items as he could carry, and exit the shop via the newly created passage. Since they had not exited via the door, there was no need to pay for the items. Next, the player could enter the shop via the door and sell the loot to the shop-keeper. After exiting the shop empty-handed via the door, the player could repeat the process. And, because Andries had omitted to provide the shop-keeper with a budget, the process could be repeated ad infinitum. My students had discovered an unlimited supply of gold!
Don't try this at home, kids! Andries quickly made entering the shop other than via the door a