0

I've read the following:

> transaction is “confirmed” once it is buried 6 blocks into the blockchain. This is taken to be a sufficient proof of work such that reversing 6 blocks to double spend coins in a specific transaction is infeasible. As we mentioned

Let's say Alice's blocks (honest node) are A->B->C and I included my transaction into that node which transforms 1 BTC to Starbucks to buy some coffee. (I am a malicious node), so my local chain is A->B->C' (note: it's C' and not C, and C' doesn't include my Starbucks transaction, since I am trying to use a 51% attack and double spend).

Now, Alice and other nodes do append blocks to their chain. Let's say A->B->C->D->E->F->G->H->I->J. That's great, the C block is already more than 6 deep into the blockchain. While Alice and others were building this chain, I am also building my chain (I have 51% hash rate power), and my local chain now looks like this: A->B->C'->D'->E'->F'->G'->H'->I'->J'. Now, I solved one more, and after J' I also got K'...

If I now broadcast this, Alice is gonna accept this(longest) and I still double-spent it...

So, how do 6 confirmations really help at all? If someone has 51% power, 6 confirmations really don't matter. Any easy and good explanations about this?

My observation and answer IMHO: I think 6 confirmations don't solve double spend or a 51% attack. It's for the situation when blocks get mined at the same time. If that's the case, it's possible that someone's transaction might get slashed since other longest chain will appear after blocks don't get mined anymore at any given point. So 6 confirmations means that blocks don't get mined at the same time for 6 times sequentially. Correct?

UPDATE: @murch This is what you're saying:

> Generally, requiring more confirmations before considering a transaction reliable makes reorganization attacks more expensive

And this is the only thing I don't understand.

If a malicious user has 51% attack power, why would more confirmations make it harder for him to attack?

  • HN (Honest Node) - A->B->C
  • AN (Attacker Node) - A->B->C

Attacker makes a transaction to HN (sending 5BTC to some merchant), but not in his own node, since it's local and doesn't broadcast. So we have the following:

  • HN (Honest Node) - A->B->C->D (includes 5BTC transaction)
  • AN (Attacker Node) - A->B->C->D' (note D', it's different from D because it doesn't include the 5BTC transaction).

Scenario 1) HN just mines nodes, and AN also mines nodes. Let's say they mined E and E' respectively. Now the 5BTC transaction has the confirmation of 2 blocks. Attacker mined one more block F' and broadcast it. HN will reorganize its chain, and the 5BTC transaction is not in AN's chain anymore... So the attack successfully happened.

Scenario 2) While AN mines nodes, HN also mines nodes. Attacker is faster, so AN mined 10 blocks starting at D'. HN mined 5 blocks starting at D. Now even though HN's D block has 6 confirmations, AN now broadcasts its longer chain and reorganization will happen on HN (removing the D block, which contains the 5BTC transaction). So the attack succeeded.

So, we have 2 scenarios, one with 2 confirmations, one with 6 confirmations. How did 6 help at all in these cases, or at least cease the danger?

Nika Kurashvili
  • related: https://bitcoin.stackexchange.com/q/658/5406, https://bitcoin.stackexchange.com/q/75884/5406, https://bitcoin.stackexchange.com/q/1093/5406 – Murch Sep 27 '20 at 11:55
  • I read those, but they still don't help. If attacker and honest have the same chain (A->B->C) and now, someone made a transaction, so honest added it in D block (A->B->C->D), attacker didn't and attacker has (A->B->C->D'), now attacker will mine one more block faster and share it and honest node's D block which had a transaction of someone is still gone. – Nika Kurashvili Sep 27 '20 at 12:02
  • 1
    Luckily, I'm already working on a fully fledged answer. :) – Murch Sep 27 '20 at 12:03
  • Re your update: it's not harder, but it takes longer and is uneconomic. The attacker loses more money by creating the attacking chain than they gain by swindling the victim out of 5 BTC. Generally, if the attacker has a sustained majority of the mining power and starts using it maliciously, it's pretty much game over for Bitcoin. – Murch Sep 27 '20 at 12:44
  • How does the attacker lose more money (except the electricity cost)? And I am sure the electricity cost will be lower than the 5BTC which he gets back. – Nika Kurashvili Sep 27 '20 at 12:45
  • The mining power doesn't appear from thin air. Someone has to stop trying to mine honest blocks for revenue and instead try to reorganize the chaintip. If the attack succeeds they will make back the lost revenue in block rewards, but if it fails they get zilch. Additionally, a successful majority attack may damage the long term value of Bitcoin which is highly unattractive to miners who have made an enormous hardware investment that can only be used to mine bitcoins. – Murch Sep 27 '20 at 12:53
  • Generally, the cost of mining tends towards the value of the mining reward: https://bitcoin.stackexchange.com/q/2154/5406. Each block's reward is currently about 6.5 BTC. To reorganize an n-block chaintip, someone is losing n block rewards. Unless the attacker can make this risk/loss worth the participating miner's costs, they are not going to have miners participating willingly. – Murch Sep 27 '20 at 12:53
  • 1) I guess by lost revenue you meant electricity + mining costs. 2) That still doesn't answer the question why 6 confirmations are better than 2. If I am an attacker and I don't care about economy or loss, in this case, it doesn't make it any easier if bitcoin has 2 or 6 confirmations, right? – Nika Kurashvili Sep 27 '20 at 13:16
  • Maybe you need to clarify how the miner acquires the mining power in order to attack. Regardless, six blocks take roughly three times as long to discover as two blocks, so it gives other participants more time to react to the attack. – Murch Sep 27 '20 at 13:34
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/113443/discussion-between-murch-and-nika-kurashvili). – Murch Sep 27 '20 at 13:38

1 Answer

1

Generally, all confirmations are relativistic: any chaintip could still be replaced with a heavier chain! However, reorganizations become increasingly costly and unlikely the more proof of work is piled on a block.

You are right, an attacker exerting a majority attack can censor or rollback any transactions, and thus perform a double spend to return a payment they previously made to another party to themselves (also see "What can an attacker with 51% of hash power do?"). If you are receiving payments that are orders of magnitude larger than block rewards, you should consider additional precautions (e.g. KYC, collateral, waiting for more confirmations). The occurrence of a sustained majority attack on Bitcoin could be considered a fatal scenario for Bitcoin: no transaction could be trusted anymore at any number of confirmations.

You may have read that Bitcoin requires the majority of the hashrate to be "honest" to work. Honest in this context means "not collaborating to attack the network" or "independently creating good-faith blocks". Fortunately, it is rather expensive to control the majority of the hashrate. Each block reward is currently worth about $70,000, so a six block majority attack would likely cost $350,000+ in electricity cost alone. Additionally, it would require access to a majority of highly coveted and expensive hardware. Industrial Bitcoin miners have made enormous investments into application specific integrated circuits (ASICs), which can be used for nothing else than SHA-256d mining. The most likely way for a majority attack to come to pass on Bitcoin would be for someone to take over the mining controllers of multiple of the largest mining pools. I would hope that this would be discovered and remedied quickly.

That is not to say that your majority attack scenario hasn't come to pass before. Especially minority forks of larger networks, or other coins that use the same hashing algorithm as bigger networks, have been majority attacked in the past. For example, Bitcoin Gold was attacked with a 1,300 block reorganization in January 2020.

Murch
  • I am so sorry, but still one thing is vague to me. I updated the answer. Could you take a look at it? That's the most important thing I am trying to grasp. You will find the word UPDATED in my question. – Nika Kurashvili Sep 27 '20 at 12:42
  • Hi Murch, I'd appreciate it if you could take a look at those: 1) https://bitcoin.stackexchange.com/questions/99386/how-does-merkle-root-actualy-send-proof-to-light-node. 2) https://bitcoin.stackexchange.com/questions/99385/how-transactions-work-in-bitcoin THANK YOU IN ADVANCE – Nika Kurashvili Oct 08 '20 at 22:54