Wide And Shallow Double-Spend Attacks On Bitcoin (+ Why Hardware Cost Is Not A Reliable Deterrent)
This is a follow-up to my last post which was about understanding how double-spend attacks work in practice and why they matter.
tl;dr — 1) Nakamoto consensus via proof-of-work doesn’t provide meaningful assurances around double-spends. The proof-of-work your full node sees guarantees almost nothing about the finality of transactions. 2) It’s not a safe assumption that the sunk cost of ASICs (non-repurposable mining equipment) represents a fixed deterrent to attacks.
To my knowledge, every article and economics paper that has looked at majority-hashrate attacks and the security of Bitcoin’s proof-of-work mining game has assumed single transaction attacks, overlooking the following “wide and shallow” strategy which:
- Makes attack size undetectable.
- Makes the cost of attack orders of magnitude smaller.
This article assumes the reader is already familiar with the concept of probabilistic settlement assurances (i.e. transaction finality) on the Bitcoin blockchain and the real costs involved in ‘undoing’ transactions. If not, I recommend Nic Carter’s article on the subject: ‘It’s The Settlement Assurances, Stupid’ and/or my last post.
In short, under the single transaction attack model, the idea is that — as the receiver — you can know that your transaction is really settled by looking at its value vs. the cost of ‘undoing’ it via 51% attack. If the cost of undoing the transaction is greater than its value, an attack would be economically irrational, so you know you’re safe.
The naive rule of waiting for six confirmations was wrong, and this article will show why the rule of calculating value vs. cost-to-undo is also wrong.
How To Double-Spend On Bitcoin
In short, split up your attack into many smaller transactions made to many targets all at the same time. It’s massively more effective and efficient to attack multiple targets simultaneously than to attack just one.
Here’s a simple example using round numbers to illustrate: if 10 colluding bad guys each attack 10 targets for $10 million, ultimately undoing all 100 transactions, it’s a $1 billion attack, but only the bad guys know it.
All targets calculate the finality of their transaction based on just $10 million, off by a factor of 100. In other words, if the targets use ‘value vs. cost-to-undo’ settlement logic, each considers their $10 million transaction permanently settled after 100 blocks at today’s prices ($8k/BTC & 12.5BTC reward per block = $100k per block).
The cost of executing a $1 billion attack this way — i.e. the necessary proof-of-work expenditure in $ to double-spend all 100 transactions — is therefore in the region of just $10 million (realistically much less).
The attack only takes a few hours, not 40+ days as Nick Szabo describes here for a single $1 billion transaction, and the bad guys only hold $10 million in block rewards afterwards, so their downside with respect to a potential crash in the price of BTC is dramatically reduced vs. the single transaction model.
If they can use a financial instrument to short BTC, then the exploit is even more effective, but we’ll leave that out for now.
NB: More on the important question of mining equipment & sunk costs further down this page.
Worst Case Outcome
In the 10x10x$10m (=125,000BTC) example described above, the worst-case outcome (for the bad guys) is that the value of BTC completely crashes to zero as a result of the attack, and they now have in their possession:
- $1 billion worth of goods that were bought (e.g. US dollars, other crypto, gold, guns, drugs, etc.)
- 126,250 BTC (including 1,250 BTC block rewards) now worth $0
- Lots of mining equipment now worth $0
Max overall loss = $10 million (+ any outstanding cost of their equipment which had not yet been recovered via honest mining before launching the attack).
Best Case Outcome
The best-case outcome is that the value of BTC doesn’t crash at all, it holds its value as though nothing happened, and they now have in their possession:
- $1 billion worth of goods that were bought
- 126,250 BTC worth $1 billion
- Lots of mining equipment worth the same as before
Max overall gain = $1 billion.
In other words, the bad guys are risking just $10 million to potentially gain anywhere up to $1 billion (e.g. if it crashed 50% they’d be +$500 million, a 50x return on investment), and — a lot like 2008 and the message in the genesis block — the risk transfer is ridiculous: it’s mainly everyone else’s money that’s at stake if the value does crash.
The 10x10x$10m example above is just using round numbers, but obviously you can move the numbers around however you want, e.g. 50 bad guys each doing 50 transactions with an average value of $200k is a $500 million attack that only requires a 6 block re-org and could be completed in an hour.
20 bad guys each doing 100 transactions with an average value of $100k is a $200 million attack that potentially requires as little as a 2–3 block re-org and could be completed in 30 mins.
In practice, many people stick (unscientifically) to Bitcoin’s famous rule-of-thumb of waiting for 6 confirmations, so these attacks would probably end up needing e.g. 7-8 blocks, but you get the idea.
As soon as the last ~$100k transaction is considered settled by its target and the attackers have all $200 million of goods in hand, that’s when they pull the trigger, announcing their secret chain to the network, undoing all the transactions and reclaiming the spent coins.
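To make the receiver-side blind spot concrete, here is an added Python model (not code from the original post) that applies the ‘value vs. cost-to-undo’ rule to each receiver individually and then compares what those receivers collectively hold against the reorg depth needed to undo all of them at once. It uses the article’s round numbers ($8k/BTC, 12.5 BTC per block) and the Receiver / aggregate_exposure names are my own.

```python
from dataclasses import dataclass

# Constructed parameters from the article's round-number example, not live
# market data: $8k/BTC and a 12.5 BTC subsidy give $100k of reward per block.
BTC_USD = 8_000.0
BLOCK_SUBSIDY_BTC = 12.5
BLOCK_REWARD_USD = BTC_USD * BLOCK_SUBSIDY_BTC
SIX_CONF_RULE = 6

def confirmations_by_value(tx_value_usd: float,
                           block_reward_usd: float = BLOCK_REWARD_USD) -> int:
    """Depth at which a 'value vs cost-to-undo' receiver calls its own
    transaction settled: first depth whose re-mining cost (forgone block
    rewards) is at least the transaction's value."""
    depth = 0
    while depth * block_reward_usd < tx_value_usd:
        depth += 1
    return depth

@dataclass(frozen=True)
class Receiver:
    tx_value_usd: float
    uses_six_conf_rule: bool = False  # also waits the customary 6 blocks

    def required_confirmations(self) -> int:
        by_value = confirmations_by_value(self.tx_value_usd)
        return max(by_value, SIX_CONF_RULE) if self.uses_six_conf_rule else by_value

def aggregate_exposure(receivers: list) -> dict:
    """What all receivers have at stake versus the cost of a reorg deep enough
    that every one of them has already released goods. The depth is set by the
    most demanding receiver, not by the sum, so per-transaction settlement
    logic never sees the aggregate."""
    total_value = sum(r.tx_value_usd for r in receivers)
    reorg_depth = max(r.required_confirmations() for r in receivers)
    cost_to_undo = reorg_depth * BLOCK_REWARD_USD  # article's simplification
    return {
        "total_value_usd": total_value,
        "reorg_depth_blocks": reorg_depth,
        "cost_to_undo_usd": cost_to_undo,
        "largest_value_seen_by_any_receiver_usd": max(r.tx_value_usd for r in receivers),
        "leverage": total_value / cost_to_undo,
    }

if __name__ == "__main__":
    # The article's 10 x 10 x $10M case, then its 50 x 50 x $200k case (6-conf rule)
    print(aggregate_exposure([Receiver(10_000_000.0)] * 100))
    print(aggregate_exposure([Receiver(200_000.0, True) for _ in range(2500)]))
```

Each receiver's own calculation (100 blocks for $10M, 2 blocks for $200k, or 6 under the customary rule) is unchanged by how many other receivers exist, which is exactly the blind spot the article describes.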
Note: Network Capacity
While you can apply enormous leverage with this method, you do run into transaction capacity limits at some point — there are limits on how “wide and shallow” you can go. Blocks can only take around 3000 transactions each, so you have to adjust the number of transactions and average transaction size with that in mind.
Pro tip: best to front-load the larger transactions since they take longer to clear under conventional Bitcoin/proof-of-work settlement logic.
Why Has No-one Done It Then?
It would be unexpected today because:
1) An attack of worthwhile scale isn’t really possible. The Bitcoin economy is still extremely limited in size and scope, so as it stands there simply aren’t that many targets available to attack
2) There’s no strong privacy. The world isn’t very anonymous right now, thanks to governments and their pesky AML/KYC regulations
3) No-one that deeply involved in Bitcoin would be looking to do it. Miners so far tend to be Bitcoin enthusiasts and believers, expecting that everything will work out and that the value of bitcoin will be much higher in future (it’s hard to justify the outlay otherwise). Attacking the network today would undermine those expectations
4) It’s a big operation. The 12.5BTC block reward currently generates total mining revenues of ~$6 billion/year. So only very wealthy individual miners colluding, large orgs, and governments could realistically afford to operate at the necessary scale
These factors mean that, at least as it stands right now, you wouldn’t expect miners to have done it.
The question is the future. And given the future that the crypto economy aspires towards, both in terms of scale and privacy, (1) and (2) aren’t reliable factors, and miner goodwill/altruism in (3) isn’t a stable assumption going forwards either. You have to assume adversarial conditions, strong privacy, and widespread use — i.e. a much larger attack surface.
So that leaves the practical difficulty of execution (4) as the only real barrier. As we’ll see in a minute, the sunk cost of hardware turns out to be a non-factor (contrary to popular belief) and can’t be relied on as a disincentive. But the straightforward scale of the operation required is nonetheless still an obstacle. The bottom line is that it must always be impracticable to execute an attack, including for large actors and governments. And on that front, $6 billion/year isn’t enough.
If the value of BTC being transacted across the network gets much larger, at the same time as the value of block rewards (in $) stays the same or shrinks — due to the exponential decay of the block subsidy over time — the opportunity to execute a wide and shallow attack of worthwhile scale is probably going to present itself.
The risk and cost of executing an attack is relatively tiny vs. the potential payoff, and with a healthy derivatives market — especially one that’s decentralised and private — the attackers can short BTC to (more than) offset what little downside risk there is.
Fundamentally, the point here is that the assurances you get as an end user of Bitcoin are supposed to come from the protocol, not from a lack of privacy, or from governments and their laws.
Bitcoin is supposed to act like a naturally occurring commodity, as stable in its existence as gold, that just happens to be digital. And at the extremes, it should be possible for North Korea or Iran, for example, to transact with confidence, no matter how well-resourced their enemies are.
Bitcoin developer Greg Maxwell recently said:
“If you’re worried someone might reorder history using a high hash-power collusion — just wait longer before you consider your transactions final.”
But you can’t wait forever. And as shown, it’s impossible to calculate the finality of your transaction simply by looking at its value and how much proof-of-work has accumulated. The number of confirmations doesn’t indicate anything meaningful unless you know the potential scale of an attack you might be part of, which is unknowable.
So, two conclusions:
- Under private, trustless conditions (i.e. ‘currency of enemies’ style), proof-of-work provides no meaningful assurances around double-spends. Your full node can’t really infer anything useful from the proof-of-work it sees.
- If what is thought to be the primary economic disincentive towards double-spending is real, and the value of BTC would crash to zero following an attack, then all holders are at constant risk of such a crash from just 1 bad/compromised act, the cost of which is dramatically lower than previously imagined.
Note: Time Taken
In reality, the amount of time taken for an attack will depend in part on how much hash power you remove from the network to make your attack. Ideally you’d remove none.
As an example, let’s say your attack removes 33% of the active hash power from the network. The rest of your attack is made up of currently inactive equipment which you bring online, plus maybe 5% rented hash power that you keep on standby — enough to give you a solid 60% majority overall so your secret chain will reliably grow at e.g. 1.5x the speed of the honest chain.
Suddenly removing 33% hash power from the network will affect block times on the honest chain: i.e. 6 blocks will take longer — 1 hour and 30 mins instead of 1 hour, on average.
Pro-tip: don’t suddenly remove that much hash power from the network. Taper off, let the difficulty re-target, and let other miners come online, so there won’t be a steep, easy-to-detect drop in average block times.
You want to build your inactive/offline stack as large as possible leading up to the attack. Importantly: it’s fine to use old, below-market-leading-performance equipment since the attack is so highly leveraged, i.e. any extra cost incurred due to chip or energy inefficiency is insignificant in the big picture. If it costs you $700k in energy expenditure instead of $600k to execute a $500 million attack, it’s not a big deal.
All of that being said, hash power leaving the network is indistinguishable from natural variance in block times, and Bitcoin devotees are remarkably relaxed about sudden drops.
Myth: Sunk Costs Of Hardware
Claim: The real cost of attack is in all the specialised mining hardware which typically makes up as much as 50-70% of miner costs and can’t be repurposed for anything else. Miners wouldn’t do it because if the value of BTC crashes, it makes all of this equipment worthless!
What if it’s already worthless, or virtually worthless, before the attack is started? Old, no-longer-profitable hardware is still perfectly viable to use in attacks like these. Given how leveraged the attack is, any extra cost caused by inefficiency vs. premium-condition hardware is merely a rounding error.
Old hardware (which literally has no other valuable purpose) can be picked up on the cheap directly, or you can just wait for your expensive new hardware to gradually recover its cost over time, via mining, before it eventually becomes old hardware — meaning that the net cost of acquiring it is $0, or even a slight profit.
In other words, if you buy $1 billion of equipment and mine with it until it’s no longer profitable, you’ll end up with just over $1 billion worth of BTC *and* $1 billion worth of just-below-market-performance equipment which can still be used in attacks.
Note that ASICs are the only part of the equation that is non-repurposable and tied to the value of the network.
Economic models of mining security tend to assume that the cost of mining hardware represents a fixed deterrent to attacks, but that’s not a safe assumption. Like the wide and shallow strategy described above, the hidden value of no-longer-profitable hardware has been overlooked.
Myth: ASIC resistance
Claim: We can make an ASIC-resistant proof-of-work algorithm!
Proof-of-work mining all comes down to energy efficiency, so at the end of the day the economics are still the same and it will always lead to centralisation/cartelisation due to physics, government action, and economies of scale. The problem is in the world of atoms, not bits, and there’s no protocol change or “ASIC-resistant” algorithm you could make to overcome that:
Plus, when you force people to use general purpose hardware for mining, you remove a different disincentive to attack, making it so an attacker doesn’t need to navigate the sunk cost of hardware. General purpose hardware has other valuable uses, so if someone uses it to attack the network, harming the currency, they can then just re-sell or repurpose the hardware for something else. You can’t do that with ASICs; they’re not repurposable to anything else, so their value is tied completely to the network.
Myth: The ‘Social Layer’
Claim: The fallback option of social consensus ensures any attack will not succeed!
Firstly, a social consensus re-org which rolls back the chain, overriding the authority of proof-of-work, is not ensured. There is a small probability that it happens, but — by design — social consensus re-orgs are incredibly difficult to organise, and they become increasingly difficult to organise as the network scales (especially as it begins to include enemies… North Korea, Iran, drug cartels, etc… at the same time).
Secondly, if it is easy to engineer social consensus re-orgs, Bitcoin has already failed.
The entire point of Bitcoin is being able to resist organised social attempts at control. Any system of governance, outside the protocol, that has the power to undermine the neutrality and immutability of the blockchain destroys the only reason to be using a blockchain in the first place.
As soon as such a social mechanism/governance structure is introduced, you’ve invited a world of trust-related problems which Bitcoin was built specifically to eliminate. It incurs significant operational costs in its design for no other purpose than eliminating those problems. There’s no point constantly going through the extraordinarily expensive process of proof-of-work mining if it’s ultimately just security theatre.
Claiming that immutability of the blockchain isn’t of paramount importance does not go down well with the Blockfather: