BITCOIN IS (possibly) BEING 51% ATTACKED
An Imperfect Understanding
Ask the first three DuckDuckGo results what a 51% attack is, and you will likely receive a familiar answer - an answer which is nonetheless incomplete:
“They would also be able to reverse transactions that were completed while they were in control… Attacks Are Prohibitively Expensive” - Investopedia
“Successful attackers gain the ability to block new transactions from being confirmed as well as change the ordering of new transactions… leading to an issue known as double spending… A 51% attack, however, is theoretically limited in the amount of disruption it can cause.” - Coindesk
“An attacker could double-spend through a "51% attack" in which the attacker amasses a majority of the hashrate on the target cryptocurrency… Satoshi Nakamoto assumed… that acquiring 51% of Bitcoin's hashrate would be impossible…” - MIT Digital Currency Initiative
These, and most ‘authorities’ on the subject, tend to focus on the ability of a malicious majority (51%) of miners to reverse a transaction: you trade the attacker your car, they give you 1 BTC which is about to be reverted after they drive away.
These sources, even Satoshi Nakamoto himself, hand-wave the possibility of such an attack based on the premise of insurmountable expense.
Ask most Bitcoiners to explain further, and they will cite the immense irrationality involved in spending all those resources to be the largest miner only to so obviously and detectably scam someone such that the market loses faith in The Bitcoin Network, tanking its price along with the attacker’(s’) mining investment.
But a 51% attack is broader than double-spending a transaction; double-spends are simply one of the new powers a 51% attacker gains. A more sophisticated use of a malicious majority can earn far more rewards and remain undetected indefinitely.
“Who’s In Charge Here?”
It helps to have a rock-solid understanding of the basics of Nakamoto Consensus. Anyone can create the next block in Bitcoin, so long as it doesn’t include invalid transactions (rejected by sensible nodes).
Since there is no central coordinator in Bitcoin (this is the whole point), any individual node alone in the forest of network-anarchy must have a method of choosing between two or more new blocks (or chains of blocks) which it knows every other node in the network will also select against (the beauty of this is full coordination without actually requiring every node to check-in with every other node). This is called ‘fork-choice.’
In Bitcoin, this objective measure for fork-choice is hashpower: the longest chain. Should a disagreement be received, choose the side which has the longer chain of new, valid blocks built on top of it. In a perfect world, the longer chain is longer because it includes more genuine transactions from demanding users - in practice, it is very cheap to make a block sending money to oneself, abusing this system to fabricate very long chains.
Hashing for the privilege to produce a valid block fixes this. The computational power required to abuse the system by creating 100,000 junk blocks is compressed into a single 256 bit ‘Proof of Work (cost).’ The space requirements have shrunk infinitely, but the computational energy requirement remains.[1] The longest chain now has a cost associated with its production and cannot be frivolously produced.
But the consensus mechanism is still, fundamentally: longest chain of blocks wins. Since Bitcoin nodes are required to spend resources to produce blocks, they must be paid. A sophisticated 51% attack abuses this necessary reward scheme of blockchain.
51% of Work; 100% of Rewards
It stands to reason that rational economic miners will not spend more on hashing than they stand to gain in block rewards (which take the form of newly minted BTC, and eventually just the BTC transaction fees). Thus the total amount of resources one can expect to be spent mining BTC is roughly the quantity of total rewards available over a given period.
Hashing in an effort to produce a valid block is not much different than buying lottery tickets - it is fair in the sense that energy spent is theoretically proportional to one’s chance at reward. But this fairness breaks down completely should any party have 51% control over total hashpower. In practice, Selfish Mining[2] Attacks (a relatively cheap attack) can reduce the required hash to as low as 33% in order to produce 51% of accepted blocks, but that’s another story.
Once an attacker has the ability to make blocks faster than the rest of the network (51% > 49%), they can always produce the longest chain solely through their own work - this is where the ability to double-spend comes from: at any point the attacker can make a longer chain and make certain not to include (or even better, include one which usurps) the transaction which they exchanged for some external good or service.
Once they’ve reverted their payment by making a new longest-chain, the network accepts it and… their work is complete? Why should it be?
The attacker has just made a massive investment which allows them to always make the longest chain - to receive every single block reward - and their master plan is to double-spend large transactions until everyone realizes it, and then go broke as the price of BTC tanks?
Here’s a better idea for the attacker: mine every single block and earn 100% of Bitcoin block rewards. If they paid the market rate for hashpower, they gain the ability to double their income once they begin 51% attacking. Double-spending is child’s play; the true 51% attack grants 100% control over block production - a doubling of potential rewards, up to all the rewards (though blocks and their transactions must still be valid to be accepted by independent nodes).
Sure, this control also grants the ability to double-spend, to censor transactions at will, but it more notably grants the ability to produce 100% of blocks at will and earn 100% of rewards. No rational attacker will fail to act on this.
Getting Away With It
Of course, the instant inability of 49% of network miners to ever produce a block, much like a blatant double-spend, will not go unnoticed - such disclosures risk tanking the price of Bitcoin and attacker’(s)’ investment. But fortunately for the attacker, unlike a double-spend attack, stealing each and every block will not require them to rewrite (industry term is “re-org”) several blocks at a time - a feat which will sound the alarms.
All it requires to usurp the most recent block is to release one’s own blocks before anyone else does. In the unfortunate scenario of a tie with an honest block producer, the attacker then must release their following block atop their attacking chain, not the honest minority chain. The addresses which receive the rewards of these attacking blocks can be changed at will. The attacking miners need not identify themselves; the honest network cannot discern the attacking majority from honest miners.
As long as the 51% attacker begins by producing, say, 55% of blocks, rather than 100%, the honest network will have no credible suspicion that an attack is taking place - they will simply see a decline in mining profitability, no different than if upgraded ASICs (mining computers), more efficient energy sources, or any other superior, but honest, competitor came online.
So rather than take 100% of blocks from the get-go, the attacker can slowly squeeze the margins of all other miners - as the honest minority’s ability to earn Bitcoin through mining sinks below their cost, they are forced to drop out completely, reducing competition and making the 51% cheaper to continue and harder to recover from - why would honest miners waste money to protect Bitcoin?
From there the path to ‘earning’ all block rewards is paved. Detection is impossible - the largest miners may be colluding to appear as distinct, while using their majority to oust competition. A 51% attack is credible, rational, achievable and invisible.
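As an added toy model of the economics in the two sections above (my illustration, not the article’s own figures), the Python below computes the honest minority’s odds of ever overtaking a majority chain (the gambler’s-ruin bound from the Bitcoin whitepaper), the reward split and visible fork rate when a majority orphans some fraction of honest blocks, and whether squeezed honest miners still cover their costs. It assumes producers are picked per height in proportion to hash share, the majority wins every tie, and orphaning an honest block costs the majority nothing, which is the article’s simplification.

```python
"""Toy model of a covert majority squeeze (added illustration, not from the article).

Assumptions (mine): block producers are chosen per height in proportion to hash
share; the majority wins every tie; orphaning an honest block costs the majority
nothing beyond the block it would have mined anyway. The fork rate, the one
on-chain trace the article mentions, is orphaned honest blocks per height."""
import random


def minority_catchup_probability(minority_hash: float, deficit: int) -> float:
    """Chance a chain with share `minority_hash` ever overtakes a rival chain
    `deficit` blocks ahead (gambler's-ruin bound from the Bitcoin whitepaper).
    Below 50% it decays geometrically with the deficit; at or above 50% it is 1."""
    majority_hash = 1.0 - minority_hash
    if minority_hash >= majority_hash:
        return 1.0
    return (minority_hash / majority_hash) ** deficit


def squeeze_shares(attacker_hash: float, orphan_fraction: float):
    """Expected (attacker_share, honest_share, fork_rate) when the majority
    orphans `orphan_fraction` of the honest minority's blocks."""
    honest_hash = 1.0 - attacker_hash
    honest_share = honest_hash * (1.0 - orphan_fraction)
    fork_rate = honest_hash * orphan_fraction
    return 1.0 - honest_share, honest_share, fork_rate


def honest_still_profitable(attacker_hash: float, orphan_fraction: float,
                            cost_to_revenue: float) -> bool:
    """`cost_to_revenue` is honest cost as a fraction of pre-squeeze revenue
    (share == hash). Honest miners stay only while squeezed revenue covers it."""
    honest_hash = 1.0 - attacker_hash
    _, honest_share, _ = squeeze_shares(attacker_hash, orphan_fraction)
    return honest_share / honest_hash >= cost_to_revenue


def simulate_squeeze(attacker_hash: float, orphan_fraction: float,
                     heights: int, seed: int = 7):
    """Monte Carlo over `heights` blocks; returns the realised
    (attacker_share, honest_share, fork_rate) to compare with squeeze_shares."""
    rng = random.Random(seed)
    attacker_paid = honest_paid = forks = 0
    for _ in range(heights):
        if rng.random() < attacker_hash:
            attacker_paid += 1        # majority mined this height outright
        elif rng.random() < orphan_fraction:
            forks += 1                # visible one-block fork; majority wins the tie
            attacker_paid += 1
        else:
            honest_paid += 1          # honest block left alone
    return attacker_paid / heights, honest_paid / heights, forks / heights


if __name__ == "__main__":
    print("49% side catching up from 6 behind:", minority_catchup_probability(0.49, 6))
    print("51% hash, 8% of honest blocks orphaned:", squeeze_shares(0.51, 0.08))
    print("honest at 90% cost ratio still profitable?", honest_still_profitable(0.51, 0.08, 0.9))
```

With 51% of hash and 8% of honest blocks orphaned the majority already collects about 55% of rewards while the chain shows only about a 4% one-block fork rate, which is the margin decline the article says honest miners would read as ordinary competition.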
Bitcoin is Possibly Being 51% Attacked
And so I say it again, without humour: Bitcoin is possibly being 51% attacked.
Even assuming the attacker had to spend a premium to collect the block production power, the reward for doing so, potentially 100% of block rewards for the indefinite future, means the premium they paid could in theory be quite steep while still a rational expenditure.
One of two pieces of on-chain evidence of their malicious behavior would be miners sometimes creating blocks at the same time - but this is expected to happen in normal conditions, and could be adjusted by the attacker to reduce suspicion until other miners drop out. Under a 51% attack the attacker could consistently ensure that their block wins the tie-breaker. There is no way to tell that a single entity is in fact the sole receiver of those victories.
Eventually, as the cost of mining is inflated for all but the attacker, they reduce the need to even produce tie-breaking blocks - they would win outright as costs are driven up for everyone else - allowing them to earn more rewards with less forking. As forking is the only possible evidence of attack, (a poor one at that), the attacker actually becomes more covert as they progress their power.
The other evidence would be a decline in hashpower. Since Bitcoin measures hashpower as ‘difficulty,’ 51% of the network removing 49% of hash would halve the difficulty. It is not unheard of that market conditions may do this without any dishonest behavior, but it would be quite the event, either as a cause for suspicion or a sharp decline in the value of Bitcoin and the attackers’ investment values.
However, assuming the goal is to maximize money gained, not blocks produced, the attacker may keep other miners around and simply reduce their margins so they are barely incentivized to stick around - just enough to avoid suspicion of their majority control.
This attacker never double-spends, because double-spending is conspicuous. They wouldn’t censor transactions at all, they would only censor blocks in favor of their own, something which can be done undetectably. They want Bitcoin to remain healthy for as long as they can extract block rewards from it, and this of course means covering their tracks.
Contrary to popular belief, there is a will and a way to 51% attack sustainably and at profit.
Mining Pools
But what are the chances of this taking place in practice? Well, in practice, it’s worse: block production is not handled by thousands of distinct mining operations, it is handled by several large mining pools, of which two or three could collaborate to 51% attack BTC.
Of course, Bitcoiners say that if they tried this, miners would abandon them immediately and drain them of their power - but Bitcoiners too often mistakenly believe that a 51% attack is just the subset of malicious majority attacks that one can detect.
If two or three mining pools began collaborating to arbitrarily break ties in favor of forks which paid them, and were doing so as to match the normal fork-rate of Bitcoin, no one but them would ever need to know. Eventually, as other miners not a part of their cabal suffered worse margins, they would drop out. The cabal then earns more without even needing to take advantage of forking.
But forking will happen in an honest network anyways, and attackers can control their rate of forks to avoid suspicion. Mining pools may be forced to identify themselves at block production, but 51% attacking certainly need not be performed in a way which offers solid evidence.
Miners may be able to detect it by comparing their relative returns for different mining pools whilst contributing the same hash (adjusting for differing reward schemes), but they would not have a rational incentive to whistleblow, as they would be profiting alongside the attacking pool(s), and the advantages of one pool over another may have less malicious explanations, offering plausible deniability.
Stockholm Syndrome
But if the most sophisticated attacker has an incentive not to censor transactions and not to double spend, are they truly a threat? If we answer ‘yes’ to this, is Bitcoin any better than a central bank?
It is, yes, in the ability to audit the protocol and the total supply and to continue validating the rules by volunteer nodes - it keeps the attackers in check to an extent, but is not a desirable outcome.
Could we all just wrap our Bitcoin and switch to Ethereum? It’s a tangential point - Ethereum makes its own trade-offs and is not itself safe from malicious majorities. Social consensus is their answer to attacks and opens the door to other problems (do a search for “social” on the linked page to get an idea for how reliant Ethereum security truly is on it).
The Practical Threat
Fundamentally, a 51% attack (not a double-spend) removes the ability for networks to remain open, that is, the ability for anyone to participate in consensus at a fair price.
There is no reason the attacker should ever concede this power should they acquire it, and acquiring the necessary hashpower at a high premium is worth it since they get a 50% discount if they choose to mine 100% of blocks and can drive competitors out long-term.
Attackers would not desire to reveal the loss in the fundamental value of Bitcoin which comes from them holding that power, and they would not be required to. This is the real threat: that some coalition may, with rational incentives and plausible deniability, at any point begin working towards a 51% attack and sustain it without any trace.
If Bitcoin ever did go on to become a global money, then the value of holding a majority of block production power would grow so large that revealing oneself in the performance of some international financial attack could easily outweigh the costs. Intelligence agencies would be chomping at the bit to discover and collaborate, possibly to double-spend, sanction, censor enemies or MITM attack enemies.
At this point a fork in the network will fail; the attacker need not follow the fork, and they may just as easily 51% that fork, actively and publicly destroying it. The only solution would be to switch to another hashing algorithm which ultimately may fall to the same fate and will have piss-poor initial economic-security to defend against that fate - same applies to a retreat to Proof of Stake.
At this point, Bitcoin has become a central bank. When the profit of block rewards is outweighed by the allure of absolute power over the network, and after mass adoption ties the global population to Bitcoin (as is alleged inevitable by Bitcoiners), the reward for blatant tyranny through majority control will finally outweigh the costs.
But for now, a 51% attacker will play smart by lying low, reaping their outsized rewards in secret. The existence of such an attacker right now or at any time cannot be disproven - but the incentives certainly encourage powerful block producers to pursue it.
As time goes on, government powers will have cheap avenues of pursuing it themselves through Selfish Mining Attacks and sophisticated infiltration of mining pool operations. The supposed high cost of this attack is greatly supplemented by more clever approaches - if intelligence agencies are adept at anything, it is replacing brute force with tact.
How To Prove a Chain is not Being 51% Attacked
It would be sad to have written such an article without remorse - and while the Bitcoin Maximalist will gain no respite, the world at large will:
The only way to prove a blockchain is not being 51% attacked is for it to be provably impossible to sustain a 51% attack.
It must be the case that no matter how powerful the block producer is, they always lose money as the attack carries on.
The way you do this is not by judging valid blocks by the amount of hashpower which went into them, which is ossified and destroyed when a competing block is created and accepted - instead, the work required to build a valid block comes from transaction fees.
When transaction fees are the fuel required to produce a valid block, and the block producer can earn at most half those fees back as a reward for collecting those transactions (and some other holes are plugged), the ability to destroy the work of block producers who have been outcompeted is removed.
The Basic Idea; A Simple Example
Consider you are a node which collects transactions for Alaska, and you compete against a node which collects transactions for China. The Chinese node has access to about 80% of the global transaction fee volume and your Alaskan node has the remaining 20% of fee volume.
In Bitcoin this split of block production power would mean China could always produce a longer chain, overwriting your own blocks at any point it desires, but not when transaction fees rather than hashpower determine valid blocks. China can produce four blocks for every one you produce, and when you produce a block they can exclude your block and outpace you to make the longer chain that does not include you.
But when the network rejects your block, your ‘work’ within that block is not destroyed - in Bitcoin it is, because the work depends on the previous block, but those transactions which you’ve collected, which remain unincluded, remain valid forms of work until they finally are included. So as the Chinese node continues to overwrite blocks you attempt to add, you continuously build up a pool of censored transactions, censored transactions which can still be used to produce a valid block.
Since you have 1/4 the block producing power of the Chinese node, after it censors you four times, you now have four blocks worth 1/4 the ‘work’ of that Chinese node, and for every block it builds you gain 1/4 of another block. The more censored you are, the larger the pool of transactions and ‘work’ you possess. As your pool grows, the tables turn, suddenly you have the power to produce blocks at a faster rate than the node which is censoring you.
If the Chinese node wants to keep censoring you, they must spend money to make their own transaction fees to match your ever-growing stash. The more they censor, the larger your stash, the more they must pay to keep overwriting your greater and greater ability to produce blocks.
Censoring blocks, the crucial step in a 51% attack, is no longer free, no matter how powerful you are.
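As an added illustration of the Alaska/China example above (my toy model, not Saito’s actual rules), the Python below runs the censorship round by round and prices it for the censor. It assumes whole fee units (China 80, Alaska 20 per round), that the censor’s block must carry at least as much fee-work as the censored pool can assemble or it loses the heavier-chain comparison, and that at most half of any fees the censor adds itself come back as reward, per the article’s “at most half” rule; the PoW comparison simply never lets the censored pool grow.

```python
"""Toy model of the Alaska/China example (added illustration, not Saito's protocol).

Assumptions (mine, not from the article): fees are whole "fee units"; each round the
censoring node collects `attacker_fees` and the censored node `victim_fees`; to keep its
chain the heavier one, the censor's block must carry at least as much fee-work as the
victim's pool, so any shortfall is topped up out of the censor's own pocket, of which at
most `rebate_percent` (<= 50, the article's "at most half") returns as block reward."""


def simulate_censorship(attacker_fees: int, victim_fees: int, rounds: int,
                        work_persists: bool = True, rebate_percent: int = 50):
    """One record per round: (round, victim_pool, top_up, net_cost, cumulative_net_cost).
    work_persists=False models PoW: the censored block's work hangs off the previous
    block and is destroyed, so the victim's pool never grows past one round of fees."""
    assert 0 <= rebate_percent <= 50, "producer earns back at most half the fees"
    pool = 0
    cumulative = 0
    history = []
    for r in range(1, rounds + 1):
        pool = pool + victim_fees if work_persists else victim_fees
        top_up = max(0, pool - attacker_fees)              # fee-work the censor must add itself
        net_cost = top_up * (100 - rebate_percent) // 100  # what is left after the partial rebate
        cumulative += net_cost
        history.append((r, pool, top_up, net_cost, cumulative))
    return history


def rounds_until_tables_turn(attacker_fees: int, victim_fees: int,
                             work_persists: bool = True, max_rounds: int = 10_000):
    """First round in which the censored pool alone outweighs the censor's own per-block
    fee-work, i.e. censorship stops being free (None if it never happens)."""
    for r, _, top_up, _, _ in simulate_censorship(attacker_fees, victim_fees,
                                                  max_rounds, work_persists):
        if top_up > 0:
            return r
    return None


def total_censorship_cost(attacker_fees: int, victim_fees: int, rounds: int,
                          work_persists: bool = True) -> int:
    """Cumulative net cost to the censor of excluding the victim for `rounds` rounds."""
    return simulate_censorship(attacker_fees, victim_fees, rounds, work_persists)[-1][-1]


if __name__ == "__main__":
    for rec in simulate_censorship(80, 20, 8):
        print("round %d: pool=%d top_up=%d net=%d cumulative=%d" % rec)
    print("fee-work: censorship costs money from round", rounds_until_tables_turn(80, 20))
    print("PoW: censorship costs money from round", rounds_until_tables_turn(80, 20, False))
```

Under the fee-work rule the censor pays from round 5 onward and the bill grows every round (210 units net over ten rounds), whereas the PoW run returns None because the destroyed work never accumulates.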
Cut to the Chase
Of course, this example relies on some sense of ownership over Alaskan transaction fees, so that the Chinese node cannot steal them. And in order to not begin a new chapter of this article which need not reiterate existing material, I will reveal less discreetly what most are likely interested in:
The consensus-protocol design which solves the generalized 51% attack exists: its name is Saito.
Following the basic example above, and plugging some important holes (like the concept of ‘transaction fee ownership’), Saito is the first blockchain which provably solves the 51% attack outright - because it does not permit the free destruction of the work of others, no matter how large of a majority an attacker holds - even up to 100%.
The theory behind this is deeply abstract, but at the same time does not qualify as moon math of the contrived sort which many attempt to employ to solve more fundamental problems.
The theory is economic - there are no tricks or concealed fundamental compromises, but it often takes time to wrap one’s head completely around the truth. This piece is only meant to offer a more complete view of the problem of 51% attacks and an invitation to the reality that the problem is indeed mathematically solvable.
It’s time to wake up.
[1] A notable realization here is this: Proof of Work is a compression of adding useless blocks. That the energy requirement remains speaks to the fact that the mining in PoW essentially funds the creation of useless data to fight attackers doing the same - only now those extraneous blocks can be represented as the succinct output of a SHA-256 hash.