It looks like a result with complex implications - e.g., maybe making it impossible for new miners to set up unless they have a meaningful advantage in operating costs instead of just parity with the entrenched players. It is hard to tell because market reality is a mess but if there is a meaningful strategic choice to be made beyond simply announcing a block when it is mined then there is a lot of room for weird equilibriums even if the paper's specific analysis turns out to have flaws.
How is it wasted if they work on the current chain? If they find a block during those X seconds, they'll propagate it before the waiting pool does. The waiting pool will then just lose the revenue from the block they put on hold. They're the ones wasting mining time when that happens, while the others never do.
1. They don't have to wait until another miner finds a block, they can just wait "for some time" and then release their block. All that time gives them the edge for the next block.
2. My understanding is that if two different blocks are found concurrently for the same head, then the network waits for the next block to select which "new head" is accepted. I.e. when there are competing chains, the longer chain wins. So I could imagine that a strategy could be to wait until some other miner announces their block and release yours precisely at that time, hence creating two competing chains. But you presumably have an edge because you have already been mining for a while on top of your block.
It's a race. Starting earlier obviously gives an advantage?!
It would be like saying you've an edge if you start earlier at the roulette.
In a lottery, the more tickets you buy, the higher your chances to have the winning number.
If we played with a roulette and said "the goal is to be the first to have a winning number at the roulette" and I could try 50 times before you started, obviously I would be more likely to win our game, wouldn't I?
Yes, and it's exactly the same in bitcoin with the hashing power. Each hash is a ticket.
> If we played with a roulette and said "the goal is to be the first to have a winning number at the roulette" and I can try 50 times before you start, obviously I am more likely to win our game, am I not?
In bitcoin the goal is not to be the first. The goal is to find a winning hash that's on a chain that will not be abandoned. As soon as a new block is propagated you start mining on the new head. It doesn't change anything that you previously worked on another chain. The time spent on the previous chain is not wasted, unless finding a block wouldn't have got you the reward.
There is a kind of a race if 2 blocks are found simultaneously. But that's not really what this discussion is about, and in this case the outcome depends mostly on network connectivity.
> The key idea behind this strategy, called Selfish Mining, is for a pool to keep its discovered blocks private, thereby intentionally forking the chain. The honest nodes continue to mine on the public chain, while the pool mines on its own private branch. If the pool discovers more blocks, it develops a longer lead on the public chain, and continues to keep these new blocks private. When the public branch approaches the pool's private branch in length, the selfish miners reveal blocks from their private chain to the public.
> In bitcoin the goal is not to be the first. The goal is to find a winning hash that's on a chain that will not be abandoned.
The goal is to be the first (or very close to the first), because it makes it much more likely that your chain will not be abandoned. If you wait 2 days before you reveal your block, obviously it will be abandoned...
I don't understand how this scenario is beneficial. If the selfish miner doesn't have 51% of the hashing power, they can discover more blocks than the public chain only if they are very lucky. They don't know in advance that they will be that lucky. Withholding blocks in hope of this luck means putting these blocks at a very high risk of being discarded and losing the rewards. Why would they do that, exactly? If they get lucky, they get the rewards of their chain, and discard the rewards of the other miners. If they don't, they lose a lot of rewards. On the other hand, if they just publish the blocks they find, they're almost guaranteed to get the rewards. Why take the risk? It sounds like putting your own rewards at risk just to put others' rewards at risk. It looks like the risks even out.
> The goal is to be the first (or very close to the first), because it makes it much more likely that your chain will not be abandoned.
Yes, if there are blocks that are found at almost the same time. But that's not the situation discussed here.
In other situations, being first doesn't matter. If a miner finds a block before you do, then you just start mining on top of their block. You haven't lost anything.
It VERY MUCH is.
Of course if you take another scenario that doesn't make sense, then it doesn't make sense :-).
> They don't know in advance that they will be that lucky.
Whenever you find a block, you know you are one of the first to find it. It's obvious because nobody else has published a block. So you know you are lucky right now. You can decide to wait 1, 2, 5, X seconds before you reveal your block and start mining the new block in the meantime.
Maybe you just mine for 5 seconds before revealing the block, and that's the winning strategy. Maybe you wait until someone else publishes their block and you immediately reveal yours, ending up with two competing chains but knowing that you had a headstart with yours.
The detail of whether or not this is profitable, and how exactly you should do it (Wait X seconds? Wait until someone publishes a block?) is statistics and game theory ("What if the others are also withholding their blocks now? What is their strategy?"). The whole question is whether or not there is a practical, profitable strategy doing that.
So you can get a head start on the next block from the likely new head block you've found.
It only works on average of course, you might be the one wasting resources if someone else published a block while you're withholding yours, but the trick is for you to gain an edge on average.
Now what happens if everyone is doing that calculation? That's where you need to do the game theory analysis (which I haven't and don't claim to understand).
Finding a block relatively early doesn't affect the odds of others finding a block soon. The odds are always the same, each hash is an independent event.
I don't see why withholding would get you an edge on average. If the others find a block while you're withholding, you lose your reward. If you find another block before them, you get the rewards of 2 blocks, exactly like if the same happened but you didn't withhold.
The only way for you to have an advantage is if you find a 2nd block at the same time as another one finds one on the other chain. You can then publish a height of 2 vs a height of 1, so you win. But to do that you have to first put your first block reward at high risk by withholding it. I don't think the odds are in your favor here.
Edit: I think the strategy does work, but a little differently: if you withhold a block and someone else finds one while you do so, you can still publish yours and win a race with a certain probability, i.e. the expected loss is not as high as one might think.
Then, if you do that and if you have enough hash power, you can end up mining a private chain ahead of the public one often enough, so that the loss you take is less than the loss others take through the hash power they are wasting because of you doing this.
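The disagreement in this part of the thread can be checked numerically. The following is an added example, not part of the thread or the paper's own code: a Monte Carlo run of the withholding strategy from the Selfish Mining quote above (Eyal and Sirer's state machine), compared with that paper's closed-form revenue share. Here `alpha` is the pool's share of hash power and `gamma` the fraction of honest miners that build on the pool's block in a tie; the function names are illustrative.

```python
import random

def closed_form_share(alpha: float, gamma: float) -> float:
    """Pool's share of main-chain blocks under selfish mining (closed form)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den

def profit_threshold(gamma: float) -> float:
    """Smallest alpha at which withholding beats honest mining."""
    return (1 - gamma) / (3 - 2 * gamma)

def simulate_share(alpha: float, gamma: float, n_blocks: int = 300_000, seed: int = 1) -> float:
    """Simulate block discoveries and count blocks that end up on the main chain."""
    rng = random.Random(seed)
    pool = honest = 0   # main-chain blocks credited to each side
    lead = 0            # private chain length minus public chain length
    tie = False         # two competing branches of equal length are public
    for _ in range(n_blocks):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:
                pool += 2                 # pool extends its own branch and wins
            elif rng.random() < gamma:
                pool += 1                 # honest miner built on the pool's block
                honest += 1
            else:
                honest += 2               # pool's withheld block is abandoned
            tie = False
        elif pool_found:
            lead += 1                     # keep the new block private
        elif lead == 0:
            honest += 1                   # nothing withheld, honest block stands
        elif lead == 1:
            lead, tie = 0, True           # publish the withheld block, race begins
        elif lead == 2:
            pool += 2                     # publish both blocks, public block is orphaned
            lead = 0
        else:
            pool += 1                     # publish one block, stay ahead
            lead -= 1
    return pool / (pool + honest)

if __name__ == "__main__":
    for alpha, gamma in [(0.2, 0.0), (0.2, 0.5), (0.3, 0.5), (0.4, 0.0)]:
        sim = simulate_share(alpha, gamma)
        cf = closed_form_share(alpha, gamma)
        print(f"alpha={alpha:.2f} gamma={gamma:.1f} honest={alpha:.3f} "
              f"simulated={sim:.3f} closed_form={cf:.3f} "
              f"threshold={profit_threshold(gamma):.3f}")
```

In this model a pool below the threshold earns less than its hash-power share by withholding, and a pool above it earns more, which is why both sides of the argument can point to cases that support them.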
A finds a block after 1 minute, then powers off and waits for another minute. They reveal the block after 2 minutes.
B searches for the block for 2 minutes.
After 2 minutes, A has used 1 minute of their compute, and B has used 2.
The benefit there is that if another miner released a block before that 3 minutes this miner still can release their first block and has already spent 2 minutes working on a block that could better validate their first block now that there are competing chains.
If B finds a block between minute 1 and 2, they start working on their competing chain, but A is already working on theirs. And A had a headstart because it started working on it somewhere between minute 1. So it's more likely that A's fork wins the race in the end.
I'd even say that B is slightly more likely to keep their reward because they started propagating their block earlier, so it's more likely other miners are mining on this block.
If A finds a second block between minute 1 and 2, then they win, but it would be the same if they didn't withhold their block.
When A is mining on their hidden block, they mine for a potential height of 2 that would win against a miner only able to push a height of 1. But by doing that they put the block they found at risk of being abandoned because another miner found a block in the meantime.
So if you find a block, you get almost 100% chance it'll stay if you publish it immediately. If you withhold it and find another one you get 100% chance of keeping your 2 blocks. If you don't find that 2nd one, you get <50% chance of your block to be the main chain (depending on time of reaction of another block being published, and connectivity). On the other hand, if you don't withhold it and find 2 blocks in a row, you also get almost 100% chance of keeping your 2 blocks. I fail to see how withholding is profitable.
Because you keep ignoring the part where it is profitable :-).
> If A finds a second block between minute 1 and 2, then they win, but it would be the same if they didn't withhold their block.
Except that by withholding their block, they got a headstart so they are more likely to find the second block. So it's not the same.
And you keep ignoring the fact that they don't necessarily have to wait until someone else finds a competing block. Maybe a winning strategy is to always withhold the block for 5 seconds. If you slightly increase your likelihood to find the winning block, you increase your profit, and that's the whole point.
With the interesting consequence (and that's the game theory part) where if everybody starts withholding their block for 5 seconds, then it changes the winning strategy.
Withholding their block (5s or whatever) doesn't make them more likely to find the second block. The probability of finding a block is always the same, given a hashrate.
They are the only ones mining on this particular chain, but that's not an advantage either. How is mining on a hidden chain an advantage?
On the other hand, withholding certainly makes them more likely to lose the reward of the block.
I don't know if I have a good comparison here, but maybe something like "if the bank keeps your money for a little longer before validating your transaction, they can use your money for a little longer and make more money from it". Of course if your bank says that a transaction takes 1 year, you will go to another bank. But if they say it takes a day...
There’s nothing inherently valuable about crypto beyond what value people assign to it in their minds.
The answer is "no, it's not the same". The attack does not require everybody to agree that the bitcoin is worthless.
Obviously if everybody agrees that the bitcoin is worthless, then it is worthless. But that's a separate topic.
Ultimately the populace could repudiate the whole social contract, which is also just consensus, but that's a far bigger deal than mere money.
What are you referring to with “research more”?
But I do wonder if the abstract nature of it will forever hinder its ability to do so universally.
I’m also interested why Bitcoin Cash wasn’t more successful after the fork.
If it wasn't radioactive, poisonous and pyrophoric people would probably all just leap into the Neptunium market.
If it were only worth pennies an ounce, numerous industries wouldn't be paying what they do for it. The fact that many industries value it at several thousand dollars an ounce is self-evident from their continued use of it.
Some bitcoin advocates will talk about how useful it is as a currency, and I wonder how much bitcoin is actually used for purposes other than to hope you can sell it to someone else for more than you paid.
For most people the value is what they can receive for it in trade. Which holds for all money.
However, as Bitcoin's security inevitably weakens over the coming years due to diminishing miner rewards (denominated in BTC), I believe this "6-confirmation" acceptance policy will change to include not only the number of confirmations, but the timing of those confirmations as well. Consider a scenario where an exchange is deciding whether a tx with 6 confirmations that took 4 hours to arrive (this happens occasionally) is safe to consider finalized/settled. Even though 6 confirmations may be considered safe by today's acceptance policies, this tx would still have a high probability of double spend due to the assumed 4-hour long wait for the 6 confirmations (as the attacker would have 4 hours to produce 7 blocks instead of the normal/expected 1 hour). Instead of ignoring block interarrival timing, it may make sense to include block timing as part of an acceptance policy.
So, going forward Bitcoin acceptance policies may change from today's 6-confirmation standard to something more complicated that involves the amount of time those blocks took to arrive. This would significantly enhance Bitcoin's double spending resistance without adding/altering any code and may give the network a much needed security boost in the coming years to prevent the attack discussed in the post.
I don't see how it could be profitable. If it can't be profitable, then the risk of someone doing it is pretty low. If they already have the necessary hardware, they'd be much better off mining.
I would have expected such security rules are part of the miner code, no? Don't they need to consider rules related to the comparative security level of a chain when deciding which chain to follow when multiple exist?
That's incorrect. Security scales with USD-denominated rewards, not BTC-denominated. And there are 16 years of real-world data showing they have been generally increasing, so a healthy sign that the Bitcoin experiment is working:
https://newhedge.io/bitcoin/block-reward-per-block
And not only that, but rewards are still expected to stabilize even when measured in BTC (thereby not relying on an increase of BTC's price) as they are progressively composed more and more of tx fees instead of newly mined BTC.
It's puzzling to me why some still don't understand the systemic incentives that make all this work as it has for 16 years and counting...
Then I guess you're the type who will be really surprised to learn that with diminishing rewards comes increasing consolidation.
> ... that make all this work as it has for 16 years and counting...
That's a convenient way to memory hole the market flash crashes, network forks, the blocks mined without consensus, and everything bad that happened over that timeframe.
Says you, without a hint of a rationale backing your argument.
It seems to me that the historical hashing rate curve tells a different story.
And block rewards have been diminishing regularly (and very predictably) pretty much since day one.
> block rewards have been diminishing regularly
That's exactly what the poster you're replying to argued; the BTC denominated block subsidy halves every 4 years, and so without a corresponding doubling in price, the bitcoin security budget keeps diminishing, at least until tx fees start to dominate the subsidy.
--- Starting in late 2020, as shown in The Economist's graphic, the spot market in Bitcoin became dwarfed by the derivatives markets. In the last month $1.7T of Bitcoin futures traded on unregulated exchanges, and $6.4B on regulated exchanges. Compare this with the $1.8B of the spot market in the same month. ---
If you can make a gigantic bet on the price going up and then buy a large amount of Bitcoin that moves the price up you can win from that. See the Jane Street India derivatives market issue.
If I'm buying futures I can enter into a contract that says "I'll buy a contract for 1BTC that says BTC is going to go from $88.5k to $98.5k in 1 year." I don't actually hand over any money. In a year's time, if BTC is now $100k the person who agreed on the contract gives me $10k. If it doesn't go up then I owe the seller $10k. The futures contract is settled in cash - no BTC is involved.
Right now though, I don't have a $88.5k to spend on BTC, so the spot market isn't an option. I probably could find $10k in a year's time so a bet on a BTC future might be viable. The actual derivative 'value' isn't real though. The only money changing hands is the delta of the change in value when the contract is settled.
(Caveat: I am a total noob at finance stuff so this could be quite wrong. One of the many reasons I will not be buying that futures contract. :) )
In ~6 more years, Bitcoin will undergo two more halvings, so if the price of BTC is not ~400k by then, then attack will have become more feasible.
Yeah yeah, I've read the arguments about liquidity issues, shutting down the rails, making it illegal to trade, etc. but that's beside the point and depends on a thousand future variables to play out. So I don't know if btc will make it or not, but I do know property rights mean everything to humans. They literally determine whether or not one is a slave (I am my own property). So just the ability to have a technology that enables pure property rights to a world where nobody really has enforceable property rights over anything seems pretty interesting to me.
Bitcoin doesn't enforce property rights. The only thing you own is your bitcoin. The fact that I "own" my house and the land it is built on is enforced by the state with guns.
It's more like saying a hypothetical car which moves itself by using gasoline as a propellant rather than fuel for its combustion engine would have negative value.
Sure, using fuel (of all things) for propulsion would be one way to move a vehicle, but it would be inefficient by design.
Bitcoin, at least, was created during a time where there was no alternative to security-by-inefficiency, but PoS and other consensus mechanisms are pretty battle-tested now.
The Monero PoW community has had to deal with such nonsense, as have other smaller PoW coins.
With ε=1e-3, the expected number of 6 confirmations works only so long as the largest pool size does not exceed 12%. For a pool size of 30%, at least 24 confirmations should be required in Bitcoin, but 49 in Monero with its stricter ε=1e-6. You can see the table and the math at https://gist.github.com/impredicative/0907e1699f5ff97a9fed5d... and again it's all cleanly reproducible from the whitepaper. Anyone who is still requiring only 6 confirmations then will be setting themselves up for a risk of reversal.
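The calculation this comment refers to, as an added example that is not part of the thread or the linked gist: a Python port of the attacker-success formula from the Bitcoin whitepaper (section 11), used to find the smallest confirmation count for a given attacker share `q` and accepted reversal risk `eps`. The function names are illustrative.

```python
import math

def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q ever catches up
    after the merchant has waited for z confirmations."""
    if q >= 0.5:
        return 1.0                       # a majority attacker always catches up
    p = 1.0 - q
    lam = z * q / p                      # expected attacker progress (Poisson mean)
    poisson = math.exp(-lam)             # Poisson pmf at k = 0
    total = 1.0
    for k in range(z + 1):
        if k:
            poisson *= lam / k           # pmf(k) from pmf(k - 1)
        # attacker has k blocks and still needs to close a gap of z - k
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total

def confirmations_needed(q: float, eps: float, z_max: int = 10_000) -> int:
    """Smallest z with attacker success probability below eps."""
    if q >= 0.5:
        raise ValueError("no finite confirmation count is safe for q >= 0.5")
    for z in range(z_max + 1):
        if attacker_success_probability(q, z) < eps:
            return z
    raise ValueError("z_max reached before the risk dropped below eps")

if __name__ == "__main__":
    print(" q     eps=1e-3  eps=1e-6")
    for q in (0.10, 0.12, 0.20, 0.30, 0.40):
        print(f"{q:.2f}  {confirmations_needed(q, 1e-3):8d}  "
              f"{confirmations_needed(q, 1e-6):8d}")
```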
Perhaps this is more suitable as a response over months or years to a long-term shift in the composition of Bitcoin miners than as a short-term measure when it appears that someone has suddenly acquired 30% of mining capacity today.
So 240 minutes for Bitcoin, and 98 minutes for Monero.
So even though Monero is more strict, it is still "faster".
EDIT: For comparison: https://gridwatch.co.uk/
There are a lot of ifs and buts here ... but the amount of power used to support the BT mechanism worldwide is roughly the same as the power consumption of the entirety of the UK.
The vast majority of transactions are speculation on what other people might pay for a bitcoin (i.e., a line on a spreadsheet). And even then, that speculation and trading often occurs on secondary markets which rely on trusted third parties - thus rendering the entire ordeal even more pointless.
(*) Approaching no-one on a global scale.
If we ever get to the point where bitcoin or what people are doing on servers is the most pressing problem in the world worthy of our outrage, I will cheer you on.
"Anon yells at cloud" isn't worth anyone's effort or time.
Burning firewood actually immediately releases an extensive set of carcinogens, also causing depression.
"Today, Hedera is performing the equivalent of over 10,000,000 transactions and 788,000 transactions for the same amount of energy it takes Bitcoin and Ethereum to process 1, respectively."
[0]: https://hedera.com/blog/going-carbon-negative-at-hedera-hash...
[1]: https://discovery.ucl.ac.uk/id/eprint/10160701/
Unlike AI, there's a strong incentive to find the cheapest electricity possible. Because that's what everyone else is doing. With Bitcoin, you know exactly what your costs are and what your yields are. There's a clear threshold, when power in an area becomes too expensive there's no reason left to mine.
AI, on the other hand, is a bet on the future - infinite gains. No matter how much power costs, it's worth it to keep using as much as possible. We can't know how much power AI uses. Unlike Bitcoin, there aren't any metrics from which to extrapolate. But we do know that AI uses more power than Bitcoin already. We just have no idea how much more.
Funny thing about that. Civilized governments put a stop to that, by fining flare-offs to make it economical to not do that.
WTF? Hydro is rarely wasted because it's so dispatchable. Typically, it can only happen during high water seasons. Same for the gas power plants.
> Unlike AI, there's a strong incentive to find the cheapest electricity possible.
Like coal.
7 transactions per second is NOT a sure bet.
Cmon you remember supply and demand right
I have nothing against bitcoin being the money of the future, but if it is to become that, this is the sort of trial by fire that it should endure.
Shakeeb Ahmed was convicted of wire fraud for exploiting a smart contract bug.
Avi Eisenberg was also convicted for exploiting a smart contract bug, but he had his conviction overturned on appeal.
The Peraire-Bueno brothers were in court for exploiting a bug in the MEV mechanism but it ended in a mistrial so we're going to have to wait to find out.
Not legal advice ;-)
That said, authorization implies an entity with ownership rights granting some kind of limited license to others to interact with the owner's property.
For a permissionless decentralized network with no owner, where the attack is against the consensus of which chain is valid, I'd have a hard time arguing that "authorization" as a concept is even applicable or relevant.
As wmf suggested, market manipulation laws may still apply, but I'm not sure traditional CFAA "without authorization" / "exceeding authorized access" hacking charges could apply, though I'd be willing to bet a prosecutor could make a case for wire fraud - a scheme to defraud using interstate communications.
But who ultimately controls Bitmain? The Chinese state.
So, by extension, bitcoin is controlled by the CCP.
What a shitshow. Crypto needs to move on from bitcoin already, pick something better... anything better. There are so many options, and bitcoin is the worst of all of them.
Heck, they can embed CSAM into the Bitcoin blockchain and that won't stop anyone from using it, because above all else, line must go up.
"Democratizing finance" my a**.
Fortunately I'm not prone to refer to the green site.
0000FF gang, unite!
The real trojan horse is the 3% inflation each year that the government subjects us to with their moneyprinting. It compounds one's savings into nothingness. That's before it ultimately blows up altogether with hyperinflation which is its only possible long-term outcome given the exponential debt that doesn't scale with GDP.
In fact, wiping out the derivative markets would be seen as a net positive by most individual hodlers.