Irreversible Transactions: Difference between revisions
→See Also: added link to bram cohen's blog post discussion of zeroconfirm |
m →How many confirmations are required: edited ref |
||
(18 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
When used correctly, Bitcoin's base layer transactions on the [[blockchain]] are irreversible and final. It's no exaggeration to say that the entirety of bitcoin's system of [[blockchain]], [[mining]], [[proof of work]], [[difficulty]] etc, exist to produce this history of transactions that is computationally impractical to modify. | |||
In the literature on electronic cash, this property was often refer to as "solving the double-spending problem". Double-spending is the result of successfully spending some money more than once. Bitcoin users protect themselves from double spending fraud by waiting for [[confirmation|confirmations]] when receiving payments on the blockchain, the transactions become more irreversible as the number of confirmations rises. | |||
Other electronic systems prevent double-spending by having a master authoritative source that follows business rules for authorizing each transaction. Bitcoin uses a decentralized system, where a [[Full node#Economic_strength|consensus]] among nodes following the same protocol and [[proof of work]] is substituted for a central authority. This means bitcoin has special properties not shared by centralized systems. For example if you keep the [[private key]] of a bitcoin secret and the transaction has enough confirmations, then nobody can take the bitcoin from you no matter for what reason, no matter how good the excuse, no matter what. Possession of bitcoin is not enforced by business rules and policy, but cryptography and game theory. | |||
Because bitcoin transactions can be final, merchants do not need to hassle customers for extra information like billing address, name, etc, so bitcoin can be used without registering a real name or excluding users based on age, nationality or residency. Finality in transactions means [[Contract|smart contracts]] can be created with a "code-is-law" ethos. | |||
==Attack vectors== | ==Attack vectors== | ||
Line 9: | Line 11: | ||
===Race attack=== | ===Race attack=== | ||
Traders and merchants who accept a payment immediately on seeing "0/unconfirmed" are exposed to | Traders and merchants who accept a payment immediately on seeing "0/unconfirmed" are exposed to the transaction being reversed. An attempt at fraud could work that the fraudster sends a transaction paying the merchant directly to the merchant, and sends a conflicting transaction spending the coin to himself to the rest of the network. It is likely that the second conflicting transaction will be mined into a block and accepted by bitcoin nodes as genuine. | ||
Merchants can take precautions (e.g., disable incoming connections, only connect to well connected nodes) to lessen the risk of a race attack but the risk cannot be eliminated. Therefore, the cost/benefit of the risk needs to be considered when accepting payment on 0/unconfirmed when there is no recourse against the attacker. | Merchants can take precautions (e.g., disable incoming connections, only connect to well connected nodes) to lessen the risk of a race attack but the risk cannot be eliminated. Therefore, the cost/benefit of the risk needs to be considered when accepting payment on 0/unconfirmed when there is no recourse against the attacker. | ||
The [[research]] paper [http://eprint.iacr.org/2012/248.pdf Two Bitcoins at the Price of One] finds that the protocol allows a high degree of success by an attacker in performing race attacks. The method studied in the research paper depends on access to the merchant's Bitcoin node which is why that even prior to this paper, recommendations for merchants include disabling incoming connections and to choose specific outgoing connections<ref>[http://bitcointalk.org/index.php?topic=79090.msg881283#msg881283 BitcoinTalk Thread - Two Bitcoins at the Price of One]</ref> | The [[research]] paper [http://eprint.iacr.org/2012/248.pdf Two Bitcoins at the Price of One] finds that the protocol allows a high degree of success by an attacker in performing race attacks. The method studied in the research paper depends on access to the merchant's Bitcoin node which is why that even prior to this paper, recommendations for merchants include disabling incoming connections and to choose specific outgoing connections.<ref>[http://bitcointalk.org/index.php?topic=79090.msg881283#msg881283 BitcoinTalk Thread - Two Bitcoins at the Price of One]</ref> | ||
===Finney attack=== | ===Finney attack=== | ||
Another attack the trader or merchant is exposed to when accepting payment on 0/unconfirmed. The Finney attack is a fraudulent double-spend that requires the participation of a miner once a block has been mined<ref>[http://www.bitcointalk.org/index.php?topic=3441.msg48384#msg48384 Best practice for fast transaction acceptance - how high is the risk?]</ref> | Another attack the trader or merchant is exposed to when accepting payment on 0/unconfirmed. The Finney attack is a fraudulent double-spend that requires the participation of a miner once a block has been mined.<ref>[http://www.bitcointalk.org/index.php?topic=3441.msg48384#msg48384 Best practice for fast transaction acceptance - how high is the risk?]</ref> The risk of a Finney attack cannot be eliminated regardless of the precautions taken by the merchant, but some miner hash power is required and a specific sequence of events must occur. Just like with the race attack, a trader or merchant should consider the cost / benefit when accepting payment on just one confirmation when there is no recourse against the attacker. | ||
A Finney attack works as follows: Suppose the attacker is generating blocks occasionally. in each block he generates, he includes a transfer from address A to address B, both of which he controls. To cheat you, when he generates a block, he doesn't broadcast it. Instead, he opens your store web page and makes a payment to your address C with his address A. You may wait a few seconds for double-spends, not hear anything, and then transfer the goods. He broadcasts his block now, and his transaction will take precedence over yours. | |||
===Vector76 attack=== | ===Vector76 attack=== | ||
Also referred to as a one-confirmation attack, is a combination of the race attack and the Finney attack such that a transaction that even has one confirmation can still be | Also referred to as a one-confirmation attack, is a combination of the race attack and the Finney attack such that a transaction that even has one confirmation can still be reversed. The same protective action for the race attack (no incoming connections, explicit outgoing connection to a well-connected node) significantly reduces the risk of this occurring. | ||
It is worth noting that a successful attack costs the attacker one block - they need to 'sacrifice' a block by not broadcasting it, and instead relaying it only to the attacked node. | It is worth noting that a successful attack costs the attacker one block - they need to 'sacrifice' a block by not broadcasting it, and instead relaying it only to the attacked node. | ||
Line 27: | Line 31: | ||
See on [http://bitcointalk.org/index.php?topic=36788.msg463391#msg463391 BitcoinTalk] or further [http://www.reddit.com/r/Bitcoin/comments/2e7bfa/vector76_double_spend_attack/cjwya6x example of an attack scenario]. | See on [http://bitcointalk.org/index.php?topic=36788.msg463391#msg463391 BitcoinTalk] or further [http://www.reddit.com/r/Bitcoin/comments/2e7bfa/vector76_double_spend_attack/cjwya6x example of an attack scenario]. | ||
=== | === Blockchain reorganization attack=== | ||
Also called alternative history attack. This attack has a chance to work even if the merchant waits for some confirmations, but requires relatively high hashrate and risk of significant expense in wasted electricity to the attacking miner. | |||
The attacker submits to the merchant/network a transaction which pays the merchant, while privately mining an alternative blockchain fork in which a fraudulent double-spending transaction is included instead. After waiting for ''n'' confirmations, the merchant sends the product. If the attacker happened to find more than ''n'' blocks at this point, he releases his fork and regains his coins; otherwise, he can try to continue extending his fork with the hope of being able to catch up with the network. If he never manages to do this then the attack fails, the attacker has wasted a significant amount of electricity and the payment to the merchant will not be reversed. | |||
===[[Majority attack]]=== | |||
Also referred to as a 51% attack or >50% attack. If the attacker controls more than half of the network hashrate, the previously-mentioned Alternative history attack has a probability of 100% to succeed. Since the attacker can generate blocks faster than the rest of the network, he can simply persevere with his private fork until it becomes longer than the branch built by the honest network, from whatever disadvantage. | |||
No amount of confirmations can prevent this attack; however, waiting for confirmations does increase the aggregate resource cost of performing the attack, which could potentially make it unprofitable or delay it long enough for the circumstances to change or slower-acting synchronization methods to kick in. Bitcoin's security model relies on no single coalition of miners controlling more than half the mining power. A miner with more than 50% hash power is incentived to reduce their mining power and reframe from attacking in order for their mining equipment and bitcoin income to retain it's value. | |||
== How many confirmations are required == | |||
The | The probability of success is a function of the attacker's hashrate (as a proportion of the total network hashrate) and the number of confirmations the merchant waits for. An online calculator can be found here: https://people.xiph.org/~greg/attack_success.html | ||
For example, if the attacker controls 10% of the network hashrate but the merchant waits for 6 confirmations, the success probability is on the order of 0.1%.<ref>[https://bitcoil.co.il/Doublespend.pdf Analysis of hashrate-based double-spending]</ref> Because of the opportunity cost of this attack, it is only game-theory possible if the bitcoin amount traded is comparable to the block reward (but note that an attacking miner can attempt a brute force attack against several counterparties at once). | |||
If the bitcoin amount being transacted is so large that it is comparable to the block reward, then merchants should wait 100 confirmations for their incoming transactions to be irreversible. | |||
=== Bribing miners to reorg a confirmed [[transaction]] === | |||
In the past after large bitcoin thefts, it has been suggested that the theft victim attempts to bribe miners into reversing the confirmed transaction. This does not work because the thief can easily outbid with their own bribe. The thief gets a head-start as the transaction would already have confirmations. Every block that gets mined adds a block reward amount of bitcoins more that the attacker could keep while still paying more than the victim, as is every percentage of hashpower that doesn't go along with it. Such a reorg attempt, if successful, would also cause massive disruption in the bitcoin network and open the reorganizing miners and victim to litigation. | |||
Examples: | |||
* In August 2016 the Bitfinex exchange suffered a hack of 120000 bitcoins. Here is a reddit discussion involving bitcoin experts about bribing miners to reorg and why that's a bad idea: https://archive.is/S2fBH | |||
* In May 2019 the Binance exchange was hacked for 7000 bitcoins and a similar suggestion was made: https://twitter.com/JeremyRubin/status/1125919526485254144 | |||
==Successful Double-Spends in Practice== | |||
* In November 2013 it was discovered that the GHash.io mining pool appeared to be engaging in repeated payment fraud against BetCoin Dice, a gambling site<ref>[https://bitcointalk.org/index.php?topic=327767.0 BitcoinTalk Thread - GHash.IO and double-spending against BetCoin Dice]</ref>. Dice sites use one transaction per bet and don’t wait for confirmations. GHash.io claimed they had investigated and found a rogue employee who had been doing the double spending, who was fired. However no evidence supporting this was provided and the incident left a permanent cloud hanging over the pool. Regardless, it didn’t seem to hurt their market share much: most miners probably never heard about the incident at all. | |||
==Consumer Protection== | |||
Although bitcoin's base layer blockchain transactions are irreversible, consumer protection can be implemented on a layer on top. | |||
For example [[Secure_Trading#Use_an_Escrow_Service|using an escrow agent]] is a powerful technique especially when combined with [[Multisignature|multisignature smart contracts]]. Also bitcoin sites such as online casinos rely on their long-standing reputation and some regulated brokers and exchanges simply rely on the legal system. | |||
See also: [[Myths#Bitcoin_has_no_built-in_chargeback_mechanism_and_this_is_bad]] | |||
==See Also== | ==See Also== | ||
* [[Weaknesses]] | * [[Weaknesses]] | ||
* [[Bitcoin as a medium of exchange]] | |||
* [http://codinginmysleep.com/bitcoin-attacks-in-plain-english Bitcoin Attacks in Plain English] by David Perry | * [http://codinginmysleep.com/bitcoin-attacks-in-plain-english Bitcoin Attacks in Plain English] by David Perry | ||
* [https://medium.com/@bramcohen/the-inevitable-demise-of-unconfirmed-bitcoin-transactions-8b5f66a44a35 Thorough discussion of zero-confirm on-chain transactions in bitcoin] by Bram Cohen | * [https://medium.com/@bramcohen/the-inevitable-demise-of-unconfirmed-bitcoin-transactions-8b5f66a44a35 Thorough discussion of zero-confirm on-chain transactions in bitcoin] by Bram Cohen | ||
* [https://bitcoin.stackexchange.com/questions/87652/51-attack-apparently-very-easy-refering-to-czs-rollback-btc-chain-how-t/87655#87655 stackexchange discussion on exchanges bribing miners to reverse transactions] | |||
* [https://pooldetective.org/ MIT DCI’s pool detective app monitors various mining pools for odd behaviour like censorship, selfish mining or reorg attempts] | |||
[[de:Doppelausgaben]] | [[de:Doppelausgaben]] |
Latest revision as of 16:39, 8 April 2022
When used correctly, Bitcoin's base layer transactions on the blockchain are irreversible and final. It's no exaggeration to say that the entirety of bitcoin's system of blockchain, mining, proof of work, difficulty etc, exist to produce this history of transactions that is computationally impractical to modify.
In the literature on electronic cash, this property was often refer to as "solving the double-spending problem". Double-spending is the result of successfully spending some money more than once. Bitcoin users protect themselves from double spending fraud by waiting for confirmations when receiving payments on the blockchain, the transactions become more irreversible as the number of confirmations rises.
Other electronic systems prevent double-spending by having a master authoritative source that follows business rules for authorizing each transaction. Bitcoin uses a decentralized system, where a consensus among nodes following the same protocol and proof of work is substituted for a central authority. This means bitcoin has special properties not shared by centralized systems. For example if you keep the private key of a bitcoin secret and the transaction has enough confirmations, then nobody can take the bitcoin from you no matter for what reason, no matter how good the excuse, no matter what. Possession of bitcoin is not enforced by business rules and policy, but cryptography and game theory.
Because bitcoin transactions can be final, merchants do not need to hassle customers for extra information like billing address, name, etc, so bitcoin can be used without registering a real name or excluding users based on age, nationality or residency. Finality in transactions means smart contracts can be created with a "code-is-law" ethos.
Attack vectors
Race attack
Traders and merchants who accept a payment immediately on seeing "0/unconfirmed" are exposed to the transaction being reversed. An attempt at fraud could work that the fraudster sends a transaction paying the merchant directly to the merchant, and sends a conflicting transaction spending the coin to himself to the rest of the network. It is likely that the second conflicting transaction will be mined into a block and accepted by bitcoin nodes as genuine.
Merchants can take precautions (e.g., disable incoming connections, only connect to well connected nodes) to lessen the risk of a race attack but the risk cannot be eliminated. Therefore, the cost/benefit of the risk needs to be considered when accepting payment on 0/unconfirmed when there is no recourse against the attacker.
The research paper Two Bitcoins at the Price of One finds that the protocol allows a high degree of success by an attacker in performing race attacks. The method studied in the research paper depends on access to the merchant's Bitcoin node which is why that even prior to this paper, recommendations for merchants include disabling incoming connections and to choose specific outgoing connections.[1]
Finney attack
Another attack the trader or merchant is exposed to when accepting payment on 0/unconfirmed. The Finney attack is a fraudulent double-spend that requires the participation of a miner once a block has been mined.[2] The risk of a Finney attack cannot be eliminated regardless of the precautions taken by the merchant, but some miner hash power is required and a specific sequence of events must occur. Just like with the race attack, a trader or merchant should consider the cost / benefit when accepting payment on just one confirmation when there is no recourse against the attacker.
A Finney attack works as follows: Suppose the attacker is generating blocks occasionally. in each block he generates, he includes a transfer from address A to address B, both of which he controls. To cheat you, when he generates a block, he doesn't broadcast it. Instead, he opens your store web page and makes a payment to your address C with his address A. You may wait a few seconds for double-spends, not hear anything, and then transfer the goods. He broadcasts his block now, and his transaction will take precedence over yours.
Vector76 attack
Also referred to as a one-confirmation attack, is a combination of the race attack and the Finney attack such that a transaction that even has one confirmation can still be reversed. The same protective action for the race attack (no incoming connections, explicit outgoing connection to a well-connected node) significantly reduces the risk of this occurring.
It is worth noting that a successful attack costs the attacker one block - they need to 'sacrifice' a block by not broadcasting it, and instead relaying it only to the attacked node.
See on BitcoinTalk or further example of an attack scenario.
Blockchain reorganization attack
Also called alternative history attack. This attack has a chance to work even if the merchant waits for some confirmations, but requires relatively high hashrate and risk of significant expense in wasted electricity to the attacking miner.
The attacker submits to the merchant/network a transaction which pays the merchant, while privately mining an alternative blockchain fork in which a fraudulent double-spending transaction is included instead. After waiting for n confirmations, the merchant sends the product. If the attacker happened to find more than n blocks at this point, he releases his fork and regains his coins; otherwise, he can try to continue extending his fork with the hope of being able to catch up with the network. If he never manages to do this then the attack fails, the attacker has wasted a significant amount of electricity and the payment to the merchant will not be reversed.
Majority attack
Also referred to as a 51% attack or >50% attack. If the attacker controls more than half of the network hashrate, the previously-mentioned Alternative history attack has a probability of 100% to succeed. Since the attacker can generate blocks faster than the rest of the network, he can simply persevere with his private fork until it becomes longer than the branch built by the honest network, from whatever disadvantage.
No amount of confirmations can prevent this attack; however, waiting for confirmations does increase the aggregate resource cost of performing the attack, which could potentially make it unprofitable or delay it long enough for the circumstances to change or slower-acting synchronization methods to kick in. Bitcoin's security model relies on no single coalition of miners controlling more than half the mining power. A miner with more than 50% hash power is incentived to reduce their mining power and reframe from attacking in order for their mining equipment and bitcoin income to retain it's value.
How many confirmations are required
The probability of success is a function of the attacker's hashrate (as a proportion of the total network hashrate) and the number of confirmations the merchant waits for. An online calculator can be found here: https://people.xiph.org/~greg/attack_success.html
For example, if the attacker controls 10% of the network hashrate but the merchant waits for 6 confirmations, the success probability is on the order of 0.1%.[3] Because of the opportunity cost of this attack, it is only game-theory possible if the bitcoin amount traded is comparable to the block reward (but note that an attacking miner can attempt a brute force attack against several counterparties at once).
If the bitcoin amount being transacted is so large that it is comparable to the block reward, then merchants should wait 100 confirmations for their incoming transactions to be irreversible.
Bribing miners to reorg a confirmed transaction
In the past after large bitcoin thefts, it has been suggested that the theft victim attempts to bribe miners into reversing the confirmed transaction. This does not work because the thief can easily outbid with their own bribe. The thief gets a head-start as the transaction would already have confirmations. Every block that gets mined adds a block reward amount of bitcoins more that the attacker could keep while still paying more than the victim, as is every percentage of hashpower that doesn't go along with it. Such a reorg attempt, if successful, would also cause massive disruption in the bitcoin network and open the reorganizing miners and victim to litigation.
Examples:
- In August 2016 the Bitfinex exchange suffered a hack of 120000 bitcoins. Here is a reddit discussion involving bitcoin experts about bribing miners to reorg and why that's a bad idea: https://archive.is/S2fBH
- In May 2019 the Binance exchange was hacked for 7000 bitcoins and a similar suggestion was made: https://twitter.com/JeremyRubin/status/1125919526485254144
Successful Double-Spends in Practice
- In November 2013 it was discovered that the GHash.io mining pool appeared to be engaging in repeated payment fraud against BetCoin Dice, a gambling site[4]. Dice sites use one transaction per bet and don’t wait for confirmations. GHash.io claimed they had investigated and found a rogue employee who had been doing the double spending, who was fired. However no evidence supporting this was provided and the incident left a permanent cloud hanging over the pool. Regardless, it didn’t seem to hurt their market share much: most miners probably never heard about the incident at all.
Consumer Protection
Although bitcoin's base layer blockchain transactions are irreversible, consumer protection can be implemented on a layer on top.
For example using an escrow agent is a powerful technique especially when combined with multisignature smart contracts. Also bitcoin sites such as online casinos rely on their long-standing reputation and some regulated brokers and exchanges simply rely on the legal system.
See also: Myths#Bitcoin_has_no_built-in_chargeback_mechanism_and_this_is_bad
See Also
- Weaknesses
- Bitcoin as a medium of exchange
- Bitcoin Attacks in Plain English by David Perry
- Thorough discussion of zero-confirm on-chain transactions in bitcoin by Bram Cohen
- stackexchange discussion on exchanges bribing miners to reverse transactions
- MIT DCI’s pool detective app monitors various mining pools for odd behaviour like censorship, selfish mining or reorg attempts