A 6 re-org does not mean a '51% attack' was successful. In that case, we'd see unbounded-depth re-orgs/no blocks mined by any other mining pool (assuming the adversary censors other mining pools, as this one does).
It does mean an adversary with a high amount of hash got lucky. I noted there's a discrepancy between their claimed network hashrate and pools' claimed network hash rate.
They may not be including their own hash rate in the network's, in which case they'd need to exceed it. Having 51% would only be 34% of total.
They're an unreliable narrator and I wouldn't trust any data from them. There's insufficient evidence to claim they have 51% of the network's hash power.
I am not that well versed in crypto. I understand the concept of a blockchain and what an n block reorg is, but what is the downside of a reorg? Like who can profit financially and why?
I'm a little rusty with the terminology, but in a blockchain, the canonical current block is the one that has the greatest amount of proof of work (I think they call this the heaviest chain). Typically, each new block is the descendant of the most recent block. But it is possible to create a heavier chain from an earlier block. This invalidates any transactions on what was previously known to be the heaviest chain, and is called a reorg.
The farther back, the less likely a reorg is, so to have a reorg that invalidates is blocks is extremely unusual.
If one entity has a majority of the hash power, they gain the ability to try to force reorgs with a likelihood that increases with their advantage in hash power.
I typed all this before realizing I could have recommend you ask an LLM, and it probably would have given you a better answer.
"They" refers to Qubic (by Sergey Ivancheglo), a blockchain network that uses a "Useful Proof-of-Work" system, so it is not built for traditional cryptocurrency mining that solves arbitrary puzzles. Instead, it uses the collective processing power of its miners to train an AI. Qubic's AI-training work is performed by CPUs, same as used by RandomX (Monero's mining algo).
Qubic was able to orchestrate its network of miners to temporarily halt their AI-related tasks and redirect their collective CPU power to mine on the Monero network instead.
Also, Qubic has implemented an economic strategy that involves selling the Monero it mines for a stablecoin like USDT and then using those funds to benefit its own ecosystem and attract more miners, and renting hardware to gain more hash power. The proceeds from the sale of XMR are used to buy Qubic's native token (QUBIC) from exchanges. These purchased tokens are then "burned" or permanently removed from circulation.
I've looked into the "source code", and it doesn't. There is no such thing as useful PoW. Qubic isn't actually a decentralized cryptocurrency. It's closed source, runs as a EFI executable, and is only accessible from their discord channel.
The attack is no different than paying miners to join a malicious pool. It works as long as money flows in.
There is such a thing as useful proof of work. Qubic may not be doing it but it does exist. The linked papers [1][2] are examples of way to do it. They aren't 100% "useful" but rather achieve partial efficiency by essentially forcing miners down random paths in a manner that limits the ability to complete work ahead of time or otherwise "cheat".
I mean that's just proof of work. PoUW is just an attempt at converting some of that work into something worthwhile and not pointless hash grinding.
There's a lot of re-inventing the wheel in the cryptocurrency space but on the formal academics side of the space people are very cognizant of what they are working on and their work is focusing on improving very specific properties of consensus algorithms.
I will have to read these papers then. My intuition is that it's impossible to usefully use PoW to train neural networks because you have to rely on user-submitted training data in order to work which allows you to cheat by pre-determining the solution to your own work.
It's not a terrible idea, but I've yet to see it be inplemented. Gridcoin is one typical example where it's just PoS with "useful PoW" tacked on for token distribution, and doesn't actually use PoW for security.
* One actor in the space appears to have done a proof of concept takeover of 51%.
* It’s not clear there was any malicious action nor intent in doing so.
* Performing something like this is definitely expensive.
* The potential impact of doing so is disputed.
* Whether or not it was achieved is also disputed
However, what has been known you some time is that the largest BitCoin miners have more power than the entire community of many alt-coins. Whether this is an issue is a matter for debate. Certainly, until now, no-one has chosen to flex like this.
> Whether this is an issue is a matter for debate.
Monero uses RandomX, which is intentionally chosen to make it difficult to accelerate using hardware that is common with other coins. It’s almost certainly not what happened here.
In Proof-of-Work the cost of the work is what keeps the network honest. If the work has value then an attacker is free to invest as many resources as I want into subverting the network. Even a failed attack can still be profitable, just less so.
In another scenario, where the works value is less then the cost you're still hoping that at no point in the future will an attacker figure out a way to do the work at a net profit.
The only way the network can be trusted is if the work has definitely now and always, 0 value.
Not littering has value. However, if I don't litter, it doesn't benefit me, and I cannot profit off of it; no matter how eco-friendly I am, I get no value from it.
Since ASICs are built for mining one specific algorithm and no other, ASIC miners are invested in the survival of "their" mining algorithm.
If there are several competing coins using the same algorithm, it may be possible to incentivize ASIC miners to destroy one of them if it benefits the others, but even then it's risky.
CPUs in contrast can be used for a million different things, CPU miners are not incentivized to support any given crypto project. It's also much easier to rent large amounts of CPUs than of ASICs.
PoS is the obvious choice now that ETH has had a bit of time to run. But, I remember when they went through the switch (before ETH PoS). Doing some sort of variation on GPU memory hard mining would have been a smart choice (ethash, progpow, etc), knowing full well that ETH would eventually go PoS. It would have given all the miners something to switch to, instead of just shutting down entirely, because there wasn't anything but ghost chains.
I ask this not as a gotcha (I don't know the first thing about this), but rather because I'm interested: How do you know not "ever"?
Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine, hence I can use it to run whatever algorithm I want. Would that be more efficient than using a modern OoO superscalar? Almost surely not, but that doesn't mean it can't be done, just that it shouldn't be done that way.
*: I realize that the ASICs used in Bitcoin miners don't have dram access, but that isn't a general limitation of ASICs, just those ASIC 'chips' (and maybe not even those chips, just their implementations in bitcoin miners)
EDIT: Thanks to everyone who answered! For some reason, I had it in my head that the way we implement fixed function stuff in an ASIC was basically the same as a "burn once" FPGA. Brains gonna brain.
>Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine
No, that doesn't follow at all. An ASIC doesn't mean a general purpose CPU or FPGA. A chip that only knows how to do, say, video decoding is an example of ASIC. The video chip can't do bitcoin, the bitcoin chip can't do monero. They're not general purpose.
You might be confusing ASICs with FPGAs. You can't reprogram an ASIC, the algorithm is fixed at design time, and the chip built for this single purpose.
KAS is PoW, at ~240 times the hash-rate of LTC, ~120 000 000 times the hash-rate of XMR, and 0.0007 times the hash-rate of BTC. Obviously not really comparable...
In fact, Litecoin has an optional privacy feature called MWEB, which is probably why Litecoin too got kicked off of being named on some conventional news sites.
That's not at all relevant to parent post's point. BTC mining is famously centralized, and continues to get more so. It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash. It's inevitable. It's bad system design - it makes being able to manufacture your own custom silicon table stakes to run a financial system for some reason.
BTC will have to move to a proof of stake design to survive. It's unavoidable.
That is debatable, but also besides anything else, changing to PoS means changing the tokenomics (some tail emission for staking rewards, no 21m hard cap), which means it's incredibly unlikely to happen
In the end state (after ~2140), mining rewards just come from TX fees. But true, it is possible you could just redistribute TX fees to stakers.
Post-merge ethereum is designed so that the gas fees and the staking rewards roughly cancel out on balance (so overall inflation is around zero), but they are decoupled so even if nobody is using the network you still get a staking yield
Pedantic point: monetary inflation is around zero, not necessarily price inflation (which is what people typically mean when they just say "inflation").
I think they mean the manufacturer would just keep most of the stock for themselves. Reminds me of that famous Scarface quote: "You should get high on your own supply, it's a great idea that won't end horribly."
"Performing something like this is definitely expensive"
That is false. A 51% attack is only expensive to the degree to which the hashpower required to exceed 50% is obtained at negative margins.
If an attacker can collect the total 51% or more hashpower at what would be a profitable rate despite the attack, then the attack is not "definitely expensive" - no, the attack is definitely profitable and the expense falls sorely on the minority.
Just because something is profitable doesn't mean it's not expensive, which only means it costs a lot of money.
Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed. And the attack is not available to you if you can't front those resources (because it's expensive rather than cheap).
You can only do that on centralized exchanges, which would mean that you effectively doxx yourself by shorting. Also the exchange will most probably seize your funds before you are able to withdraw them.
You'd have to spend $30M per day in order to control 51% of XMR, and then you'd YOLO your life savings (which would have to be another couple hundred million dollars) on centralized exchanges without anyone noticing?
I'm not sure I'd call this risk. Risk would be "you can invest the money, but you might not get it back" however the above is referring to the "a 51% attack absolutely works but you need a shit ton of money to do it" aspect instead. This makes it capital intensive, not (necessarily) risky.
It is absolutely risky. Your facilities can burn down once the ASICs arrive and before they are turned on, or your employees simply steal them for their own uses. Heck, you can have a fire once they get powered-on, because a power cable was poorly made. You might get sent the wrong product, or you could be ghosted without a delivery.
Expensive is a better fit than capital intensive, because there are massive ongoing costs to actually perform the attack, electricity for one.
If you want to understand the risks for a project, pretend you are at arms length and are being asked to fund the project 100% up-front. You'll find a huge list of risks very soon.
This is why I didn't say it made the investment risk free, I said being capital intensive does not make something (inherently) risky. There is no such thing as an investment without risk, but how risky it is is largely orthogonal to how capital intensive it is, and the above was talking about the latter so using the term "risk" for that half is not a great correction.
The fact that it succeeds does not mean that you get the money back (eg the price of monero could drop if that happens). You may also have miscalculated some parameters in all this or something unexpected happens (where human factor is involved). So there should always be risk involved imo. Otherwise I agree, even in a probability 1 success situation this would still not be called "cheap".
Having the power to deny others to mine blocks does not mean that you can obtain the tokens from their wallets. Miners can't sign transactions on users' behalf. You can rewrite all of history but then no exchange will accept your version of it to let you exchange the tokens for fiat. Also this will almost certainly crash the price of XMR substantially. And later people will be able to fork/restore the original version. The technological side of the blockchain is only part of the consensus/trust/market/popularity. People are the other part, and people will not pay the attacker for their successful attack.
The attacker doesn't need to steal tokens. They just need to short the token while they sufficiently disrupt the network to drive down the price. They get the money and your tokens become worthless.
Controlling 51% of XMR costs ~$30M per day, you'd have to short a huge amount of XMR to make that worthwhile. Who would be the counter party and how would you do that anonymously?
The attack itself is unprofitable, the "profit" for Qubic is the publicity they get. (or at least that's what they're betting on)
In all seriousness, can you explain why the "impact of doing so is disputed". In my laypersons understanding, if you control ~51% of the hashrate you can outpace everyone else in producing blocks, which means you can change (reorganize) your blockchain history which means the ledger isn't trustworthy. Right?
- The attacker can doublespend their transactions if their hashing power is high enough to create more blocks than what the recipient is waiting for. E.g. you buy a lambo, the shop waits 10 blocks after the tx is in a block and gives you the lambo, then you create a longer chain with 11 blocks to replace the other one, and don't include the original lambo tx. 51% of hashing power is enough to create new blocks, but not enough to create 11 alternative blocks. That requires more hashing power.
- The attacker can prevent other transactions from landing in a block, as long as they have majority
- But the attacker can't create fake transactions (e.g. if they only have 1k Monero, they can't create a tx with 2k Monero). Because all nodes (not only miners) still verify the transactions
- And the attacker can also not steal your money, because they don't have your private keys
In my head I kind of simplified it - if I can reorder the blocks in my history I can "reverse" a transaction, like "erase" that I bought a lambo yesterday so today I have not only the lambo, but the money that was in my account before I bought the lambo, too. But maybe me trying to over simplify and missing the forest for the trees (this is very much not my domain).
My understanding is limited. But in addition to not making transaction "not happen". It is better to make new transaction for money. As the transaction would still be valid later and could be included later. Thus "double spend".
That's the point, you can only change YOUR history. From the perspective of future merchant, that's the trivial to deal with. And for existing transactions, you'd need the value of the goods from the transactions to exceed the cost of controlling to network to be worth it. But what kind of goods that can be transferred so quickly be worth that much?
More or less, but the private chain doesn't need to contain empty blocks.
A more sophisticated attack would include all the legitimate transactions on the network except for their own transaction(s) which they're trying to double spend. That way the network isn't disrupted apart from the parties you're double spending against.
If you control 51% of the hashing power, that means you can solve more blocks than the entire rest of the network combined. Even if other nodes on the network solve a couple blocks before you, statistically, you will eventually create a longer chain of blocks and the network will switch to your chain.
But your chain has every block solved by you, giving you all the block rewards.
That's the magic of the 51% attack. You gain control of the blocks. Because that extra 1% isn't a HUGE margin, it may take a while for your chain to become the winning chain, but theoretically, it will happen.
You only mine blocks on top of your previous blocks, ignoring blocks produced by the 49%. Since you have 51%, your chain is the longest over time, so you have 100% of the mining rewards.
You can't do that with 25% (or even 40%) hashrate.
dumb question: i took a look at https://miningpoolstats.stream/ethereumclassic for ethereumclassic and f2pool.com seems to have ~64% of the total hashrate... is that a takeover as well ?
The thing about 51% attacks is they're hard to pull off in secret. And once they happen, who's going to accept the coin anymore? Plenty of potential for sheer destruction, but it seems pretty counter-productive to value.
Reminder: if you want to bet on an asset's demise (i.e. short it), you don't need a derivatives market, you just need to be able to borrow the asset and sell it. So you could accomplish the goal there by borrowing Monero and converting it to USD. A lot of smartcontract platforms let you do this -- including on other chains, where they hold a token convertible into the original chain's native unit.
I bring this up because people are always asking what platforms are allowing me to short cryptocurrencies, which seems to miss that it's enough to just have a debt denominated in what you want to bet against.
It's Game Theory problem. If you are getting more value out of the system by maintaining it in the long-run, it would make no sense to attack it and destroy its value. However, once you can extract more value in the short-term through the attack than by being a long-term participant, it becomes attractive.
With BTC's block reward continually being reduced, TX fees will have to increase in order to avoid reaching the point where large miners could become tempted to attack the network.
Monero has been under constant attack from its inception. It’s one of the only truly anonymous, untraceable payment systems so there has been a huge push to make it unviable. It was unexplainably delisted from major crypto exchanges in the past and now is under direct attack.
It's not inexplicable, they just don't want to explain that their asset listings are effectively beholden to banking partners in the same way that steam was forced to remove certain games because of Visa and Mastercard.
Unknown crypto vulnerabilities and 51% attacks are crypto currency risks that are theoretically out there, but we mostly haven't seen play out.
At some point, someone doing AI might amass enough GPUs to do a 51% attack on Bitcoin. You're right that it destroys confidence in the coin, so if you short Bitcoin futures before the attack, you might make money.
> At some point, someone doing AI might amass enough GPUs to do a 51% attack on Bitcoin.
This is electrically impossible for Bitcoin specifically, modern ASICs exceed 3 orders of magnitude more hashes/Joule and hashrate/chip than a RTX5090 and cost $2-40 retail per chip.
Unless I'm missing something, this doesn't pass the sniff test. If a 51% attack was successful, every other miner could easily spot this and would stop mining. The fact that this has not happened is more trustworthy than a random guy on Twitter.
Unless the attacker was actively choosing to exploit the 51% hashrate power they have then it would still make economic sense for remaining minority miners to keep mining.
Why would every other miner stop mining, making it a 100% attack?
Yesterday I was running a Monero node and looking at it, and got an unusually very high number of chain reorganization messages. I could believe a 51% attack happened.
You could do it with a whitelist. If there is a fork, give disproportionate weight to blocks mined by a whitelisted participant when doing the longest-chain calculation. Ideally you should include the proof of being on the whitelist in the block itself, but if that's not possible for some reason you could always send the information off-chain.
That's centralization, which is the opposite of what's intended and has its own risks. Most blocks are mined by pools, so you'll have to whitelist them, and while you might trust the pool operators now, will you forever? You'll be making the cost of an attack significantly cheaper for them (or someone who steals their magic key, or tricks you into adding them to the blessed list).
I agree that it is not ideal. But addressing some of the specific point brought up:
1. a) The list doesn't need to be hardcoded, it could be a configuration. b) So trust doesn't need to be permanent. c) It could be decentralized in the sense of allowing different people to have configs 2. Miners not on the list can still participate just with lower weight in the case of a fork. And they still get full reward.
1. A cryptocurrency requires consensus, so no, you can't have different configs for determining the validity of a chain. Making it a config variable only makes it faster to close the barn door after the horse has bolted.
2. Has no bearing on any point I made.
What will likely happen is a PoS BFT layer on top of PoW, although there are other options being considered:
As long as people eventually reach the same conclusion about which chain is the legit one it's fine that they use different reasoning to arrive at that conclusion.
If they fail to ever converge there is probably such a large disagreement in the community that a fork is for the best anyway.
> As long as people eventually reach the same conclusion about which chain is the legit one it's fine
What? No, it very much it isn't. Consensus needs to be ongoing, within a handful of blocks (Monero locks transfers for 10 blocks for this reason, called "confirmations").
Firstly, I think you underestimate how quickly good faith actors with slightly different configs would come to agree. A handful of blocks should be enough. Secondly, if reorgs start becoming a problem, exchanges and merchants could monitor for a situation with two competing chain and temporarily suspend processing. There is still the possibility that some one will suddenly reveal a long chain they had kept secret, but anyone doing such a thing is very suspicious.
Depends what the goal is. A state that wants to break the anonymity of the system doesn't care about $75m per day, specifically a state that can just print that...
The problem is not that the system is constantly under attack. It's that it can no longer be trusted to be secure. Nobody with money on chain will say 'oh well, probably nobody will steal my money today'.
It absolutely does, just not directly. Say that you have 100k fiat equivilent in monero and I demonstrate a successful monero double-spend attack. How much do you think your monero is worth?
>Did Qubic really attack Monero ? No, according to official statements, it was a planned stress test to identify vulnerabilities in the Monero network.
"not really a nefarious attack" is an insane summation of this article. There's zero way for someone outside of qubic to verify that they didn't do something nefarious while controlling the network. Stated another way- anyone could call their 51% attack a "stress test"
This man is a true poet, just beautiful look at this quote found on his exTwitter:
(quote starts here)
"""Writing this date here to memorize when the concept of Decentralized Artificial Intelligence (#DAI) got its final shape.
Not bullshit like "It runs on a #blockchain so it must be decentralized". In this concept each entity holds a secret know-how which modifies #IntelligentTissue (in cooperation with other know-hows owned by other entities, if needs to solve a complex task). Secrecy of each know-how ensures nobody can copy it, others can only attempt to create something similar by spending computational resources.
Each #AI is an original object, #IntelligentTissue is its hologram. #Qubic is the platform for AI creation, their convergence and intelligent tissue hosting"""
If you exchange Bitcoin for cash, the IRS can retroactively look at every wallet that this money originated through. If they decide that they don’t like how certain coins were earned, they can mark them and any wallet they touched as poisoned, and put you in jail if you try to exchange them further.
Monero transactions are inherently obfuscated, which solves this problem. If you want more details, the Monero whitepaper is well written to be accessible for the common reader.
> Monero transactions are inherently obfuscated, which solves this problem.
It solves the problem by making all participants culpable. The blockchain community is very good at imagining they have technical solutions to social problems.
I think speech is not the same money, and that any kind of property you expect others to respect comes with obligations. Why should I respect your property claims if you can't show me you didn't steal your property?
But that's really beside the point, because it isn't me who will come after you, it's the IRS (or equivalent). If you spend a lot of money, you're in trouble if you can't explain how you got it. And if you explain that you participated in a network which has as its only purpose to destroy evidence of how you got it, you're usually in extra big trouble.
There's a little bar in Cupertino, Paul & Eddie's Monta Vista Inn. They only accept cash. Should they be shut down and have their assets seized? After all, what possible reason could they have to operate as cash only, in Silicon Valley, other than that they want to destroy evidence of how they earned it?
Again, it's beside the point what they should. Small businesses have "know your customer" requirements too, and if this little bar made suspiciously much money from cash sales, the government will come looking to make sure it isn't a money laundering operation.
If you think it shouldn't be that way, you are faced with a problem. A social political problem. Which Monero does nothing to solve. Which is the point.
Sidenote: IDK how is Ledger, a French company, still in business after compromising ~300k users' physical addresses[1] amongst other PII, ~5 years ago.
Gamification. They are supposedly offered some other shitcoin in return for the monero that they mine. I've tried it myself some months ago, it is noticeable that they were lying about the number of miners on that platform.
One of the major things that has always bothered me about crypto: if an economically "irrational" large player wanted to 51% something like Bitcoin, they could.
I am thinking of, for example, a nation-state. Let's say the US, EU, or China decided for some reason that it was in their national interest to blow up Bitcoin. This could happen if an adversary like Russia or its allies were using Bitcoin for funding and there was a war or a major Cold War style struggle. Such players could afford to purchase and build, in secret, a huge mining farm, and then suddenly turn it on, not caring about the cost because the goals are strategic. It would be massively expensive but it doesn't matter for this case.
I'm also curious about an attack vector whereby if a coin has a single reasonably well-installed mining software stack, this effectively gives the developers of that stack control over any miner, which could easily add up to 51% if there's only a few mining software options. Sneaking in a backdoor is well within the capabilities of any developer; do the mining companies compile from source?
While that's certainly possible with a large enough expenditure, they'd also have to have the miners be sufficiently indistinguishable that they couldn't easily be denylisted with an update to the official codebase.
State entities can also destroy real banks with all sorts of means if they really want. The vulnerability is real, but beyond the scope of discussion because then it's war we're talking about.
But states generally like having a financial system, and don't like (or are at least annoyed and worried by) cryptocurrencies, so the incentives aren't the same.
A more economical version of the same thing is to engage in honest mining through several front companies that together have 51%. Until a strategic opportunity presents itself and they start colluding.
For monero and other smaller chains maybe, but for BTC this is already at the point of being quite difficult (the intelligence agency really would have to be quite large).
The money is one thing, you also have to somehow acquire a huge % of the ASIC supply over years, and the not insignificant amount of energy to run them
What really happens to a crypto coin if trust in the ledger is shattered?
Does the coin stay alive purely because people still speculate on hype or does everyone try to cash out simultaneously and send price into a death spiral?
Maybe Black Owl is finishing off APT29's remaining part of the former Mirai botnet?
I'm just saying that this might be a state sponsored actor fighting another one, given that Mirai was primarily hosting XMR miners, and given that they lost 3.5 Mio bots overnight in 2023.
You: "Post seems confused. A 51% attack doesn't allow the attacker to sign transactions with someone else's key."
Maybe you misread, the post says this: "With its current dominance, Qubic can rewrite the blockchain, enable double-spending, and censor any transaction."
All of which are possible if someone has that level of control, and none of which involve signing with other people's keys.
(As some people seem confused about the impact of 51% attacks: Of course you can't double-spend in a single blockchain, as that is prevented. But the nature of these attacks is that there's no longer one true blockchain. You can create one fork of the blockchain where you send the money to someone, receive goods in return, and then afterwards switch to a longer fork of the blockchain where the money was never sent.)
Doing this requires massive tangible infrastructure subject to seizure to pay your new bad debts as you become subject to arrest in a lot of the places one may want to spend time in.
This doesn't seem like as much of an actual risk. A better way to make money would be to create a perception that the value of the coin is at risk before buying it cheap.
Actually devaluing it doesn't seem worthwhile financially.
A couple researchers have told me that it's not necessary to even reach 51%. It's probably something closer to 35% to maintain the ability to perform censorship etc
Not quite. You can make selfish mining economically viable below 51%, which eats into the profitability of the majority, but it's not possible to sustain a long term censorship attack with that.
With PoS protocols, >33% is usually when you have the ability to inhibit finality, which may be what you're thinking of.
You are not only appealing to the imaginary authority of someone that you talked to while demanding that someone else cite sources, but you also seem neither to understand the subject you're talking about nor able to accurately recall the hearsay you're offering as evidence. When you are lost in the woods, seek out a map!
The ridiculousness of cryptocurrency reminds me of the ridiculousness of the stock market. Both are absolutely batshit insane ways to maintain a global monetary system, yet people keep investing their fortunes in both.
Going by the definition given in the wiki you’ve linked, a Sybil attack is about creating many fake identities to gain disproportionate influence in a network. A 51% attack in blockchain terms is specifically about controlling the majority of the network’s mining/staking power to override consensus.
Someone amassing 51% of the network would probably want to do so under some fake identities so others don't realize what's about to happen. Not the same, but probably related.
It's the same failure mode as a Sybil attack, but it's called a 51% when there's the additional assumption of the hashrate being hard to obtain and evenly-enough distributed to mitigate sybiling, and that assumption is being violated.
A Sybil attack is about having many identities in systems which make such identities count for something, blockchains are designed to avoid that attack by saying "identities don't matter for consensus, only raw 'work' does". a 51% attack is therefore analogous to a Sybil attack but not the same thing.
A 6 re-org does not mean a '51% attack' was successful. In that case, we'd see unbounded-depth re-orgs/no blocks mined by any other mining pool (assuming the adversary censors other mining pools, as this one does).
It does mean an adversary with a high amount of hash got lucky. I noted there's a discrepancy between their claimed network hashrate and pools' claimed network hash rate.
They may not be including their own hash rate in the network's, in which case they'd need to exceed it. Having 51% would only be 34% of total.
They're an unreliable narrator and I wouldn't trust any data from them. There's insufficient evidence to claim they have 51% of the network's hash power.
(https://nitter.net/kayabaNerve/with_replies)
Qubic never actually hit 51% btw. Don't fall for it.
However they do have a large enough hashrate to perform multi-block re-orgs with their selfish mining strategy.
They disabled API hashrate reporting so that they could lie about it.
Keep mining and ignore the noise.
(https://nitter.net/tuxpizza/status/1955191610410401816#m)
I am not that well versed in crypto. I understand the concept of a blockchain and what an n block reorg is, but what is the downside of a reorg? Like who can profit financially and why?
You get all the money from the block rewards for those blocks if you reorg other miners blocks out.
What's a "6 re-org"?
I'm a little rusty with the terminology, but in a blockchain, the canonical current block is the one that has the greatest amount of proof of work (I think they call this the heaviest chain). Typically, each new block is the descendant of the most recent block. But it is possible to create a heavier chain from an earlier block. This invalidates any transactions on what was previously known to be the heaviest chain, and is called a reorg.
The farther back, the less likely a reorg is, so to have a reorg that invalidates is blocks is extremely unusual.
If one entity has a majority of the hash power, they gain the ability to try to force reorgs with a likelihood that increases with their advantage in hash power.
I typed all this before realizing I could have recommend you ask an LLM, and it probably would have given you a better answer.
> I typed all this before realizing I could have recommend you ask an LLM, and it probably would have given you a better answer.
Please don't. This would be useless spam, and is completely rude. Do we tell people to "Just google it?" here?
User skarz did indeed ask an LLM, which got [flagged] since the LLM gave a distinctly worse answer. Expand the [9 more] below to see it.
This was a great answer. I'm glad you spent the time on it. Though I am curious what the 6 indicates.
Six blocks
America would be screwed if owning 51% of its value meant you could rewrite ownership.
*gestures wildly*
Good thing you need 30 percent, a larger number
Didn't know ChatGPT was on HN
who are "they" you're talking about?
"They" refers to Qubic (by Sergey Ivancheglo), a blockchain network that uses a "Useful Proof-of-Work" system, so it is not built for traditional cryptocurrency mining that solves arbitrary puzzles. Instead, it uses the collective processing power of its miners to train an AI. Qubic's AI-training work is performed by CPUs, same as used by RandomX (Monero's mining algo).
Qubic was able to orchestrate its network of miners to temporarily halt their AI-related tasks and redirect their collective CPU power to mine on the Monero network instead.
Also, Qubic has implemented an economic strategy that involves selling the Monero it mines for a stablecoin like USDT and then using those funds to benefit its own ecosystem and attract more miners, and renting hardware to gain more hash power. The proceeds from the sale of XMR are used to buy Qubic's native token (QUBIC) from exchanges. These purchased tokens are then "burned" or permanently removed from circulation.
This seems oddly similar to the whole IRON/TITAN thing years back, but with extra steps.
What's their objective?
My guess would be to turn the crank of a ponzi scheme until it falls off.
However,
> Qubic's AI-training work is performed by CPUs, same as used by RandomX (Monero's mining algo).
I don't understand how this makes any sense at all.
I've looked into the "source code", and it doesn't. There is no such thing as useful PoW. Qubic isn't actually a decentralized cryptocurrency. It's closed source, runs as a EFI executable, and is only accessible from their discord channel.
The attack is no different than paying miners to join a malicious pool. It works as long as money flows in.
There is such a thing as useful proof of work. Qubic may not be doing it but it does exist. The linked papers [1][2] are examples of way to do it. They aren't 100% "useful" but rather achieve partial efficiency by essentially forcing miners down random paths in a manner that limits the ability to complete work ahead of time or otherwise "cheat".
1. https://eprint.iacr.org/2021/1379
2. https://eprint.iacr.org/2023/1059
Proof of useful work feels like it's one and a half steps removed from discovering seigniorage and reinventing money.
I mean that's just proof of work. PoUW is just an attempt at converting some of that work into something worthwhile and not pointless hash grinding.
There's a lot of re-inventing the wheel in the cryptocurrency space but on the formal academics side of the space people are very cognizant of what they are working on and their work is focusing on improving very specific properties of consensus algorithms.
I will have to read these papers then. My intuition is that it's impossible to usefully use PoW to train neural networks because you have to rely on user-submitted training data in order to work which allows you to cheat by pre-determining the solution to your own work.
It's not a terrible idea, but I've yet to see it be inplemented. Gridcoin is one typical example where it's just PoS with "useful PoW" tacked on for token distribution, and doesn't actually use PoW for security.
Gain media attention and pump their coin.
To summarise:
* One actor in the space appears to have done a proof of concept takeover of 51%.
* It’s not clear there was any malicious action nor intent in doing so.
* Performing something like this is definitely expensive.
* The potential impact of doing so is disputed.
* Whether or not it was achieved is also disputed
However, what has been known you some time is that the largest BitCoin miners have more power than the entire community of many alt-coins. Whether this is an issue is a matter for debate. Certainly, until now, no-one has chosen to flex like this.
> Whether this is an issue is a matter for debate.
Monero uses RandomX, which is intentionally chosen to make it difficult to accelerate using hardware that is common with other coins. It’s almost certainly not what happened here.
CPU was a terrible choice.
why? what's better?
It would be interesting if a "coin" were tied to protein folding prediction or something else useful.
Proof-of-Work fails if the work has value.
why?
In Proof-of-Work the cost of the work is what keeps the network honest. If the work has value then an attacker is free to invest as many resources as I want into subverting the network. Even a failed attack can still be profitable, just less so.
In another scenario, where the works value is less then the cost you're still hoping that at no point in the future will an attacker figure out a way to do the work at a net profit.
The only way the network can be trusted is if the work has definitely now and always, 0 value.
Not littering has value. However, if I don't litter, it doesn't benefit me, and I cannot profit off of it; no matter how eco-friendly I am, I get no value from it.
Am I wrong in saying that the work has negative value? And there are different degrees of that. Bitcoin's negative value is larger.
You are not wrong, the output has no value. The work then being Value Out - Value In.
I don't think it's true, look up Proof of Useful Work
Which, ironically, is used by the attacker in this case.
Isn't that what GridCoin is?
https://gridcoin.us/
Since ASICs are built for mining one specific algorithm and no other, ASIC miners are invested in the survival of "their" mining algorithm.
If there are several competing coins using the same algorithm, it may be possible to incentivize ASIC miners to destroy one of them if it benefits the others, but even then it's risky.
CPUs in contrast can be used for a million different things, CPU miners are not incentivized to support any given crypto project. It's also much easier to rent large amounts of CPUs than of ASICs.
Disclaimer: ran a 150k GPU eth mining operation
PoS is the obvious choice now that ETH has had a bit of time to run. But, I remember when they went through the switch (before ETH PoS). Doing some sort of variation on GPU memory hard mining would have been a smart choice (ethash, progpow, etc), knowing full well that ETH would eventually go PoS. It would have given all the miners something to switch to, instead of just shutting down entirely, because there wasn't anything but ghost chains.
I'm still a fan of PoW. PoS incentivizes centralization.
Hilariously posting in a thread about a 51% attack happening, because of miner centralization.
>until now, no-one has chosen to flex like this.
The two networks have wildly different proof-of-work algorithms, they're incompatible. A BTC ASIC will never mine Monero, ever.
I ask this not as a gotcha (I don't know the first thing about this), but rather because I'm interested: How do you know not "ever"?
Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine, hence I can use it to run whatever algorithm I want. Would that be more efficient than using a modern OoO superscalar? Almost surely not, but that doesn't mean it can't be done, just that it shouldn't be done that way.
*: I realize that the ASICs used in Bitcoin miners don't have dram access, but that isn't a general limitation of ASICs, just those ASIC 'chips' (and maybe not even those chips, just their implementations in bitcoin miners)
EDIT: Thanks to everyone who answered! For some reason, I had it in my head that the way we implement fixed function stuff in an ASIC was basically the same as a "burn once" FPGA. Brains gonna brain.
>Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine
No, that doesn't follow at all. An ASIC doesn't mean a general purpose CPU or FPGA. A chip that only knows how to do, say, video decoding is an example of ASIC. The video chip can't do bitcoin, the bitcoin chip can't do monero. They're not general purpose.
You might be confusing ASICs with FPGAs. You can't reprogram an ASIC, the algorithm is fixed at design time, and the chip built for this single purpose.
> Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine
asic does not mean turing complete
good luck simulating a von neumann machine on a sha256 accelerator
That's not true for all altcoins however
Pretty much everything other than bitcoin, monero, and dogecoin are running proof of stake these days anyhow, so it kind of doesn't matter.
KAS is PoW, at ~240 times the hash-rate of LTC, ~120 000 000 times the hash-rate of XMR, and 0.0007 times the hash-rate of BTC. Obviously not really comparable...
https://poolbay.io/coins
Litecoin goes in that PoW group too.
In fact, Litecoin has an optional privacy feature called MWEB, which is probably why Litecoin too got kicked off of being named on some conventional news sites.
Its always hilarious when someone launches an L1 with an algorithm everyone can already dominate and it gets attacked immediately
Last time I saw that was on photonics processor blockchains
That's not at all relevant to parent post's point. BTC mining is famously centralized, and continues to get more so. It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash. It's inevitable. It's bad system design - it makes being able to manufacture your own custom silicon table stakes to run a financial system for some reason.
BTC will have to move to a proof of stake design to survive. It's unavoidable.
That is debatable, but also besides anything else, changing to PoS means changing the tokenomics (some tail emission for staking rewards, no 21m hard cap), which means it's incredibly unlikely to happen
why would staking rewards be any more necessary than mining rewards?
In the end state (after ~2140), mining rewards just come from TX fees. But true, it is possible you could just redistribute TX fees to stakers.
Post-merge ethereum is designed so that the gas fees and the staking rewards roughly cancel out on balance (so overall inflation is around zero), but they are decoupled so even if nobody is using the network you still get a staking yield
>so overall inflation is around zero
Pedantic point: monetary inflation is around zero, not necessarily price inflation (which is what people typically mean when they just say "inflation").
Yes sorry, important clarification.
In theory if the entire world was on an ethereum standard with a steady state population, price inflation would also average out to zero
BTC can't move to proof of stake because religious zealots would keep their money in the old fork.
It's doomed in general, see the cash fork.
Tokenized bitcoin.
> It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash
The ASIC manufacturer would also need a backdoor. ASIC manufacturers don't control mining.
Large miners are unlikely to allow backdoors into their mining network.
I think they mean the manufacturer would just keep most of the stock for themselves. Reminds me of that famous Scarface quote: "You should get high on your own supply, it's a great idea that won't end horribly."
ASIC miners often do control mining. They often mine with chips before they drop them in the public market
>ASIC manufacturers don't control mining.
I dont think you understand the BTC mining ecosystem
"Performing something like this is definitely expensive"
That is false. A 51% attack is only expensive to the degree to which the hashpower required to exceed 50% is obtained at negative margins.
If an attacker can collect the total 51% or more hashpower at what would be a profitable rate despite the attack, then the attack is not "definitely expensive" - no, the attack is definitely profitable and the expense falls sorely on the minority.
Just because something is profitable doesn't mean it's not expensive, which only means it costs a lot of money.
Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed. And the attack is not available to you if you can't front those resources (because it's expensive rather than cheap).
I guess the clearer term for that would be "capital intensive".
surely the fall in value of XMR caused by such an attack would make it unprofitable as well
You could just short XMR heavily and profit that way.
You can only do that on centralized exchanges, which would mean that you effectively doxx yourself by shorting. Also the exchange will most probably seize your funds before you are able to withdraw them.
Not sure how are you doxxing yourself, what stopping me from YOLOing my life savings into this short after reading a few comments in this thread?
You'd have to spend $30M per day in order to control 51% of XMR, and then you'd YOLO your life savings (which would have to be another couple hundred million dollars) on centralized exchanges without anyone noticing?
I meant I, as someone that is aware of attempt to take over, not as an attacker.
It's only doxxing if you can, you connect that large transaction to the attacker, but you can't unless I'm missing something.
Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed.
There is a word for this. We call it risk.
I'm not sure I'd call this risk. Risk would be "you can invest the money, but you might not get it back" however the above is referring to the "a 51% attack absolutely works but you need a shit ton of money to do it" aspect instead. This makes it capital intensive, not (necessarily) risky.
It is absolutely risky. Your facilities can burn down once the ASICs arrive and before they are turned on, or your employees simply steal them for their own uses. Heck, you can have a fire once they get powered-on, because a power cable was poorly made. You might get sent the wrong product, or you could be ghosted without a delivery.
Expensive is a better fit than capital intensive, because there are massive ongoing costs to actually perform the attack, electricity for one.
If you want to understand the risks for a project, pretend you are at arms length and are being asked to fund the project 100% up-front. You'll find a huge list of risks very soon.
This is why I didn't say it made the investment risk free, I said being capital intensive does not make something (inherently) risky. There is no such thing as an investment without risk, but how risky it is is largely orthogonal to how capital intensive it is, and the above was talking about the latter so using the term "risk" for that half is not a great correction.
The fact that it succeeds does not mean that you get the money back (eg the price of monero could drop if that happens). You may also have miscalculated some parameters in all this or something unexpected happens (where human factor is involved). So there should always be risk involved imo. Otherwise I agree, even in a probability 1 success situation this would still not be called "cheap".
Agreed, no such thing as a real-world investment with truly 0 risk.
Having the power to deny others to mine blocks does not mean that you can obtain the tokens from their wallets. Miners can't sign transactions on users' behalf. You can rewrite all of history but then no exchange will accept your version of it to let you exchange the tokens for fiat. Also this will almost certainly crash the price of XMR substantially. And later people will be able to fork/restore the original version. The technological side of the blockchain is only part of the consensus/trust/market/popularity. People are the other part, and people will not pay the attacker for their successful attack.
The attacker doesn't need to steal tokens. They just need to short the token while they sufficiently disrupt the network to drive down the price. They get the money and your tokens become worthless.
Controlling 51% of XMR costs ~$30M per day, you'd have to short a huge amount of XMR to make that worthwhile. Who would be the counter party and how would you do that anonymously?
The attack itself is unprofitable, the "profit" for Qubic is the publicity they get. (or at least that's what they're betting on)
Unless they drive the price into the ground.
Right? If an attack like this is successful _and_ obvious/detectable, then it _should_ drive the price into the ground.
Shades of the Hunt brothers attempt to corner the silver market in the 80's [1].
[1] https://en.wikipedia.org/wiki/Silver_Thursday
When people say foo is expensive, they mean the gross cost not the net profit.
If I buy a yacht for $2 millón and sell it for $4 million, it’s still an expensive yacht. Profit doesn’t make it less expensive.
In all seriousness, can you explain why the "impact of doing so is disputed". In my laypersons understanding, if you control ~51% of the hashrate you can outpace everyone else in producing blocks, which means you can change (reorganize) your blockchain history which means the ledger isn't trustworthy. Right?
It's worth being precise here:
- The attacker can doublespend their transactions if their hashing power is high enough to create more blocks than what the recipient is waiting for. E.g. you buy a lambo, the shop waits 10 blocks after the tx is in a block and gives you the lambo, then you create a longer chain with 11 blocks to replace the other one, and don't include the original lambo tx. 51% of hashing power is enough to create new blocks, but not enough to create 11 alternative blocks. That requires more hashing power.
- The attacker can prevent other transactions from landing in a block, as long as they have majority
- But the attacker can't create fake transactions (e.g. if they only have 1k Monero, they can't create a tx with 2k Monero). Because all nodes (not only miners) still verify the transactions
- And the attacker can also not steal your money, because they don't have your private keys
In my head I kind of simplified it - if I can reorder the blocks in my history I can "reverse" a transaction, like "erase" that I bought a lambo yesterday so today I have not only the lambo, but the money that was in my account before I bought the lambo, too. But maybe me trying to over simplify and missing the forest for the trees (this is very much not my domain).
My understanding is limited. But in addition to not making transaction "not happen". It is better to make new transaction for money. As the transaction would still be valid later and could be included later. Thus "double spend".
That's the point, you can only change YOUR history. From the perspective of future merchant, that's the trivial to deal with. And for existing transactions, you'd need the value of the goods from the transactions to exceed the cost of controlling to network to be worth it. But what kind of goods that can be transferred so quickly be worth that much?
Maybe there's more resilience to prevent chain swaps now, but my understanding of the original blockchain algorithm is that:
At block N someone could start to privately mine (empty) blocks.
They keep mining in private until block N+x is public, at which time the private (51%) chain is length N+x+1.
They then announce their longer chain.
By the protocol, this longer chain (technically "most work" chain) is the more trusted one, and undoes any transactions in N+1 through N+x.
More or less, but the private chain doesn't need to contain empty blocks.
A more sophisticated attack would include all the legitimate transactions on the network except for their own transaction(s) which they're trying to double spend. That way the network isn't disrupted apart from the parties you're double spending against.
Indeed, but I was arguing that the parent claim that "only your transactions" could be affected was false.
It's true that you can't synthesise false transactions, but you can undo anyone's transactions, not just your own.
That way you can also claim 100% of mining rewards with 51% hash rate.
How? If that were true you’d also be able to get 50% of block chain rewards with 25.1% of the hashing power. But you can’t because it isn’t true.
If you control 51% of the hashing power, that means you can solve more blocks than the entire rest of the network combined. Even if other nodes on the network solve a couple blocks before you, statistically, you will eventually create a longer chain of blocks and the network will switch to your chain.
But your chain has every block solved by you, giving you all the block rewards.
That's the magic of the 51% attack. You gain control of the blocks. Because that extra 1% isn't a HUGE margin, it may take a while for your chain to become the winning chain, but theoretically, it will happen.
You only mine blocks on top of your previous blocks, ignoring blocks produced by the 49%. Since you have 51%, your chain is the longest over time, so you have 100% of the mining rewards.
You can't do that with 25% (or even 40%) hashrate.
Yes.
Newb question, but why's it expensive, aren't they mining the whole time and can therefore make the usual money from that mining?
You are correct. It's expensive if you want to go rewrite history. 51% is when that becomes economically viable to do on its own.
Way more context here https://www.cointribune.com/en/qubic-hits-52-72-of-moneros-t...
No one is spending $75M a day to do a proof of concept. There's obviously some kind of intent to profit.
Qubic aims to profit from the publicity
This is odd. The current hash rate is around its nominal 5 GH/s, and neither any pool nor individual seems to be above 50%:
https://miningpoolstats.stream/monero
This Qubic group claims to concentrate 3 GH/s of hashing power, yet there has been no increase in the global hash rate either:
https://www.coinwarz.com/mining/monero/hashrate-chart
Could this be just a bait?
Peek the % of unknown miners in the pie chart at the bottom
Also https://moneroconsensus.info/
dumb question: i took a look at https://miningpoolstats.stream/ethereumclassic for ethereumclassic and f2pool.com seems to have ~64% of the total hashrate... is that a takeover as well ?
I mean, it means that eth classic's ledger is rewritable on a whim by that that pool, if it has central control.
The thing about 51% attacks is they're hard to pull off in secret. And once they happen, who's going to accept the coin anymore? Plenty of potential for sheer destruction, but it seems pretty counter-productive to value.
If only someone offered derivatives contracts that could be used to make money from destruction...
https://www.kraken.com/en-ca/features/derivatives/monero
Reminder: if you want to bet on an asset's demise (i.e. short it), you don't need a derivatives market, you just need to be able to borrow the asset and sell it. So you could accomplish the goal there by borrowing Monero and converting it to USD. A lot of smartcontract platforms let you do this -- including on other chains, where they hold a token convertible into the original chain's native unit.
I bring this up because people are always asking what platforms are allowing me to short cryptocurrencies, which seems to miss that it's enough to just have a debt denominated in what you want to bet against.
Yeah, but the moment that happens they will confiscate/block the funds of the shorters.
Based on which specific law or rule?
It's Game Theory problem. If you are getting more value out of the system by maintaining it in the long-run, it would make no sense to attack it and destroy its value. However, once you can extract more value in the short-term through the attack than by being a long-term participant, it becomes attractive.
With BTC's block reward continually being reduced, TX fees will have to increase in order to avoid reaching the point where large miners could become tempted to attack the network.
Maybe destruction is their goal.
A lot of people would like to see Monero burn.
Monero has been under constant attack from its inception. It’s one of the only truly anonymous, untraceable payment systems so there has been a huge push to make it unviable. It was unexplainably delisted from major crypto exchanges in the past and now is under direct attack.
It's not inexplicable, they just don't want to explain that their asset listings are effectively beholden to banking partners in the same way that steam was forced to remove certain games because of Visa and Mastercard.
Unknown crypto vulnerabilities and 51% attacks are crypto currency risks that are theoretically out there, but we mostly haven't seen play out.
At some point, someone doing AI might amass enough GPUs to do a 51% attack on Bitcoin. You're right that it destroys confidence in the coin, so if you short Bitcoin futures before the attack, you might make money.
> At some point, someone doing AI might amass enough GPUs to do a 51% attack on Bitcoin.
This is electrically impossible for Bitcoin specifically, modern ASICs exceed 3 orders of magnitude more hashes/Joule and hashrate/chip than a RTX5090 and cost $2-40 retail per chip.
People haven't mined Bitcoin on GPUs in over 10 years.
https://xcancel.com/p3b7_/status/1955173413992984988
https://nitter.net/tuxpizza/status/1955191610410401816#m
Looks like they are winning.
Looking at that website I see that the unknown pool keeps getting a longer chain and it switches to it
Unless I'm missing something, this doesn't pass the sniff test. If a 51% attack was successful, every other miner could easily spot this and would stop mining. The fact that this has not happened is more trustworthy than a random guy on Twitter.
Unless the attacker was actively choosing to exploit the 51% hashrate power they have then it would still make economic sense for remaining minority miners to keep mining.
Why would every other miner stop mining, making it a 100% attack?
Yesterday I was running a Monero node and looking at it, and got an unusually very high number of chain reorganization messages. I could believe a 51% attack happened.
A network might collectively just fork the chain and blacklist the attacker in that fork.
That isn't possible - miners don't have an "identity" to blacklist.
You could do it with a whitelist. If there is a fork, give disproportionate weight to blocks mined by a whitelisted participant when doing the longest-chain calculation. Ideally you should include the proof of being on the whitelist in the block itself, but if that's not possible for some reason you could always send the information off-chain.
That's centralization, which is the opposite of what's intended and has its own risks. Most blocks are mined by pools, so you'll have to whitelist them, and while you might trust the pool operators now, will you forever? You'll be making the cost of an attack significantly cheaper for them (or someone who steals their magic key, or tricks you into adding them to the blessed list).
I agree that it is not ideal. But addressing some of the specific point brought up:
1. a) The list doesn't need to be hardcoded, it could be a configuration. b) So trust doesn't need to be permanent. c) It could be decentralized in the sense of allowing different people to have configs 2. Miners not on the list can still participate just with lower weight in the case of a fork. And they still get full reward.
1. A cryptocurrency requires consensus, so no, you can't have different configs for determining the validity of a chain. Making it a config variable only makes it faster to close the barn door after the horse has bolted. 2. Has no bearing on any point I made.
What will likely happen is a PoS BFT layer on top of PoW, although there are other options being considered:
https://github.com/monero-project/research-lab/issues/136
As long as people eventually reach the same conclusion about which chain is the legit one it's fine that they use different reasoning to arrive at that conclusion.
If they fail to ever converge there is probably such a large disagreement in the community that a fork is for the best anyway.
> As long as people eventually reach the same conclusion about which chain is the legit one it's fine
What? No, it very much it isn't. Consensus needs to be ongoing, within a handful of blocks (Monero locks transfers for 10 blocks for this reason, called "confirmations").
https://en.wikipedia.org/wiki/Double-spending#Decentralized_...
https://www.getmonero.org/get-started/accepting/
Firstly, I think you underestimate how quickly good faith actors with slightly different configs would come to agree. A handful of blocks should be enough. Secondly, if reorgs start becoming a problem, exchanges and merchants could monitor for a situation with two competing chain and temporarily suspend processing. There is still the possibility that some one will suddenly reveal a long chain they had kept secret, but anyone doing such a thing is very suspicious.
Please post your suggestion in the issue I linked.
If you're doing a whitelist of trusted parties you might as well do classical BFT without the mining.
>Sustaining this attack is estimated to cost $75 million per day.
This is how proof of work systems operate.
They are very expensive to attack but very cheap to recover from.
$75m per day is clearly unstainable.
Soon they will give up and the network will recover cheaply.
The attack is more of a nuisance than the end of Monero.
> $75m per day is clearly sustainable.
Is this a typo or am I misunderstanding something?
I’m guessing it’s implied that the return would be higher than $75m a day.
Thanks.
"unsustainable"
now it says unstainable
Also true!
Depends what the goal is. A state that wants to break the anonymity of the system doesn't care about $75m per day, specifically a state that can just print that...
I'm not familiar with Monero's privacy system, so I can't say for sure, but it is very, very unlikely that a reorg could in any way break anonymity.
Reorgs dont break anonyminity
The problem is not that the system is constantly under attack. It's that it can no longer be trusted to be secure. Nobody with money on chain will say 'oh well, probably nobody will steal my money today'.
A 51% attack doesn't let you steal random people's money.
It absolutely does, just not directly. Say that you have 100k fiat equivilent in monero and I demonstrate a successful monero double-spend attack. How much do you think your monero is worth?
My man. What do you think the word "steal" means? You can't just redefine words because you don't like new technology.
Do we need to drop down to 1st grade story problems?
---
Alice has 1 apple. Eve has 0 apples.
Eve steals Alice's apple.
Now Alice has 0 apples. Eve has 1 apple.
---
Alice has 1 XMR. Eve has 0 XMR.
Eve 51% attacks Alice's network.
How many XMR does Alice have? How many XMR does Eve have? Show your work.
Much better link - https://www.cointribune.com/en/qubic-hits-52-72-of-moneros-t...
Appears to be legit, but not really a nefarious attack.
>Did Qubic really attack Monero ? No, according to official statements, it was a planned stress test to identify vulnerabilities in the Monero network.
"not really a nefarious attack" is an insane summation of this article. There's zero way for someone outside of qubic to verify that they didn't do something nefarious while controlling the network. Stated another way- anyone could call their 51% attack a "stress test"
That entire article reads like propaganda/doublespeak.
"Planned test". Planned by whom? Planned by the attackers. The reorg did happen.
This is a bot hoax. The only news here is that twitter still hasn't fixed its insane spam account problem
Qubix(group performing attack) founder x post
https://x.com/c___f___b/status/1955158154213220492
This man is a true poet, just beautiful look at this quote found on his exTwitter:
(quote starts here)
"""Writing this date here to memorize when the concept of Decentralized Artificial Intelligence (#DAI) got its final shape.
Not bullshit like "It runs on a #blockchain so it must be decentralized". In this concept each entity holds a secret know-how which modifies #IntelligentTissue (in cooperation with other know-hows owned by other entities, if needs to solve a complex task). Secrecy of each know-how ensures nobody can copy it, others can only attempt to create something similar by spending computational resources.
Each #AI is an original object, #IntelligentTissue is its hologram. #Qubic is the platform for AI creation, their convergence and intelligent tissue hosting"""
Psychosis or marketing scheme? Who can even tell the difference anymore...
He's a bit insane. I did the same thing to the iota Network and brought it down to 0% confirmation for a month
Trust me he did not like it
100% a fed action. Government influence has been pushing Monero off of exchanges and now this. Why? Because Monero has true anonymity.
Interesting, I don’t disagree but would like to learn more.
If you exchange Bitcoin for cash, the IRS can retroactively look at every wallet that this money originated through. If they decide that they don’t like how certain coins were earned, they can mark them and any wallet they touched as poisoned, and put you in jail if you try to exchange them further.
Monero transactions are inherently obfuscated, which solves this problem. If you want more details, the Monero whitepaper is well written to be accessible for the common reader.
The tldr is it works atop ring signatures: https://en.m.wikipedia.org/wiki/Ring_signature
> Monero transactions are inherently obfuscated, which solves this problem.
It solves the problem by making all participants culpable. The blockchain community is very good at imagining they have technical solutions to social problems.
I don’t believe US courts would see it the same way, if you use Monero for legitimate transactions you will not go to jail.
By your logic, anyone using cash would be culpable for illegal transactions. Same with VPNs/Tor.
I think speech is not the same money, and that any kind of property you expect others to respect comes with obligations. Why should I respect your property claims if you can't show me you didn't steal your property?
But that's really beside the point, because it isn't me who will come after you, it's the IRS (or equivalent). If you spend a lot of money, you're in trouble if you can't explain how you got it. And if you explain that you participated in a network which has as its only purpose to destroy evidence of how you got it, you're usually in extra big trouble.
There's a little bar in Cupertino, Paul & Eddie's Monta Vista Inn. They only accept cash. Should they be shut down and have their assets seized? After all, what possible reason could they have to operate as cash only, in Silicon Valley, other than that they want to destroy evidence of how they earned it?
Again, it's beside the point what they should. Small businesses have "know your customer" requirements too, and if this little bar made suspiciously much money from cash sales, the government will come looking to make sure it isn't a money laundering operation.
If you think it shouldn't be that way, you are faced with a problem. A social political problem. Which Monero does nothing to solve. Which is the point.
Can you elaborate?
fiat money has to be a monoply
specially given its only backing is "trust" (trust that you won't get invaded or overthrown)
anonymous alt coins, real digital cash, are competition to the monetary system. there can be only one.
I am way OOTL with crypto drama.
Anyone have any context about who Qubic are, and what their deal is?
It's a long story, I wrote a blog about it here: https://rdrama.net/h/slackernews/post/385556/chud-chudsmug-u...
Thanks!
Sidenote: IDK how is Ledger, a French company, still in business after compromising ~300k users' physical addresses[1] amongst other PII, ~5 years ago.
[1]: https://www.reddit.com/r/ledgerwalletleak/
What is qubic offering to miners that other pools can't?
Gamification. They are supposedly offered some other shitcoin in return for the monero that they mine. I've tried it myself some months ago, it is noticeable that they were lying about the number of miners on that platform.
Reminds me of the old IRC Channel takeover
One of the major things that has always bothered me about crypto: if an economically "irrational" large player wanted to 51% something like Bitcoin, they could.
I am thinking of, for example, a nation-state. Let's say the US, EU, or China decided for some reason that it was in their national interest to blow up Bitcoin. This could happen if an adversary like Russia or its allies were using Bitcoin for funding and there was a war or a major Cold War style struggle. Such players could afford to purchase and build, in secret, a huge mining farm, and then suddenly turn it on, not caring about the cost because the goals are strategic. It would be massively expensive but it doesn't matter for this case.
I'm also curious about an attack vector whereby if a coin has a single reasonably well-installed mining software stack, this effectively gives the developers of that stack control over any miner, which could easily add up to 51% if there's only a few mining software options. Sneaking in a backdoor is well within the capabilities of any developer; do the mining companies compile from source?
While that's certainly possible with a large enough expenditure, they'd also have to have the miners be sufficiently indistinguishable that they couldn't easily be denylisted with an update to the official codebase.
The moment anyone does this, people will notice, and the coin plummets.
Yep. From the comment you replied to:
> Let's say the US, EU, or China decided for some reason that it was in their national interest to blow up Bitcoin.
Which is what they want.
at 75 million a day what is the motive?
They could borrow 1 Billion in Monero and sell it. Then they would only have to pay back a fraction and keep the rest.
> a nation-state. Let's say the US, EU, or China decided for some reason that it was in their national interest to blow up Bitcoin
Irrelevant and impossible to "know", given that it hasn't happened yet (if it ever does)
State entities can also destroy real banks with all sorts of means if they really want. The vulnerability is real, but beyond the scope of discussion because then it's war we're talking about.
But states generally like having a financial system, and don't like (or are at least annoyed and worried by) cryptocurrencies, so the incentives aren't the same.
A more economical version of the same thing is to engage in honest mining through several front companies that together have 51%. Until a strategic opportunity presents itself and they start colluding.
Sure, and this is well within the capabilities of any competent large intelligence agency.
It's only a secure system if adversaries are either small or economically rational.
For monero and other smaller chains maybe, but for BTC this is already at the point of being quite difficult (the intelligence agency really would have to be quite large).
The money is one thing, you also have to somehow acquire a huge % of the ASIC supply over years, and the not insignificant amount of energy to run them
What really happens to a crypto coin if trust in the ledger is shattered?
Does the coin stay alive purely because people still speculate on hype or does everyone try to cash out simultaneously and send price into a death spiral?
Maybe Black Owl is finishing off APT29's remaining part of the former Mirai botnet?
I'm just saying that this might be a state sponsored actor fighting another one, given that Mirai was primarily hosting XMR miners, and given that they lost 3.5 Mio bots overnight in 2023.
Post seems confused. A 51% attack doesn't allow the attacker to sign transactions with someone else's key.
You: "Post seems confused. A 51% attack doesn't allow the attacker to sign transactions with someone else's key."
Maybe you misread, the post says this: "With its current dominance, Qubic can rewrite the blockchain, enable double-spending, and censor any transaction."
All of which are possible if someone has that level of control, and none of which involve signing with other people's keys.
(As some people seem confused about the impact of 51% attacks: Of course you can't double-spend in a single blockchain, as that is prevented. But the nature of these attacks is that there's no longer one true blockchain. You can create one fork of the blockchain where you send the money to someone, receive goods in return, and then afterwards switch to a longer fork of the blockchain where the money was never sent.)
Doing this requires massive tangible infrastructure subject to seizure to pay your new bad debts as you become subject to arrest in a lot of the places one may want to spend time in.
This doesn't seem like as much of an actual risk. A better way to make money would be to create a perception that the value of the coin is at risk before buying it cheap.
Actually devaluing it doesn't seem worthwhile financially.
> become subject to arrest in a lot of the places
I have an idea for a much cheaper way to store and transfer money that also relies on the existence of a police.
Totally agree I just specifically doubt the virtue of stealing with extra steps which involves such obviously tangible assets.
A couple researchers have told me that it's not necessary to even reach 51%. It's probably something closer to 35% to maintain the ability to perform censorship etc
Not quite. You can make selfish mining economically viable below 51%, which eats into the profitability of the majority, but it's not possible to sustain a long term censorship attack with that.
With PoS protocols, >33% is usually when you have the ability to inhibit finality, which may be what you're thinking of.
they ran numbers on it. Do you have any references to support what you're saying?
You are not only appealing to the imaginary authority of someone that you talked to while demanding that someone else cite sources, but you also seem neither to understand the subject you're talking about nor able to accurately recall the hearsay you're offering as evidence. When you are lost in the woods, seek out a map!
Replies seem to be arguing that this wasn't a 51% attack and was something else. I don't know crypto well enough to verify their claims, though.
The ridiculousness of cryptocurrency reminds me of the ridiculousness of the stock market. Both are absolutely batshit insane ways to maintain a global monetary system, yet people keep investing their fortunes in both.
Seems to not be the case, a real 51% attack would need 10 blocks at the very least, because that's when Monero transactions get confirmed.
See e.g. https://x.com/kayabaNerve/status/1955173552363016434
https://x.com/kayabaNerve/status/1955228805598966258
"of a 51% attack", it's called a sybil attack
https://en.wikipedia.org/wiki/Sybil_attack
Btw, here's the alternative link https://xcancel.com/p3b7_/status/1955173413992984988
Going by the definition given in the wiki you’ve linked, a Sybil attack is about creating many fake identities to gain disproportionate influence in a network. A 51% attack in blockchain terms is specifically about controlling the majority of the network’s mining/staking power to override consensus.
So I'd say they're not exactly the same.
Someone amassing 51% of the network would probably want to do so under some fake identities so others don't realize what's about to happen. Not the same, but probably related.
Lol, there's no such thing as "fake identities" here. You just run more miners with different payout addresses for mining. But there is no "fake"
> You just run more miners with different payout addresses for mining.
That it's dramatically easier to conceal your identity doesn't mean concealing your identity isn't useful.
It's the same failure mode as a Sybil attack, but it's called a 51% when there's the additional assumption of the hashrate being hard to obtain and evenly-enough distributed to mitigate sybiling, and that assumption is being violated.
A Sybil attack is about having many identities in systems which make such identities count for something, blockchains are designed to avoid that attack by saying "identities don't matter for consensus, only raw 'work' does". a 51% attack is therefore analogous to a Sybil attack but not the same thing.
Byzantine Failure seems more appropriate.