When Bitcoin ceases to be Bitcoin (the 2nd death)

When Bitcoin ceases to be Bitcoin (the 2nd death)

The post originally appears on Medium and we republished with permission.

On the 18th of November, 2018, deadalnix pushed the following commit to the bitcoin-abc repository which was publicly released yesterday: https://github.com/Bitcoin-ABC/bitcoin-abc/commit/917d65774c40c6bfad500a660e581c8ea5e20df0

The theory behind this is a defense against hostile reorganizations (there is no actual evidence of such actions having been taken) with a rolling checkpoint system. A block was finalized once it had received ten confirmations — even if an alternate chain had more proof-of-work, if it conflicted with a checkpoint, the node would not switch over to the longest chain.

In doing do Amaury Sechet has not only abandoned any pretense of Bitcoin ABC following the Bitcoin model of blockchain security. He has opened it up to new attacks that require centralised decision-making to engage in permissioned mining by ignoring the longest chain to defend against. If the below attacks are carried out it will not be miners that decide which transactions are considered canonical according to bitcoin rules, but a central committee most likely made up of Amaury, Jihan and Roger.

It is important to note that at this time none of the other ABC compatible implementations include this change. It appears that it was implemented unilaterally and without consultation by Amaury Sechet in a continuation of a well established pattern. This is the past, present and future of ABC coin.

If ABC want to go down this road and implement the rest of their roadmap that is their prerogative. But please do not try to call it Bitcoin whilst undermining the most fundamental principles that make Bitcoin what it is.

Overview of the Commit

There are two chains — an honest chain (that follows the majority of the mining consensus), and a shadow chain (that follows the attacker).

The game theory behind the defense is that if a hostile miner produces the shadow chain, once it diverges from the honest chain by more than ten blocks it is considered useless, as it cannot reorganize the honest chain — even if it has more work. The attacker would give up and stop extending the shadow chain.

Checkpoints are maintained by node operations themselves, and this behavior of checkpointing is enabled on all nodes by default.


The Double-Spend Attack

If an attacker controls more than 50 percent of the processing power driving the ABC blockchain, they can submit a set of 10 blocks to the network by reorganizing the ten honest blocks. If this attack is executed at the same time as the network finds the 10th block in that submitted a sequence (and thereby selecting it as an honest checkpoint), it can cause ABC to suffer a chain split. ABC is currently open to being maliciously hard forked.

Since not all information gets propagated over the network at the exact same time, some nodes will see a 10-block reorganization — which they will reject — and others will see a 9-block reorganization, which they will accept. The network will then fork into two.

If there is two exchanges on different forks, an attacker is able to sell the same coin twice on both exchanges for a double-spend attack.

The Sybil Attack

Cost of Attack: ❤0K (Rental Hash)

minority hash rate miner can perform a network attack. Normally, if they mine ten blocks in a sequence and submit their own blocks for processing while ignoring other miner’s blocks, it becomes a minority chain split that nodes (who only recognize the longest chain) will inevitably ignore. However, if a node that is out of sync reconnects to the network — for instance, if it has gone offline for a few hours — it could receive data related to the wrong blockchain first, leading to the real chain being rejected from that point onward. The attacker would then have full control over what transaction a node accepts, and what can be exploited to execute double-spend attacks.

As a rule of thumb in developing node infrastructure, you cannot rely on the timestamped data to be synced with other nodes.

Note: The original white paper appeared to imply that the ability for nodes to be switched off, and then verify what happened when it was offline, was important:

“Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone.”

BCHABC requires a node to be online 24×7.


FURTHER GAME THEORY

Bob and Alice are trading BTC for BCH.

Bob says he sent Alice the BTC, so Alice should send the BCH. Alice starts up her full node that has been online during the day and syncs the latest blocks. When her node has stopped syncing, it says that Alice received BTC — she then sends Bob BCH. Later, she finds out that she has synced a malicious 10-block fork that has become immutable, and the actual BTC she received were spent on something else on the main chain.

While the attack relies on Bob getting the malicious 10-block fork to Alice before another honest miner has sent her the real chain, there are ways to optimize this scenario. For instance, he may be spawning Sybil nodes to maximize his odds of this happening.

In a typical Bitcoin scenario, Sybil attacks are hard to perform because just one of the nodes you connect to needs to be honest for the attackers to fail. In this case, an attacker just has to get to you first. Furthermore, if an attacker is able to place his node in closer proximity to you or the seed nodes, he can optimize his chances of you getting a response from him faster than the honest nodes. This attack doesn’t need to rely on partitioning to work. Bob could be the owner of several block explorers, too, so even if Alice double-checked, Bob could still be able to trick her.

Bob may have even generated more blocks than 10. He could have 16 blocks. He would feed Alice 6 others using a 10-minute average Poisson distribution.

While this attack is in theory absurd, with enough money on the line, this attack could be executed.


Solution

Disable finalizing during the initial block download, and only enable it after the most active chain has been fully synced for x amount of hours.

Conclusion

The most fundamental principle of Bitcoin confirmation is proof of work, that is underpinned by proof of investment. By enabling the investment of miners to be sidestepped that fundamental principal is thrown out the window. It is now up to a central authority to decide and once you take that step there is no longer any need for a block chain. A MySQL database will achieve the same result.

This is an ill thought out change executed in an incredibly rushed and reckless manner with almost zero chance it was properly tested. The fact that a new consensus rule can be introduced in such a unilateral manner by a single developer is alarming. What is more alarming is that one developer can throw out the entire foundation of Bitcoin security without opposition. This is the future of ABC coin. In August last year Bitcoin died on the BTC chain with the introduction of Segwit. It survived in the form of Bitcoin Cash until yesterday when it was killed off again by Bitcoin ABC. If Bitcoin SV had not stood it’s ground and preserved the rules of Bitcoin in SV, yesterday would have been the last day Bitcoin existed in this world.

New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.