Follow up: Bitcoin Cash has 51% attack vulnerability double jeopardy

Yesterday I wrote about how Bitcoin Cash (also bcash/BCH) has a major vulnerability: because it is running far ahead of the Bitcoin blockchain, it is going to have a window at the next halvening where it is susceptible to a heavily discounted 51% attack, the mere threat of which could end up being self-fulfilling.

After reading my article, some people speculated that Bitcoin Cash has a new difficulty adjustment algorithm (DAA) that is targeted to ‘just over 10 minute blocks’, slightly slower than Bitcoin, meaning that it will have caught up by 2020.

Those people are wrong. Both Bitcoin and BCH have the same 10 minute target difficulty.

They are right that BCH has been producing blocks more slowly, but the reason is that it has been losing mining hashpower to Bitcoin, coinciding with a relative fall in its value.

At the time of the new DAA on 13 November 2017, BCH was trading at around 0.2 BTC. Since then, with a couple of suspiciously brief pumps along the way, that figure has gradually halved and BCH is now trading at under 0.1 BTC.

That means the only way BCH can avoid being vulnerable to a period of heavily discounted 51% attack (other than through yet another hard fork) is by hoping its value continues to fall in relation to Bitcoin, so miners continue to switch away and the network continues producing blocks at a slightly slower speed.

The DAA hard fork on the BCH chain took place at block #504031, while the next Bitcoin block to be found was #494238, a difference of 9,793 blocks.

As of yesterday, that gap had fallen to 6,844 blocks. Those pointing out that BCH has been catching up were correct; they’ll just be disappointed by the reason why. That difference means that in the last 8.5 months (259 days), it has gained back 2,949 blocks while its relative market value has roughly halved.

I’m not quite sure how, or whether it’s even possible, to sufficiently correlate or calculate the fall in price required to catch up, since there is so much variance, but if we use incredibly rough figures that BCH gaining 2,949 blocks requires roughly losing half its value to BTC, the value needs to halve another 2.3x, taking the value of BCH to somewhere around 0.02, or 2% of the value of BTC, by which point it would have long been vulnerable to 51% attacks anyway.

The worst case scenario for Bitcoin Cash would be that its value continues to slide, but just not quite enough for the Bitcoin blockchain to catch up, since a successful and damaging attack could take place with a window of just hours, far less than the current rough 48 day estimate.

Actually, I guess the other and more likely worst case scenario is that it just continues its slide into irrelevant obscurity, but only time will tell. My previous post on this vulnerability was downvoted to oblivion on the /r/btc subreddit; the echo chamber would prefer to bury its head in the sand, so I’m sceptical any solution will be forthcoming. I kind of hope it does remain unfixed; it would create a fascinating opportunity for miners and, as an observer, a potentially magnificent demonstration of game theory in action.

Bitcoin rival has a major vulnerability which could help Bitcoin miners to destroy it in 2020

TLDR: Due to a flawed emergency difficulty adjustment at its creation, Bitcoin Cash is now running ahead of the Bitcoin blockchain. Since future supply ‘halvenings’ should occur around 48 days before the Bitcoin network, it creates a window where it is ‘half price’ to 51% attack the network. The mere threat could cause the value to fall in anticipation, creating a feedback loop that makes such an attack increasingly inevitable and its outcome even more devastating.

Supporters of Bitcoin Cash (also called BCH and bcash) love to talk about a hypothetical “flippening”, a scenario in which a rise in the value of BCH would see miners switch away from the main Bitcoin blockchain causing the block production speed there to slow. They believe that with the Bitcoin blockchain operating at capacity, the network performance would suffer thus further reducing the value of Bitcoin and increasing the value of BCH which has a higher onchain capacity.

This, they speculate, would create a feedback loop, ultimately resulting in the Bitcoin blockchain completely grinding to a halt as miners jump ship for the more profitable BCH chain which would rise triumphant and replace Bitcoin as #1 cryptocurrency.

This is all pie in the sky fantasy, completely misunderstanding the complex and mature ecosystem that has formed and the incentives of those who operate within it. It simply will not happen. I am simultaneously amused by and feel bad for those who invest heavily in altcoins in the naive hope a flippening in value will occur.

However, there is a flippening of sorts looming for BCH that I have not yet noticed any consideration given towards.

One of the rules of the Bitcoin network, that BCH also inherited, is that every 210,000 blocks (approx 4 years) the supply of new coins created with each block is halved, in a much celebrated event known as “the halvening”. This also causes the profitability of mining to halve since in 2020 the supply of new coins created will fall from 12.5 to 6.25 per block.

To uncover why this may create a problem for BCH we must look back to its creation. In order to deviate from the Bitcoin network and create a new version, it underwent a process known as a hard fork.

The main rule change was to increase the block size; however, as the BCH developers knew there would likely not be much support for their fork, they also added a bit of code called an emergency difficulty adjustment (EDA). This is because the difficulty determines how frequently new blocks are created. If you reduce the volume of miners without reducing the difficulty, block creation can take a much longer time. Losing 80% of the mining hashrate would result in blocks only being created every 50 minutes instead of 10, and consequently the mechanism to readjust difficulty every 2016 blocks could take as long as 10 weeks instead of the usual 2. The EDA meant that instead of adjusting the difficulty every 2016 blocks it could readjust down based on just the last 6 blocks.

As with many ‘simple’ changes, this had major unintended consequences as it created an incentive for miners to collectively hold off on mining until the difficulty was really low, and then suddenly start mining blocks again really quickly at high profitability. This caused huge fluctuations in difficulty and at times made the BCH network grind to a halt while no blocks were being created, while at other times they were being churned out in seconds.

The BCH network had no choice but to introduce yet another hard fork to fix the difficulty adjustment algorithm. Hard forks require that every single participant on the network upgrades their software or gets kicked off, so handing them out like Oprah gives away cars is not ideal.


By the time the problem was resolved, the BCH block count had rocketed ahead of the main Bitcoin blockchain.
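The runaway described above can be reproduced with a small deterministic model. This is an added example, not code from BCH or from the original post: the 12-hour trigger, the 20% cut, the use of raw timestamps, the 1%/99% hashrate split and the profit-switching threshold are all assumptions chosen for illustration.

```python
# Added example: toy model of a 2016-block retarget with and without an
# EDA-style emergency cut. Every parameter here is an assumption.
TARGET_MIN = 10.0        # target block interval in minutes
RETARGET_BLOCKS = 2016   # normal retarget period
EDA_WINDOW = 6           # the EDA looks at the last 6 blocks
EDA_LIMIT_MIN = 12 * 60  # assumed trigger: those 6 blocks took over 12 hours
EDA_CUT = 0.8            # assumed effect: difficulty drops by 20%


def weeks_to_retarget(hashrate_left):
    """Weeks needed to mine one 2016-block period at a fraction of the hashrate."""
    return RETARGET_BLOCKS * TARGET_MIN / hashrate_left / (7 * 24 * 60)


def simulate(days, use_eda, loyal=0.01, switchers=0.99, profitable_at=0.1):
    """Deterministic run that uses expected block times instead of randomness.

    Difficulty 1.0 is the inherited difficulty, tuned for hashrate 1.0.
    `loyal` hashrate always mines the fork. `switchers` mine it only while
    difficulty is at or below `profitable_at` (hypothetical switching rule).
    """
    horizon = days * 24 * 60
    difficulty, period_start = 1.0, 0.0
    times = [0.0]                       # timestamp of the fork block
    intervals, difficulties = [], [difficulty]
    while True:
        hashrate = loyal + (switchers if difficulty <= profitable_at else 0.0)
        interval = TARGET_MIN * difficulty / hashrate
        if times[-1] + interval > horizon:
            break
        times.append(times[-1] + interval)
        intervals.append(interval)
        height = len(times) - 1
        if height % RETARGET_BLOCKS == 0:
            # Bitcoin-style retarget, clamped to a factor of 4 either way.
            actual = times[-1] - period_start
            factor = RETARGET_BLOCKS * TARGET_MIN / actual
            difficulty *= min(4.0, max(0.25, factor))
            period_start = times[-1]
        if (use_eda and len(times) > EDA_WINDOW
                and times[-1] - times[-1 - EDA_WINDOW] > EDA_LIMIT_MIN):
            difficulty *= EDA_CUT       # emergency cut after six slow blocks
        difficulties.append(difficulty)
    return {
        "blocks": len(times) - 1,
        "expected_blocks": int(horizon / TARGET_MIN),
        "fastest_block_min": min(intervals),
        "slowest_block_min": max(intervals),
        "lowest_difficulty": min(difficulties),
    }


if __name__ == "__main__":
    print("weeks to retarget at 20% hashrate:", weeks_to_retarget(0.2))
    print("no EDA  :", simulate(14, use_eda=False))
    print("with EDA:", simulate(14, use_eda=True))
```

Without the emergency rule the fork barely moves in two weeks; with it, the difficulty is cut until the switching hashrate piles in, blocks arrive in under a minute, and the chain ends the same two weeks ahead of the 2016 blocks it was meant to produce.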

At the time of writing, BCH is on block #541236 while Bitcoin is on block #534392, a difference of 6,844 which at 10 minutes on average means that the BCH halvening is currently expected to occur approximately 48 days before it does on the Bitcoin blockchain.

At that point, the reward for creating a new BCH block will fall to 6.25, while on the Bitcoin blockchain it will remain at 12.5 (plus higher fees).

The market currently values BCH at around 10% the value of a Bitcoin and the hashrate roughly correlates with the price.

At current prices, that means mounting a 51% attack on BCH would require just over 11% of the Bitcoin hashrate to switch over.

For a 48 day window in 2020 (and then every 4 years) that dynamic will change, and the cost to attack the network will suddenly halve. Suddenly just 6% of the Bitcoin hashrate would be sufficient to mount a 51% attack against BCH, well within the capabilities of a number of mining pools.

There are a number of ways to ‘short’ cryptocurrencies. Shorting is basically betting that a value will fall, and profiting if it does. Anyone mounting a 51% attack successfully would cause the value of that cryptocurrency to fall, with shorting creating an easy opportunity for them to profit.

A 51% attack itself provides other opportunities for an attacker to profit, most notably through a double spend attack. This could be achieved by depositing a large quantity of BCH onto an exchange, converting and withdrawing them as something else, and then reversing the original transaction so the exchange is out of pocket and the attacker keeps their original BCH.

However an attacker chooses to profit from a 51% attack, the outcome will almost always be a fall in value of the cryptocurrency as people lose both trust in its security and their money.

These rough figures are based on a BCH/BTC rate of 0.1 and ignore the even higher fees available on the Bitcoin network. Since the value of BCH has already been falling for some time it could easily be much lower by 2020. This means an attack would become even cheaper and even more likely.

The increased risk of a 51% attack during this period is likely to decrease the price in anticipation of it. This could create a feedback loop where the increased risk caused by the price falling causes the price to fall even further. Miners could engage in all kinds of game theory here: merely hinting they are considering attacking the network would likely cause a downward pressure on price making the cost of an attack even lower.

In summary, hard forks are risky and can introduce a whole host of unintended consequences. While the BCH community may now think their difficulty adjustment woes are behind them, there may be other nasty surprises lurking ahead.

Let’s talk hard forks: the most exciting area of cryptocurrency?

In my last article I outlined the difference between a soft and a hard fork. Now, I will switch my focus to the different types of hard fork.

Not all hard forks are born equal

A hard fork is when a blockchain splits into two separate and incompatible versions. The reasons for this happening and the consequential fallout are varied.

At the uncontentious end of the spectrum, you have essential hard forks. In its early days, a simple overflow bug in the then not properly audited Bitcoin code allowed somebody to create 184 billion Bitcoin out of nothing in a single block. The protocol allows a maximum of 21 million Bitcoin to ever be produced, and so this bug violated the protocol and rendered that version of the software useless. Bitcoin basically crashed. An update was essential to fix the problem, and a new version was released within hours.

Fixing critical bugs is as uncontroversial as it gets – since crypto economics assumes every participant should rationally act in their own self interest there were no participants who would benefit from Bitcoin remaining broken and the forked blockchain quickly became the dominant one.

Also uncontentious is an upgrade hard fork. Bitcoin hasn’t had one of these yet, but Ethereum has. These involve improvements to the protocol. In the case of Ethereum it was established from the beginning that the protocol would hard fork 3 times, gradually introducing new features. Those using Ethereum accept as part of its use they will need to upgrade their software in order to stay on the main blockchain, and since they are integral and promised improvements they are eagerly anticipated.

The next type of hard fork gets a little more ambiguous. There is consensus in the Bitcoin community that the 1MB block size needs increasing through the use of a hard fork. The contention is over when this increase to the transaction capacity should happen and how large it should be. There have already been a few failed attempts to hard fork to a bigger block size. Most recently Bitcoin Classic failed to gain enough support to introduce a 2MB block size hard fork, which required, but did not obtain, 75% of miners running the new software in order for it to be activated.

Since even Bitcoin Core has an increase to 2MB blocks on its scaling roadmap for the future, it is very unlikely that if such a fork had been activated, the other 25% would have remained on the old blockchain stubbornly insisting that they didn’t want to upgrade ‘yet’, as they would simply be left behind as the wider community accepted consensus had been reached.

If a fork to permit a 100GB block size increase had been successfully activated things would be different. There are many people who are strongly opposed to the increased centralisation, reduced protection from DoS/spam attacks and lack of fee incentive that larger blocks could bring. It is likely that, no matter what, a portion of the community would reject the fork and continue to participate on the original blockchain.

Here, we have reached the crux of what a contentious hard fork is: ideological.

Sometimes, consensus is simply impossible to achieve. If you passionately and ideologically believe something is right, you’d rather continue using and supporting the vision you believe in, even if you’re in a minority of <1%.

The ‘worst’ type of contentious fork would involve a community truly split down the middle, 50/50, as neither chain could be said to have won, and you’d find yourself with a format war, two competing and widely used solutions waiting for a winner to emerge. Many view this as undesirable.

There is no reason two sides of a hard fork cannot coexist peacefully, and both can be traded on exchanges with people free to use whichever fork they believe in. There are some complications though.

In the event of a hard fork, anybody who owns coins at the time the hard fork occurs will own those coins on both blockchains.

A hard fork will probably be seen as a negative initially and so cause the value of the coins to be lower, though this will probably be priced in once it is apparent the hard fork will occur. Then, after the split, the value of each set of coins would reflect the mining and community support for each side of the fork.

If you log into an exchange which has decided to support both sides of the fork, you will find you have two balances. If you’re with an exchange that has decided to support only one side of the fork, you’re possibly going to miss out and lose some coins that could hold, even if small, a future value. I wouldn’t be surprised if those exchanges left themselves open to legal action over the missing coins.

It is a simplistic and highly speculative example, but let’s say a hypothetical $100 coin splits into two blockchains with a 75%/25% hashing power split: you may see the overall value drop to 80%, leaving the coins valued at $60 and $20 on each side of the fork respectively.

While it will be immediately obvious how the miners have split their support between the chains, it is a lot more difficult to estimate community support. If you had a majority of miners in favour of fork A, and a majority of the community in favour of fork B, you’d likely see a quick swing in price with fork B overtaking A in value. There will likely be arbitrage opportunities for anybody who is able to identify the likely disparity between miner support and community support which is impossible to see until left to the market to decide at the exchanges.

Cryptoeconomics anticipates that people will act in their own self interest. If someone genuinely believes in one side of the fork ideologically, it is likely they will ‘dump’ their coins on the losing side of the chain in order to lower its value and in theory increase the value and the likelihood of success on the chain they believe in.

This is a gamble, they could dump all the coins they don’t believe in, and then find out the community valued that side of the fork more highly leaving them ultimately with a lot of highly devalued coins. It is also possible such a devaluation would be temporary, and if people persist to support the ‘losing’ side its value could recover.

In the case of Ethereum, which is about to undergo the first ever contentious hard fork, there are people who strongly believe in both sides of the fork and would be prepared to gamble dumping the coins they oppose to negatively influence the price.

Hard forks also create an unintended problem: replay attacks. If you have two almost identical protocols, the format of the transactions you submit to the network is identical. If you see a transaction on one side of the fork sending money from X to Y, anybody can view it and submit that same transaction to the other blockchain so that it occurs there too, even if the people initiating the transaction don’t want that to happen.

There are ways to try and prevent this, but it adds a layer of complexity and is a barrier to peaceful coexistence. If you have a lower value coin you want to send to somebody, you could ‘lose’ your higher value coins in the event of a replay attack, so this factor likely favours the most popular (highest value) side of the fork, as people want to minimise the risk of losing their more valuable coins.
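One common way to prevent replay is to commit a chain identifier into the data the sender signs, so that a signature made for one fork does not verify on the other. The sketch below is an added example, not code from either project: HMAC stands in for a real public-key signature, and the key, names and balances are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for a real public-key signature.
ALICE_KEY = b"constructed-demo-key-for-alice"


def signing_digest(tx, chain_id=None):
    """Hash of the fields the sender signs; chain_id is committed if given."""
    fields = dict(tx)
    if chain_id is not None:
        fields["chain_id"] = chain_id
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).digest()


def sign(key, tx, chain_id=None):
    return hmac.new(key, signing_digest(tx, chain_id), hashlib.sha256).hexdigest()


class Chain:
    def __init__(self, chain_id, balances, keys, commit_chain_id):
        self.chain_id = chain_id
        self.balances = dict(balances)   # both forks inherit the same balances
        self.keys = keys
        self.commit_chain_id = commit_chain_id
        self.seen = set()                # signatures already included

    def submit(self, tx, signature):
        """Return True if the transaction is accepted on this chain."""
        cid = self.chain_id if self.commit_chain_id else None
        expected = sign(self.keys[tx["from"]], tx, cid)
        if not hmac.compare_digest(expected, signature) or signature in self.seen:
            return False
        if self.balances.get(tx["from"], 0) < tx["amount"]:
            return False
        self.seen.add(signature)
        self.balances[tx["from"]] -= tx["amount"]
        self.balances[tx["to"]] = self.balances.get(tx["to"], 0) + tx["amount"]
        return True


def demo(commit_chain_id):
    """Sign one payment for fork 'A', then submit the same bytes to fork 'B'."""
    start, keys = {"alice": 10}, {"alice": ALICE_KEY}
    a = Chain("A", start, keys, commit_chain_id)
    b = Chain("B", start, keys, commit_chain_id)
    tx = {"from": "alice", "to": "bob", "amount": 4}
    sig = sign(ALICE_KEY, tx, "A" if commit_chain_id else None)
    return a.submit(tx, sig), b.submit(tx, sig), b.balances["alice"]


if __name__ == "__main__":
    print("no chain id in digest:", demo(False))   # accepted on both forks
    print("chain id in digest   :", demo(True))    # rejected on fork B
```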

Ultimately, the safest reaction and likely most common response to a contentious hard fork is to wait and see how it all plays out.

If you had $100 coin, that split to $60 and $20, it may be that if you wait a week the coins are worth $79 and $1 – overall you’ve not lost anything. The sooner you move your coins, the bigger the risk you face, but also the bigger the potential reward.

Many people will expect that on the smaller side of a fork there will be a huge dump of coins from people who only want to hold a balance on the ‘winning’ side of the chain. This could have a knock on effect on the viability of mining, with only those of the strongest ideological resolve mining at a loss in the hope of future returns.

Let’s look at Ethereum’s imminent hard fork as an example, which will be fascinating to observe. The community is split following an attack where an individual was able to steal a large number of tokens from a smart contract called the DAO that huge swathes of the community had invested in. This was no fault of the protocol or Ethereum itself, but rather a badly coded contract. Ethereum has marketed itself as immutable and “contract is law”, so there is an ideological argument that a hard fork to return the stolen funds from a badly coded contract undermines the entire project, which is why a number of the community are so strongly opposed.

Once the hard fork takes place, there are many people who oppose the hard fork and want to remain on the original chain who do so acknowledging there is a possibility the vast majority of the community will dump their coins causing its value to plummet. This seems in violation of the principle that people would always act in their self interest as they could see the value of their own coins diminish and mining become unprofitable.

Rather than a bad thing, many of these people see the dump as a great time to buy these coins at a heavily discounted price, with the opinion that if something like the DAO hack has happened before, it can likely happen again. They envisage a future where the community accepts sacrificing its immutability was a mistake and hard forking to solve problems is not viable, and that people will abandon the compromised chain and come back to realise the value of the original immutable, “contract is law” blockchain and the value of their holdings will increase finally allowing them to profit. It’s a long term hedge.

The outcome of a contentious hard fork is so hard to predict that it’s quite a lot like an election. There are certain indicators, but until it happens there’s always the possibility of a surprise. In reality nobody knows what will happen, but hard forks are not the end of the world, and they are rather exciting.

Understanding Bitcoin: what’s the difference between hard and soft forks?

It occurred to me at a Bitcoin meetup the other week that forks are one of the concepts of cryptocurrency that can be a source of confusion, so I thought I’d have a go at explaining the basics. It is a particularly interesting time for forks as the Ethereum network looks set to go through the uncharted process of a contentious hard fork, but more on that another time.

What is a fork?

Bitcoin and other cryptocurrencies are distributed networks.

What’s incredible about them is that they operate on thousands of different machines with nobody in charge, but are still able to reach a consensus.

Bitcoin is basically a giant list of transactions – every transaction that has ever taken place on the network in fact. Every 10 minutes, all the transactions from the previous 10 minutes are collected together into a block, and then this block is added to the end of the chain of all the other blocks which contain all the previous transactions – the blockchain.

There are two roles involved in distributing the network, miners and nodes. Nodes basically just connect to the network and share blocks and transactions with other nodes. Miners have the additional responsibility of creating blocks, and are rewarded with new Bitcoins for doing so. (For an explanation on how the network decides which miner will create the next block, see my article on proof of work.)

In order for all the machines to work together, they have to operate according to a strict series of rules. This particular group of rules together are known as the protocol.

An example rule of the Bitcoin protocol is that a block can contain a maximum of 1MB worth of transactions.

Remember, every participant on the network has a copy of exactly the same rules/protocol. If a miner tried to create a block that contained more than 1MB of transactions and then sent that to other nodes, they would simply say nope, that’s not valid – and then they would discard it instead of passing it on so it can propagate around the network. It would be completely pointless to create such a block, a waste of processing power.

Sometimes people believe improvements can be made by changing some of the rules. Some people in the Bitcoin community would like the block size increased from 1MB to 2MB so that the number of transactions can double. This would require a change to the rules of the Bitcoin protocol and could only be achieved through what’s called a hard fork – everyone would have to upgrade their software to the new protocol rules.

There are other changes that can be made that involve the enforcement of new rules, but the changes do not require a change to the protocol that everybody agrees upon. For example, if all the miners said they were going to mine blocks with a maximum size of 0.5MB – everybody on the network would accept these blocks as valid since they fall within the protocol’s 1MB allowance.

If over 51% of miners all agree to a maximum block size of 0.5MB they can force this change upon the entire network without anybody else having to change their software. This is called a soft fork. Every node and miner will accept the blocks as valid and build on top of them.

You might think if 49% of miners were still creating 1MB blocks, surely the blockchain would have some 0.5MB blocks and some 1MB blocks, since they are all technically valid within the protocol and recognised by all participants as legitimate.

It could work like that, but in the case of a soft fork it doesn’t. 51% is the magic number at which point the majority of miners can force all other miners to limit themselves to 0.5MB blocks. Since miners get to choose which blocks they build upon, the 51% of miners could simply ignore any blocks they no longer considered valid within the new rules they have implemented, and so only 0.5MB blocks would ever be included in their blockchain.

Some people argue a soft fork is a confusing term because the network itself doesn’t really fork (split in two), and all software would still follow the same blockchain. It is however a fork in the sense that miners who hadn’t upgraded their software would find themselves building incompatible (forked) blocks, it’s just that those blocks would be ignored and consequently orphaned by other miners and would quickly become irrelevant.

Technically, a soft fork is exactly the same as a 51% attack, and some argue it should be described as such. I think the big distinction is that soft forks generally have a social consensus and are accepted as improvements to the network, while a 51% attack is widely considered to be harmful. An example 51% attack would be to include no transactions (0MB) in any blocks, as is permitted, and cause the network to grind to a halt. In fact, many would argue the example I gave of lowering the block size to 0.5MB and consequently halving transaction volume is better described as a 51% attack than a soft fork, but it was easier to explain than actual soft forks widely considered improvements such as P2SH and Segregated Witness.

In summary, a soft fork involves a change to the rules that only miners must agree upon and implement, a hard fork involves a change to the protocol that every participant must agree upon and implement.
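The difference can be seen by letting old-rule and new-rule miners each follow the longest chain that is valid under their own rules. This is an added example, not code from any Bitcoin client: hash power is modelled as a fixed repeating schedule rather than random block discovery, and a two-thirds majority is assumed so that a short run settles (with a bare 51% the same outcome is only probabilistic and takes far longer).

```python
# Added example: deterministic toy of fork choice under two rule sets.
MB = 1_000_000


def fork_type(old_limit, new_limit):
    """Tightening the size rule is a soft fork; loosening it is a hard fork."""
    if new_limit == old_limit:
        return "none"
    return "soft" if new_limit < old_limit else "hard"


def run(schedule, rounds, legacy_limit, upgraded_limit):
    """Mine `rounds` blocks; `schedule` is a repeating string of 'L' and 'U'.

    'L' is a miner on the old rules, 'U' a miner on the new rules. Each miner
    fills blocks to its own size limit and builds on the longest chain that
    is valid under its own rules (first seen wins ties).
    """
    limit = {"L": legacy_limit, "U": upgraded_limit}
    blocks = {0: (None, 0)}                    # id -> (parent id, height)
    valid = {"L": {0: True}, "U": {0: True}}   # is the chain to this block valid?
    tip = {"L": 0, "U": 0}                     # best tip under each rule set
    for i in range(rounds):
        who = schedule[i % len(schedule)]
        parent, size, bid = tip[who], limit[who], len(blocks)
        height = blocks[parent][1] + 1
        blocks[bid] = (parent, height)
        for side in ("L", "U"):
            valid[side][bid] = valid[side][parent] and size <= limit[side]
            if valid[side][bid] and height > blocks[tip[side]][1]:
                tip[side] = bid

    def chain(block_id):
        ids = set()
        while block_id != 0:
            ids.add(block_id)
            block_id = blocks[block_id][0]
        return ids

    legacy_chain, upgraded_chain = chain(tip["L"]), chain(tip["U"])
    return {
        "converged": tip["L"] == tip["U"],
        "legacy_height": len(legacy_chain),
        "upgraded_height": len(upgraded_chain),
        "orphaned": rounds - len(legacy_chain | upgraded_chain),
    }


if __name__ == "__main__":
    # Soft fork to 0.5MB with a two-thirds miner majority: one chain survives.
    print(fork_type(MB, MB // 2), run("UUL", 32, MB, MB // 2))
    # Same soft fork with only a one-third minority: the upgraders split off.
    print(fork_type(MB, MB // 2), run("LLU", 32, MB, MB // 2))
    # Hard fork to 2MB: old software rejects the chain even with a majority.
    print(fork_type(MB, 2 * MB), run("UUL", 32, MB, 2 * MB))
```

In the first run every 1MB block mined by the minority ends up orphaned and old software follows the majority chain without upgrading; in the other two the network stays split.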

There are currently over 5,600 Bitcoin nodes, while only 14 different mining pools have found blocks in the last month. This means soft forks are a lot easier to implement, 400x easier in terms of a rather simplistic count of the number of installations that need their software upgraded.

It’s not quite that simple though, consensus is a lot more fuzzy and complicated. In my next article I will talk more about hard forks, which open up a whole new jumble of exciting possibilities and unintended consequences. Stay tuned.
