| ▲ | moomin 4 days ago |
| To summarise: * One actor in the space appears to have done a proof of concept takeover of 51%. * It’s not clear there was any malicious action nor intent in doing so. * Performing something like this is definitely expensive. * The potential impact of doing so is disputed. * Whether or not it was achieved is also disputed However, what has been known you some time is that the largest BitCoin miners have more power than the entire community of many alt-coins. Whether this is an issue is a matter for debate. Certainly, until now, no-one has chosen to flex like this. |
|
| ▲ | nickysielicki 4 days ago | parent | next [-] |
| > Whether this is an issue is a matter for debate. Monero uses RandomX, which is intentionally chosen to make it difficult to accelerate using hardware that is common with other coins. It’s almost certainly not what happened here. |
| |
| ▲ | latchkey 4 days ago | parent [-] | | CPU was a terrible choice. | | |
| ▲ | pas 4 days ago | parent [-] | | why? what's better? | | |
| ▲ | JKCalhoun 4 days ago | parent | next [-] | | It would be interesting if a "coin" were tied to protein folding prediction or something else useful. | | |
| ▲ | MadnessASAP 4 days ago | parent | next [-] | | Proof-of-Work fails if the work has value. | | |
| ▲ | ssd532 4 days ago | parent [-] | | why? | | |
| ▲ | MadnessASAP 3 days ago | parent | next [-] | | In Proof-of-Work the cost of the work is what keeps the network honest. If the work has value then an attacker is free to invest as many resources as I want into subverting the network. Even a failed attack can still be profitable, just less so. In another scenario, where the works value is less then the cost you're still hoping that at no point in the future will an attacker figure out a way to do the work at a net profit. The only way the network can be trusted is if the work has definitely now and always, 0 value. | | |
| ▲ | chipsrafferty 3 days ago | parent | next [-] | | Not littering has value. However, if I don't litter, it doesn't benefit me, and I cannot profit off of it; no matter how eco-friendly I am, I get no value from it. | |
| ▲ | OldfieldFund 3 days ago | parent | prev [-] | | Am I wrong in saying that the work has negative value? And there are different degrees of that. Bitcoin's negative value is larger. | | |
| ▲ | MadnessASAP 3 days ago | parent [-] | | You are not wrong, the output has no value. The work then being Value Out - Value In. |
|
| |
| ▲ | red-iron-pine 2 days ago | parent | prev | next [-] | | because Proof-of-Work only generates value for an arbitrary, made up coin if it has no other real value. Otherwise you're making money that way, and the value of the coin is tied to the work that you did. until recently gold was a pretty but mostly useless metal. too heavy for practical uses, too melty for industrial uses, too soft for weapons, etc. but it didn't rust and was a good medium of exchange because it had no other real value. once it has value outside of being currency it's less useful in that capacity, since now its value is tied to how much you can get for it by utilizing it in computers, chemical reactions, etc.... same basic idea with PoW | |
| ▲ | 4gotunameagain 4 days ago | parent | prev [-] | | I don't think it's true, look up Proof of Useful Work | | |
| ▲ | moomin 3 days ago | parent [-] | | Which, ironically, is used by the attacker in this case. | | |
| ▲ | OneDeuxTriSeiGo 2 days ago | parent [-] | | It's worth noting that lots of projects claim to be "Proofs of Useful Work" without the academic rigor to actually prove so. The attacker of course being one of those who has failed to do so. 1. Their paper has not been accepted by any conference or journal. 2. Neither author on their paper is an academic (or practicing engineer or researcher) in the fields of computer science, economics, game theory, or cryptography (or any maths in general). The one is a C-level exec with what seems to be minimal CS experience and the other is a psychology professor. Neither author appears to have qualifications to be able to assume some level of rigor (before looking at the underlying work). 3. The paper is a bunch of text and buzzwords about AI and AGI intermixed with some academic history and some discussions on psychology. Of the 47 pages of the paper, only about 1-2 pages are semi-technical in major with an additional ~3 pages of code included to show their algorithm. There are two graphs relevant to the protocol on those 1-2 pages and neither one addresses any security aspects, instead showing it's performance at doing the "useful" part. So again to reiterate, their "academic paper" on the security of their PoUW algorithm includes no rigorous analysis of the protocol. TLDR They aren't doing PoUW. They are doing cooperative compute with a centralised or federated coordinator dishing out rewards. Proofs of Useful Work do actually exist and are an interesting field but they take a lot of rigor and analysis to be accepted and not immediately ripped to shreds. What the attacker claims is not even close to meeting that bar. |
|
|
|
| |
| ▲ | jayknight 4 days ago | parent | prev [-] | | Isn't that what GridCoin is? https://gridcoin.us/ |
| |
| ▲ | subsistence234 3 days ago | parent | prev | next [-] | | Since ASICs are built for mining one specific algorithm and no other, ASIC miners are invested in the survival of "their" mining algorithm. If there are several competing coins using the same algorithm, it may be possible to incentivize ASIC miners to destroy one of them if it benefits the others, but even then it's risky. CPUs in contrast can be used for a million different things, CPU miners are not incentivized to support any given crypto project. It's also much easier to rent large amounts of CPUs than of ASICs. | |
| ▲ | latchkey 4 days ago | parent | prev [-] | | Disclaimer: ran a 150k GPU eth mining operation PoS is the obvious choice now that ETH has had a bit of time to run. But, I remember when they went through the switch (before ETH PoS). Doing some sort of variation on GPU memory hard mining would have been a smart choice (ethash, progpow, etc), knowing full well that ETH would eventually go PoS. It would have given all the miners something to switch to, instead of just shutting down entirely, because there wasn't anything but ghost chains. | | |
| ▲ | subsistence234 3 days ago | parent [-] | | I'm still a fan of PoW. PoS incentivizes centralization. | | |
| ▲ | latchkey 3 days ago | parent [-] | | Hilariously posting in a thread about a 51% attack happening, because of miner centralization. | | |
| ▲ | subsistence234 3 days ago | parent [-] | | It's mainly an argument against CPU/GPU mining. If you have invested in specialized hardware that can mine only one coin, you're strongly incentivized to protect trust in that coin. An attacker like Qubic would need to pay you a lot more than they need to pay a CPU miner. | | |
| ▲ | latchkey 3 days ago | parent [-] | | So then, _centralize_ around an ASIC? Tell me, how well did that work for Grin? | | |
| ▲ | subsistence234 3 days ago | parent [-] | | >Tell me, how well did that work for Grin? Crypto projects succeed/fail for all kinds of reasons that are completely unrelated to de-/centralization. You'll have to be more specific about what Grin's case should teach us. >So then, _centralize_ around an ASIC? ASICs are commodities. For BTC (SHA-256) there are at least 8 different companies producing ASICS, and even a smaller project like KAS (kHeavyHash) has >4 competing companies. Not much centralization risk on that side, at least not for mature projects (which a hypothetical ASIC-XMR would be by now). The main challenge for ASIC-miners is the same as for CPU- and GPU-miners: cheap electricity -- and that's not something that can easily be centralized. |
|
|
|
|
|
|
|
|
|
| ▲ | lagniappe 4 days ago | parent | prev | next [-] |
| >until now, no-one has chosen to flex like this. The two networks have wildly different proof-of-work algorithms, they're incompatible. A BTC ASIC will never mine Monero, ever. |
| |
| ▲ | soganess 4 days ago | parent | next [-] | | I ask this not as a gotcha (I don't know the first thing about this), but rather because I'm interested: How do you know not "ever"? Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine, hence I can use it to run whatever algorithm I want. Would that be more efficient than using a modern OoO superscalar? Almost surely not, but that doesn't mean it can't be done, just that it shouldn't be done that way. *: I realize that the ASICs used in Bitcoin miners don't have dram access, but that isn't a general limitation of ASICs, just those ASIC 'chips' (and maybe not even those chips, just their implementations in bitcoin miners) EDIT: Thanks to everyone who answered! For some reason, I had it in my head that the way we implement fixed function stuff in an ASIC was basically the same as a "burn once" FPGA. Brains gonna brain. | | |
| ▲ | tux3 4 days ago | parent | next [-] | | >Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine No, that doesn't follow at all. An ASIC doesn't mean a general purpose CPU or FPGA. A chip that only knows how to do, say, video decoding is an example of ASIC. The video chip can't do bitcoin, the bitcoin chip can't do monero. They're not general purpose. | |
| ▲ | BoppreH 4 days ago | parent | prev | next [-] | | You might be confusing ASICs with FPGAs. You can't reprogram an ASIC, the algorithm is fixed at design time, and the chip built for this single purpose. | |
| ▲ | blibble 4 days ago | parent | prev [-] | | > Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine asic does not mean turing complete good luck simulating a von neumann machine on a sha256 accelerator |
| |
| ▲ | rokkamokka 4 days ago | parent | prev | next [-] | | That's not true for all altcoins however | | |
| ▲ | yieldcrv 4 days ago | parent | next [-] | | Its always hilarious when someone launches an L1 with an algorithm everyone can already dominate and it gets attacked immediately Last time I saw that was on photonics processor blockchains | |
| ▲ | scyclow 4 days ago | parent | prev [-] | | Pretty much everything other than bitcoin, monero, and dogecoin are running proof of stake these days anyhow, so it kind of doesn't matter. | | |
| ▲ | OutOfHere 4 days ago | parent | next [-] | | Litecoin goes in that PoW group too. In fact, Litecoin has an optional privacy feature called MWEB, which is probably why Litecoin too got kicked off of being named on some conventional news sites. | |
| ▲ | subsistence234 3 days ago | parent | prev [-] | | KAS is PoW, at ~240 times the hash-rate of LTC, ~120 000 000 times the hash-rate of XMR, and 0.0007 times the hash-rate of BTC. Obviously not really comparable... https://poolbay.io/coins |
|
| |
| ▲ | idiotsecant 4 days ago | parent | prev [-] | | That's not at all relevant to parent post's point. BTC mining is famously centralized, and continues to get more so. It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash. It's inevitable. It's bad system design - it makes being able to manufacture your own custom silicon table stakes to run a financial system for some reason. BTC will have to move to a proof of stake design to survive. It's unavoidable. | | |
| ▲ | ifwinterco 4 days ago | parent | next [-] | | That is debatable, but also besides anything else, changing to PoS means changing the tokenomics (some tail emission for staking rewards, no 21m hard cap), which means it's incredibly unlikely to happen | | |
| ▲ | ChadNauseam 4 days ago | parent [-] | | why would staking rewards be any more necessary than mining rewards? | | |
| ▲ | ifwinterco 4 days ago | parent [-] | | In the end state (after ~2140), mining rewards just come from TX fees. But true, it is possible you could just redistribute TX fees to stakers. Post-merge ethereum is designed so that the gas fees and the staking rewards roughly cancel out on balance (so overall inflation is around zero), but they are decoupled so even if nobody is using the network you still get a staking yield | | |
| ▲ | eurleif 4 days ago | parent [-] | | >so overall inflation is around zero Pedantic point: monetary inflation is around zero, not necessarily price inflation (which is what people typically mean when they just say "inflation"). | | |
| ▲ | ifwinterco 3 days ago | parent [-] | | Yes sorry, important clarification. In theory if the entire world was on an ethereum standard with a steady state population, price inflation would also average out to zero |
|
|
|
| |
| ▲ | LikesPwsh 4 days ago | parent | prev | next [-] | | BTC can't move to proof of stake because religious zealots would keep their money in the old fork. It's doomed in general, see the cash fork. | | | |
| ▲ | robocat 4 days ago | parent | prev [-] | | > It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash The ASIC manufacturer would also need a backdoor. ASIC manufacturers don't control mining. Large miners are unlikely to allow backdoors into their mining network. | | |
| ▲ | fruitworks 4 days ago | parent | next [-] | | ASIC miners often do control mining. They often mine with chips before they drop them in the public market | |
| ▲ | passivegains 4 days ago | parent | prev | next [-] | | I think they mean the manufacturer would just keep most of the stock for themselves. Reminds me of that famous Scarface quote: "You should get high on your own supply, it's a great idea that won't end horribly." | |
| ▲ | idiotsecant 4 days ago | parent | prev [-] | | >ASIC manufacturers don't control mining. I dont think you understand the BTC mining ecosystem |
|
|
|
|
| ▲ | mattwilsonn888 4 days ago | parent | prev | next [-] |
| "Performing something like this is definitely expensive" That is false. A 51% attack is only expensive to the degree to which the hashpower required to exceed 50% is obtained at negative margins. If an attacker can collect the total 51% or more hashpower at what would be a profitable rate despite the attack, then the attack is not "definitely expensive" - no, the attack is definitely profitable and the expense falls sorely on the minority. |
| |
| ▲ | hombre_fatal 4 days ago | parent | next [-] | | Just because something is profitable doesn't mean it's not expensive, which only means it costs a lot of money. Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed. And the attack is not available to you if you can't front those resources (because it's expensive rather than cheap). | | |
| ▲ | marcosdumay 4 days ago | parent | next [-] | | I guess the clearer term for that would be "capital intensive". | |
| ▲ | ozlikethewizard 4 days ago | parent | prev | next [-] | | surely the fall in value of XMR caused by such an attack would make it unprofitable as well | | |
| ▲ | jcfrei 4 days ago | parent [-] | | You could just short XMR heavily and profit that way. | | |
| ▲ | loxs 4 days ago | parent [-] | | You can only do that on centralized exchanges, which would mean that you effectively doxx yourself by shorting. Also the exchange will most probably seize your funds before you are able to withdraw them. | | |
| ▲ | 0x457 4 days ago | parent [-] | | Not sure how are you doxxing yourself, what stopping me from YOLOing my life savings into this short after reading a few comments in this thread? | | |
| ▲ | subsistence234 3 days ago | parent [-] | | You'd have to spend $30M per day in order to control 51% of XMR, and then you'd YOLO your life savings (which would have to be another couple hundred million dollars) on centralized exchanges without anyone noticing? | | |
| ▲ | 0x457 3 days ago | parent [-] | | I meant I, as someone that is aware of attempt to take over, not as an attacker. It's only doxxing if you can, you connect that large transaction to the attacker, but you can't unless I'm missing something. | | |
|
|
|
|
| |
| ▲ | blantonl 4 days ago | parent | prev [-] | | Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed. There is a word for this. We call it risk. | | |
| ▲ | zamadatix 4 days ago | parent | next [-] | | I'm not sure I'd call this risk. Risk would be "you can invest the money, but you might not get it back" however the above is referring to the "a 51% attack absolutely works but you need a shit ton of money to do it" aspect instead. This makes it capital intensive, not (necessarily) risky. | | |
| ▲ | freehorse 4 days ago | parent | next [-] | | The fact that it succeeds does not mean that you get the money back (eg the price of monero could drop if that happens). You may also have miscalculated some parameters in all this or something unexpected happens (where human factor is involved). So there should always be risk involved imo. Otherwise I agree, even in a probability 1 success situation this would still not be called "cheap". | | |
| ▲ | zamadatix 4 days ago | parent [-] | | Agreed, no such thing as a real-world investment with truly 0 risk. |
| |
| ▲ | IncRnd 4 days ago | parent | prev | next [-] | | It is absolutely risky. Your facilities can burn down once the ASICs arrive and before they are turned on, or your employees simply steal them for their own uses. Heck, you can have a fire once they get powered-on, because a power cable was poorly made. You might get sent the wrong product, or you could be ghosted without a delivery. Expensive is a better fit than capital intensive, because there are massive ongoing costs to actually perform the attack, electricity for one. If you want to understand the risks for a project, pretend you are at arms length and are being asked to fund the project 100% up-front. You'll find a huge list of risks very soon. | | |
| ▲ | zamadatix 3 days ago | parent [-] | | This is why I didn't say it made the investment risk free, I said being capital intensive does not make something (inherently) risky. There is no such thing as an investment without risk, but how risky it is is largely orthogonal to how capital intensive it is, and the above was talking about the latter so using the term "risk" for that half is not a great correction. |
| |
| ▲ | loxs 4 days ago | parent | prev [-] | | Having the power to deny others to mine blocks does not mean that you can obtain the tokens from their wallets. Miners can't sign transactions on users' behalf. You can rewrite all of history but then no exchange will accept your version of it to let you exchange the tokens for fiat. Also this will almost certainly crash the price of XMR substantially. And later people will be able to fork/restore the original version. The technological side of the blockchain is only part of the consensus/trust/market/popularity. People are the other part, and people will not pay the attacker for their successful attack. | | |
| ▲ | MadnessASAP 4 days ago | parent [-] | | The attacker doesn't need to steal tokens. They just need to short the token while they sufficiently disrupt the network to drive down the price. They get the money and your tokens become worthless. | | |
| ▲ | subsistence234 3 days ago | parent [-] | | Controlling 51% of XMR costs ~$30M per day, you'd have to short a huge amount of XMR to make that worthwhile. Who would be the counter party and how would you do that anonymously? The attack itself is unprofitable, the "profit" for Qubic is the publicity they get. (or at least that's what they're betting on) | | |
| ▲ | MadnessASAP 3 days ago | parent [-] | | Monero has a theoretical market cap of $4.7B USD and daily volumes >$100M USD. I wouldn't recommend taking that short position in one go but over a few days and a few exchanges I wouldn't see a problem acquiring a very large short of the token. |
|
|
|
| |
| ▲ | 4 days ago | parent | prev [-] | | [deleted] |
|
| |
| ▲ | devmor 4 days ago | parent | prev | next [-] | | If I buy a yacht for $2 millón and sell it for $4 million, it’s still an expensive yacht. Profit doesn’t make it less expensive. | |
| ▲ | dumbfounder 4 days ago | parent | prev | next [-] | | Unless they drive the price into the ground. | | |
| ▲ | ethagnawl 4 days ago | parent [-] | | Right? If an attack like this is successful _and_ obvious/detectable, then it _should_ drive the price into the ground. | | |
| |
| ▲ | bawolff 4 days ago | parent | prev [-] | | When people say foo is expensive, they mean the gross cost not the net profit. |
|
|
| ▲ | apercu 4 days ago | parent | prev | next [-] |
| In all seriousness, can you explain why the "impact of doing so is disputed". In my laypersons understanding, if you control ~51% of the hashrate you can outpace everyone else in producing blocks, which means you can change (reorganize) your blockchain history which means the ledger isn't trustworthy. Right? |
| |
| ▲ | PhilippGille 4 days ago | parent | next [-] | | It's worth being precise here: - The attacker can doublespend their transactions if their hashing power is high enough to create more blocks than what the recipient is waiting for. E.g. you buy a lambo, the shop waits 10 blocks after the tx is in a block and gives you the lambo, then you create a longer chain with 11 blocks to replace the other one, and don't include the original lambo tx. 51% of hashing power is enough to create new blocks, but not enough to create 11 alternative blocks. That requires more hashing power. - The attacker can prevent other transactions from landing in a block, as long as they have majority - But the attacker can't create fake transactions (e.g. if they only have 1k Monero, they can't create a tx with 2k Monero). Because all nodes (not only miners) still verify the transactions - And the attacker can also not steal your money, because they don't have your private keys | | |
| ▲ | apercu 4 days ago | parent [-] | | In my head I kind of simplified it - if I can reorder the blocks in my history I can "reverse" a transaction, like "erase" that I bought a lambo yesterday so today I have not only the lambo, but the money that was in my account before I bought the lambo, too. But maybe me trying to over simplify and missing the forest for the trees (this is very much not my domain). | | |
| ▲ | Ekaros 3 days ago | parent [-] | | My understanding is limited. But in addition to not making transaction "not happen". It is better to make new transaction for money. As the transaction would still be valid later and could be included later. Thus "double spend". |
|
| |
| ▲ | corimaith 4 days ago | parent | prev | next [-] | | That's the point, you can only change YOUR history. From the perspective of future merchant, that's the trivial to deal with. And for existing transactions, you'd need the value of the goods from the transactions to exceed the cost of controlling to network to be worth it. But what kind of goods that can be transferred so quickly be worth that much? | | |
| ▲ | xnorswap 4 days ago | parent [-] | | Maybe there's more resilience to prevent chain swaps now, but my understanding of the original blockchain algorithm is that: At block N someone could start to privately mine (empty) blocks. They keep mining in private until block N+x is public, at which time the private (51%) chain is length N+x+1. They then announce their longer chain. By the protocol, this longer chain (technically "most work" chain) is the more trusted one, and undoes any transactions in N+1 through N+x. | | |
| ▲ | SamPatt 4 days ago | parent [-] | | More or less, but the private chain doesn't need to contain empty blocks. A more sophisticated attack would include all the legitimate transactions on the network except for their own transaction(s) which they're trying to double spend. That way the network isn't disrupted apart from the parties you're double spending against. | | |
| ▲ | xnorswap 4 days ago | parent | next [-] | | Indeed, but I was arguing that the parent claim that "only your transactions" could be affected was false. It's true that you can't synthesise false transactions, but you can undo anyone's transactions, not just your own. | |
| ▲ | LikesPwsh 4 days ago | parent | prev [-] | | That way you can also claim 100% of mining rewards with 51% hash rate. | | |
| ▲ | _3u10 4 days ago | parent [-] | | How? If that were true you’d also be able to get 50% of block chain rewards with 25.1% of the hashing power. But you can’t because it isn’t true. | | |
| ▲ | Sohcahtoa82 4 days ago | parent | next [-] | | If you control 51% of the hashing power, that means you can solve more blocks than the entire rest of the network combined. Even if other nodes on the network solve a couple blocks before you, statistically, you will eventually create a longer chain of blocks and the network will switch to your chain. But your chain has every block solved by you, giving you all the block rewards. That's the magic of the 51% attack. You gain control of the blocks. Because that extra 1% isn't a HUGE margin, it may take a while for your chain to become the winning chain, but theoretically, it will happen. | |
| ▲ | dbdr 4 days ago | parent | prev [-] | | You only mine blocks on top of your previous blocks, ignoring blocks produced by the 49%. Since you have 51%, your chain is the longest over time, so you have 100% of the mining rewards. You can't do that with 25% (or even 40%) hashrate. |
|
|
|
|
| |
| ▲ | 4 days ago | parent | prev | next [-] | | [deleted] | |
| ▲ | the_sleaze_ 4 days ago | parent | prev [-] | | Yes. |
|
|
| ▲ | nomilk 4 days ago | parent | prev | next [-] |
| Newb question, but why's it expensive, aren't they mining the whole time and can therefore make the usual money from that mining? |
| |
| ▲ | subsistence234 3 days ago | parent | next [-] | | AFAIK Qubic (the company) is paying people extra to mine XMR through Qubic (if you mine $1 worth of XMR, you get $1.50 worth of QUBIC (the coin) which you can then sell). Qubic (indirectly) loses those extra $0.50. If on average the miners sell too much (more than two thirds of the rewards), then Qubic has to buy their own coins back in order to keep the price stable. Qubic bets on their coin pumping from the publicity. | |
| ▲ | treyd 4 days ago | parent | prev [-] | | You are correct. It's expensive if you want to go rewrite history. 51% is when that becomes economically viable to do on its own. |
|
|
| ▲ | soared 4 days ago | parent | prev | next [-] |
| Way more context here https://www.cointribune.com/en/qubic-hits-52-72-of-moneros-t... |
|
| ▲ | mvdtnz 4 days ago | parent | prev [-] |
| No one is spending $75M a day to do a proof of concept. There's obviously some kind of intent to profit. |
| |
