A 6 re-org does not mean a '51% attack' was successful. In that case, we'd see unbounded-depth re-orgs/no blocks mined by any other mining pool (assuming the adversary censors other mining pools, as this one does).
It does mean an adversary with a high amount of hash got lucky. I noted there's a discrepancy between their claimed network hashrate and pools' claimed network hash rate.
They may not be including their own hash rate in the network's, in which case they'd need to exceed it. Having 51% would only be 34% of total.
They're an unreliable narrator and I wouldn't trust any data from them. There's insufficient evidence to claim they have 51% of the network's hash power.
Qubic never actually hit 51% btw. Don't fall for it.
However they do have a large enough hashrate to perform multi-block re-orgs with their selfish mining strategy.
They disabled API hashrate reporting so that they could lie about it.
Keep mining and ignore the noise.
I am not that well versed in crypto. I understand the concept of a blockchain and what an n block reorg is, but what is the downside of a reorg? Like who can profit financially and why?
You get all the money from the block rewards for those blocks if you reorg other miners blocks out.
America would be screwed if owning 51% of its value meant you could rewrite ownership.
*gestures wildly*
Good thing you need 30 percent, a larger number
Didn't know ChatGPT was on HN
GPT has been shaping conversations on HN, directly or indirectly, since GPT-1 mate.
Reasonably creditable studies put 30-40% of social media having some sort of AI or automation. This is just the low hanging fruit.
What's a "6 re-org"?
I'm a little rusty with the terminology, but in a blockchain, the canonical current block is the one that has the greatest amount of proof of work (I think they call this the heaviest chain). Typically, each new block is the descendant of the most recent block. But it is possible to create a heavier chain from an earlier block. This invalidates any transactions on what was previously known to be the heaviest chain, and is called a reorg.
The farther back, the less likely a reorg is, so to have a reorg that invalidates is blocks is extremely unusual.
If one entity has a majority of the hash power, they gain the ability to try to force reorgs with a likelihood that increases with their advantage in hash power.
I typed all this before realizing I could have recommend you ask an LLM, and it probably would have given you a better answer.
> I typed all this before realizing I could have recommend you ask an LLM, and it probably would have given you a better answer.
Please don't. This would be useless spam, and is completely rude. Do we tell people to "Just google it?" here?
It's different in that there's no need to go hunting through search results. This is what Claude responded when I just asked it: https://claude.ai/share/684fa294-ee35-4044-8344-99e1ceb2e643
I don't think that's spam at all, and I don't think I did anything special in my prompt that someone with less background knowledge could have done.
User skarz did indeed ask an LLM, which got [flagged] since the LLM gave a distinctly worse answer. Expand the [9 more] below to see it.
This was a great answer. I'm glad you spent the time on it. Though I am curious what the 6 indicates.
Six blocks
who are "they" you're talking about?
"They" refers to Qubic (by Sergey Ivancheglo), a blockchain network that uses a "Useful Proof-of-Work" system, so it is not built for traditional cryptocurrency mining that solves arbitrary puzzles. Instead, it uses the collective processing power of its miners to train an AI. Qubic's AI-training work is performed by CPUs, same as used by RandomX (Monero's mining algo).
Qubic was able to orchestrate its network of miners to temporarily halt their AI-related tasks and redirect their collective CPU power to mine on the Monero network instead.
Also, Qubic has implemented an economic strategy that involves selling the Monero it mines for a stablecoin like USDT and then using those funds to benefit its own ecosystem and attract more miners, and renting hardware to gain more hash power. The proceeds from the sale of XMR are used to buy Qubic's native token (QUBIC) from exchanges. These purchased tokens are then "burned" or permanently removed from circulation.
This seems oddly similar to the whole IRON/TITAN thing years back, but with extra steps.
What's their objective?
My guess would be to turn the crank of a ponzi scheme until it falls off.
However,
> Qubic's AI-training work is performed by CPUs, same as used by RandomX (Monero's mining algo).
I don't understand how this makes any sense at all.
I've looked into the "source code", and it doesn't. There is no such thing as useful PoW. Qubic isn't actually a decentralized cryptocurrency. It's closed source, runs as a EFI executable, and is only accessible from their discord channel.
The attack is no different than paying miners to join a malicious pool. It works as long as money flows in.
There is such a thing as useful proof of work. Qubic may not be doing it but it does exist. The linked papers [1][2] are examples of way to do it. They aren't 100% "useful" but rather achieve partial efficiency by essentially forcing miners down random paths in a manner that limits the ability to complete work ahead of time or otherwise "cheat".
Proof of useful work feels like it's one and a half steps removed from discovering seigniorage and reinventing money.
I mean that's just proof of work. PoUW is just an attempt at converting some of that work into something worthwhile and not pointless hash grinding.
There's a lot of re-inventing the wheel in the cryptocurrency space but on the formal academics side of the space people are very cognizant of what they are working on and their work is focusing on improving very specific properties of consensus algorithms.
I will have to read these papers then. My intuition is that it's impossible to usefully use PoW to train neural networks because you have to rely on user-submitted training data in order to work which allows you to cheat by pre-determining the solution to your own work.
It's not a terrible idea, but I've yet to see it be inplemented. Gridcoin is one typical example where it's just PoS with "useful PoW" tacked on for token distribution, and doesn't actually use PoW for security.
> There is such a thing as useful proof of work.
Not really-- or, rather, the security provided by proof of work is only proportional to the part of the cost above the fair value of the useful work.
One of the main idea behind POW security is that you spend energy and the thing you get for it is income in the blockchain. And so if you mine unfaithfully your work will end up on a chain of debased value or won't end up in the eventual consensus chain at all.. so your effort is burnt out.
Now imagine a POW that costs $5 in energy and does $5 in "useful work" --- well in that system you can now attack for 'free'. Or say it costs $6 in energy to mine plus due $5 in "useful work". There your security is related to the $1, the $5 is mostly coming along for a ride.
There are other problems with "useful" proof of work: e.g. A POW function should ideally be approximation free and optimization free... if an attacker invents a better version they gain an advantage. So e.g. if the miner detects that this particular work instance is 'hard' they can just discard it and try another. This makes it really hard to do much of anything 'useful' except the most contrived kinds of 'useful' without creating vulnerabilities.
But difficulties aside, the fact that outside benefits don't contribute to security (or at least don't contribute much) makes the whole idea space kind of unexciting.
> Not really-- or, rather, the security provided by proof of work is only proportional to the part of the cost above the fair value of the useful work.
This is only partially true for a number of reasons.
> Now imagine a POW that costs $5 in energy and does $5 in "useful work" --- well in that system you can now attack for 'free'. Or say it costs $6 in energy to mine plus due $5 in "useful work". There your security is related to the $1, the $5 is mostly coming along for a ride.
This is one aspect however you make assumptions about the rewards that are not necessarily true. If rewards only payout on a cycle or if the rewards have a locking/"vesting" schedule before they become accessible. There's a lot of ways to make attacks more expensive/nonviable but without the "useful work" aspect, they've not provided meaningful benefits to the protocol and therefore haven't been integrated.
> There are other problems with "useful" proof of work: e.g. A POW function should ideally be approximation free and optimization free... if an attacker invents a better version they gain an advantage. So e.g. if the miner detects that this particular work instance is 'hard' they can just discard it and try another. This makes it really hard to do much of anything 'useful' except the most contrived kinds of 'useful' without creating vulnerabilities.
Now with this you'd see that the research papers explicitly were tackling this problem. The one is implementing an SMT solver/optimizer for large, expensive problems. It uses random walks (forcing the miner to bias their choices in specific random ways) based on a VRF or their results are invalid. The efficiency is only 50% of course however that doesn't mean the price is 50%, just that the energy efficiency is 50%. The market on problems to be solved of course will still be priced on supply/demand (give or take parameters) and if there is insufficient utilization, mining falls back to a traditional PoW algorithm.
So in a sense what PoUW is attempting to do is to supplement the valuation of the underlying tokens via production/cash inflow rather than purely relying on demand for tokens to pay the transaction fees.
Also I do want to point out that those papers aren't just making claims, they include a lot of verification and proofs to demonstrate the functionality of the systems in question.
> But difficulties aside, the fact that outside benefits don't contribute to security (or at least don't contribute much) makes the whole idea space kind of unexciting.
The interest is in being able to produce a digital resource (that can be used for consensus) from a physically hard task while actually producing something of value as a side effect.
Gold and other metals were valuable as currency because they were difficult to mine however their value increased because practical uses for the metals increased demand beyond the synthetic demand as a currency. That increased incentives for mining which led to more mining. Eventually it reached equilibrium.
Also notably outside of a given PoUW algorithm's viability as a PoW, it's still important research because every PoUW algorithm that is game theoretically sound is viable as a decentralised market for computation/work where cheating is effectively non-viable.
Gain media attention and pump their coin.
To summarise:
* One actor in the space appears to have done a proof of concept takeover of 51%.
* It’s not clear there was any malicious action nor intent in doing so.
* Performing something like this is definitely expensive.
* The potential impact of doing so is disputed.
* Whether or not it was achieved is also disputed
However, what has been known you some time is that the largest BitCoin miners have more power than the entire community of many alt-coins. Whether this is an issue is a matter for debate. Certainly, until now, no-one has chosen to flex like this.
> Whether this is an issue is a matter for debate.
Monero uses RandomX, which is intentionally chosen to make it difficult to accelerate using hardware that is common with other coins. It’s almost certainly not what happened here.
CPU was a terrible choice.
why? what's better?
It would be interesting if a "coin" were tied to protein folding prediction or something else useful.
Proof-of-Work fails if the work has value.
why?
In Proof-of-Work the cost of the work is what keeps the network honest. If the work has value then an attacker is free to invest as many resources as I want into subverting the network. Even a failed attack can still be profitable, just less so.
In another scenario, where the works value is less then the cost you're still hoping that at no point in the future will an attacker figure out a way to do the work at a net profit.
The only way the network can be trusted is if the work has definitely now and always, 0 value.
Not littering has value. However, if I don't litter, it doesn't benefit me, and I cannot profit off of it; no matter how eco-friendly I am, I get no value from it.
Am I wrong in saying that the work has negative value? And there are different degrees of that. Bitcoin's negative value is larger.
You are not wrong, the output has no value. The work then being Value Out - Value In.
because Proof-of-Work only generates value for an arbitrary, made up coin if it has no other real value.
Otherwise you're making money that way, and the value of the coin is tied to the work that you did.
until recently gold was a pretty but mostly useless metal. too heavy for practical uses, too melty for industrial uses, too soft for weapons, etc. but it didn't rust and was a good medium of exchange because it had no other real value. once it has value outside of being currency it's less useful in that capacity, since now its value is tied to how much you can get for it by utilizing it in computers, chemical reactions, etc.... same basic idea with PoW
I don't think it's true, look up Proof of Useful Work
Which, ironically, is used by the attacker in this case.
It's worth noting that lots of projects claim to be "Proofs of Useful Work" without the academic rigor to actually prove so. The attacker of course being one of those who has failed to do so.
1. Their paper has not been accepted by any conference or journal.
2. Neither author on their paper is an academic (or practicing engineer or researcher) in the fields of computer science, economics, game theory, or cryptography (or any maths in general). The one is a C-level exec with what seems to be minimal CS experience and the other is a psychology professor. Neither author appears to have qualifications to be able to assume some level of rigor (before looking at the underlying work).
3. The paper is a bunch of text and buzzwords about AI and AGI intermixed with some academic history and some discussions on psychology. Of the 47 pages of the paper, only about 1-2 pages are semi-technical in major with an additional ~3 pages of code included to show their algorithm. There are two graphs relevant to the protocol on those 1-2 pages and neither one addresses any security aspects, instead showing it's performance at doing the "useful" part. So again to reiterate, their "academic paper" on the security of their PoUW algorithm includes no rigorous analysis of the protocol.
TLDR They aren't doing PoUW. They are doing cooperative compute with a centralised or federated coordinator dishing out rewards.
Proofs of Useful Work do actually exist and are an interesting field but they take a lot of rigor and analysis to be accepted and not immediately ripped to shreds. What the attacker claims is not even close to meeting that bar.
Isn't that what GridCoin is?
Disclaimer: ran a 150k GPU eth mining operation
PoS is the obvious choice now that ETH has had a bit of time to run. But, I remember when they went through the switch (before ETH PoS). Doing some sort of variation on GPU memory hard mining would have been a smart choice (ethash, progpow, etc), knowing full well that ETH would eventually go PoS. It would have given all the miners something to switch to, instead of just shutting down entirely, because there wasn't anything but ghost chains.
I'm still a fan of PoW. PoS incentivizes centralization.
Hilariously posting in a thread about a 51% attack happening, because of miner centralization.
It's mainly an argument against CPU/GPU mining. If you have invested in specialized hardware that can mine only one coin, you're strongly incentivized to protect trust in that coin. An attacker like Qubic would need to pay you a lot more than they need to pay a CPU miner.
So then, _centralize_ around an ASIC?
Tell me, how well did that work for Grin?
>Tell me, how well did that work for Grin?
Crypto projects succeed/fail for all kinds of reasons that are completely unrelated to de-/centralization. You'll have to be more specific about what Grin's case should teach us.
>So then, _centralize_ around an ASIC?
ASICs are commodities. For BTC (SHA-256) there are at least 8 different companies producing ASICS, and even a smaller project like KAS (kHeavyHash) has >4 competing companies. Not much centralization risk on that side, at least not for mature projects (which a hypothetical ASIC-XMR would be by now).
The main challenge for ASIC-miners is the same as for CPU- and GPU-miners: cheap electricity -- and that's not something that can easily be centralized.
Since ASICs are built for mining one specific algorithm and no other, ASIC miners are invested in the survival of "their" mining algorithm.
If there are several competing coins using the same algorithm, it may be possible to incentivize ASIC miners to destroy one of them if it benefits the others, but even then it's risky.
CPUs in contrast can be used for a million different things, CPU miners are not incentivized to support any given crypto project. It's also much easier to rent large amounts of CPUs than of ASICs.
>until now, no-one has chosen to flex like this.
The two networks have wildly different proof-of-work algorithms, they're incompatible. A BTC ASIC will never mine Monero, ever.
I ask this not as a gotcha (I don't know the first thing about this), but rather because I'm interested: How do you know not "ever"?
Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine, hence I can use it to run whatever algorithm I want. Would that be more efficient than using a modern OoO superscalar? Almost surely not, but that doesn't mean it can't be done, just that it shouldn't be done that way.
*: I realize that the ASICs used in Bitcoin miners don't have dram access, but that isn't a general limitation of ASICs, just those ASIC 'chips' (and maybe not even those chips, just their implementations in bitcoin miners)
EDIT: Thanks to everyone who answered! For some reason, I had it in my head that the way we implement fixed function stuff in an ASIC was basically the same as a "burn once" FPGA. Brains gonna brain.
>Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine
No, that doesn't follow at all. An ASIC doesn't mean a general purpose CPU or FPGA. A chip that only knows how to do, say, video decoding is an example of ASIC. The video chip can't do bitcoin, the bitcoin chip can't do monero. They're not general purpose.
You might be confusing ASICs with FPGAs. You can't reprogram an ASIC, the algorithm is fixed at design time, and the chip built for this single purpose.
> Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine
asic does not mean turing complete
good luck simulating a von neumann machine on a sha256 accelerator
That's not true for all altcoins however
Its always hilarious when someone launches an L1 with an algorithm everyone can already dominate and it gets attacked immediately
Last time I saw that was on photonics processor blockchains
Pretty much everything other than bitcoin, monero, and dogecoin are running proof of stake these days anyhow, so it kind of doesn't matter.
Litecoin goes in that PoW group too.
In fact, Litecoin has an optional privacy feature called MWEB, which is probably why Litecoin too got kicked off of being named on some conventional news sites.
KAS is PoW, at ~240 times the hash-rate of LTC, ~120 000 000 times the hash-rate of XMR, and 0.0007 times the hash-rate of BTC. Obviously not really comparable...
That's not at all relevant to parent post's point. BTC mining is famously centralized, and continues to get more so. It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash. It's inevitable. It's bad system design - it makes being able to manufacture your own custom silicon table stakes to run a financial system for some reason.
BTC will have to move to a proof of stake design to survive. It's unavoidable.
That is debatable, but also besides anything else, changing to PoS means changing the tokenomics (some tail emission for staking rewards, no 21m hard cap), which means it's incredibly unlikely to happen
why would staking rewards be any more necessary than mining rewards?
In the end state (after ~2140), mining rewards just come from TX fees. But true, it is possible you could just redistribute TX fees to stakers.
Post-merge ethereum is designed so that the gas fees and the staking rewards roughly cancel out on balance (so overall inflation is around zero), but they are decoupled so even if nobody is using the network you still get a staking yield
>so overall inflation is around zero
Pedantic point: monetary inflation is around zero, not necessarily price inflation (which is what people typically mean when they just say "inflation").
Yes sorry, important clarification.
In theory if the entire world was on an ethereum standard with a steady state population, price inflation would also average out to zero
BTC can't move to proof of stake because religious zealots would keep their money in the old fork.
It's doomed in general, see the cash fork.
Tokenized bitcoin.
> It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash
The ASIC manufacturer would also need a backdoor. ASIC manufacturers don't control mining.
Large miners are unlikely to allow backdoors into their mining network.
ASIC miners often do control mining. They often mine with chips before they drop them in the public market
I think they mean the manufacturer would just keep most of the stock for themselves. Reminds me of that famous Scarface quote: "You should get high on your own supply, it's a great idea that won't end horribly."
>ASIC manufacturers don't control mining.
I dont think you understand the BTC mining ecosystem
"Performing something like this is definitely expensive"
That is false. A 51% attack is only expensive to the degree to which the hashpower required to exceed 50% is obtained at negative margins.
If an attacker can collect the total 51% or more hashpower at what would be a profitable rate despite the attack, then the attack is not "definitely expensive" - no, the attack is definitely profitable and the expense falls sorely on the minority.
Just because something is profitable doesn't mean it's not expensive, which only means it costs a lot of money.
Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed. And the attack is not available to you if you can't front those resources (because it's expensive rather than cheap).
I guess the clearer term for that would be "capital intensive".
surely the fall in value of XMR caused by such an attack would make it unprofitable as well
You could just short XMR heavily and profit that way.
You can only do that on centralized exchanges, which would mean that you effectively doxx yourself by shorting. Also the exchange will most probably seize your funds before you are able to withdraw them.
Not sure how are you doxxing yourself, what stopping me from YOLOing my life savings into this short after reading a few comments in this thread?
You'd have to spend $30M per day in order to control 51% of XMR, and then you'd YOLO your life savings (which would have to be another couple hundred million dollars) on centralized exchanges without anyone noticing?
I meant I, as someone that is aware of attempt to take over, not as an attacker.
It's only doxxing if you can, you connect that large transaction to the attacker, but you can't unless I'm missing something.
Oh yeah for sure.
Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed.
There is a word for this. We call it risk.
I'm not sure I'd call this risk. Risk would be "you can invest the money, but you might not get it back" however the above is referring to the "a 51% attack absolutely works but you need a shit ton of money to do it" aspect instead. This makes it capital intensive, not (necessarily) risky.
The fact that it succeeds does not mean that you get the money back (eg the price of monero could drop if that happens). You may also have miscalculated some parameters in all this or something unexpected happens (where human factor is involved). So there should always be risk involved imo. Otherwise I agree, even in a probability 1 success situation this would still not be called "cheap".
Agreed, no such thing as a real-world investment with truly 0 risk.
It is absolutely risky. Your facilities can burn down once the ASICs arrive and before they are turned on, or your employees simply steal them for their own uses. Heck, you can have a fire once they get powered-on, because a power cable was poorly made. You might get sent the wrong product, or you could be ghosted without a delivery.
Expensive is a better fit than capital intensive, because there are massive ongoing costs to actually perform the attack, electricity for one.
If you want to understand the risks for a project, pretend you are at arms length and are being asked to fund the project 100% up-front. You'll find a huge list of risks very soon.
This is why I didn't say it made the investment risk free, I said being capital intensive does not make something (inherently) risky. There is no such thing as an investment without risk, but how risky it is is largely orthogonal to how capital intensive it is, and the above was talking about the latter so using the term "risk" for that half is not a great correction.
Having the power to deny others to mine blocks does not mean that you can obtain the tokens from their wallets. Miners can't sign transactions on users' behalf. You can rewrite all of history but then no exchange will accept your version of it to let you exchange the tokens for fiat. Also this will almost certainly crash the price of XMR substantially. And later people will be able to fork/restore the original version. The technological side of the blockchain is only part of the consensus/trust/market/popularity. People are the other part, and people will not pay the attacker for their successful attack.
The attacker doesn't need to steal tokens. They just need to short the token while they sufficiently disrupt the network to drive down the price. They get the money and your tokens become worthless.
Controlling 51% of XMR costs ~$30M per day, you'd have to short a huge amount of XMR to make that worthwhile. Who would be the counter party and how would you do that anonymously?
The attack itself is unprofitable, the "profit" for Qubic is the publicity they get. (or at least that's what they're betting on)
Monero has a theoretical market cap of $4.7B USD and daily volumes >$100M USD. I wouldn't recommend taking that short position in one go but over a few days and a few exchanges I wouldn't see a problem acquiring a very large short of the token.
If I buy a yacht for $2 millón and sell it for $4 million, it’s still an expensive yacht. Profit doesn’t make it less expensive.
Unless they drive the price into the ground.
Right? If an attack like this is successful _and_ obvious/detectable, then it _should_ drive the price into the ground.
Shades of the Hunt brothers attempt to corner the silver market in the 80's [1].
When people say foo is expensive, they mean the gross cost not the net profit.
In all seriousness, can you explain why the "impact of doing so is disputed". In my laypersons understanding, if you control ~51% of the hashrate you can outpace everyone else in producing blocks, which means you can change (reorganize) your blockchain history which means the ledger isn't trustworthy. Right?
It's worth being precise here:
- The attacker can doublespend their transactions if their hashing power is high enough to create more blocks than what the recipient is waiting for. E.g. you buy a lambo, the shop waits 10 blocks after the tx is in a block and gives you the lambo, then you create a longer chain with 11 blocks to replace the other one, and don't include the original lambo tx. 51% of hashing power is enough to create new blocks, but not enough to create 11 alternative blocks. That requires more hashing power.
- The attacker can prevent other transactions from landing in a block, as long as they have majority
- But the attacker can't create fake transactions (e.g. if they only have 1k Monero, they can't create a tx with 2k Monero). Because all nodes (not only miners) still verify the transactions
- And the attacker can also not steal your money, because they don't have your private keys
In my head I kind of simplified it - if I can reorder the blocks in my history I can "reverse" a transaction, like "erase" that I bought a lambo yesterday so today I have not only the lambo, but the money that was in my account before I bought the lambo, too. But maybe me trying to over simplify and missing the forest for the trees (this is very much not my domain).
My understanding is limited. But in addition to not making transaction "not happen". It is better to make new transaction for money. As the transaction would still be valid later and could be included later. Thus "double spend".
That's the point, you can only change YOUR history. From the perspective of future merchant, that's the trivial to deal with. And for existing transactions, you'd need the value of the goods from the transactions to exceed the cost of controlling to network to be worth it. But what kind of goods that can be transferred so quickly be worth that much?
Maybe there's more resilience to prevent chain swaps now, but my understanding of the original blockchain algorithm is that:
At block N someone could start to privately mine (empty) blocks.
They keep mining in private until block N+x is public, at which time the private (51%) chain is length N+x+1.
They then announce their longer chain.
By the protocol, this longer chain (technically "most work" chain) is the more trusted one, and undoes any transactions in N+1 through N+x.
More or less, but the private chain doesn't need to contain empty blocks.
A more sophisticated attack would include all the legitimate transactions on the network except for their own transaction(s) which they're trying to double spend. That way the network isn't disrupted apart from the parties you're double spending against.
Indeed, but I was arguing that the parent claim that "only your transactions" could be affected was false.
It's true that you can't synthesise false transactions, but you can undo anyone's transactions, not just your own.
That way you can also claim 100% of mining rewards with 51% hash rate.
How? If that were true you’d also be able to get 50% of block chain rewards with 25.1% of the hashing power. But you can’t because it isn’t true.
If you control 51% of the hashing power, that means you can solve more blocks than the entire rest of the network combined. Even if other nodes on the network solve a couple blocks before you, statistically, you will eventually create a longer chain of blocks and the network will switch to your chain.
But your chain has every block solved by you, giving you all the block rewards.
That's the magic of the 51% attack. You gain control of the blocks. Because that extra 1% isn't a HUGE margin, it may take a while for your chain to become the winning chain, but theoretically, it will happen.
You only mine blocks on top of your previous blocks, ignoring blocks produced by the 49%. Since you have 51%, your chain is the longest over time, so you have 100% of the mining rewards.
You can't do that with 25% (or even 40%) hashrate.
Yes.
Newb question, but why's it expensive, aren't they mining the whole time and can therefore make the usual money from that mining?
You are correct. It's expensive if you want to go rewrite history. 51% is when that becomes economically viable to do on its own.
AFAIK Qubic (the company) is paying people extra to mine XMR through Qubic (if you mine $1 worth of XMR, you get $1.50 worth of QUBIC (the coin) which you can then sell). Qubic (indirectly) loses those extra $0.50. If on average the miners sell too much (more than two thirds of the rewards), then Qubic has to buy their own coins back in order to keep the price stable. Qubic bets on their coin pumping from the publicity.
Way more context here https://www.cointribune.com/en/qubic-hits-52-72-of-moneros-t...
No one is spending $75M a day to do a proof of concept. There's obviously some kind of intent to profit.
Qubic aims to profit from the publicity
This is odd. The current hash rate is around its nominal 5 GH/s, and neither any pool nor individual seems to be above 50%:
https://miningpoolstats.stream/monero
This Qubic group claims to concentrate 3 GH/s of hashing power, yet there has been no increase in the global hash rate either:
https://www.coinwarz.com/mining/monero/hashrate-chart
Could this be just a bait?
dumb question: i took a look at https://miningpoolstats.stream/ethereumclassic for ethereumclassic and f2pool.com seems to have ~64% of the total hashrate... is that a takeover as well ?
I mean, it means that eth classic's ledger is rewritable on a whim by that that pool, if it has central control.
Peek the % of unknown miners in the pie chart at the bottom
You don't mean to suggest that a scammy cryptocurrency entity that is currently bragging about attacking a competing system might ... lie to people???? Is that possible?
The thing about 51% attacks is they're hard to pull off in secret. And once they happen, who's going to accept the coin anymore? Plenty of potential for sheer destruction, but it seems pretty counter-productive to value.
If only someone offered derivatives contracts that could be used to make money from destruction...
Reminder: if you want to bet on an asset's demise (i.e. short it), you don't need a derivatives market, you just need to be able to borrow the asset and sell it. So you could accomplish the goal there by borrowing Monero and converting it to USD. A lot of smartcontract platforms let you do this -- including on other chains, where they hold a token convertible into the original chain's native unit.
I bring this up because people are always asking what platforms are allowing me to short cryptocurrencies, which seems to miss that it's enough to just have a debt denominated in what you want to bet against.
Yeah, but the moment that happens they will confiscate/block the funds of the shorters.
Based on which specific law or rule?
Based on how the crypto world works 100% of the time.
It's Game Theory problem. If you are getting more value out of the system by maintaining it in the long-run, it would make no sense to attack it and destroy its value. However, once you can extract more value in the short-term through the attack than by being a long-term participant, it becomes attractive.
With BTC's block reward continually being reduced, TX fees will have to increase in order to avoid reaching the point where large miners could become tempted to attack the network.
Monero has been under constant attack from its inception. It’s one of the only truly anonymous, untraceable payment systems so there has been a huge push to make it unviable. It was unexplainably delisted from major crypto exchanges in the past and now is under direct attack.
It's not inexplicable, they just don't want to explain that their asset listings are effectively beholden to banking partners in the same way that steam was forced to remove certain games because of Visa and Mastercard.
Maybe destruction is their goal.
A lot of people would like to see Monero burn.
Unknown crypto vulnerabilities and 51% attacks are crypto currency risks that are theoretically out there, but we mostly haven't seen play out.
At some point, someone doing AI might amass enough GPUs to do a 51% attack on Bitcoin. You're right that it destroys confidence in the coin, so if you short Bitcoin futures before the attack, you might make money.
> At some point, someone doing AI might amass enough GPUs to do a 51% attack on Bitcoin.
This is electrically impossible for Bitcoin specifically, modern ASICs exceed 3 orders of magnitude more hashes/Joule and hashrate/chip than a RTX5090 and cost $2-40 retail per chip.
People haven't mined Bitcoin on GPUs in over 10 years.
Looks like they are winning.
Looking at that website I see that the unknown pool keeps getting a longer chain and it switches to it
What percentage of unknown miners is Qubic?
Unless I'm missing something, this doesn't pass the sniff test. If a 51% attack was successful, every other miner could easily spot this and would stop mining. The fact that this has not happened is more trustworthy than a random guy on Twitter.
Why would every other miner stop mining, making it a 100% attack?
Yesterday I was running a Monero node and looking at it, and got an unusually very high number of chain reorganization messages. I could believe a 51% attack happened.
A network might collectively just fork the chain and blacklist the attacker in that fork.
That isn't possible - miners don't have an "identity" to blacklist.
You could do it with a whitelist. If there is a fork, give disproportionate weight to blocks mined by a whitelisted participant when doing the longest-chain calculation. Ideally you should include the proof of being on the whitelist in the block itself, but if that's not possible for some reason you could always send the information off-chain.
That's centralization, which is the opposite of what's intended and has its own risks. Most blocks are mined by pools, so you'll have to whitelist them, and while you might trust the pool operators now, will you forever? You'll be making the cost of an attack significantly cheaper for them (or someone who steals their magic key, or tricks you into adding them to the blessed list).
I agree that it is not ideal. But addressing some of the specific point brought up:
1. a) The list doesn't need to be hardcoded, it could be a configuration. b) So trust doesn't need to be permanent. c) It could be decentralized in the sense of allowing different people to have configs 2. Miners not on the list can still participate just with lower weight in the case of a fork. And they still get full reward.
1. A cryptocurrency requires consensus, so no, you can't have different configs for determining the validity of a chain. Making it a config variable only makes it faster to close the barn door after the horse has bolted. 2. Has no bearing on any point I made.
What will likely happen is a PoS BFT layer on top of PoW, although there are other options being considered:
As long as people eventually reach the same conclusion about which chain is the legit one it's fine that they use different reasoning to arrive at that conclusion.
If they fail to ever converge there is probably such a large disagreement in the community that a fork is for the best anyway.
> As long as people eventually reach the same conclusion about which chain is the legit one it's fine
What? No, it very much it isn't. Consensus needs to be ongoing, within a handful of blocks (Monero locks transfers for 10 blocks for this reason, called "confirmations").
https://en.wikipedia.org/wiki/Double-spending#Decentralized_...
Firstly, I think you underestimate how quickly good faith actors with slightly different configs would come to agree. A handful of blocks should be enough. Secondly, if reorgs start becoming a problem, exchanges and merchants could monitor for a situation with two competing chain and temporarily suspend processing. There is still the possibility that some one will suddenly reveal a long chain they had kept secret, but anyone doing such a thing is very suspicious.
Please post your suggestion in the issue I linked.
If you're doing a whitelist of trusted parties you might as well do classical BFT without the mining.
Unless the attacker was actively choosing to exploit the 51% hashrate power they have then it would still make economic sense for remaining minority miners to keep mining.
>Sustaining this attack is estimated to cost $75 million per day.
This is how proof of work systems operate.
They are very expensive to attack but very cheap to recover from.
$75m per day is clearly unstainable.
Soon they will give up and the network will recover cheaply.
The attack is more of a nuisance than the end of Monero.
The problem is not that the system is constantly under attack. It's that it can no longer be trusted to be secure. Nobody with money on chain will say 'oh well, probably nobody will steal my money today'.
A 51% attack doesn't let you steal random people's money.
It absolutely does, just not directly. Say that you have 100k fiat equivilent in monero and I demonstrate a successful monero double-spend attack. How much do you think your monero is worth?
My man. What do you think the word "steal" means? You can't just redefine words because you don't like new technology.
Do we need to drop down to 1st grade story problems?
---
Alice has 1 apple. Eve has 0 apples.
Eve steals Alice's apple.
Now Alice has 0 apples. Eve has 1 apple.
---
Alice has 1 XMR. Eve has 0 XMR.
Eve 51% attacks Alice's network.
How many XMR does Alice have? How many XMR does Eve have? Show your work.
The only reason this seems like an unusual definition to you is that you haven't thought about it very hard, yet. The critical thing is not how many XMR you have. It's what value those XMR carry. If I create from thin air 1000 XMR and it's known to the market I didn't just 'make' a certain amount of value, I made myself richer by making a lot of people less so. I stole value from them and gave it to myself, just like someone stealing a ham at the market. The only difference is that instead of burning one ham of value for one ham of benefit, I burn many ham of value for one ham of benefit.
This is an excellent explanation and I'd also point out that it generalizes to fiat not just crypto. But its nice not to think about that too much.
> $75m per day is clearly sustainable.
Is this a typo or am I misunderstanding something?
I’m guessing it’s implied that the return would be higher than $75m a day.
Thanks.
"unsustainable"
now it says unstainable
Also true!
Depends what the goal is. A state that wants to break the anonymity of the system doesn't care about $75m per day, specifically a state that can just print that...
I'm not familiar with Monero's privacy system, so I can't say for sure, but it is very, very unlikely that a reorg could in any way break anonymity.
Reorgs dont break anonyminity
Much better link - https://www.cointribune.com/en/qubic-hits-52-72-of-moneros-t...
Appears to be legit, but not really a nefarious attack.
>Did Qubic really attack Monero ? No, according to official statements, it was a planned stress test to identify vulnerabilities in the Monero network.
"not really a nefarious attack" is an insane summation of this article. There's zero way for someone outside of qubic to verify that they didn't do something nefarious while controlling the network. Stated another way- anyone could call their 51% attack a "stress test"
That entire article reads like propaganda/doublespeak.
"Planned test". Planned by whom? Planned by the attackers. The reorg did happen.
This is a bot hoax. The only news here is that twitter still hasn't fixed its insane spam account problem
Qubix(group performing attack) founder x post
This man is a true poet, just beautiful look at this quote found on his exTwitter:
(quote starts here)
"""Writing this date here to memorize when the concept of Decentralized Artificial Intelligence (#DAI) got its final shape.
Not bullshit like "It runs on a #blockchain so it must be decentralized". In this concept each entity holds a secret know-how which modifies #IntelligentTissue (in cooperation with other know-hows owned by other entities, if needs to solve a complex task). Secrecy of each know-how ensures nobody can copy it, others can only attempt to create something similar by spending computational resources.
Each #AI is an original object, #IntelligentTissue is its hologram. #Qubic is the platform for AI creation, their convergence and intelligent tissue hosting"""
Psychosis or marketing scheme? Who can even tell the difference anymore...
He's a bit insane. I did the same thing to the iota Network and brought it down to 0% confirmation for a month
Trust me he did not like it
One of the major things that has always bothered me about crypto: if an economically "irrational" large player wanted to 51% something like Bitcoin, they could.
I am thinking of, for example, a nation-state. Let's say the US, EU, or China decided for some reason that it was in their national interest to blow up Bitcoin. This could happen if an adversary like Russia or its allies were using Bitcoin for funding and there was a war or a major Cold War style struggle. Such players could afford to purchase and build, in secret, a huge mining farm, and then suddenly turn it on, not caring about the cost because the goals are strategic. It would be massively expensive but it doesn't matter for this case.
A more economical version of the same thing is to engage in honest mining through several front companies that together have 51%. Until a strategic opportunity presents itself and they start colluding.
Sure, and this is well within the capabilities of any competent large intelligence agency.
It's only a secure system if adversaries are either small or economically rational.
For monero and other smaller chains maybe, but for BTC this is already at the point of being quite difficult (the intelligence agency really would have to be quite large).
The money is one thing, you also have to somehow acquire a huge % of the ASIC supply over years, and the not insignificant amount of energy to run them
While that's certainly possible with a large enough expenditure, they'd also have to have the miners be sufficiently indistinguishable that they couldn't easily be denylisted with an update to the official codebase.
State entities can also destroy real banks with all sorts of means if they really want. The vulnerability is real, but beyond the scope of discussion because then it's war we're talking about.
But states generally like having a financial system, and don't like (or are at least annoyed and worried by) cryptocurrencies, so the incentives aren't the same.
I'm also curious about an attack vector whereby if a coin has a single reasonably well-installed mining software stack, this effectively gives the developers of that stack control over any miner, which could easily add up to 51% if there's only a few mining software options. Sneaking in a backdoor is well within the capabilities of any developer; do the mining companies compile from source?
The moment anyone does this, people will notice, and the coin plummets.
Yep. From the comment you replied to:
> Let's say the US, EU, or China decided for some reason that it was in their national interest to blow up Bitcoin.
Which is what they want.
at 75 million a day what is the motive?
> a nation-state. Let's say the US, EU, or China decided for some reason that it was in their national interest to blow up Bitcoin
Irrelevant and impossible to "know", given that it hasn't happened yet (if it ever does)
They could borrow 1 Billion in Monero and sell it. Then they would only have to pay back a fraction and keep the rest.
Imagine if you will that the Russian economy ran on Bitcoin or whatever.
75 million a day to destroy the Russian financial system is less than half of what Ukraine currently spends on their defence budget.
100% a fed action. Government influence has been pushing Monero off of exchanges and now this. Why? Because Monero has true anonymity.
Interesting, I don’t disagree but would like to learn more.
If you exchange Bitcoin for cash, the IRS can retroactively look at every wallet that this money originated through. If they decide that they don’t like how certain coins were earned, they can mark them and any wallet they touched as poisoned, and put you in jail if you try to exchange them further.
Monero transactions are inherently obfuscated, which solves this problem. If you want more details, the Monero whitepaper is well written to be accessible for the common reader.
The tldr is it works atop ring signatures: https://en.m.wikipedia.org/wiki/Ring_signature
> Monero transactions are inherently obfuscated, which solves this problem.
It solves the problem by making all participants culpable. The blockchain community is very good at imagining they have technical solutions to social problems.
I don’t believe US courts would see it the same way, if you use Monero for legitimate transactions you will not go to jail.
By your logic, anyone using cash would be culpable for illegal transactions. Same with VPNs/Tor.
I think speech is not the same money, and that any kind of property you expect others to respect comes with obligations. Why should I respect your property claims if you can't show me you didn't steal your property?
But that's really beside the point, because it isn't me who will come after you, it's the IRS (or equivalent). If you spend a lot of money, you're in trouble if you can't explain how you got it. And if you explain that you participated in a network which has as its only purpose to destroy evidence of how you got it, you're usually in extra big trouble.
There's a little bar in Cupertino, Paul & Eddie's Monta Vista Inn. They only accept cash. Should they be shut down and have their assets seized? After all, what possible reason could they have to operate as cash only, in Silicon Valley, other than that they want to destroy evidence of how they earned it?
Again, it's beside the point what they should. Small businesses have "know your customer" requirements too, and if this little bar made suspiciously much money from cash sales, the government will come looking to make sure it isn't a money laundering operation.
If you think it shouldn't be that way, you are faced with a problem. A social political problem. Which Monero does nothing to solve. Which is the point.
Can you elaborate?
fiat money has to be a monoply
specially given its only backing is "trust" (trust that you won't get invaded or overthrown)
anonymous alt coins, real digital cash, are competition to the monetary system. there can be only one.
I am way OOTL with crypto drama.
Anyone have any context about who Qubic are, and what their deal is?
It's a long story, I wrote a blog about it here: https://rdrama.net/h/slackernews/post/385556/chud-chudsmug-u...
Thanks!
Sidenote: IDK how is Ledger, a French company, still in business after compromising ~300k users' physical addresses[1] amongst other PII, ~5 years ago.
What is qubic offering to miners that other pools can't?
Gamification. They are supposedly offered some other shitcoin in return for the monero that they mine. I've tried it myself some months ago, it is noticeable that they were lying about the number of miners on that platform.
What really happens to a crypto coin if trust in the ledger is shattered?
Does the coin stay alive purely because people still speculate on hype or does everyone try to cash out simultaneously and send price into a death spiral?
Shattered is the trust in transactions that happened during the time period where the attacker controlled >51%, from addresses that the attacker also controlled. AFAIK so far they haven't controlled 51% for any amount of time, though they did control more than 33% for a short while, which is enough for "selfish mining." Either way, the attack did illustrate that a government could easily take over XMR if they wanted to. The impact of that, we'll have to wait and see.
Reminds me of the old IRC Channel takeover
Maybe Black Owl is finishing off APT29's remaining part of the former Mirai botnet?
I'm just saying that this might be a state sponsored actor fighting another one, given that Mirai was primarily hosting XMR miners, and given that they lost 3.5 Mio bots overnight in 2023.
The ridiculousness of cryptocurrency reminds me of the ridiculousness of the stock market. Both are absolutely batshit insane ways to maintain a global monetary system, yet people keep investing their fortunes in both.
Post seems confused. A 51% attack doesn't allow the attacker to sign transactions with someone else's key.
You: "Post seems confused. A 51% attack doesn't allow the attacker to sign transactions with someone else's key."
Maybe you misread, the post says this: "With its current dominance, Qubic can rewrite the blockchain, enable double-spending, and censor any transaction."
All of which are possible if someone has that level of control, and none of which involve signing with other people's keys.
(As some people seem confused about the impact of 51% attacks: Of course you can't double-spend in a single blockchain, as that is prevented. But the nature of these attacks is that there's no longer one true blockchain. You can create one fork of the blockchain where you send the money to someone, receive goods in return, and then afterwards switch to a longer fork of the blockchain where the money was never sent.)
> You can create one fork of the blockchain where you send the money to someone, receive goods in return, and then afterwards switch to a longer fork of the blockchain where the money was never sent.
Why would you do this double spend attack with goods (and I assume you mean physical goods) and not for example a swap to ETH?
Doing this requires massive tangible infrastructure subject to seizure to pay your new bad debts as you become subject to arrest in a lot of the places one may want to spend time in.
This doesn't seem like as much of an actual risk. A better way to make money would be to create a perception that the value of the coin is at risk before buying it cheap.
Actually devaluing it doesn't seem worthwhile financially.
> become subject to arrest in a lot of the places
I have an idea for a much cheaper way to store and transfer money that also relies on the existence of a police.
Totally agree I just specifically doubt the virtue of stealing with extra steps which involves such obviously tangible assets.
A couple researchers have told me that it's not necessary to even reach 51%. It's probably something closer to 35% to maintain the ability to perform censorship etc
Not quite. You can make selfish mining economically viable below 51%, which eats into the profitability of the majority, but it's not possible to sustain a long term censorship attack with that.
With PoS protocols, >33% is usually when you have the ability to inhibit finality, which may be what you're thinking of.
they ran numbers on it. Do you have any references to support what you're saying?
You are not only appealing to the imaginary authority of someone that you talked to while demanding that someone else cite sources, but you also seem neither to understand the subject you're talking about nor able to accurately recall the hearsay you're offering as evidence. When you are lost in the woods, seek out a map!
Replies seem to be arguing that this wasn't a 51% attack and was something else. I don't know crypto well enough to verify their claims, though.
Seems to not be the case, a real 51% attack would need 10 blocks at the very least, because that's when Monero transactions get confirmed.
See e.g. https://x.com/kayabaNerve/status/1955173552363016434
"of a 51% attack", it's called a sybil attack
https://en.wikipedia.org/wiki/Sybil_attack
Btw, here's the alternative link https://xcancel.com/p3b7_/status/1955173413992984988
Going by the definition given in the wiki you’ve linked, a Sybil attack is about creating many fake identities to gain disproportionate influence in a network. A 51% attack in blockchain terms is specifically about controlling the majority of the network’s mining/staking power to override consensus.
So I'd say they're not exactly the same.
Someone amassing 51% of the network would probably want to do so under some fake identities so others don't realize what's about to happen. Not the same, but probably related.
Lol, there's no such thing as "fake identities" here. You just run more miners with different payout addresses for mining. But there is no "fake"
> You just run more miners with different payout addresses for mining.
That it's dramatically easier to conceal your identity doesn't mean concealing your identity isn't useful.
It's the same failure mode as a Sybil attack, but it's called a 51% when there's the additional assumption of the hashrate being hard to obtain and evenly-enough distributed to mitigate sybiling, and that assumption is being violated.
A Sybil attack is about having many identities in systems which make such identities count for something, blockchains are designed to avoid that attack by saying "identities don't matter for consensus, only raw 'work' does". a 51% attack is therefore analogous to a Sybil attack but not the same thing.
Byzantine Failure seems more appropriate.