51% Attack! – FACILELOGIN
What will happen if most of the miners in the bitcoin network are cheaters — or the bad guys? That does not really matter as long as those bad guys do not work together. But if they do work together, or in other words, if at least 51% (more than 50%) of the total computational power of the bitcoin network is owned by a single miner or a single group of miners, that’s not a healthy situation for bitcoin. In practice, it takes a huge investment to gain 51% of the total computational power of the bitcoin network. Let’s say someone still does it — what would happen next?
Before answering the above question, I guess it’s worth looking at what is actually meant by this 51% ownership of the total computational power of the bitcoin network. In the above diagram, let’s assume the total bitcoin network, with all its miners (4 in this case), can generate 100,000 hashes per second. That’s the total computational power of the network. For simplicity, let’s say all the miners start mining at the same time — and each miner has its own computational power. The first miner can generate 25,000 hashes per second, while the second miner can generate 40,000 hashes per second. Now all these miners are in a race to find the magic number that solves the difficulty puzzle. What chance does each miner have? The first miner has a 25% probability of winning, while the second miner has a 40% probability. To put it more simply, in a lottery draw, the more tickets you own, the higher your probability of winning the prize — but it’s just probability — even a person who has bought just one ticket can win the prize.
The total computational power of the bitcoin network is expressed in terms of the number of hashes generated by all the nodes per second. At the time of this writing it was around 5.6 million tera-hashes per second. One tera-hash is equivalent to 1,000,000,000,000 hashes. The figure below shows how the total computational power of the bitcoin network increased over time. Owning 51% of the total computational power means that one single mining node (or group) must be able to generate more than 2.8 million tera-hashes per second. In other words, this miner can mine blocks faster than all the others in the network together — so he/she has a higher chance of producing the longest blockchain.
What kind of impact will this have on the bitcoin network?
If the owner of 51% of the total computational power decides to cheat, can he/she change the value of the bitcoin reward (say from 12.5 to 1000 bitcoins) and add them to his/her account? The value of the bitcoin reward and how it changes with time is defined in the bitcoin mining software. Each miner runs a copy of this. The attacker can change his/her copy to generate more bitcoins for the reward and possibly add that block to the blockchain. But once that block is sent to the other nodes of the network, the miners who run the legitimate software and follow the right rules will reject that block. So the blockchain copies held by those nodes are not updated with this block, which will result in a fork.
When there is a fork, all the nodes in each branch of the fork are keen to know whether they are on the longest branch. Since the bad guy has control over the computational power, he/she can generate more blocks and would possibly own the longest blockchain. Now what would happen: would the good guys attempt to switch to the bad guy’s longest blockchain?
Miners can find out that there is another branch of the blockchain, longer than the one they are currently working on, by observing the block height property of the blocks they receive. The block height is the number of blocks preceding a particular block on the blockchain — and the value of the block height is included in the block header itself. Once a mining node receives a block, it will validate it, and if the block conforms to the accepted rules of the bitcoin network, the node will then look at the block height. If the block height is higher than that of the latest block being mined at this node, then there is another branch of the blockchain which is longer than the one known to it. So it can traverse back in the blockchain (via the reference to the previous block) and update its own copy by requesting the latest blocks from its peers. Keep in mind that this complete process will only happen if the block it receives is valid.
In the case of the 51% attack, since the block generated by the bad guy is invalid (in this case), even though his/her blockchain is longer, the other legitimate nodes in the bitcoin network will not shift to it. This will leave the attacker isolated in his/her own branch. He or she can accumulate more and more bitcoins, but no one outside his/her branch will accept those.
But there are other things an attacker can do if he/she owns 51% of the total computational power. Double spending is one option. For example, you buy something for 1 bitcoin — and post the transaction to the bitcoin network. The attacker mines a block with that transaction, and updates the blockchain. Now, after the merchant confirms that transaction, the attacker can re-mine that block with a new transaction that uses the same inputs but pays the output amount to the buyer’s bitcoin account. Now that block is a valid block, and the attacker can mine more blocks on top of it to make it the longest blockchain, using his/her dominance in computational power.
Also, the attacker can block some transactions from being added to the blockchain. The attacker can have his/her own preferences and keep on mining blocks with only the set of transactions he/she wants. This will delay certain transactions — even though they happened much earlier in time. Satoshi has suggested a way to prevent this from occurring, but he himself concludes that there will be no need to guard against miners explicitly dropping transactions.
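The two fork outcomes described above, as an added toy model (not code from the original post or from any bitcoin client): a node checks validity before it compares heights, so a longer branch with an inflated reward is ignored, while a longer branch that follows the rules replaces the node's tip. Proof of work is not modeled, the reward check stands in for full validation, and `Block`, `Node`, `extend` and `run_scenario` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass

BLOCK_REWARD = 12.5  # reward figure used in the text

@dataclass(frozen=True)
class Block:
    prev_hash: str
    height: int
    reward: float   # coinbase amount the miner claims
    payload: str    # stand-in for the block's transactions
    @property
    def hash(self) -> str:
        raw = f"{self.prev_hash}|{self.height}|{self.reward}|{self.payload}"
        return hashlib.sha256(raw.encode()).hexdigest()

GENESIS = Block("0" * 64, 0, BLOCK_REWARD, "genesis")

class Node:
    def __init__(self):
        self.blocks = {GENESIS.hash: GENESIS}
        self.tip = GENESIS
    def receive(self, block: Block) -> bool:
        parent = self.blocks.get(block.prev_hash)
        # Validity first: a block on an unknown (or rejected) parent, with a
        # wrong height or an inflated reward is dropped, however long its branch.
        if (parent is None or block.height != parent.height + 1
                or block.reward > BLOCK_REWARD):
            return False
        self.blocks[block.hash] = block
        if block.height > self.tip.height:  # longer valid branch: switch to it
            self.tip = block
        return True

def extend(parent: Block, count: int, reward: float, tag: str) -> list:
    """Build `count` constructed sample blocks on top of `parent`."""
    chain = []
    for i in range(count):
        parent = Block(parent.hash, parent.height + 1, reward, f"{tag}-{i}")
        chain.append(parent)
    return chain

def run_scenario():
    node = Node()
    honest = extend(GENESIS, 3, BLOCK_REWARD, "honest")
    inflated = extend(GENESIS, 6, 1000.0, "inflated")        # longer but invalid
    rewrite = extend(honest[0], 4, BLOCK_REWARD, "rewrite")  # longer and valid
    results = [node.receive(b) for b in honest + inflated]
    kept_honest_tip = node.tip == honest[-1]
    switched = all(node.receive(b) for b in rewrite) and node.tip == rewrite[-1]
    return results, kept_honest_tip, switched
```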
If necessary I can write code to make nodes prefer not to use a block if it doesn’t contain enough of the transactions they know about. A discouraged block would almost always fail to be included in the main chain, but would be accepted if it did get in. I doubt this will be necessary, since there’s no real advantage for nodes not to include all transactions. — Satoshi Nakamoto [ref]
At the time of this writing, nearly all miners mine through pools; very few miners mine solo any more. A mining pool lets miners from different parts of the world contribute their computational power together, and each miner is paid based on the hash rate he/she contributes. The Stratum mining protocol is used to facilitate communication between the mining pool and its participants. There are other alternative protocols too. In June 2014, GHash.IO, one of the largest mining pools, got so big that it actually had more than 50% of the entire capacity of the bitcoin network. This is something that the community had feared for a long time, and it led to a backlash against GHash. By August, GHash’s market share went down, as the pool stopped accepting new participants. The following figure shows the percentage hash rate generated by popular mining pools at the time of this writing.
Despite its name, the 51% attack scenario doesn’t actually require 51% of the hashing power. In fact, such an attack can be attempted with a smaller percentage of the hashing power. The 51% threshold is simply the level at which such an attack is almost guaranteed to succeed. A consensus attack is essentially a tug-of-war for the next block and the stronger group is more likely to win. With less hashing power, the probability of success is reduced, because other miners control the generation of some blocks with their honest mining power. One way to look at it is that the more hashing power an attacker has, the longer the fork he can deliberately create, the more blocks in the recent past he can invalidate, or the more blocks in the future he can control. Security research groups have used statistical modeling to claim that various types of consensus attacks are possible with as little as 30% of the hashing power [ref].