It's worth pointing out that just getting 51% hash rate isn't enough to steal money. It's really just the entry point at which you _might_ be able to steal money.
To actually steal money you need to falsify at least six blocks, which in turn means you need to mine six blocks in a row (roughly speaking). The probability of this being successful is (1.0-0.51)^6 - i.e. about a 1.5% chance of being successful. You can increase your chances by increasing your mining percentage. Make it a 75% attack and you have an 18% chance of success. To have a 50/50 chance of success you really need to mount about a 90% attack, which is pretty ambitious.
> You can increase your chances by increasing your mining percentage. Make it a 75% attack and you have an 18% chance of success. To have a 50/50 chance of success you really need to mount about a 90% attack which is pretty ambitious.
I'm not sure this is accurate. You don't need to mine 6 blocks in a row on the existing chain. Clients are programmed to recognize the longest chain, so you just need to silently mine new blocks (and not share them with anyone) until you have more blocks than the main chain. Then publish these new blocks, and existing clients will recognize your chain of blocks as being the correct ones.
You can double spend by making a transaction on the public chain while you quietly mine your own blocks on your private chain. Send the coins to an exchange on the public chain, but send them to your own address on your unpublished chain. After you steal funds from the exchange, publish your privately mined blocks.
The six-blocks-in-a-row problem seems less of an impediment to me, because the "legitimate" blocks are still available to the malicious actor.
Therefore, if our malicious miner identifies that they have had poor luck and begun to fall behind the "legitimate" chain by a block or two, they can start the make-a-longer-competing-chain process over again from the legitimate head with (as far as I can see) no downsides except for some lost time/resources; the main risk to them isn't really there until they commit by initiating their double-spend, something they would almost surely not do until they're confident they've acquired their own, longer competitor to the "legitimate" chain.
They don't need to get ahead by six blocks. They need to get ahead, with at least six blocks mined on the public chain. There's a massive difference there!
The chain starts at block 1000, and you make a spend that will be included at block 1001 on the public chain. At the same time, you start mining your private chain from block 1000 (and you don't include that transaction in it). Now, the exchange you're using requires 6 blocks of confirmation, so you need to wait until block 1006 on the public chain before you can actually take delivery. Now that you've done that, you can publish your private chain at block 1007 (or 1008, etc) and since it's the longest chain, it'll be accepted by the public.
You didn't have to get 6 blocks before the public chain got 1 - you only needed to get 1 more block than the public chain, at some point after the public chain has mined 6 more blocks.
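The race described in this comment, as an added simulation that is not part of the thread: both chains fork from the same parent, the exchange waits for a number of confirmations on the public chain, and the attacker needs a strictly longer private chain at some point after that. Function names, the hash-rate shares and the block cap are my own assumptions; block propagation and difficulty adjustment are ignored.

```python
import random

def private_chain_race(q: float, confirmations: int, max_blocks: int,
                       rng: random.Random) -> bool:
    """One run of the race in the comment above (hypothetical helper).

    Each new block goes to the attacker with probability q (their share of the
    hash rate) and to the public chain otherwise. The exchange releases funds
    once the public chain has `confirmations` blocks on top of the payment; the
    attacker then needs, at any later point, a private chain that is strictly
    longer than the public one. The run is abandoned after `max_blocks` blocks
    so that every simulation terminates.
    """
    public = private = 0
    for _ in range(max_blocks):
        if rng.random() < q:
            private += 1
        else:
            public += 1
        if public >= confirmations and private > public:
            return True
    return False

def success_rate(q: float, confirmations: int = 6, trials: int = 5_000,
                 max_blocks: int = 150, seed: int = 1) -> float:
    """Fraction of simulated races the attacker wins (seeded, so reproducible)."""
    rng = random.Random(seed)
    wins = sum(private_chain_race(q, confirmations, max_blocks, rng)
               for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    # Defender's view: how the confirmation depth an exchange requires changes
    # the attacker's odds for a given hash-rate share (shares are illustrative).
    for q in (0.25, 0.40, 0.51, 0.75):
        row = ", ".join(f"{c} conf: {success_rate(q, c):.2f}" for c in (1, 6, 12))
        print(f"attacker share {q:.2f} -> {row}")
```

With a share above one half the attacker eventually wins every race the simulation does not cut off, which is the point made further down the thread; below one half, each extra confirmation multiplies their odds down.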
We're saying the same thing, but I see now that this was unclear.
The point of this sub-thread is that 51% doesn't give you a guarantee you'll mine faster than the 49%, just an edge, and that edge narrows as more blocks are required.
A casino with a 1% house advantage would have days when it was in the red, around 178 of them in fact. By analogy, you need to line up six days in the black, in a row.
And I'm saying that you're wrong there - the chance of getting more than half of the blocks approaches 1 as the number of blocks increases, given that you have 51% of the hashing power.
You're focused on the chance of getting 6 in a row. But what you should be looking at is the chance of getting at least 7 in 13, which is given by this equation:
P(K>=N) = sum(nCr(M, k) * p^k * (1-p)^(M-k)) from k=N to M
With M=13, N=7 and p=.51 - which works out to about 53%. But 8 in 15 also works, 9 in 17, etc. The limit of that probability (n+1 in 2n+1 as n -> inf) is 1.
Also, a casino is not likely to have many days in the red, just like it won't have many years in the red. (for bets only, ignoring everything else) This is because while the chance on any one bet may only be 51%, the chance of 10,000 bets, or 1,000,000 bets having a majority go south starts to get very, very small. (~27.5% for 1000 bets, ~2.5% for 10,000 bets at 51%, etc)
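The binomial tail from the comment above, worked through as an added example that is not part of the thread: it reproduces the roughly 53% figure for 7 of 13 at p = 0.51, shows the majority probability growing with the number of blocks, and checks the casino numbers for 1,000 and 10,000 bets. Function names are mine; a tie is counted as a day not in the black.

```python
import math

def binom_tail(m: int, n: int, p: float) -> float:
    """P(K >= n) for K ~ Binomial(m, p): the chance that a miner who wins each
    block with probability p wins at least n of m blocks. Summed in log space so
    that thousands of blocks (or casino bets) neither overflow math.comb nor
    underflow p**k."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    log_p, log_q = math.log(p), math.log(1.0 - p)
    log_m_fact = math.lgamma(m + 1)
    total = 0.0
    for k in range(max(n, 0), m + 1):
        log_term = (log_m_fact - math.lgamma(k + 1) - math.lgamma(m - k + 1)
                    + k * log_p + (m - k) * log_q)
        total += math.exp(log_term)
    return min(total, 1.0)

def majority_prob(blocks: int, p: float) -> float:
    """Chance of a strict majority, e.g. 7 of 13 or 8 of 15 (blocks // 2 + 1)."""
    return binom_tail(blocks, blocks // 2 + 1, p)

def red_day_prob(bets: int, p: float) -> float:
    """Casino analogy: chance that a 'day' of `bets` bets does not end with a
    majority in the house's favour (a tie counts as not in the black)."""
    return 1.0 - majority_prob(bets, p)

if __name__ == "__main__":
    # 7 of 13, 8 of 15, 9 of 17, ... with a 51% share: the edge grows with the
    # number of blocks, and (n+1 of 2n+1) tends to 1 as n grows.
    for m in (13, 15, 17, 101, 1001, 20001):
        print(f"majority of {m:>5} blocks at 51%: {majority_prob(m, 0.51):.4f}")
    # The casino with a 1% house edge, per day of 1,000 or 10,000 bets.
    for bets in (1_000, 10_000):
        print(f"red day with {bets:>6} bets at 51%: {red_day_prob(bets, 0.51):.4f}")
```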
I'm trying to understand what "cashing out" would look like in an attack like this. One option would be to send coins to an exchange as you mentioned, and I presume cash them out before publishing your longer chain.
However, after the attack wouldn't it be easy to compare both chains and see which coins were double spent? Wouldn't you obviously be the perpetrator, having both double spent, as well as having cashed out a large amount of money? Or is the idea that you'd be able to cash out to a bank account not tied to your real identity?
It absolutely would be easy to compare both chains and see exactly which coins were double spent, and you'd obviously be the perpetrator. Not that I advocate it, but if you wanted to carry out an attack, you'd likely target an exchange that didn't require verification, and you might exchange and withdraw under another coin (ex: trade ETC for ETH).
Genuine question, forgive me if it's stupid: what happens immediately after you publish the blocks? Maybe I've misunderstood a step, but I think at this point you're in possession of a) whatever real-world goods or other currencies you bought with your bitcoins from the old chain, plus b) the same number of bitcoins on the new chain. Am I right that the value of bitcoin is now likely to crash rather quickly, as people inevitably realise what you've done? Is it just a question of completing the second spend quickly enough, before this happens?
The second spend in your double spend needs to be before the re-org is noticed. Make that spend a swap to Zcash / Monero and you can't be traced. So a full scenario would be:
* Swap coin for Zcash and start mining with 51%.
* Wait until your chain is longer than the main chain, and you actually hold the Zcash.
* Publish the longer chain, and immediately swap your spent coin for Zcash again. (At a different exchange just to be sure).
Now you have twice the value of Zcash you needed, and due to Zcash shielded transactions it can't be traced. You just have to hope that your shenanigans won't tank the value of Zcash.
People reacted in such irrational ways to any BTC news related to crypto (the "this is good for bitcoin" meme) that I am not sure if it would crash the price. On the other hand, a "bank run" on the attacked exchange is likely. And the victim of the attack will almost always be the exchange. BTW, no matter what crypto fans claim ("code is law"), getting anything from a service and then canceling the transaction that paid for it by a 51% attack will be a criminal act under many jurisdictions.
Considering that, shorting crypto is probably a better solution. Though I am not sure if it is even possible to borrow the required amount of coins.
You cash out by having a vested interest in damaging the exchange or currency in general. Say for example a hedge fund that shorts all crypto exchanges, or a competing cryptocurrency that wants to undermine confidence in their competition.