Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Mining (Altcoins)
Topic OP
Zero-cost double-spending attacks via merged mining
by
MentalCollatz
on 23/08/2015, 19:19:01 UTC
A double-spending attack can be attempted by an individual with much less than 51% of the network hash power, but it is not guaranteed to succeed, and the odds of success drop exponentially as the number of required confirmations increases. Additionally, after a failed double-spending attack, the attacker's mined blocks become worthless, and he loses the associated revenue. For this reason it is assumed that an attacker with much less than 51% of the network hash power is expected to lose money by attempting to double-spend due to lost mining revenue.

It turns out that for coins that allow merged mining, an attacker can attempt a double-spending attack but retain any mining revenue even if the attack fails. Essentially, there is zero cost to the attacker to attempt an attack.

The attacker takes advantage of merged mining in order to intentionally fork the chain. One fork of the chain will contain the original spend, which will be broadcast to the network. The other fork will contain the double spend and will be kept private. The attacker creates the fork and mines both forks simultaneously by merge mining the coin with itself. The attacker continues to broadcast blocks built on top of the original spend. If the attacker successfully creates enough consecutive blocks for the receiver to consider the transaction "confirmed", then the attacker mines one more block on his private chain, and publishes the private chain, thereby completing the double-spend. If the network mines a block instead, the attacker discards his private chain, keeps his mining revenue from the blocks he published, and no one will ever be the wiser.

Should we be worried?  In a word, no.  Such an attack is very unlikely to succeed. If the attacker controls 30% of the network hash power, then according to Nakamoto's original paper a traditional double-spending attack on 5 confirmations will succeed with 17.7% odds. However, with the attack proposed here, the odds are less than 0.1%. The difference is because in my scenario the attacker must mine 6 consecutive blocks without the rest of the network mining any.

Edit:
The attack can be combined with selfish mining to improve the odds to about the same (or potentially better) as a traditional 51% attack, while remaining mostly cost-free.  If the attacker employs selfish mining, he now has 2 private chains.  He publishes blocks from the "original" private chain whenever the network solves a block, hoping for his block to disperse faster through the network.  Then he publishes the "double spend" branch once it is long enough as before.  There is some risk of lost mining revenue if he loses the block-propagation race, but even if he fails to make enough blocks to succeed in double spending, he keeps the mining revenue from the remaining published blocks.