On The Brink with Castle Island - James Lovejoy on detecting and mitigating double-spends (EP.111)

Episode Date: August 10, 2020

James Lovejoy, recent MEng MIT grad and former graduate researcher at the MIT Digital Currency Initiative, joins the show to talk about his masters thesis and associated project focusing on detecting ...double-spends in proof of work cryptocurrencies. Previously, little data was collected in a systematic way to detect double-spends and reorganizations across many cryptocurrencies. James' project sheds light on previously unknown security properties of PoW. In this episode:  How James came to work on Vertcoin Why James thinks ASIC resistance is valuable James' blockchain monitoring project and why it matters Why reorgs are challenging to detect Why investigating the economic damage of reorgs is difficult How James noticed a 51% attack in progress on Vertcoin and intervened to save Bittrex money – and how this can be replicated Why understanding Nicehash is critical to detecting and dealing with 51% attacks James' critiques of dominant theoretical models of PoW security How James found reorgs and counterattacks happening on BTG in real time Why exchange processes like KYC might actually help protect blockchains from reorgs How permissionless trading and leverage makes certain blockchains more vulnerable to attacks Rules of thumb for confirmation requirements for exchanges The issue with calling coins "Nicehash-able" – and why it's likely a lowball How exchanges can proactively mitigate the risk of 51% attacks and what they should be targeting How BTG developers finally defeated deep reorgs Whether James is confident in the long-term prospects of PoW Whether James still believes in GPU mining Content referenced in this episode James Lovejoy, An Empirical Analysis of Chain Reorganizations and Double-Spend Attacks on Proof-of-Work Cryptocurrencies Raphael Auer, Beyond the doomsday economics of "proof-of work" in cryptocurrencies Eric Budish, The Economic Limits of Bitcoin and the Blockchain Hasu, Prestwich, and Curtis, A model for Bitcoin's security and the declining block subsidy Carlsten, Kalodner, Narayanan, Weinberg, On the Instability of Bitcoin Without the Block Reward Moroz, Aronoff, Narula, Parkes, Double-Spend Counterattacks: Threat of Retaliation in Proof-of-Work Systems Judmayer et al, Pay-To-Win: Cheap, Crowdfundable, Cross-chain Incentive Manipulation Attacks on Cryptocurrencies Liao and Katz, Incentivizing Blockchain Forks via Whale Transactions James Lovejoy and David Vorick, ASICs and cryptocurrencies: benefits and drawbacks  [debate] Nic Carter, It's the settlement assurances, stupid [blog] Elaine Ou, Cryptocurrency Deals can Always be Erased, for a Price [article]

Transcript
Discussion (0)
Starting point is 00:00:00 Hello and welcome back to On the Brink with Castle Island. I was so excited to finally record this episode. I've been trying to do it for a long, long time. It's with my good friend James Lovejoy. Some of you will know him as the lead maintainer of Vertcoin, which is a asic-resistant cryptocurrency in the kind of early Bitcoin tradition. But more saliently, for the last few years, he's been a researcher at the MIT Digital Currency Initiative, which is part of the Media Lab, studying proof of work in the real world. So the performance of proof of work for a couple dozen major blockchains and evaluating whether they've had reorgs
Starting point is 00:00:40 and potentially even malicious 51% attacks. And he's finally published that in the form of his master's thesis, which is a very unique and important source of data on this phenomenon. The thing about catching reorgs in the wild is they're ephemeral. They don't appear in the chain permanently. So you have to be watching for them at the time when they occurred. And that makes analysis of them very difficult. And we've actually seen lots of really high profile reorgs recently on Ethereum Classic,
Starting point is 00:01:10 Bitcoin Gold, a number of other blockchain. So it actually is kind of a chronic issue for a smaller cap per four coins. So James undertook a project to monitor these blockchains and try and tease out how these malicious tax could be detected. and potentially mitigated. And this is actually a very relevant issue for exchanges that might be listing these coins. There are the principal targets of these 51% attacks.
Starting point is 00:01:39 James has also managed to detect long reorgs before they happened through a careful analysis of hash rate marketplaces, namely nice hash. In my opinion, this is hugely valuable and novel work and deserves a wider audience. The thing about proof of work is that there has been a fairly vibrant theoretical debate, but it often seems kind of disconnected from the reality on the ground. And you never really notice these economists who write these analyses
Starting point is 00:02:10 of proof of work, they don't often interface with minors or practitioners. And James is a bridge between those two worlds, understanding directly the performance of these chains and also the relevant economic arguments. So the thing to note about this episode is that it is fairly technical in nature. And if you don't have a strong grounding in proof of work, you might want to check out some of the resources that I've linked in the show notes. Now, your podcast client will have some show notes, but the longer form ones will be on on the brink dash podcast.com to get around the character limit. There's a whole bunch of papers and blog posts that we reference in this episode, and it almost consists of an introductory curriculum on proof of work. Once you've read them all,
Starting point is 00:02:56 you'll be up to date on the state-of-the-art analysis of proof-work and how it works and whether it's sustainable. So this is just such a fun episode. You know, we cover James's research. We cover his views on ASIC resistance. You know, he's famously a proponent of ASIC resistance. And whether he thinks proof-work has a long-term future and what it means for some of these smaller cap, GPU-mind, proof-of-work chains. Let's dive right into it. Brought down by bad mortgage investments, Lehman, which has 25,000 employees will be liquidated. The federal government loans American International Group, AIG, $85 billion. This is a different kind of market, and the Fed is asleep. The federal government
Starting point is 00:03:35 is stepping it to stabilize Fannie Mae and Freddie Mac, the two mortgage giants that have been threatened by the housing crisis. The Bank of England has pumped 75 billion pounds more into Britain's ailing economy with a new round of quantitative easing. You print a couple trillion dollars and all of a sudden people start to worry. So out of this worry, we have something called the Bitcoin, Bitcoin. James Lovejoy, welcome to the show. Thanks for having me on, Nick. So James, you have spent several years at MIT just graduated.
Starting point is 00:04:09 You were part of the digital currency initiative at the Media Lab. How long were you at the DCI for? Was it two years? No, I think it was four years in the end. Yeah, I started sort of a little bit. my sophomore year and then, yeah, went all the way through to do my master's degree there in the end. And how did you get recruited to the DCI in the first place? Well, funnily enough, I actually talked about my work with Vercoyne and my admissions statement.
Starting point is 00:04:41 And when I got admitted, the admissions tutor emailed me and they said, well, you know, there's this thing at the media lab, the DCI. We think that you should probably check that out. So, I mean, it took a little bit, it just like took a little while when I first joined because I was pretty busy with other stuff. But eventually when it cooled down a bit, I reached out to them and got what we call a Europe, which is like undergraduate research opportunities program, which is this cool thing they have at MIT where undergrads can get involved in research. So yeah, I did a Europe for three years, and then eventually, yeah, I did my master's thesis with the DCI. So that's another thing we should mention. So you were, maybe even still are, the lead maintainer of Vertcoin, is that kind of the best way to put it? Yeah, I guess I'm the person who merges the pull requests on the GitHub.
Starting point is 00:05:44 Although you're not the creator of Vertcoin, but you've been very involved. influential in the development of the coin historically. Yeah, that's right. I mean, I joined the project maybe 10 months to a year after it was created. Really, I just got involved because before I was mining Bitcoin and eventually light coin. But, you know, once these projects became sort of overrun by A6 and I had, you know, just a GPU and my gaming rig, I actually saw an ad on the pool that I was using at the time. which said, hey, something like, if the ASICs are ruining your fun, try Vercoyne. That's what I did.
Starting point is 00:06:26 So it's all related, because that's what we're going to talk about today. So that's also the reason that you're involved with Vercoyne is because of the doctrine of ASIC resistance, which pervades that project. Yeah, that's right. Oh, man, that's funny. So this has been a long campaign for you looking at kind of proof of work and trying to evaluate. evaluate, you know, finality, settlement finality. And you've done some pretty impressive research, I must say, I've just read your master's thesis. It's very comprehensive. Is it public? Is it open to the public? I don't think it is right now, but eventually, yes, it totally should be.
Starting point is 00:07:07 I think MIT will post it on their website that aggregates these things at some point. but I think the pandemic has maybe slowed down their internal processes a bit. Okay, but in principle it sort of could be public. Yeah, yeah, exactly. And I think at some point I'm going to convert it into an actual paper that gets submitted to a conference or a journal. Well, I definitely recommend that you do that because it's probably the best thing I've read on proof of work.
Starting point is 00:07:39 And I've read a lot of stuff on proof of work. I can tell I read your tweets We had David Vorek on this podcast before And you know You're like the Joker to his Batman Or maybe vice versa Yeah people who are curious can look up the debate I had with Varek Like two or three years ago
Starting point is 00:08:01 Was that at one of the Bitcoin Expos? No it was a DCI it's moderated by the glorious tatch who would you what did the audience say in terms of who won that debate? I'm not really sure. I mean, I think in the end, David probably turned out to be a little bit more correct than I was. Because when we did that debate, and also, you know, generally when I started this OASIC resistance thing, nice hash wasn't really a thing, you know, abundance of hash rate was not a thing. So it really more was just about ideology. like do you care more about mining decentralization or do you care more about just sort of the natural way things go? You know, at the time David was arguing, well, ASIC resistance is just kind of futile.
Starting point is 00:08:54 And you may as well just embrace ASICs. Then you don't have to hard fork all the time, which I think is a valid argument. But, you know, my counterpoint was I just prefer the idea that someone can walk into a store and buy all the tools they need to mine. But what's transpired in the last two years is that if you have a liquid hash rate market and you're not the biggest coin in your mining class, that is to say, you know, the coin, like the biggest coin with a specific ASIC or the biggest GPU coin, you really are suffering from a total lack of security. A proof of work really doesn't provide you all that much. Yeah, so I've been very sympathetic to David's views historically. I would say my views align with his. I've even advocated for newer coin launches to create bespoke A6 on a kind of custom hash function
Starting point is 00:09:52 so that they would be distinguished from the pool of GPU minable coins from inception. But that does trade off against the mining decentralization 100%. So I guess your point is that GPU mining in particular is very special because it allows for the direct-to-consumer distribution of a coin or an asset or currency with just hardware commodity inputs in a private way without KYC. And also there's the benefit of the mining decentralization. Yeah, and it's very censorship-resistant. I think we haven't really seen much. of this yet, but you know, if you have a total monopolization of mining, there's no reason why those miners can't just prevent certain transactions from ever getting into a block. And with GPU mining, you know, if it truly is decentralized and anyone can do it, then, you know, eventually someone is going to find a block realistically and include your transaction.
Starting point is 00:10:59 I mean, the other thing I thought was really cool and that worked quite well on Bitcoin for a while was P2 Pool. which is like a decentralized pool, sort of a sliding window blockchain that runs on top of the network. And that means that, you know, you don't even need centralized pools or pool operators at that point. But with A6, you know, the margins are so thin that P2Pool is not really efficient enough. And besides, you know, there's probably not super high incentive to use it. P2Pold was used on Bitcoin back in the day, right? Yeah, I mean, that's where it originates from, but yeah, back in the day is the correct term. So let's talk about your research. It's actually you did a whole project. It's much more than a paper.
Starting point is 00:11:50 I've been aware of it for a while. I've been following it pretty closely. It's very cool to see the output. So tell us about the inspiration for the kind of monitoring project and how you, were able to instrumentalize that? Yeah, so I think the main issue was that we were starting to get news reports about 51% attacks occurring without really any empirical data to back it. And what we realized is that it's not really incentive compatible for these things to get reported super diligently, because the victims are usually exchanges. And if an exchange is losing money, in a 51% attack. They're not really incentivized to tell everyone this information because, you know,
Starting point is 00:12:42 it may bring up questions about their solvency or, you know, their competency or any number of things. So what we realized is you need some tool, essentially, to figure out outside of incentives, you know, whether or not attacks are occurring and to study them and find out, you know, how much they cost and so on. the issue with the tax is they are transient events. So, you know, one of the things you hear people say is, oh, well, you know, isn't it stored in the blockchain? But the thing is, with a reorg, unless you're observing it at the time that it happens, you don't, you know, it's gone.
Starting point is 00:13:21 The side of the fork that doesn't end up in the main chain is gone forever. So you need some tool that is constantly monitoring each of the networks that you want to, you know, discover attacks on and then save both sides of the fork in a database so that you can analyze the transactions. I guess the other component you also want to do is try and monitor the pools, I guess specifically the rental markets. So, you know, Nice hash is the biggest sort of crypto hash rate rental market that I'm aware of right now. And people argue that that is the tool that is being used to create these attacks or to acquire the hash rate for the adversary to perform the attack. So by monitoring the sort of market conditions on Nice Hash in real time and correlating that
Starting point is 00:14:17 with observed attacks, the goal of the research was to try and figure out, you know, is Nice hash being used? Are attacks happening? You know, what is the cost? And, you know, as a result, are there really any mitigation strategies that can be used? And so you ran nodes on something like 30 different blockchains, right? Yeah, I think it was like 24 different coins or something. But yeah, you just run a full mode. So, you know, the node software from the coin developers. And then you run a tracking process on top of that that just pings that node, you know,
Starting point is 00:14:55 constantly to try and figure out what the current tip block is. And if you don't get a sort of contiguous sequence of blocks, that implies that some kind of chain reorganization has happened. And then the tracker tries to figure out, you know, what were the two sides of the fork and then save those blocks. I guess the other component is something that then later goes over the two sides of the fork and tries to figure out, you know, where there are any double spans associated with the reorg. And so you found a bunch of both short reorgs, which are based on the probabilistic nature of mining, and some pretty long reorgs too,
Starting point is 00:15:39 which are potentially more malicious in nature, right? Yeah, so we saw, I think it was, was it like three or four different attacks on a bunch of different coins? I think it was, yeah, Lightcoin cash expanse, Vertcoin, Vudge, and Bitcoin gold in the end. Did you have an intuition that Vertcoin might be attacked, you know, especially because it was, you know, meant to be GPU minable and hence, you know, maybe a bit more vulnerable? Yeah, so, I mean, Votcoin was attacked before in 2018, I guess nearly two years before we did this research.
Starting point is 00:16:21 but no one was really tracking at the time and we only heard about it because someone at Coinbase actually I think was running some monitoring software likely associated with their sort of analysis team to figure out what coins are good and so on and so they reported it but
Starting point is 00:16:42 whatever they're running internally is completely proprietary so it was necessary to come up with a more open design and publish the data more widely over a bigger set of coins. Was it kind of disappointing to you that your project, you know, was one of the few coins that was actually attacked during the window in which you were observing the sample? I guess so.
Starting point is 00:17:10 I mean, in a way, I suppose it was sort of inevitable. But, yeah, I guess it's disappointing, but I'm not one to sort of mask over reality. I realize that it's a big problem, but there's also not a lot of really great solutions to the problem right now. And, you know, Virtcoin's whole ethos is about ASIC resistance and, you know,
Starting point is 00:17:35 mining by the masses. And if it ceases to have that property, then Virtcoin doesn't really have much of a purpose anymore. So I don't think the problem space of ASIC resistance has been completely explored yet. And really, you know, you just, you got to treat it like an experiment. I mean, it's, you know, Bitcoin is not Bitcoin. It's not, you know, strategic importance right now to the crypto space.
Starting point is 00:18:03 So, you know, if we can use it to learn things about proof of work security and whether or not, you know, ASIC resistance is even achievable, then I think that's, that's fine. I mean, it's unfortunate that it gets attacked. but it's definitely not the only one. So which was the most kind of severe of the attacks, the longer reorgs that you noticed? Maybe in terms of kind of like the economic losses that you were able to deduce. Well, I think Bitcoin Gold was probably the most severe. I mean, the problem with all these attacks is we don't actually know who the victim was.
Starting point is 00:18:39 So it's really hard to tell how much money was actually stolen. I mean, all we can say is that, you know, there were transactional. that were double spent and those transactions, you know, transacted a certain amount of value. Yeah. So in terms of value transacted as a result of double spends, from what we observed, yeah, Bitcoin had the highest sort of double spent volume. Bitcoin gold did. Yeah.
Starting point is 00:19:06 I mean, I guess sometimes the exchanges admit to having been attacked, but most of the time they actually don't, right? Yeah, and no one owned up to being attacked for any of the attacks that we observed. Although, I guess historically, some exchanges have. Like, I think we know the Bitrex lost money in reorgs. And I guess there was the Ethereum classic 51% attack, which happened in the last couple of days, which maybe targeted OK coin. Yeah, so, I mean, their method was different to deduce that.
Starting point is 00:19:43 They used the various sort of chain analysis technologies to try and figure out, you know, which addresses belong to which entities. But I didn't have that available to me for my research. So that is not included. So kind of separate to this research, you also did detect an attack in real time recently on vert coin, right? You were actually able to notice it before it happened or notice. the likelihood of an attack and then kind of headed off. So tell us about what happened there. Yeah. So what essentially happened is a user in our Discord, the Virtcoin Discord,
Starting point is 00:20:27 posted publicly in one of the mining help and support channels like, hey, you know, I'm mining Vercoyne's algorithm on NICEH right now. And so Stratum is the protocol that is used to communicate with mining pools. And if you're running a GPU miner, you get a nice little console window that tells you the block height that you're currently mining. And he was receiving block heights
Starting point is 00:20:54 that didn't correlate with what the current block height of Virkcoin was. And Virkcoin is, you know, the biggest coin on that particular algorithm. So, you know, we weren't certain, but we were kind of concerned that something strange was going on.
Starting point is 00:21:11 So, you know, I took a screenshot of this and notified BitTRAX, and they closed down their deposits for a while. And then, you know, some sort of 18 hours later or so, yeah, there was a 600 plus block reorg released on the Bitcoin network. So your hypothesis here is that somebody was constructing along Reorg, they were going to deposit coins on an exchange. and then release this hidden chain, which they'd been working on, and basically steal the money back. Yeah, that's correct. And I guess we have other evidence for it, because at the same time, we were recording the market conditions on Nice Ash.
Starting point is 00:21:57 So both the bid price for hash rate in the market, as well as the total available capacity in the market. And what you see is almost directly associated with the estimated, sort of start time of the reorg, i.e., when we think the adversary started generating their secret chain and the end of the reorg, i.e. when the adversary stopped mining their secret chain and released the alternative fork on the network, is a huge spike in available capacity on nice ash associated with an equally huge spike in the bid price. So it seems highly likely that someone was bidding up the price on NICEH in order to acquire the necessary hash rate to generate
Starting point is 00:22:44 the alternative for. So the way that attackers actually exploit this is what do they typically do? What's the workflow? I mean, deposit something like Virtcoin on an exchange, trade it for Bitcoin, withdraw the Bitcoin, and then release the hidden chain, which nullifies the deposit. Is that kind of the typical workflow? Yeah, something like that. I mean, there's a slight variation you could do where you just withdraw vert coin again. So you could deposit vert coin, wait for it to confirm, withdraw it, get a withdrawal
Starting point is 00:23:20 transaction issued, and then include that withdrawal transaction in your alternative fork and double spend the deposit transaction. And this works, at least in some cases, because exchanges don't tend to federate deposits and withdrawals. So it's likely your withdrawal coins will come from a different output than the deposit. So that way you can take the deposit back as well as keep the withdrawal. But I guess to be able to really monetize this attack, you have to somehow be signed up to an exchange with no KYC. Because otherwise they know exactly they know who kind of exploited them.
Starting point is 00:24:02 Yeah, I mean, I assume there must be a way around that. I mean, maybe it's easier than we think to get KYC'd on an exchange. And also, it's been suggested to me before that maybe people use stolen accounts. If you're able to get the login information of someone's account that's already KYC'd, you could just use that. Oh, because you don't actually need to steal any coins. All you need is just credentials for potentially an empty account. Right. I mean, the adversary already has the coins. I mean, that's what's so interesting about the Heath Classic attack is it means, or at least it implies that the adversary, you know, already have, you know, $5 million worth of East Classic that they were ready to double spend. Yeah, there is a considerable barrier to entry because you actually do need a fair amount of capital to instrumentalize these.
Starting point is 00:24:55 Yeah, I mean, these people, the adversaries clearly have significant funds. their disposal if they're willing to put this kind of capital at risk to launch an attack. With ETH Classic recently, it was something like they spent $200,000 on Nice Hash and were able to make off with over $5 million from the reorg. But they also had to have a bunch of ETH Classic in the first place, I guess, is what you're saying. Yeah, I mean, they had to have had, I guess, the 200K and Bitcoin to spend on Niceash. Because everything, Nice Ash is denominated in Bitcoins. And then they had to have the ETH classic coins to double spend.
Starting point is 00:25:39 So decent amount of crypto with their disposal. That's a good ROI though, if you can pull it off. It's interesting how much these attacks come back to the existence of Nice Hash. I mean, there's nothing special about Nice Hash. I guess anybody could spin up a proof of work exchange. change, they're just the biggest one by far, right? Yeah, well, it comes down to economies of scale in the end. You know, there's going to be a natural push towards all the hash rate being in one
Starting point is 00:26:10 marketplace just because you're going to get, you know, the best price and the tightest spread and so on. So in your research, you consider some of the kind of formal or theoretical models for Proof-Work security. and what always kind of shocks me is how little we know about proof of work. You know, we're still really learning. I mean, I would say your research is very valuable empirical findings about how proof of work works, you know, what the actual finality guarantees you get from it.
Starting point is 00:26:45 So you refer to the model from Eric Buttish, who has a pretty well-known paper, basically saying that proof of work is probably too expensive to work. There's the Raphael Auer paper who's at the Bank of International Settlements, which is similar. And then there's the kind of James Prestwich Hossu model, which is slightly different. Were any of these models kind of persuasive to you and, you know, do your current sentiments, how did your research kind of change your understanding of the dominance? models. Well, I really like the Hasu and James Presswich model just because of how that document is set out. I think it's just really clear. And I would totally recommend anyone who wants to understand
Starting point is 00:27:37 sort of the current cutting edge of theoretical proof of work security should read that paper. I think it does have definitely some oversights, though. And I think the research that I did sort of bars that out. And the biggest one is that Hsu and Presswitch's paper, their model for security does rely to a large extent on this assumption that if a coin is attacked, the price will decrease significantly. Yeah. But, you know, what we saw and what we're seeing again with these more recent attacks on Bitcoin gold and an Heath Classic that occurred after the conclusion of my research is that
Starting point is 00:28:19 the opposite is actually true. It seems really that especially for smaller coins, you know, and attack it, it's a pump signal because people have maybe not heard of these coins and then all of a sudden there's tons of news articles about them, you know, maybe even some in the mainstream media, and the sort of uncertainty about attacks is completely outweighed by this increased spotlight on the coin itself. And if the price actually goes up as a result of an attack, proof of work actually provides no security at all, literally zero, because the attack is always profitable.
Starting point is 00:29:02 Even if you don't double spend anything, if the act of you attacking and just getting the block rewards from that attack causes the value of those block rewards to increase, you, you know, there is no security. Like, you'll literally incentivize to attack at this point. Yeah. So I think that's the biggest thing.
Starting point is 00:29:24 I mean, Hasu and Prasw, which are talking specifically about Bitcoin. They weren't really considering other coins. But the model applies to any proof of work. You just have to change the parameters. So it's yet to be seen. Obviously, Bitcoin has not been attacked in this way yet. So, you know, perhaps if Bitcoin was attacked, the price of Bitcoin would in fact go down.
Starting point is 00:29:48 But it definitely brings into question, you know, for smaller coins, whether or not this model, you know, can actually be sort of applied in a way that says the proof of work is secure rather than what it seems to be saying, which is that it isn't. Yeah, I guess to summarize their model briefly, the gist of it is that in the case of Bitcoin, to conduct a reorg, you have to acquire a lot of hash rate. you know, through ASICs. And if you do attack Bitcoin and let's say the price of Bitcoin falls, then the value of those ASICs is going to fall dramatically because an ASIC is just an option on a bunch of future coins. And if the spot price decreases the value of the option or the derivative decreases too.
Starting point is 00:30:35 So that's effectively a disincentive to attack the chain. So that's their explanation for why miners, A, don't attack and B, are kind of disincentivized to lend their hardware to people who would attack as well. Right. Yeah, I mean, the ASIC component of it is an addition above and beyond Buddhist and O's model. I mean, there is, according to their model, there is some security provided, even if you don't have ASICs as such. I mean, what they're really talking about is fixed costs. and all miners have fixed costs.
Starting point is 00:31:13 The problem with nice hash is that it allows you to rent hash rate without any fixed cost. So it means you can pay for a hash rate by literally only paying the marginal cost of that hash rate for the time that you rent it for. So that's what makes the sort of the math so challenging when it comes to proof of work security. And that's the risk, is if you make everything liquid, and short term, then the entities that are mining the chain may not actually be positively disposed towards the chain.
Starting point is 00:31:49 They have no reason to be because their relationship with the chain is short term, as opposed to if you just have big industrial miners that own application-specific hardware, they probably have an incentive to be stewards of the chain. Yeah, well,
Starting point is 00:32:09 assuming they're mining the sort of biggest coin in that A6 sort of class. I mean, it's hard to say if miners feel that way about Bitcoin Cash and Bitcoin SV and so on, because although those are Shartu ASIC mined coins in the same way, it would take very little hash rate to be sort of bribed off of Bitcoin mainnet to attack one of those chains with presumably very little hit on their bottom line in the long term. Yeah, you know, the miners I've talked to about it? I've asked them this exact question. Like, you know, why not kill off one of these smaller Bitcoin forks?
Starting point is 00:32:52 Especially if, you know, you could, in theory, take a large derivative position on one of them. Not that I'm suggesting they wouldn't do this, but, you know, just inquiring as to why this doesn't happen. And what they've told me is they actually don't view. them as kind of discrete chains, they just think about it as Shaw 256 as a whole. And Bitcoin is, you know, 96% of that or whatever. But so they are just, they don't want to decrease the market size of the shot to 256 because to them it almost doesn't matter which chain their mining unless they're ideological. They just frictionally switch back and forth between Bitcoin, Bitcoin cash, BSV, etc. Based on kind of relative profitability. So they've told me to,
Starting point is 00:33:36 that they just don't want to reduce the size of the shot 256 market by killing off one of the smaller coins. I guess that's an interesting viewpoint. I just wonder, they must have a price. Like everyone has a price. If you pay them enough money and you find one that
Starting point is 00:33:54 I guess is less amenable to that position, you know, if you can outweigh the long-term expected earnings from being able to mine Bitcoin cash and Bitcoin SV as well. There's no record going to be done. I guess your point is that there's nothing special about ASICs per se, which grants the chain's particular security.
Starting point is 00:34:19 It's just that if you're the dominant algorithm for an ASIC, you're kind of the monopolist, then you have to acquire that hardware in order to attack it or be active on the chain. So the thing that grants you special safety is the alignment that you get from an ASIC, but also being the monopolist on that kind of hardware class, right? But if you're a minority within that particular class, you don't have a lot of protection. Right. I mean, it's funny. I feel like all the analyses of proof of work, maybe up until early 2019, we're all, focused on the sort of computer science aspect of proof of work, you know, like looking at it
Starting point is 00:35:08 from the perspective of a consensus algorithm. But I think, you know, since Buddhist, Alar and Hsu and Presswich and such published their findings and took it from a more economic perspective, what we're realizing is proof of work security, actually it's an economics problem. Yeah. You know, if you're not the biggest, you really don't get much security. And, you know, that's why Heath Classic is vulnerable, because they share an algorithm with Ethereum. And Ethereum is the dominant mined GPU coins still. And so, you know, a very small number of GPUs relative to the total market supply
Starting point is 00:35:51 need to switch in order to launch an attack. Yeah, I would say the two papers that kind of change the game, not including your future paper on this, which would potentially also change the game, would be the Nereyanan paper on the instability and then the Buddhist paper, which was the economic analysis of proof of work. And I think those really crossed the chasm into the brains of the industry folks that think about these questions with the Nureanan paper saying, hey, you know, there's questions about the potential safety of fee security, fee-driven security in the long term. And then Buddhist saying, oh, hey, guys, the security you're getting through proof of work
Starting point is 00:36:44 might not be as good as you think it is or might be more expensive than you think it is. Yeah, I mean, Bitcoin's in a really tough spot, I think, because the inflation progression of Bitcoin is. really central to its design. And I worry that even if it turns out in the future that it's not compatible with proof of work security, that they'll be unable to change it. I mean, I hope that fees end up being enough, but we'll have to see how it goes ultimately. Well, because that's the question is we don't even have a concrete notion of what sufficiency would be. We don't really Because that kind of relies on our model of security in the first place. And so it's hard to even conceptualize a threshold at which we would consider fees to be sufficient,
Starting point is 00:37:43 let alone the problem of actually getting fees up to kind of a stable level. Yeah, right now with Bitcoin security, it seems we're almost completely reliant on the fact that there isn't a liquid hash rate market for Bitcoin. The supply of Shardu A6 that's mining on Bitcoin, you know, that is it. There is no, or at least we believe, there's no nascent hash rate, you know, that's hidden away somewhere ready to come online at a moment's notice. But the sort of activities occurring on these smaller coins are showing what it will be like in a world where there is, you know, a liquid hash rate market for Bitcoin. And at least from what we're seeing so far, it is very consistent.
Starting point is 00:38:27 signing. Yeah, and that's absolutely right. I mean, it really is a function of the fact that once enough hash rate becomes liquid on a secondary market, you know, you're at risk. With Bitcoin, the hash rate progressively grows. So, you know, you're kind of always outpacing the supply of historical units. We've had drawdowns in hash rate, but never really extended ones. But, you know, it's not inconceivable to imagine that maybe after the next halving or something, you would have a glut of miners, which are maybe not active on the network, and they could be leased up by some malicious entity and then used to attack the network. Well, one would hope that the halving is priced in by the miners.
Starting point is 00:39:16 You know, given that they know that it's coming, they shouldn't be sort of over-leveraging themselves on their current amount of hardware that they produce. I mean, I don't know for sure, but I hope that they're thinking about that because, yeah, what we don't want is a massive sort of hash crash. Yeah.
Starting point is 00:39:35 And having all of this hash rate, you know, available to one side for someone to rent for a premium. That was one of the things that I remember Eric did a collaboration after his paper. I don't know if you were there is at MIT with the DCI. It was kind of organized by the DCI. We got some Bitcoiners, some core devs in the room, and some economists, and then Eric Buttish, and then it was basically a discussion of the paper.
Starting point is 00:40:08 And one of the things he said was, you know, it may just be the case that Bitcoin is protected by a quirk of the supply chain for A6, as opposed to anything more fundamental. So, and that can be a highly contingent feature. it's just, well, it just so happens that most of the A6, that the A6 have been growing progressively and they're not very liquid on the secondary market, but that could change at any point. Yeah, I think there's just too much uncertainty right now. I mean, who is to say that A6 for Bitcoin don't become, you know, a commodity hardware in the future? Well, that's quite sobering.
Starting point is 00:40:50 So back to the paper, we've had it kind of a long digression. So something interesting that has been that's popped up in the literature as kind of counterattacks to these reorgs. So this idea that potentially you could fight back. And this popped up, I think, really, you know, in the popular imagination when Binance was hacked. And there was a discussion, I think Presswood was involved. I think Hasi might have been involved too with CZ about potentially kind of hacking back and bribing minors to build on an alternative chain. And then some of that work was formalized in the literature. So can you tell us a little bit about that and what the prospects for those counterattacks are?
Starting point is 00:41:43 Yeah, I'm actually not sure which came first. The Twitter argument with finance or the paper, but there's another great paper that is, worth reading called whale transactions. And it essentially describes this exact situation where there's some incentive you want to create for miners to mine on top of your fork. And, you know, you like your fork for whatever reason. So in the finance case, maybe your fork contains a transaction which double spends a transaction which maliciously withdraws a ton of coins from your exchange that shouldn't have been withdrawn. Or, as in the case of 51% attacks, you want to encourage miners to counterattack. So that's to say reorg the reorg. So if an attacker
Starting point is 00:42:33 can rent a bunch of hash rate to generate a really long reorg, there's no reason why you couldn't also rent a bunch of hash rate to sort of re-extend the original chain and restore it to becoming domain chain. So what you do is you, as in the case of what was suggested in finance and whale transactions is to issue a transaction with a very high minor fee associated with it, though it is only valid on the particular fork that you want to incentivize. So you usually do that by double spending an output such that, you know, that, you know, that. that transaction is only valid on one side of the fork. But, you know, you could just pay the miners out of ban to do this.
Starting point is 00:43:25 I mean, what we noticed in the attacks that occurred is that the minor only, or the adversary, only waits until there are a few blocks ahead of the current main chain before releasing their alternative fork. So it's not like you need to spend, you know, equal to the amount that the adversary has spent. you only need to spend the difference to extend the original chain to be longer, well, longer is the wrong word, but have more total work than the adversary's chain. So some work done by a PhD student at Harvard, he made a game theoretic model where he essentially found that there's a sort of Nash equilibrium associated with no attack occurring if the threat of a counterattack is realistic,
Starting point is 00:44:14 because the game is always worth more to the victim, generally speaking. But it does require, again, that the price to decrease in some way. So, you know, that's a little bit questionable still. But there is something to be said for miners to make an effort to defend themselves in the case of an attack occurring. I guess my research ties into this because we think we observed this behavior on Bitcoin Gold. So what we saw is an adversary creating a reorg, double spending some coins, and then sometime later, the victim returning and extending the original chain to displace the adversary's chain.
Starting point is 00:44:58 And they actually did this in a repeated way. So then the adversary once again extended their fork, returning it to being part of the main chain. and then finally the victim extended that chain, which in the end resulted in the victim winning out and restoring that chain to being part of the main chain. So it does say something for counterattacks being potentially a method to solve this. Do you have any idea who either the adversary or the victims were in this circumstance? Unfortunately, I do not. I only have addresses, which I'm happy to share with people if, you know, they have some way of figuring out who they belong to. But no, I only have on-chain addresses for these.
Starting point is 00:45:47 I guess both the adversary and the victim had to be sophisticated enough and aware of kind of the literature maybe in the discussions around this to design transactions such that they could get involved in this game in the first place. Well, I think they, I mean, so in this case, they didn't use whale transactions. they didn't use the incentive transactions to get a third party to do this mining. They were doing it themselves, at least it seems like. So, you know, maybe they were renting on nice hash or they had a GPU farm of some kind available to them. But yeah, I mean, it seems possible, but what we've seen with Bitcoin gold more recently when they are attacked again is that, you know, the budget of the attacker is far larger than that of the victim.
Starting point is 00:46:38 or the developers. As you said, the attackers had a whole bunch of coin in the first place. So they're well financed. So it only sort of makes sense to do this if you credibly have a large balance sheet. Like maybe you're in exchange with an insurance fund or something. Right. Yeah, I mean, you can imagine, yeah, some kind of insurance company perhaps offering this service in the future where, you know, their resources is just so unmatched. anyone else that no one bothers to attack in the first place because they know that there's a
Starting point is 00:47:14 credible threat to have the reorg displaced. Do you think that it's possible that exchanges would start to contract with miners so that they have hash rate on retainer in the case of these potential hacks? I suppose it's possible, but in my experience, the exchanges aren't super advanced in terms of their thinking. I mean, before we've spoken to exchanges and asked them about, you know, variable confirmation limits, which seems, you know, even easier to implement than that and would mitigate definitely some of the risk. But they seem thus far unwilling to do that, and it seems that it's just easier for them, especially because it's usually only small cap coins that are getting attacked. So just delist the coin and not deal with them.
Starting point is 00:48:05 that problem. Yeah, I heard an interesting analysis somewhere, and I don't remember where it was, that the exchanges might willingly list these coins, or a certain subsector of exchanges might willingly list these kind of risky, low-cap-proof-of-work GPU coins because the trading fees that they make from them existing, especially because other exchanges might shy away from them, those trading fees more than account for the losses that they suffer in kind of periodic reorgs, which was kind of an interesting angle. Yeah, I mean, these things, at least until recently, the last month or so, don't seem to be happening all the time. I mean, over the course of like 10 months of observation,
Starting point is 00:48:49 I only detected, you know, five different deep reorgs, two of which were pretty marginal, depending on the exchange may have actually been below the confirmation limit for that coin. So it doesn't seem like it's something that happens a lot. So yeah, I mean, you may be right. The transaction fees may just outweigh the risk. It's just acceptable risk to them. Would you say that exchanges are actually helping with the security model for these smaller cap coins by imposing stuff like KYC or being more rigid with their user account permissioning
Starting point is 00:49:27 and maybe saying, you know, if you're a new account, you can't deploy. and withdraw on the same day, or just imposing those speed bumps, which make the kind of specific reorg style attack structurally more difficult. Are they actually, is that exchange institutionalization protecting some of these blockchains in a sense? Oh, yeah, I think so. I mean, it's definitely much harder to attack a KYC exchange than it is one that has no way of, you know, tracking down its users. I mean, I would be really interested to see. whether this could be tested in court. You know, if an exchange is able to find out, you know, with reasonable certainty,
Starting point is 00:50:09 who it was that launched an attack against them, you know, could they prosecute that person for, you know, defrauding the exchange? I don't know. I guess I haven't really spoken to many lawyers about it, but people seem skeptical that it would be because they say, oh, well, you know, it's just the way it works. you know, the exchange just made a mistake, but I'm not sure. I mean, you know, when you enter into a contract with the exchange, when you sign their terms and conditions, you know, does it say, like, I agree not to double spend the exchange or, you know, try and reverse my deposits? I don't
Starting point is 00:50:50 actually think it does. So maybe that's sort of a blind spot in that legal thinking that. exchanges if you're listening add to your terms of service is the is the is the corollary to this view that exchange institutionalization kind of somehow protects these coins is the corollary to that that as more kind of on-chain derivatives and more permissionless capital markets on-chain you know defy effectively as that takes off potentially with other blockchains other than just Ethereum, the actual possibility to profit from these blockchain-based attacks is greater again. So you have a larger bounty for attacks and potentially the rise of more sophisticated attackers. Oh yeah. I mean, there's a paper, the name of which I'm completely forgetting right now,
Starting point is 00:51:45 but it literally describes a smart contract that you could deploy on Ethereum that like the whale transactions you can use to incentivize blockchain forks. And the smart contract can even validate that you did the fork the way that the contract was designed. So, yeah, I think it's totally possible that we could see crazy things like that in the future. So on the mitigations front, so, you know, hopefully there's some folks at exchanges listening to this right now. and, you know, I think there has been some evolution in terms of confirmation thresholds in the last year or so.
Starting point is 00:52:29 You know, I wrote a blog about it pointing out crazy inconsistencies in the way that they were doing it. It seemed like a lot of exchanges just had these weird rules of thumb that they were following. Basically inherited a lot of them from Satoshi. You know, it's like you're using a rule of thumb. that was devised before Bitcoin was a production system. Yeah. And just like, almost like, you know, completely made up numbers in terms of confirmation thresholds.
Starting point is 00:53:00 It seems, I don't know if you've noticed as well, that exchanges are slowly beginning to score confirmations kind of more systematically for different coins. Well, I mean, Poloniacs, they listed that coin at one point. And I remember when they increased their confirmation, limit. I think it was from like six up to 2000. You're like, oh, it's quite a recalculation. You've made that. So they're either wrong before, they're wrong after. Yeah, I mean, either way it's bad. But as I say, we just didn't know that this was even a thing. I mean, it wasn't until, you know,
Starting point is 00:53:39 2018 when Valkoin was attacked, an ETH Classic was attacked, that we even knew that 51% attacks were realistic. I mean, before, I remember the argument just being, yeah, well, you know, it's hard to get 51 so it just won't happen. Yeah. And then, you know, the hash rate marketplaces became more liquid. And now the gating factor is the exchanges. I mean, I guess you could have exchanges with really shallow confirmation requirements, but very onerous identity verification requirements. So maybe just one of those would be sufficient to help ward off attacks. Yeah, that would be a really interesting experiment, actually. If someone tried to launch an exchange, it was just like, yeah, we're going to zero conf everything.
Starting point is 00:54:29 But you have to, you know, we have to know with absolute certainty who you are and where you live and all this kind of thing. And then, as I say, you know, put in the terms of service that if you, you know, issue a double spending transaction, that changes a deposit you've issued to us in any way. we're going to come off to you. So in your paper, you float this idea of indexing the time that, you know, the confirmation threshold to a notion of effectively security spend, which I think makes a lot of sense. Elaine Wu has proposed this as well. So basically you wait until the accumulated work, the kind of dollar equivalent of the work
Starting point is 00:55:15 that's happened on chain is matching the size of your transaction as kind of a rule of time. Is that where you had in mind? Right. Yeah, I think that's sensible as a baseline. And for small cap coins, I think there's no reason not to do that. I mean, if you're not doing it, I guess it's as you said before. You've just made the calculation that the added convenience for your customers and getting a quick deposit and the trading fees and deposit fees you're able to get as a result of that. or just outweighs the increased security.
Starting point is 00:55:50 So just running it for Bitcoin, you know, the value of an hour's worth of block rewards in Bitcoin is about $900,000. So using this principle, you would say, any transaction under 900K, you should be, you should consider it settled in about an hour. Yeah, I think that makes sense. I mean, Bitcoin's a little bit different just because, as we've discussed before, the situation is there isn't a liquid market. So the economic confirmations method is not as relevant. But, you know, if you want added peace of mind, I think it's worth doing. I mean, I think with Bitcoin, you probably should be waiting at least two or three anyway, just because, you know, two block. deep reorgs do happen occasionally, you know, once or twice a yet. So doing like zero conf or one conf, I think, is a bit, a bit risky. Yeah, yeah. So we have to add another variable to the analysis. We can't just do the security spend equivalent.
Starting point is 00:57:04 I mean, we have to think about whether the coin is nice hashable or not. And if it's not, then it's probably defamation. facto secure. Yeah, I mean, maybe you don't need a rule. Nice hashable is an interesting metric as well, because if you look at Crypto51. app, which is what a lot of news articles cite about, you know, whether a coin is nice hashable and so on. Well, all it's quoting there in terms of the percentage hash rate available is, is, you know,
Starting point is 00:57:33 the spot capacity at the time that it's called Nice Hash's API. But what we've learned is that, you know, if you bid up the market, more hash rate will come. Nice hash will reallocate GPUs from other hash functions to meet your higher bid. So
Starting point is 00:57:54 what's really the question is how many GPUs are there in the market total or how many ASICs are there in the market total. And I think right now that is just really hard to calculate but that's really the number that you need to know. Yeah, so what you're saying is that the
Starting point is 00:58:13 nice hashable fraction is a way low ball because in theory like any hardware that's kind of like remotely addressable to the algorithm can be brought online for a price right and for bitcoin you have to take into account all the ASICs sitting in warehouses unoperable you know if an attacker was sophisticated enough and well resourced enough they could go around buying up all those old ASICs and so on. And we have no way to quantify that easily. Yeah, I guess the uncertainty with Bitcoin is how much better is each generation of ASIC over the previous one? I mean, if there are a bunch of ASICs that are just switched off because they're no longer profitable, is it the case that if you rounded them all up and used them, you'd be able to compete? Or is it just that the current
Starting point is 00:59:07 generation is, you know, several orders of magnitude faster than the old generation. So even if you got all the old A6 together, you wouldn't be able to meet the 51% threshold. Yeah, that is a underrated thing, which does protect Bitcoin, I would say, is just the progressive increase in the efficiency of A6, because as you say, like, older A6 costs more in electricity to generate the same amount of hash rate. And you would need more older A6 and more electricity to match the modern A6. So those A6... which aren't operated anymore, they're kind of inferior troops in that battle. Yeah, I mean, at least in the case of the small cap coins, and especially if you look at
Starting point is 00:59:54 Heath Classic, I mean, it's this 200K spent on hash rate versus 5 million double spent. You know, the attacker could have, if they needed to, you know, invested way more to get the hash rate they needed and still made a pretty decent profit. So it's definitely a scary prospect. So these attacks work, they seem to work. And maybe we're going to see more frequency now, because I'm sure a lot of people read the news and they think, oh, maybe I can do this on a different coin.
Starting point is 01:00:23 So the sweet spot seems to be coins with relatively low, kind of middling security spend and GPU mine, typically, and are still worth a fair amount. or you know like the actual unit value is decent or the market cap is because Ethereum Classic is worth something like $800 million. So I guess that's why we see Ethereum Classic and Bitcoin Gold being targeted and not these microcaps that it's just much harder to get a payoff. Yeah, I mean you need to have an exchange that has some liquidity to it so that you can actually pull off the double spend. So the other mitigation that you had explored with when you thwarted this purported attack on Verkoyne was just stopping deposits. So I guess that's another thing you could add to your risk model if you're in exchange.
Starting point is 01:01:16 Just if you notice an abnormality, just shut it down. Yeah, I mean, that should be the default case. You know, if something goes wrong, you should stop everything until you can figure out how to fix it. But, I mean, even more advanced than that, ideally as an exchange, you would be monitoring the pools themselves as well as nice hash in real time so that you can figure out, you know, in advance of the fork being deployed, you know, whether or not there is some, you know, reorg activity perhaps being generated. Because then, yeah, I mean, if you stop crediting deposits before the fork is released and therefore, you. theoretically before the attacker's original deposit is credited, then there's no attack at that point. I mean, the only issue with that is it may just be profitable anyway for the attacker without double spending.
Starting point is 01:02:15 I mean, assuming the price goes up, they will make money from just doing the attack without any double spends. So that's the slight caveat with that. So with the recent Bitcoin gold one, which was detected in the same method, they did release the new chain anyway. Is that just kind of for the heck of it at that point? Well, the thing with the most recent Bitcoin Gold attack, as I understand it, is the attacker won. So they were trying to do some kind of counterattack. And the attacker's chain was just still more work than what the defenders could come.
Starting point is 01:02:55 come up with. So what they did in the end is they just released a new wallet, new node software, interestingly privately to the exchanges, that contained a checkpoint, which has said, you know, if this block is not included in the main chain, then it's not a valid chain. So, you know, what it becomes there is it's not really proof of work, it's proof of developer intervention, which, you know, is a slightly different trust model. Yeah, dramatically different. But honestly, that is actually my reaction to the Buddhist paper when it came out. Because what he was proposing was that it's kind of expensive or, you know, symmetrical to defend against an attack.
Starting point is 01:03:42 But my view was always that in a really extraordinary circumstances, you do have this intervention potential. I mean, you even saw it with Bitcoin with the overflow bug. There was kind of a coordinated intervention to overhaul the chain and to restore the kind of correct supply in the longest chain. So given that there's always this possibility for intervention, you could do invalidate block or something, you can have quote unquote cheap defense. And so you can restore that asymmetry, I guess.
Starting point is 01:04:19 Yeah, and if an exchange is a big enough economic actor in the network, they could even do it themselves. I don't think it should be reliant on coin developers to do that because I don't think that's really their responsibility. I mean, I certainly don't think it's something that should be implemented in code. Right. It totally centralizes the coin to whatever the developers decide is the correct chain. And there have been instances where some of these smaller cap coins did insert checkpoints, and they kind of commandeered the consensus. And effectively, those coins, you wouldn't say that they're actually proof of work anymore at that point. Yeah, I just don't think it's worth doing.
Starting point is 01:05:06 I mean, if you have to rely on that, in order to make your coin secure, I'm not really sure what the use case of that coin is anymore beyond just being like a speculative asset. So one last thing I wanted to cover was selfish mining, which is the notion of selectively withholding a block that you've mined in the hopes that you could mine another one. And then if someone else minds a block at that same point, you release both of your blocks and you effectively punish them. And by doing that, you progressively gain more and more market share. And I think it's meant to be operable at maybe, you know, 30% or 33% of hash rate. So if you're sufficiently large, you can do it. So is this something that you kind of checked for in your project? And if so, did you actually find any?
Starting point is 01:06:01 It isn't something I specifically checked for. I mean, the only coin on which I think it's realistic that it could be happening is Ethereum, simply because of the rate of shallow reorgs on that coin. But honestly, it's pretty hard to tell, and I'm not clear what the heuristic would be to figure out whether or not selfish mining is actually happening. One idea I had would be to check the reported hash rate of a pool, i.e. what they say they have, versus what actually ends up in the main chain. And, you know, if a pool that says they have 33% of the hash rate, you know, on their web UI actually gets, you know, 45% percent. of the blocks or something. That might indicate that they're doing some kind of selfish mining.
Starting point is 01:06:49 But, yeah, I personally don't have any evidence for it. Well, I guess what you could do would be to, you know, obviously limit your sample to the largest pools. And then you could look at the rate, the frequency of blocks where they're releasing two or three blocks at a time, as opposed to just one block. And maybe you find an abnerment. there. Maybe their probability distribution is weirdly skewed towards two or three block releases,
Starting point is 01:07:24 which would potentially be an indication, right? Yeah, that's possible, I guess. I think the most optimal way, though, is probably just going to be, I mean, assuming the pool is public, is just by mining in the pool and seeing what work they give you. Because, you know, if you see that, you know, you as a miner have been given a block to mine on top of, that isn't public right now, then they're block withholding, right? Because it's either on the network and in the main chain, or it isn't, you know, unless, of course, you're being eclipsed in some way and you're unable to see it. So I think that is probably the most realistic way to detect it. So, James, with all this in mind, you know, you've spent the last five or so years
Starting point is 01:08:09 looking at mining and proof of work and the last couple years doing this really intensive project on it and surveying all the relevant literature and obviously interfacing with practitioners. So based on all of this, I mean, are you kind of more satisfied or more concerned about proof of work? Where did it kind of shake out for you? Yeah, I would say I'm more concerned. I mean, when I wrote my thesis proposal, you know, one of the main goals, I guess was to try and find a realistic mitigation for 51% attacks. And unfortunately, I just don't think we found one. I mean, there are lots of different ideas, definitely, but they all seem to have flaws with them. And I think what it comes down to at the end of the day is, you know, if you have 51%
Starting point is 01:08:59 of the hash rate, it becomes really messy. And, you know, not being able to acquire 51% of the network cash rate is just critical to proof of work security right now. You know, it's possible that we can use these sort of economic arguments and game theory arguments related to counterattacks or, you know, using big economic actors to influence the state of the chain and so on. But those things will seem incredibly messy and certainly not mature at this point. So, yeah, I mean, as we're seeing more and more attacks occurring with higher and higher values. It does make me pretty worried about where we're going. And in terms of the GPU versus ASIC debate, how have your thoughts evolved on that? I don't think they've really changed as such,
Starting point is 01:09:50 because I think what we've learned is it's not ASICs themselves that solve the problem. It's, you know, whether or not you're the biggest coin and how much money are you giving out for every block, you know, compared to what the market expects from you. So I think that there is still scope for GPU mining. Certainly some coins are GPU mined and they don't get attacked. I mean, you can still mine Ethereum to an extent with GPUs. So it's totally possible. And, you know, if Ethereum goes proof of stake, I think that will be really interesting
Starting point is 01:10:26 because then all of those GPUs will need to find a new home. So there will be a big reallocation of happening within the market. So I think basic resistance is definitely not dead, but it's definitely in a tough spot. And a lot more research is going to be required to try and figure out how to make it work in practice. So lastly, I mean, anybody listening to this will know there's a lot of unanswered questions. And there's a lot of things that we are still ignorant about. You know, your project was designed to gather data. And there's still an extreme paucity of data on these attacks.
Starting point is 01:11:03 and the just performance of proof of work. I mean, if you compare it to, you know, how they, people say we've only explored 10% of the ocean or whatever, how much of the proof of work security model is understood right now? I mean, across academia industry, what is our collective understanding? I would say it's pretty small. I mean, most people have probably not read HASU, ASEU, or Buddhist's paper, and are thus still under the, you know, 51% attack is impossible mindset. And it's interesting, you know, when you read paper reviews and things like this,
Starting point is 01:11:47 you do find that a lot of people who are, you know, pretty well vested in computer science and stuff, they also haven't really progressed past that viewpoint to an extent. So I think general awareness of proof of work security needs to be increased, but also, yeah, more study into potential mitigations or whether they're even possible. You could do maybe more market analysis, figuring out, you know, how much nascent hash rate really is there out there. We just don't really know the answer to any of these things yet. The thing that does surprise me is the unwillingness of exchanges to really investigate this deeply, to set up insurance funds, because a lot of them,
Starting point is 01:12:32 have insurance funds that are designed to compensate investors when there's a loss through some de-leveraging function. But there's no insurance funds which are set out to bribe miners to get them to, you know, mine a longer chain if their funds get hacked. And as we've talked about, you know, exchanges of pretty wacky confirmation requirements. So I have been surprised by their lack of engagement on this subject, given that they're the targets of these attacks. Yeah, I think that's really interesting as well, but I do think it probably comes down to what you said. I mean, they probably just think, you know, this is a difficult problem. We don't really want to deal with it, and we make enough money with the fees to, you know, paper over this problem,
Starting point is 01:13:20 at least in the short term. The question is if it continues to be a big problem, and these attacks become more frequent and with increasing severity, then perhaps they'll be forced to act in some way. Yeah, and I guess the question is, do they invest in monitoring and recovery infrastructure, or did they just delist all of the minor proof of work coins, and then we're left with Bitcoin and Ethereum and a bunch of proof of stake coins and a bunch of ERC20s?
Starting point is 01:13:52 And proof of work starts to go the way of the day. I kind of hope that doesn't happen because I do have a soft spot for a lot of these older proof war coins. Yeah, I think they'll just delist. That's my guess. I mean, it's so easy now to launch an ELC 20 coin, host it on Ethereum, you know, not have to worry about any of this stuff. You know, listing an ERC20 on your exchange is so easy compared to having to like run node software for each coin that you try and support and, you know, keep up to date with the developers. and the node software changes and so on. It just seems like a lot more work for them, but it depends. You know, if the demand is there on behalf of users, then, you know, they'll essentially be forced to put the effort in.
Starting point is 01:14:38 But if the demand subsides for whatever reason, then I think sort of having individual chains besides sort of the big two is going to be pretty hard to justify. for Ethereum as the dominant GPU mine coin, would you consider it effectively safe? I mean, most people consider Bitcoin de facto safe these days. Theorem has maybe a bit more questionable because there are tons of GPUs out there, you know, mostly being used for gaming and rendering and stuff. But do you consider it effectively immune from these attacks because how big it is? I mean, at least right now, you know, in the immediate term, there is not some Big Bank
Starting point is 01:15:20 of GPUs that are ready to be rented and put onto Ethereum. If one day, you know, all of these GPUs that are being used for gaming and rendering are suddenly available for rent and easily coordinated, then perhaps, yeah, it wouldn't be safe. But I don't see how that would happen necessarily unless Nice Hash becomes super popular all of a sudden, or there's a big botnet that's super successful and manages to take over everyone's GPUs. I guess with Ethereum, the fact that the markets, there are extremely liquid decentralized markets with leverage, where you actually don't even need that much collateral to be active in them.
Starting point is 01:16:04 You can take out a flash loan, you know, which you repay in the same block. You know, the kind of maneuvers like that mean that potentially you could exercise one of these attacks without necessarily hitting an exchange per se. You could just hit a pool of liquidity held in a smart contract or something. So that kind of implies to me that there are ways to monetize these things outside of the exchange environment. Oh yeah. I mean, on Ethereum with smart contracts, there's tons of interesting things you could do. I mean, I think with the rise of defy and Daxes and all this kind of stuff, there's no reason why you couldn't, I mean, if you had the ability front run and exchange, right?
Starting point is 01:16:45 One of these decentralized exchanges, see how other people's orders are going to pan out and then reorg the chain to, you know, change your order and so on. So there's lots of scope. And there's no KYC on those platforms. So that isn't a solution either. That's the whole point, I think, is the lack of KYC.
Starting point is 01:17:08 Well, James, this has been really great, I think, extremely fascinating. we couldn't really get to all of your research, but hopefully it emerges in published form soon. Very much looking forward to that. What is the best way for people to follow you, follow your work? Really, the best way is to just follow me on Twitter. I'm at Metallic James with one T. I kind of always wondered where the handle came from.
Starting point is 01:17:37 It comes from my maybe like six or seven-year-old self, not knowing how to spell Metallic. and it's stuck ever since. I guess I kind of figured there was something deeper to it, but that's fair enough. Well, I'm going to see if I can find all the papers that we mentioned and post them in the show notes. I want this to be an educational resource. But James, thank you so much for coming on. This has been great.
Starting point is 01:18:02 Hopefully, you know, we're going to win over some hearts and minds and get people thinking more carefully about this stuff. Yeah, I mean, I think that would be great. And if more people turn their attention to proof of work, research, then, you know, maybe these problems can be solved. And that would be great. Yeah, thank you for having me on. Yeah, my pleasure.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.