
Bitcoin Is Broken

Bitcoin is broken. And not just superficially so, but fundamentally, at the core protocol level. We're not talking about a simple buffer overflow here, or even a badly designed API that can be easily patched; instead, the problem is intrinsic to the entire way Bitcoin works. All other cryptocurrencies and schemes based on the same Bitcoin idea, including Litecoin, Namecoin, and any of the other few dozen Bitcoin-inspired currencies, are broken as well.

Specifically, in a paper we placed on arXiv, Ittay Eyal and I outline an attack by which a minority group of miners can obtain revenues in excess of their fair share, and grow in number until they reach a majority. When this point is reached, the Bitcoin value-proposition collapses: the currency comes under the control of a single entity; it is no longer decentralized; the controlling entity can determine who participates in mining and which transactions are committed, and can even roll back transactions at will. This snowball scenario does not require an ill-intentioned Bond-style villain to launch; it can take place as the collaborative result of people trying to earn a bit more money for their mining efforts.

Conventional wisdom has long asserted that Bitcoin is secure against groups of colluding miners as long as the majority of the miners are honest (by honest, we mean that they dutifully obey the protocol as prescribed by pseudonymous Nakamoto). Our work shows that this assertion is wrong. We show that, at the moment, any group of nodes employing our attack will succeed in earning an income above their fair share. We also show a new bound that invalidates the honest majority claim: under the best of circumstances, at least 2/3rds of the participating nodes have to be honest to protect against our attack. But achieving this 2/3 bound is going to be difficult in practice. We outline a practical fix to the protocol that is easy to deploy and will guard against the attack as long as 3/4ths of the miners are honest.


article's thesis doesn't make sense to me

You're talking about a "51%

You're talking about a "51% attack" which would take an ENORMOUS amount of CAPITAL to pull off successfully... Probably hundreds of millions at least...


Read the article. They may be wrong entirely, but if they're right it's not the same thing as a 51% attack.

The success of the attack, and the amount of excess revenue it yields, depends on the size of the selfish mining pool. It will not be successful if the pool is below a threshold size. But this threshold is non-existent in the current implementation -- selfish mining is immediately profitable. Our proposed fix raises the threshold to 25% if universally adopted. And, while there may be other fixes, no fix can raise it above 33%. So, at least 2/3rds of the Bitcoin miners have to be honest. All three of these findings are a far cry from the 50% previously (and falsely) believed to protect the currency.
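As an added illustration (my own code, not from the article, the paper, or any commenter), here is a small Python model of the selfish-mining strategy the article and the reply above describe: a pool holding a fraction alpha of the hash power withholds the blocks it finds and releases them only to tie with or override the honest chain, while gamma is the fraction of honest miners that end up building on the pool's block when two blocks of equal height compete (the fix the article refers to makes that choice uniformly random in the paper, so gamma = 1/2). The simulation follows the state machine from the Eyal and Sirer paper, and the closed-form revenue and threshold are reproduced from that paper; the thresholds they give are the ones quoted above: selfish mining pays above 1/3 of the hash power when the pool never wins ties, above 1/4 with the random tie-break, and at any size when honest nodes always build on the pool's block.

```python
"""Selfish-mining model.

Added example; not code from the article, the paper, or the forum posters.
Symbols follow the paper:
  alpha - fraction of total hash power held by the selfish pool.
  gamma - fraction of honest hash power that mines on the pool's block when
          a pool block and an honest block of equal height compete.
"""
import random


def selfish_revenue_closed_form(alpha: float, gamma: float) -> float:
    """Share of main-chain blocks the selfish pool ends up with (Eyal & Sirer,
    'Majority is not Enough', 2013). Honest mining would yield exactly alpha."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profitability_threshold(gamma: float) -> float:
    """Smallest alpha above which selfish mining beats honest mining."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate_selfish_mining(alpha: float, gamma: float, blocks: int, seed: int = 0) -> float:
    """Monte Carlo run of the withholding strategy over `blocks` block-finding
    events; returns the pool's share of blocks that land in the main chain."""
    rng = random.Random(seed)
    pool = honest = 0   # blocks credited to the main chain
    lead = 0            # pool's private, not yet credited blocks ahead of the public tip
    fork = False        # two equal-height tips compete: one pool block, one honest block
    for _ in range(blocks):
        if rng.random() < alpha:
            # the pool found a block
            if fork:
                pool += 2           # extends its own tip; both pool blocks win the race
                fork = False
            else:
                lead += 1           # keep it private
        else:
            # an honest miner found a block
            if fork:
                if rng.random() < gamma:
                    pool += 1       # honest block built on the pool's tip ...
                    honest += 1
                else:
                    honest += 2     # ... or on the honest tip; pool block orphaned
                fork = False
            elif lead == 0:
                honest += 1
            elif lead == 1:
                lead = 0            # publish the single private block: a tie
                fork = True
            elif lead == 2:
                pool += 2           # publish both; the honest block is orphaned
                lead = 0
            else:
                pool += 1           # publish one block, still at least two ahead
                lead -= 1
    return pool / (pool + honest)


if __name__ == "__main__":
    # Compare a simulated run against the closed form for a few tie-break assumptions.
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma:.1f}  threshold={profitability_threshold(gamma):.3f}")
        for alpha in (0.2, 0.3, 0.4):
            sim = simulate_selfish_mining(alpha, gamma, 200_000, seed=1)
            exact = selfish_revenue_closed_form(alpha, gamma)
            print(f"  alpha={alpha:.1f}  simulated={sim:.3f}  closed-form={exact:.3f}")
```

Run directly, the script prints, for each tie-break assumption, the break-even pool size and the pool's simulated versus closed-form revenue share; a share above alpha means withholding beat honest mining at that size.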

Actually this article is

Actually this article is talking about the selfish miner's attack, and would only require around 25% of the mining pool to pull off. The problems with this scenario are a few fundamental things. The human factor: the instant a mining pool did this they risk destroying the very goose that lays their eggs. It would not go unnoticed, in fact it would be recognized instantly, and it would destroy mining pool operations. The reason miners would not want to pursue this route is they are the ones with the most to lose if bitcoin fails; they have invested capital in hopes of a return.

but wouldn't the fiat currency gangsters

want to execute this attack to destroy bitcoin? Seems that is their MO. If they can't control it they destroy it.

What they claim

is that it doesn't require even 25% currently, but their proposed fix could raise the threshold to 25%.

I'm not saying they're right, just that the claim is stronger than what you said.

Also, I don't agree with your argument for why it wouldn't be done. First, if it's a way for someone to destroy the goose that lays the digital eggs, then one possible motive would be to destroy the goose. Suppose the Chinese government gets fed up with people in China using bitcoin to escape governmental control. A lot of the bitcoin mining hardware is made in China. How hard would it be for the government to put together a large enough bitcoin mining operation to make use of this exploit?

However, it's not clear that a pool using the exploit would destroy the goose. The paper explains how a pool using this exploit could keep it a secret but let's assume that over time statistical evidence builds up that a pool is doing this. If you have invested money into mining hardware you can keep mining, and as long as the exchange rate is high enough that you make money, why would you quit? The alternative is to stop mining, making your investment of specialized hardware worthless. So you keep mining, and the exchanges and merchant solutions all work just as before.

There was a discussion on

There was a discussion on this subject on Lets Talk Bitcoin; they laid out the framework on why it wouldn't go unnoticed. The reason was withholding blocks to get a head start would be extremely expensive and every day more and more unsustainable, because you would have to mine the block first, withhold it from the network and then continue mining the next block or two before someone else releases their block they mined. I disagree with gov trying this route because there are too many pools already competing to just jump in without someone knowing what's up. I find the argument interesting and it definitely brings some stuff to light, but I'm not too worried about it; if anything it just makes us that much more aware of what can happen and figure out fixes before or in the event of.

I think keeping it secret is irrelevant

Which is why I'm happy to stipulate that it would be detected. That goes for "gov trying this route because there are too many pools already competing to just jump in without someone knowing whats up." Suppose a huge mining pool appears in China. Suppose it's traced to the Chinese govt. Suppose there's evidence that they're using the exploit. Those bitcoins are still bitcoins, because they have the algorithm's blessing, so there's nothing anyone could do about it.

I also don't see why the exploit would be expensive. The block is withheld, but not indefinitely right? You eventually get the credit for it, you just hold onto it long enough to cause other miners to waste their time. Correct me if I'm wrong on that.

Found a much better solution

Reading the Bitcoin development discussion today I came across this proposal:

"Then the simple 'fix' would be for the block-acceptance to take into account either the total transactions or the total fees, and for the 'accepted' block for mining the next block to be the one with the lowest hash of one of those values if 2 are released to the network at the same time. That is of course assuming there is really a problem to fix, currently I'm not convinced."

This is very slick and simple to implement, with little testing needed. It may not be the perfect fix, but definitely a deterrent.

“I’m fully diversified. I’ve got some under the mattress, some under the floor boards, some in the backyard.”

Just received a new batch of silver coins today

Interesting article tho

People get paid to solve block chain encryption problem.

If the cost of the solution falls overhead decreases.

How is it broken? Supply increases and demand falls.

Free includes debt-free!

As I understand it the

As I understand it the complexity of the problems miners must solve increases as computing power improves. So there is still that.

It's a crypto check clearing system

Miners are paid if they find the maximum compression solution.

Miners do the maintenance the system requires.

Transaction verification is the goal.

Reusable currency simplifies.

Free includes debt-free!



For what it's worth (all Greek to me)

Interesting discussion! I

Interesting discussion!

I read the blog and comments but not the actual research paper as I'm no computer-geek. The first thing that strikes me is that the author claims that a minority of any size (not 25 or 33%) can engage in a "selfish mining strategy" to get more btcs and eventually have more resources and hashing power to rise & become >50%.

Now why wouldn't ALL other pools adopt this "selfish mining" strategy? The author never engages that argument!

He simply claims that one pool will succeed in "selfish mining" and all the other pools will desire to merge with the "selfish mining" pool. I DOUBT that! I would think other established pools would compete and also engage in "selfish mining".

Love to hear other people's thoughts on this.

Very interesting. Thanks for posting

I've been aware of this one for some time and it is a concern. One quick "partial" remedy is for miners to only participate in pools that allow the individual contributors to see the entire block being solved. That way, the individual can relay a solved block if the pool chooses not to.

There are several solutions to this and think the article does well on describing at least one.

The important thing to note here is it is impossible for a "corrupt" pool to get away with a significant greater share than its contributions without it becoming evident to all miners! Once the problem is on the forefront, any number of solutions could be implemented.

Again, this can only be done by a mining pool with a significant share of the overall mining power, 25%+.

BTC Guild is the only candidate at this point. That's the current pool I'm using.

“I’m fully diversified. I’ve got some under the mattress, some under the floor boards, some in the backyard.”

Actually, the blog says that

Actually, the blog says that anyone can engage in "selfish mining". His solution will prevent it only so that anyone with minimal hash power couldn't do it and only someone with 25% of network hash power can do it. Increasing the threshold would technically make it easier for the entire network to pin point a pool with over 25% hashing power.

But I think this problem goes away if everyone initiates "selfish" mining resulting in tons of competition. Shouldn't all miners use this selfish technique if it's so profitable?

The "math" may work out in

The "math" may work out in favor of so-called "selfish mining" guilds, but due to the nature of Bitcoin, there are a lot of reasons to not trust others with the task of collecting your 'coin. That taken into account (the human factor, in other words) it tilts the scale back toward the independent miner.

"Obamacare is broken"

There you go. Fixed the headline for you.