The economic security of blockchains — lessons from Ethereum Classic (part II)


[continued from part I]

Attacks and counter-attacks

At least one commentator suggested that affected exchanges immediately respond with a counter-attack, mining with overpowering hash rate on the original chain to undo the revisionist rewrite. Why would an exchange be motivated to behave this way? Because the cost of temporarily renting 51% hash-power to conduct another long reorganization is presumably much lower than the expected loss. This is an argument from symmetry: the attacker would not have bothered with the attack if their cost of mining the alternative chain was not outweighed by the benefits of swindling the exchange. At one level, this is damage control: by spending a small amount carrying out a successful 51% counter-attack, the exchange averts the higher loss it would otherwise incur if the double-spend succeeds. At a deeper level, the strategy is intended as deterrence for future attackers. Assuming a successful counter-attack undoing the original chain reorganization, both the attacker and the exchange are in the red with nothing to show for it. The perpetrators wasted money on a short-lived 51% attack, while the defenders wasted an approximately equal amount on reverting it. While the attacker can try again, so can the defender, resulting in a game-theoretic stalemate. But that theoretical model suffers from two problems:

  • Assumption that costs are symmetrical, i.e. that the defender can achieve 51% hash-rate at the same price as the attacker. There are many ways that can fail, the most obvious being one where the attacker is not merely renting hash power from an open market but is in possession of mining hardware, bringing down their costs. Second, even if both parties are bidding for hash power in a market such as NiceHash, the first mover may have an advantage: once demand for hash power for a particular PoW function increases, the next buyer may have to bid higher to achieve the same concentration.
  • More important, this model assumes that the perpetrator and targeted exchange are the only parties with a stake in the reorganization battle. Consider a different attack strategy: instead of simply sending funds back to herself on the alternative chain, Alice instead sends them to another exchange and carries out a second double-spend attack following the same modus operandi: convert all deposits into another cryptocurrency and withdraw those proceeds immediately. At this point, Alice does not care which version of blockchain history wins out. The two exchanges can duke it out all day long by orchestrating their 51% attacks & counter-attacks against each other; Alice comes out ahead in all cases. Even cooperation between the exchanges will not change that: at best they can settle for some equitable distribution of losses. (There is one way for the second target to avoid this situation: halt processing of deposits if a “deep” blockchain reorganization is observed.)

Parallels with ACH fraud: the original double-spend

This situation has interesting parallels with a far more mundane, low-tech type of fraud targeting cryptocurrency businesses: the reversible nature of most fiat transfers. Consider the ACH Network for transferring funds. Suppose a customer initiates an ACH transfer of US dollars to an exchange account and uses those funds to purchase bitcoin. The withdrawal of that bitcoin to a personal wallet is irreversible; once the transaction is mined and confirmed, it is not possible for the exchange to claw back those funds. (Short of organizing a 51% attack, that is; you can see where this is going.) Surprisingly, the incoming ACH deposit is far from being cast in stone: consumer protection laws in the US give account holders several weeks to contact their bank and dispute transactions.

That means a dishonest consumer can in fact reverse the ACH transfer to keep their USD, while walking away with the bitcoin purchased using those same funds. This is effectively double-spending of fiat currency: eating your (USD) cake and having it (back) at the same time. The root cause is a mismatch between the settlement characteristics of two disparate payment systems: ACH transfers are reversible, or more accurately, take on the order of months to “confirm” due to a generous 60-day dispute window, while Bitcoin transactions are cast in stone in a matter of hours. When processing incoming ACH transfers and allowing customers to trade using those funds, exchanges must manage the counter-party risk associated with the reversal of fiat deposits.

What if we replace ACH by another cryptocurrency? It would appear these opportunities to claw back funds disappear, because transactions would become irreversible on both sides, with no opportunity for the customer to “reverse” their deposit while walking away with the withdrawal. But as the ETC incident demonstrates, reversibility is a matter of degree: transactions are “final” only to the extent that a deep-enough blockchain reorganization cannot rewrite history with an alternative version of events. In one sense, blockchains are more fragile than wire transfers, which cannot be unilaterally recalled, or even ACH, which has a finite duration for disputes. Given enough mining power, blockchain history can be reverted going back an arbitrary length of time. (On the other hand, ACH and wire transfers are still vulnerable to a different class of “attacker:” lawyers wielding briefs.)

Confirmation times reconsidered

Conventional wisdom holds that blockchain transactions are “safe” as long as participants wait a fixed number of blocks before acting on the outcomes, dependent on the particular economic characteristics of the blockchain. For Bitcoin this magic number has historically hovered between three and six, with an ongoing game of brinkmanship to streamline user experience by creeping closer to zero confirmations. These numbers are motivated by statistical models calculating the likelihood that some transaction may be reversed, given an adversary controlling some percentage of hash-power less than 50%. While that may well be the relevant threat model for Bitcoin, less-competitive blockchains have to contend with a different question: what if the adversary can temporarily achieve majority power? Temporary being the operative keyword: while all bets are off with permanent 51% control, even short-lived spikes allow targeted attacks to profit by double-spending some recent transaction.

In this model, the number of confirmations required cannot be a magic constant. It depends on the value-at-risk: the notional value of the transaction. Buying a cup of coffee with a small number of confirmations on Ethereum Classic (not that ETC ever aspired to being a realistic alternative for retail payments) is still perfectly reasonable, even in the aftermath of the recent ETC incident. Large amounts, on the other hand, will require more careful risk management strategies, such as increased confirmation depths, gradually crediting the deposit over time as more blocks are confirmed instead of all at once, requiring additional funds as collateral, or placing withdrawal restrictions. For example, a customer could be credited with the full amount of the deposit for trading purposes, but not permitted to withdraw the proceeds from those trades until additional time has elapsed to guard against chain reorganizations.
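As an added example (not code from the original post), here is one way an exchange could encode the risk-management measures just described together with the deposit halt on deep reorganizations mentioned in the attacks section: a confirmation depth that scales with value-at-risk, gradual crediting for trading, a withdrawal hold on top of full credit, and a stop on deposit processing when a reorganization deeper than a threshold is observed. All constants and the height-keyed block-hash maps are assumptions made for this example.

```python
from typing import Dict

# Illustrative policy constants. These are assumptions for the example, not
# figures from the post: a real exchange would tune them per blockchain.
MIN_CONFS = 3                 # "cup of coffee" depth for small deposits
VALUE_PER_EXTRA_CONF = 100.0  # one more confirmation per 100 units of value
WITHDRAWAL_HOLD = 12          # extra blocks before proceeds may leave the exchange
MAX_REORG_DEPTH = 10          # a deeper reorganization halts deposit processing


def confirmations(deposit_height: int, tip_height: int) -> int:
    """Blocks on top of (and including) the block that mined the deposit."""
    return max(0, tip_height - deposit_height + 1)


def required_confirmations(value: float) -> int:
    """Depth grows with value-at-risk instead of being a fixed magic number."""
    if value <= 0:
        raise ValueError("deposit value must be positive")
    return MIN_CONFS + int(value // VALUE_PER_EXTRA_CONF)


def credited_fraction(confs: int, value: float) -> float:
    """Credit the deposit for trading gradually as confirmations accumulate."""
    return min(1.0, confs / required_confirmations(value))


def withdrawable(confs: int, value: float) -> bool:
    """Proceeds may be withdrawn only after an extra hold beyond full credit."""
    return confs >= required_confirmations(value) + WITHDRAWAL_HOLD


def reorg_depth(old: Dict[int, str], new: Dict[int, str]) -> int:
    """How many blocks of the previously seen chain were replaced: walk down
    from the old tip until both views agree on the hash at some height."""
    depth = 0
    for height in sorted(old, reverse=True):
        if new.get(height) == old[height]:
            break
        depth += 1
    return depth


def deposits_halted(old: Dict[int, str], new: Dict[int, str]) -> bool:
    """Stop crediting deposits when a deep rewrite of history is observed."""
    return reorg_depth(old, new) > MAX_REORG_DEPTH


if __name__ == "__main__":
    # Constructed sample: a 250-unit deposit mined at height 1000, tip at 1004.
    c = confirmations(1000, 1004)
    print(c, credited_fraction(c, 250.0), withdrawable(c, 250.0))
```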

[continued]

CP
