Can someone tell me where my decentralized/blockchain theory breaks?
52 points by W09h on Dec 22, 2017 | 49 comments
Hi folks! Can someone please tell me where my theory breaks? I theorize that the cost to get enough shared ledgers to agree that user X has $0 (previously had $5M) is less than or equal to the amount of money that could be divided amongst the thieves. I.e., if you get enough people to say the sky is purple, is the sky purple? Isn't cooperation key to a decentralized system? What happens when a new patch is released that pays you $100 to say a lie that user X has $0 and everyone involved has $100 more?


Something like this happened last year with Ethereum. A hacker stole $150 million, but the funds were conveniently trapped on one place for a month. People rolled out a patch that moved the funds back to their original owners.

Some people thought that was a bad idea and kept running the unpatched version. That caused the blockchain to split into two separate blockchains, the patched (ETH) and unpatched (ETC).

After that, it was up to the market to determine which version was more valuable. So far ETH is worth a lot more, so apparently the market was fine with this action in this particular case.

If people were to roll out a patch that committed a theft instead of repairing one, it's unlikely that many other people would go along with it. There'd be another split, the thieving chain would drop to a low value, and the original chain would keep rolling along with funds unstolen.


The term "hacker" depends on your viewpoint. Put another way, a user executed a function on a decentralized smart contract platform that transferred $150 million to the possession of the function's caller.

If the value of smart contracts is that they will execute as written with no possibility of third party interference then Ethereum is not a smart contract platform. It is a very inefficiently designed public ledger governed by a highly centralized group of developers who can change it on a whim.


>The term "hacker" depends on your viewpoint. Put another way, a user executed a function on a decentralized smart contract platform that transferred $150 million to the possession of the function's caller.

I think if you view the action as criminal or if you view it as just a clever use of the smart contract, the person who did this is a hacker. They understood and controlled the software in a way the designers did not intend.


My memory of the event may be confused with another one, but I believe the guy who did this did it accidentally. He was as confused by the result as everyone else - in fact, he froze the account on his own, so that he wouldn't have access to it.


That was one of the events, I think. There was another one. Perhaps that's the one being described here. I seem to recall that one had a bunch of whitehats who figured out the bug and rushed to exploit everyone just to prevent the bad actors, and so they could return the funds later.


This all happened less than a year ago and there was a lot of discussion of it, here and elsewhere. We have Google and DuckDuckGo, not to mention a search bar on most HN pages.

Perhaps we could point to facts rather than vague remembrances?


Feel free to look it up and confirm or deny my recollection. That's more work than I was willing to put into it at the time I wrote that.

I don't think there's any problem relating vague recollections as long as they are presented as such and attempt to expand the conversation.


That's the recent Parity multisig wallet freeze. So far it doesn't look like there will be a fork for that.

The event I described happened in the summer of 2016, and was a fairly sophisticated attack.


So obviously you're in the group which thought it was a bad idea to alter the ledger. I think there's a reasonable case to be made for that point of view. My point was that in the end, everybody got the chain they wanted.

I don't think the word "hacker" should be considered pejorative on a site called "Hacker News."


> It is a very inefficiently designed public ledger governed by a highly centralized group of developers who can change it on a whim.

But they can't just change it without the network going along with the change. And, after all, it is the network who decides what the code does in the first place by running the same protocol.

It's still a system governed by consensus. The network came to a consensus that it wasn't how the contract should have executed.


> If the value of smart contracts is that they will execute as written with no possibility of third party interference then Ethereum is not a smart contract platform.

Why would there be such value in a dumb contract platform like that? Historically, what societies have chosen to adopt such a set of values?


I see real value in smart contracts despite the flaws mentioned above. Smart contracts can automate a lot of transactions that use intermediaries: see notaries, lawyers, judges that do a ton of bulk work to validate paperwork authenticity, all sorts of agents and middlemen that charge fees, etcetera.

Ok, people say it’s not secure, contracts can be hacked, but why not back these smart contracts by law? And when issues/breaches happen have a judge decide. These tools should be complementary and should not eliminate each other. We can and probably will have smart contracts alongside the day-to-day bureaucracy to help us with the simple stuff at first. Like when I need to pay a couple thousand to a notary for changing ownership of an estate only because of trust issues. If that is not ripe for disruption then I don’t know what is.

It’s like trying to jump from manual driving to fully automated driving and complaining it’s not safe and it won’t work.


I think the perceived value comes from the assumption that contracts can be written perfectly. Apparently, some people believe that the problems encountered so far are just a matter of weeding out the problems and eventually contracts will be much less likely to have loopholes like this.

I don't really agree with that worldview, but not strongly enough to bet that it won't reach some fairly safe equilibrium at some point. Even then though, a major bug could be lurking for years just waiting to be exploited later.


This is a rather perfectionist point of view, implying that our current day-to-day contracts are perfect and don’t have loopholes. Why do smart contracts have to be written perfectly to be usable by people?

In the end, what’s perfect in the world around us? Big banks fail and lose people’s savings, cars break and cause deaths, and it hasn’t stopped people from adopting these on a large scale and keeping on improving them.


Wanting all contracts and actions performed by them to be immutable is an odd point of view in my eyes, but I'm not sure I would call it perfectionist because the perfection depends on whether you think a perfect system fulfills the contracts to the letter or the spirit.

In the physical world, we arbitrate contracts with authorities vested with the power to make decisions over them, such as courts, governments, mediators, etc that both parties have agreed has the final say, because the alternative is unworkable.

In a consensus system such as a blockchain, that consensus is based on a majority of the participants. Wanting them to have no say on the outcome of actions is like wanting the courts to have no jurisdiction over your contracts.


Cryptos seem to reflect society in that way: you can be an ideologue and go your own way, but you'll suffer the consequences (ETC value). The design choice that most coins have made is that the currency reflects the ethics of the majority of users. Would be interesting to devise an algorithm that makes itself immutable.


You're forgetting that the integrity of the blockchain has value, particularly for miners. The token would crash once such a deception were made known making the miner's reward for mining worthless. That's the cost that you are not factoring into your example.


Game theory. While the mining community understands the value, whoever is committing the theft is probably just interested in short-term gain. A few thieves have not broken the fundamental trust in crypto, but there is definitely a tipping point.


Yeah - as long as the crypto token has liquidity to settle into other currencies, there is a possibility of agreeing to ruin the chain and exchange the tokens while information asymmetry still exists. Essentially, if you don't care about the "store of value" part, a large enough group could do it.


Too many things going on here:

a. Are you aware of the Ethereum DAO hack? The whole Ethereum vs Ethereum classic. Short story - The largest ethereum contracts was hacked and money stolen. Then a patch was released saying that the hack didn't happen.

People who accepted the patch were "ethereum" holders and those who refused are now on "ethereum classic".

So, changing the rules in a patch doesn't matter. If there are enough people helping user x and the currency is still accepted it can be called 'currency classic/cash'.

b. There is a lot of confusion on whether cheating on a blockchain somehow requires a patch or 51% support. It doesn't. 25% is enough to try and cheat within the rules. Read:

https://steemit.com/ethereum/@dhumphrey/update-f2pool-manipu...


With greater than 50% of capacity, you can do a lot of bad things.

For ASIC blockchains like Bitcoin, a few companies in China dominate the network, so they could easily collude and do just this.

For non-ASIC blockchains, you can do it through the cloud. Here is some math i did on it the other day:

digiconomist [0] estimates that current Ethereum mining cost is 1.3 billion a year, or 3.6 million a day, or 151,000 an hour, or 2,500 a minute.

Multiply by 5 for cloud on-demand premiums and you could dominate the Ethereum network for an entire day for 18 million. You could also do it for free if you can manage to do it with stolen credit cards.

https://digiconomist.net/ethereum-energy-consumption


The reality is that even for Bitcoin, the attack, as described, is infeasible. It is possible for miners to collude to censor transactions, but not to create fake transactions, or to somehow steal money from a person and deliver it to others. An attack on that scale would require rewriting the block validity criteria, and no existing nodes or other miners would accept the new criteria, which would result in the chain forking, and the main chain simply losing a lot of hash power, which would be working on the fork that contained the changed validity criteria.


You're correct that cooperation is key and that if you get "enough" people (50% of hashing power in most cases) behind a plan, they can change the rules of the game. This could be used to steal coins.

This has actually happened in the past. When massive amounts of Ethereum were stolen from the DAO, the community got together and decided that those coins did not belong to the hacker. With >50% of the network, they forked the coin and created a refund contract where people could retrieve their stolen coins.[1] The dissenters remained to form what is now Ethereum Classic.

So, what prevents this from happening in a malicious way? The first hurdle is building that consensus. Many people involved in cryptocurrencies today believe that the future value is much higher than today's value. Paying them off would not be easy, especially considering that cashing out a large sum would crash the price of the coins, and thus the profits from your maneuver.

That being said, a core assumption of cryptocurrencies is that 50%+ of the network is not malicious. Another way of looking at this is that whoever controls greater than 50% of the network cannot be considered malicious from the network's perspective. They are the consensus.

The last point I'll make is speculative. If you created (or took over) a cryptocurrency and built consensus out of malicious actors, what value do you think the outside world would place on that coin? You would win lots of coins, but would anybody pay you dollars for them?

[1] https://www.cryptocompare.com/coins/guides/the-dao-the-hack-...


> Another way of looking at this is that whoever controls greater than 50% of the network cannot be considered malicious from the network's perspective.

What people forget about in these imagined 50% attack scenarios is that 50% attacks only work if the attacking nodes generate valid blocks. All the hashpower in the world doesn't matter if your blocks do not pass validation. So no consortium can just start mining bad blocks and get away with it. The problem is that there is a non-trivial number of clients that don't do any validation themselves and so rely on full nodes to tell them the true state of the network. Those clients would be subject to losing money. But any big exchange should be validating blocks themselves, so the risk to the entire network is minimal to non-existent.


Now sell your coins... Bitcoin is only worth something if it works. You'd also have to get a bunch of people that have invested most of their lives in it.


... unless the end goal is not to generate profit, but to diminish value represented as BTC by undermining fundamental faith in the network, in which case, a value drop is working as intended.


When you create counterfeit money, you damage people's trust in the money, which damages its perceived value. You'd have to do it without doing catastrophic damage to the public trust, because then all you've stolen wouldn't have any value.

However, you could SHORT a cryptocurrency and then do some damage to it. Where would this logic break?


Shorting never damages anything, it's just a market adjustment mechanism.


Yes, it doesn't. Also, that isn't what I wrote about.


> the cost to get enough shared ledgers to agree that user x has 0$ (previously had $5M) is less than or equal to the amount of money that could be divided amongst the thieves

That's the trick. In some cases, you'd be correct and the thieves can get away with theft. In most cases though you are incorrect, the cost of getting that many ledgers to agree with the thieves is prohibitively high.

This theory underscores the importance of having many full nodes running on the network. If only a small number of people run validating nodes, the cost of committing some theft like this is substantially reduced. This is one of the biggest and most important arguments behind having small blocks instead of large blocks.

Large block supporters tend to think you only need a few full nodes to get immunity from these types of attacks, and small block supporters tend to believe that a small number of nodes is easy to compromise relative to the reward for doing so.


> Large block supporters tend to think you only need a few full nodes to get immunity from these types of attacks

How exactly do you see an attack on full nodes going down? I imagine the attack would occur on the mining side..

Also, if the mempool becomes more expensive to host than blocks on disk - would you still think small blocks are safer?


Hack the full nodes to modify their database. Or cut a business deal with the biggest full nodes (Coinbase, Bitmain, Shapeshift, BitGo, etc.) and decide to implement a rule much of the network opposes, like raising the block size (which consequently makes a repeat attack easier in the future because fewer users will have the resources to run full nodes themselves).


> and decide to implement a rule much of the network opposes

And they'll immediately be blacklisted from the network..

Do people realize you can store the entire bitcoin chain for less than the cost of one transaction? The centralization narrative doesn't hold up.


The mempool is whatever you want it to be. You set the fee by which a transaction rides past your node.

And yes, multiple attacks have been attempted by the miner side on full nodes. The most recent being Segwit2X, which didn't get off the ground because convincing 100k nodes that their version of Bitcoin was different wasn't going to work.


>> Isn't cooperation key to a decentralized system?

Slightly off-topic, but cooperation is key to traditional currencies, too. If a majority of the United States determines that I suck and tries to stick it to me and anybody who does business with me, all of my US Dollars would have substantially less purchasing power.


I'll be off-topic with you. Your scenario seems a little different, because I could still shop with dollars at the 49% of stores that still like me. Whereas if bitcoin replaced dollars, even those 49% of stores that liked me couldn't take my money, because the 51% can veto the transaction.


Imagine it's an industry at the top of the food chain and middlemen are forbidden, so you can go shop at the neutral 49% of stores, but they may not provision you with something essential and monopolised. Although in those cases the law is laid out to mandate that certain types of business take contracts.


1. enough people means >50%, that's a lot.

2. ledgers keep transaction histories, not absolute values. to clear someone's wallet, you have to transfer his money out. you can't forge that guy's crypto signature.

3. whoever owns more than 5m would probably not put all the money under one wallet.


> 2. ledgers keep transaction histories, not absolute values. to clear someone's wallet, you have to transfer his money out. you can't forge that guy's crypto signature.

As long as there's >50% consensus, they can do anything they want (longest chain wins).

You don't need to forge someone's crypto signature to clear their wallet.

You just stop agreeing that the guy has the 5m.


The longest valid chain wins. People can't add invalid blocks to the chain and have them be accepted by the rest of the community that is not in on it.

The power of >50% is that you can keep some (valid) blocks on the chain, like some payments to a service provider, for as long as you want and have them accepted by the community because that's the longest chain that everyone's seen, and collect the service for that payment. Then whenever you want release another chain, that's longer and doesn't include the payment blocks, invalidating the payment.

The rest of the 49% of the users can still agree that someone has 5m, nobody's gonna take that away from them. But they're not going to be able to agree on any payments on the chain, because the 51% could invalidate them at any point.


Yes you are correct.


That guy has his 5m from a series of transactions; you would need to drop the entire Bitcoin transaction history to deny him, wouldn't you?

You can censor him though I guess, ignore all his transactions.


Yes what I said is impractical.


As another person said, that would damage the reputation of the network.

It reminded me of how in the movies a group of bad guys get away with the big briefcase of money and then two of them plan to get rid of the third guy and split the rest between themselves.


You don't even need a protocol change (patch): a supermajority group of validators (miners or stakers) can censor the minority group profitably, with no way to tell in-protocol.

The fact is, all existing blockchain protocols are not coalition resistant Nash equilibria (https://en.m.wikipedia.org/wiki/Coalition-proof_Nash_equilib...) and we rely on the difficulty of coordination for security. Strong centralization can make coordination easier though.


No you can't do this. Disregard the DAO comments. Yes, a hack caused a hard fork - but the fork itself was not a hack.

You can't update an account value without issuing a valid transaction (requiring the private key). What you can do with a majority hash power is roll back transactions. But this is limited to your ability to generate a longer chain which becomes more improbable with each mined block.

This attack vector isn't that great because transactions worth larger amounts will wait for more confirmations. You're essentially left with an expensive DoS.


The particular attack you describe is infeasible in Bitcoin for sure, and almost certainly for any other cryptocurrency. The problem is that the miners certify that a given chain is valid, but nodes and other miners will apply block validity criteria on top of that. Block validity includes things like "transactions are properly signed" and "miner rewards are correctly calculated".

This effectively means that creating a "fake" transaction that would empty someone's account and credit it to the thieves would require a valid signature from the original account. Otherwise nobody would accept the new block. Changing the block validity criteria is possible, but requires cooperation on a much more grand scale, especially for Bitcoin where there are many implementations of the protocol that would have to change to match the new block validity criteria (which, suspiciously, will contain a new criteria saying "oh, and the signature check criteria don't apply to transactions from this address").

Without some form of consensus, this would amount to "theftcoin" simply being a hard fork of Bitcoin, with the main chain continuing, potentially with less hash power.
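The two mechanics this thread keeps circling, the withheld-chain double spend described a few comments up and the block validity rules (signature and balance checks) in the comment above, as an added example that is not part of the original thread and is not the code of any real client. It is a toy ledger: full nodes apply "longest valid chain", every transaction must carry a signature from its sender, and a majority miner is modelled simply as whoever can produce the longer chain. The Lamport one-time signature scheme (SHA-256 only, so it runs on a stock Python install), the flat block reward and the starting balances are simplifying assumptions made for this illustration.

```python
# Added example (not from the thread): a toy ledger in which full nodes follow
# "longest VALID chain". The Lamport one-time signature, flat block reward and
# starting balances are simplifying assumptions for this illustration.
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

REWARD = 1                                    # assumed flat block subsidy
H = lambda b: hashlib.sha256(b).digest()
bit = lambda d, i: (d[i // 8] >> (7 - i % 8)) & 1   # i-th bit of a digest

def keygen():
    """Lamport OTS key: 256 secret pairs; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):                            # one-time: reveals one secret per bit
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(256)]

def verify(pk, msg, sig):
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(256))

def pk_id(pk):                                # short address derived from a key
    return H(b"".join(a + b for a, b in pk)).hex()[:16]

@dataclass
class Tx:
    sender_pk: list
    receiver: str
    amount: int
    sig: Optional[list] = None                # None models an unsigned (forged) transfer
    def msg(self):
        return f"{pk_id(self.sender_pk)}>{self.receiver}:{self.amount}".encode()
    def valid_sig(self):
        return self.sig is not None and verify(self.sender_pk, self.msg(), self.sig)

@dataclass
class Block:
    prev: str
    txs: list
    miner: str                                # address credited with REWARD
    def hash(self):
        body = self.prev + self.miner + "|".join(t.msg().hex() for t in self.txs)
        return H(body.encode()).hex()

def extend(chain, txs, miner):
    return chain + [Block(chain[-1].hash() if chain else "0" * 64, txs, miner)]

def validate(chain, genesis):
    """Replay from genesis; return balances, or None on a bad link, missing
    signature or overspend. This is the check every full node applies."""
    bal, prev = dict(genesis), "0" * 64
    for blk in chain:
        if blk.prev != prev:
            return None
        for tx in blk.txs:
            sender = pk_id(tx.sender_pk)
            if not tx.valid_sig() or bal.get(sender, 0) < tx.amount:
                return None
            bal[sender] -= tx.amount
            bal[tx.receiver] = bal.get(tx.receiver, 0) + tx.amount
        bal[blk.miner] = bal.get(blk.miner, 0) + REWARD
        prev = blk.hash()
    return bal

def best_chain(candidates, genesis):
    """Longest chain among those that validate: hash power picks which valid
    chain is longest; it cannot make an invalid chain acceptable."""
    valid = [c for c in candidates if validate(c, genesis) is not None]
    return max(valid, key=len) if valid else []

def run_scenarios():
    _, victim_pk = keygen()
    att_sk, att_pk = keygen()
    _, merchant_pk = keygen()
    victim, attacker, merchant = pk_id(victim_pk), pk_id(att_pk), pk_id(merchant_pk)
    genesis = {victim: 5_000_000, attacker: 100}   # constructed starting balances
    # 1. Theft by fiat: a majority miner mines a LONGER chain that moves the
    # victim's 5M with no signature. Validating nodes keep the shorter honest chain.
    honest = extend([], [], "honest_pool")
    thief = extend([], [Tx(victim_pk, attacker, 5_000_000)], attacker)
    thief = extend(extend(thief, [], attacker), [], attacker)
    after_theft = validate(best_chain([honest, thief], genesis), genesis)
    # 2. What a majority CAN do: pay the merchant publicly, let the payment get a
    # second confirmation, then release a secretly mined longer chain without it.
    # Nodes reorg to the longer valid chain and the payment vanishes.
    pay = Tx(att_pk, merchant, 100)
    pay.sig = sign(att_sk, pay.msg())
    public = extend(extend([], [pay], "honest_pool"), [], "honest_pool")
    secret = []
    for _ in range(len(public) + 1):          # one block longer than public
        secret = extend(secret, [], attacker)
    before = validate(public, genesis)
    after = validate(best_chain([public, secret], genesis), genesis)
    return {"thief_chain_valid": validate(thief, genesis) is not None,
            "victim_balance": after_theft[victim],
            "merchant_before": before[merchant],
            "merchant_after": after.get(merchant, 0),
            "attacker_after": after[attacker],
            "reorg_depth": len(public)}
```

Calling `run_scenarios()` shows the split the thread argues about: the forged-transfer chain is longer but never valid, so the victim keeps the 5M on every validating node, while the signed payment to the merchant disappears once the attacker's longer chain is released. The number of blocks the attacker has to out-mine (`reorg_depth`) is exactly why larger payments wait for more confirmations. In a real double spend the secret chain also spends the same coins elsewhere so the original payment can never be re-included; this toy has no UTXO set, so that detail is left out. Lamport keys are one-time, so each key here signs a single transaction.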


There's a cost to run shards: bandwidth, processing and storage. Each transaction has a 2n1 cost (2 parties, 1 shard, 'n' shards to sync to). Decentralization has a high overhead to verify transactions over 'n' participants.

That's why centralized ledgers were created. Sharded ledgers just mean that you have smaller ledgers that have to be synchronized at some point. When you have more centralization you have a larger chance of fraud.


It doesn't break down everywhere. This is one of the reasons why BTC is leading the way even though there are a lot of other blockchains which are arguably "better". Being the first kid on the block has a lot of benefits since the mining power is sufficiently large and distributed that it's near impossible to have a 50% attack now, unless the miners stop mining or cooperate.

If you think about it, there are many improvements that could be made to basic networking protocols (TCP, IP, HTTP), but since the standards were set "in stone" so long ago, it is difficult to change now.



