Bitcoin Attacks in Plain English

I get asked about Bitcoin a lot – mining, usage, fundamental economic principles, basic technical details etc. I spend a lot of time telling people the things they need to know about Bitcoin to participate in this grand experiment of ours and almost as much time quieting unfounded fears. It seems at least once or twice per month the news is bubbling with the story of one Bitcoin business or another being hacked, turning out to be a Ponzi scheme or just going under for good old-fashioned bad business practices. The scariest to most are the hacks since they seem to come from nowhere and play to an unfortunate fear that many have: the fear that there is someone out there clever enough to magically make all their digital assets vanish without a trace. But is such a thing really feasible? This article will examine a few of the more common attack mechanisms in the Bitcoin world today and how worried you should actually be.


The 51% Attack

What is it?

The 51% attack is perhaps the best-known of Bitcoin’s security vulnerabilities and it’s been on our collective radar since day 1. Bitcoin stores its transaction information in database chunks that are collectively referred to as the “blockchain.” As new transactions occur, they go into a new block on the end of the chain. While most of the time the chain remains one straight line of blocks, on occasion a “fork” happens – two conflicting blocks appear and the network has to decide which one is valid. Each miner votes by continuing to tack new blocks onto the end of whichever block they think is valid – eventually the longest chain wins.

This also means that if I’m clever I can intentionally create two conflicting transactions, one in which I send money to a merchant and one in which I’m sending that same money to an address that I control. If I control more than half of the network’s processing power then I can decide which block ultimately gets accepted as true. Of course the longer back in time I go when creating these conflicting blocks, the more blocks I have to add to the end of my fraudulent chain before anyone accepts it as valid, so I’m pretty limited in how far back I can revise history and the further back I go, the more it costs me. This is the primary reasoning behind transactions not being considered complete until they’ve got 6+ confirmations.

Should I be worried?

For brevity’s sake: no, not really. The 51% attack is the oldest and best-understood attack in all of Bitcoin. Everyone is watching for it, we all know how it’s supposed to work and the “fix” is built right into the client – just wait for your 6 confirmations. Realistically, worrying about the 51% attack is a good indicator of high paranoia levels since it’s so amazingly cost-prohibitive to perform that we’re basically talking about a government focusing the full power of every top-secret ridiculously expensive supercomputer they’ve got at us – especially once some of those fancy new ASIC products start coming online.


The Finney or “Block Withholding” Attack

What is it?

When a transaction is performed on the Bitcoin network, the clients involved broadcast that transaction to everyone. This means that both parties are aware of the transaction immediately, as are all of the miners who are working to put that transaction into a block. Technically speaking, though, that notification is just a nicety – your transaction hasn’t actually occurred until it’s in a block. So what if some miner spits out a block that intentionally holds a conflicting transaction that wasn’t announced to the network? The Finney attack involves a fraudulent miner working on a block that contains a transaction where I’ve sent coins to myself. When I find that block, I go out and send those coins to someone else, then immediately release the block. Because you can’t spend the same money twice and the Bitcoin network saw my fraudulent block first, the legitimate transaction I made with you is rejected and never finds its way into a block.

Should I be worried?

Again, probably not. You need to be a pretty big-time miner to get enough opportunities at a Finney attack to make it worthwhile. Even with the right equipment, you need to have perfect timing since while you’re sitting on that fraudulent block the rest of the network is still looking for its own solution. You have to make your transaction, walk away with the goods and release your block before anyone else beats you to the punch otherwise you have legitimately spent funds and your attack is no good. Again, the fix is built into the protocol – just wait for confirmations.
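To make the confirmation arithmetic behind the 51% and Finney sections concrete, here is a small added Python model (not code from the original post, and not how any real Bitcoin client is implemented): blocks form a chain, nodes follow the longest tip, and a payment’s confirmation count is simply the depth of the block that contains it. The names `PAY`, `STEAL`, `majority_attack` and `finney_attack` are invented for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str   # the coin (previous output) this transaction consumes
    to: str       # recipient

@dataclass(frozen=True)
class Block:
    height: int
    parent: Optional["Block"]
    txs: Tuple[Tx, ...]

def extend(tip: Block, txs_per_block) -> Block:
    """Append one block per list of transactions; returns the new tip."""
    for txs in txs_per_block:
        tip = Block(tip.height + 1, tip, tuple(txs))
    return tip

def confirmations(tip: Block, txid: str) -> int:
    """Blocks from the one containing txid up to the tip, inclusive; 0 if the
    transaction is in no block on this chain (i.e. it is still unconfirmed)."""
    b = tip
    while b is not None:
        if any(t.txid == txid for t in b.txs):
            return tip.height - b.height + 1
        b = b.parent
    return 0

def best_tip(*tips: Block) -> Block:
    """Longest-chain rule: nodes follow the highest tip; on a tie they keep the
    one they saw first (modelled here as the first argument)."""
    return max(tips, key=lambda b: b.height)

GENESIS = Block(0, None, ())
PAY = Tx("pay", spends="coin1", to="merchant")      # the payment the merchant waits for
STEAL = Tx("steal", spends="coin1", to="attacker")  # conflicting spend of the same coin

def majority_attack(honest_blocks: int, attacker_blocks: int):
    """51% scenario: PAY sits in the first honest block, STEAL in the first block
    of a privately mined fork from GENESIS. Returns (confirmations the merchant
    saw, confirmations of PAY once the fork is published, confirmations of STEAL)."""
    honest = extend(GENESIS, [[PAY]] + [[]] * (honest_blocks - 1))
    attacker = extend(GENESIS, [[STEAL]] + [[]] * (attacker_blocks - 1))
    seen_by_merchant = confirmations(honest, "pay")
    tip = best_tip(honest, attacker)   # the fork only wins if it is strictly longer
    return seen_by_merchant, confirmations(tip, "pay"), confirmations(tip, "steal")

def finney_attack(height: int):
    """Finney scenario: the attacker withholds a block containing STEAL, then
    broadcasts PAY. Returns PAY's confirmations before and after the block is
    released, and STEAL's confirmations afterwards."""
    honest = extend(GENESIS, [[]] * height)
    withheld = Block(honest.height + 1, honest, (STEAL,))
    before = confirmations(honest, "pay")   # 0: PAY was never in a block
    tip = best_tip(withheld, honest)        # the released block extends the chain
    return before, confirmations(tip, "pay"), confirmations(tip, "steal")
```

A merchant who waits for six confirmations forces the attacker to out-mine the whole network by seven blocks before the payment disappears, while a zero-confirmation sale is lost to a single withheld block.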


The Race Attack

What is it?

To be fair, I’m not sure this one has an official name yet, but given that two of the three names on the paper originally describing the attack are Swiss, I’m calling it the Swiss Attack. Scratch that, it’s apparently called the “Race Attack.” It basically amounts to controlling your level of connectivity to certain targets and exploiting the behavior of the Bitcoin client. See, before your client gets confirmations (blocks), if it’s sent two conflicting transactions it does two things wrong: first, it doesn’t inform you of the conflict and second, it automatically considers whichever transaction it got first to be valid. So in this case, the attack is easy: release two conflicting transactions into the network, one directly to the merchant and one to several hundred other users simultaneously. With such a big head start, most of the network will see your fraudulent transaction first, so it has a much better chance of getting into a block than the one the merchant sees.

Should I be worried?

A little bit, actually. While this one can still be fixed by just waiting for confirmations like the others, this one doesn’t require any exceptionally exotic setup by the scammer – they don’t need high-end mining equipment, they don’t have to know how to modify mining software to include an un-released transaction, etc. All they really need is access to a lot of computers at once – and what scammer can’t get their hands on a botnet these days? It’s worth noting that simply checking unconfirmed transactions with a trusted third party goes a long way toward fixing this.
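The first-seen behaviour this section describes, together with the trusted-third-party check it ends on, as an added Python model (not the post’s code and not any real client’s; `Node`, `run_race` and `safe_to_ship` are hypothetical names): the merchant’s own node is handed the payment directly while every other node hears the conflicting spend first.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str   # the coin (previous output) this transaction consumes
    to: str       # recipient

class Node:
    """Unconfirmed-transaction handling as the article describes it: the first
    spend of a coin a node hears about is kept, and any later conflicting spend
    is dropped without the user being told."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.first_seen: Dict[str, Tx] = {}   # coin -> first spend of it we saw

    def receive(self, tx: Tx) -> bool:
        """True if accepted, False if it conflicts with an earlier spend."""
        if tx.spends in self.first_seen:
            return False
        self.first_seen[tx.spends] = tx
        return True

    def sees_payment(self, coin: str, to: str) -> bool:
        """Does this node's unconfirmed view show `coin` going to `to`?"""
        tx = self.first_seen.get(coin)
        return tx is not None and tx.to == to

def run_race(peers: int) -> Tuple[Node, Node]:
    """Attacker sends PAY straight to the merchant and STEAL to `peers` other
    nodes at the same moment; each transaction then relays to everyone else.
    Returns (merchant's node, one well-connected peer acting as third party)."""
    pay = Tx("pay", spends="coin1", to="merchant")
    steal = Tx("steal", spends="coin1", to="attacker")
    merchant = Node("merchant")
    network = [Node(f"peer{i}") for i in range(peers)]
    merchant.receive(pay)          # merchant hears the honest-looking spend first
    for n in network:
        n.receive(steal)           # the rest of the network hears the double spend first
    for n in network:
        n.receive(pay)             # relayed PAY is now a rejected conflict everywhere else
    merchant.receive(steal)        # relayed STEAL is a rejected conflict at the merchant
    return merchant, network[0]

def safe_to_ship(local: Node, trusted: Node, coin: str, to: str) -> bool:
    """The mitigation the article suggests: only trust an unconfirmed payment if
    a trusted, well-connected node has seen the same spend first as well."""
    return local.sees_payment(coin, to) and trusted.sees_payment(coin, to)
```

A miner building a block from any of the peers’ mempools confirms the spend to the attacker, so the merchant’s local view alone is the wrong thing to act on.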


Key Guessing / Collision Attacks

What is it?

Bitcoin is built around some really strong encryption and signing technologies. In really basic terms, your whole account boils down to a couple of really long random-looking numbers that happen to be mathematically related in a difficult-to-guess way. If someone can guess one of those numbers – called the “private key” – correctly then they can gain access to your account and spend the funds it contains. Scary, right?

Should I be worried?

No. Not at all. Not even a little. I actually wrote a whole article not that long ago about why this particular attack should not scare you in the least. Don’t lose any sleep over this – I mean it, none. The only way someone is guessing your private key is if you used a brain wallet and your password was “password” but if you’re clever enough to be making and using brain wallets I sincerely doubt you’re a member of the target audience for this particular post.


Non-Bitcoin / Infrastructure Attacks

What is it?

This category encompasses the really dangerous stuff. Notice how, with the exception of the one attack I told you not to lose any sleep over, all of the other attacks are nullified by simply waiting for confirmations? That’s because Bitcoin is designed to be completely secure as long as you wait for confirmations and no one has broken Bitcoin itself. But there are all kinds of hacks on the news, right? Well, these are them. The fact is, the majority of Bitcoin-related hacks happened the same way all hacks happen – inside jobs, incompetence and accidents. More than once Bitcoins have been stolen, not because Bitcoin itself was insecure, but because someone’s web hosting company let someone smooth-talk them into resetting a password. There are certainly ways to safeguard against this sort of thing and the best, most reputable companies typically do, but failures do happen.

Should I be worried?

Well, the answer is almost certainly “yes” but the real question should be “what can I do about it?” – and (unless you operate a Bitcoin business) chances are your personal answer is “nothing.” We can all do our best to deal only with reputable companies, but MtGox and Bitcoinica were both pretty reputable and they got nailed by these kinds of attacks. They were hardly the first and it’s doubtful they’ll be the last.


Non-Technical Attacks / Scams

What is it?

Technically not an attack at all, but they’re so commonplace these days that I felt they needed an honorable mention. These are the kinds of things that snake-oil salesmen have been peddling practically since money was invented. They all sound too good to be true and indeed they all are.

Should I be worried?

A big part of me wants to shout “Of course not, just use your brain!” every time I see one of these – but that’s hardly fair. The best of us can be taken in by sweet talk from time to time and it’s not fair to further victimize those taken in by labeling them fools. Still, you already have all the tools you need to detect and avoid these: if it sounds too good to be true, just walk away. Earning 7% per year on an investment is good, earning 7% per WEEK is absurd.


  • http://twitter.com/bitcoinmoney @bitcoinmoney

    What you call the Swiss Attack is commonly referred to as the race attack. The thief broadcasts two separate spend transactions to two separate nodes, hoping the transaction to the merchant does not reach the miners until after the double spend transaction does.

    A merchant is very vulnerable to this when operating a node that is misconfigured, and that is the configuration the Swiss chose to use (where they were specifically connected to the merchant's node). The proper configuration for a merchant is to not allow incoming transactions and to have an explicit outgoing transaction to a well-connected node.

    Additionally, the tip you suggested is good to have as well as being properly configured — to check unconfirmed transactions with a trusted third party first.

    This is a great article, and it has been added to the Double Spending page on the Bitcoin wiki:

    http://en.bitcoin.it/wiki/Double-spending

    • http://codinginmysleep.com David Perry

      Thanks for the tidbit, I had no idea it actually had a name – article updated!

  • AvL

    There's another "attack", nowadays: as miners become more and more greedy and tend to ignore transactions with "too little" miner fee, all you do is make a transaction with just the right amount of "too little" miner fee. If you spend much too little, then your tx won't even be propagated, and if you're "too generous" (in context of the attack), then your tx will just be confirmed.

    Needless to say, this one is easily averted by waiting for confirmations on the receiver's side, or by tying consequential outgoing payments to the incoming one, but at least one public bitcoin-related site does not seem to do that, yet.

  • Kai

    I very much appreciate that you try to explain the bitcoin subtleties in good plain language! I'm searching for information on the "double spend" problem. Your explanation of the 51% attack here is really very helpful. However, one question still remains on my side: if there are two conflicting blocks (a "fork"), how can an honest miner decide / find out which of the conflicting blocks is really true? I have read they solve "mathematical problems". But I don't understand how this can help to distinguish between the correct transaction and the fraudulent one. Could anybody explain this to me in common language? I'm no coder – only a simple-minded economist…

    • Paddy

      Well – the idea is that the computer (miner) is able to look at a block – solve some mathematical puzzle (aka look at a transaction and check its history with what you already know to be correct) and prove all the transactions are safe/true. So you don't need to rely on people to tell you a block is "honest" – you can test it yourself as your computer contains a list of all transactions that have ever happened.

      Also – if a fork does happen – and there are competing blocks – you normally pick one that you know is honest and start 'mining' the block. However – the block you are mining may not become part of history – if another chain of blocks is discovered faster than yours.

      Two chains:

      b1a, b2a

      b1b, b2b

      You start working on b2a, but the rest of the network find two new blocks b3b, b4b,

      b1a, b2a

      b1b, b2b, b3b, b4b

      Because the second list of blocks is longer – you stop working on b2b and hop on board of b4b.

  • rph

    What about an 'actual' attack? If I'm walking down the street and a guy comes up to me and pulls a gun and demands my wallet, I hand it to him and typically I'd be out at most 100 bucks. What if the same gunman says, "Give me your bitcoin codes or I'll kill you." Couldn't I then lose my entire life savings in an instant to an untraceable criminal?

    • http://codinginmysleep.com David Perry

      An actual attack is always a possibility with anything of value. The solution is simple, and exactly the same as with cash: never carry (and that includes in your brain) more than you're willing to lose. I back up my Electrum seed, for example, but I explicitly never memorize it – you can't beat what I don't know out of me, so if you mug me all you get is what's on my phone, which is roughly the $100 you quoted. It's also important to note that you never have to physically transport bitcoins anywhere. Most folks keep a small amount on their phone for convenience, but if I wanted to move 1,000 coins to a paper wallet in a secure vault, I could put an empty wallet in the vault and then fund it from home once the vault is locked, removing the danger of transporting high value goods entirely.

  • martinalasvegas

    good
