A Modest Proposal
Mike Hearn recently proposed a change to the Bitcoin protocol on the bitcoin-development mailing lists. For those who are not subscribed, this is what he suggests:
Lately someone launched Finney attacks as a service (BitUndo). As a reminder for newcomers, Finney attacks are where a miner secretly works on a block containing a double spend. When they eventually find a block, they run to the merchant and pay, then broadcast the block. In a simpler variant of this attack you make purchases as normal with a modified wallet that always submits a double spend to the service, and then N% of the time where N is the percentage of overall hash power the dishonest miners have, you get your money back minus their fee.
N does not need to be very high to render Bitcoin much less useful. Real time transactions are very important. Although I never expected it when I first started using Bitcoin, nowadays most of my purchases with it are for food and drink. If Bitcoin could not support such purchases, I would use it much less.
Even with their woeful security many merchants see <1-2% credit card chargeback rates, and chargebacks can be disputed. In fact merchants win about 40% of chargeback disputes. So if N was only, say, 5%, and there was a large enough population of users who were systematically trying to defraud merchants, we'd already be having worse security than magstripe credit cards. EMV transactions have loss rates in the noise, so for merchants who take those Bitcoin would be dramatically less secure.
The idea of discouraging blocks that perform Finney attacks by having honest miners refuse to build on them has been proposed. But it has a couple of problems:We can resolve these problems with a couple of tweaks:
- It's hard to automatically detect Finney attacks. Looking for blocks that contain unseen transactions that override the mempool doesn't work - the dishonest users could broadcast all their double spends once a Finney block was found and then broadcast the block immediately afterwards, thus making the block look like any other would in the presence of double spends.
- If they could be automatically identified, it possibly could be converted into a DoS on the network by broadcasting double spends in such a way that the system races, and every miner produces a block that looks like a Finney attack to some of the others. The chain would stop advancing.
- Miners who want to vote "no" on a block take a big risk, they could be on the losing side of the fork and end up wasting their work.
This may seem a radical suggestion, but I think it's much less radical than some of the others being thrown around.
- Dishonest blocks can be identified out of band, by having honest miners submit double spends against themselves to the service anonymously using a separate tool. When their own double spend appears they know the block is bad.
- Miners can vote to reallocate the coinbase value of bad blocks before they mature. If a majority of blocks leading up to maturity vote for reallocation, the value goes into a pot that subsequent blocks are allowed to claim for themselves. Thus there is no risk to voting "no" on a block, the work done by the Finney attacker is not wasted, and users do not have to suffer through huge reorgs.
The above approach works as long as the majority of hashpower is honest, defined to mean, working to stop double spending. This is the same security property as described in the white paper, thus this introduces no new security assumptions. Note that assuming all miners are dishonest and are willing to double spend automatically resolves the Bitcoin experiment as a failure, because that would invalidate the entire theory upon which the system is built. That doesn't mean the assumption is wrong! It may be that an entirely unregulated market for double spending prevention cannot work and the participants eventually all end up trashing the commons - but the hope is that smart incentives can replace the traditional reliance on law and regulation to avoid this.
The voting mechanism would only apply to coinbases, not arbitrary transactions, thus it cannot be used to steal arbitrary users bitcoins. A majority of miners can already reallocate coinbases by forking them out, but this wastes energy and work presenting a significant discouragement to vote unless you already know via some out of band mechanism that you have a solid majority. Placing votes into the coinbase scriptSig as is done with other things avoids that problem.
The identification of Finney blocks relies on miners to take explicit action, like downloading and running a tool that submits votes via RPC. It can be expected that double spending services would try to identify and block the sentinel transactions, which is why it's better to have the code that fights this arms race be out of process and developed externally to Bitcoin Core itself, which should ultimately just enforce the new (forking) rule change.In summary, a service has launched that allows dishonest users attempt to defraud merchants, and now Mike Hearn is proposing as a solution that we change the Bitcoin protocol to allow a majority of miners to vote on the blockchain to confiscate the newly-minted coins of any other miner.
If this proposal sounds problematic to you, that's because it is. As several other individuals in the thread pointed out, this fundamentally changes the nature of the Bitcoin network and adds a mechanism via which other changes the Bitcoin users do not want (blacklists) can be secretly added at any time in the future.
What is Bitcoin?
In order to talk meaningfully talk about fundamental changes to the nature of Bitcoin, we can only do so by first identifying and defining what exactly that fundamental nature actually is, assuming that it has one at all. Could it be the case that is doesn't have any nature to violate? Could Mike be right when he says, "Bitcoin imposes far more rules than just execution of the scripting language, many of which are entirely arbitrary and the result of (controversial) human judgement, like the inflation schedule. You can't claim Bitcoin implements only some kind of natural law." Perhaps since Bitcoin's rules were arbitrarily decided upon by humans it means that the network makes no promises to its users and so the developers should feel free to change its behavior on any other arbitrary whim.
Of course not. Bitcoin does have specific defining characteristics that differentiate it from all other other currencies that came before. These essential characteristics differ from behaviors of lessor importance, in that you can't change them without destroying Bitcoin. The represent the definition of Bitcoin as well as the implicit contract which the Bitcoin network enforces:
Fucking around with the protocol such that promise #2 is no longer true is equivalent to destroying Bitcoin, because this is one of the promises from which Bitcoin derives its value.Of course not. Bitcoin does have specific defining characteristics that differentiate it from all other other currencies that came before. These essential characteristics differ from behaviors of lessor importance, in that you can't change them without destroying Bitcoin. The represent the definition of Bitcoin as well as the implicit contract which the Bitcoin network enforces:
- The number of units in the Bitcoin network is finite, and the issuance is controlled via a known, predictable, constant formula.
- Bitcoin transaction processing is neutral. Users require no permission to use their coins as they see fit, and are safe from having their funds arbitrarily confiscated This promise could be expressed as the following:
Satisfying the conditions of its associated script is both necessary and sufficient to spend an output.
Solving the Finney Attack Without Destroying Bitcoin
If a majority of the miners in the network are honest, which is what Mike's proposal asserts, then they should be willing to offer a double spend protection service which will compete with BitUndo's paid scamming service.
A mining pool could offer an paid service via which any party can purchase double spend protection. The pool would create a queryable interface to which merchants can submit transactions. The service could reply to a query is various ways, with some responses possibly being priced differently than others:
- "We've seen a conflicting transaction on the network."
- "We've not seen a conflicting transaction in the network, and we won't allow one to enter our mempool."
- "We haven't seen a conflicting transaction, and we'll try to orphan any block containing one as long as it's less than N block deep (where N is the level of double spending protection the customer has purchased)."
As long as enough miners offer this service, a merchant can purchase however much double spend protection he requires to meet his business goals.
It might be the case that individual merchants don't want to negotiate with individual mining pools. In fact, most of them won't want to. This is a perfect example of a detail which payment processors can handle for them. Payment processors can negotiate bulk or flat rates from the mining pools, and then resell this service to their customers as an optional feature to merchants who need it.
Since the risk of a double spend has now become something calculable, that means it's insurable, which means that even if payment processors don't want to handle the details themselves then companies which do want to provide transaction insurance will have the mechanisms via which they can price their risk.
The solution above requires no changes to the Bitcoin protocol.
Since the risk of a double spend has now become something calculable, that means it's insurable, which means that even if payment processors don't want to handle the details themselves then companies which do want to provide transaction insurance will have the mechanisms via which they can price their risk.
The solution above requires no changes to the Bitcoin protocol.
A Question of Venue and Roles
There are other relevant issues brought up by this proposal besides its obvious implications.Why are fundamental changes to the Bitcoin protocol, with wide-ranging implications relevant to all Bitcoin users, being discussed in relatively obscure corners of the Internet?
It may be the case that email lists are where programmers feel most comfortable "talking shop", but it also remains the case that Bitcoin doesn't belong to them.
Bitcoin belongs to everyone who uses it. No amount of code contributions will ever give some set of "core developers" the right to impose their decisions on the rest of the network. In fact, the degree to which they recognize that fact is the exact degree to which they will remain relevant to the future. Bitcoin users have a choice of software implementations these days, and implementations which attempt to rule the network instead of serve it will be dropped.
Bitcoin belongs to everyone who uses it. No amount of code contributions will ever give some set of "core developers" the right to impose their decisions on the rest of the network. In fact, the degree to which they recognize that fact is the exact degree to which they will remain relevant to the future. Bitcoin users have a choice of software implementations these days, and implementations which attempt to rule the network instead of serve it will be dropped.
Individuals wishing to propose existential changes to the network should have that discussion in the public sphere, where the users are, so that those users have the best information possible regarding which implementations they should trust.
Core developers are not philosopher-kings who rule the network by imposing their judgement on the hoi polli, and they shouldn't act like it. (Note that this is not the first time Mike Hearn has floated proposals he knew Bitcoin users wouldn't like as trial balloons in relative obscurity). Once there is consensus among the community, or at least after they are aware of the proposal, then the development mailing list is an appropriate place to discuss how to implement it.
Core developers are not philosopher-kings who rule the network by imposing their judgement on the hoi polli, and they shouldn't act like it. (Note that this is not the first time Mike Hearn has floated proposals he knew Bitcoin users wouldn't like as trial balloons in relative obscurity). Once there is consensus among the community, or at least after they are aware of the proposal, then the development mailing list is an appropriate place to discuss how to implement it.
A Wakeup Call
If the events of the past year weren't enough already, this event should convince Bitcoin users (and open source software users in general) that they need to pay attention to the actions of the people developing the software they rely on.
The price of freedom is eternal vigilance, as the saying goes, and that most certainly applies here. Remaining ignorant of the discussions happening and deals being made in virtual smoke-filled rooms is a good way to discover one day that the Bitcoin up adopted and promoted has been taken out back and shot, and replaced with a malicious body double.