A vending machine can, today, be implemented risk-free as well. All it needs to do is listen for double spend proofs and when one appears for the transaction (or a parent) it cancels the transaction. This happens FASTER than a credit-card transaction and is more secure than a card transaction (can’t be reversed).
With ZCE you lose the escrow when trying to do funny business.
And with DSP you lose your funds too. No difference in risk to merchants.
Additional advantage of using DSP is that the customer doesn’t have to tie up additional funds. You can actually buy that mars bar from your LAST coin with DSP.
How long does it take for the machine to release the product? 10 seconds? The culprit can simply wait 10 seconds to get the product in his hands and then post his double-spend TX. Sure, there’s the “first seen” policy, but that is an externality the merchant can’t control, and there are no guarantees that it will always be widely adopted - so the point of creeping risk with our network growing still applies.
You don’t exactly lose - you still got the product you bought, and here a double-spend attempt is a free shot at trying to get your money back but keep the product. With ZCEs you’d lose an additional value on top of the money paid for the product, you’d pay double the price of product for attempting to cheat and get it for free.
The point is to convince them that they don’t want the confirmations.
They are not aware yet that ZCEs exist and actually work. Once they gain confidence in the tech, I am sure instant deposits and withdrawals for sums less than $100.000 should be natural.
The risk is almost non-existent. This is the point. Which you missed.
This is my “civil level” right now. I am not going to tell you I love you, I am here to tell you your argument is invalid, not love you and be your boyfriend.
The point of discussion is to point out that somebody or something is wrong in order to reach the truth.
I will not discuss to be excessively polite to people. That does not make any sense.
The culprit can simply wait 10 seconds to get the product in his hands and then post his double-spend TX.
If it is 10 seconds, then it is a lot of time. If the attacker is not the miner or the mining pool, then it is very hard to do that in practice. Satoshi addressed that issue a long time ago (search: Bitcoin snack machine).
The network nodes only accept the first version of a transaction they receive to incorporate into the block they’re trying to generate. When you broadcast a transaction, if someone else broadcasts a double-spend at the same time, it’s a race to propagate to the most nodes first. If one has a slight head start, it’ll geometrically spread through the network faster and get most of the nodes.
A rough back-of-the-envelope example:
4 1
16 4
64 16
80% 20%
So if a double-spend has to wait even a second, it has a huge disadvantage.
“[Statistically] very hard to do that in practice” but without cost or risk it will be achieved given enough attempts.
This was the numbers on 5 second delays with a small miner bribe a couple of years ago. I don’t know what the numbers for “10 s delay” would be, but I assume not zero.
Yes, there were BU nodes on the network with non-standard relay policies that probably aren’t there today. But deploying nodes with such software isn’t particularly expensive.
Yup, nothing stops anyone from running a rogue mining pool that has a little network of nodes that can take bribe offers. Right now there’s no incentive to have that, but as we grow there may be and nothing anyone can do to stop it - other than having a way of spending where it doesn’t pay to try and cheat.
The problem is that “rogue” in this scenario actually means “(short-term) profit maximizer”. The incentives are currently lined up for a miner to take the transaction with highest fees, but ZCE shifts those incentives so the highest profit is achieved by claiming the escrow.
Yes, but I have thoroughly analyzed this possible scenario like 6 years ago, loooooong before DSPs and ZCEs even existed and concluded it is not profitable for the mining pool at sums less than $10000-$50000.
This scenario is so hard to do, so costly and so difficult to make it profitable (huge reputation hit is also a factor), that there is no wonder why miners never did it to this day.
We (the community) have been talking about such scenarios for like 10 years, but they never actually happen. Zero Confirmation transactions are generally safe, even more with Double Spend Proofs and Zero Confirmation Escrows.
In my opinion “0-conf is not safe” was always only propaganda, never reality. 0-conf can be and is safe.
I’m not talking about reorgs, this is just about enabling an interface to take in “bribe” TX-es which they’d put instead of the 1st seen one while they mine a block. If they get lucky with a block - they will make more, if not - they will still get a regular block reward later, and the guy at the vending machine will get his thing at normal price instead of 0. ViaBTC has a website where you can post a raw TX, and it must obey relay rules. What’s stopping them from dropping the requirement and accepting cheater TXes? ZCEs would make it so that it pays more to cheat the cheater
But such a bribe has the maximum chance of success equal to the percentage of the malicious mining pool.
Counting in the reputation hit, it is highly improbable that any pool that would accept such bribes would ever get more than 10% of mining power. Reputation would take a hit and miners would stop using such pool.
So this is why no mining pool ever (correct me if wrong) did that [in pre-2016 BTC and BCH all time].
When you factor in the cost, the super-low probability of success and reputation hit, it stops being profitable.
Yup, but it’s still a free shot… at 1% or 10% chance. You will not bother to do it for getting a one-off discount on a piece of candy but here we’re trying to imagine how our network and adoption would look like in a success scenario where we have numbers that could make the game potentially interesting to criminal organizations.
What do SHA-256 hardware owners care about reputation? They’re anonymous, and get paid either way, and some may not care about morals and would join a pool because it pays more - by enabling others to steal. We don’t have to depend on morals when we have a tool that can make incentives right for desired behavior.
I don’t know, but I hope that we will move into unprecedented territory - like having consistent 2MB blocks. And then we’ll start to get some data.
A: Get a large number of people to use it for smaller (<$1000) purchases
B: Get few one time huge shots, but this would have to be really huge amounts, like $50000 to be profitable and worth the bother
Scenario A is not even doable anonymously. To get enough people to have any chance of success and significant profit, would require advertisements. To do large scale advertisements, you need to be a company.
Case closed.
Scenario B can be done anonymously, but only for large sums of money, otherwise it doesn’t make any sense on scale.
Obviously, they don’t. But a large mining pool has to have a website, so they have to report their profits to some government somewhere. Are there any fully anonymous large pools without a website and a company running them?
You can be sure that as soon as such a pool would appear, start advertising their “bribing” and grow beyond 10% of hashing power, that would mean huge legal troubles for them.
You can’t really do crime and bad things in general at large scale fully anonymously. Humans are the weakest link in chain, there is always a weak link.
You see, it is generally more profitable to just mine honestly, than trying such complicated large-scale shenanigans. If it was ever worth it, somebody would have already tried in the last 13 years of Bitcoin mining. Nobody ever did.
Therefore the only way I see such mining-bribe-attacks succeeding is via cheating a big sum ($50000 and more) once or few times. Which would mean cheating an exchange or an ATM.
Which is exactly why ATMs and exchanges require confirmations. They understand this.
I am aware of the “calculated number of total double spends” on the network you are quoting, I have seen it. This work of Peter Rizun was quite famous.
I have some doubts whether this data actually represents a real double spends of real internet/brick&mortar stores or whether this is just some testing or fluke of the network.
As far as I am aware, no merchant ever complained of being robbed this way on BCH network. So I am not really sure what this data means.
I was in the community all the time and if something like this happened, I would just know about it 100%. No such thing ever happened. No merchant was ever robbed of the goods using double spends on BCH network (even including pre-2016/pre-RBF BTC too).
To add even more, BCH has less than 1% hashrate and A LOT of enemies.
If such a miner-bribing attack was real-life doable and even better - profitable, it would have happened like 4-5 years ago, in 2017-2018 because it was easier to do back then. The enemy would do it just in order to prove that BCH cannot be P2P Electronic Cash, profit is not even needed.
I feel like we’re going in circles. I already had this discussion in 2018, at least 3 times. Back then the conclusion also was that “while the attack is theoretically doable, nobody ever did it, which proves it is most probably not practical in real-life, so nobody will use it”.
To sum it up:
0-conf is secure enough for everyday purchases ($<1000).
0-conf with Double Spend Proofs should be secure enough even for bigger amounts ($<10000) in ATMs.
0-conf with Zero Confirmation Escrows is practically completely secure for all means and purposes, assuming it works as advertised. BCH has become instant P2P currency.
The numbers above from Rizun say that if the ATM would wait 5 seconds before giving someone the money anyone could, without risk or cost, do a miner-bribe attack of ~300000 satoshis and succeed 5.5% of the time. Any DSP would be triggered too late!
5.5% is not enough. Also ATM is real life. Real life is not secure, unlike properly secured Internet connection.
You would have been found and stopped using traditional means (police, jail time) maybe even before you could succeed (5.5% is a very low chance, also it is not guaranteed at all you will succeed in ~20 tries, this is random).
This is exactly why I am saying this attack is not practical. Sure - it is doable theoretically, but risks outweigh the possible profits. Not practical on larger scale - that’s for sure.
I am still waiting for the merchant who was scammed using 0-conf. I am waiting since 2015.
Just wanted to add some facts around the actual state of the zero-conf transaction security right now as that seems to be not known widely.
First of all, sending a second transaction to double spend your own can only lead successfully to a double spend in a very small amount of time. Within 3 seconds the entire network has the first one sent, so if you wait longer your new transaction will simply get rejected by each and every peer. No effect. You basically need to do it at the exact same time as the original one that the merchant has to see.
A user that successfully sends two transactions and is already extremely lucky to make it into some miners’ mempools then gets into the gamble of getting the one they want mined. If that miner didn’t get the block, no luck.
This is a big gamble and most of the DS-attempts end up simply paying the merchant anyway. (which is why users trying this with DSProof in place lose their money most of the time).
DSProof protects against all those cases.
We didn’t make DSProofs any more strong than just a message to the merchant because the human factor is important. People testing, people confused and all that are relevant and various service minded companies will prefer to decide for themselves what the policy is. Anything from calling the police, confiscating the funds (in the ~80% chance of the DS failing) to simply giving a stern talking to. The currently deployed DSProof solution allows all of this.
An anonymous service or casino or vending machine are most likely just going to cancel the order and if the money arrives it will cover the administrative costs. The user that went out of their way to double spend loses it. I can’t lose any sleep over that…
There is another thing we want to do. An improvement of behavior when it comes to payment protocols. BIP 70 specifies that the customer is to send the transaction to the merchant and the merchant is then the one responsible for broadcasting it to the network. But this doesn’t happen in any current implementations.
Yet, having the merchant send the transaction to the network is super useful as it allows them to play with timing (we are talking about some 100s of milliseconds) of broadcasting the transaction.
This is super useful because the attacker has to know the timing in order to broadcast his offending transaction himself and have the right effect of his second transaction landing in the mempool of a miner. If the attacker is too fast, the merchant will instantly know as the transaction is rejected by the node he connects to (and he gets a bonus double spend proof).
If the attacker is too slow, the chance of the attack succeeding drops massively. (and still the merchant gets a double spend proof).
Stealing from a receiver by double spending has a very low probability of succeeding.
Any DS needs to be sent within a second, max two, in order to have any realistic chance at all. The merchant-run-full-nodes simply reject it as they are the ones that value the first-seen rule to be kept, there is no reason to think it won’t be kept.
We can still improve when we start to develop better payment protocols which makes it even more certain that the money will go to the merchant.
There is in practice no risk to a merchant that uses a proper backend (which all wallets and point of sale software do anyway) because then they WILL learn about the double spend attempt.
Matching the ridiculously low chance of success with a certainty of being caught and the repercussions.
Here is an example of what happens when a wallet checks for double spend proofs. Notice that it doesn’t really take long at all after first seeing it:
People really need to understand that 0-conf was already pretty safe and “safe enough” for everyday spending.
With DSP, this is taken to another level, the chances for a successful attack and profitability of such attack scheme at large scales are decreased by orders of magnitude, literally.
With ZCEs, the risk of 0-conf transactions is reduced essentially to 0. Unconfirmed BCH transactions will be as good as confirmed BCH transactions.
But it cannot be so good without any downsides, right? Without caveats? Yeah - ZCEs require an additional percentage of deposit in user’s wallet (for the self-escrow/penalty), so it is perhaps not as convenient for the user as DSPs.
The point is, BCH already has safe&secure transactions for doing groceries&small business. Now it will get safe&secure transactions good enough even for exchanges, ATMs & banks.
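The merchant-side policy argued over in this thread (hold the goods for a short window and cancel if a double spend proof arrives for the payment or one of its unconfirmed parents), written out as an added example; it is not code from any poster or from a BCH node or wallet. The txids, timestamps, event tuples and function names are constructed for illustration, and a real point of sale would feed it from its own node's double spend proof notifications.

```python
from collections import deque

def unconfirmed_ancestors(txid, parents):
    """Return txid plus every unconfirmed ancestor reachable via `parents`."""
    seen, queue = {txid}, deque([txid])
    while queue:
        for parent in parents.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def decide(payment_txid, seen_at, hold_seconds, parents, dsp_events):
    """Decide whether to hand over the goods once the hold window has closed.

    parents:    {txid: [unconfirmed parent txids]}  (hypothetical mempool view)
    dsp_events: [(timestamp, txid)] double spend proofs received so far
    Returns (decision, late_proofs): decision is "release" or "cancel";
    late_proofs are relevant proofs that arrived after the window closed.
    """
    watched = unconfirmed_ancestors(payment_txid, parents)
    deadline = seen_at + hold_seconds
    relevant = sorted(e for e in dsp_events if e[1] in watched)
    # A proof for a parent that predates the payment still counts.
    in_window = [e for e in relevant if e[0] <= deadline]
    late = [e for e in relevant if e[0] > deadline]
    if in_window:
        return "cancel", late
    return "release", late

# Constructed sample: "pay" spends unconfirmed "p1", which spends unconfirmed "p0".
PARENTS = {"pay": ["p1"], "p1": ["p0"], "other": []}

if __name__ == "__main__":
    # Proof against a grandparent 3.2 s after the payment was seen: cancel.
    print(decide("pay", 100.0, 10, PARENTS, [(103.2, "p0")]))
    # Proof 12 s after the payment, with a 10 s hold: goods already released.
    print(decide("pay", 100.0, 10, PARENTS, [(112.0, "pay")]))
```

The second return value is the case the thread disagrees about: a proof that lands after the hold window cannot stop the release, so the length of the window is the merchant's only control over it.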