Reorganizing blocks to recover stolen BTC? This article explains why it doesn't work.

After 7000 BTC were stolen from Binance's hot wallet, Binance CEO Zhao Changpeng said in a live Q&A yesterday that the team was considering a proposal by Jeremy Rubin, co-founder of the MIT Digital Currency Initiative, to recover part of the funds through a block reorganization. He soon announced that Binance would not pursue a reorganization, but the idea still caused huge controversy in the Bitcoin community. Last night he explained on Twitter that Binance had never wanted to reorganize the chain, and that it could not be done anyway.



In the exchange shown in the screenshot below, Adam argues that a reorganization will not happen, while Ari says that it is possible only to reinforce the reorganization. So can a block reorganization actually be carried out?


A simple model

Let us assume a very simple model in which 100% of the hashrate is willing to help Binance. This is also the model that is easiest to analyze. We assume that Binance has established contact with every mining pool (unlikely in practice), agreed on compensation with each miner (possible for some miners), and reached consensus. For now we assume that nobody disagrees (impossible in practice) and that nobody will set up a competing pool to mine a longer chain.

First, let's look at what reasonable compensation for miners would be. If a miner has 10% of the network's hashrate and the reorganization begins 100 blocks after the attack, the miner has to give up 10 blocks of reward, i.e. 125 BTC of block subsidy plus fees. You might think that they would earn about 10% of the block rewards on the reorganized chain, so this part would cancel out, but it does not: they could have mined the original chain and earned 10% of the block rewards during the same period, which means they lose 125 BTC by helping Binance. Therefore they need compensation. In this model, assuming each block carries 0.5 BTC of transaction fees, the total compensation required is 130 BTC.

This is not even full compensation; there is also a risk premium. If no miner other than this one chooses Binance's reorganization chain, this miner wastes hashrate that could have gone to the original chain. If the miners' effort fails, Binance would have to agree either to compensate for this risk or to pay for the wasted hashrate. This is actually a large part of the compensation, but this article ignores it for now.

Therefore, if Binance begins attempting a reorganization 100 blocks after the hack, they need to pay at least 1300 BTC to recover 7000 BTC, a net of 5700 BTC. From Binance's perspective you can think of this as the ideal case, because they recover most of the money.

What would the consequences of such a situation be? The most obvious is that it would prove Bitcoin is centralized, because if Binance can force a 100-block reorganization, any sufficiently large entity can do the same. There would be many double-spend attempts in the future, and everyone who transacted within those 100 blocks would be affected. In fact, an attacker could steal money from exchanges through double spends, possibly even more than the original 7000 BTC! Everyone transacting on the Bitcoin network would be severely disrupted, since by then everyone may have to wait for 3 to 6 confirmations.

In other words, exchanges, merchants and users would be thrown into confusion. Worse, they would have to bear the risk and consequences of double spends. Therefore a block reorganization is highly unlikely, because in this case nearly everyone has a stake in opposing it.

A more controversial option

That is a fork. Since 100 blocks are to be reorganized, the original chain starts with a 100-block lead; with 55% of the hashrate, the fork needs on average 1000 blocks (about two weeks in this case) to become the longest chain. The variance is also very high: 500 or 1500 blocks would be entirely plausible. Even with 99% of the hashrate, 101 blocks (about 20 hours) are needed to become the longest chain.
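To make the two calculations concrete, here is an added Python example (not from the original article) that computes the miner-compensation model from the previous section and the catch-up race for the fork described here. It assumes the 2019 block subsidy of 12.5 BTC and the article's 0.5 BTC of fees per block; the Monte Carlo part is an addition that shows how wide the spread around the average is. The deterministic function returns both the blocks mined network-wide and the blocks mined by the reorg chain itself, since those are the two ways of counting a race.

```python
import random
import statistics

BLOCK_SUBSIDY = 12.5   # BTC per block in 2019, when the hack happened
AVG_FEES = 0.5         # BTC of fees per block, the article's assumption


def compensation_cost(depth, miner_share=1.0, subsidy=BLOCK_SUBSIDY, fees=AVG_FEES):
    """BTC needed to make miners holding `miner_share` of the hashrate whole for
    abandoning `depth` blocks: each abandoned block is lost subsidy plus fees."""
    return depth * miner_share * (subsidy + fees)


def expected_blocks_to_catch_up(lead, share):
    """Deterministic expectation for a reorg chain starting `lead` blocks behind
    with `share` of the hashrate. Each block mined by anyone shrinks the gap by
    share - (1 - share) on average, so the gap closes at 2*share - 1 per block.
    Returns (blocks mined by both chains, blocks mined by the reorg chain)."""
    if share <= 0.5:
        raise ValueError("without a majority the reorg chain never catches up")
    total = lead / (2 * share - 1)
    return total, total * share


def simulate_race(lead, share, trials=200, seed=1):
    """Monte Carlo of the same race as a biased random walk on the gap.
    Returns (mean, stdev) of total blocks mined, by both sides, before the
    reorg chain is one block longer than the original chain."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        gap, mined = lead, 0
        while gap >= 0:              # stop once the reorg chain is ahead
            gap += -1 if rng.random() < share else 1
            mined += 1
        results.append(mined)
    return statistics.mean(results), statistics.stdev(results)


if __name__ == "__main__":
    print("100-block reorg, all miners:", compensation_cost(100), "BTC")
    print("10% miner:", compensation_cost(100, 0.10), "BTC")
    print("net recovered:", 7000 - compensation_cost(100), "BTC")
    print("55% share (total, reorg chain):", expected_blocks_to_catch_up(100, 0.55))
    print("99% share (total, reorg chain):", expected_blocks_to_catch_up(100, 0.99))
    print("55% Monte Carlo (mean, stdev):", simulate_race(100, 0.55))
```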

But this assumes that no miner ever switches sides. In reality, both sides would try to attract miners from the other. The original chain has the advantage of a 100-block head start.

On the side of the original chain are the exchanges, merchants and users who do not want a 100+ block reorganization. They can all compensate the miners on the original chain, and quite easily: make a transaction on the original chain with a higher fee. If fees on the original chain are high enough, many miners will want to switch sides. One particular user on the original chain deserves mention: the attacker. They too are willing to subsidize miners on the original chain; after all, they don't want to end up empty-handed.

The original chain's competitor is Binance. They must outbid these exchanges, merchants and users, and even the attacker, to get a longer chain. The hacker took 7000 BTC from Binance, so they are willing to spend that much subsidizing miners on the original chain. Binance's cost would be 1300 BTC plus whatever the hacker is willing to subsidize plus whatever the exchanges, merchants and users pay. Clearly, from an economic standpoint, such a fork makes no sense for Binance.

Conclusion

The actual situation is certainly more complicated; after all, there is a great deal of mining equipment sitting offline. But all of this is easy to analyze in the same way. In general, a block reorganization is not worth the loss for Binance.

Just as lawyers are the ones who profit from drawn-out litigation, the only beneficiaries of a block reorganization are the miners. Funds flow from the disputed transaction (whether Binance's or the hacker's) to the miners. At a deeper level, this is the design goal of the Bitcoin protocol: changing a transaction is extremely expensive.

This is why nobody attempts a reorganization even after a massive theft. A reorganization would cost the hacker, but it hurts everyone else.