In-depth analysis of the collapse of the currency security: block reorganization, the only beneficiary is only miners!

On May 7, 2019, Binance suffered a hacker attack and lost 7,000 BTCs. After that, we quickly saw Jeremy Rubin (Bitcoin Core Developer) publishing a tweet suggesting that Chan Chang, CEO of Changan, used block reorganization to “revoke the theft”:
Tweet translation: @cz_binance (赵长鹏): If you disclose the private key of the attacked currency (or part of these keys), you can centrally coordinate a block reorganization (reorg) at zero cost to revoke the theft. behavior.
This obviously made the currency security consider the block reorganization. According to Zhao Changpeng, CEO of the currency security company, after consultation with some people, the reorganization plan was aborted:
Tweet translation: @cz_binance (赵长鹏): If you disclose the private key of the attacked currency (or part of these keys), you can centrally coordinate a block reorganization (reorg) at zero cost to revoke the theft. behavior.
In this article, the author (Jimmy Song) will detail the incentives behind possible chain reorganization. In a sense, Jimmy Song has calculated the cost of the reorganization of the currency through the previous tweet: How much will it cost:
1/ The cost of reorganizing 58 blocks by mathematical calculations (according to the confirmed hash value of the stolen trades that have been obtained so far):

Lowest cost: 58*12.5 BTC = 725 BTC (assuming each miner gets roughly the same transaction costs on the restructured new chain, and 100% of the miners agree to restructure, note: The current bitcoin block mining award is 12.5 BTC )

2/ But if only 75% of the miners agree to restructure, this will require an average of 116 blocks (equivalent to the need for compensation for the 75% of miners), which is approximately 1,450 BTC, ie 116*12.5=1,450) This is to catch up with the current main chain. Similarly, if 60% of miners agree to restructure, an average of 290 blocks (3,625 BTC is required to compensate for these miners) to catch up with the current backbone; if 55% of the miners agree, 580 Blocks (reward compensation for these miners is 7,250 BTC).
3/ Since 7,250 BTC > 7,000 BTC, at least 55% of the computing power (miners) is required to agree to chain restructuring. If the number of reorganized blocks exceeds 58, the required computing power is at least 60%; if the number of reorganized blocks is 116, at least 65% of the computing power is required; correspondingly, 174 blocks require at least 70%. The calculation power, 232 blocks require at least 75% of the power. Assuming all miners agree to reorganization, the cost will increase rapidly.
4/ But for any miner who chooses to restructure and abandon the original main chain, there is also a great risk, because it greatly increases the risk of wasting calculations, and these calculations can be effectively used to mine the original one longer. The main chain.
5/ And depending on the extra cost that the miner charges for this risk, it means that the decision to make a reorganization takes much less time than the 232 block. If restructured, it will eventually pay the miners from the hands of the hackers. The currency has not benefited too much from it.
6/ The minimum loss is still 725 BTC, which is still a small change.
7/ coin security is subject to double squeeze of time and risk. Each new block is another block that needs to be overtaken, with a minimum cost of 12.5 BTC. It may not be easy to quickly coordinate (restructuring) with an existing mining pool. It may take more than one day (144 blocks) to reach an agreement alone. (Note: The current Bitcoin blockchain generates an average of 1 block every 10 minutes, and 24 hours is 144 blocks).
In the following, the author will continue to discuss the consequences of restructuring more comprehensively.


In the tweet below, you can see that Ari Paul (investment director of blockchain investment company BlockTower Capital) and Adam Back (password punk, blockchain startup Blockstream co-founder) have differences on whether to restructure:
Adam Black (below) Tweet translation: Bitcoin reorganization does not happen. I doubt that any Bitcoin field, miners or developers will consider restructuring. Think of the $473 million loss that Mt. Gox suffered in 2014. In 2016, Bitfinex was attacked, causing a loss of $72 million, and the loss of $40 million in 2019, etc., (reorganization)# did not occur.

Ari Paul (on) Tweet translation: The last thought was inspired by Adam Back (but I disagree with him). Past data is useless here. Incentive reorganization is a difficult problem to coordinate, and a fairly simple new technology may solve this problem.

In essence, Adam believes that such a reorganization will not happen, and Ari believes that incentives can make reorganization possible. Who is right? This is what we need to do some game theory analysis. Let's start with the most basic scenario:

a simple model

Let us assume a very simple model in which 100% of the computational power (miners) are willing to help the currency to reorganize.

This is the easiest scenario to analyze. We assume that the currency is in contact with each of the mines (although this is unlikely) and agrees on the amount of compensation for each miner (although some miners may agree, other miners are unlikely to agree) and reach a consensus . We assume that no one currently disagrees (though this is highly unlikely) and no one will build a spare pool to continue mining the current longer chain.

First, let us look at the reasonable amount of compensation for miners. Suppose a miner has 10% of the network computing power and reorganizes 100 blocks after the attack, which means that the miner will give up the rewards of the 10 blocks he has already dug in the original chain ( That is, 100*10%=10) and the corresponding transaction fee, that is, abandonment of 125 BTCs (ie 10*12.5=125) and corresponding block transaction fees.

(Remarks: Reorg is also a transaction rollback. As long as there is more than 51% of the calculation power, before the stolen currency trading block, start digging a fork again, and only remove the stolen transaction (and follow-up) The transaction, normal packaging of other transactions in the original chain, then after the new fork length exceeds the original stolen chain, block reorganization will occur. Reorganization can be simply understood as: the new fork covers the original stolen chain, the effect Yes: Roll back the stolen money transaction separately without affecting other transactions.)

You might think that the miner will be able to mine on that restructured chain and get about 10% of the block reward, which can be offset, but it is not . Because if the miner is in the period of block reorganization, he can continue to mine in the original chain through his own calculations and get 10% of the block reward (and transaction costs), while not using Abandoning the rewards (and transaction fees) of the 10 blocks that were previously excavated in the original chain, which means that the mine union lost at least 125 BTCs because of the help of the block reorganization.

Therefore, the mine union that helped the currency reorganization required the currency to compensate the miners for the rewards (and transaction costs) of the blocks that had been excavated in the original chain. In this scenario, assume that each block has 0.5 BTC fees, that is, a total of 130 BTCs (ie 125 + 0.5*10=130) that need to be compensated for this miner with 10% of computing power.

This is not all! There is also a risk premium to prevent problems. If, besides this 10% computing miner, no one else is willing to use the new restructured chain of the coin, it would waste the power that the miner could have used to mine the original chain.

If the reorganization efforts are not successful, the currency security will have to agree to either compensate for this premium risk or bear the losses caused by the wasted computing power. This will be an important part of the compensation, but in order to make this article short and easy to understand, we temporarily ignore this factor.

Therefore, if Coin Security begins to attempt to reorganize 100 blocks after the theft, they will have to pay a cost of 1,300 BTC (ie 100*12.5+100*0.5=1,300, of which 12.5 is the block reward for the bitcoin chain, 0.5 is The transaction cost that the miner can obtain after each excavation of one block) is used to recover the stolen 7,000 BTC, that is, the coin can recover 5700 BTC. From the perspective of currency security, you can think of this as an ideal scenario because they can save a lot of money.

What are the consequences of this situation? Most notably, such a thing would prove that Bitcoin is central, because if the currency can force the reorganization of the 100 blocks, any other powerful entity can do the same thing.

This will lead to many double spending attempts, and anyone who trades in these 100 blocks will have to work hard to figure out what's going on. In fact, reorganization may result in a larger double-flower problem than the current loss of 7,000 BTC! For everyone who trades on the Bitcoin network, this will cause significant disruption, because no one will accept 3-6 transaction confirmations, considering what the currency can do.

In other words, exchanges, businesses, and users all have to suffer at least a big headache. What's worse, they have to deal with more pains to deal with possible double flowers.

Wait, we haven't talked about what thieves (hackers) will do!

Therefore, the situation of reorganization is very unlikely, because all those who experience pain in this situation will resist.

a more controversial choice

The reorganization will bring about a controversial split and a competition for a longer chain. With 55% of the computing power to reorganize the 100 blocks and catch up with the current main chain, this means that about 1,000 blocks need to be dug in the new chain (in this case, it takes 2 weeks). This number is also quite variable. In this scenario, it is not surprising that you need to dig out 500 blocks or 1,500 blocks.

Even with 99% of computing power, 101 blocks need to be dug in the new chain (about 20 hours). (Note: The current bitcoin chain averages about one block every 10 minutes, so the time required for 101 blocks is about 20 hours)

In this case, both the original main chain and the reorganized new chain are hoping to attract each other's miners. The original main chain has an advantage because it leads 100 blocks at the beginning of the competition.

Supporting the original backbone is a number of exchanges, merchants, and users who do not want to reorganize the 100 blocks. They are likely to compensate the miners on the original main chain. They can easily compensate the miners: spend a UTXO (unused transaction output) on the original main chain for a high fee, and this UTXO is only valid on the original main chain. If the fee is high enough, many miners will be tempted to dig in the original main chain.

It needs to be pointed out that there is also a special user on the original main chain – the hacker who launched the attack. He may also initiate similar transactions (UTXO involving stolen transactions) to compensate miners with higher fees on the original main chain.

On the other hand, the currency is safe. The currency must fight against all of these exchanges, merchants, and users, not to mention the hackers who launched the attack.

The hacker has stolen 7,000 BTC from the currency security, so the hacker can use this amount to encourage the miners to continue mining in the original main chain and organize the block reorganization.

In contrast, the currency must cost 1,300 BTC + the amount the hacker is willing to spend to prevent the reorganization + the amount that other exchanges/merchants/users are willing to spend to prevent reorganization. This is obviously a struggle for failure. Unless the currency is considered worthy of spending 1,300 BTC to punish the hacker (or 13 BTC * the number of confirmed stolen transactions), the reorganization is not good for the currency.

to sum up
There are still more complex situations, especially with many offline mining equipment, but all of these are easy to analyze. Hackers can motivate miners, so for the currency security, this is a failed battle, and the currency security must bear the responsibility of restructuring each block and the money lost in the theft.

Just as a protracted lawsuit is actually only beneficial to lawyers, the only benefit to the block reorganization plan is the miners. The money flows to the miners through controversial transactions (from money security or hacking). At a deeper level, this is the original intention of the Bitcoin protocol, and the cost of changing it is very high.

There is a reason why people don't try to reorganize, even after mass theft. Restructuring not only hurts the money thief, but also hurts others. There is a huge collective motivation not to change the trading history of Bitcoin.

Reference link:


Author | Jimmy Song

Compile | Jhonny

We will continue to update Blocking; if you have any questions or suggestions, please contact us!


Was this article helpful?

93 out of 132 found this helpful

Discover more


EigenLayer has been deployed on the Ethereum mainnet

The Ethereum-based EigenLayer protocol for heavy staking has deployed its first phase on the Ethereum mainnet and o...


EigenLayer Official Inventory of 12 Early-stage Projects in the Ecosystem

EigenLayer officially listed 12 early-stage projects in its ecosystem, namely AltLayer, Blockless, Celo, Drosera, Esp...


In-depth analysis of how the MEV market transitions from 'zero-sum game' to 'separation of powers

MEV has gradually transitioned from the initial dark forest zero-sum game to a stage of checks and balances with sepa...


Under the narrative of re-collateralization, how to value EigenLayer?

EigenLayer provides a token-based secure leasing market, offering demand matching services between LSD providers and ...


Understanding MEV and opportunities for Oracle extractable value

Redesigning the order process auction to create a sustainable DeFi ecosystem.


Latest article by Vitalik: Keeping it Simple and Avoiding Ethereum Consensus Overload

We should maintain the minimalism of the chain, support the use of re-staking, instead of expanding the role of Ether...