Written by
2018-11-23

The Ver Attack: The Biggest Vulnerability in Bitcoin?

Anyone who knows Saito knows that we’re obsessed with economic attacks. From inception to our TechCrunch panel last Tuesday, we’ve stressed that vulnerabilities in blockchain are almost always economic at heart.

Given this, the most fascinating part of the Bitcoin Hash War for us has been watching the fallout from what we’re calling the Ver Attack. We are actually fond of Roger and don’t mean this maliciously, but settled on “Ver Attack” for the same reason people talk about the “Morris Worm”: the first person to exploit a vulnerability generally gets credit for discovering it.*

Also, “Ver Attack” is a lot easier to say than “hash-transfer supply-curve-mediated governance attack”, which is what the attack technically involves: moving hashpower from one chain to another to force changes to consensus-level rules on the receiving chain.

Regardless of whether people support ABC or SV, we should agree that this constitutes an attack. If someone used a similar tactic to change the 21mm bitcoin coin limit, almost everyone would be howling with outrage. So why the lack of concern? The reason seems to be that many think the Ver Attack is an intended part of network design — if a miner has a majority of hashpower why shouldn’t they decide the fate of the chain? Isn’t this how bitcoin is supposed to work? Why shouldn’t someone be able to rent hashpower?

What this stance misses is that the Ver Attack is distinct from the 51% attack, because while a POW blockchain is *always* vulnerable to 51% attacks, Ver Attacks are only possible when there exists a sizeable pool of off-chain hashpower available for use. Because this should not be possible in a secure blockchain, what the Ver Attack highlights is an economic truth that very few people in the space understand: the security of bitcoin depends far more on the shape of the supply curve for hashpower than on the efficiency of the hashing machines themselves. The key vulnerabilities are bounded by economic — not technical — factors and are to some degree out of the control of network operators.
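The dependence on off-chain hashpower can be made concrete with a small exposure metric. This is an added example, not part of the original post: the chain names, hashrates and idle figure are constructed, and the model is a deliberate simplification that ignores cost, difficulty adjustment and how quickly hashpower can move.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    chain: str
    on_chain: float        # hashpower currently mining this chain
    off_chain_pool: float  # same-algorithm hashpower that exists elsewhere
    share_needed: float    # fraction of the pool that must move to match on_chain
    exposed: bool          # True when the pool alone can out-hash the chain


def hash_transfer_exposure(hashrates, idle=0.0):
    """Rank chains by how little off-chain hashpower would give a majority.

    hashrates: chain name -> hashpower, for chains sharing one PoW function
               (any consistent unit).
    idle:      rentable or switched-off hashpower of that type on no chain.
    Assumption: a majority needs strictly more hashpower than the chain has.
    """
    total = sum(hashrates.values()) + idle
    report = []
    for chain, on_chain in hashrates.items():
        pool = total - on_chain
        # With no off-chain pool, no hash transfer is possible at all.
        share = on_chain / pool if pool > 0 else float("inf")
        report.append(Exposure(chain, on_chain, pool, share, share < 1.0))
    # Most exposed first: smallest fraction of the pool needed.
    return sorted(report, key=lambda e: e.share_needed)


# Constructed sample: one dominant chain, two minority forks, some idle hash.
SAMPLE = {"chain_A": 90.0, "chain_B": 6.0, "chain_C": 4.0}

if __name__ == "__main__":
    for e in hash_transfer_exposure(SAMPLE, idle=10.0):
        print(f"{e.chain}: pool={e.off_chain_pool:.0f} "
              f"share_needed={e.share_needed:.3f} exposed={e.exposed}")
```

In the sample, the dominant chain cannot be out-hashed by everything outside it, while each minority fork is exposed to a few percent of the off-chain pool.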

Here, the discussion gets interesting, because these vulnerabilities are not entirely out of the control of the miners, and problems are minimized when miners behave like Calvin Ayre and Craig Wright, and threaten to water the fields of Carthage with the blood of whomever even thinks about forking the chain. By behaving in this way — and forcing a brutal death-pact on any competing fork — Calvin and Craig are ensuring that only one network ultimately survives to incentivize the production of hashpower. This limits the production of off-chain hash by ensuring a limited flow of resources for new miner production.

In other words, despite the torrent of abuse thrown their way, what nChain is doing is not only the right thing for the security of Bitcoin SV, but it is absolutely essential for the security of proof-of-work as a governance mechanism. The “live and let live” strategy advocated by Roger Ver and Bitmain might sound reasonable to those who want their own fork to play with, but permitting the existence of multiple forks is self-destructive, destroying the security not only of the child fork, but eventually that of the main chain as well. And, yes, this logic extends to the need to eradicate all POW blockchains relying on double-SHA256. Whether SV survives or ABC survives, one of them must absolutely die.

This raises a troubling question: does Bitmain even understand bitcoin’s security model? While one fork might be an accident, two is a nasty habit. It may be that the company’s sales department believes multiple chains are good for business — more buyers for mining equipment — but the long-term result of profligate forking is the collapse of the security mechanism that underpins their entire business model.

On a deeper level, the fact that only nChain seems to be aggressively defending the integrity of its chain raises unsettling questions about the rationality of the entire cryptocurrency space. Why is the entire ecosystem so fork-friendly? And why is it perceived as malicious for miners to protect their own chains by crushing forks? Is the problem that people are lured into economic irrationality by the prospect of “free money” on forked chains? Is this a simple matter of miners not knowing their own interests? Or perhaps there is a collective action problem at play: even though all miners would benefit from crushing a competing fork, no-one will volunteer their hashpower to serve as executioner when there is more profitable mining to be done for the main chain. Is POW only secure when it is backed by a hegemon willing to sacrifice its all in defense of the chain? Or an industrial magnate like Ayre with the conviction to make large bets on network integrity?

Ultimately, it is striking to us that nChain and its followers in the SV camp are the only ones that seem to understand that the survival of proof-of-work as a governance system implies the existence of a single chain with total hash-dominance. We wonder how long people can continue to believe otherwise before it sparks an existential crisis for proof-of-work itself.

* We have heard from friends on both sides that ABC and SV deployed hashpower from other chains into BCH as part of their fork strategies. So while this may or may not be a one-sided attack, we figure that the honour of the name goes to Roger—if only for being the first to publicly own up to using the tactic.
