Re-quantifying Bitcoin double-spending risk: Is it safe to confirm 6 transactions?

特邀专栏作者

2023-02-20 13:00

This article is about 1800 words, reading the full article takes about 3 minutes

The rule of thumb is no longer applicable, and those who trade large amounts need to evaluate the transaction risk in real time based on the current mining ecology.

AI Summary

Expand

The rule of thumb is no longer applicable, and those who trade large amounts need to evaluate the transaction risk in real time based on the current mining ecology.

Original compilation: aididiaojp.eth, Foresight News

If you've ever used the Bitcoin network to transact, you may be aware of the dangers of accepting unconfirmed (aka zero-confirmation) transactions. Without confirmation, bitcoin recipients are vulnerable to race attacks, Finney attacks, and 51% attacks.

When you have at least one transaction confirmed, then you will no longer be vulnerable to racial attacks or Finney attacks. Now the only thing you care about is a 51% attack. What is the rule of thumb for its acceptable number of confirmations?

1 confirmation: Enough for small payments under $1,000.
3 Confirmations: Most exchanges require 3 deposit confirmations for payments of $1,000-$10,000.
6 Confirmations: For large payments between $10,000 and $1 million. Six confirmations is considered a safe standard.
10 Confirmations: Recommended for large payments > $1 million.

In-depth exploration

Naturally Bitcoin isn't that simple, and our so-called confirmatory rules of thumb are just based on assumptions we're not really talking about.

For example, the confirmation thresholds listed above as a rule of thumb are actually based on an attacker with 10% of the global hash rate, in which case 6 confirmations are 99.99% guaranteed that the attacker cannot rewrite in the blockchain network A large number of historical records.

But these calculations (which can be found in the white paper) were done long before mining pools and industrial mining, when it was reasonable to assume that it would be difficult for someone to own more than 10% of the global hash rate. Since 2011, a large number of block producing entities (mining pools) have emerged on the network, amassing well over 10% of the global hash rate. At the time of writing, there are 5 such pools.

Quantify real-time risk

bitcoin white paperPages 6 and 7Outlines a method for calculating the risk of an attacker rewriting the blockchain after a given number of transaction confirmations.

The competition between the honest chain and the attacker chain can be described asbinomial random walk. A success event is when the honest chain is extended by one block, increasing its lead by 1, while a failure event is when the attacker's chain is extended by one block, reducing its lead by 1. The probability that the attacker chain catches up to the honest chain is given by something likegambler brokequestion. In layman's terms: the gambler (the attacker) has a negative expected value of winning most of the time, so the longer they play the game with this negative expected value, the less likely they are to be winners.

Given that we assume the attacker owns less than 50% of the network hashrate, the probability of the attacker catching up decreases exponentially with the number of blocks they have to catch up. Since the longer the delay, the worse it is for the attacker, and if he doesn't get lucky with a sprint forward early on, his chances dwindle as he falls further and further behind. The attacker's potential progression probability resembles a Poisson distribution, since all mining is a Poisson process, and thus successful outcomes follow this distribution.

To determine the probability that an attacker can rewrite the blockchain from z blocks ago, we multiply the Poisson density of each amount of progress the attacker can make by the probability that he can catch up at that position, where:

p = probability that an honest miner finds the next block
q = probability that the attacker will find the next block
z = how many blocks need to be reorganized (confirmation)
lambda = z * (q / p)
k = integer from 0 to z

It's not a fun formula to calculate, so it seems like a good choice for an open source project.

Confirm Risk Calculator

i createdThe following tools, which will dynamically calculate the current chain reorganization risk (from the trailing weeks of mined blocks.) based on the pool with the highest hash rate estimate. Of course, you can override this parameter with any other hash rate percentage as well as obtain a risk score The number of confirmations required.

Now it's easy to see that if we want to be 99.9% sure that our transaction won't be double spent, for an attacker with a given percentage of network hash rate, as the attacker's hash rate approaches 50%, the number of confirmations will increase dramatically.

why should you care

At the time of writing, Foundry has 36% of the global hash rate, which means that if you accept a payment after 3 confirmations, Foundry still has a 49% chance of rewriting the blockchain and launching a double spend attack.

Assuming the attacker has 10% hashrate, the rule of thumb of 6 block confirmations ensures 99.99% that no double spend will occur, whereas now it would take 60 transaction confirmations to achieve the same level of confidence.

Summarize

While Bitcoin is robust and stable in some ways, it is very volatile in others. It is important for anyone making high volume transactions on the Bitcoin blockchain to be aware that their risk assessment should be adjusted based on the current state of the mining ecosystem.

To be clear, the above points about Foundry should not be interpreted as some sort of imminent or systemic threat to the integrity of the Bitcoin network. Over the past decade, we have seen ebbs and flows in miner concentration due to a number of factors. For example: