02:07:52kanzure:(nothing new, but nothing bad) "This issue could totally be fixed by adding something to the Bitcoin protocol where a transaction can specify what chain it is on, and it would be invalid for miners to include the transaction on any other chain. (For example, the transaction could include the hash of a previous block inside it.) Since we don't have that feature, it is pretty difficult for me to treat the bitcoin I own on both forks ...
02:07:58kanzure:... independently."
02:10:31phantomcircuit:kanzure, wat
02:11:16kanzure:an opcode that checks for a blockhash in history is not very wat
02:11:40phantomcircuit:kanzure, how about, why?
02:12:59kanzure:see spendonlyafterblockhash http://gnusha.org/bitcoin-wizards/2014-12-23.log
02:13:15gmaxwell:kanzure: hm. you've now given me an argument against the transaction checkpoints.
02:13:48gmaxwell:it's undesirable to be able, e.g. I feed you a fork where I've paid you, secure in the comfort that the transaction won't show up on another chain.
02:14:46kanzure:oh right there's probably some sort of collective prisoner's dillema game theory stuff going on there if everyone is only giving out anti-reorg transactions or something
02:15:00kanzure:and presumably reorg-compatible transactions would be more "expensive" heh
02:15:06kanzure:expensive for the receiver.. er..
02:15:29kanzure:i mean: you would have trouble convincing people to give you a more regular type of transaction
02:17:58kanzure:i'm not sure what you mean by fork feeding, why would the rest of the network care about your fork blockset?
02:19:04kanzure:also you could possibly just make it a rule that your transaction checkpoints or spendonlyafter[blockhash] must have a certain minimum blockheight difference like 500 or something
02:22:13kragen:hi, I heard people were talking about IPFS?
02:22:19kanzure:hello kragen, if you wait long enough you can also bug zooko
02:22:31kanzure:no, i'm sorry, i didn't intend to mislead you about that (my message was unrelated to IPFS)
02:23:01kragen:kragen has left #bitcoin-wizards
02:40:25justanotheruser:Sorry if this has been covered, but when there are two top blocks, don't miners have an incentive to try to come to consensus on which one is "more correct"? If the network mined on top of the lower hash block between the two then the odds of another set of competing blocks and a two block reorg would be lower. If a pool just goes by which block it got first then the network would be more evenly split between the two ...
02:40:31justanotheruser:... blocks, maybe 60% would be on fork A and 40% on fork B. If you go by the lower hash, presumably only the miner who made the higher hash block would end up mining it on top of it while the rest would be mining the lower hash block to avoid a fork.
02:43:43justanotheruser:One problem I can see is that if there is a block that is just below the target, the "difficulty" may only be 5% higher to try to get that block out. Maybe that can be fixed with miners considering the lowness of the hash, but also how long it took for the block to get to them after the first.
03:54:56op_mul:the "lowness" of the hash is quite irrelevant, what matters is that they hit the target.
03:55:34justanotheruser:op_mul: Not sure what you mean? I am discussing a possible consensus improvement, not how it works now.
03:55:55op_mul:a chain is evaluated by the cumulative target difficulties, not the cumulative "achieved" difficulties.
03:56:11justanotheruser:I know
03:56:17justanotheruser:please read what I wrote again
03:58:50op_mul:the bit about how long a block took to get to the miner doesn't really make sense in context, the block timestamps are never correct, and doing it like that would give an incentive to warp backwards.
03:59:02op_mul:oh you weren't talking about that.
03:59:17op_mul:sorry, I'll shut up.
04:00:31justanotheruser:yeah, I'm just thinking there is a better way to select which fork to mine on top of when they both have the same height other than which you got first
04:02:41op_mul:I'm not sure you'd actually one block at the same height after another anyway
04:03:40justanotheruser:could you rephrase that
04:04:43op_mul:I can't remember how the client deals with seeing the headers of two blocks at the same height.
04:05:10justanotheruser:I think it only cares about the first one
04:05:22phantomcircuit:op_mul, if they're both the tip then first seen wins
04:05:38op_mul:yes, but you don't even download the alt block do you?
04:06:04phantomcircuit:bitcoin core entirely ignored the other block
04:54:59dgenr8:justanotheruser: that has the undesirable property that the lower has could be seen quite a while after the first block at given height
05:05:21justanotheruser:dgenr8: why is that a problem?
05:05:53justanotheruser:dgenr8: you already have an incentive to mine on top of the top block.
05:06:40dgenr8:justanotheruser: only because he needs to switch what he is wokringon, afaik
05:13:01justanotheruser:I'm not sure what your argument is
05:13:59dgenr8:it's just a minor amount of housekeeping for the software. the other problem you pointed out seems significant though. whole new fork-off vector
05:15:25justanotheruser:Right now miners minimize the risk of a large reorg by mining on the block they think most other people are mining on. This is done by accepting the first propogated block usually. This is imperfect and I am proposing that by accounting for the time the block was sent to you and the lowness of the hash, you may have a better chance of choosing the block the majority of the network is working on (assuming the also follow ...
05:15:31justanotheruser:... the low hash rule)
05:16:18dgenr8:yeah i think i got it. let's see the actual formula ;)
05:18:59justanotheruser:mine on the block with the lowest tslb * hash^(1/N) where N is some variable that is optomized for this purpose. A high N means that the hash won't matter at all most the time, a low N means that an attacker may try to create a fork since his hash being a bit lower means people will mine his fork.
05:24:47dgenr8:that's close to what I thought you were considering ... i thought it might be luckiness^something. your 60/40 scenario doesn't represent a very common case btw...
05:25:51op_mul:it's hard to get stats about how often stale blocks even happen
05:28:30op_mul:miners like the antminer don't even bother submitting a result if it thinks it's a stale
05:29:57phantomcircuit:op_mul, that's silly
05:30:40op_mul:yep. messes with p2pool because a stale p2pool share could be a valid block, and the antminer just throws it out.
05:32:18op_mul:I'm sure other hardware does that too
05:32:26phantomcircuit:the pool software i wrote even tries to submit stale shares to the network
05:32:35phantomcircuit:there's virtually no reason not to push them upstream
05:44:14op_mul:phantomcircuit: have you ever won with that?
05:44:42op_mul:phantomcircuit: oh, and extending on that, how many blocks have you solved that were DOA?
05:46:03phantomcircuit:op_mul, we never won with that but we did get 2 1 vs 1 races
05:46:05phantomcircuit:lost both
05:46:37phantomcircuit:total orphan rate is ~1.5% which is mostly blocks that were stale when received
05:48:06op_mul:phantomcircuit: thank you. my farm was all so far down in the noise that I never got good stats.
05:48:55op_mul:(0% orphans, though!)
05:49:38gmaxwell:justanotheruser: the next block is the consensus on this one; using lowness leads to a profitable withholding attack.
05:50:12gmaxwell:justanotheruser: where you a rationally incented to conceal your block from others when it had a low value that made it likely to be successful in a race even if announced later.
05:53:16justanotheruser:gmaxwell: I don't think the hash should weigh in very much. If someone releases a lower hash block 1 minute later then it shouldn't be considered in most cases.
05:54:11justanotheruser:But when the times are really close, like 10 seconds then the hash might be a useful tool for getting most of the hashpower on the same fork and prevent a 2 block reorg.
05:54:55gmaxwell:justanotheruser: you can remove the attack by making it not matter; yes. is it possible that there is some amount of use which is safe? maybe but if you've made it mostly ignore it in the process what actual thing did you hope to gain except making the software more complex? Especially when it seems to already be unmanagably complex?
05:55:30gmaxwell:justanotheruser: if they were 10 seconds apart they would have already agreed.
05:55:36justanotheruser:The gain would be less >1 block reorgs
05:55:45gmaxwell:(90pct propagation is under that time)
05:56:33gmaxwell:justanotheruser: I'm not actually sure that it would.
05:58:56justanotheruser:If more people are mining the same top block I would at least expect that
05:59:55gmaxwell:actually what you're describing doesn't close the attack.
06:00:37gmaxwell:I mine, if I get a winner, I do not announce, and I try to mine the next one. if someone announces, then I announce. I win as your hurestic still applies as I'm only a second behind.
06:01:02dgenr8:gmaxwell: withholder might get surprised by what other withholders show up to the party with... but not a good milieu to be sure
06:01:36gmaxwell:dgenr8: you know based on your numbers how likely that is and can optimize income.
06:02:11justanotheruser:I'm not sure what you mean. The times are based on the time you receive the block, not the timestamp.
06:02:28justanotheruser:Withholding will continue to cause your withheld block to not be mined on
06:02:36gmaxwell:justanotheruser: please read what I described again.
06:02:41gmaxwell:justanotheruser: no, it doesn't.
06:02:56gmaxwell:You'll be mining on it all along; and everyone else will be when you announce it.
06:03:33justanotheruser:okay, I see what you're saying. This will make withholding profitable when you get a low hash value block.
06:03:48justanotheruser:Basically everytime I get a low hash value block I might as well withhold.
06:09:27op_mul:op_mul is now known as q16
06:48:14q16:q16 is now known as op_mul
07:23:06lclc_bnc:lclc_bnc is now known as lclc
08:02:54[\\\]:[\\\] is now known as completejerk
08:03:07completejerk:completejerk is now known as [\\\]
08:37:06SDCDev:SDCDev is now known as Rynomster
09:05:18hitchcock.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
09:05:18hitchcock.freenode.net:Users on #bitcoin-wizards: andy-logbot adam3us fanquake soundx wiz damethos Rynomster paveljanik contrapumpkin benten waxwing bendavenport TheSeven DoctorBTC pgokeeffe d1ggy_ nick1234abcd__ Dr-G3 PaulCapestany execut3 bosma Emcy justanotheruser Graftec SubCreative adlai dgenr8 Starduster gribble Burrito samson_ atgreen mkarrer fluffypony bbrittain jbenet grandmaster jaekwon_ ryanxcharles spinza austeritysucks wumpus Guest62409 iddo HarusameNyanko delll irc88
09:05:18hitchcock.freenode.net:Users on #bitcoin-wizards: Fistful_of_Coins thrasher` Shiftos yoleaux butters Tjopper PRab NikolaiToryzin nsh epscy wizkid057 luny tacotime nuke1989 mortale catlasshrugged op_mul maaku cluckj Hunger- hashtagg kyletorpey ebfull Greed Iriez ajweiss BlueMatt mbelshe Graet dansmith_btc midnightmagic starsoccer huseby Grishnakh Luke-Jr BrainOverfl0w burcin [d__d] gavinandresen danneu catcow TD-Linux ryan-c smooth Alanius AdrianG tromp pigeons Dyaheon- Cory livegnik
09:05:18hitchcock.freenode.net:Users on #bitcoin-wizards: MRL-Relay pi07r sadgit throughnothing lechuga_ poggy JonTitor hollandais amiller LarsLarsen Muis kumavis michagogo artifexd lnovy cfields btc__ rasengan hguux_ Meeh yrashk a5m0 jgarzik Keefe berndj morcos Logicwax stonecoldpat sl01 optimator null_radix roasbeef_ hktud0 BigBitz [\\\] mappum gnusha otoburb mr_burdell s1w go1111111 HM2 Apocalyptic sdaftuar btcdrak CryptOprah jcorgan forrestv tromp_ lclc harrow @gmaxwell isis brand0 eric Krellan
09:05:18hitchcock.freenode.net:Users on #bitcoin-wizards: @ChanServ jaromil petertodd helo v3Rve espes__ nickler ahmed_ warren fenn phantomcircuit kanzure bobke BananaLotus coryfields Anduck Eliel nanotube gwillen heath EasyAt asoltys_ K1773R comboy andytoshi warptangent Guest38445 phedny so crescendo Taek @sipa sneak azariah kinlo
10:52:54Rynomster:Rynomster is now known as SDCDev
12:53:18lclc:lclc is now known as lclc_bnc
13:13:37d1ggy_:d1ggy_ is now known as d1ggy
14:22:21atgreen:I just hacked moxiebox to optionally record basic block counts for use with gprof: http://ur1.ca/jevjn
14:22:40atgreen:emitting call graph info should be easy as well. I'll submit patch tonight.
14:46:44wumpus:atgreen: nice!
15:04:07lclc_bnc:lclc_bnc is now known as lclc
17:38:39lclc:lclc is now known as lclc_bnc
19:07:39kanzure:seems dangerous to ask exchanges to rely on a third party for listunspents
19:11:25justanotheruser:welll, do you trust the third party the exchange is trusting with your money? Because they can pretty easily take it if they aren't verifying the utxo themselves :P
19:11:27kanzure:and the transactin seems to be created by the remote server essentially
19:11:57kanzure:bendavenport: they were okay with this?
19:15:05kanzure:justanotheruser: yeah, that's my understanding..
19:33:02kanzure:justanotheruser: i suppose one possible defense is if the change address is not a value returned by the api.
20:04:43kanzure:hmm https://github.com/BitGo/BitGoJS/blob/3b72ab19f6620f4ab11c21ab7e326de020f4d340/src/wallet.js#L73
20:06:53kanzure:so the attack is: return one very large unspent for listunspents from the remote api, return hack custom change address, will receive everything 'cept whatever the original withdrawal was for
20:09:34phantomcircuit:kanzure, they're trusting the remote server to give them valid change addresses?
20:10:08phantomcircuit:that kind of defeats the purpose of an hd wallet...
20:30:11zz_lnovy:zz_lnovy is now known as lnovy
20:40:10NewLiberty:NewLiberty is now known as NewLiberty-afk
22:03:07Eliel:phantomcircuit: well, at least it should be possible to verify the given address locally given that it's a deterministic process that creates them.
22:26:05Profreid_:Profreid_ is now known as Profreid
22:34:05Dizzle__:Dizzle__ is now known as Dizzle
22:38:11op_mul:Eliel: I bet they don't verify it though.
22:54:38kanzure:op_mul: bitgojs does not seem to verify it. and i think they are using bitgojs (because what other clients do they have?).
22:56:01op_mul:kanzure: yes, that's not a new flaw either sadly. other people have made similar mistakes in their clients where change addresses aren't validated.
22:57:05kanzure:go on?
22:57:32kanzure:where did other implementations fetch from? i mean there can't be that many ways to get this wrong.
23:01:36op_mul:I'm not going to disclose that.
23:25:37kyletorpey:kyletorpey has left #bitcoin-wizards