[Ferret7446]

51% is also not very viable for proof of work either.

What 51% gets you is that 51% of the time, you get to choose which transactions go into the blockchain. This is mostly only useful if you want to prevent someone else's transactions from getting in, or for complicated scams where you want one person's transactions to get in before another person's. 49% of the time, those transactions will still get in, so 51% actually doesn't buy you a lot. At best you cause a short term chain split and people will wait longer before the chain stabilizes.

[c0ffeebabe]

You are misunderstanding the attack. At 50+% of the hashing power, you are guaranteed to win a race against the honest block producers. The attack is a double spend: you spend a coin C to pay ADDR_A while mining a private chain that spends the coin C to pay ADDR_B (you can, of course, be ADDR_B).

One ADDR_A accepts your payment, you post your private chain publicly. You coin C cannot be spent to ADDR_A and ADDR_B, so the chain must choose which one is it. Because you have 50%+ of the hashing power, your private chain necessarily has more work (generally simplified to "is longer") than the public chain.

You've now successfully double spent.

In fact: you don't even need 50+% to attempt the attack. I did some math recently I believe something like 40% gets you 75% chance of successfully executing the attack over a 10-block-period. The Bitcoin paper has the exact algorithm to calculate this, it is a random walk.

[null0pointer]

You are never _guaranteed_ to win a race against honest block producers for any finite time horizon, even if you owned 99% of all hashing power.

A double spend via 51% isn't really feasible anyway. A double spend attack, in the simplest case, is to:

1. Pay for good or services

2. Receive delivery of the goods or services

3. Invalidate the original payment once the goods or services are no longer revokable.

For a double spend to be worthwhile the value of the scam must exceed the cost of the scam. Maintaining >50% hashing power is extremely expensive and is more and more expensive the longer you maintain it. Therefore the value of the scam must also be extremely large. For crypto transactions it's common sense to wait for more and more confirmations (additional blocks mined after the block containing the transaction) before delivering the goods or services as the size of the transaction grows. Since it's trivial to wait for N+1 confirmations as the seller of goods or services it's trivial to defend against double spends for any meaningful amount of money.

[senordevnyc]

Isn’t this detectable by the market though? So keep going: what happens to the Bitcoin network once this happens?

[c0ffeebabe]

It is detectable once it happened. If you run your own node, you can tell when it is "reorganizing", i.e.: discarding one branch for another. One block reorgs, or two block reorgs are somewhat common (citation needed, I don't have the numbers at hand). That's why you see most merchants considering your Bitcoin "paid" only after six confirmations. They are protecting themselves against a Bitcoin reorganization of more than six blocks. The more money you accept, the longer your confirmation period needs to be. Some protocols require 100 confirmations.

What happens to Bitcoin when this happens: to "Bitcoin" the software, nothing. Everything just keeps going. To "Bitcoin" as a currency, your guess is as good as mine. It depends on what the "social layer" (the community - devs/users/stakeholders) decide is the best course of action. This would be considered an emergency event.

EDIT: You might be wondering why it is not detectable before it happens. It isn't detectable before because the attack would be privately mining their fork. That is: they would not broadcast the evil blocks.

[corimaith]

Yeah, but what kind of transaction justifies the cost of running such an attack?