Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Eric Voskuil <eric@voskuil.org>
Mime-Version: 1.0 (1.0)
Date: Tue, 2 Mar 2021 12:07:16 -0800
Message-Id: <2944FA84-5BE6-4690-9C10-0E43A4954403@voskuil.org>
References: <c7784af1-7f69-2607-ba3a-c34f2b2fe995@riseup.net>
In-Reply-To: <c7784af1-7f69-2607-ba3a-c34f2b2fe995@riseup.net>
To: Chris Belcher <belcher@riseup.net>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] LOT=False is dangerous and shouldn't be used
Precedence: list

To clarify, it is the soft fork enforcement by majority hash power that is t=
he 51% attack, not the stopping of it. Majority hash power censors non-confo=
rming transactions. To counter it requires only a non-censoring majority to c=
ontinue mining.

It is correct that the purpose of supermajority signaling is to reduce the c=
hance of a chain split. It is misleading to call it a bug and to imply that u=
ser activation isn=E2=80=99t actually intended to create, or at least threat=
en, a chain split. It=E2=80=99s a game of chicken.

e

> On Mar 2, 2021, at 10:22, Chris Belcher via bitcoin-dev <bitcoin-dev@lists=
.linuxfoundation.org> wrote:
>=20
> =EF=BB=BFIt is wrong to say that using miner signalling alone for activati=
on
> (LOT=3Dfalse) is a bug.
>=20
> As we vividly saw in the events of the 2017 UASF, the purpose of miner
> signalling isn't to activate or enforce the new rules but to stop a
> chain split. A majority of miners can stop a chain split by essentially
> doing a 51% attack. Such attacks have been known about since day one,
> and even the whitepaper writes about them.
>=20
> So they are not a bug but an inherent part of the way bitcoin works. If
> fixing this issue was a simple as setting a consensus rule parameter
> then bitcoin would have been invented decades earlier than it was.
>=20
> And certainly miner signalling cannot be compared to an inflation bug.
> The inflation rules are enforced by the economy using full nodes, but
> chain splits or lack of them is enforced by miners. They are two
> different parts of the bitcoin system. Back in 2010 there was an
> inflation bug CVE-2010-5139 (the "Value overflow incident") which proves
> my point. Even though miners created a block which printed 184 billion
> bitcoins, the economy quickly adopted a patch which fixed the bug and
> miners switched over to the correct chain which soon overtook the bugged
> chain (there was a reorg of 53 blocks).
>=20
>=20
>=20
>=20
> Also another point: in a hypothetical chain split it's true that the
> LOT=3Dfalse chain would be vulnerable to reorgs, but it's also true that
> the LOT=3Dtrue would suffer from slow blocks.
>=20
> So for example, imagine trading bitcoin for cash in person, but instead
> of waiting on average 10 minutes for a confirmation you have to wait 2
> hours. Imagine depositing coins to an exchange which requires 3
> confirmation, then instead of waiting ~30 minutes you have to actually
> wait 6 hours. This is a significant degradation in usability. The
> situation is a mirror image of how the LOT=3Dfalse chain is vulnerable to
> reorgs. Both chains suffer if a chain split happens which is why they
> are pretty important to avoid. That's why its inaccurate to portray
> LOT=3Dtrue chain as safe with no downsides at all.
>=20
>=20
>=20
>=20
>> On 28/02/2021 19:33, Luke Dashjr via bitcoin-dev wrote:
>> (Note: I am writing this as a general case against LOT=3DFalse, but using=
=20
>> Taproot simply as an example softfork. Note that this is addressing=20
>> activation under the assumption that the softfork is ethical and has=20
>> sufficient community support. If those criteria have not been met, no=20
>> activation should be deployed at all, of any type.)
>>=20
>> As we saw in 2017 with BIP 9, coordinating activation by miner signal alo=
ne,=20
>> despite its potential benefits, also leaves open the door to a miner veto=
.=20
>> This was never the intended behaviour, and a bug, which took a rushed=20
>> deployment of BIP148 to address. LOT=3DFalse would reintroduce that same b=
ug.
>> It wouldn't be much different than adding back the inflation bug=20
>> (CVE-2018-17144) and trusting miners not to exploit it.
>>=20
>> Some have tried to spin LOT=3DTrue as some kind of punishment for miners o=
r=20
>> reactive "counter-attack". Rather, it is simply a fallback to avoid=20
>> regression on this and other bugs. "Flag day" activation is not fundament=
ally=20
>> flawed or dangerous, just slow since everyone needs time to upgrade.
>> BIP 8(LOT=3DTrue) combines the certainty of such a flag day, with the spe=
ed=20
>> improvement of a MASF, so that softforks can be activated both reasonably=
=20
>> quick and safely.
>>=20
>> In the normal path, and that which BIP8(True) best incentivises, miners w=
ill=20
>> simply upgrade and signal, and activation can occur as soon as the econom=
ic=20
>> majority is expected to have had time to upgrade. In the worst-case path,=
 the=20
>> behaviour of LOT=3DTrue is the least-harmful result: unambiguous activati=
on and=20
>> enforcement by the economy, with miners either deciding to make an=20
>> anti-Taproot(eg) altcoin, or continue mining Bitcoin. Even if ALL the min=
ers=20
>> revolt against the softfork, the LOT=3DTrue nodes are simply faced with a=
=20
>> choice to hardfork (replacing the miners with a PoW change) or concede - t=
hey=20
>> do not risk vulnerability or loss.
>>=20
>> With LOT=3DFalse in the picture, however, things can get messy: some user=
s will=20
>> enforce Taproot(eg) (those running LOT=3DTrue), while others will not (th=
ose=20
>> with LOT=3DFalse). Users with LOT=3DTrue will still get all the safety th=
ereof,=20
>> but those with LOT=3DFalse will (in the event of miners deciding to produ=
ce a=20
>> chain split) face an unreliable chain, being replaced by the LOT=3DTrue c=
hain=20
>> every time it overtakes the LOT=3DFalse chain in work. For 2 weeks, users=
 with=20
>> LOT=3DFalse would not have a usable network. The only way to resolve this=
 would=20
>> be to upgrade to LOT=3DTrue or to produce a softfork that makes an activa=
ted=20
>> chain invalid (thereby taking the anti-Taproot path). Even if nobody ran=20=

>> LOT=3DTrue (very unlikely), LOT=3DFalse would still fail because users wo=
uld be=20
>> faced with either accepting the loss of Taproot(eg), or re-deploying from=
=20
>> scratch with LOT=3DTrue. It accomplishes nothing compared to just deployi=
ng=20
>> LOT=3DTrue from the beginning. Furthermore, this process creates a lot of=
=20
>> confusion for users ("Yep, I upgraded for Taproot(eg). Wait, you mean I h=
ave=20
>> to do it AGAIN?"), and in some scenarios additional code may be needed to=
=20
>> handle the subsequent upgrade cleanly.
>>=20
>> To make matters worse for LOT=3DFalse, giving miners a veto also creates a=
n=20
>> incentive to second-guess the decision to activate and/or hold the activa=
tion=20
>> hostage. This is a direct result of the bug giving them a power they were=
n't=20
>> intended to have. Even if we trust miners to act ethically, that does not=
=20
>> justify sustaining the bug creating both a possibility and incentive to=20=

>> behave unethically.
>>=20
>> So in all possible scenarios, LOT=3DFalse puts users and the network at=20=

>> significant risk. In all possible scenarios, LOT=3DTrue minimises risk to=
=20
>> everyone and has no risk to users running LOT=3DTrue.
>>=20
>> The overall risk is maximally reduced by LOT=3DTrue being the only deploy=
ed=20
>> parameter, and any introduction of LOT=3DFalse only increases risk probab=
ility=20
>> and severity.
>>=20
>> For all these reasons, I regret adding LOT as an option to BIP 8, and thi=
nk it=20
>> would be best to remove it entirely, with all deployments in the future=20=

>> behaving as LOT=3DTrue. I do also recognise that there is not yet consens=
us on=20
>> this, and for that reason I have not taken action (nor intend to) to remo=
ve=20
>> LOT from BIP 8. However, the fact remains that LOT=3DFalse should not be u=
sed,=20
>> and it is best if every softfork is deployed with LOT=3DTrue.
>>=20
>> Luke
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>=20
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev