<div dir="ltr"><div><div>>As far as I can tell there is no opportunity cost to casting a malicious
vote, no repercussions, and no collective action barrier that needs to
be overcome.<br><br></div>There is another interesting analysis on BMM and drivechains from <a href="https://www.reddit.com/r/Bitcoin/comments/6ztp3b/lets_discuss_something_techrelated_for_a_change/dn0rsdo/">/u/almkglor on reddit</a>. I'm going to share here for visibility. <br></div><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p>The problem with drivechains and blind merged mining is the
disconnect between voting and "blind" merge mining. With BMM, a miner
can do:</p><ol><li> Not accept BMM, not vote.</li><li> Not accept BMM, operate their own sidechain node, mine sidecoin, and vote correctly.</li><li> Not accept BMM, always upvote (i.e. allow theft).</li><li> Not accept BMM, always downvote (i.e. strangle).</li><li> Accept BMM, not vote.</li><li> Accept BMM, operate their own sidechain node, and vote correctly.
(not mine sidecoin directly: they get paid in maincoin by sidecoin-only
miners).</li><li> Accept BMM, always upvote (i.e. allow theft).</li><li> Accept BMM, always downvote (i.e. strangle).</li></ol><p>3 and 7 will mean that non-verifying miners will be (inadvertently)
complicit in theft. Drivechains have 1008-block cycles ostensibly to
protect against theft, so that someone can "raise the alarm" and tell
miners to downvote a particular theft withdrawal, but that sounds too
much like centralized collusion to me.</p><p>Strategy 8 will dominate over strategy 6, since the miner does not
have to run a sidechain node (reduced cost) while still earning the same
as strategy 6.</p><p>Strategies 5->8 are all strictly superior to 1->4, so BMM does
not really change anything: strategy 8 (equivalent to strategy 4 if BMM
is not implemented) will still choke strategy 6 (equivalent to strategy 2
if BMM is not implemented)</p><p>It seems Drivechain's security model is: miners always upvote by
default. If a theft withdrawal is done on the mainchain, some sidechain
nodes call up their miner friends (which makes me worry about miner
centralization) to downvote it instead.</p><p>The problem is: what if after a theft withdrawal is defeated, another
theft withdrawal is done? And another, and another? This weakens the
peg: while a theft withdrawal is on-going, a genuine withdrawal can't be
posted (at least as I understand Sztorc's explanation). This chokes
the sidechain withdrawal.</p><p>The difference from maincoin is that attempts to choke the block are
somewhat costly and a maincoin user can offer a higher transaction fee
to beat the spam. If side->main is choked, no amount of sidecoin can
be offered to beat the spammed theft transactions.</p><p>I don't know, it seems like very weak security to me.</p></blockquote><div>TLDR: a miner is most profitable if he always accepts BMM bribes, but downvotes withdrawal transactions (WT). This obviously isn't ideal because a withdrawal will never occur from the drivechain if enough miners employ this strategy -- which seems to be the most profitable strategy. <br></div><div><br></div><div>-Chris<br></div><div> </div>
</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 4, 2017 at 1:36 PM, Chris Pacia via bitcoin-dev <span dir="ltr"><<a href="mailto:bitcoin-dev@lists.linuxfoundation.org" target="_blank">bitcoin-dev@lists.linuxfoundation.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="m_4849272993808656596quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><div class="m_4849272993808656596quoted-text">I think you are missing a few things.<br></div>
<br>
First of all, I think the security model for sidechains is the same as<br>
that of every blockchain<br>
<br>
People will say things, like "but with sidechains 51% hashrate can steal<br>
your coins!", but as I have repeated many times, this is also true of<br></span>
mainchain btc-tx. is something else?<br></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">There are substantial opportunity costs as well as a collective action problem when it comes to re-writing the mainchain. </div><div dir="auto"><br></div><div dir="auto">Is there anything similar for drivechains? As far as I can tell there is no opportunity cost to casting a malicious vote, no repercussions, and no collective action barrier that needs to be overcome. </div><div dir="auto"><br></div><div dir="auto">Unless I'm missing something I wouldn't liken the security of a drivechain to that of the mainchain.</div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="m_4849272993808656596quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"></blockquote></div></div></div></div>
<br>______________________________<wbr>_________________<br>
bitcoin-dev mailing list<br>
<a href="mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.<wbr>linuxfoundation.org</a><br>
<a href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" rel="noreferrer" target="_blank">https://lists.linuxfoundation.<wbr>org/mailman/listinfo/bitcoin-<wbr>dev</a><br>
<br></blockquote></div><br></div>