# Blockchain failure

**Video lecture: https://youtu.be/l-rRwSZEkLE**

Your bitcoins and ethers are not as safe as you think. I'm not talking about someone hacking your computer and stealing your bitcoins, and I'm not talking about just you. I'm talking about all of you who hold blockchain-based cryptocurrencies.

But how come? I'll show you mathematically in a moment.
Before we continue, I would be so glad if you smash the like button and subscribe to my channel.

## The misunderstanding of why Satoshi created blockchain

Almost all mainstream media, including Wikipedia, tell you that "blockchain is created to resist modification of its data. This is because once recorded, the data in any given block cannot be altered retroactively without alteration of all subsequent blocks."

I'm sorry, but I have to tell you this: that is not completely correct. Digital signature algorithms are already strong enough to resist modification of the data: once the owner of the coins has signed a transaction, nobody without the private key can alter it and still produce a valid signature.

Here is the question: why blockchain? Why blocks, why not tables? Why chains, why not trees or graphs? And why not just use a traditional database like MySQL and broadcast each transaction over the network instead?

The truth is, Satoshi did not create the blockchain to resist modification of data, but to prevent double spending. That is the whole reason the blockchain exists.

## Is blockchain really safe?

In the Bitcoin network, all nodes accept the longest chain (strictly, the chain with the most accumulated proof-of-work) as the main chain, like the main trunk of a tree. Any branch shorter than the longest chain becomes a useless side branch. The money you received must end up in the main chain to be eventually safe.

What's the purpose of the main chain? 

Digital currencies are just bits: when someone sends you 1 bitcoin, he could send the same bitcoin to someone else at the same time. This is called double spending. To solve this problem, Satoshi invented the blockchain. A transaction is seen as valid by all nodes on the network as long as it is included in the main chain. If the same bitcoin is spent in a different transaction that is not included in the main chain, that other transaction is invalid.


If an attacker can create a branch chain that is longer than the current longest chain, then the bitcoin he sent you can be reversed. 

Here comes the math problem: how likely is he to do that?


## Markov chain in Blockchain

Assume the current longest chain is 99 blocks long and a scammer sends you 1 bitcoin. All honest nodes start mining the 100th block, which includes this transaction. In the meantime, the scammer creates a new transaction that reverses the bitcoin he just sent you by sending the same bitcoin back to himself. He is also trying to mine an alternative 100th block which does not include the 1 bitcoin he sent you, but instead includes the transaction that sends the same bitcoin back to himself.

After the 100th block mined by an honest node is added to the chain, you think you have successfully received your bitcoin. However, the scammer keeps mining hard, trying to catch up with the 100th block. To reverse the bitcoin he sent you, besides catching up with the 100th block, his alternative chain also needs to get one block ahead of the honest chain, to a length of 101. If he succeeds, the honest chain that includes your transaction becomes a side branch and your transaction becomes invalid.

What is the probability of such event?

Let's consider the scenario of an attacker trying to generate a branch chain faster than the main chain. The race between the honest chain and the attacker's chain can be characterized as a random walk on a one-dimensional line. The success event is the honest chain being extended by one block, increasing its lead by 1, and the failure event is the attacker's chain being extended by one block, reducing the lead by 1.

The integers shown here are the length difference between the two chains. $0$ means the attacker's chain and the honest chain have the same length. If the honest chain succeeds in generating the 100th block first, the difference moves right to $1$. For the attacker to get ahead, the attacker's chain must be at least 1 block longer than the honest chain, that is, the difference needs to move two steps to the left, from $1$ to $-1$.

$$
... -n, -(n-1), .... -3, -2, -1, \boldsymbol{0}, 1, 2, 3, ... n-1, n, ...
$$


If we let $X_n$ denote the difference at time $n$, then the process $\{X_n, n=0, 1, 2, ...\}$ is a Markov chain: given the current difference and all its past differences, the probability of moving right or left depends only on the current difference.

To simplify our mathematical model, we shift the states by one: $1$ now means the two chains have the same length, $0$ means the attacker's chain leads by 1 block, and similarly $2$ means the honest chain leads by 1 block.

We further simplify the Markov chain by truncating the states on the right at a maximum value $N$. Once the difference reaches $N$, it can never get back to $0$, that is, the attacker can never take the lead. To recover the probability for our original model, we just need to find the limiting probabilities as $N \rightarrow \infty$.


Let $p$ be the proportion of the total Bitcoin network hashing power held by honest nodes; then $1-p$ is the proportion held by the attacker. The length difference moves one step to the right with probability $p$ and one step to the left with probability $1-p$, which we write as $q$.

States $0$ and $N$ are absorbing states. In state $0$ the attacker has already succeeded. If the process enters $N$, it will never reach $0$.

Let $\alpha_k$ denote the probability that, starting at $k$, the difference eventually reaches $0$. Then $\alpha_0 = 1$ and $\alpha_N = 0$.

Starting at difference $k$, the probability of ever reaching $0$ is $\alpha_k$. Conditioning on the first step, this equals the probability $p$ of moving one step right to $k+1$ times the probability $\alpha_{k+1}$ of ever reaching $0$ from $k+1$, plus the probability $q$ of moving one step left to $k-1$ times the probability $\alpha_{k-1}$ of ever reaching $0$ from $k-1$:

$$
\alpha_k = p\alpha_{k+1} + q\alpha_{k-1}, \qquad k=1,2,...,N-1
$$

Since $p+q = 1$, we can write $\alpha_k = p\alpha_k + q\alpha_k$, giving

$$
p\alpha_k+q\alpha_k = p\alpha_{k+1} + q\alpha_{k-1}
$$

or:

$$
\alpha_{k+1}-\alpha_{k} = \frac{q}{p}(\alpha_k-\alpha_{k-1})
$$

Expanding it, we find:

$$
\begin{aligned}
  & \alpha_{2}-\alpha_{1} = \frac{q}{p}(\alpha_1-1) \\
  & \alpha_{3}-\alpha_{2} = \frac{q}{p}(\alpha_2-\alpha_{1}) = \bigg(\frac{q}{p}\bigg)^2(\alpha_1-1) \\
  & \alpha_{4}-\alpha_{3} = \frac{q}{p}(\alpha_3-\alpha_{2}) = \bigg(\frac{q}{p}\bigg)^3(\alpha_1-1) \\
  & ... ... ... ...  \\
  & \alpha_{N}-\alpha_{N-1} = \frac{q}{p}(\alpha_{N-1}-\alpha_{N-2}) = \bigg(\frac{q}{p}\bigg)^{N-1}(\alpha_1-1) \\
\end{aligned}
$$

Adding up the first $k-1$ of these equations (everything on the left telescopes) and letting $r=\frac{q}{p}$:

$$
\alpha_{k} - \alpha_1 = (\alpha_1 - 1)\bigg[ r + r^2 + r^3 + ... + r^{k-1} \bigg]
$$

Or:

$$
\alpha_k = \begin{cases}
  \alpha_1 \frac{1-r^k}{1-r} - \frac{r-r^k}{1-r} &\text{if } \frac{q}{p} \ne 1 \\
  \alpha_1 k - (k-1) &\text{if } \frac{q}{p} = 1
\end{cases}
$$

Since $\alpha_N=0$, we have $0 = \alpha_1 \frac{1-r^N}{1-r} - \frac{r-r^N}{1-r}$ (and $0 = \alpha_1 N - (N-1)$ in the $r = 1$ case), which gives $\alpha_1$:

$$
\alpha_1 = \begin{cases}
  \frac{r-r^N}{1-r^N} &\text{if } \frac{q}{p} \ne 1 \\
  \frac{N-1}{N} &\text{if } \frac{q}{p} = 1
\end{cases}
$$

Substituting $\alpha_1$ back, we get $\alpha_k$:

$$
\alpha_k = \begin{cases}
  \frac{r-r^N}{1-r^N} \frac{1-r^k}{1-r} - \frac{r-r^k}{1-r} &\text{if }   \frac{q}{p} \ne 1 \\
  \frac{N-1}{N} k - (k-1) &\text{if } \frac{q}{p} = 1
\end{cases}
$$

If we let $N \rightarrow \infty$ (note that $r^N \rightarrow 0$ when $r \lt 1$ and $r^N \rightarrow \infty$ when $r \gt 1$),

$$
\alpha_1 = \begin{cases}
  \frac{q}{p} &\text{if } q \lt p \\
  1 &\text{if } q \ge p
\end{cases}
$$

$$
\alpha_k = \begin{cases}
  (\frac{q}{p})^k &\text{if } q \lt p \\
  1 &\text{if } q \ge p
\end{cases}
$$

Therefore, if the attacker is one block behind the honest chain (state $2$ in the shifted model), the probability that the attacker catches up and then gets one block ahead of the honest chain is $(\frac{q}{p})^2$. If the attacker has 40% of the hashing power versus 60% for the honest nodes, that probability is $(0.4/0.6)^2 \approx 0.44$, around 44%. And I think that is a pretty high probability.
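As an added worked example (my code, not the author's and not anything from the Bitcoin code base), the following Python carries the Markov-chain model above through numerically: the closed form for $\alpha_k$ at finite $N$, its $N \rightarrow \infty$ limit $(q/p)^k$, an independent solution of the recurrence $\alpha_k = p\alpha_{k+1} + q\alpha_{k-1}$ obtained by running it forward from $\alpha_0 = 1$, a Monte Carlo simulation of the race, and the 40%/60% case from this paragraph. The `confirmations_needed` helper goes beyond the page's single case and gives the honest lead at which the reversal probability drops below a chosen level; the 0.1% threshold, the truncation point $N = 40$ and the trial count are my choices, not values from the page.

```python
"""Gambler's-ruin model of the double-spend race described above.

Added worked example (not code from the original page). It uses the page's
shifted states: state 1 means the two chains are equal in length, state 0
means the attacker is one block ahead (attacker has won), state 2 means the
honest chain is one block ahead. p is the honest share of hashing power and
q = 1 - p is the attacker's share. N is the truncation state at which the
attacker is assumed to have lost for good.
"""
import random


def alpha_finite(k: int, p: float, N: int) -> float:
    """Closed-form alpha_k derived above for the chain truncated at state N."""
    q = 1.0 - p
    if k <= 0:
        return 1.0
    if k >= N:
        return 0.0
    if abs(q - p) < 1e-12:                    # r = q/p = 1 branch of the cases
        alpha1 = (N - 1) / N
        return alpha1 * k - (k - 1)
    r = q / p
    alpha1 = (r - r ** N) / (1 - r ** N)
    return alpha1 * (1 - r ** k) / (1 - r) - (r - r ** k) / (1 - r)


def alpha_limit(k: int, p: float) -> float:
    """alpha_k as N -> infinity: (q/p)^k when q < p, otherwise 1."""
    q = 1.0 - p
    return (q / p) ** k if q < p else 1.0


def alpha_by_shooting(k: int, p: float, N: int) -> float:
    """Solve alpha_k = p*alpha_{k+1} + q*alpha_{k-1} without the closed form.

    Rearranged as alpha_{k+1} = (alpha_k - q*alpha_{k-1}) / p, the recurrence
    can be run forward from alpha_0 = 1 and a guessed alpha_1 = a. alpha_N is
    then an affine function of a, so two runs pin down the a with alpha_N = 0.
    """
    q = 1.0 - p

    def run(a: float) -> list:
        seq = [1.0, a]
        for _ in range(2, N + 1):
            seq.append((seq[-1] - q * seq[-2]) / p)
        return seq

    s0, s1 = run(0.0), run(1.0)
    a = -s0[N] / (s1[N] - s0[N])              # alpha_N(a) = s0 + a*(s1 - s0) = 0
    return run(a)[k]


def simulate(k: int, p: float, N: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of alpha_k: random walk until state 0 or N is hit."""
    rng = random.Random(seed)                 # fixed seed so runs are repeatable
    attacker_wins = 0
    for _ in range(trials):
        state = k
        while 0 < state < N:
            state += 1 if rng.random() < p else -1   # honest block +1, attacker block -1
        attacker_wins += state == 0
    return attacker_wins / trials


def confirmations_needed(q: float, target: float):
    """Smallest honest lead z with (q/p)^z <= target, or None if q >= p.

    Goes beyond the page's single 40/60 example: this is the lead a recipient
    should wait for before treating a payment as final at the given risk level.
    """
    p = 1.0 - q
    if q >= p:
        return None
    z = 0
    while (q / p) ** z > target:
        z += 1
    return z


if __name__ == "__main__":
    p, k, N = 0.6, 2, 40                      # the page's 40%-attacker example; N is my choice
    print("closed form, N=40 :", alpha_finite(k, p, N))
    print("N -> infinity     :", alpha_limit(k, p))
    print("recurrence solve  :", alpha_by_shooting(k, p, N))
    print("Monte Carlo       :", simulate(k, p, N, trials=20000))
    for q in (0.1, 0.3, 0.4):                 # illustrative attacker shares, 0.1% risk level
        print(f"attacker q={q}: wait {confirmations_needed(q, 0.001)} blocks "
              f"for <0.1% reversal risk")
```

Running it prints roughly 0.444 four ways for the 40/60 case, which is the 44% quoted above. The same formula is why a recipient waits for several confirmations before treating a payment as final: with a 10% attacker, four blocks of honest lead already push the reversal probability under 0.1%, while a 40% attacker needs 18. Note that this is the plain $(q/p)^z$ bound from the derivation above; it does not account for blocks the attacker may already have mined in secret while the honest lead was being built.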

Some people may say, yeah yeah, but that probability declines exponentially as the difference between the two chains grows. That's true. However, once the attacker succeeds, his alternative chain becomes the main chain and is accepted by the rest of the miners on the Bitcoin network, who start mining new blocks on top of it, further extending the attacker's chain. And the bitcoin he sent you 10 minutes ago is now invalid.


