Monero appears to be in the midst of a successful 51% attack

2025-08-12 11:56 · 506273 · twitter.com


Comments

  • By vlugorilla 2025-08-12 13:21 · 4 replies

    A 6 re-org does not mean a '51% attack' was successful. In that case, we'd see unbounded-depth re-orgs/no blocks mined by any other mining pool (assuming the adversary censors other mining pools, as this one does).

    It does mean an adversary with a high amount of hash got lucky. I noted there's a discrepancy between their claimed network hashrate and pools' claimed network hash rate.

    They may not be including their own hash rate in the network's, in which case they'd need to exceed it. Having 51% would only be 34% of total.

    They're an unreliable narrator and I wouldn't trust any data from them. There's insufficient evidence to claim they have 51% of the network's hash power.

    (https://nitter.net/kayabaNerve/with_replies)

    • By vlugorilla 2025-08-12 13:23 · 1 reply

      Qubic never actually hit 51% btw. Don't fall for it.

      However they do have a large enough hashrate to perform multi-block re-orgs with their selfish mining strategy.

      They disabled API hashrate reporting so that they could lie about it.

      Keep mining and ignore the noise.

      (https://nitter.net/tuxpizza/status/1955191610410401816#m)

      • By reorder9695 2025-08-13 8:43 · 1 reply

        I am not that well versed in crypto. I understand the concept of a blockchain and what an n block reorg is, but what is the downside of a reorg? Like who can profit financially and why?

        • By johnpaulkiser 2025-08-13 12:51

          You get all the money from the block rewards for those blocks if you reorg other miners blocks out.

    • By cyanydeez 2025-08-12 23:22 · 1 reply

      America would be screwed if owning 51% of its value meant you could rewrite ownership.

      *gestures wildly*

      • By 01HNNWZ0MV43FF 2025-08-13 8:59 · 1 reply

        Good thing you need 30 percent, a larger number

        • By leokennis 2025-08-13 11:34 · 1 reply

          Didn't know ChatGPT was on HN

          • By red-iron-pine 2025-08-14 13:05

            GPT has been shaping conversations on HN, directly or indirectly, since GPT-1 mate.

            Reasonably creditable studies put 30-40% of social media having some sort of AI or automation. This is just the low hanging fruit.

    • By mvdtnz 2025-08-12 18:30 · 2 replies

      What's a "6 re-org"?

      • By acjohnson55 2025-08-13 2:25 · 3 replies

        I'm a little rusty with the terminology, but in a blockchain, the canonical current block is the one that has the greatest amount of proof of work (I think they call this the heaviest chain). Typically, each new block is the descendant of the most recent block. But it is possible to create a heavier chain from an earlier block. This invalidates any transactions on what was previously known to be the heaviest chain, and is called a reorg.

        The farther back, the less likely a reorg is, so to have a reorg that invalidates 6 blocks is extremely unusual.

        If one entity has a majority of the hash power, they gain the ability to try to force reorgs with a likelihood that increases with their advantage in hash power.

        I typed all this before realizing I could have recommended you ask an LLM, and it probably would have given you a better answer.

        • By creatonez 2025-08-13 9:40 · 1 reply

          > I typed all this before realizing I could have recommended you ask an LLM, and it probably would have given you a better answer.

          Please don't. This would be useless spam, and is completely rude. Do we tell people to "Just google it?" here?

          • By acjohnson55 2025-08-13 18:19

            It's different in that there's no need to go hunting through search results. This is what Claude responded when I just asked it: https://claude.ai/share/684fa294-ee35-4044-8344-99e1ceb2e643

            I don't think that's spam at all, and I don't think I did anything special in my prompt that someone with less background knowledge could have done.

        • By tromp 2025-08-13 9:37

          User skarz did indeed ask an LLM, which got [flagged] since the LLM gave a distinctly worse answer. Expand the [9 more] below to see it.

        • By jmholla 2025-08-13 2:50 · 1 reply

          This was a great answer. I'm glad you spent the time on it. Though I am curious what the 6 indicates.

      • By skarz 2025-08-12 18:42 · 2 replies

        [flagged]

        • By tromp 2025-08-12 19:30 · 1 reply

          No, it's not 6 blocks longer. It just needs to be 1 longer (i.e. 7 blocks since the last common block), which guarantees a higher cumulative difficulty and thus all honest miners will switch to the new branch, obsoleting 6 blocks on the old branch.
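The rule tromp describes, as an added example that is not part of the thread or of Monero's code: a node follows the branch with the highest cumulative difficulty, so a withheld 7-block branch released against a 6-block public branch (equal per-block difficulty) moves the tip and orphans all 6 blocks. The model generalises slightly by also showing the equal-work tie (no switch) and a shorter but heavier branch winning; block labels, difficulty units and the confirmation count are constructed values.

```python
"""Toy fork-choice model of the 6-block reorg discussed above.

Added example, not code from the thread or from Monero. Nodes follow the
branch with the highest cumulative difficulty, so a withheld branch that is
one block longer at equal per-block difficulty (7 vs. 6) displaces the public
tip and orphans the 6 blocks beneath it. Also covered: the equal-work tie
(no switch), a shorter but heavier branch winning, and a monitoring check.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Block:
    hid: str               # constructed label standing in for a block hash
    parent: Optional[str]  # hid of the parent, None for genesis
    height: int
    difficulty: int        # work this block represents (arbitrary units)


class ChainView:
    """One node's view: every block seen, cumulative work per block, current tip."""

    def __init__(self, genesis: Block) -> None:
        self.blocks: Dict[str, Block] = {genesis.hid: genesis}
        self.work: Dict[str, int] = {genesis.hid: genesis.difficulty}
        self.tip: str = genesis.hid

    def ancestors(self, hid: str) -> List[str]:
        """Block ids from hid back to genesis, newest first."""
        out: List[str] = []
        cur: Optional[str] = hid
        while cur is not None:
            out.append(cur)
            cur = self.blocks[cur].parent
        return out

    def reorg_depth(self, old_tip: str, new_tip: str) -> int:
        """Number of old-branch blocks above the common ancestor, i.e. blocks orphaned."""
        on_new = set(self.ancestors(new_tip))
        depth = 0
        for hid in self.ancestors(old_tip):
            if hid in on_new:
                break
            depth += 1
        return depth

    def add_block(self, b: Block) -> Optional[int]:
        """Accept a block; return the reorg depth if the tip jumped to another branch."""
        if b.parent not in self.blocks:
            raise ValueError(f"block {b.hid} has unknown parent {b.parent}")
        self.blocks[b.hid] = b
        self.work[b.hid] = self.work[b.parent] + b.difficulty
        # Fork choice: strictly more cumulative work wins. On a tie the
        # first-seen tip is kept, so an equal-work branch causes no switch.
        if self.work[b.hid] > self.work[self.tip]:
            depth = self.reorg_depth(self.tip, b.hid)
            self.tip = b.hid
            return depth or None
        return None


def mine_branch(parent: Block, label: str, n: int, difficulty: int) -> List[Block]:
    """Constructed chain of n blocks extending parent, labelled label1, label2, ..."""
    out: List[Block] = []
    for _ in range(n):
        h = parent.height + 1
        parent = Block(f"{label}{h}", parent.hid, h, difficulty)
        out.append(parent)
    return out


def simulate(honest_len: int, private_len: int, private_difficulty: int = 100) -> dict:
    """Honest miners extend the public tip; a withheld branch is then released at once."""
    genesis = Block("G", None, 0, 100)
    node = ChainView(genesis)
    for b in mine_branch(genesis, "H", honest_len, 100):
        node.add_block(b)
    public_tip = node.tip
    depth: Optional[int] = None
    for b in mine_branch(genesis, "P", private_len, private_difficulty):
        depth = node.add_block(b) or depth
    return {"old_tip": public_tip, "tip": node.tip, "reorg_depth": depth,
            "work_old": node.work[public_tip], "work_new": node.work[node.tip]}


def flag_deep_reorg(depth: Optional[int], confirmations: int) -> bool:
    """Monitoring check: a reorg at least as deep as the confirmation count a
    service waits for means payments it treated as final were undone."""
    return depth is not None and depth >= confirmations


if __name__ == "__main__":
    r = simulate(6, 7)
    print(f"{r['old_tip']} (work {r['work_old']}) -> {r['tip']} (work {r['work_new']}), "
          f"reorg depth {r['reorg_depth']}")
```

Running `simulate(6, 6)` shows that an equal-work branch does not move the tip, and `simulate(6, 4, private_difficulty=200)` shows a 4-block branch orphaning 6 blocks because cumulative work, not length, decides.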

          • By skarz 2025-08-12 19:35 · 1 reply

            Well, there you have it. GPT-5 failed a basic explanation lol.

        • By 1270018080 2025-08-12 19:42 · 2 replies

          It would be impossible to enforce, and a place like HN that has leaders who evangelize AI as a cure-all would never do it, but "I asked AI and here's what it said" comments should be against the rules.

          • By dragonwriter 2025-08-12 21:21 · 1 reply

            Actually, they shouldn't, because then people will do it without announcing it, and you want them to be open.

            They're almost invariably low quality and deserving of downvotes for that reason, but being open is better than them being camouflaged.

          • By dotancohen 2025-08-12 20:08 · 1 reply

            Why?

            Most such comments are actually informative, and the honesty about asking an AI is an important detail. This particular one was heavily downvoted, as it should have been, because it was wrong. It was still a human writing, trying to be helpful.

            • By dsr_ 2025-08-12 20:19 · 1 reply

              You shouldn't downvote entries that are wrong, you should present evidence against them. People shouldn't feel penalized for being wrong, just not rewarded for it.

              However, you should downvote for doing things that hurt the community -- and "I asked ChatGPT" hurts the community almost as much as "I googled this for you" does.

              • By aspenmayer 2025-08-12 21:44 · 1 reply

                Downvoted for disagreement and for mentioning voting, but I'm telling you why because you think I ought to say something if I disagree, which I'm able to do in this case.

                It's fine to downvote things that you believe are wrong or simply disagree with, and I have read mods on HN say that downvoting for disagreement is okay. Asking or insisting for more from an HN user is presumptuous, and discussion of voting is largely considered off-topic and therefore not really what the guidelines suggest we should do.

                https://news.ycombinator.com/item?id=43560543

                > Downvoting for disagreement has always been fine on HN. People sometimes assume otherwise because they're implicitly porting the rules from a larger site, but that's a mistake.

                > https://news.ycombinator.com/item?id=16131314

                More to the upthread point, generated comments are against guidelines:

                https://news.ycombinator.com/item?id=33950747

                > HN has never allowed bots or generated comments. If we have to, we'll add that explicitly to https://news.ycombinator.com/newsguidelines.html, but I'd say it already follows from the rules that are in there. We don't want canned responses from humans either!

                These are quotes from dang, not my own. I'm just an HN user, which is why I found the quotes to help everyone make up their own mind what the guidelines say.

                • By dsr_ 2025-08-13 12:08 · 1 reply

                  I note that the body of your comment implicitly agrees with me that providing evidence is a good thing :)

                  The character of a community is formed by what it does more than what it says it does.

                  • By aspenmayer 2025-08-13 23:37

                    I would tend to agree that it usually does benefit the discussion to say why one disagrees instead of a simple drive-by downvote, but when folks have already agreed to disagree or are in the process of reaching such agreement, more rabble-rousing inclined folks tend to jump into the fraying thread to sow discord, so I understand why it’s not in the guidelines that we must specify why we downvote or flag instead of just doing so.

                    More from dang on this topic here:

                    https://news.ycombinator.com/item?id=12334384

                    The whole comment is worth a read, so here’s just a taste:

                    > Our goal is to optimize HN for intellectual curiosity, which requires a higher signal/noise ratio. Downvotes dampen low-value comments. I know downvotes do bad things too, but that's the good thing they do, and it's big. Taking that away and/or increasing the noise with a flood of people disagreeing about their disagreements would not be an optimization.

    • By NooneAtAll3 2025-08-12 16:53 · 1 reply

      who are "they" you're talking about?

      • By vlugorilla 2025-08-12 17:14 · 2 replies

        "They" refers to Qubic (by Sergey Ivancheglo), a blockchain network that uses a "Useful Proof-of-Work" system, so it is not built for traditional cryptocurrency mining that solves arbitrary puzzles. Instead, it uses the collective processing power of its miners to train an AI. Qubic's AI-training work is performed by CPUs, same as used by RandomX (Monero's mining algo).

        Qubic was able to orchestrate its network of miners to temporarily halt their AI-related tasks and redirect their collective CPU power to mine on the Monero network instead.

        Also, Qubic has implemented an economic strategy that involves selling the Monero it mines for a stablecoin like USDT and then using those funds to benefit its own ecosystem and attract more miners, and renting hardware to gain more hash power. The proceeds from the sale of XMR are used to buy Qubic's native token (QUBIC) from exchanges. These purchased tokens are then "burned" or permanently removed from circulation.

        • By sidewndr46 2025-08-12 21:45

          This seems oddly similar to the whole IRON/TITAN thing years back, but with extra steps.

        • By greazy 2025-08-12 17:26 · 2 replies

          What's their objective?

          • By treyd 2025-08-12 18:19 · 1 reply

            My guess would be to turn the crank of a ponzi scheme until it falls off.

            However,

            > Qubic's AI-training work is performed by CPUs, same as used by RandomX (Monero's mining algo).

            I don't understand how this makes any sense at all.

            • By fruitworks 2025-08-12 18:55 · 1 reply

              I've looked into the "source code", and it doesn't. There is no such thing as useful PoW. Qubic isn't actually a decentralized cryptocurrency. It's closed source, runs as an EFI executable, and is only accessible from their discord channel.

              The attack is no different than paying miners to join a malicious pool. It works as long as money flows in.

              • By OneDeuxTriSeiGo 2025-08-12 19:27 · 3 replies

                There is such a thing as useful proof of work. Qubic may not be doing it but it does exist. The linked papers [1][2] are examples of ways to do it. They aren't 100% "useful" but rather achieve partial efficiency by essentially forcing miners down random paths in a manner that limits the ability to complete work ahead of time or otherwise "cheat".

                1. https://eprint.iacr.org/2021/1379

                2. https://eprint.iacr.org/2023/1059

                • By contravariant 2025-08-12 21:58 · 1 reply

                  Proof of useful work feels like it's one and a half steps removed from discovering seigniorage and reinventing money.

                  • By OneDeuxTriSeiGo 2025-08-13 2:57

                    I mean that's just proof of work. PoUW is just an attempt at converting some of that work into something worthwhile and not pointless hash grinding.

                    There's a lot of re-inventing the wheel in the cryptocurrency space but on the formal academics side of the space people are very cognizant of what they are working on and their work is focusing on improving very specific properties of consensus algorithms.

                • By nullc 2025-08-14 0:57 · 1 reply

                  > There is such a thing as useful proof of work.

                  Not really-- or, rather, the security provided by proof of work is only proportional to the part of the cost above the fair value of the useful work.

                  One of the main ideas behind POW security is that you spend energy and the thing you get for it is income in the blockchain. And so if you mine unfaithfully your work will end up on a chain of debased value or won't end up in the eventual consensus chain at all... so your effort is burnt out.

                  Now imagine a POW that costs $5 in energy and does $5 in "useful work" --- well in that system you can now attack for 'free'. Or say it costs $6 in energy to mine plus does $5 in "useful work". There your security is related to the $1, the $5 is mostly coming along for a ride.

                  There are other problems with "useful" proof of work: e.g. A POW function should ideally be approximation free and optimization free... if an attacker invents a better version they gain an advantage. So e.g. if the miner detects that this particular work instance is 'hard' they can just discard it and try another. This makes it really hard to do much of anything 'useful' except the most contrived kinds of 'useful' without creating vulnerabilities.

                  But difficulties aside, the fact that outside benefits don't contribute to security (or at least don't contribute much) makes the whole idea space kind of unexciting.

                  • By OneDeuxTriSeiGo 2025-08-15 2:50

                    > Not really-- or, rather, the security provided by proof of work is only proportional to the part of the cost above the fair value of the useful work.

                    This is only partially true for a number of reasons.

                    > Now imagine a POW that costs $5 in energy and does $5 in "useful work" --- well in that system you can now attack for 'free'. Or say it costs $6 in energy to mine plus due $5 in "useful work". There your security is related to the $1, the $5 is mostly coming along for a ride.

                    This is one aspect; however, you make assumptions about the rewards that are not necessarily true. If rewards only pay out on a cycle or if the rewards have a locking/"vesting" schedule before they become accessible. There's a lot of ways to make attacks more expensive/nonviable but without the "useful work" aspect, they've not provided meaningful benefits to the protocol and therefore haven't been integrated.

                    > There are other problems with "useful" proof of work: e.g. A POW function should ideally be approximation free and optimization free... if an attacker invents a better version they gain an advantage. So e.g. if the miner detects that this particular work instance is 'hard' they can just discard it and try another. This makes it really hard to do much of anything 'useful' except the most contrived kinds of 'useful' without creating vulnerabilities.

                    Now with this you'd see that the research papers explicitly were tackling this problem. The one is implementing an SMT solver/optimizer for large, expensive problems. It uses random walks (forcing the miner to bias their choices in specific random ways) based on a VRF or their results are invalid. The efficiency is only 50% of course however that doesn't mean the price is 50%, just that the energy efficiency is 50%. The market on problems to be solved of course will still be priced on supply/demand (give or take parameters) and if there is insufficient utilization, mining falls back to a traditional PoW algorithm.

                    So in a sense what PoUW is attempting to do is to supplement the valuation of the underlying tokens via production/cash inflow rather than purely relying on demand for tokens to pay the transaction fees.

                    Also I do want to point out that those papers aren't just making claims, they include a lot of verification and proofs to demonstrate the functionality of the systems in question.

                    > But difficulties aside, the fact that outside benefits don't contribute to security (or at least don't contribute much) makes the whole idea space kind of unexciting.

                    The interest is in being able to produce a digital resource (that can be used for consensus) from a physically hard task while actually producing something of value as a side effect.

                    Gold and other metals were valuable as currency because they were difficult to mine; however, their value increased because practical uses for the metals increased demand beyond the synthetic demand as a currency. That increased incentives for mining which led to more mining. Eventually it reached equilibrium.

                    Also notably outside of a given PoUW algorithm's viability as a PoW, it's still important research because every PoUW algorithm that is game theoretically sound is viable as a decentralised market for computation/work where cheating is effectively non-viable.

                • By fruitworks 2025-08-12 20:26

                  I will have to read these papers then. My intuition is that it's impossible to usefully use PoW to train neural networks because you have to rely on user-submitted training data in order to work which allows you to cheat by pre-determining the solution to your own work.

                  It's not a terrible idea, but I've yet to see it be implemented. Gridcoin is one typical example where it's just PoS with "useful PoW" tacked on for token distribution, and doesn't actually use PoW for security.

          • By fruitworks 2025-08-12 18:57

            Gain media attention and pump their coin.

  • By moomin 2025-08-12 12:47 · 7 replies

    To summarise:

    * One actor in the space appears to have done a proof of concept takeover of 51%.

    * It’s not clear there was any malicious action nor intent in doing so.

    * Performing something like this is definitely expensive.

    * The potential impact of doing so is disputed.

    * Whether or not it was achieved is also disputed

    However, what has been known for some time is that the largest BitCoin miners have more power than the entire community of many alt-coins. Whether this is an issue is a matter for debate. Certainly, until now, no-one has chosen to flex like this.

    • By nickysielicki 2025-08-12 14:51 · 1 reply

      > Whether this is an issue is a matter for debate.

      Monero uses RandomX, which is intentionally chosen to make it difficult to accelerate using hardware that is common with other coins. It’s almost certainly not what happened here.

      • By latchkey 2025-08-12 19:50 · 1 reply

        CPU was a terrible choice.

        • By pas 2025-08-12 20:31 · 3 replies

          why? what's better?

          • By JKCalhoun 2025-08-12 22:22 · 2 replies

            It would be interesting if a "coin" were tied to protein folding prediction or something else useful.

            • By MadnessASAP 2025-08-13 3:45 · 1 reply

              Proof-of-Work fails if the work has value.

              • By ssd532 2025-08-13 7:04 · 3 replies

                why?

                • By MadnessASAP 2025-08-13 8:19 · 2 replies

                  In Proof-of-Work the cost of the work is what keeps the network honest. If the work has value then an attacker is free to invest as many resources as they want into subverting the network. Even a failed attack can still be profitable, just less so.

                  In another scenario, where the work's value is less than the cost, you're still hoping that at no point in the future will an attacker figure out a way to do the work at a net profit.

                  The only way the network can be trusted is if the work has, definitely now and always, 0 value.

                  • By chipsrafferty 2025-08-13 14:24

                    Not littering has value. However, if I don't litter, it doesn't benefit me, and I cannot profit off of it; no matter how eco-friendly I am, I get no value from it.

                  • By OldfieldFund 2025-08-13 13:25 · 1 reply

                    Am I wrong in saying that the work has negative value? And there are different degrees of that. Bitcoin's negative value is larger.

                    • By MadnessASAP 2025-08-13 14:44

                      You are not wrong, the output has no value. The work then being Value Out - Value In.

                • By red-iron-pine 2025-08-14 13:09

                  Because Proof-of-Work only generates value for an arbitrary, made up coin if it has no other real value.

                  Otherwise you're making money that way, and the value of the coin is tied to the work that you did.

                  Until recently gold was a pretty but mostly useless metal. Too heavy for practical uses, too melty for industrial uses, too soft for weapons, etc. But it didn't rust and was a good medium of exchange because it had no other real value. Once it has value outside of being currency it's less useful in that capacity, since now its value is tied to how much you can get for it by utilizing it in computers, chemical reactions, etc.... Same basic idea with PoW.

                • By 4gotunameagain 2025-08-13 7:10 · 1 reply

                  I don't think it's true, look up Proof of Useful Work

                  • By moomin 2025-08-13 12:12 · 1 reply

                    Which, ironically, is used by the attacker in this case.

                    • By OneDeuxTriSeiGo 2025-08-15 3:17

                      It's worth noting that lots of projects claim to be "Proofs of Useful Work" without the academic rigor to actually prove so. The attacker of course being one of those who has failed to do so.

                      1. Their paper has not been accepted by any conference or journal.

                      2. Neither author on their paper is an academic (or practicing engineer or researcher) in the fields of computer science, economics, game theory, or cryptography (or any maths in general). The one is a C-level exec with what seems to be minimal CS experience and the other is a psychology professor. Neither author appears to have qualifications to be able to assume some level of rigor (before looking at the underlying work).

                      3. The paper is a bunch of text and buzzwords about AI and AGI intermixed with some academic history and some discussions on psychology. Of the 47 pages of the paper, only about 1-2 pages are semi-technical in major with an additional ~3 pages of code included to show their algorithm. There are two graphs relevant to the protocol on those 1-2 pages and neither one addresses any security aspects, instead showing its performance at doing the "useful" part. So again to reiterate, their "academic paper" on the security of their PoUW algorithm includes no rigorous analysis of the protocol.

                      TLDR They aren't doing PoUW. They are doing cooperative compute with a centralised or federated coordinator dishing out rewards.

                      Proofs of Useful Work do actually exist and are an interesting field but they take a lot of rigor and analysis to be accepted and not immediately ripped to shreds. What the attacker claims is not even close to meeting that bar.

            • By jayknight 2025-08-13 1:50

              Isn't that what GridCoin is?

              https://gridcoin.us/

          • By subsistence234 2025-08-13 15:55

            Since ASICs are built for mining one specific algorithm and no other, ASIC miners are invested in the survival of "their" mining algorithm.

            If there are several competing coins using the same algorithm, it may be possible to incentivize ASIC miners to destroy one of them if it benefits the others, but even then it's risky.

            CPUs in contrast can be used for a million different things; CPU miners are not incentivized to support any given crypto project. It's also much easier to rent large amounts of CPUs than of ASICs.

          • By latchkey 2025-08-13 3:24 · 1 reply

            Disclaimer: ran a 150k GPU eth mining operation

            PoS is the obvious choice now that ETH has had a bit of time to run. But, I remember when they went through the switch (before ETH PoS). Doing some sort of variation on GPU memory hard mining would have been a smart choice (ethash, progpow, etc), knowing full well that ETH would eventually go PoS. It would have given all the miners something to switch to, instead of just shutting down entirely, because there wasn't anything but ghost chains.

            • By subsistence234 2025-08-13 15:56 · 1 reply

              I'm still a fan of PoW. PoS incentivizes centralization.

              • By latchkey 2025-08-13 15:58 · 1 reply

                Hilariously posting in a thread about a 51% attack happening, because of miner centralization.

                • By subsistence234 2025-08-13 19:26 · 1 reply

                  It's mainly an argument against CPU/GPU mining. If you have invested in specialized hardware that can mine only one coin, you're strongly incentivized to protect trust in that coin. An attacker like Qubic would need to pay you a lot more than they need to pay a CPU miner.

                  • By latchkey 2025-08-13 20:25 · 1 reply

                    So then, _centralize_ around an ASIC?

                    Tell me, how well did that work for Grin?

                    • By subsistence234 2025-08-13 23:21

                      >Tell me, how well did that work for Grin?

                      Crypto projects succeed/fail for all kinds of reasons that are completely unrelated to de-/centralization. You'll have to be more specific about what Grin's case should teach us.

                      >So then, _centralize_ around an ASIC?

                      ASICs are commodities. For BTC (SHA-256) there are at least 8 different companies producing ASICs, and even a smaller project like KAS (kHeavyHash) has >4 competing companies. Not much centralization risk on that side, at least not for mature projects (which a hypothetical ASIC-XMR would be by now).

                      The main challenge for ASIC-miners is the same as for CPU- and GPU-miners: cheap electricity -- and that's not something that can easily be centralized.

    • By lagniappe 2025-08-12 12:53 · 3 replies

      >until now, no-one has chosen to flex like this.

      The two networks have wildly different proof-of-work algorithms, they're incompatible. A BTC ASIC will never mine Monero, ever.

      • By soganess 2025-08-12 21:40 · 3 replies

        I ask this not as a gotcha (I don't know the first thing about this), but rather because I'm interested: How do you know not "ever"?

        Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine, hence I can use it to run whatever algorithm I want. Would that be more efficient than using a modern OoO superscalar? Almost surely not, but that doesn't mean it can't be done, just that it shouldn't be done that way.

        *: I realize that the ASICs used in Bitcoin miners don't have dram access, but that isn't a general limitation of ASICs, just those ASIC 'chips' (and maybe not even those chips, just their implementations in bitcoin miners)

        EDIT: Thanks to everyone who answered! For some reason, I had it in my head that the way we implement fixed function stuff in an ASIC was basically the same as a "burn once" FPGA. Brains gonna brain.

        • By tux3 2025-08-12 22:22

          >Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine

          No, that doesn't follow at all. An ASIC doesn't mean a general purpose CPU or FPGA. A chip that only knows how to do, say, video decoding is an example of an ASIC. The video chip can't do bitcoin, the bitcoin chip can't do monero. They're not general purpose.

        • By BoppreH 2025-08-12 22:18

          You might be confusing ASICs with FPGAs. You can't reprogram an ASIC: the algorithm is fixed at design time, and the chip is built for this single purpose.

        • By blibble 2025-08-12 22:23

          > Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine

          asic does not mean turing complete

          good luck simulating a von neumann machine on a sha256 accelerator

      • By rokkamokka 2025-08-12 13:02 · 2 replies

        That's not true for all altcoins however

        • By yieldcrv 2025-08-12 14:27

          It's always hilarious when someone launches an L1 with an algorithm everyone can already dominate and it gets attacked immediately

          Last time I saw that was on photonics processor blockchains

        • By scyclow 2025-08-12 14:32 · 2 replies

          Pretty much everything other than bitcoin, monero, and dogecoin is running proof of stake these days anyhow, so it kind of doesn't matter.

          • By OutOfHere 2025-08-12 14:56

            Litecoin goes in that PoW group too.

            In fact, Litecoin has an optional privacy feature called MWEB, which is probably why Litecoin too got kicked off of being named on some conventional news sites.

          • By subsistence234 2025-08-13 16:08

            KAS is PoW, at ~240 times the hash-rate of LTC, ~120 000 000 times the hash-rate of XMR, and 0.0007 times the hash-rate of BTC. Obviously not really comparable...

            https://poolbay.io/coins

      • By idiotsecant 2025-08-12 15:43 · 3 replies

        That's not at all relevant to parent post's point. BTC mining is famously centralized, and continues to get more so. It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash. It's inevitable. It's bad system design - it makes being able to manufacture your own custom silicon table stakes to run a financial system for some reason.

        BTC will have to move to a proof of stake design to survive. It's unavoidable.

        • By ifwinterco 2025-08-12 15:55 · 1 reply

          That is debatable, but also besides anything else, changing to PoS means changing the tokenomics (some tail emission for staking rewards, no 21m hard cap), which means it's incredibly unlikely to happen

          • By ChadNauseam 2025-08-12 22:01 · 1 reply

            why would staking rewards be any more necessary than mining rewards?

            • By ifwinterco 2025-08-13 7:23 · 1 reply

              In the end state (after ~2140), mining rewards just come from TX fees. But true, it is possible you could just redistribute TX fees to stakers.

              Post-merge ethereum is designed so that the gas fees and the staking rewards roughly cancel out on balance (so overall inflation is around zero), but they are decoupled so even if nobody is using the network you still get a staking yield

              • By eurleif 2025-08-13 7:25 · 1 reply

                >so overall inflation is around zero

                Pedantic point: monetary inflation is around zero, not necessarily price inflation (which is what people typically mean when they just say "inflation").

                • By ifwinterco 2025-08-13 14:49

                  Yes sorry, important clarification.

                  In theory if the entire world was on an ethereum standard with a steady state population, price inflation would also average out to zero

        • By LikesPwsh 2025-08-12 16:52, 1 reply

          BTC can't move to proof of stake because religious zealots would keep their money in the old fork.

          It's doomed in general, see the cash fork.

        • By robocat 2025-08-12 15:56, 3 replies

          > It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash

          The ASIC manufacturer would also need a backdoor. ASIC manufacturers don't control mining.

          Large miners are unlikely to allow backdoors into their mining network.

          • By fruitworks 2025-08-12 19:00

            ASIC miners often do control mining. They often mine with chips before they drop them in the public market

          • By passivegains 2025-08-13 0:01

            I think they mean the manufacturer would just keep most of the stock for themselves. Reminds me of that famous Scarface quote: "You should get high on your own supply, it's a great idea that won't end horribly."

          • By idiotsecant 2025-08-13 3:44

            >ASIC manufacturers don't control mining.

            I don't think you understand the BTC mining ecosystem

    • By mattwilsonn888 2025-08-12 14:38, 4 replies

      "Performing something like this is definitely expensive"

      That is false. A 51% attack is only expensive to the degree to which the hashpower required to exceed 50% is obtained at negative margins.

      If an attacker can collect the total 51% or more hashpower at what would be a profitable rate despite the attack, then the attack is not "definitely expensive" - no, the attack is definitely profitable and the expense falls sorely on the minority.

      • By hombre_fatal 2025-08-12 14:39, 3 replies

        Just because something is profitable doesn't mean it's not expensive, which only means it costs a lot of money.

        Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed. And the attack is not available to you if you can't front those resources (because it's expensive rather than cheap).

        • By marcosdumay 2025-08-12 20:44

          I guess the clearer term for that would be "capital intensive".

        • By ozlikethewizard 2025-08-12 15:13, 1 reply

          surely the fall in value of XMR caused by such an attack would make it unprofitable as well

          • By jcfrei 2025-08-12 15:42, 1 reply

            You could just short XMR heavily and profit that way.

            • By loxs 2025-08-12 17:37, 1 reply

              You can only do that on centralized exchanges, which would mean that you effectively doxx yourself by shorting. Also the exchange will most probably seize your funds before you are able to withdraw them.

              • By 0x457 2025-08-12 20:09, 1 reply

                Not sure how you are doxxing yourself; what's stopping me from YOLOing my life savings into this short after reading a few comments in this thread?

                • By subsistence234 2025-08-13 16:13, 1 reply

                  You'd have to spend $30M per day in order to control 51% of XMR, and then you'd YOLO your life savings (which would have to be another couple hundred million dollars) on centralized exchanges without anyone noticing?

                  • By 0x457 2025-08-13 17:49, 2 replies

                    I meant I, as someone that is aware of the attempt to take over, not as an attacker.

                    It's only doxxing if you can connect that large transaction to the attacker, but you can't unless I'm missing something.

                    • By subsistence234 2025-08-18 20:47

                      I was completely wrong about the cost. XMR mining rewards amount to only $150k/day.

                      At the height of the attack, Qubic (the company) paid people up to $3 in QUBIC for every $1 of XMR they mined through QUBIC, and they achieved around 33% of XMR's hashrate which was sufficient to mine the majority of blocks for a few hours.

                      If they were forced to buy back all those QUBICs they paid out, this might have cost them ~$100k/day. But thanks to the media attention it's likely that they didn't need to buy anything back and actually were able to emit more than they otherwise could have.

                      XMR needs to adapt -- switch to PoS, or ASIC-based PoW, or a hybrid of both.

                    • By subsistence234 2025-08-13 19:40

                      Oh yeah for sure.

        • By blantonl 2025-08-12 14:48, 2 replies

          Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed.

          There is a word for this. We call it risk.

          • By zamadatix 2025-08-12 15:04, 3 replies

            I'm not sure I'd call this risk. Risk would be "you can invest the money, but you might not get it back" however the above is referring to the "a 51% attack absolutely works but you need a shit ton of money to do it" aspect instead. This makes it capital intensive, not (necessarily) risky.

            • By freehorse 2025-08-12 15:22, 1 reply

              The fact that it succeeds does not mean that you get the money back (eg the price of monero could drop if that happens). You may also have miscalculated some parameters in all this or something unexpected happens (where human factor is involved). So there should always be risk involved imo. Otherwise I agree, even in a probability 1 success situation this would still not be called "cheap".

              • By zamadatix 2025-08-12 15:54

                Agreed, no such thing as a real-world investment with truly 0 risk.

            • By IncRnd 2025-08-13 1:02, 1 reply

              It is absolutely risky. Your facilities can burn down once the ASICs arrive and before they are turned on, or your employees simply steal them for their own uses. Heck, you can have a fire once they get powered-on, because a power cable was poorly made. You might get sent the wrong product, or you could be ghosted without a delivery.

              Expensive is a better fit than capital intensive, because there are massive ongoing costs to actually perform the attack, electricity for one.

              If you want to understand the risks for a project, pretend you are at arms length and are being asked to fund the project 100% up-front. You'll find a huge list of risks very soon.

              • By zamadatix 2025-08-13 12:29

                This is why I didn't say it made the investment risk free, I said being capital intensive does not make something (inherently) risky. There is no such thing as an investment without risk, but how risky it is is largely orthogonal to how capital intensive it is, and the above was talking about the latter so using the term "risk" for that half is not a great correction.

            • By loxs 2025-08-12 17:46, 1 reply

              Having the power to deny others to mine blocks does not mean that you can obtain the tokens from their wallets. Miners can't sign transactions on users' behalf. You can rewrite all of history but then no exchange will accept your version of it to let you exchange the tokens for fiat. Also this will almost certainly crash the price of XMR substantially. And later people will be able to fork/restore the original version. The technological side of the blockchain is only part of the consensus/trust/market/popularity. People are the other part, and people will not pay the attacker for their successful attack.

              • By MadnessASAP 2025-08-13 3:53, 2 replies

                The attacker doesn't need to steal tokens. They just need to short the token while they sufficiently disrupt the network to drive down the price. They get the money and your tokens become worthless.

                • By subsistence234 2025-08-18 20:46

                  I was completely wrong about the cost. XMR mining rewards amount to only $150k/day.

                  At the height of the attack, Qubic (the company) paid people up to $3 in QUBIC for every $1 of XMR they mined through QUBIC, and they achieved around 33% of XMR's hashrate which was sufficient to mine the majority of blocks for a few hours.

                  If they were forced to buy back all those QUBICs they paid out, this might have cost them ~$100k/day. But thanks to the media attention it's likely that they didn't need to buy anything back and actually were able to emit more than they otherwise could have.

                  XMR needs to adapt -- switch to PoS, or ASIC-based PoW, or a hybrid of both.

                • By subsistence234 2025-08-13 16:19, 1 reply

                  Controlling 51% of XMR costs ~$30M per day, you'd have to short a huge amount of XMR to make that worthwhile. Who would be the counter party and how would you do that anonymously?

                  The attack itself is unprofitable, the "profit" for Qubic is the publicity they get. (or at least that's what they're betting on)

                  • By MadnessASAP 2025-08-13 18:24

                    Monero has a theoretical market cap of $4.7B USD and daily volumes >$100M USD. I wouldn't recommend taking that short position in one go but over a few days and a few exchanges I wouldn't see a problem acquiring a very large short of the token.

      • By devmor 2025-08-12 16:24

        If I buy a yacht for $2 million and sell it for $4 million, it’s still an expensive yacht. Profit doesn’t make it less expensive.

      • By bawolff 2025-08-12 16:19

        When people say foo is expensive, they mean the gross cost not the net profit.

      • By dumbfounder 2025-08-12 14:40, 1 reply

        Unless they drive the price into the ground.

    • By apercu 2025-08-12 13:18, 4 replies

      In all seriousness, can you explain why the "impact of doing so is disputed". In my layperson's understanding, if you control ~51% of the hashrate you can outpace everyone else in producing blocks, which means you can change (reorganize) your blockchain history, which means the ledger isn't trustworthy. Right?

      • By PhilippGille 2025-08-12 14:39, 1 reply

        It's worth being precise here:

        - The attacker can doublespend their transactions if their hashing power is high enough to create more blocks than what the recipient is waiting for. E.g. you buy a lambo, the shop waits 10 blocks after the tx is in a block and gives you the lambo, then you create a longer chain with 11 blocks to replace the other one, and don't include the original lambo tx. 51% of hashing power is enough to create new blocks, but not enough to create 11 alternative blocks. That requires more hashing power.

        - The attacker can prevent other transactions from landing in a block, as long as they have majority

        - But the attacker can't create fake transactions (e.g. if they only have 1k Monero, they can't create a tx with 2k Monero). Because all nodes (not only miners) still verify the transactions

        - And the attacker can also not steal your money, because they don't have your private keys
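As an added worked example for the confirmation-depth reasoning in the comment above (this is not code from any commenter or from the Monero project): Nakamoto's catch-up calculation from section 11 of the Bitcoin whitepaper, which gives the probability that an attacker holding a fraction q of the hash rate ever overtakes a chain that is z blocks ahead. The modelling assumptions (memoryless block finding; the attacker mines a private chain that omits the payment and publishes it only once it is strictly longer) are spelled out in the docstring, and the names `catch_up_probability` and `confirmations_needed` are mine. A merchant deciding how many blocks to wait is choosing z against an assumed q; the table the whitepaper prints is this function evaluated for a few values.

```python
"""Added example (not from any commenter): the attacker catch-up
probability from section 11 of the Bitcoin whitepaper, applied to the
"wait N blocks before handing over the goods" reasoning in the thread.

Model assumptions (the standard ones in that derivation):
  * the attacker controls fraction q of the hash rate, honest miners 1-q;
  * the attacker mines a private chain that omits the payment and
    publishes it only once it is strictly longer than the public chain;
  * block finding is memoryless, so the number of attacker blocks found
    while the merchant waits for z blocks is Poisson with mean z*q/(1-q).
"""
import math
from typing import Optional


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate share q ever overtakes the
    honest chain once the merchant has seen z confirmations on top of the
    payment.  For q >= 0.5 the attacker wins with probability 1 given enough
    time: the lead is a gambler's-ruin walk with non-negative drift."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    ratio = q / p          # chance of closing a one-block gap, per whitepaper
    lam = z * ratio        # expected attacker blocks while honest mine z
    # Sum over k = attacker blocks found so far: P(k) * P(catch up from z-k behind)
    lose = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        lose += poisson * (1.0 - ratio ** (z - k))
    return 1.0 - lose


def confirmations_needed(q: float, max_risk: float, limit: int = 1000) -> Optional[int]:
    """Smallest number of confirmations z whose catch-up probability is below
    max_risk, or None if no z up to `limit` achieves it (always the case for
    q >= 0.5, where no finite wait is safe against a sustained majority)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45):
        row = ", ".join(f"z={z}: {catch_up_probability(q, z):.4f}" for z in (0, 1, 2, 5, 10))
        print(f"q={q:.2f}  {row}")
        print(f"        confirmations for <0.1% risk: {confirmations_needed(q, 0.001)}")
    print(f"q=0.51  z=11: {catch_up_probability(0.51, 11)}")
```

Two things the numbers make concrete that the lambo example only hints at: for q below one half the risk falls off exponentially in z, so a merchant can pick a wait that matches its tolerance (with q = 0.1, five confirmations already put the risk under 0.1%), while for q at or above one half the function returns 1 for every z, because a walk with non-negative drift reaches any finite lead eventually, so no fixed confirmation count protects against a majority that is sustained for long enough.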

        • By apercu 2025-08-12 15:26, 1 reply

          In my head I kind of simplified it - if I can reorder the blocks in my history I can "reverse" a transaction, like "erase" that I bought a lambo yesterday so today I have not only the lambo, but the money that was in my account before I bought the lambo, too. But maybe I'm trying to oversimplify and missing the forest for the trees (this is very much not my domain).

          • By Ekaros 2025-08-13 9:52

            My understanding is limited. But in addition to not making the transaction "not happen", it is better to make a new transaction for the money, as the transaction would still be valid later and could be included later. Thus "double spend".

      • By corimaith 2025-08-12 13:54, 1 reply

        That's the point, you can only change YOUR history. From the perspective of a future merchant, that's trivial to deal with. And for existing transactions, you'd need the value of the goods from the transactions to exceed the cost of controlling the network to be worth it. But what kind of goods that can be transferred so quickly would be worth that much?

        • By xnorswap 2025-08-12 14:45, 1 reply

          Maybe there's more resilience to prevent chain swaps now, but my understanding of the original blockchain algorithm is that:

          At block N someone could start to privately mine (empty) blocks.

          They keep mining in private until block N+x is public, at which time the private (51%) chain is length N+x+1.

          They then announce their longer chain.

          By the protocol, this longer chain (technically "most work" chain) is the more trusted one, and undoes any transactions in N+1 through N+x.

          • By SamPatt 2025-08-12 16:27, 2 replies

            More or less, but the private chain doesn't need to contain empty blocks.

            A more sophisticated attack would include all the legitimate transactions on the network except for their own transaction(s) which they're trying to double spend. That way the network isn't disrupted apart from the parties you're double spending against.

            • By xnorswap 2025-08-13 7:50

              Indeed, but I was arguing that the parent claim that "only your transactions" could be affected was false.

              It's true that you can't synthesise false transactions, but you can undo anyone's transactions, not just your own.

            • By LikesPwsh 2025-08-12 16:55, 1 reply

              That way you can also claim 100% of mining rewards with 51% hash rate.

              • By _3u10 2025-08-12 20:43, 2 replies

                How? If that were true you’d also be able to get 50% of block chain rewards with 25.1% of the hashing power. But you can’t because it isn’t true.

                • By Sohcahtoa82 2025-08-12 23:00

                  If you control 51% of the hashing power, that means you can solve more blocks than the entire rest of the network combined. Even if other nodes on the network solve a couple blocks before you, statistically, you will eventually create a longer chain of blocks and the network will switch to your chain.

                  But your chain has every block solved by you, giving you all the block rewards.

                  That's the magic of the 51% attack. You gain control of the blocks. Because that extra 1% isn't a HUGE margin, it may take a while for your chain to become the winning chain, but theoretically, it will happen.

                • By dbdr 2025-08-12 22:49

                  You only mine blocks on top of your previous blocks, ignoring blocks produced by the 49%. Since you have 51%, your chain is the longest over time, so you have 100% of the mining rewards.

                  You can't do that with 25% (or even 40%) hashrate.
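An added replayable simulation (constructed for this thread; not code from any commenter, pool or the Monero project) of the strategy xnorswap describes above (mine privately, publish once the private chain is longer) and of dbdr's and Sohcahtoa82's point that a majority miner following it ends up with every block: the attacker mines only on top of its own blocks and publishes its chain whenever it is strictly longer than the public one, and honest miners always extend the longest public chain. The block-finder sequence is either scripted (`replay`) or drawn at random with attacker share q (`simulate`); both names and the `Outcome` record are mine. It shows the two regimes the thread argues about: with q above one half the public chain ends up entirely attacker-mined and honest blocks keep being orphaned in reorgs of unbounded depth, while with q below one half the same strategy wins a few early reorgs and then falls behind for good.

```python
"""Added example (not from any commenter): a replayable simulation of the
"mine only on your own blocks, publish when longer" strategy discussed in
the thread.  Constructed model, not Monero's or any pool's code.

Assumptions:
  * every block is found either by the attacker ('A') or by honest miners
    ('H'); in `simulate` the attacker holds fraction q of the hash rate;
  * honest miners always extend the longest public chain;
  * the attacker never builds on an honest block and publishes its private
    chain as soon as it is strictly longer than the public one, which
    orphans every honest block mined since its previous publication.
"""
import random
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class Outcome:
    attacker_blocks: int                              # attacker blocks in the final public chain
    honest_blocks: int                                # honest blocks in the final public chain
    reorgs: List[int] = field(default_factory=list)   # honest blocks orphaned per publication

    @property
    def attacker_share(self) -> float:
        total = self.attacker_blocks + self.honest_blocks
        return self.attacker_blocks / total if total else 0.0

    @property
    def max_reorg(self) -> int:
        return max(self.reorgs, default=0)


def replay(events: Iterable[str]) -> Outcome:
    """Replay a sequence of block discoveries ('A' or 'H') and report who owns
    the public chain at the end plus the depth of every reorg on the way."""
    private = 0     # attacker blocks found so far (all on the attacker's own chain)
    published = 0   # attacker blocks the network has already accepted
    honest = 0      # honest blocks on top of the published attacker chain
    out = Outcome(0, 0)
    for who in events:
        if who == "H":
            honest += 1
        elif who == "A":
            private += 1
            if private > published + honest:
                # Longest-chain rule: the network switches to the attacker's
                # chain and every honest block since the last publish is lost.
                if honest:
                    out.reorgs.append(honest)
                published, honest = private, 0
        else:
            raise ValueError(f"unknown miner tag {who!r}")
    out.attacker_blocks, out.honest_blocks = published, honest
    return out


def simulate(q: float, n_blocks: int, seed: int = 0) -> Outcome:
    """Draw n_blocks block finders with attacker probability q and replay them."""
    rng = random.Random(seed)
    return replay("A" if rng.random() < q else "H" for _ in range(n_blocks))


if __name__ == "__main__":
    for q in (0.33, 0.45, 0.51, 0.60):
        o = simulate(q, 20_000, seed=1)
        print(f"q={q:.2f}: attacker share of public chain={o.attacker_share:.3f} "
              f"reorgs={len(o.reorgs)} deepest={o.max_reorg}")
```

`replay("AAHAHHHAAAA")` ends with a 7-block attacker chain and a single 4-deep reorg, which is the shape of the "got lucky for a while" case: a minority can produce one deep reorg by stringing together a run of blocks, but it cannot keep doing so, and the run of q=0.33 versus q=0.51 in the main block shows the difference between occasional deep reorgs that then stop and reorgs that never stop. That is why a reorg count on its own does not establish a majority; the honest chain getting permanently starved does.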

      • By the_sleaze_ 2025-08-12 13:31

        Yes.

    • By nomilk 2025-08-12 13:50, 2 replies

      Newb question, but why's it expensive, aren't they mining the whole time and can therefore make the usual money from that mining?

      • By subsistence234 2025-08-13 19:36

        AFAIK Qubic (the company) is paying people extra to mine XMR through Qubic (if you mine $1 worth of XMR, you get $1.50 worth of QUBIC (the coin) which you can then sell). Qubic (indirectly) loses those extra $0.50. If on average the miners sell too much (more than two thirds of the rewards), then Qubic has to buy their own coins back in order to keep the price stable. Qubic bets on their coin pumping from the publicity.

      • By treyd 2025-08-12 14:35

        You are correct. It's expensive if you want to go rewrite history. 51% is when that becomes economically viable to do on its own.

    • By mvdtnz 2025-08-12 18:32, 1 reply

      No one is spending $75M a day to do a proof of concept. There's obviously some kind of intent to profit.

      • By fruitworks 2025-08-12 19:02

        Qubic aims to profit from the publicity

  • By rahen 2025-08-12 13:16, 3 replies

    This is odd. The current hash rate is around its nominal 5 GH/s, and neither any pool nor individual seems to be above 50%:

    https://miningpoolstats.stream/monero

    This Qubic group claims to concentrate 3 GH/s of hashing power, yet there has been no increase in the global hash rate either:

    https://www.coinwarz.com/mining/monero/hashrate-chart

    Could this be just a bait?

    • By znpy 2025-08-12 13:58, 1 reply

      Dumb question: I took a look at https://miningpoolstats.stream/ethereumclassic for Ethereum Classic and f2pool.com seems to have ~64% of the total hashrate... is that a takeover as well?

      • By idiotsecant 2025-08-12 15:45

        I mean, it means that eth classic's ledger is rewritable on a whim by that pool, if it has central control.

    • By nullc 2025-08-14 1:02

      You don't mean to suggest that a scammy cryptocurrency entity that is currently bragging about attacking a competing system might ... lie to people???? Is that possible?

    • By fruitworks 2025-08-12 19:11

      Peek at the % of unknown miners in the pie chart at the bottom

      Also https://moneroconsensus.info/

HackerNews