Yo can fool a SPV wallet even if it requires a thousands confirmations using this attack, and you don't need a Sybil attack, so yes, it impacts SPV wallets also. The protections a SPV node should have to prevent this attack are different, so it must be considered separately.
It should be said that a SPV node can avoid accepting payments if any Merkle node is at the same time a valid transaction, and that basically almost eliminates the problem. SPV Wallet would reject valid payments with a astonishingly low probability. On Sat, Jun 9, 2018 at 2:45 PM Peter Todd <p...@petertodd.org> wrote: > On Sat, Jun 09, 2018 at 02:21:17PM +0200, Sergio Demian Lerner wrote: > > Also it must be noted that an attacker having only 1.3M USD that can > > brute-force 72 bits (4 days of hashing on capable ASICs) can perform the > > same attack, so the attack is entirely feasible and no person should > accept > > more than 1M USD using a SPV wallet. > > That doesn't make any sense. Against a SPV wallet you don't need that > attack; > with that kind of budget you can fool it by just creating a fake block at > far > less cost, along with a sybil attack. Sybils aren't difficult to pull off > when > you have the budget to be greating fake blocks. > > > Also the attack can be repeated: once you create the "extension point" > > block, you can attack more and more parties without any additional > > computation. > > That's technically incorrect: txouts can only be spent once, so you'll > need to > do 2^40 work each time you want to repeat the attack to grind the matching > part > of the prevout again. > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org >
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
