How Light Clients Can Protect Themselves From a Bitcoin Coin-Split
Bitcoin could soon split in two. If Bitcoin Unlimited miners start mining blocks exceeding one megabyte, these would be rejected by full Bitcoin nodes like Bitcoin Core and Bitcoin Knots. This could result in two different and incompatible blockchains and networks, each with their own currency: Bitcoin’s “BTC” and Bitcoin Unlimited’s “BTU.”
While full nodes would know which protocol to follow, for many light clients — like almost all mobile wallets — things would not be so clear. One type of light client in particular, Simplified Payment Verification (SPV) wallets, often rely on data received from random nodes. These could be Bitcoin nodes or Bitcoin Unlimited nodes. Therefore, users will have no way of knowing whether they’re seeing BTC or BTU in their wallet interface. They could inadvertently accept one currency, while thinking they’re accepting the other.
But a recent Bitcoin Improvement Proposal by Bitcoin Knots maintainer and Bitcoin Core developer Luke Dashjr can solve this.
Simplified Payment Verification
Simplified Payment Verification was first described by Satoshi Nakamoto in the Bitcoin white paper. SPV wallets do connect to Bitcoin’s peer-to-peer network directly, but request only a bare minimum of data. They currently check blocks for proof of work to make sure these aren’t created out of thin air. And to calculate their balance, they check if any bitcoins were sent to or from their specific Bitcoin addresses.
The problem with SPV wallets is that they can be fooled by miners. For example, a miner could create a block that has a valid proof of work but which spends bitcoins that don’t belong to the miner. The SPV wallet has no idea that these bitcoins don’t belong to the miner, so it would accept the transaction as a valid payment.
Likewise, an SPV wallet doesn’t check for Bitcoin’s block size limit. So, if a split happens, these wallets will check for proof of work but won’t know that a block is invalid according to the (current) Bitcoin protocol. If Bitcoin Unlimited has the longest chain by proof of work, and an SPV wallet receives data from at least one Bitcoin Unlimited node, it blindly follows the Bitcoin Unlimited chain instead.
As an unfortunate consequence, this means that users of SPV wallets could unknowingly accept BTU, when they think they’re accepting BTC. Their wallet can’t tell the difference, and if they are not paying attention to Bitcoin’s scaling debate, they may not even know there was a split. It’s only when they spend their coins, deposit them in a different wallet or send them to an exchange that they’ll find out they don’t own any BTC; they own BTU. Or more accurately: they owned BTU, and now they have to hope that the merchant, the other wallet or the exchange accepts BTU or returns it to them.
And that’s not taking into account that the Bitcoin Unlimited chain may at some point be discarded altogether. If that were to happen, their coins would suddenly disappear from their wallet.
In the Bitcoin white paper, Satoshi Nakamoto proposed a solution for these attack vectors. If a full node detects an invalid block, Nakamoto suggested, it should send an “alert” to SPV nodes. This solution has not been developed, however, and it is unclear whether it really can be.
This explains why some Bitcoin developers have always been wary of the current implementation of SPV wallets. And perhaps none more than Luke Dashjr. (Dashjr even refers to these wallets as “pseudo-SPV” or “pSPV”; he believes their lack of security doesn’t warrant the term “SPV” as described in the Bitcoin white paper.)
Now, Dashjr is proposing a partial fix to the problem, specifically designed for the block size limit. Digging into the weeds of Bitcoin’s hashing algorithm, the Bitcoin developer thinks he has figured out a way to determine whether a block exceeds one megabyte with only the proof of work hash, and a sort of alert first suggested by Nakamoto (now called a “fraud proof”). While an SPV wallet won’t know the exact size, it will know when a block exceeds one megabyte.
These fraud proofs will need to be sent from full nodes, like Bitcoin Core or Bitcoin Knots. Once at least about a quarter of all Bitcoin nodes on the network have upgraded to provide fraud proofs, SPV nodes that have integrated the solution should connect to at least one of them and be relatively reliable.
For some discussion and more information, see the Bitcoin-dev mailing list.