This is an action point from the last dev meeting:
Beam recently announced repeated 51% attacks on their network that resulted in exchanges being defrauded.
Since it’s possible that Grin will become target of a similar attack at some point in the future, it’s worth to consider our options.
There are two main options, each coming with their own set of trade-offs:
EITHER: keep the “longest chain rule” intact, and do not introduce any checkpoints. This makes it easier to 51% attack a chain with low hashpower. If this happens or is at risk of happening, you will then need to instruct exchanges and vulnerable services to increase their confirmation times for transactions. They may not follow your advice, and people and services may lose money. You try to ride out the attacks as best you can. This can create a negative death spiral, where: Chain has low hash power -> Gets attacked successfully -> Confidence in chain is lost / exchanges delist -> Chain gets even less hash power -> Attacks become easier … etc.
OR: introduce checkpoints of some sort where re-orgs beyond a certain horizon are no longer possible. This leads to the longest chain rule no longer being sound. It is harder to 51% attack, but it becomes much easier for an attacker to force a network split. This then introduces a centralization point where some group of people determine which chain to follow after a split occurs.
Beam ended up implementing a rolling checkpoint mechanism (option 2 above) that prevents re-orgs from happening that are deeper than 60 blocks. The “longest chain rule” is no longer valid beyond that threshold.
They also increased the required amount of confirmations to 70, or 80.
While it is now harder for these 51% attacks to continue, it is easy for an attacker to force their network to split, something which can happen repeatedly.
What should Grin do?
The “longest chain rule” is a fundamental principle of nakamoto consensus, and is ultimately what is allowing the network to automatically decide which chain to follow, removing the need for a trusted authority to instruct the network on which chain is the “right” one.
In the meeting, which everyone is urged to read the notes from, the general consensus was:
Grin would rather suffer a 51% attack than adopt an unsound longest chain rule.
Do you agree?
Opinions for/against, as well as other ideas are welcome.
 Beam added an exception to this reorg rule, which states that if the current tip has seen no progress in the last hour, then deep reorgs are allowed.
This so that after a chain split, if one side is abandoned by miners, then nodes on that side will rejoin the other side automatically.
This mechanism can be prevented by an attacker that continues to mine the chain, as long as they can bring difficulty down fast enough to avoid a >1 hour block.
Therefore forcing a manual intervention.