39

I often read that checkpoints protect the network from a 51% attack because an attacker cannot reverse transactions made before the last checkpoint.

How exactly does this checkpoint mechanism work? And who creates the checkpoints?

Murch
  • 75,206
  • 34
  • 186
  • 622
nmat
  • 11,509
  • 14
  • 50
  • 78

4 Answers4

30

The checkpoints are hard coded into the standard client. The concept is, that the standard client will accept all transactions up to the checkpoint as valid and irreversible. If anyone tries to fork the blockchain starting from a block before the checkpoint, the client will not accept the fork. This makes those blocks "set in stone".

ThePiachu
  • 43,091
  • 25
  • 139
  • 348
  • 1
    So a checkpoint is usually created everytime the client is updated? – nmat Nov 02 '11 at 01:05
  • As far as I know, yes, but it is all in the hands of the developers. – ThePiachu Nov 02 '11 at 01:12
  • 1
    Would there be any way to make this behavior official? Something like "If the block was published to the network over a year ago, it is set in stone" which does not rely on the developers? This seem to be one of the few places where Bitcoin developers have a lot of authority, and it seems they generally work to keep that authority minimal. – Daniel H Aug 21 '12 at 22:02
  • 1
    @DanielH I don't see why some automatic algorithm couldn't be implemented that would be choosing suitable checkpoints during each code update. I guess you can propose such a feature on the forum or the github project page. – ThePiachu Aug 22 '12 at 07:02
  • 11
    We really plan to get rid of checkpoints, or at least significantly reduce their power. They don't actually add any security (if they would actually affect the chain, the system is already broken). – Pieter Wuille Sep 14 '14 at 20:47
  • 1
    @PieterWuille@ThePiachu: I didn't find any checkpoints hardcoded in main.cpp, checkpoints.h, checkpoints.cpp...Can you tell where the first checkpoint is placed? – Aliakbar Ahmadi May 31 '15 at 21:05
  • 1
    They are chain-specific data, and have thus been moved to chainparams.cpp now. – Pieter Wuille Jun 01 '15 at 21:04
  • @ThePiachu Thanks for the answer. But, the question is, in a case where there's no checkpoint, why would client accept a chain shorter than what he already has? – user153465 Aug 02 '17 at 10:21
9

Update on this as of time of writing, just to clarify more specifically upon the other answer: dependence on checkpoints in the security model has been significantly reduced, they are only used in one very specific case now. That case is just to ignore forks from the chain early on, before the most recently seen checkpoint. When a node has seen a block it recognises as a checkpoint, any further blocks received below that height will be ignored.

You can see this here: https://github.com/bitcoin/bitcoin/blob/0dfc25f82a01d9fec26380d95915df31e1fe2c02/src/validation.cpp#L3107

It is a long term goal of removing the checkpoints entirely, because they are a source of confusion over the security model and power the developers have. But currently the role they serve is to prevent low difficulty header flooding attacks, and there has been no alternative solution proposed yet (that I know of).

meshcollider
  • 11,815
  • 4
  • 25
  • 53
  • so every node maintains a list of checkpoints? who decides which blocks get added to the list of checkpoints? – fdzsfhaS Mar 14 '18 at 02:55
  • 3
    @Auburn the list of checkpoints is hardcoded here: https://github.com/bitcoin/bitcoin/blob/master/src/chainparams.cpp#L153-L167 No new checkpoints are ever added anymore, the last was added on Jul 16, 2014 – meshcollider Mar 14 '18 at 05:55
  • 2

    there has been no alternative solution proposed yet (that I know of).

    Sure there have been. E.g. increasing the minimum difficulty for any alternative chain. Or changing the logic used to fetch headers to be able to explorer a competing fork without saving it.

     – G. Maxwell Oct 05 '21 at 07:24
  • 5
    2022 update: an alternative technique to prevent low difficulty header flooding that does not rely on checkpoints (only on the even weaker minchainwork value) has been merged: https://github.com/bitcoin/bitcoin/pull/25717 – Pieter Wuille Feb 01 '23 at 22:33
0

AIK there‘s one big use case so far for checkpoints and there‘s actually no golden path to achieve that otherwise.

Let‘s say one has a really really lot of computing power and intentionally or accidentally starts mining at a very low difficulty. Then all nodes were „forced by the rules of consensus“ to check that blocks for validity even there is praktically low to now chance they catch up the entire blockchain. On a time critical node that kind of behaviour could at least create disturbance.

Checkpoints are a tool against that. The node will only check higher blocks than the last checkpoint anf hence „focus on real (trans)actions on the net“.

jagottsicher
  • 1
  • 1
  • 1
    This hasn't been the case since the introduction of headers-first synchronization in 2014 (https://github.com/bitcoin/bitcoin/pull/4468), which meant that blocks won't even be fully downloaded in case they're not on a chain of headers that leads to a tip with a promising amount of work. This did leave open a weaker version of that (header spam), but that has been addressed since the introduction of headers presync (https://github.com/bitcoin/bitcoin/pull/25717) last year. – Pieter Wuille Feb 01 '23 at 21:20
  • Thanks for the deeper insights @PieterWuille it is hard to keep pace with the developments. I appreciate to get deeper understanding.

    Well, checkpoints are now obsolete. Are they already removed? The Go implementation btcsuite/btcd still supports it.

     – jagottsicher Feb 03 '23 at 00:08
  • 1
    They're not removed no; there is little harm in leaving them around, but they'll likely be removed from Bitcoin Core at some point. I also don't think btcd has anything like Core's header presync logic, but whether particular software implements and/or keeps something like these checkpoints is their own decision. – Pieter Wuille Feb 03 '23 at 01:41
0

Bitcoin consensus algo is probabilistic (rather than deterministic) so in theory there is always the possibility of reversibility. The checkpoint gets around that by setting how far back it with even consider looking for blocks to verify.

user898617
  • 37
  • 3