I am thinking about the following scenario. Alice has two wallets: wallet A contains 9 XCH, and wallet A’ is empty. Alice sends all 9 XCH from wallet A to Bob in exchange for some goods. The transaction appears on the blockchain, and once there are 6 additional blocks on top of it, Bob considers the transaction confirmed and gives Alice the goods. Alice then signs and propagates a new transaction (currently invalid) sending 9 XCH from wallet A to wallet A’, then transferring 1 XCH from wallet A’ to each of the 7 farmers who won the block containing Alice’s payment to Bob and the 6 blocks that followed. Alice puts a transaction fee of 1 XCH, to be paid from wallet A’. At some point another block is completed, and at that point the winning farmer and the 7 previous farmers have a decision to make. They can all see Alice’s new transaction, and they deduce that if Alice’s payment to Bob had not happened, Alice’s new transaction would be valid and each of those 8 farmers would earn 1 XCH (as would Alice). But they have the power to rewrite the chain starting from the block containing Alice’s payment to Bob (this is a consequence of having a different blockchain for the data and for the proofs of space and time). So each of these farmers has a financial incentive to behave dishonestly. Also, Alice didn’t have to risk anything to try this, so she can repeat the process many times until she finds a group of 8 farmers willing to act selfishly.
I might be misunderstanding something about how the Chia blockchain works, so first let me ask: is the scenario above possible? But also, is this something to worry about?
There is one blockchain and one does not simply rewrite it.
My understanding of the Chia blockchain is that the previous n farmers can always get together and create a new blockchain of equal length to the “honest” chain, which forked from the honest chain n blocks in the past. If this new chain (and not the honest chain) gets confirmed by another block, then according to Chia protocol, farmers should try to extend the new chain instead, so the new chain becomes the “real” one.
I think you’re just describing a 51% attack. It’s an attack vector on basically any blockchain.
In Bitcoin (for example), a miner who has won a block cannot, in the future, change the data in that block without redoing the PoW for all subsequent blocks. In Chia, the “foliage” (data+signatures) is a separate chain from the “trunk” (PoST), so farmers can rewrite a data block so long as they can get their new chain signed by every subsequent farmer, without redoing PoST. This requires all the subsequent farmers to be dishonest, but it does not require them to be coordinated.
Also, in the scenario I describe, that group of 8 farmers can decide to act selfishly to profit while risking nothing, whereas in Bitcoin, working on a dishonest chain risks losing mining rewards should that chain not overtake the honest chain.
I certainly might be misunderstanding something about how the Chia blockchain works, but it seems like what I have in mind works quite differently in Chia than in PoW blockchains.
This attack is described here, see the section on “Farmer bribe foliage reorg attack”. They say the solution is just to wait for more blocks to consider a confirmation confirmed (the linked document uses 32 blocks as an example).
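The property discussed in this thread, as an added toy model (not Chia's code and not part of any post): a rewritten foliage block only verifies if every later block's farmer re-signs, while the trunk entries stay untouched, so the confirmation depth sets how many farmers would have to cooperate. The block layout, farmer names and the use of HMAC as a stand-in for real signatures are assumptions made for illustration.

```python
import hashlib, hmac

# Toy model (constructed data): each block has a fixed "trunk" entry and a
# "foliage" part (data + previous foliage hash) signed by the winning farmer.
FARMER_KEYS = {f"farmer{i}": f"secret{i}".encode() for i in range(8)}

def foliage_hash(prev_hash, data):
    return hashlib.sha256(prev_hash + data.encode()).hexdigest().encode()

def sign(farmer, digest):  # HMAC stands in for a real signature scheme
    return hmac.new(FARMER_KEYS[farmer], digest, hashlib.sha256).hexdigest()

def build_chain(payloads):
    chain, prev = [], b"genesis"
    for i, data in enumerate(payloads):
        farmer, digest = f"farmer{i}", foliage_hash(prev, data)
        chain.append({"trunk": f"post-{i}", "farmer": farmer, "data": data,
                      "prev": prev, "sig": sign(farmer, digest)})
        prev = digest
    return chain

def verify(chain):
    prev = b"genesis"
    for block in chain:
        digest = foliage_hash(prev, block["data"])
        ok = hmac.compare_digest(block["sig"], sign(block["farmer"], digest))
        if block["prev"] != prev or not ok:
            return False
        prev = digest
    return True

def rewrite(chain, index, new_data, cooperating):
    """Change foliage data at `index`; only cooperating farmers re-sign."""
    new_chain = [dict(b) for b in chain]
    new_chain[index]["data"] = new_data
    prev = new_chain[index]["prev"]
    for block in new_chain[index:]:  # trunk entries are never modified
        block["prev"] = prev
        digest = foliage_hash(prev, block["data"])
        if block["farmer"] in cooperating:
            block["sig"] = sign(block["farmer"], digest)
        prev = digest
    return new_chain

def signers_needed(chain, index):
    # Every farmer from the rewritten block to the tip must re-sign.
    return [b["farmer"] for b in chain[index:]]
```

With the thread's 8-block case, the rewritten chain verifies only when all 8 farmers re-sign; a recipient who waits for more confirmations raises that count by one per block.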