Hi, I'm Chronos, and today we're going to talk about a potential security issue in Bitcoin. Back in August of 2017, we added a new feature called Segregated Witness, or "Segwit" for short, and this fundamentally changed bitcoin's security.

To understand this, we need to take a step back and talk about bitcoin mining. Basically, every time a new block is mined, it's sent over the network to the other miners, and each one runs a quick validation on it to make sure it's legal and correct. Then they add it to their copy of the blockchain, and they start mining on top of it. At least, that's what is supposed to happen. But blocks are almost always correct anyway, because it takes so much effort to make one that it would be a huge waste to make an invalid one. And every moment spent validating a new block, instead of mining on it immediately, is lost income to the miner, because their equipment doesn't have anything to do during that time.

So there's a natural incentive to just mine first and validate later. But this can go terribly wrong. On July 4th, 2015, a mining pool called BTC Nuggets mined a block with an old version number, which is something that all miners had already agreed would be invalid. Another group, F2Pool, didn't check the version number; they just mined on top of it, to save time.

Then they got lucky, or unlucky, as you might say, because they did successfully mine a block on top of it. Other miners followed their lead, and soon 6 blocks had been mined on an invalid chain. Oops. We were actually lucky in that case, because those extra illegal blocks didn't contain any transactions, so no actual bitcoin payments were reversed, but we might not get so lucky next time. If this happens again, it could be a huge disaster.

So what does this have to do with Segwit? Well, the power of Segwit is to separate the witness data from the rest of the block. What is the witness data? Basically, it's the data that proves each transaction is being spent by the person who actually owns the coins. Without the witnesses, you can't tell if somebody is spending someone else's money. But now that the witnesses are separated, they can easily be sent to miners after the rest of the block, to save time. I'm sure you're starting to see the problem here: first, miners can start mining on a new block before they even receive the witness data.

All they need is the block header. And they'll make more money if they do this, because they don't have to wait. Worse, nobody can tell who, if anyone, is actually doing any validation, because almost all blocks are valid anyway. So the equilibrium state of the network is that miners mine on new blocks before even receiving the witness data. And once over half of the miners are doing this, the network becomes unstable and vulnerable to attack.
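To make the two failure modes concrete (mining on a block with a stale version number, as in the July 2015 incident, and mining on a block whose witness data has not arrived or does not match), here is an added Python model of the validation gate a full node applies before it extends a block. This is example code written for this page, not Chronos's code and not Bitcoin Core's implementation. It assumes a simplified model: transaction bodies and witnesses are constructed byte strings rather than real serializations, `MIN_BLOCK_VERSION` is a hypothetical stand-in for the real version rule, and only the BIP141 commitment structure (witness merkle root over wtxids with the coinbase wtxid zeroed, hashed together with the 32-byte witness reserved value) is modelled faithfully.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(leaves: List[bytes]) -> bytes:
    """Bitcoin-style merkle root: hash adjacent pairs with SHA256d, duplicating
    the last node whenever a level has an odd number of entries."""
    if not leaves:
        raise ValueError("merkle tree needs at least one leaf")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


# BIP141: commitment = SHA256d(witness_merkle_root || witness_reserved_value),
# where the reserved value is the 32-byte coinbase witness (all zeros here).
WITNESS_RESERVED_VALUE = bytes(32)

# Hypothetical stand-in for the "old version number" rule from the 2015 incident.
MIN_BLOCK_VERSION = 3


@dataclass
class Tx:
    body: bytes                      # non-witness serialization (constructed stand-in)
    witness: Optional[bytes] = None  # None means the witness has not arrived yet

    def wtxid(self) -> bytes:
        if self.witness is None:
            raise ValueError("wtxid needs witness data")
        return sha256d(self.body + self.witness)


@dataclass
class Block:
    version: int
    txs: List[Tx]                    # txs[0] is the coinbase
    witness_commitment: bytes        # the 32 bytes carried in the coinbase OP_RETURN output


def witness_commitment(txs: List[Tx]) -> bytes:
    """Witness merkle root over wtxids (coinbase wtxid fixed to zeros per BIP141),
    committed together with the witness reserved value."""
    wtxids = [bytes(32)] + [tx.wtxid() for tx in txs[1:]]
    return sha256d(merkle_root(wtxids) + WITNESS_RESERVED_VALUE)


def validate_before_mining(block: Block) -> Tuple[bool, str]:
    """Full-validation gate: refuse to mine on top of a block until its version
    is acceptable and every witness is present and matches the commitment."""
    if block.version < MIN_BLOCK_VERSION:
        return False, "stale block version"
    if any(tx.witness is None for tx in block.txs):
        return False, "witness data not yet received"
    if witness_commitment(block.txs) != block.witness_commitment:
        return False, "witness commitment mismatch"
    return True, "ok"


def build_sample_block(version: int = 4) -> Block:
    """Constructed block: a coinbase plus one payment whose witness stands in
    for the owner's signature."""
    coinbase = Tx(b"coinbase-tx", WITNESS_RESERVED_VALUE)
    payment = Tx(b"spend 1 BTC from alice to bob", b"signature-by-alice")
    txs = [coinbase, payment]
    return Block(version, txs, witness_commitment(txs))


def scenarios() -> dict:
    """Run the gate over four constructed block arrivals and return the verdicts."""
    good = build_sample_block()
    stale = build_sample_block(version=2)

    # Body arrived, witnesses still in flight: a header-first miner would already be hashing.
    witnesses_pending = build_sample_block()
    witnesses_pending.txs = [Tx(tx.body, None) for tx in witnesses_pending.txs]

    # Witness swapped after the commitment was made: the coinbase no longer matches.
    tampered = build_sample_block()
    tampered.txs[1] = Tx(tampered.txs[1].body, b"not-alices-signature")

    return {
        "good": validate_before_mining(good),
        "stale_version": validate_before_mining(stale),
        "witnesses_pending": validate_before_mining(witnesses_pending),
        "tampered_witness": validate_before_mining(tampered),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18s} -> {verdict}")
```

The point of the gate is the second check: a node that only has the header, or the header plus transaction bodies, cannot compute the witness merkle root, so it cannot confirm that the spends are authorized. The third check shows why the commitment matters once witnesses do arrive: the coinbase pins them, so a witness that differs from what the block's creator committed to is rejected rather than silently accepted. Running the script prints one verdict per scenario.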

Any miner could then add a transaction that steals YOUR bitcoin, if it's in a Segwit address, and the other miners might not even notice. It remains to be seen just how serious this might become, but I think it's only a matter of time, as more and more users switch to Segwit transactions. It looks to me like we're eventually going to have a nasty, unexpected fork. Because of this, I personally wouldn't recommend using Segwit on the bitcoin network.