jhpriestley · 8 years ago
When Bitcoin was running up to $20,000, I tried to analyze the system and come to a personal conclusion about its equilibrium value, because I didn't want to miss out if it really was the currency of the future.

I ended up not investing, because of the possibility of a double-spend attack. I think that cryptocurrency enthusiasts are seriously underestimating the importance of double-spending attacks to the economics of bitcoin and other cryptocurrencies.

A few points that convinced me not to put my money into this system:

If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack. There is no equilibrium point for transaction fees where this attack becomes uneconomical. The only defense is that the market for hash capacity is imperfect.

The market for hash capacity is going to become more efficient over time. ASIC miners will be commoditized, so that hardware investment becomes a much smaller factor in hash cost versus energy. This might be even worse during a bitcoin downturn, because there could be a glut of ASIC miners.

Miners will coordinate with market prices, turning off capacity when the price dips (for example, because someone is underbidding to create a 51% attack). If mining becomes more decentralized, it will be harder for miners to act in their common interest (fending off 51% attacks) and against their immediate interest (selling their hashrate to the highest bidder, or taking it off the market during an underbidding attack).

High transaction volume is not necessarily any help - the more transaction volume, the higher the cost of the attack, but the greater the rewards. The semi-anonymous nature of bitcoin means that one could easily flood the network with double-spend transactions. Attacking a huge network like bitcoin would be an audacious and expensive act, but there are certainly organizations with the resources to do it, e.g. intelligence agencies, organized crime. The massive rewards to such an attack also offset fixed costs such as writing and testing the software to carry out the attack.

tlarkworthy · 8 years ago
I think the argument is that by doing a 51% attack you undermine the market value so you never get the rewards. This makes sense, but only for the leading crypto coin. As we see here today, you can 51% attack smaller coins, which should imply an increase in the value of Bitcoin from consolidation.
tehsauce · 8 years ago
The spooky thing that this made me realize is that if anyone did find a vulnerability in bitcoin (or any cryptocurrency), they would have a greater incentive to only slowly leech off the system, because they will be able to siphon out much more over time than if everyone panics over security. The weapon is no good unless it's secret.
EGreg · 8 years ago
1. Short bitcoin cash

2. Rent 51% and mine a fork in secret for a week

3. Wreak havoc

4. Collect money

bb88 · 8 years ago
> I think the argument is that by doing a 51% attack you undermine the market value so you never get the rewards.

Only if you make it public. A 51% attack works at a poker table too, but only if the marks don't know the game is rigged.

A successful double spend makes it public, as well as announcing your intentions to get to 51%. If you're quiet and can pull off a successful 51%, you can create the double spend before anyone knows.

cocoablazing · 8 years ago
You can profit from undermining the market. Futures volumes may currently be too low to find enough liquidity to use them for financing a major attack but this could change when BB’s start selling them in earnest to clients.
gbhn · 8 years ago
My conclusion is that since this is true, the real thing maintaining the system is mutual cooperation of sufficient mining interest. When you look at the theoretical division of hashpower in btc, it looks too stable over generations of hardware. Any non-colluding ecosystem should have centralized. I conclude btc is a collusion system.

So why the pow? Is this stabilizing the actors somehow? It seems like an explicitly managed network would be no less centralized, way more efficient, and way more user friendly.

cslarson · 8 years ago
The value of bitcoin gold doesn't seem to have gone down in correlation with this attack.
zitterbewegung · 8 years ago
On certain exchanges you can short USD to cryptocurrency pairing.
diogenescynic · 8 years ago
So you’re saying this is good for Bitcoin?
Taek · 8 years ago
In the bitcoin system, miners make literally billions of dollars a year protecting the network. Any successful attack on the bitcoin network is going to massively erode confidence, reduce the price, reduce the usage, and therefore reduce the value of all that single-purpose, bitcoin-only hardware.

Large miners don't want to see Bitcoin get attacked because it destroys their income and de-values their incredibly expensive hardware. This is also why miners won't just let you borrow their hashrate for a while - it's a big issue if you use that hashrate to undermine their cash cow.

chemmail · 8 years ago
Logical and sound arguments. However you underestimate human greed, human stupidity. Not everyone is operating on a Nash Equilibrium.
onecooldev24 · 8 years ago
Top miners can short twice as many BTC futures to create one last profitable destruction.
hudon · 8 years ago
There is another--less talked about--way to double-spend: developers can cause forks and double-spend during the confusion.

In 2013, the network forked unexpectedly [0] and the Bitcoin network had 2 chains for about 4 hours. During those 4 hours, it is entirely possible that people sent BTC to exchanges they knew were going to be on the chain that ended up being orphaned.

A conniving team of centralized developers can take this a step further and discover or intentionally plant a consensus bug that causes such a fork and because developers ultimately tell everyone which chain contains the "fix" (in 2013, they commanded that the minority chain was the right one), the developers know which chain will be orphaned and thus which exchange they can exploit.

[0] https://freedom-to-tinker.com/2015/07/28/analyzing-the-2013-...

drexlspivey · 8 years ago
What a lot of people in the thread seem to be missing is that when you receive a huge payment you can require a higher amount of confirmations to accept it. High enough that it would make the 51% attack unprofitable.
cdetrio · 8 years ago
Requiring more confirmations decreases the probability that a transaction will be reverted, under the assumption that an attacker has < 49% of the hashpower. If you attempt an attack with 49%, then you have a fair chance of mining, say, 6 blocks before the rest of the network. If you get unlucky then you sacrifice those rewards. But if you mine with 51% then your attack chain is (probabilistically) guaranteed to eventually become the longest chain, so there won't be any loss of revenue.
onecooldev24 · 8 years ago
You can split the payment into multiple small amounts.
tobiaswk · 8 years ago
Great points. The thing is though that a double spend would harm both the attacker and all others on the network. It would weaken the trust. It is a double edged sword. You would have to do the double spend without anyone noticing and then liquidate your earnings as fast as possible. With more combined hashing power this would become very hard to do.

There are a lot of problems other than double spend with Bitcoin. Transaction fees rise very quickly because of the block size limit of about 1MB. You can't really rely on 0-confirmation transactions. The saviour lightning network in my opinion is the wrong solution to the scaling problem. It changes fundamentally how bitcoins are exchanged and steers away from the original white paper by Satoshi. Not that this is wrong... it just becomes another project altogether.

roymurdock · 8 years ago
It is often asserted (for example, in the Bitcoin white paper [22]) that a cartel can double-spend Bitcoins. In a strict sense, this is true: a cartel can spend a Bitcoin by paying it to a player Alice, receiving goods or services, and then shifting the consensus choice of history to a branch where that coin is instead paid to a different player Bob. However, we argue that double-spending by a cartel has a limited payoff. Bitcoins have value because people are willing to trade them for goods and services. If players were unwilling to accept Bitcoins for trade or unwilling to spend Bitcoins for fear of having their payments nullified, the value of Bitcoins would diminish significantly as players lost confidence in the system. Worse, because players are encouraged to generate a new identity for each transaction and because identities are not linked to any side information, players cannot easily determine whether a proffered payment is coming from the double-spending cartel or an honest user. Thus, a rational player should refuse to accept any payments when there is a significant threat of double-spending.

As a cartel must outmine the entire Bitcoin network and thus outspend the entire Bitcoin network for as long as it would remain a cartel, we believe it is very unlikely that a cartel could double-spend enough to recover the cost of the attack...

As described above, a 51% cartel attack is unlikely to generate enough reward within the Bitcoin economy to be worthwhile to the attacker. However, this does not rule out the possibility of a 51% attack that aims to destroy the Bitcoin economy in order to achieve utility outside the Bitcoin economy. We call this the Goldfinger attack after the character in film who tries to undermine U.S. currency by ruining its gold backing [15]...

In all of these cases, the attacker must achieve enough utility to justify the substantial cost of an attack. We agree with Becker et al. that it is unlikely that a protest movement could muster the resources to launch a successful attack. And at present it does not appear possible to acquire a short position on Bitcoins that is large enough to justify an attack. (2013)

The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries

Joshua A. Kroll, Ian C. Davey, and Edward W. Felten, Princeton University

https://www.econinfosec.org/archive/weis2013/papers/KrollDav...

Hupriene · 8 years ago
This seems to miss the point that the mining pays for itself in collected transaction fees. Double spend is just icing on the cake.
viach · 8 years ago
You have used technical analysis for making an investment decision. Scientific method, skeptical approach, great. And the assumption is "the tech is broken, the price will fall because of it, won't buy".

But, if we take one step further and continue our experiment, let's compare the actual facts with the assumption.

And what do we see? Two cryptocurrencies (Bitcoin Gold and Verge) which were successfully attacked this week didn't lose market cap.

How come? What conclusion should we draw from this assumption/fact, if we continue being scientific? Do we need a new assumption?

bobbrown · 8 years ago
In the long term the market behaves rationally. It might take some time, but, if he is right, odds are on his side.

A mid-term (3-7 years) period of irrational behaviour in a market is not unusual. Some will benefit from it.

DINKDINK · 8 years ago
This attack occurred on BTG, a clone of Bitcoin appropriating the name “Bitcoin” Gold.

It has nothing to do with Bitcoin.


JumpCrisscross · 8 years ago
> there are certainly organizations with the resources to do it, e.g. intelligence agencies, organized crime

Nation states. Don't forget the large number of sanctioned regimes who would (a) have the resources to execute such an attack and (b) find great profit in doing so.

duxup · 8 years ago
Plenty of legit and rogue nations (or departments within them) who would find that tempting, I think. Currency politics and all aside, that is a tempting way to make money.
dmichulke · 8 years ago
> If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates

"Renting 51%" (of any global market) and "at market rates" are mutually exclusive.

> There is no equilibrium point for transaction fees where this attack becomes uneconomical.

The counterforce against doublespending is not transaction fee but cost of ownership of mining equipment.

Some other arguments against your conclusion:

- As mentioned nearby, for big transactions you want to wait longer than 6 confirmations.

- Also, as recipient you might want to distribute huge payments into smaller ones distributed over time.

- It's in the interest of mining capacity lenders to make sure you don't get 51% because it renders their equipment worthless in case you are successful.

- As you correctly stated, low prices will lead to lower hash rates (and higher prices to higher rates). This means actually that bitcoin will be more stable (it's harder to obtain 51%) if prices rise. There's an equilibrium on that side as well! That is, if double spending is what you're worried about.

hvidgaard · 8 years ago
> If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack. There is no equilibrium point for transaction fees where this attack becomes uneconomical. The only defense is that the market for hash capacity is imperfect.

At this point in time the current hashrate of the bitcoin network is 32.500 PH/s, up from 5.000 PH/s a year ago and 1.400 PH/s two years ago. If you rent 51% of the network it's going to be rather obvious that something is happening, that will however not prevent an attack. Let us assume that you can rent capacity because the miners are greedy, what price would you have to pay? Let's assume that you can buy from miners that want to exit the mining business, so they do not care about deprecating the value of their hardware nor the bitcoin value itself.

So the assumptions are that 51% of the available capacity doesn't care if bitcoin tanks and burns as long as they profit enough, and that you're able to buy that. A 0.43% difficulty increase daily (average over last 2 years), bitcoin price of 7.600$, a 4MW power draw, and electricity prices of $0.08/kWh.

Miners controlling 51% would profit north of $1.000.000.000 yearly, and if they just want to be compensated for that one year, you have to pay $1.000.000.000 to rent 51%. That is a lot of money, and at the $20.000 high it would be triple that value.

However, why would 51% of the capacity suddenly exit? Rather they want to be compensated for multiple years of profit, let's say 5 years, and it's not unreasonable to expect bitcoin to reach $70.000 in that time. So we're looking at a $50.000.000.000 cost to coordinate the attack. That's expensive, and with that kind of money there are other ways to make it multiply. Who would pay that to ensure destruction of the thing we know as Bitcoin? After all, success means it's likely that another *coin takes over, where you cannot 51% as easily.

nopinsight · 8 years ago
It is far from clear that Bitcoin will likely ever reach $70,000. That implies an approx market cap of $1,200,000,000,000 or more. Would Bitcoin ever be useful enough or generate more value than Google or several Big Energy companies combined to justify and sustain that valuation?
russdpale · 8 years ago
I do believe you are vastly underestimating how difficult an attack on the bitcoin network would be. I seriously doubt anyone other than a handful of state level actors could pull it off, and even then I am not sure. The amount of energy we are talking is tremendous, and gets orders of magnitude larger the more blocks you go backwards in time. The XVG hack only went back 22 blocks, that is mathematically, and most certainly financially and perhaps even physically impossible with bitcoin. The amount of energy and money spent would never, ever make it worth it.
DennisP · 8 years ago
Interesting points. A defense against this type of attack is to use at least the hybrid proof-of-stake design that Ethereum is rolling out in about three months; blocks are proposed by proof of work, but proof of stake periodically adds a layer of "economic finality." Here's a paper: https://arxiv.org/abs/1710.09437
IncRnd · 8 years ago
Just a cautionary note - you are describing the future in the present tense.
cdetrio · 8 years ago
51% attacks on the block proposal mechanism could prevent the PoS commitments from ever becoming finalized (i.e. violate liveness), though.
bo1024 · 8 years ago
Those are some really great and interesting points. However, I think there is a resource you didn't mention that combats such attacks: time. If I'm a vendor, e.g. I pay cash for bitcoin, then I can tune the amount of time the transaction is held in limbo or escrow based on the vulnerability of the network.

For instance, I can decide not to finalize the transaction until I see a chain with 12 new blocks added after the transaction block. So an attacker has to control 51% for 2 hours to successfully scam me. Or I can make it 24 blocks (4 hours), or whatever.

Not sure this can mitigate the attacks and market forces you discuss, but it might. I see Bitcoin moving toward an intermediary system where you have a "Bitcoin balance" with a "Bitcoin bank" that allows you to make immediate transactions and takes on the risk and time delay of settling these transactions on the blockchain over the course of the next day or two.
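The two comments above (cdetrio's, that more confirmations only help while the attacker holds less than half the hashrate, and bo1024's, that a vendor can tune the confirmation depth and thereby the time an attacker must sustain the attack) can be made concrete with the attacker-success calculation from section 11 of the Bitcoin white paper. The code below is an added example and not part of any comment on this page; the function names, the 10-minute block interval and the 0.1% risk threshold are choices made here for illustration.

```python
"""Confirmation depth versus reorg risk, using the attacker-success formula
from section 11 of the Bitcoin white paper (added example, not from the thread)."""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hashrate ever
    overtakes the honest chain once a transaction has z confirmations.

    Follows the white paper's derivation: while the honest chain mines z blocks,
    the attacker's progress is Poisson with mean z*q/p, and from a deficit of
    (z-k) blocks the chance of catching up is (q/p)^(z-k)."""
    if q >= 0.5:
        return 1.0  # a majority attacker eventually wins regardless of z
    p = 1.0 - q
    lam = z * (q / p)            # expected attacker blocks during the z honest blocks
    poisson = math.exp(-lam)     # Poisson probability of k = 0 attacker blocks
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k   # advance to Poisson probability of k blocks
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 10_000):
    """Smallest z for which the reorg probability drops below max_risk,
    or None when no confirmation depth suffices (q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def attack_duration_minutes(z: int, block_interval_minutes: int = 10) -> int:
    """Wall-clock time an attacker must keep racing the honest chain to
    reverse a z-confirmation payment (assumed 10-minute block interval)."""
    return z * block_interval_minutes


def settlement_table(fractions=(0.1, 0.2, 0.3, 0.4), max_risk=0.001):
    """Map attacker hashrate share -> (confirmations to wait, minutes the
    attacker would need to sustain the race). Assumed inputs for illustration."""
    table = {}
    for q in fractions:
        z = confirmations_needed(q, max_risk)
        table[q] = (z, None if z is None else attack_duration_minutes(z))
    return table


if __name__ == "__main__":
    for q, (z, minutes) in settlement_table().items():
        print(f"attacker {q:.0%}: wait {z} confirmations (~{minutes} min of sustained attack)")
    print("attacker 51%, 100 confirmations:", attacker_success_probability(0.51, 100))
```

The table reproduces the white paper's figures (for example 5 confirmations against a 10% attacker, 24 against a 30% one), and the last line shows cdetrio's point: for q above one half the probability is 1 no matter how many confirmations a vendor waits, so depth only buys time, not safety, against a true majority.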

thaumasiotes · 8 years ago
> I see Bitcoin moving toward an intermediary system where you have a "Bitcoin balance" with a "Bitcoin bank" that allows you to make immediate transactions and takes on the risk and time delay of settling these transactions on the blockchain over the course of the next day or two.

How would this system differ from an ordinary bank in the system we have now?


biztos · 8 years ago
I'm a bit ignorant about cryptocurrency, but doesn't "I pay cash for bitcoin" sort of prove the parent's point that it's not "the currency of the future?"
snarf21 · 8 years ago
I think one of the other issues is that each transaction that they are double spending can be worth so much. If each transaction was maxed out at say $100, the incentive to double spend the transaction becomes smaller. Obviously that changes a lot about the costs of mining and transactions, just saying the bigger a single transaction or value in a single address, the larger the likelihood of an attack. We see the same things with cash, they only run the "counterfeit" pen on $20 or larger.

Just wondering if there is some kind of crypto currency where the transactions had a max of some kind. Would the difficulty be able to be much smaller and blocks every minute (since there would be so many more to transact)? This isn't well formed, just off the top.....

bondi · 8 years ago
This would probably lead to a huge increase in transactions, and PoW mining as of now will not be able to process transactions fast enough, and the coin ends up clogged and unusable.
saalweachter · 8 years ago
When Bitcoin was hitting $20,000, which I never thought they'd do, I mostly concluded I'd missed any investment opportunity.

I plausibly could have invested a few hundred or thousand when Bitcoin was in the low hundreds, and if I had hodl'd to the moon, realized a hundredfold gain, which would have been nice.

But once you're at the moon, then what?

The new price predictions are things like "If Bitcoin replaces gold it could be worth $135,000/BTC.". Which is a lot, and a little far fetched, but also only 6x from the last peak.

I'm not interested in a risky investment which takes years to come to fruition and only yields 6x. It's too risky for a safe investment and too low-yield for a risky investment. Boat missed.

CryptoPunk · 8 years ago
If the scenario you laid out actually pans out it would be very good for Bitcoin, because there is a lot of free energy in the world but it is highly distributed.

The dominant form of mining would be utility companies and individuals redirecting excess electricity generated from their renewable electric power generators, during off-peak hours and spikes in generation, to mining, and the constituents would be both numerous and globally distributed, owing to the wide geographic areas across which renewable energy resources are found.

teekert · 8 years ago
> If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack. There is no equilibrium point for transaction fees where this attack becomes uneconomical. The only defense is that the market for hash capacity is imperfect.

You're killing your goose with the golden eggs. That is, if a currency remains in use.

ryanlol · 8 years ago
>Attacking a huge network like bitcoin would be an audacious and expensive act, but there are certainly organizations with the resources to do it, e.g. intelligence agencies, organized

How do you propose they would go about doing this? Would they jam up the whole world's chip production to source the ASICs at above market rates? How could this be profitable?

Perhaps by taking over existing mining operations, but then you’d need to somehow perform the attack before you’re detected.


samolang · 8 years ago
If bitcoin becomes 'the currency of the future' then renting 51% of the capacity at market rates will be prohibitively expensive.
wellboy · 8 years ago
Your analysis isn't really a good one, since Proof of Work consensus through mining isn't really used anymore by the new coins.

It seems you're too focused on a specific decentralized consensus solution, while there are already much better ones out there, e.g. Iota with a tangle, skycoin with a web of trust or Elastos that are immune to 51% attacks.

djsumdog · 8 years ago
Wouldn't this level of energy consumption be noticeable and stand out? What about the sheer number of ASIC units?

Right now, what minimum amount of power would be necessary? How many homes' or neighborhoods' worth? How many Amazon data centers?

branchless · 8 years ago
Here's my reason for not "investing" (it's not investing, it's speculation):

* bitcoin is not mandated as the sole accepted currency for settling tax in any sovereign state, therefore it can go to zero

sobani · 8 years ago
It will never go to absolute zero as long as there are still people who at the very least see it as a joke. "Remember when BTC was $20000? I just bought 50000 of them, I would have been a billionaire! Haha!"

Also tell people in Venezuela how their Bolivar is not going to zero, because they have to pay their taxes with it.

split_tender · 8 years ago
What do you mean, “underbidding”, e.g. “underbidding attack”? I don’t understand this term in the context of your hypothesis, which assumes a perfectly efficient market for hashpower.
jhpriestley · 8 years ago
Suppose that it takes $50 of energy to find a hash at current difficulty. Transaction fees are at $50 (in BTC). I can offer miners $51 for their hash power, but they might be suspicious. So the other thing I can do is confirm transactions for $49 in fees, which I'm calling underbidding. This will drive miners out of the market.
ojr · 8 years ago
Blockchains are not immutable: the software that blockchain servers run can be updated to any chain with the most social consensus. If an attack was that bad it can be fixed with a few git pushes and pulls. The price might suffer, but even that is not a guarantee; price movements have a greater influence than fundamental value in crypto.
EGreg · 8 years ago
By the way doesn’t your argument also destroy anarcho capitalist utopia scenarios?

Someone could rent the local courts for a week, pillage everyone, and leave.

Or just come with a larger army.

onecooldev24 · 8 years ago
can you explain this in better words: "then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack."
bo1024 · 8 years ago
I think what jhpriestley is saying is: As the market gets efficient, the price of renting mining capacity will approach the profits earned from transaction fees. So renting mining capacity will almost pay for itself, i.e. is almost free. But then you might as well rent a lot of it, like 51%, because it's allowing you to attack the chain almost for free.
antocv · 8 years ago
Not all cryptocurrencies are secured by hashpower or "mining", have you considered those?

Examples like Delegated Proof-of-Stake or "eusocial oligarchy like consensus" systems like Byteball?

facetube · 8 years ago
One of the many practical vulnerabilities.
tacon · 8 years ago
>If hash capacity were traded on a perfectly competitive market, then it would always make sense to rent 51% of the capacity at market rates, earn the transaction fees, and also perform a double-spending attack.

Lenin was right: "When it comes time to hang the capitalists, they will vie with each other for the rope contract."[0]

[0] https://quoteinvestigator.com/2018/02/22/rope/

dustingetz · 8 years ago
2nd and 3rd gen blockchain tech is not vulnerable to double-spend attack, I believe. Only the legacy chains (Bitcoin, Litecoin etc) are.
rjkennedy98 · 8 years ago
The numbers I've seen quoted for a double spend attack on Bitcoin Cash (assuming guaranteed block space) are that it would cost about 50K to double spend on a 0-conf transaction. So really, you can confidently accept 0-conf for <1K reasonably. More than that, you can accept 1-conf or more, which can take a minute or two. BTC rejects 0-conf transactions, but they are already in use around the world and are successful as far as I know.
Retric · 8 years ago
Except you profit from mined blocks. In theory you should be able to do a 51% attack for a profit even without double spending, as you capture high value transactions over a longer timespan than normal. Aka in 10 blocks you get the same number of high value transactions as would normally occur over 20 blocks. Where you would end up with the same 10 blocks without a 51% attack, but someone else would also mine 10 blocks and capture some of those high value transaction fees.
garmaine · 8 years ago
It costs nothing to double-spend a 0-conf transaction.
IncRnd · 8 years ago
> it would cost about 50K to double spend on a 0-conf transaction

That makes no sense. If there are no confirmations, there is no cost, because nothing happened. This comment is a 0-conf transaction on BTC...

flashmob · 8 years ago
If you wait long enough, say, for 144 confirmations (or 24 hours, whichever is greater) then a double spend may as well be the least of your worries, for bitcoin, or any of the top mined crypto-currencies.

These double-spend attacks are only successful if the receiving party doesn't wait long enough.

Also, couldn't find any sources from exchanges on whether they were actually successful? The article didn't mention which exchanges.

Quote:

"Blockchain data indicates that the attacker successfully reversed transactions as far back as 22 blocks, leading developers to advise raising confirmation requirements to 50 blocks."

So as long as exchanges wait 50 blocks before crediting, they should be all right.

apo · 8 years ago
Oddly enough, one of the selling points of Bitcoin Gold (a hard fork of Bitcoin) was its use of Equihash instead of SHA-256. The idea was that a memory-hard proof-of-work function would inoculate Bitcoin Gold from miner centralization.

The problem with mining centralization is that sufficiently powerful miners can attack the network by rewriting blocks. This opens the door to double spending.

This was exactly the attack the article described.

It appears that Bitcoin Gold's decision to use Equihash led to this mess. The algorithm is used by several other coins. Hardware optimized for this algorithm can therefore be used with equal ease to mine on a network or attack it.

Bitcoin Cash may be headed for a similar fate. It retains SHA-256, but is a minority chain in terms of hash power. A powerful Bitcoin miner deciding to perform double spends on Bitcoin Cash would have everything needed to repeat the Bitcoin Gold attack.

BTW, a similar attack recently occurred on Verge:

https://blog.theabacus.io/the-verge-hack-explained-7942f63a3...

It's possible that any altcoin that becomes sufficiently valuable will suffer similar attacks to the ones that have now taken place on Verge and Bitcoin Gold.

IkmoIkmo · 8 years ago
The problem I think is that there are 25 cryptocurrencies bigger than it. Particularly with its form of mining, it's trivially easy for say a big player in the 10th largest currency to shift their mining power to a smaller one like Bitcoin Gold, overpowering everything else.

Normally the non-51% attack argument is that anyone who invests enough in 51% of the infrastructure and has sufficient coins to profit from double-spending, is very unlikely to do so because it would render the coins and mining equipment worthless or at least worth less than the investment had cost.

That'd be true for bitcoin, but not for a GPU-mined 26th largest cryptocurrency. You can completely destroy it, cash out and use your equipment elsewhere on coins in which people still have faith.

Jommi · 8 years ago
You're forgetting that the lower you go with a cryptocurrency the less volume it has. This will have a major effect on your profits.
vasilipupkin · 8 years ago
So how exactly do you cash out? By exchanging double spent coins for BTC or USD? But then can't exchanges just stop that from happening?
hinkley · 8 years ago
> It's possible that any altcoin that becomes sufficiently valuable will suffer similar attacks to the ones that have now taken place on Verge and Bitcoin Gold.

The trust in these systems seems to be based on proving a negative.

The lack of an attack is neither a proof of robustness nor proof that one or more zero days aren’t already known. We can only “know” it’s safe when the temptation to use an exploit is far too high to resist.

I think there are a lot of people who imagine “an attack” as a ready-aim-fire affair. There’s a juicy target, someone concocts a plan and then uses it.

But as you illustrate, maybe there is already a plan and someone is waiting for the target to get juicy enough. Aim, ready, fire.

simias · 8 years ago
I guess the conclusion is that if you're attempting to create a new PoW cryptocurrency you better make sure to tweak your PoW algorithm enough to make sure that existing miners cannot easily convert their special purpose mining rigs to sink you for fun and/or profit.
Erlich_Bachman · 8 years ago
All those arguments do make sense, but only if the underlying cryptocurrency is actually big enough. That it has enough hashpower (in whatever algorithm) - to be secure. Bitcoin Gold simply was too small.
JepZ · 8 years ago
Sounds like it isn't very wise to come up with new cryptocurrencies as long as the mining network is unregulated and the double spending problem isn't solved...
brokensegue · 8 years ago
The Verge attack was different.
stale2002 · 8 years ago
All of the major Bitcoin miners are very pro Bitcoin cash. They basically created Bitcoin cash. They would be more likely to attack Bitcoin Core, if anything.

I would also point out that Bitcoin cash is the 4th largest crypto currency in the world, by market cap. If IT is in danger.... Well I fear for everyone else even more.

nicky0 · 8 years ago
Bitcoin Cash is only protected by the benevolence of the large miners. It is otherwise wide open to a 51% attack.
zaroth · 8 years ago
So this would require an attacker to pay into the exchange with BTCg, have the deposit clear and approve for trading, trade it for another currency, and have that trade settle and be clear for withdrawal, and then process the withdrawal, all in under 4 hours. After which point the attacking miner surfaces a longer chain they had been keeping which doesn’t include the original BTCg deposit.

Alternatively, if the exchange isn’t smart enough to pay short-term withdrawals with inputs that link back to the recent deposit, an attacker could just deposit and then withdraw with no trade and the withdraw transaction is valid even if the deposit is double-spent.

An exchange that lets a trader deposit millions in one crypto-asset, exchange it for another, and clear a withdrawal in 4 hours... got what was coming to them? Where’s the KYC process for a million-dollar deposit?

There’s a reason new deposits in a brokerage account take a few days to settle / be cleared for trading. And again after selling before funds can be withdrawn. And that’s a currency where most transactions can be reversed!

It would be one thing to allow 10 block settlement for Bitcoin main-net. It’s another to allow it with a thinly mined alt-coin.

dantillberg · 8 years ago
Exchanges need to be built with the fluid nature of blockchain conflict resolution in mind.

You can estimate the cost of double-spend attacks on each chain at any time, calculate your potential exposure, track where the related funds are now in your system, and mitigate your exposure by delaying the outflow of funds that have outsize exposure to double-spend attack potential.

In the simple case, you might allow withdrawal of a single $10 deposit after 2 confirmations but enforce a long 1000-confirmation waiting period on a million-dollar deposit, in order to increase the cost of executing a double-spend against your exchange beyond the point which you estimate it becomes infeasible.

It's a little trickier in practice because someone could split their million-dollar deposit into 1000 thousand-dollar deposits from separate addresses into separate accounts. But you can still track your exposure in aggregate, and you should design a system to hold all impacted funds as long as is necessary to make a double-spend attack infeasible.

You can be upfront with your clients about what's happening and why their withdrawals are sometimes delayed: it would increase confidence in the safety of honest customers' deposits while discouraging thieves from targeting you.

gruez · 8 years ago
>But you can still track your exposure in aggregate, and you should design a system to hold all impacted funds as long as is necessary to make a double-spend attack infeasible.

also, you can monitor the value of transactions in the last few blocks. 500% spike in transaction value in the last 2 blocks? better add a few more blocks to the confirmation requirement, or require withholding on those deposits.

Jommi · 8 years ago
You're hitting the nail on the head on this one. Couldn't have said it myself.

The majority of current exchanges are playing it absolutely fast-and-dangerous. It's no surprise with new exchanges popping up like mushrooms.

I'd bet that the top exchanges didn't lose anything on this. I'd actually wager this didn't happen to an exchange, but some other type of site, like a BTG Betting site or something.

josu · 8 years ago
Many people use exchanges for arbitrage. Exchanges benefit from arbitrage since they take a fee out of every trade and because they want their prices to be close to the international price of the asset.

This trade would look exactly the same as an arbitrage move.

zaroth · 8 years ago
I still maintain that letting the assets come in and leave on a different blockchain within 24 hours is akin to a “RTFM” level mistake.

If exchanges are enticing arbitrage through insanely quick settlement and clearance times on the order of 2 hours after closing a position, they are just playing with fire.

If there wasn’t an actual trade, just transferring in and out, not chaining the transactions is similarly RTFM.

If the facts are as I understand them, I think the exchange bears a significant portion of the blame.

It’s like the story a couple weeks ago where Deutsche Bank accidentally approved a wire transfer for $35 billion dollars.

XR0CSWV3h3kZWg · 8 years ago
more details here:

https://forum.bitcoingold.org/t/double-spend-attack-on-excha...

Bitcoin gold was a fork to try and decentralize mining. It changed to a proof of work that is supposed to be ASIC resistant. It looks like the typical situation is mining by GPU for equihash (BTG PoW).

BTG hashrate is at ~30MH/s at the moment, where Zcash's hashrate is at ~486MH/s.

I don't have the numbers off hand, but it'd be interesting to see how many GPUs you'd need to pull off a double spend against BTG and if any of the other equihash coins saw a drop off during the attack.

It'd be really interesting if it wasn't a rental attack, but an invested miner just switching over to BTG to achieve the hack.

They reversed 22 blocks; the recommendation is to increase the # of confirmations to rely upon to 50. If you are trying to react to a 51% attack, doubling the number of confirmations only doubles the cost of the attack, and the attacker likely just doubled the number of BTG they have. If they can pay the electricity/rental cost for the attack, they have enough BTG to execute the attack in a cost-effective manner again.

xur17 · 8 years ago
You can rent hashing power on Nicehash, which currently has ~77MSol/s available for rent. I'm not 100% familiar with how the auction process works, but it looks like I could purchase 26MSol/s via a fixed contract for 1 hour for ~1BTC.

Am I misunderstanding something here, or can I maintain a 51% attack right now for ~$8k an hour? This can't be right.

Uberphallus · 8 years ago
It is risky, but it is right; that's exactly why it took a while to happen. A relatively small botnet can overtake many smaller coins in hash power in no time, that's the hypothesis where I'd put the money.
mihaifm · 8 years ago
It should come out lower than that... rental price seems to be around 0.5 BTC/MSol/day, so the price for one hour would be 0.5 * 26 / 24 = 0.54 BTC, roughly $4k
icook · 8 years ago
I was curious about the cost as well, so I ran some rough numbers.

417.5 BTC/GH/day for equihash if you're renting from nicehash [1]. Block interval 10 minutes [2]. 144 blocks per day target yields 0.0869 BTC/block, so cost of the 22 block reversal was ~1.91 BTC, or roughly $15k.

I'm curious if this was done as one large deposit, or many smaller deposits. I've imagined a system where block confirmations required are based on a computed cost of attack done like I did above, which would be pretty effective for very large single transaction double spends. A bit trickier to handle multiple deposits spread across multiple user accounts.

[1]: https://api.nicehash.com/api?method=simplemultialgo.info

[2]: https://bitcointalk.org/index.php?topic=2284289.0;all
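The exposure-based policy dantillberg describes above, together with gruez's recent-block value check and the cost-per-block arithmetic in this comment, as an added example in Python that is not code from the thread or from any exchange. The rental rate, chain hashrate and deposit values are constructed from the figures quoted in the thread; the class and function names and the spike thresholds are assumptions.

```python
"""Exposure-based confirmation policy for an exchange (constructed example)."""
from dataclasses import dataclass, field
from math import ceil


def cost_per_block_btc(rent_btc_per_gh_day: float, chain_hashrate_gh: float,
                       blocks_per_day: int = 144) -> float:
    """Cost of renting hashrate equal to the whole chain's for one block.

    Renting as much as the network already has gives the renter roughly
    half of the combined total, so this approximates the per-block price
    of a majority rewrite. Rent is quoted per GH/s per day, as in the thread.
    """
    return rent_btc_per_gh_day * chain_hashrate_gh / blocks_per_day


@dataclass
class Deposit:
    account: str
    value_btc: float      # deposit value expressed in BTC
    confirmations: int    # confirmations observed so far


@dataclass
class ChainExposure:
    """Unsettled deposits on one chain and the rule for releasing them."""
    attack_cost_per_block_btc: float
    min_confirmations: int = 2
    deposits: list = field(default_factory=list)

    def unsettled_value(self) -> float:
        return sum(d.value_btc for d in self.deposits)

    def required_confirmations(self, surcharge: int = 0) -> int:
        """Confirmations at which rewriting them costs more than all value
        currently at risk. Summing over every open deposit (not per
        account) is what defeats splitting one large deposit into many."""
        blocks = ceil(self.unsettled_value() / self.attack_cost_per_block_btc)
        return max(self.min_confirmations, blocks) + surcharge

    def releasable(self, surcharge: int = 0) -> list:
        need = self.required_confirmations(surcharge)
        return [d for d in self.deposits if d.confirmations >= need]

    def settle(self, deposit: Deposit) -> None:
        self.deposits.remove(deposit)


def value_spike_surcharge(block_values, baseline_blocks: int = 20,
                          window: int = 2, ratio: float = 5.0,
                          extra: int = 10) -> int:
    """Extra confirmations when the last `window` blocks carry at least
    `ratio` times the average value of the `baseline_blocks` before them
    (the 500% spike heuristic from the thread). Thresholds are assumed."""
    if len(block_values) < baseline_blocks + window:
        return 0
    base = block_values[-(baseline_blocks + window):-window]
    recent = block_values[-window:]
    avg_base = sum(base) / len(base)
    avg_recent = sum(recent) / len(recent)
    return extra if avg_base > 0 and avg_recent >= ratio * avg_base else 0


if __name__ == "__main__":
    # Figures quoted in the thread: 417.5 BTC/GH/day rent, ~30 MH/s chain.
    per_block = cost_per_block_btc(417.5, 0.03)
    print(f"rewrite cost per block: {per_block:.4f} BTC, 22 blocks: "
          f"{22 * per_block:.2f} BTC")
    chain = ChainExposure(attack_cost_per_block_btc=per_block)
    chain.deposits.append(Deposit("alice", 0.001, 2))       # tiny deposit
    print("small deposit needs", chain.required_confirmations(), "confs")
    # 1000 deposits of 0.01 BTC from separate accounts: same exposure as one
    for i in range(1000):
        chain.deposits.append(Deposit(f"acct{i}", 0.01, 2))
    print("aggregate needs", chain.required_confirmations(), "confs")
    spike = value_spike_surcharge([10.0] * 20 + [60.0, 60.0])
    print("with value spike:", chain.required_confirmations(spike), "confs")
```

Once the aggregate requirement rises, the small deposit that was releasable on its own is held too, which is the aggregate-tracking behaviour the comments above call for.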

XR0CSWV3h3kZWg · 8 years ago
As the space matures I'd love to see a company that offers double spend insurance for a given tx.

For example changes could wait for 10 minutes worth of blocks then request a quote for double spend insurance. The company evaluates the probability of a double spend and maybe even has a couple standing contracts with rentable hashing power to be able to target smaller PoW chains and prevent any double spend attack.

There are lots of interesting and cool problems to be solved in evaluating the safety of a given tx. Unfortunately I don't know if the space is mature enough that exchanges would actually use the service.

xur17 · 8 years ago
I'm curious how many other smaller PoW currencies are vulnerable to something like this.
tedunangst · 8 years ago
> If the exchange is aware of the attack, they may also freeze his account, so that all the funds will be locked inside the Exchange. A failed 21 block attack performed with a 10,000 BTG deposit where the Exchange freezes the account in time will result in a 10,262.5 BTG loss for the attacker. (From link.)

That sounds problematic. If I deposited coins and the exchange determined I was attacking them (how does that work beforehand?) to confiscate my money I'd be pretty miffed.

cesarb · 8 years ago
Not only that, but also an attacker can wait until the money is "safe" outside the exchange before revealing the attack. If the attacker really has more than half of the hash rate, there's no time limit; the malicious chain will always be longer than the innocent one.
trsohmers · 8 years ago
Except Bitmain has announced and will be shipping to preorders the first Equihash ASIC (Antminer z9) in July... only 3000 z9's would be needed to equal 30 Megahash, which would be $6M at the z9's $2k price tag. Bitmain obviously has been mining themselves with the z9's for a while, so I would bet that they noticed this and jumped on it before shipping their "lightly used" units out.
guiomie · 8 years ago
I run around 630 sol/s per 1080 Ti GPU; each cost me around $950. You'd also need to add the electricity in there. I think the challenge is to control an infrastructure able to do over 15 MH/s, as opposed to having the capital.

s73v3r_ · 8 years ago
"It changed to a proof of work that is supposed to be ASIC resistant."

These are the absolute worst. All they're doing is causing the cost of graphics cards to go up.

XR0CSWV3h3kZWg · 8 years ago
It's great if you own NVDA!
hinkley · 8 years ago
Not every distributed consensus algorithm is happy with 51%. If you increased the minimum to 60% you’d increase the number of machines the attacker requires by 50%.

If 100 machines play fair, >50% requires 101 evil machines, but >60% requires 151 evil machines.

Rodyland · 8 years ago
I think you're misunderstanding the meaning behind a 51% attack?

An honest network participant will accept the chain with the largest accumulated proof of work. This is necessary to resolve forks of the chain, which are a natural occurrence.

A 51% attack means that the attacker can create a chain with more work than the rest of the network.

The idea that you can say "we require 60%" makes no sense by itself - you have to say what you actually mean in the context of a competitive and adversarial distributed proof of work blockchain network...

Maybe you have some ideas how to avoid history-rewriting attacks, in which case you should write a white-paper and launch your own sh1tcoin or ICO (only half joking).

mike-cardwell · 8 years ago
Crypto currencies are worthless unless they have an enormous amount of hashing power behind them.

We could really do with a webpage with a list of crypto currencies, the hashing power currently behind them, and how much it would cost somebody to take over 50% of the network.

Or does that already exist?

bunderbunder · 8 years ago
So, that's an interesting pair of ideas, in that it gets me thinking that any Bitcoin-style cryptocurrency might ultimately be doomed by its own design.

Shooting from the hip:

They've got this 51% vulnerability that is well known and hypothetically cannot be truly closed. Instead, we rely on the idea that mounting such an attack would be "too expensive". But at the same time, the cost/benefit of mounting such an attack is fairly easy to estimate using public data - all you really need to know is the cost to get to 51% and stay there for a given amount of time, which you can infer by monitoring mining activity, and the current price of the currency you'd want to attack. And you have to assume that whenever the cost of mounting such an attack dips below the benefit, such a thing _will_ happen.

So then, I think that implies that the only other feature you'd need to throw into the mix to ensure a cryptocurrency is ultimately doomed is to make the rate at which new coin can be mined asymptotically approach zero. Such a feature would mean that, in the long term, miners' revenue would ultimately be dominated by transaction fees, which, this being a supremely commodity service, market forces will presumably tend to keep relatively low. That would, in turn, limit the number of miners the economy can support, which would serve to limit the cost of mounting a 51% attack.

Meanwhile, what with a money supply that can't grow being inherently deflationary, the benefit of mounting such an attack would be constantly growing, for as long as said cryptocurrency remains in use.

nemo1618 · 8 years ago
On the other hand, there will be people who have a vested interest in preventing such attacks. If you own a lot of BTC, a successful attack can drastically lower the value of your assets, so it makes sense to deploy some of that capital to secure the network. And of course this goes even more so for business in the crypto space that rely on BTC remaining secure.

One example of this sort of behavior is in mining. We tend to think of miners as being selfish to a fault, and to some degree, that's true. But sometimes miners have the opportunity to mine empty blocks (a form of attack), and refrain from doing so, because it would harm the ecosystem as a whole and jeopardize their long-term profitability.

drexlspivey · 8 years ago
> They've got this 51% vulnerability that is well known and hypothetically cannot be truly closed. Instead, we rely on the idea that mounting such an attack would be "too expensive". But at the same time, the cost/benefit of mounting such an attack is fairly easy to estimate using public data - all you really need to know is the cost to get to 51% and stay there for a given amount of time, which you can infer by monitoring mining activity, and the current price of the currency you'd want to attack. And you have to assume that whenever the cost of mounting such an attack dips below the benefit, such a thing _will_ happen.

Or, to turn this around, if X is the amount of money needed to sustain a 51% attack for 1 block, then you have to wait for 1 confirmation for every X amount of coins received.

ajross · 8 years ago
> all you really need to know is the cost to get to 51% and stay there for a given amount of time

That's actually, if anything, underestimating the likelihood of a 51% attack. It seems that the more likely path to that situation is collusion between segments of the existing mining community. For such a cartel, the "cost" is zero, it's just a matter of trust.

acoma · 8 years ago
Decred appears to have solved the PoW 51% attack via a hybrid PoW/PoS consensus mechanism. It's practically unfeasible to attack at this point.
ggg9990 · 8 years ago
Interesting point. The cryptocurrency energy consumption problem will never be solved, since if it is, it will be economically feasible to attack. So cryptocurrency adoption in the mainstream will require massive electricity consumption.
gascan · 8 years ago
You might even say it will ultimately require at least 51% of worldwide electricity production, to ensure no actor (including nation-states) can suddenly on-line additional capacity to seize control.

And then if that's true, one might dream of a power plant arms race, where two competing nations build additional power plants as fast as possible to prevent the other from gaining enough electrical capacity to attack the network...

bennofs · 8 years ago
Only if it uses proof of work.
jsutton · 8 years ago
Not necessarily, non-hashing consensus seems to be where most blockchain projects are going. So these would require a stake of assets or similar, instead of wasting computing cycles.
sudomake · 8 years ago
Yup, it anti-scales. If anything it's scale resistant. It's a Red Queen's race.
amluto · 8 years ago
> Crypto currencies are worthless unless they have an enormous amount of hashing power behind them.

Why would you think an enormous amount of hashing power helps? Even with Bitcoin, the actual marginal cost of a 51% attack is quite low. The difficulty is the capital expense of actually connecting to a couple GW of power and finding enough rentable ASICs.

I think this is fundamental. In a proof-of-work scheme, if the mining rewards in whatever time frame is considered a full confirmation are less than the amount of gain available using a 51% attack, then a 51% attack is economical.

ASIC mining during boom time helps mitigate the issue a bit, since the ASICs are worth more if the currency isn’t devalued by 51% attacks, but even Bitcoin will be vulnerable if older, less efficient ASICs start flooding the market, which seems inevitable if the price of BTC stagnates enough.

Jommi · 8 years ago
You're looking at this as a static _binary_ model, while actually, the 51% attack is heavily dynamic. The profitability of the attack heavily depends on factors that are absolutely dynamic and not publicly available:

- The exchange/betting website not catching onto your scheme

- The volume of the coin being enough to mass sell it and not majorly affect the price

- How fast the community can act in unison against you

drexlspivey · 8 years ago
Maybe all that energy spent to secure the chain is not so bad after all.
jacquesc · 8 years ago
So it's not a complete waste of natural resources because it helps secure "the chain"?
swerveonem · 8 years ago
This point should be made more often. It also supports the ethereum and EOS use case, a general purpose computing blockchain and distributed vm: it allows smaller utility coins to be backed by the same size network as the eth token and ecosystem, something they would never do on their own. The token's security is proportional to its network size. Fragmentation of the already small subset of people capable of running blockchain nodes that actually do run nodes is great for innovation but bad for network security and confidence.
patmcc · 8 years ago
>>>Crypto currencies are worthless unless they have an enormous amount of hashing power behind them.

And maybe they're worthless even then. Time will tell on that.

madeofpalk · 8 years ago
mike-cardwell · 8 years ago
Whilst that's an interesting page, it lacks the most important part of my request: "and how much it would cost somebody to take over 50% of the network"
verbatim · 8 years ago
> Crypto currencies are worthless unless they have an enormous amount of hashing power behind them.

I think this is only true if you assume that crypto-currencies must be based on proof-of-work algorithms.

What about proof of stake systems?

Arbalest · 8 years ago
Someone has already asked that, and the response was, such systems are still theoretical without a working proof of concept.
celticninja · 8 years ago
mike-cardwell · 8 years ago
That graph doesn't tell me how much it costs to launch a 50% attack. Maybe I'm just lazy, but I want a table with the name of the crypto currency in one column, and the cost in USD to launch an attack in another column.
B-Con · 8 years ago
> Ordinarily, the blockchain would resolve this by including only the first transaction in the block, but the attacker was able to reverse transactions since they had majority control of the network.

Not a very precise explanation, just checking, what exactly does this mean?

I always thought the way a 51% double-spend attack worked was by broadcasting a transaction for human consumption (eg, I'll give you Y coins for Z dollars), then secretly mining your own blockchain for the N successive chains following it. After the humans have completed the human-level transactions after waiting the standard N successive blocks with no transaction conflicts, you release your own secret blockchain fork back into the public with data that contradicts the current popular one and instruct your network to ignore the competing publicly-acceptable chain. The new private one wins so long as it is equally as long as the public one which it should be because you have more compute power than the rest of the public.

Is that basically what happened here?

swift532 · 8 years ago
You are correct. The longest chain is accepted as the correct one, so if you have 51% hashpower and secretly mine while maintaining majority hashpower the whole time, your chain will be longer and you can publish it at any time, and effectively rewrite recent history.
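The race B-Con describes and swift532 confirms (and the reason, per Rodyland's reply to hinkley above, that a confirmation count cannot substitute for a hashrate majority), as an added example in Python that is not code from the thread: it implements the catch-up probability from section 11 of the Bitcoin whitepaper, with q the attacker's share of the hashrate and z the public confirmations. The function names and the risk threshold used in the demo are assumptions.

```python
"""Probability that a privately mined fork overtakes the public chain."""
from math import exp, factorial
from typing import Optional


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hashrate ever
    overtakes an honest chain that is z blocks ahead (whitepaper, sec. 11).

    For q >= 0.5 the attacker's expected progress is at least the honest
    miners', so the gap closes with probability 1 however large z is: no
    confirmation requirement helps. For q < 0.5 the attacker's progress
    while the honest chain mines z blocks is Poisson with mean z*q/p, and
    from a deficit of (z-k) blocks the chance of ever catching up is
    (q/p)**(z-k).
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p
    caught_up_never = 0.0
    for k in range(z + 1):
        poisson = lam ** k * exp(-lam) / factorial(k)
        caught_up_never += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up_never


def confirmations_for(q: float, max_risk: float,
                      z_limit: int = 1000) -> Optional[int]:
    """Smallest z with catch_up_probability(q, z) < max_risk, or None when
    no z up to z_limit achieves it (always the case once q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(z_limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # 22 confirmations against a minority attacker vs. a majority attacker
    for q in (0.1, 0.3, 0.45, 0.51):
        print(f"q={q:.2f}: P(overtake after 22 confs) = "
              f"{catch_up_probability(q, 22):.6f}")
    # Confirmations needed to push the risk below 0.1% (assumed threshold)
    for q in (0.1, 0.3, 0.45, 0.6):
        print(f"q={q:.2f}: confirmations for <0.1% risk:",
              confirmations_for(q, 0.001))
```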
giancarlostoro · 8 years ago
Has there been other approaches at solving the double spend problem? I know ByteCoin (which is from scratch and uses 'CryptoNote' (or CryptoNight?)) and respectively its forks, which include Monero, are designed a little different, and I think they boast having solved the double spend problem too, but I am not sure if they just make the same decisions as Bitcoin concerning updating the Blockchain?

Anyone care to weigh in on this?

Havoc · 8 years ago
>Obtaining this much hashpower is incredibly expensive

Is it? Presumably you only need to maintain it for a short amount of time. Sounds like something one could smash with google cloud preemptible GPUs or similar. Especially since such an attacker is presumably not above using a stolen CC or three.

Taek · 8 years ago
Well, under the standard assumptions of blockchains like Bitcoin, yes it's incredibly expensive to obtain enough hashing power to do a 51% attack. There's a lot of nuance to it though.

In this case, Bitcoin Gold chose to have an "ASIC Resistant" algorithm, Equihash, and likely was only protected by GPUs mining the network. Bitmain has recently released an ASIC for Equihash that is substantially cheaper and more energy efficient than using GPUs, meaning that some pool which was able to buy a large number of the ASICs would have had a pretty easy time gaining enough hashrate to launch a 51% attack.

This is one of the big risks of attempting ASIC resistance. In the event that someone produces an ASIC, your coin is a complete sitting duck.

celticninja · 8 years ago
But hashrate on BTG has been falling consistently since inception; it doesn't look like someone invested in a load of ASIC devices to perform this attack. More likely they kept the same operation and watched its % grow as other miners left the chain for a more profitable coin.
barbegal · 8 years ago
Under normal free market assumptions, the cost of double spending is simply the expected reward of each block multiplied by the number of blocks that need to be mined. For bitcoin, where the reward for finding a block is currently ~$100,000, that means you should be able to double spend by mining 6 blocks at a cost of less than a million dollars.

The question is: are bitcoin miners subject to the usual free market assumptions? If someone offered you double the market rate to hire a bitcoin miner for an hour would you accept that offer or not?

Taek · 8 years ago
As a miner, you are likely not going to accept because your entire revenue stream comes from the cryptocurrency being stable. If someone uses your hashrate to launch an attack, it's a direct threat to your future revenue especially if the attack discredits the security of the token you mine.

In this case though, Bitcoin Gold shares a hashing algorithm (Equihash) with many other blockchains. It is possible that some Zcash mining farm decided to attack Bitcoin Gold because they felt the revenue from attacking Bitcoin Gold was greater than the potential damage to their income, which is primarily Zcash based.

I'm just grasping at straws here, but generally speaking it's a bad idea to share hashing algorithms with another cryptocurrency, especially if that cryptocurrency is substantially more valuable (in terms of monthly block reward) than your own.

And, all GPU-mined coins are essentially sharing one algorithm, because the hardware can jump between them easily. So all GPU based coins share this vulnerability, where the tiny GPU mined coins could easily be attacked or wiped out by a large Ethereum farm at any point.

rwcarlsen · 8 years ago
The math doesn't work that way because honest miners amortize the capital cost of their specialized equipment over long periods of time. An attacker undermines the network's value and so must operate on shorter timescales. The capital costs of an attack could perhaps be partially recovered via resale, but getting order ~50% of the existing network's specialized hardware might prove prohibitively difficult even given sufficient capital.

[edit] And renting existing miners' equipment would be difficult because you would have to: figure out who they are, convince them to point their equipment to your pool, run your own dark pool servers to handle data from tons of miners, run infrastructure to make payouts to these miners, hope that exchanges don't have reorg procedures that prevent you from accomplishing your double spend, hope your chain reorg doesn't panic the market for long enough for you to double spend exchange to another coin that won't be tanking (due to the reorg).

49bc · 8 years ago
Also they only need to hold 51% for as long as they can complete the double-spend attack.
celticninja · 8 years ago
The article says they reversed some transactions up to 22 blocks later, which is 220 minutes, or 3 hours 40 minutes. So they would only need 51% for that time, but they didn't just add 51% of hashing power or that would be noticeable on the charts. From the looks of it [0] the hashrate has been falling slowly since BTG was created, so the miner may have just become the one with 51% by virtue of keeping mining with the same setup and then watching others stop mining, increasing his share of the network with no extra effort on their behalf. I would assume this miner also realises that BTG is dead/dying and is trying to extract as much as possible from it before they move their equipment to a new chain. If this attack method proves sufficiently profitable perhaps the miner will look at dying chains he can easily overpower instead of trying to mine a more profitable chain with a higher hash rate.

[0] https://bitinfocharts.com/comparison/bitcoin%20gold-hashrate...

mrep · 8 years ago
Totally, I even predicted this would happen 5 months ago (not the crash yet though): https://news.ycombinator.com/item?id=15836819
root_axis · 8 years ago
I'm just waiting for the day when it's revealed that ~70% of miners on a top 5 cryptocurrency are compromised by a specialized worm or malware. We'll probably only find out after the double spending is discovered but this type of outcome seems almost inevitable. The people writing this type of software are definitely financially motivated, but I can easily imagine such a person throwing away millions of dollars in 0-days just to fulfill such a hackneyed cyberpunk cliche.

Also, we know that things like stuxnet exist. Imagine something even a fraction as crazy as that targeting mining nodes. It's going to happen eventually.

gruez · 8 years ago
>We'll probably only find out after the double spending is discovered but this type of outcome seems almost inevitable

attacks like this are harder to pull off than you think. miners constantly submit "shares" to the pool, which are then validated to credit them a share in the block reward[1]. depending on what the difficulty threshold of the shares is, these could be submitted a few times a minute to every few minutes. if you hacked and gained control of the miners, sure you can redirect all the hashing power to you, but this will be detected quite quickly. with thousands of dollars on the line per minute, you can bet that everybody has monitoring in place to detect a dip in share submission. also keep in mind that you have to keep this going for about 1 hour (for your initial transaction to confirm) without people noticing. moreover, the core problem with stealing hash power to do a 50% attack is that block times will skyrocket on the main chain, which will let everybody (and not just the pool operator) know that something's up. plus after this attack, you can bet that exchanges will start requiring additional confirmations for large deposits, and instituting withholding times for cryptocurrency withdrawals.

[1] I don't know whether large mining operators do this. Strictly speaking, they don't but I'd imagine they do this because it lets them know that their rigs are up and producing valid hashes (ie. not malfunctioning). It's almost certain that small mining operators use pools.

root_axis · 8 years ago
You're right that there are a few canaries in the coal mine, but there are a lot of creative options if you have the ability to execute arbitrary code on a mining node botnet, assuredly some of which are yet to be discovered (as far as we know). Consider as well the many financial opportunities available to someone who may have an interest in sabotaging or disrupting some kind of mining activity, perhaps in subtle ways that are not usually noticed.