Mining attacks
==============
Homework 2 is out, due Monday; note weird office hours this week
Warm-up: The Finney attack (double spending)
Malicious miner controls two addresses A and B
Includes A->B payment in every block it tries to mine
Win the block? Don't publish it immediately
Instead, run to a store and spend A->C
Publish private branch as soon as miner gets the goods
If its chain is longer, will succeed at double-spend attack
51% attacks aren't that hard on less established blockchains
Especially if hash used by other blockchains (or CPU/GPU feasible)
Zencash
Between blocks 318165 and 318275, the attacker(s) caused
multiple reorganizations of the blockchain, reverting 38 blocks
in the longest reorganization. In block 318204 and 318234 the
attacker(s) performed double-spend attacks.
BTG
they were able to deposit funds on exchanges and quickly
withdraw them again, after which they reversed the initial
transaction so that they could send the coins they had
originally deposited to another wallet.
Verge
Can censor transactions with punitive forking
51% of miners (by hash power) announce they are censoring some transactions
Won't mine on chains with censored transactions to/from victims
Now honest miners won't waste time mining blocks with censored transactions
Feather forking
<50% of miners announce they won't mine directly on a block with censored transactions
But will mine on grandchildren blocks with censored transactions
So not completely censored
What does this mean for rational miners who don't care?
If you include censored transaction, more likely to create orphan block
So maybe just avoid censored transactions
Another variant, don't mine blocks whose parent has censored transaction
Eclipse attack
Bitcoin overlay network node typical parameters:
Only allow outgoing TCP connections to 8 other nodes
Only accept up to 117 incoming TCP connections
How do nodes know where to connect?
Initially get peer addresses from DNS seeds (e.g., seed.bitcoinstats.com)
https://github.com/bitcoin/bitcoin/blob/master/src/chainparams.cpp#L121
Receive ADDR command, specifying up to 1000 known peers/timestamps
Each node stores set of peers in "tried" table on disk
Each node hashed to one of 64 "buckets" of 64 entries each
Nodes semi-randomly evicted from "tried" buckets when full
pick 4 peers in bucket, evict one with oldest timestamp
Eviction actually sends the evicted node back to the "new" table
Mapping also uses "group" (IPv4 /16) to restrict to 4 buckets
Each node also keeps "new" table
256 buckets (64 nodes each) that it has not tried to connect to yet
Select buckets based on group (IPv4 /16) of peer
But also based on group (IPv4 /16) of node who told us about this peer
Similar eviction to tried, but discard evicted instead of downgrading
Randomly connect to another node when outgoing connection dropped
Pick between new/tried with probability depending on
number of currently good outgoing connections
ratio of sizes of new and tried
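An added example (my own model, not Bitcoin Core's addrman code) of the "tried" table as described above: 64 buckets of 64 entries, each peer's IPv4 /16 group restricted to 4 of them, and the sample-4-evict-oldest rule. Assumptions: the bucket choice here is a SHA-256 of a per-node secret with the group and a slot index, a stand-in for Bitcoin's actual keyed hashing; evicted peers are collected in a list where a real node would move them to the "new" table; the "new" table itself is not modeled. The 10.x.y.z addresses and random timestamps are constructed inputs. What it shows: addresses from a single /16, however many, can never occupy more than 4 buckets (256 of 4096 entries), so what governs how much of the table an outside party can fill is the number of distinct groups it can speak from, which is the defensive rationale for keying buckets on the group.

```python
import hashlib
import ipaddress
import random

NUM_TRIED_BUCKETS = 64
TRIED_BUCKET_SIZE = 64
BUCKETS_PER_GROUP = 4  # one /16 group can only land in 4 of the 64 buckets


def group_of(addr: str) -> str:
    """IPv4 /16 'group' used to bound how much of the table one netblock can occupy."""
    ip = ipaddress.IPv4Address(addr)
    return str(ipaddress.IPv4Network(f"{ip}/16", strict=False))


class TriedTable:
    """Simplified model of the on-disk 'tried' table.

    Assumption: real addrman differs in hashing details and in how evicted
    entries are handed back to the 'new' table; only the bucket bound and the
    eviction rule from the notes are modeled here.
    """

    def __init__(self, secret: bytes, rng: random.Random):
        self.secret = secret
        self.rng = rng
        self.buckets = [dict() for _ in range(NUM_TRIED_BUCKETS)]  # addr -> timestamp
        self.demoted = []  # entries a real node would push back to 'new'

    def _h(self, *parts: str) -> int:
        data = self.secret + b"|".join(p.encode() for p in parts)
        return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

    def bucket_for(self, addr: str) -> int:
        # first pick which of the group's 4 slots this address maps to, then
        # which of the 64 buckets that slot selects for this group
        slot = self._h(addr) % BUCKETS_PER_GROUP
        return self._h(group_of(addr), str(slot)) % NUM_TRIED_BUCKETS

    def insert(self, addr: str, timestamp: int) -> None:
        b = self.buckets[self.bucket_for(addr)]
        if addr in b:
            b[addr] = max(b[addr], timestamp)  # already known: refresh timestamp
            return
        if len(b) >= TRIED_BUCKET_SIZE:
            # sample 4 occupants, evict the one with the oldest timestamp
            sample = self.rng.sample(list(b.items()), 4)
            victim = min(sample, key=lambda kv: kv[1])[0]
            self.demoted.append(victim)
            del b[victim]
        b[addr] = timestamp

    def occupied_buckets(self) -> int:
        return sum(1 for b in self.buckets if b)

    def size(self) -> int:
        return sum(len(b) for b in self.buckets)


def fill_from_groups(num_groups: int, addrs_per_group: int, seed: int = 1) -> TriedTable:
    """Constructed input: addrs_per_group addresses from each of num_groups distinct /16s."""
    rng = random.Random(seed)
    table = TriedTable(secret=b"node-secret-example", rng=rng)  # constructed secret
    for g in range(num_groups):
        first, second = 10 + g // 256, g % 256  # distinct /16 per group
        for i in range(addrs_per_group):
            addr = f"{first}.{second}.{i // 256}.{i % 256}"
            table.insert(addr, timestamp=rng.randrange(1_000_000))
    return table


if __name__ == "__main__":
    one_group = fill_from_groups(num_groups=1, addrs_per_group=2000)
    many_groups = fill_from_groups(num_groups=300, addrs_per_group=200)
    print("one /16, 2000 addrs  -> buckets used:", one_group.occupied_buckets(),
          "entries:", one_group.size())
    print("300 /16s, 200 each   -> buckets used:", many_groups.occupied_buckets(),
          "entries:", many_groups.size())
```

The one-group run stays capped at 4 buckets no matter how many addresses are pushed in, while the 300-group run fills the whole table; the gap between the two is exactly what the group restriction buys.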
So can consume all of a victim node's connections in overlay network
Use botnet to own IP addresses in many groups
Connect to victim node 117 times
Send ADDR command with all your own IP addresses
Effectively a Sybil attack on overlay network
By controlling what victim miners learn, can:
- Engineer block races (so miners waste time on orphan blocks)
- Can split mining power (making 51% and Finney attacks easier)
- Also facilitate other attacks we will see...
Timewarp attack - Manipulate timestamps to decrease difficulty
Could reject invalid timestamps, but would cause soft fork with orphans
Doesn't seem like a real problem in practice
Could even intentionally exploit "forward blocks" to obtain better scaling!
"Goldfinger" attacks - Extrinsic incentives to mess with blockchain
- Government wants to censor to enforce law, detect money laundering, etc.
- Non-state actor wants to pursue social goal ("Occupy Bitcoin")
- Market manipulator who shorted Bitcoin wants to shake confidence in coin
- Stakeholder in one coin is afraid of competition from newer altcoins
Several happened against new chains in 2013
Feathercoin
The network was operating at a sustained 0.2 Gigahashes/sec
prior to the attack. It jumped to 1.5 Gigahashes/sec... might
be linked to another attack that occurred on May 23... a mining
pool solved a block... orphaned by someone mining from a vanity
address, "feathercoinsucks".
Terracoin
Selfish mining
What happens if a pool S doesn't immediately publish mined blocks?
Starts on next block while other pools waste time on shorter chain
Consider this "selfish mining" strategy (S = block rewarding the selfish pool, O = block rewarding another pool)
When S mines new block S*, withhold it unless it was competing at the same length:
    publish here:  X -- S -- S*      but not here:  X -- S -- S*
                    \-- O
When other pool mines block O*, keep lead of 2 or publish all
    publish all:  X -- S -- S -- S      X -- S
                   \-- O -- O*           \-- O*
    publish 1 block (S0) to maintain lead of 2:  X -- S0 -- S1 -- S2
                                                  \-- O*
Two key parameters to analyze selfish mining:
\alpha - fraction of mining power controlled by selfish mining pool
\gamma - Prob. honest miners choose S* when equal length branches [state 0']
[Show figure 1 in selfish mining paper.]
When is selfish mining profitable? [Show figure 2]
If \gamma = 1, always. Why? No penalty for withholding
If \gamma = 0.5, pool needs \alpha > 0.25 for selfish profitability
If \gamma = 0, pool needs \alpha > 0.33 for selfish profitability
Analytic solution: (1-\gamma)/(3-2\gamma) < \alpha < 0.5
Why does graph [figure 2] only go up to \alpha=0.5?
At \alpha > 0.5, just publish everything and ignore other pools
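An added example, not from the lecture or the selfish mining paper: a Monte Carlo run of the strategy above (withhold on a lead, publish on a tie, publish all when the lead drops to one, publish one block when the lead is above two) placed next to Eyal and Sirer's closed-form revenue share and the (1-\gamma)/(3-2\gamma) threshold, so the numbers in the bullets above can be checked directly. \alpha and \gamma are as defined above; the seed and round count are arbitrary choices of mine.

```python
import random


def selfish_revenue_closed_form(alpha: float, gamma: float) -> float:
    """Selfish pool's share of main-chain blocks (Eyal & Sirer's closed form)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def selfish_threshold(gamma: float) -> float:
    """Smallest alpha at which selfish mining earns more than honest mining."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate_selfish_mining(alpha: float, gamma: float, rounds: int, seed: int = 0) -> float:
    """Monte Carlo of the selfish-mining state machine; returns the pool's revenue share.

    Each round one block is found: by the pool with prob. alpha, else by others.
    Revenue is credited when a block is certain to end up in the main chain.
    """
    rng = random.Random(seed)
    lead = 0      # withheld private blocks beyond the public tip
    tie = False   # state 0': one pool block and one honest block compete at the same height
    pool = 0      # main-chain blocks credited to the selfish pool
    others = 0    # main-chain blocks credited to everyone else
    for _ in range(rounds):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:
                pool += 2                 # pool extends its own branch; both its blocks win
            elif rng.random() < gamma:
                pool += 1; others += 1    # honest block built on S*: S* wins, O is orphaned
            else:
                others += 2               # honest block built on O: S* is orphaned
            tie = False
            continue
        if pool_found:
            lead += 1                     # withhold the new block
        elif lead == 0:
            others += 1                   # nothing to fight over
        elif lead == 1:
            tie = True; lead = 0          # publish the withheld block: equal-length race
        elif lead == 2:
            pool += 2; lead = 0           # publish both: the honest block is orphaned
        else:
            pool += 1; lead -= 1          # publish one block, keep the rest of the lead private
    return pool / (pool + others)


if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma}: threshold alpha = {selfish_threshold(gamma):.3f}")
    a, g = 0.4, 0.5
    print(f"alpha={a}, gamma={g}: closed form {selfish_revenue_closed_form(a, g):.4f}, "
          f"simulated {simulate_selfish_mining(a, g, 300_000, seed=1):.4f}")
```

Running simulate_selfish_mining(1/3, 0, 300_000) lands near 1/3, the break-even point the notes give for \gamma = 0, and pushing \gamma toward 1 (the notes' estimate for Bitcoin) drives the threshold to 0, which is why the propagation question matters more than the 1/3 figure usually quoted.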
This could be catastrophic for centralization
Pool with selfish advantage pays higher reward to attract miners
Says, "we'll close pool to new miners when we hit 51%"
Join now or risk losing your investment on mining equipment!
What do you think \gamma is in Bitcoin? ~1 (worst case) Why?
Just use an eclipse attack
Throttle propagation of O blocks until S is sent first
Selfish mining in the wild: Monacoin
What can we do about selfish mining?
Original authors: don't mine on first block heard, choose randomly if multiple
Easy backwards compatible way to ensure \gamma ~ 0.5 instead of 1
New proposal: Publish or Perish
Estimate \tau to be upper bound on propagation time
Incorporate new type of uncle block into chain:
Uncles can only be one deep in chain (no great-uncles)
Uncles must be received within time \tau of current chain tail
Define the *weight* of a chain to be
Number of "on-time" blocks embedded in chain history, including uncles
Note relative definition! I might consider a block on time, you not
New mining rules:
If two chains differ by >= k blocks, mine on longest one
Allows us to recover from different ideas of weight
Otherwise, mine on chain with greatest weight
If weights tied, then pick one randomly
Consider normal selfish mining [Show figure 1 left]
Selfish miner reveals first block, but pre-mined second block has no uncle
So even a lead of 2 is no advantage
What if selfish miner withholds?
Now its blocks are not on-time, so its chain has less weight
Another possibility: Eliminate pools through non-outsourceable mining puzzles
E.g., require Hash(Sign(coinbase-recipient, header)) < max/D
Often use two-phase mining, where phase2 requires "coinbase" private key
So reward coins go to miner, not pool manager (or miner knows coinbase key)
But miners could mine for themselves and pay a fee to pool manager
I.e., all shares must be for blocks paying a fee to pool operator
Block withholding attacks
If a pool member releases shares but not full solutions, hurts mining pool
Infiltrator shares in mining reward without increasing effective hash rate
What if one pool infiltrates another?
Reduces overall effective hash rate in system and hence rewards
But attacker can potentially increase its share of rewards
When Bitcoin difficulty resets after 2016 blocks, could be profitable
But what if all pools attack other pools?
Creates lots of wasted work, reduces difficulty => blockchain less secure
"miner's dilemma" ~ prisoner's dilemma
Might China attack Bitcoin?
By end of 2013 half of Bitcoin transactions happening on Chinese exchanges
Single exchange BTC China handled 1/3 of worldwide volume
China limits investment assets, BTC could hedge inflation, offer upside
Mobile payment more prevalent in China (so crypto more intuitive)
Maybe decentralization appealing as counterpoint to government
Situation not ideal from Chinese government point of view
Bitcoin could be used to evade capital controls (remove money from country)
Facilitated trade-based money laundering
US criminals buy Chinese goods, sell in Mexico, South America
December 2013 China banned buying and selling Bitcoin or treating as currency
Used grounds of criminal activity and speculative risk
Exchanges could still operate, but had to obey KYC/AML laws
Using loopholes, China became 98% of exchange volume by December 2016:
- Selling redeemable voucher codes instead of BTC directly
- Deploying ATMs to convert physical cash to BTC
- Using corporate/personal bank accounts
In 2017, Chinese government really clamped down on Bitcoin
Warned exchanges to comply with 2013 law and banned ICOs
In September ordered all exchanges shut down
Early 2018 banned loopholes: OTC/peer-to-peer trading, foreign listings
Now China less than 1% of world exchange volume
But China still has great leverage over Bitcoin
ASIC manufacturers (including BitMain = 70% of market) located in China
*Mining* is a different story from exchanges:
80% of BTC mining by 6 pools, 5 of them managed from China
74% of hashing power controlled by Chinese pools
Doesn't mean all hashing located there, but still lots of control
Can set price of electricity to disadvantage Bitcoin
2018 trying to limit power subsidy for mining to scale down operations
Great firewall (GFW) and great cannon
Adds latency & throttles bandwidth, incentivizes mining empty blocks
One study: full blocks take 17.4 sec to cross GFW (vs. 3.9 sec)
June 2016: compact block relay optimization reduces empty blocks
Why might China still care about Bitcoin?
Make ideological statement against decentralization
Aid law enforcement (censor people to flush out illegal use of Bitcoin)
Increase control (e.g., disrupt non-Chinese mining pools)
Exert influence over anyone using Bitcoin outside China
What kinds of attacks is China well placed to carry out?
Censor transactions
Punitive or feather forking
Eclipse attacks
GFW/great cannon/ISP-level filtering can achieve equivalent to eclipse
De-anonymize transactions (Dan will say more in lecture 13)
GFW and domestic ISP monitoring will help a lot with this
Undermine consensus to destabilize the system
Finney, Goldfinger, or brute-force (51%) attacks
Balance attack - disrupt communication between mining groups
Cause well-intentioned miners to create deep forks