Only 20% of the hashrate is needed to attack BTC? Selfish mining author proposes new BDoS scheme, sparking debate

Preface: Researchers from Cornell University and IC3 announced that they have discovered a denial-of-service attack against blockchains that use the Nakamoto consensus protocol, which they call BDoS. This attack is much cheaper than previous DoS attacks (only 20% of the computing power is required). The researchers showed how attackers can induce rational miners to stop mining and proposed a mitigation measure.

This research has also attracted the attention of the crypto community. Ethereum founder Vitalik recognized it, and independent blockchain security auditor Sergio Demian Lerner said that this research is interesting. He mentioned that RSK can provide additional incentives to reduce miner problems (RSK is equivalent to providing uncle block rewards) and is therefore not affected by this attack.

Original paper authors: Michael Mirkin, Yan Ji, Jonathan Pang, Ariah Klages-Mundt, Ittay Eyal (proposer of selfish mining), Ari Juels (Professor of Computer Science at Cornell University)

Original paper link: https://arxiv.org/pdf/1912.07497.pdf

The following is a simplified translation of the blog post:

Denial of Service (DoS) attacks have been a problem since the dawn of the Internet. DoS attackers target a variety of services for fun and profit. Most commonly, they flood a server with so many requests that it becomes too busy to serve normal users.

The response is usually to prevent such attacks by identifying the source of the flood. Therefore, in a so-called distributed denial of service (DDoS) attack, the attacker must coordinate the flooding from multiple computers.

Fun fact: Distributed sources are often regular users’ machines that form a network of robots or botnets.

Cryptocurrencies such as Bitcoin are a particularly lucrative target for DoS attacks. In theory, futures markets and margin trading allow attackers to short a cryptocurrency and profit by driving down the price of that currency. Competing cryptocurrencies and governments concerned about the impact of cryptocurrencies on financial sovereignty are other potential attackers.

However, to our knowledge, no one has ever successfully conducted a denial-of-service attack on a major cryptocurrency in practice.

The reason is the decentralized nature of the blockchain protocol. In a blockchain, there is no central server that can be attacked. The machines that operate the blockchain are called mining machines, and they fully replicate the blockchain data. While attacks on individual machines are known to occur, the complete shutdown (or even control) of a few machines has little impact on the availability of the entire system.

More interesting fact: Bitcoin’s peer-to-peer network is built to be resistant to attack, having learned the lessons of botnets.

In fact, DoS attacks on blockchains like Bitcoin are known to be very expensive. The Bitcoin protocol proposed by Satoshi Nakamoto relies on Proof of Work (PoW) for security, where miners can only create blocks if they prove that they have spent resources (i.e. computing power) outside the system. The security of the blockchain can only be maintained when the majority of computing power in the system behaves appropriately. Therefore, in order to perform a DoS attack, the attacker must have more computing power than the sum of all other participants, i.e. a 51% attack. For major cryptocurrencies, a 51% attack is very expensive for most entities.

Such attacks were attempted during the “hash war” between Bitcoin ABC and Bitcoin SV in late 2018, but with limited success.

The Proposal of BDoS

We find that the inherent properties of the Nakamoto protocol expose it to a significantly cheaper DoS attack, exploiting the fact that blockchain protocols rely on security incentives. In blockchains, participants (miners) are rewarded for participating in cryptocurrency mining. When these incentives no longer promote good behavior, the system is in danger. We call this attack Blockchain DoS (BDoS), which exploits the rationality of miners, making it more profitable for them to break the rules than to follow them.

To be fully effective, the attacker needs to make miners aware of the attack and of the fact that deviating from the protocol will increase their profits. This strategic behavior is obviously not pre-programmed in the mining software. Therefore, we believe that this attack does not pose an imminent risk, because miners would have to reconfigure their mining equipment to maximize their profits when faced with the attack.

The existence of this attack is perhaps unsurprising, and is indeed a manifestation of the theory proposed by Bryan Ford and Rainer Böhme, who argue that the utility of analyzing systems from the perspective of rational agents is limited because extrinsic incentives are indistinguishable from Byzantine behavior.

Below we will outline the mechanics of this BDoS attack. But first, for those of you who are not familiar with Satoshi Land, let’s start with some background.

Background

The vast majority of cryptocurrencies use the blockchain protocol proposed by Satoshi Nakamoto for Bitcoin. In a Nakamoto consensus blockchain, all transactions in the system are placed in blocks, forming a growing chain of data. Miners extend this chain with new blocks consisting of new transactions and publish them to all other system participants. The rate of block production is regulated by requiring miners to include proof of work (solutions to cryptographic puzzles) in their blocks. (Blocks without PoW are invalid by definition.) To compensate miners for their efforts, the production of blocks is accompanied by some fixed reward (for example, the current fixed block reward for Bitcoin is 12.5 BTC). If miners mine honestly, then they are incentivized to extend the blockchain and receive corresponding rewards.

Since miners are spread all over the world, occasionally two or more miners will produce blocks at the same time, and these blocks have the same parent block, which results in forks, that is, multiple branches of the chain. To determine which chain is the main chain, the rule proposed by Satoshi Nakamoto is: the longest chain is the main chain, all miners should extend this longest chain, and blocks separated from the main chain and their rewards will be ignored.

To avoid losing rewards, miners start mining on the latest block as soon as they receive its metadata, that is, its header. This avoids wasting mining resources on old blocks and increases the chances of mining the next block. This is generally not a good practice and has attracted the attention of many security researchers. This header-based mining method is called SPV mining, after the Simplified Payment Verification (SPV) protocol that lightweight clients use to perform partial blockchain verification.

Attack

Our proposed BDoS attack can bring a blockchain to a standstill by manipulating rewards for rational miners.

The attacker can put the system into a state where the best action for rational miners is to stop mining.

To induce this state, the attacker generates a block BA and publishes only its header, as proof that the block exists. Given a header, a rational miner has three possible actions:

  1. It can extend the main chain and ignore the block header.

  2. It can extend the block header (SPV mining).

  3. It can stop mining, neither consuming computing power nor winning rewards.

If the rational miner follows option 1, extends the main chain, and finds and broadcasts a new block Bi, the attacker uses its relatively high connectivity (as in selfish mining) to broadcast the complete block BA corresponding to the published header. This leads to a race between two groups of miners: one group receives the attacker's block first, and the other receives the rational miner's block first.

With a certain probability, the rational miner loses the race and block Bi is never included in the main chain. This reduces the expected reward of mining on the last complete block compared to the "no attack" case.

If the rational miner follows option 2 and successfully extends the attacker's block header BA, the attacker never publishes the complete block BA. The rational miner's block is therefore never included in the main chain, so its expected reward is zero.

Therefore, if the raw profitability in the “no attack” setting is not too high, in both cases the attacker can ensure that the honest miners will eventually lose money. Therefore, the threat of BDoS attackers means that honest miners are better off giving up rather than choosing to mine, that is, choosing the third option. As the movie “War Games” said, “The only way to win is to not participate.”

Under what conditions can a BDoS attack be successful?

We now explain the success conditions for a BDoS attacker. Specifically, we ask when, for a particular rational miner i, it is more profitable to stop mining than to continue mining, regardless of the behavior of other participants. The answer depends on three factors: first, if the attacker holds enough computing power, the attack will succeed; second, if miner i has enough computing power, the attack will succeed; finally, if miner i is not very profitable to begin with, the attack will succeed.

The profitability factor for miner i is the return on every dollar of investment he or she would have made in the mining operation if no attack had occurred.

The following graph shows the maximum return on a successful attack for different attacker sizes (X-axis) and miner sizes (different curves).

In our analysis, we used a property called the profitability factor, which represents the return per dollar invested. This depends on the mining equipment and electricity costs, as well as the price of the relevant cryptocurrency.

To give a specific example, if the largest miner holds 20% of the total network computing power, then an attacker with 20% of the total network computing power can incentivize all miners to stop mining when their profitability factor falls below 1.37.

Currently, for Bitcoin, at an electricity price of $0.05/kWh, the profitability factor of a Bitmain S17 Pro miner is close to 2, while that of an S9 is close to 1. If the price of the coin drops significantly, attackers will be able to incentivize existing miners to stop mining, causing the Bitcoin network to stop operating completely.

Additionally, the Bitcoin block reward is expected to halve in 2020, which will correspondingly reduce miners’ profitability.

The two-coin model

Note that our model is conservative and in a sense underestimates the attacker's chances. So far, we have assumed that a miner can either continue mining or stop mining if the profit is 0. However, cryptocurrency miners often switch their mining work to a second cryptocurrency, even temporarily. If the initial profitability of both coins (before the attack) is similar, then it is almost always profitable to switch to the other coin when the attack occurs. This means that the threat of an attack in this case, which we call the two-coin model, is even higher than our analysis above shows. In fact, the two-coin model is more in line with realistic scenarios. For example, there is evidence that miners often switch their work between BTC and BCH, depending on the profitability ratio.

Mitigation measures and disclosure obligations

Instead of renting mining equipment to carry out the attack, or shorting Bitcoin and running for cover, we followed best practices for security research, which involved a period of responsible disclosure. We alerted the developers of the major affected cryptocurrencies to the attack and discussed mitigation measures.

We propose a small change to the consensus rules so that miners give lower priority to blocks whose headers are older than their bodies by more than some threshold time (e.g. 1 minute).

This will increase the chances of an attacker losing the block propagation race, thus reducing the effectiveness of BDoS attacks.
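A sketch of this tie-break, added here as an example (it is not code from the paper or from any client). The `Candidate` structure, the `choose_tip` function and the sample timings are constructed, and it assumes the lower priority applies only between fully received blocks of equal height:

```python
from dataclasses import dataclass
from typing import List, Optional

THRESHOLD_S = 60.0  # the "1 minute" example threshold from the text


@dataclass(frozen=True)
class Candidate:
    """A competing chain tip as seen by one node (hypothetical structure)."""
    name: str
    height: int
    header_seen: float           # local time the header first arrived (s)
    body_seen: Optional[float]   # local time the full block arrived; None = header only


def stale_header(c: Candidate, threshold: float) -> bool:
    """True if the header was known more than `threshold` seconds before the body."""
    return c.body_seen is not None and c.body_seen - c.header_seen > threshold


def choose_tip(cands: List[Candidate], threshold: float = THRESHOLD_S) -> Optional[Candidate]:
    """Longest chain first; among equal heights prefer blocks without a stale
    header, then the body that arrived first (the usual first-seen rule)."""
    full = [c for c in cands if c.body_seen is not None]  # header-only tips are not adoptable
    if not full:
        return None
    top = max(c.height for c in full)
    tied = [c for c in full if c.height == top]
    return min(tied, key=lambda c: (stale_header(c, threshold), c.body_seen))


# Constructed timeline at one node: the header of BA is announced at t=0, its body
# is withheld until a competing block Bi appears, then arrives slightly earlier.
RACE = [
    Candidate("BA", height=101, header_seen=0.0, body_seen=300.1),
    Candidate("Bi", height=101, header_seen=300.3, body_seen=300.4),
]

if __name__ == "__main__":
    print("first-seen only :", choose_tip(RACE, threshold=float("inf")).name)
    print("with threshold  :", choose_tip(RACE).name)
```

With an infinite threshold the function reduces to plain first-seen selection, so the two calls show the same race decided with and without the rule.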

Unfortunately, this countermeasure is not fundamental. As we explain in the paper, an attacker can use smart contracts or zero-knowledge (ZK) proofs to prove that they found a block (rather than publishing a block header). Using these techniques, the attacker's blocks in the block propagation race are indistinguishable from rational miner blocks, rendering the mitigation technique ineffective.

Another possible solution to BDoS attacks is to use uncle block rewards, as Ethereum does. Uncle block rewards reward miners for mining blocks that are not on the main chain (but are directly connected to the main chain). If uncle block rewards are used, the chance of a rational miner stopping mining during a BDoS attack is much lower, because even if it loses the game, it will still receive a reward (equivalent to 7/8 of Ethereum's full block reward). However, this is a trade-off, as uncle blocks reduce security against selfish mining attacks.

Conclusion

BDoS is a threat to Nakamoto consensus blockchains because it allows attackers to perform denial of service attacks using far less computing power than previous attacks. We have shown how attackers can distort incentives and induce profit-seeking miners to stop mining. The mitigation we proposed is easy to implement (no network fork is required), but only affects specific BDoS attacks. Without stronger mitigations, the liveness of Nakamoto consensus blockchains depends on miners' willingness to comply with the protocol in the face of revenue loss, i.e. altruism.

All the details are in our technical paper.

We would like to thank IC3 Community Manager Sarah Allen for her help in writing this blog post.
