Mining Attacks and Interference

Introduction

In this article, I discuss some security challenges Bitcoin and related network have regarding the conservation of their system integrity, mostly with the process of validating transactions undergone by miners and/or validators.
There are many different ways that users can interact with a blockchain network. I like to think of their interactions in terms of type(s) of users that either facilitating and/or utilise the network:

• Miners/Validators – The same as a full node on the network. They unfailingly enforce a set of rules when considering the validity of each block and their transactions as they maintain the complete history of the blockchain.
• Operators/Speculators – Your typical individual that either holds part ownership of the network resource(s) and/or regularly interacts with the network either by observing or signing transactions that get inserted into blocks. This could be a user of a decentralised application that relies on blockchain interactions, or one that stores their own share of Bitcoins and regularly sends/receives them with other users. (Includes Developers/Services)
• Developers/Services – Facilitators of services such as the creator of a decentralised application that relies on interactions with the blockchain for handling transactions or storing information.
  However, issues arise between these types of agents when they interact since often at times, their interests aren’t aligned, particularly between miners/validators and other types of users. It is the role of the consensus rules to try and best align these interests and ensuring the security, availability and integrity of the network.
  There are a couple types of attacks and interferences that miners may exercise that target users of the network either for political motivational reasons, or financial and I try my best to cover some existing and proposed countermeasures that make these kinds of attacks difficult and prohibitively expensive, if not impossible.

The Double Spend Problem

When used correctly, base-layer transactions that get published to decentralised sovereign blockchains are irreversible and final. And it is the assortment of various elements including mining, proof-of-work, difficulty, etc. that exist to ensure that it is computationally and/or financially impractical to modify any of the blockchain’s history.
It was through the deviation of these core mechanisms and smart application of economic principles that enabled the creation of Bitcoin. Without them, transactions would not be able to be treated as irreversible and final, severely limiting their use-cases.

Double-spending is the result of successfully using the same money more than once or in the context of execution of smart-contracts, receiving excess utility from a second form of computation. (E.g. registering a product in two separate jurisdictions for separate benefits) Users can protect themselves from double-spends by waiting for confirmations when receiving payments or observing blockchain state transitions.

It is because of these game theory mechanisms that makes double-spends incredibly difficult to pull off in reality. However, although historically there have been few instances where they’ve successfully occurred, they’re still an imminent threat and users should still remain cautious. The most famous successful double-spend in practice was in November 2013, where it was discovered that the GHash.io mining pool appeared to be engaging in repeated payment fraud against Betcoin Dice, a gambling site. They used their mining power to manipulate transactions being made through the service that used only one transaction per bet and didn’t wait for any confirmations.

Double Spend Attacks

There are a number of different kinds of double-spend attacks that regular users with or without the collusion with miners may use to defraud merchants service providers. I provide a brief overview of a couple of these methods of attack:

Race Attack

Incredibly susceptible to merchants that process “0/unconfirmed”, the race attack is an attempt by a fraudster to double-spend by sending a transaction paying the merchant directly to the merchant, whilst also sending a conflicting transaction sending the same resource to themselves to the rest of the network. There is a high degree of certainty that the second conflicting transaction would get prioritised by miners over the first seeing as its been observed by a larger number of miners.

Merchants are able to take precautions to lessen the risk of this type of attack by disabling incoming connections and choosing specific outgoing connections.

Developers must take this factor into account when making the decision to honour “0/unconfirmed” transactions.

Taken from “Two Bitcoins at the Price of One? Double Spending Attacks on Fast Payments in Bitcoin” By Ghassan O. Karame, Elli Androulaki, Srdjan Capkun

The only way a Merchant can take precaution against this type of attack is to await block confirmations.

Vector76/One-confirmation Attack

This type of attack is a combination of the race attack and Finney attack and merchants are susceptible to it even though they are listening for 1 confirmation on each incoming transaction. A successful attack costs the attacker one-block’s worth of ‘transaction fees’ + ‘block reward’ and consists of the attacker sending the merchant the block they’ve generated along with their fraudulent transaction included.

Similarly, by disabling incoming connections and choosing specific outgoing connections, merchants/service providers are able to significantly downsize the risk of these kinds of attacks.

Majority Attack

Also known as the 51% attack or >50% attack. This attack is only possible when a miner controls a majority of the network mining power (>50%) and means they can generate blocks faster than the rest of the network. This lets them preserve their own version of the blockchain and fork whenever the blockchain built by honest miners becomes longer. By holding the majority of the network mining power, the attacker may also conduct a variety of other attacks including censorship/blacklisting. They are also capable of conducting double-spends easily as they have huge control over the consensus of the protocol and can catch-up and over-rule the longer chain at the time after n confirmations.

By monitoring the number of confirmations required for transactions, merchants can still have strong reassurance against majority attacks as the blockchain becomes harder to fork.

Game Theory & Network Attacks

Alongside double-spend attacks, there are a couple other types of ‘attacks’ that have been theorised. The majority of these types of attacks are thought to be feasible for execution by miners that meet a required fraction of the overall mining power. Some game theorists claim that Bitcoin and similar protocols are incentive incompatible and will result in unexpected behaviour made by agents within the system despite these strategies never being observed in-practice on the Bitcoin main-net in the almost 10 years that its operated for. This leads to the common expression that the bitcoin protocol works out a lot better in-practice than on paper and has made it a hot research area right now among economists.

Below I highlight just a handful of these proposed strategies that divert from the default ‘honest’ mining strategy yielding more profit whilst also disrupting performance. You can find more detailed explanations by Max Feng in his BPASE18 presentation.

Eclipse Attack

When a large majority of peers to a node maliciously misinform the node and prevents it from being well-connected with the rest of the network. The eclipse attack is targeted at a single party and is able to then control the information flow. [A comprehensive explanation] Eclipse attacks can be used to control the blocks the victim sees, and leaves them vulnerable to double-spend attacks.

Sybil Attack

When a malicious actor tries to spam the network by impersonating multiple identities/nodes and attempting to subvert the network’s reputation system. Sybil attacks are network targeted but aren’t particularly as harmful in PoW since consensus rules often have Sybil-resistance baked-in and any deviation will lead to DoS bans.

Selfish Mining

In 2014, Ittay Eyal and Emin Gun Sirer published a paper titled “Majority is not Enough: Bitcoin Mining is Vulnerable” where they claimed Bitcoin was not incentive compatible and introduced the concept of “Selfish Mining”.

This strategy involves a miner withholding from broadcasting their own discovered blocks within the network, in order to gain advantage at mining for the subsequent block(s) over other nodes. The idea is for a miner to try and find two blocks before other nodes are able to find the next one.

Success with this method is found when a miner has found a second block in subsequence to the first discovered block before the rest of the network has found the first.

Taken from “Game Theory and Network Attacks: How to Destroy Bitcoin” - Max Fang

In the off-chance that another miner is able to discover a block before you’re able to generate your subsequent second block, you would immediately broadcast your first block and it becomes a race to propagate your block through the network for acceptance before the competitor. (This is where one of the concerns over viability arises)

• But if on average your block manages to propagate to 50% of the network before the competitor, this malicious selfish strategy becomes more profitable when your mining power is greater than ~25% of the overall network’s mining power.
• And in the case where you have greater than ~33% mining power, the strategy is more profitable even in cases where you lose the race each time.

However, there is some backlash to some claims made in the analysis. Mainly that the authors commit the fallacy of incorrectly identifying a strictly dominating strategy that must conform to the following as per the game theoretic definition of one:

1. There are situations where strategy A is a better choice than strategy B, and
2. no matter what the other players do, strategy A is never a worse choice than strategy B.

In their paper, they say “we have shown that selfish mining dominates the honest Bitcoin protocol” which is really arguing that “selfish” wins against “honest” – which implies part (1) of the definition, but they don’t provide sufficient evidence to suggest that (2) also holds. There isn’t sufficient evidence to suggest that selfish mining would yield a higher payoff, but introduces an alternate mining strategy that could have an adverse impact on other users. This strategy also gets developed into the generalised strategy of stubborn mining briefly explained next.

Stubborn Mining as a generalization of Selfish Mining

It was in a paper published by a group of researchers titled “Stubborn Mining: Generalizing Selfish Mining and Combining with an Eclipse Attack” that a more generalizing selfish mining strategy was proposed that captured more variables and included the block propagation race into the model (something that was of some contention in the selfish mining paper proposition). Using a Markov chain representation, they were able to systematically explore more of the strategy space <See images below>. In combination with stubborn mining, they discuss how additional exploitation of network-level attacks can further increase the miner’s gains. In particular, with a successful eclipse attack.

Markov representation of strategies (Nayak, Kumar, Miller, Shi)

The group of researchers also identified via simulation which circumstances certain strategies were dominant depending on the available hash power and the network’s preference of mining on either chain.

Graph displaying optimality of each strategy given parameters

Although more research is required to assess the viability of these types of strategies, there has already been many suggested alterations to the protocol that could help mitigate the viability of these selfish mining attacks:

• Uniform Tie Breaking (2014) – In the case of a tie between proposed blocks that a miner receives, the miner randomly picks which chain to mine. This helps prevent information asymmetry and network-level dominance from an attacker.
• Unforgeable timestamps (2014) – Miners include the latest unforgeable timestamp issued by a trusted party into the block, and when two competing blocks are received with a fixed time period, the more recent block is picked. This discourages refraining from broadcasting discovered blocks.
• ‘Publish or Perish’ Fork-Resolving Policy (2017) – Ren Zhang and Bart Preneel propose a change to the current fork-resolving policy replacing the current length-based policy with a weighted policy and unlike the two tie-breaking defences mentioned above, this policy would also disincentivize selfish mining even when they have the longest chain. The algorithm doesn’t achieve incentive compatibility but is a step in the right direction.

Zhang and Preneel’s Weighted Fork-Resolving Policy:

1. if one chain is longer than the others by no less than k blocks, a miner mines on the longest chain;
2. otherwise the miner chooses the chain with the largest weight;
3. if the largest weight is achieved by multiple chains simultaneously, the miner chooses one among them randomly.

Blacklisting transactions

Another type of attack presented by Max Feng is the censoring of transactions coming from a particular wallet address owned by an individual as a form of blacklisting, limiting the number of transactions they can make. This is achieved through deliberate forking in conflicts with a chain that features an unwanted transaction:

• Punitive Forking – If the attacker has 51% majority, they’re able to repeatedly fork and create longer chains and invalidating unwanted transactions which will never get published. Eventually other miners will stop including these transactions as it impedes on their profit-making ability.
• Feather Forking – An alternate forking method that doesn’t require 50% majority of mining power. Feather forking consists of announcing to the network that you’ll attempt to fork if the newly discovered block contains a specified transaction, but that you’ll give up after a fixed number of confirmations. This serves as a threat to other miners, who are now pressured to not include the transaction(s) if they wish to not have their block potentially invalidated.
  The effect this has on the victim is that they now must “bribe” miners to include their transaction into blocks by including a significantly higher transaction fee.

Mining Pool Collusions

One of the major reasons that miners organise themselves into pools is in order to minimize the variance of everyone’s earnings over a duration. Whilst you would only receive a payment each time you generate a new block, for a small miner without much mining power, the odds that they generate a block are low, but by colluding they’re able to work together with others to mine on the same block, and consequently share the payment and allowing regular payment. This does not directly pose as a threat to the reliability of the system, but by controlling a large portion of mining power, it opens up the possibilities of other kinds of attacks discussed above.
On a slightly unrelated note but of interest is the fact that bitcoin mining is zero sum. If one miner increases their earnings, someone else must lose out. This leads to interesting cases where by colluding with other miners to form a network majority, your pool could conduct attacks against chains developed by excluded miners, reducing their share of payments and leading to greater degree of mining centralisation.

Mining Strikes

Not necessarily what could be considered direct attack, but of a nuisance, is where a miner(s) temporarily refuses to mine any blocks and provide proportional security to a particular network. There could be a variety of reasons that a miner would do this, but usually to add political pressure for a certain feature. Another consequence of this is that the duration of block confirmations becomes longer temporarily before a readjustment, causing inconvenience to merchants and users that might have to pay greater transaction fees as a consequence as well. This attack however is a lot more expensive than most others given miners committing the strike would be foregoing fees which equate to $millions/day at the time of writing this article.

Further Mining Interference

Up until now, I have mostly discussed attacks stemming from miner’s having control over significant proportions of the network’s mining power within the context of handling pending transactions without much consideration for the differences between those transactions unless in the double-spending instance where the sender/recipient matters. However, transactions don’t just consist of instructions dictating value transfer from wallet address A->B. Depending on the blockchain, there is a different instruction set available. Ethereum is famous for having one of the most expressive ranges of available instructions which transactions could include, that makes it considered as being close to Turing-complete.
This feature-full instruction set is what lets developers build what are described as ‘Decentralised Applications’ that rely on an assortment of ‘smart contracts’ that act as autonomous agents on the blockchain facilitating trusted interactions in the form of transactions with users.
In his education series titled “Miners Aren’t Your Friends”, James Prestwich covers some of the sly tactics that miners may use that would interfere with the processing of these types of transactions and interactions between D-Apps and users.

Transaction Reordering

When transactions depend on the preceding calls of other transactions that change the state, the miner may choose to re-order them when inserting them into a generated block. This leads to the dependant transaction failing since it’s been ordered first. The application would then have to resubmit another transaction, wasting gas.
Contract developers should plan for this accordingly otherwise they risk their users from paying excess gas fees or other potential harm.

Transaction Insertion

Also referred to as ‘front-running’, this is where the miner submits their own transaction ahead of others’ within blocks they generate. This could be done for a variety of reasons but allows the miner to often be the recipient of money or a deal that would otherwise belong to a regular user.
This is a major hurdle that designers of decentralised exchanges that facilitate the exchange of value must account for, and Will Warren from the 0x project has contributed valuable discussion on ways this issue can be addressed.
Miners also have a great advantage when it comes to exploiting weaknesses in existing systems such as the flaw discovered in the Bancor exchange a couple months ago.
What is better than providing a bigger bribe to miners to process your transaction? Being the miner yourself.

Forced Errors

An application of transaction reordering and insertion, where a miner is able to get a fee for refusing to do work. They achieve this by causing calls to error out by modifying the state ahead of time to one the call doesn’t expect. The ideal block for a miner is one full of transactions that have errored out and minimally changed the state, requiring the user to spend even more in fees.
Contract developers can combat this tactic by reviewing revert and require statements. Chances are that if a call relies on a state that can be immediately changed by another user, it is susceptible to this vulnerability.

Censorship

Similar to how miners may censor transfer transactions, miners may also choose to censor calls to smart contracts and system interactions.

Conclusion

These types of issues have been on the minds of many within the blockchain community for the longest time, and it is evident that a lot more research has to be done before we can arrive at an ideal set of governing protocols to drive consensus. While analysing many of these kinds of attacks, it is important to recognise that many of them are self-destructive and damages the network. Acquiring majority mining power definitely isn’t cheap and by harming the network, it’s like “killing the goose that lays the golden eggs”.
Also, by exercising a miner’s access to a majority of mining power, they’re still not able to:

• Take any coins already possessed by individuals.
• Change the rules of the network.
• Hurt anyone without hurting themselves to some degree.

It is hard to predict how things will turn out in the long-run as blockchain networks attract more wider adoption. But with more networks beginning to operate live, we’ll start to see what proves secure and what doesn’t. There will most likely exist a multitude of blockchain networks, each providing security for particular kinds of operations and they’ll be interoperable, and not a one size fits all type solution.

Resources

I’ve been able to source a lot of information covered in this article from the following sources which I’d recommend visiting if you’d like to read further.

• Presentations at the “Blockchain Protcol Analysis and Security Engineering 2018” conference.
• Bitcoin Wiki
• https://freedom-to-tinker.com/2013/11/11/game-theory-and-bitcoin/
• Comments and Analysis from CITP
• Vitalik Buterin's blog posts on consensus and governance issues