Wednesday, 30 March 2016

A bribe attack is ongoing


First of all, I should note it's not a big deal and there are no reasons to panic or anything, but it's just remarkable that the thing we knew is theoretically possible is happening now.To provide background on this kind of attack I need to start from fundamentals. Here's the security assumption from the Bitcoin paper:The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.Originally mining was done by users themselves, it was a part of node/wallet software. However, later it became more specialized.Hashing, running nodes and using Bitcoin are completely separate things nowadays when pooled mining is commonplace. That is, somebody can "mine" bitcoins using his hashing hardware without running a node. (And, perhaps, without even being a Bitcoin user, as a "miner" can auto-convert his revenue to dollars.)Calling this "mining" isn't quite accurate. More precisely it can be described as renting (that is, mining pools rent hashing hardware of so-called "miners") or paying for a service (mining pools pays a "miner" for the efforts he's performed).Some "miners" believe that they receive bitcoins they created, but it's not true in a general case. One thing is that more often then not, individual miners fail to solve the block, but are still compensated for their efforts (not for results). Also pools generally have reserves which they use to smooth out reward payments, thus rewards miners receive do not necessarily come from freshly mined bitcoins.Now let's recall that hashpower is intimately linked to the security of the network. Attacker who controls a significant portion of total hashpower might be able to perform double-spend attacks (e.g. see Meni Rosenfeld's Analysis of Hashrate-Based Double Spending) or denial-of-service attacks (he might mine empty blocks).It is usually understood that these attacks are practically unfeasible, as overpowering the honest network would require enormous amounts of hardware, energy, etc. However, there are several different attack model.The most primitive one was relevant back when mining was done on CPUs: an attacker could rent CPU power from a cloud provider such as Amazon and try to do a double-spend reorganization or a 51% attack. It's fairly easy to do calculations within this model as the cost of an attack is known (for a certain difficulty) and one just needs to compare it to potential profits attacker might get.But CPU mining is irrelevant now, attacker would need specialized hardware to have a chance. This makes attack much more complex, as attacker needs to buy hardware, deploy it, start mining... And once attack is complete, he needs to do something with that hardware. It's generally understood that parties who own hashing hardware will be reluctant to perform attack because a successful attack can drastically decrease the value of the hardware they own. Thus it can be said that ASICs made Bitcoin much more secure due to this stickiness.But wait... what if an attacker rents hardware instead of buying it? It's much simpler than buying hardware: no complex logistics, little overhead, no concerns about how an attack would affect hardware price. Attacker would need to pay slightly above the market price to make sure he gets more than a half of total hashpower to make sure that it's statistically certain his attack can succeed.This can be describe as a sort of a bribe. Normally miners get block rewards (subsidy + fees). Attacker adds a bribe to it, making it subsidy + fees + bribe. This is attractive to miners as it pays more. Once attack is successful, attacker receives subsidy + fees + attack profit. Thus his cost is(subsidy + fees + attack profit) - (subsidy + fees + bribe) = attack profit - bribe Note that bribe can be arbitrarily small, it should be just enough to get miners interested. It can be 1% of a subsidy, for example. E.g. suppose attacker wants to earn 1000 BTC by double-spending, he gives a 10 BTC bribe to miners to orphan some of the recent blocks and pockets 990 BTC.The cost of this attack can be arbitrarily small, but it requires a lot of a capital and is also quite risky. And also it's not possible right now because miners do not just rent their hashpower to the highest bidder, they use mining pools they trust. Thus there's no way for the attacker go get more than 50% of total hashpower to be successful with this attack.There are, however, pools which allow people to rent hashpower. For example, NiceHash. It currently has 16 PH/s of SHA256 hashpower (according to the stats they publish), thus controlling around 1% of total hashpower. NiceHash allocates hashpower to highest bidder, and thus it can be potentially used for attacks I described above. But currently it's too small to have any effect.So this is just something to keep in mind. Pools like NiceHash are evil, they can potentially destabilize Bitcoin if more than a half of total Bitcoin's hashpower will be rented out on pools like this. It is important for miners to choose legitimate pools.So until now I thought that a bribe attack is just a curiosity in context of Bitcoin (it might be more relevant for alt-coins with much weaker hashpower), but today I was surprised with the fact that somebody tries to pull it off right now.There's a post on /r/btc: Someone just donated 16 BTC towards Classic Hashpower. We are now at 2 Petahash/sec on Slush pool. Thank you, donator. The fund is at 30 BTC and recycling the mining rewards over and over..This is exactly the bribe attack, but they aren't using for double-spending or DoS, but on an attempt to hard-fork Bitcoin. Basically it's an attempt to artificially prop up Classic hashpower a little, and is good only for PR. But still it's something we should be aware of, I think.NodeCounter site the link points to is absolutely hilarious, BTW, totally recommend:Bitcoin development has been bought out by a private company called "Blockstream". Blockstream has directed the crippling of Bitcoin in order to provide the solution, for their own future, financial gain.(I hope moderators won't remove my post. /r/btc is currently being advertised in the sidebar of this subreddit, so every visitor is already one click away from learning information about "Classic Hashpower". I see absolutely no point in censoring this information.) via /r/Bitcoin http://bit.ly/1pKt1Rd

No comments :

Post a Comment