Ideological vulnerability, attack on cryptocurrency mining pools
All mining pools, including p2pool, share one very simple and unpleasant ideological vulnerability that makes it possible to reduce the pool's total income relative to its total hashrate. An attacker can 'punish' the pool by an amount comparable to the income earned by the attacker's own hashrate, in effect the entire reward the pool pays him. The greater the attacker's hashrate and the longer the attack lasts, the more likely it is that the pool's loss approaches this value. Most importantly, such an attack costs the attacker practically nothing.
This is especially relevant for owners of large amounts of hashrate, comparable to that of the pool itself.
This is not a vulnerability of the bitcoin protocol, because the attack works against any modern cryptocurrency, and it is not a vulnerability in the code of mining pools. It is an ideological vulnerability in the way rewards are calculated in distributed computing.
Mining pools pay their users not for the blocks found but for the hashrate that users bring to the pool. Absolutely all existing payout schemes (PPS / PPLNS / Prop / ...) pay for the shares received by the pool: partial solutions, any one of which may turn out to be the solution the pool is actually after, the one that completes a block in the bitcoin network. The problem is that a miner who finds a solution knows whether it is such a block solution or an ordinary share. This is determined by the difficulty that the particular solution satisfies: if it is greater than the network difficulty, the solution is a block solution.
For example, the popular cgminer utility displays information about each share found in its window.

For example, this line: [2013-03-10 20:17:16] Accepted 03316740 Diff 80/52 AVA 0 pol 0
Here 80 is the difficulty that this share satisfies as a solution, and 52 is the difficulty the pool requested when it issued the work to the miner. The pool pays based on this difficulty of 52.
It is enough for the attacking miner not to send the pool the solutions that would solve a block (i.e., those with difficulty >= the current network difficulty); this takes a few modified lines in the miner code (in the screenshot above, this difficulty is shown as 4.37M). The pool will still pay for the remaining shares, but it will never receive a block from this miner! The cost of the attack thus works out, for the PPS payout method, to one single share for each block the pool loses; for other methods, the estimated cost of the attack is comparable to a fraction of the damage caused, equal to the ratio of the pool's hashrate to the attacker's hashrate.
This means that if an attacker keeps this up for long enough, he will drive a PPS pool into debt, or significantly reduce the earnings of the pool's users under other payout methods. To the pool, it will look like a prolonged run of unusually bad luck.
Such an attack can be detected statistically, simply by comparing a miner's hashrate with the number of blocks he has found. But the most the pool can do is ban the intruder after a successful attack, and it will not be difficult for the attacker to create a new account.
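The statistical check described above, as an added example that is not part of the original article: it treats an honest miner's block count as Poisson-distributed with mean (credited work / network difficulty) and flags accounts whose count is implausibly low. The function names, the sample accounts and the 0.001 significance level are assumptions; 4.37M and 52 are the difficulties quoted in the article.

```python
import math

NETWORK_DIFFICULTY = 4.37e6   # the "4.37M" figure quoted in the article

def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam), summed term by term."""
    term = total = math.exp(-lam)
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return total

def audit(miners, network_difficulty=NETWORK_DIFFICULTY, alpha=0.001):
    """Return {name: (expected_blocks, p_value, flagged)}.

    credited_work is the sum of the difficulties the pool paid for
    (52 per accepted share in the article's log line). A share credited at
    difficulty d solves a block with probability d / network_difficulty, so
    an honest miner's block count is ~Poisson(credited_work / network_difficulty).
    """
    threshold = alpha / len(miners)          # Bonferroni: every account is tested
    report = {}
    for name, (credited_work, blocks_found) in miners.items():
        lam = credited_work / network_difficulty
        p = poisson_cdf(blocks_found, lam)   # chance of being this unlucky or worse
        report[name] = (lam, p, p < threshold)
    return report

def min_work_to_flag(n_miners, network_difficulty=NETWORK_DIFFICULTY, alpha=0.001):
    """Credited work a zero-block account needs before it can be flagged at all:
    exp(-lam) < alpha / n  <=>  lam > ln(n / alpha)."""
    return network_difficulty * math.log(n_miners / alpha)

# Constructed sample accounts (hypothetical): name -> (credited work, blocks found)
SAMPLE = {
    "miner_a": (52 * 1_000_000, 0),   # large account that never returns a block
    "miner_b": (52 * 1_000_000, 9),   # same size, ordinary luck
    "miner_c": (52 * 100_000, 0),     # small account: zero blocks proves nothing
}

if __name__ == "__main__":
    for name, (lam, p, flagged) in audit(SAMPLE).items():
        print(f"{name}: expected={lam:.2f} p={p:.2e} flagged={flagged}")
    print(f"work needed to flag a zero-block account: {min_work_to_flag(len(SAMPLE)):.3g}")
```

miner_c shows the limit of this check: with about 1.2 expected blocks, finding none is unremarkable, so an account can only be flagged after the pool has already paid it for a large amount of work.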
One motive for this attack is competition between mining pools: if the attacking pool hides from its miners the work they are solving (this happens with old mining protocols, unlike newer ones such as stratum), it can redirect some or all of its hashrate to the attacked pool, where it appears as ordinary clients.
But even with the latest protocols, how many miners actually check what work the pool gives them? None of the mining clients known to me performs this check or provides a mechanism for specifying conditions under which it could determine whether this is the work the pool promises. At most, a message is displayed if the pool continues to hide the contents of the block being assembled when using the new stratum protocol.
Update: thanks to Balthazar, here are links to a more detailed analysis of the various payout methods used by pools:
bitcointalk.org/index.php?topic=32814.0
bitcoil.co.il/pool_analysis.pdf
bitcoin.stackexchange.com/questions/4943/what-is-a-block-withholding-attack
permalink.gmane.org/gmane.comp.bitcoin.devel/1112
bitcoin.stackexchange.com/questions/1338/how-is-block-solution-withholding-a-threat-to-mining-pools