Only 20% of hash power required to attack BTC? Selfish mining author's new BDoS scheme sparks controversy

Foreword: Researchers from Cornell University and IC3 announced that they have discovered a denial-of-service attack against blockchains that use the Nakamoto consensus protocol, which they call BDoS. It is far cheaper than previous DoS attacks (only 20% of the computing power is required). The researchers showed how attackers can induce rational miners to stop mining, and proposed a mitigation measure.

This research has also attracted the attention of the crypto community. It was recognized by Ethereum founder Vitalik, and independent blockchain security auditor Sergio Demian Lerner said the research was interesting. He mentioned that RSK can provide additional incentives in order to reduce this problem for miners (RSK is equivalent to providing uncle block rewards), so it is not affected by this attack.

Original authors: Michael Mirkin, Yan Ji, Jonathan Pang, Ariah Klages-Mundt, Ittay Eyal (who proposed selfish mining), Ari Juels (Cornell University Professor of Computer Science)

Link to original paper:

Here is a simplified version of the blog post:

Since the birth of the Internet, denial-of-service (DoS) attacks have been a headache. DoS attackers target a variety of services for fun and profit. In the most common scenario, they send a large number of requests to a server, leaving it too busy to serve normal users.

The countermeasure is usually to prevent such attacks by identifying the source of flooding. Therefore, in a so-called distributed denial of service (DDoS) attack, the attacker must coordinate flooding from multiple computers.

Fun fact: The distributed sources are usually ordinary users' machines, which together form a robot network, or botnet.

Cryptocurrencies such as Bitcoin are a particularly profitable target for DoS attacks. In theory, futures markets and margin trading allow attackers to short a cryptocurrency and make profits by driving down the price of that currency. Competing cryptocurrencies, and governments worried about the impact of cryptocurrencies on financial sovereignty, are other potential attackers.

However, as far as we know, in practice, no one has performed a successful denial-of-service attack on important cryptocurrencies.

The reason is the decentralized nature of the blockchain protocol. In a blockchain, there is no central server that can be attacked. The machines that operate the blockchain are called miners, and each of them fully replicates the blockchain data. Although attacks on individual machines are known to have occurred, completely shutting down (or even taking control of) several machines has little impact on the availability of the entire system.

Another fun fact: Bitcoin's peer-to-peer network was built to withstand attacks, and it learned the lessons of botnets.

In fact, DoS attacks against blockchains like Bitcoin are known to be very expensive. The Bitcoin protocol proposed by Satoshi Nakamoto relies on proof of work (PoW) for its security. Miners can only create blocks if they prove that they have spent resources (i.e., computing power) outside the system. The security of the blockchain is maintained only as long as most of the computing power in the system behaves properly. Therefore, to perform a DoS attack, an attacker must hold more computing power than all other participants combined, that is, mount a 51% attack. For major cryptocurrencies, 51% attacks are very expensive for most entities.

This type of attack was tried in the "hash war" between Bitcoin ABC and Bitcoin SV at the end of 2018, but its success was limited.


We found that an inherent characteristic of Nakamoto's protocol exposes it to significantly cheaper DoS attacks. We take advantage of the fact that blockchain protocols rely on incentives for their security. In a blockchain, participants (miners) are rewarded for taking part in cryptocurrency mining. When these incentives no longer promote good behavior, the system is at risk. We call this attack Blockchain DoS (BDoS); it exploits the rationality of miners by making it more profitable for them to violate the rules than to follow them.

To be effective, the attacker needs miners to be aware of the attack and to realize that reacting to it increases their profits. This strategic behavior is obviously not pre-programmed in the mining software. Therefore, we believe that this attack does not pose an imminent risk, because miners would have to reprogram their mining equipment to maximize their profits when facing the attack.

The existence of this attack may not be surprising; it is indeed a manifestation of the theory proposed by Bryan Ford and Rainer Böhme. They argue that analyzing a system from the perspective of rational agents is of limited use because, once external incentives exist, rational behavior cannot be distinguished from Byzantine behavior.

Below we outline the mechanism of the BDoS attack. But first, for those unfamiliar with Satoshi Nakamoto's protocol, let's start with the background.


Most cryptocurrencies use the blockchain protocol proposed by Satoshi Nakamoto for Bitcoin. In a Nakamoto consensus blockchain, all transactions in the system are placed in blocks that form a growing chain of data. Miners extend this chain with new blocks made up of new transactions and publish them to all other system participants. The rate of block production is regulated by requiring miners to include a proof of work (a solution to a cryptographic puzzle) in their blocks. (Blocks without PoW are invalid by definition.) To compensate miners for their effort, each block they produce carries a fixed reward (for example, the current Bitcoin fixed block reward is 12.5 BTC). Miners who mine honestly are thus motivated to extend the blockchain and receive the corresponding rewards.

Because miners are scattered all over the world, occasionally two or more miners produce blocks at the same time with the same parent block. This results in a fork, that is, multiple branches of the chain. To determine which chain is the main chain, the rule proposed by Satoshi Nakamoto is that the longest chain is the main chain: all miners should extend this longest chain, and blocks off the main chain, along with their rewards, are ignored.

To avoid losing rewards, miners start mining on the latest block as soon as they receive its header, which carries its metadata. This avoids wasting mining resources on the old block and increases the chance of mining the next block. This is generally not a good practice and has attracted the attention of many security researchers. This header-based mining method is used in practice and is called SPV mining, after the simplified payment verification (SPV) protocol that lightweight clients use to verify part of the blockchain.



The BDoS attack we propose can halt the blockchain by manipulating the rewards of rational miners.

An attacker puts the system in a state where the best action for a rational miner is to stop mining.

To induce this state and provide the corresponding proof, the attacker generates a block and publishes only its block header. Given a block header, a rational miner has three possible actions:

  1. It can extend the main chain and ignore the block header;
  2. It can extend this block header (SPV mining);
  3. It can stop mining, neither consuming computing power nor winning rewards.


If a rational miner follows option 1 and extends the main chain, finding and broadcasting a new block, then the attacker will use its relatively high connectivity (as in selfish mining) to propagate the complete block BA corresponding to the block header. This leads to a race that splits the miners into two groups: one receives the attacker's block first, and the other receives the rational miner's block first.


With some probability, the rational miner will lose the race, and its block Bi will never be included in the main chain. This reduces the expected return of mining on the last complete block compared to the "no attack" scenario.

If a rational miner follows option 2 and successfully extends the attacker's block header BA, the attacker will not publish the full block BA. As a result, the rational miner's block will never be included in the main chain, and its expected return for that block is zero.

Therefore, if the original profitability in the "no attack" setting is not too high, the attacker can ensure in both cases that honest miners eventually lose money. The threat posed by a BDoS attacker thus means that honest miners are better off giving up than mining, that is, choosing the third option. As the movie "WarGames" puts it, "The only winning move is not to play."


Under what conditions can BDoS attacks succeed?

We now explain the conditions under which a BDoS attacker succeeds. Specifically, we ask when, for a particular rational miner i, stopping mining is more profitable than continuing to mine, regardless of the behavior of other participants. The answer depends on three factors: first, the attack succeeds if the attacker holds enough hash power; second, it succeeds if miner i's hash power is small enough; finally, it succeeds if miner i's profit is not too high to begin with.

The profit factor of miner i is the return on every dollar invested in mining operations if no attack occurs.

The images below show the maximum profit factor at which the attack succeeds, for different attacker sizes (X-axis) and miner sizes (different curves).


In our analysis, we used a property called the profit factor, which represents the return on each dollar of investment. It depends on the cost of mining equipment and electricity, and on the price of the relevant cryptocurrency.

For example, if the largest miner holds 20% of the entire network's computing power, an attacker with 20% of the entire network's computing power can motivate all miners to stop mining when their profit factor is lower than 1.37.

Currently, for Bitcoin, at an electricity price of 0.05 USD/kWh, the profit factor of Bitmain's S17 Pro miner is close to 2 and the profit factor of the S9 is close to 1. If the price of the currency drops significantly, the attacker will be able to motivate existing miners to stop mining, causing the Bitcoin network to stop operating completely.

In addition, the Bitcoin block reward is expected to be halved in 2020, which will correspondingly reduce the profitability of miners.

The two-currency model

Please note that our model is conservative and, in a sense, underestimates the attacker's opportunities. So far, we have assumed that a miner can either continue mining or stop mining for a profit of zero. However, cryptocurrency miners commonly move their mining power to a second cryptocurrency, even if only temporarily. If the initial profitability of the two currencies (before the attack) is similar, then switching to the other currency when the attack occurs is almost as profitable. This means that in this setting, which we call the two-currency model, the attack threat is even higher than our analysis above shows. In fact, the two-currency model is more in line with the real world. For example, there is evidence that miners often switch between BTC and BCH, depending on profitability.

Mitigation measures and disclosure obligations

We did not rent mining equipment to carry out the attack, nor did we short Bitcoin and run away. Instead, we followed security research best practices and went through a responsible disclosure period. We alerted the developers of the affected major cryptocurrencies to the attack and discussed mitigation measures.

We recommend making a small modification to the consensus rules so that miners give lower priority to blocks whose block headers are older than a certain threshold time (such as 1 minute).

This increases the chance that the attacker loses the block propagation race, and thus reduces the effectiveness of BDoS attacks.
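One way a node could apply this prioritization when two full blocks compete at the same height, as an added Python example (not code from the paper or from any client). It assumes "threshold time" means the gap between first seeing a header and receiving the full block; `Candidate`, `TipSelector` and `race` are hypothetical names, and the timeline in `race` is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional
STALE_HEADER_THRESHOLD = 60.0  # seconds; the "1 minute" example from the text

@dataclass
class Candidate:
    block_hash: str
    height: int
    header_seen: float                 # first time the header was seen
    body_seen: Optional[float] = None  # arrival of the full block, if any

class TipSelector:
    """Chooses which full block at the greatest height to mine on."""
    def __init__(self, threshold: float = STALE_HEADER_THRESHOLD, mitigate: bool = True):
        self.threshold = threshold
        self.mitigate = mitigate
        self.seen: Dict[str, Candidate] = {}

    def on_header(self, block_hash: str, height: int, now: float) -> None:
        # Keep the earliest sighting; a re-announcement must not reset the clock.
        self.seen.setdefault(block_hash, Candidate(block_hash, height, now))

    def on_block(self, block_hash: str, height: int, now: float) -> None:
        self.on_header(block_hash, height, now)  # a full block carries its header
        cand = self.seen[block_hash]
        if cand.body_seen is None:
            cand.body_seen = now

    def withheld(self, cand: Candidate) -> bool:
        # The header was known for longer than the threshold before the body arrived.
        return cand.body_seen is not None and cand.body_seen - cand.header_seen > self.threshold

    def best_tip(self) -> Optional[str]:
        full = [c for c in self.seen.values() if c.body_seen is not None]
        if not full:
            return None
        top = max(c.height for c in full)
        tied = [c for c in full if c.height == top]
        # First-seen tie-break; with the mitigation, withheld blocks sort last.
        key = lambda c: (self.mitigate and self.withheld(c), c.body_seen)
        return min(tied, key=key).block_hash

def race(mitigate: bool) -> Optional[str]:
    # Constructed timeline: header-only announcement at t=0, both bodies ~5 min later.
    node = TipSelector(mitigate=mitigate)
    node.on_header("BA", 101, now=0.0)
    node.on_block("BA", 101, now=299.5)  # body released just ahead of the competitor
    node.on_block("Bi", 101, now=300.0)
    return node.best_tip()
```

With plain first-seen tie-breaking this node mines on BA; with the rule enabled it prefers Bi, because BA's header had been outstanding for longer than the threshold.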

Unfortunately, this countermeasure is not fundamental. As we explained in the paper, attackers can use smart contracts or zero-knowledge (ZK) proofs to prove that they found a block (instead of publishing a block header). The use of these technologies will make it impossible to distinguish between the attacker block and the rational miner block in the block propagation competition, thus rendering the mitigation technology ineffective.

Another possible solution to BDoS attacks is an uncle block reward mechanism, like the one adopted by Ethereum. The uncle block reward mechanism rewards miners who mine blocks that are not on the main chain (but are directly connected to it). With an uncle block reward mechanism, a rational miner is much less likely to stop mining in a BDoS attack, because even if it loses the race it still receives a reward (equivalent to 7/8 of the full Ethereum block reward). However, this is a trade-off, because uncle blocks reduce security against selfish mining attacks.

Conclusion

BDoS is a threat to Nakamoto consensus blockchains because it allows attackers to perform denial-of-service attacks with much lower computing power than previous attacks. We have shown how attackers can distort incentives and lead profit-driven miners to stop mining. The mitigation measures we have proposed are easy to implement (no network fork is required), but only affect specific BDoS attacks. Without stronger mitigation measures, the liveness of Nakamoto consensus blockchains will depend on whether miners are willing to follow the protocol even when they lose revenue, that is, on altruism.

Full details are in our technical paper.

Thanks to IC3 community manager Sarah Allen for her help in writing this blog post.