Attacks on the Blockchain

One of the most important questions in the design of a distributed ledger technology (DLT) is whether it is secure enough to withstand attacks aimed at corrupting the information that it stores. Moreover, security needs to be achieved in a decentralised manner, without relying on a small group of trusted intermediaries. In this note, we describe the 51% and selfish mining attacks that can occur within the Proof-of-Work protocol that is used in Bitcoin.

Before describing the two types of attacks, we provide a brief introduction on how mining works in Bitcoin. Transactions are recorded on the blockchain, which is just a series of blocks. Every ten minutes, a new block is created, containing a new set of transactions. The block is “attached” to the blockchain by a miner, who is the first to successfully solve a difficult cryptographic puzzle. The probability of solving the puzzle is proportional to the amount of resources (hashing power) devoted to this task. The miner who writes the block also receives a reward, in the form of newly minted Bitcoins, and transaction fees. The difficulty of the puzzle is periodically adjusted given the available hashing power, such that a solution is found approximately every 10 minutes.

The cryptographic puzzle for the new block is generated using information from the last block in the existing blockchain. This means that a block always points to a unique predecessor, thus forming a mainchain that everyone accepts. If two miners simultaneously solve the puzzle, a fork is created, generating two competing chains. Miners can then choose on which branch to attach their new blocks. Although there can be uncertainty about which branch will be the accepted one, the Bitcoin protocol requires that miners always mine on the longest chain. If the miners follow this protocol, eventually only one branch survives. Transactions that were recorded in abandoned branches are no longer valid and the rewards of the corresponding blocks are valueless.

51% Attacks

The Bitcoin protocol works if the majority of the miners are honest. If they are not, the security of the blockchain is compromised. For example, a big enough group of dishonest miners could exclude some transactions, or even reverse others, in order to divert funds to themselves. Such an attack can be successfully staged if the dishonest group is able to mine blocks (i.e. solve cryptographic puzzles) at a higher speed than that of the honest group. This can occur with high probability if the dishonest group controls the majority of the hashing power, leading to a “51% attack”. Even if they do not reverse any transactions, they can reject any blocks mined by anyone not belonging to their group, hence reaping all the rewards. At that point, the blockchain ceases to be decentralised.

Selfish Mining Attacks

Although the 51% attack is the most well-known attack, it is not the only one. The academic literature has identified a few others, the most interesting being the “selfish mining” attack, which was first described by Eyal and Sirer (2018). Alarmingly, it only requires control of up to 33% of the hashing power to succeed, instead of the majority, as is the case with the “51% attack”. This goes against the popular belief that the blockchain can be compromised only if the majority of hashing power is controlled by malicious actors.

To describe selfish mining, suppose that there are two groups of miners, the honest and the selfish ones. The honest miners always mine on the longest public chain and publish the solution to the puzzle immediately, conforming with the Bitcoin protocol. The selfish miners collude with each other and act strategically, by choosing when to reveal the solution to the puzzle. This strategy creates a second, private branch that only the selfish miners know and that can differ from the public branch.

When the selfish miners mine a new block, they can either make it public, so that the honest miners start mining the next one, or they can keep it private, so that the honest miners waste resources trying to solve a puzzle that has already been solved. By choosing the second option, a private fork is created. The selfish miners now have a lead over the honest miners, or nodes.

In order to determine the revenues for the selfish miners, we consider two cases. First, the honest nodes find and publish the solution to the puzzle before the selfish group can mine a second block. In that case, the selfish group immediately publishes its own solution as well, so that a public fork is created. An honest node mines on top of the block that it heard first, so it could be mining on either of the two branches. However, each selfish node mines on top of the block published by its group. Only one branch will eventually survive. The honest nodes have the majority of hashing power; however, the selfish nodes have been mining the second block privately, thus they start from an advantageous position. Moreover, some honest nodes also mine on top of the selfish branch, because they heard the selfish miners’ solution first. As a result, the probability that the branch of the selfish group survives is higher than the group’s share of total hashing power.

Second, the selfish nodes manage to mine a second block before the honest nodes mine the first one. They then have a comfortable lead of two blocks, which they keep hidden on the private fork. Whenever the honest nodes publish a new block, the selfish nodes immediately publish the equivalent private one. If at any point the honest nodes come too close to eclipsing the selfish group’s lead, the selfish nodes publish the entire private fork. Because it is longer, it becomes the one accepted by all nodes, and the selfish nodes reap all the rewards.

Is this strategy profitable? Eyal and Sirer (2018) show that it is, as long as the selfish miners control at least 33% of the hashing power. This does not require any honest nodes mining on the selfish branch. However, the 33% threshold can decrease even further, as the propagation mechanism that transmits the selfish group’s solution to the honest miners becomes more effective, so that they hear that solution first, and subsequently mine on the selfish branch. This means that even groups with a relatively small share of the hashing power can profit from selfish mining. A solution to this problem, proposed by Eyal and Sirer (2018), is to modify the Bitcoin protocol, so that when an honest node receives a block with the puzzle solution, they propagate it further, instead of accepting it immediately. This allows for some time to elapse, in case there are other blocks that have solved the same puzzle. By randomizing in terms of which block to accept, the probability of accepting the selfish block decreases, thus reducing the revenues for the selfish group. For example, if this modification reduces the probability of an honest node mining on the selfish branch to ½, then the threshold for staging an attack becomes 25% of the hashing power.

Another interesting result of their analysis is that, as long as we are above the threshold, each selfish node’s revenue increases with the selfish group’s size. This means that if honest nodes express an interest in joining the selfish group, the group will accept them, because its members’ revenues will increase. But then, a minority (in terms of hashing power) can easily become the majority. At that point, the selfish miners can switch to a 51% attack. As they effectively control the blockchain, they can reject any blocks not coming from their group and reap all the rewards.

Conclusion

Although the selfish mining attack is a theoretical possibility, it has not yet been observed in practice. Moreover, it may be more relevant for blockchains that “carry” less value than that of Bitcoin, because in the latter case it is very expensive to control 33% of the hashing power. On the other hand, successful 51% attacks have been staged on several networks, although not on Bitcoin. Examples include Bitcoin Gold, Ethereum Classic and Bitcoin Cash. This can be a big problem for young or immature blockchains, which have not yet attracted a large hashing power and are therefore more vulnerable to attacks.  

 

Bibliography

Eyal, I. and Sirer, E.G., 2018. Majority is not enough: Bitcoin mining is vulnerable. Communications of the ACM, 61(7), pp. 95-102.

 

Disclaimer

Aaro Capital is the trading name of Aaro Capital Limited (“Aaro”), a private limited company, registered in England and Wales with number 11419585, whose registered office is at 62 Wilson Street, London, United Kingdom, EC2A 2BU. Aaro is not authorised or regulated by the Financial Conduct Authority (“FCA”).

The material provided in this article is being provided for general informational purposes. Aaro Capital Limited does not provide, and does not hold itself out as providing, investment advice and the information provided in this article should not be relied upon or form the basis of any investment decision nor for the potential suitability of any particular investment. The figures shown in this article refer to the past or are provided as examples only. Past performance is not a reliable indicator of future results.

This article may contain information about cryptoassets. Cryptoassets are at a developmental stage and anyone thinking about investing into these types of assets should be cautious and take appropriate advice in relation to the risks associated with these assets including (without limitation) volatility, total capital loss, and lack of regulation over certain market participants. While the directors of Aaro Capital Limited have used their reasonable endeavours to ensure the accuracy of the information contained in this article, neither Aaro Capital Limited nor its directors give any warranty or guarantee as to the accuracy and completeness of such information.

Please be sure to consult your own appropriately qualified financial advisor when making decisions regarding your own investments.

 
