Ideological vulnerability, attack on cryptocurrency mining pools
All mining pools, including p2pool , have one very simple and unpleasant ideological vulnerability, with which you can reduce the pool's total income relative to its total capacity. An attacker can 'punish' a pool for an amount comparable to income from an attacker's power, in fact, the entire reward paid to him by the pool. And the greater the attacker's power and the longer the attack lasts, the greater the chance that these pool losses will approach this value. And most importantly, such an attack does not cost the attacker almost anything.
This is especially true for owners of large capacities, comparable to the power of the pool itself.
This is not a bitcoin protocol vulnerability, because it can be done for any modern cryptocurrency, it is not a vulnerability in the mining pool code - this is the ideological vulnerability of the method of determining the method of calculating rewards for distributed computing.
')
Mining pools do not pay their users for the found blocks, but for the power that users put on the pool. Absolutely all existing methods of calculating PPS / PPLNS / Prop / ... are based on the fact that payment is made for the balls received by the pool - private solutions, one of which may be the target solution of the pool for collecting a block in the bitcoin network. And the problem is that the miner, finding a solution, knows which of them is target for the pool, and which is normal. This is determined by the complexity under which this particular solution is suitable; if it is more than the complexity of the network, then this solution is targeted.
For example, the popular utility cgminer displays in its window information on each ball found.
Here, for example, this line: [2013-03-10 20:17:16] Accepted 03316740 Diff 80/52 AVA 0 pol 0
80 is the complexity for which this ball is suitable as a solution, and 52 is the complexity that was requested by the pool when issuing the task to the miner. The pool pays at the rate of 52.
It is enough for Miner-attacker not to send solutions to the pool that are targeted for finding a block (ie, with complexity> = current capacity), these are a few modified lines in the miner code (in the screenshot above, this complexity is indicated at the top - 4.37M). The pool will still pay for the remaining balls, but the miner will never get a block from the miner! It turns out the cost of the attack, for the PPS payment method - one single ball for each block not received by the pool, for other methods, the assessment of the cost of the attack will be comparable to the share of the damage done equal to the ratio of the power of the pool to the power of the attacker.
This means that if an attacker continues to do this long enough, he will drive the pool into the debt trap for PPS or significantly reduce the profits of the pool users for the remaining payment methods. For a pool, it will look like a prolonged heightened failure.
You can detect a similar attack statistically, simply by calculating the power of the miner and the number of blocks found by him. But the maximum that the pool can do is to ban the intruder after a successful attack , and the attacker will not be able to start a new account.
The goal of this attack may be a competition between mining pools, where, if an attacker pool hides a problem that the miner solves (this happens when using old mining protocols, unlike new stratum types), he can redirect part or all of his powers to the attacked pool as its usual clients.
But even with the use of the newest protocols, do many miners really control what the pool gives them for the task? None of the clients I know for mining does this test and does not provide mechanisms for specifying the conditions by which it can determine - is this a task that the pool promises? The maximum will be a message in case if, using the new protocol, the stratum pool continues to hide the contents of the collected block.
upd: thanks to Balthazar , links to a more detailed analysis of various methods of payment on pools
This is especially true for owners of large capacities, comparable to the power of the pool itself.
This is not a bitcoin protocol vulnerability, because it can be done for any modern cryptocurrency, it is not a vulnerability in the mining pool code - this is the ideological vulnerability of the method of determining the method of calculating rewards for distributed computing.
')
Mining pools do not pay their users for the found blocks, but for the power that users put on the pool. Absolutely all existing methods of calculating PPS / PPLNS / Prop / ... are based on the fact that payment is made for the balls received by the pool - private solutions, one of which may be the target solution of the pool for collecting a block in the bitcoin network. And the problem is that the miner, finding a solution, knows which of them is target for the pool, and which is normal. This is determined by the complexity under which this particular solution is suitable; if it is more than the complexity of the network, then this solution is targeted.
For example, the popular utility cgminer displays in its window information on each ball found.
Here, for example, this line: [2013-03-10 20:17:16] Accepted 03316740 Diff 80/52 AVA 0 pol 0
80 is the complexity for which this ball is suitable as a solution, and 52 is the complexity that was requested by the pool when issuing the task to the miner. The pool pays at the rate of 52.
It is enough for Miner-attacker not to send solutions to the pool that are targeted for finding a block (ie, with complexity> = current capacity), these are a few modified lines in the miner code (in the screenshot above, this complexity is indicated at the top - 4.37M). The pool will still pay for the remaining balls, but the miner will never get a block from the miner! It turns out the cost of the attack, for the PPS payment method - one single ball for each block not received by the pool, for other methods, the assessment of the cost of the attack will be comparable to the share of the damage done equal to the ratio of the power of the pool to the power of the attacker.
This means that if an attacker continues to do this long enough, he will drive the pool into the debt trap for PPS or significantly reduce the profits of the pool users for the remaining payment methods. For a pool, it will look like a prolonged heightened failure.
You can detect a similar attack statistically, simply by calculating the power of the miner and the number of blocks found by him. But the maximum that the pool can do is to ban the intruder after a successful attack , and the attacker will not be able to start a new account.
The goal of this attack may be a competition between mining pools, where, if an attacker pool hides a problem that the miner solves (this happens when using old mining protocols, unlike new stratum types), he can redirect part or all of his powers to the attacked pool as its usual clients.
But even with the use of the newest protocols, do many miners really control what the pool gives them for the task? None of the clients I know for mining does this test and does not provide mechanisms for specifying the conditions by which it can determine - is this a task that the pool promises? The maximum will be a message in case if, using the new protocol, the stratum pool continues to hide the contents of the collected block.
upd: thanks to Balthazar , links to a more detailed analysis of various methods of payment on pools
bitcointalk.org/index.php?topic=32814.0
bitcoil.co.il/pool_analysis.pdf
bitcoin.stackexchange.com/questions/4943/what-is-a-block-withholding-attack
permalink.gmane.org/gmane.comp.bitcoin.devel/1112
bitcoin.stackexchange.com/questions/1338/how-is-block-solution-withholding-a-threat-to-mining-pools
Source: https://habr.com/ru/post/178549/
All Articles