A paper released yesterday by researchers Ittay Eyal and Emin Gun Sirer at Cornell University suggested a subtle new way in which the bitcoin mining network could be vulnerable to a form of economic attack called ‘Selfish Mining’.
Gavin Andresen, the lead developer of Bitcoin, was quick to dismiss the paper and its contents.
Executive summary of Cornell paper: not a big deal even assuming their analysis is correct (I’m not yet convinced).
— Gavin Andresen (@gavinandresen) November 5, 2013
Although a similar attack called the ‘Mining Cartel Attack‘ was proposed as early as 2010, the new study proposes a variation that uses sybil nodes in order to generate a more powerful attack than initially conceived of. However, the attack has created a controversy and many developers have hit back saying that the problem is quite well understood and not workable in practice.
In a nutshell, a ‘Selfish Mining Pool’, (explained in the blog post ‘Bitcoin is Broken‘) keeps their discovery of a new block on the block chain private until such time as they must submit it to the network or lose it to another ‘Honest Mining Pool’. The theory is that because they have kept a block secret, the rest of the network will waste resources looking for it whilst the Selfish Pool will get a head start on the next block.
The Selfish Mining Pool must also spy on other mining pools to anticipate their block discoveries and when an Honest Mining Pool broadcasts a block, they must employ a Sibyl attack on the network in order to get it to accept their secretly produced block first.
The block header of course is time stamped, so provided that enough sybil nodes report the Selfish Miner’s block as being discovered first, the network is likely to accept it and reward the Selfish Miners.
Once they have achieved this they will already be ahead in the race to find the second block, and so, in theory at least they can offer a greater reward for other dishonest miners to come and join them. In time, the researchers argue, a Selfish Mining Cartel could theoretically build up enough power to monopolise the entire bitcoin network and gain control of the protocol.
To counter this possibility they propose a change to the protocol that would limit the amount of the network that each pool could hold to a maximum of 25%.
However, as the study was not first submitted to the Bitcoin Security List, (the mailing group that deals with precisely these kinds of issues), and instead submitted to public review first, controversy has flared up without the benefit of a reasoned and careful analysis by the bitcoin core developers.
“In practice, most Bitcoin miners act altruistically to support the network, both out of ideological considerations and because they do not want to destabilize the source of their own revenue. Such higher-level economic concerns are beyond the scope of Eyal and Sirer’s paper, but they seriously reduce the chance that this economic attack will work in practice.
Furthermore, unlike a standard 51% attack, which only becomes obvious after the fact, this economic attack would need to be announced in advance to let neutral miners know that they have the opportunity to join the attacking coalition for their own benefit. Thus, mining pools cannot practically pull this off; as soon as one announces its intention to cheat the network, its users will leave out of ideological considerations, and even if they do not other mining pools will likely offer heavy discounts on fees to that mining pool’s users to convince even profit-maximizing participants to switch away.”
With regards to the Sybil attack variation, lead Bitcoin developer Andresen also posted on the Bitcoin Talk forum saying: “I would still like to see blocks and transactions being broadcast over another completely different networking protocol, either peer-to-peer or not. More diversity so we’re not relying on the one p2p network would be great, and, depending on how it was implemented, might automatically bring sybil resistance”
Stephen Gornick also echoed the sentiments of many core developers saying: “Isn’t the economic benefit to joining the selfish pool easy to extinguish? The further ahead the selfish pool is, the greater the cost to them if they lose that race. […] Wouldn’t it be easy to tell if a block seems to be coming from a selfish pool as each new block will appear to be lagging since it has no recently arrived transactions?”
It would seem in this case that the researchers may have jumped too quickly to their conclusions and published their findings prematurely stating openly:
“Bitcoin is broken. And not just superficially so, but fundamentally, at the core protocol level. We’re not talking about a simple buffer overflow here, or even a badly designed API that can be easily patched; instead, the problem is intrinsic to the entire way Bitcoin works. […] Ittay Eyal and I outline an attack by which a minority group of miners can obtain revenues in excess of their fair share, and grow in number until they reach a majority. When this point is reached, the Bitcoin value-proposition collapses: the currency comes under the control of a single entity; it is no longer decentralized; the controlling entity can determine who participates in mining and which transactions are committed, and can even roll back transactions at will. This snowball scenario does not require an ill-intentioned Bond-style villain to launch; it can take place as the collaborative result of people trying to earn a bit more money for their mining efforts.”
Despite Gavin Andressen’s response, many observers feel that the jury is still out on this one, and no doubt this is one controversy that will probably rage for a bit longer.