In a recent paper, Ittay Eyal from Cornell University takes the block withholding attacks to the next level. Very interesting work. We are going to decrypt and clarify a few things regarding this paper and how it relates to other previously published works (in particular our paper).
The Invention of Block Withholding
The danger of a block withholding attack is more or less as old as Bitcoin pools, and two specific versions of this attack were already described by Rosenfeld in 2011. In a nutshell, a block withholding attack is a method to sabotage the revenue of a pool in which the attacker mines normally and does not send the winning blocks tot he pool. In fact the miner sends shares routinely as normal and is paid for his effort like any other user, however only in the excessively rare cases in which the attacker mines a winning block, he does NOT send it to the pool, he simply destroys this block (he cannot use it in any way, as typically the block gives the money not to the miner but initially to one or more specific bitcoin addresses decided and controlled by the pool). This decreases the pool revenue, but does not decrease the percentage of this revenue which will be paid to the attacker. The attacker is paid as more or less as usual. Because the events in which a block is actually mined are excessively rare from the point of view of individual miners, and they have a very large standard deviation, see Section IV-B here, such attacks are in practice extremely difficult to detect (unless the attacker is not very clever, see Discussion below).
Can Block Withholding Be Profitable?
In the new paper we read: “Early work did not address the possibility of pools infiltrating other pools for block withholding” and that “Courtois and Bahack have recently noted that a pool can increase its overall revenue with block withholding”.
This is bit of understatement. Basically, many authors failed to see that block withholding attack could be profitable at all, which is one of the main results in Courtois and Bahack paper here, and many authors have naively claimed that nobody would execute such an attack… because it is not profitable. This including the author of the new paper himself, who has also written that “the attacker does not gain any direct benefit by performing the attack” and that “it’s purely destructive” even though at this moment a large scale attack of this type was already executed against a major pool which could suggest that the attacker could have a reason to run such an attack.
Now finally the author have changed his mind and in the conclusion he says:
“We observe that no-pool-attacks is not a Nash equilibrium: If none of the other pools attack, a pool can increase its revenue by attacking the others” (which was first discovered in our paper here).
The new paper considers further more complex scenarios where several miners are trying to cheat simultaneously, which decreases the incentives for the attack and potentially might convince the miners to be honest.
We agree with this diagnostic.
Now the new paper also claims that this “would push miners to join private pools which can verify that their registered miners do not withhold blocks”.
This is not very likely. No pools can ever detect such attacks if they are done correctly.
In our paper we clearly show that these attack can be executed in such a way that it is near-impossible to detect in practice, or at least it is impossible for a large pool to identify any exact user which might be cheating ever.
In a recent real-life large scale attack on Eligius (June 2014) the attacker(s) have basically mined hundreds of bitcoins with just two bitcoin addresses, which made the detection possible, as these addresses have mined a very large number of shares and after a certain time it is unlikely that they would not mine a valid block.
Would the attacker(s) be more careful, and fragmented their block withtholding attack and use many different accounts, the attackers would have never been identified and their money could not be seized by the pool managers.
ADDED in 2020. New stratum protocol will have some protection against hash redirection attacks.