ETHNews’ Adam Reese does a deep dive into the technical implications of a recent paper that outlined three types of EDCCs that could, theoretically, be used to bribe Ether miners to change their behavior in ways that benefit the briber. This article describes the three schemes and brings in commentary and additional explanations from Vitalik Buterin, Martin Swende, and one of the paper’s authors, Patrick McCorry.
An academic paper written by Patrick McCorry, Alexander Hicks, and Sarah Meiklejohn explores three types of EDCCs, or smart contracts, that can be written on the Ethereum blockchain and would allow for a user (or, perhaps, a cooperative of users) to bribe miners to behave in unconventional ways with little to no trust existing between the parties.
These schemes are not highly practical today, not least because of the amount of capital that one would need to successfully execute them. However, they’re noteworthy because Ethereum’s consensus protocol is intended to incentivize miners to behave in ways that generally benefit everyone using the network, rather than catering to the desires of one or a few select parties.
In the blockchain space as a whole, the authors believe that attacks based on bribery schemes are “becoming increasingly viable” and “thus also argue that new Nakamoto-style consensus protocols should consider bribery attacks when evaluating whether the protocol is incentive-compatible.”
In response to the paper, Ethereum founder Vitalik Buterin told ETHNews:
“You can’t prevent these kinds of attacks by simply changing the rules of the Ethereum blockchain, because no matter what Ethereum does, the bribing contracts could instead be implemented on, say, Ethereum Classic. The only thing that can be done is working on fundamental cryptoeconomics to devise algorithms that provide much stronger disincentives against bad behavior and thereby require much larger bribing attacks to corrupt them; Casper (FFG and CBC families) is an example of this.”
The first of these schemes, the censorship contract, involves uncle blocks.
Uncle blocks are “stale” blocks, which can be thought of as unfinished attempts to mine a block by a miner who was ultimately beaten to the punch by another. On the Ethereum blockchain, data related to a select number of these uncle blocks are actually included in future blocks. This design feature aims to boost network security by increasing the probability that the fork on which the most hash power is being used for mining will be the “longest chain.” Hash power correlates to what one might call the strength of mining equipment. The inclusion of uncle block data in future blocks is also meant to discourage the concentration of hash power in very large mining pools by encouraging miners with less hash power (who are less likely to successfully mine blocks than those with more) to try their luck anyhow. Miners stand to receive a smaller payout from uncle blocks but its a payout nonetheless. According to Ethereum’s whitepaper, this reduces the likelihood that one party, or consortium of parties, gains “de facto control over the mining process,” and thus over the new tokens that are generated with every new block, among other things.
Returning to the censorship attack: the party offering the bribe (in the form of an EDCC) does so with the goal of controlling “which transactions are accepted into the blockchain.”
To execute the scheme, the briber loads up a censorship contract with funds in order to entice (certain) miners to exclusively mine uncle blocks, withholding their blocks “until a competing block by [the briber] is accepted into the blockchain, only then publishing [their] block[s] for inclusion as an uncle block.” (The briber increases their own chances of mining the block by bribing other miners not to compete with them.)
This approach reduces the amount of the bribe that would normally be paid out in a censorship scheme because “Ethereum’s uncle block reward policy is used to directly subsidise bribes.”
For the plan to succeed, certain conditions would need to be met: for instance, that the briber has mined all the blocks in the blockchain’s recent history.
When ETHNews reached out to McCorry, he said that he didn’t expect this type of attack to remain possible if and when the Ethereum network switches from a PoW consensus mechanism to one based on PoS.
The Ethereum Foundation’s Martin Swende told ETHNews that this strategy “is not viable after the Byzantium hard fork, since we changed how difficulty is calculated to take uncle blocks into account.” McCorry pointed out, however, that it remains technically possible, albeit under improbable conditions.
The second scheme is the history revision contract, which rewards “miners for mining on a fork other than the current longest chain.” (Under normal conditions, when no bribes are being offered, miners are economically incentivized to mine on the longest chain.)
One motivation for a briber to encourage the mining of an alternative fork, potentially starting several blocks back from the current block on the longest chain, is the chance to double spend some Ether. For instance, if the would-be briber has already received goods or services in exchange for tokens spent, they might try to transfer those same tokens, which are no longer theirs on the current longest chain, to a different party (including themself) on the forked chain, extracting twice the value from the same Ether tokens in the process. On the topic of mining a shorter chain, McCorry said:
“There can be real social benefits – such as reversing (or incentivizing a hard fork) to fix the Parity wallet bug and release the 519,000 Ether – but I don’t think these benefits outweigh the potential danger of allowing a wealthy adversary such significant influence. Especially if these benefits are used as a means to make the bribery attack appear as ‘socially acceptable.'”
As McCorry explained to ETHNews, the bribed miner (or more likely miners) in this scheme “will receive a bribe for every new bribed block he creates” on the new fork. This contract incentivizes an “all or nothing” attack, meaning that bribes get paid out only “if this new fork becomes the longest chain.” To set it up, the briber “puts a large sum into the contract to cover N bribed blocks. The briber can decide to ‘top up’ the contract if necessary. Once the new fork becomes the longest chain, no more bribes are needed since all miners will simply just mine the longest chain from then onwards.”
Unlike the other two schemes discussed in the paper, miners backing a history revision plot “are paid only if the attack is successful.” McCorry told ETHNewsthat he is “not aware of any architecture changes that could prevent the history-revision attack.”
In Swende’s view, this strategy “basically relies on the fact that it’s possible to bribe miners to mine a certain fork,” and that “this has similar costs as if the attacker was to rent the mining farm for his own purposes.” Referring to the scheme, he also said that he does not “really see a way around the fact that miners can be bribed.”
The third and final mode of attack is the Goldfinger contract, which offers an Ether bribe to a miner who can prove that they have devalued or reduced the usefulness of a different cryptocurrency and/or the blockchain to which it is native. For the purposes of this contract, the authors focused on one particular way that this harm could be inflicted: by mining a certain number of consecutive empty blocks on that other network.
For this machination to work, the contract would pay bribed miners of the token-to-be-attacked on a block-by-block basis and would have “access to all known forks in the victim cryptocurrency,” while the briber would have to stay online to “ensure all empty blocks are propagated throughout the victim cryptocurrency’s network.”
The authors note that while there are strategies to fight against such an attack or prevent its recurrence, none that they are aware of are optimal.
As Swende pointed out, these EDCCs do not represent “vulnerabilities which can lead to consensus failures.” Rather, they are strategies for “gaming the incentives for mining.” Ultimately, the work of these authors should not be taken as cause for alarm, but perhaps it will motivate people in the blockchain space to, as Buterin put it, “devise algorithms that provide much stronger disincentives against bad behavior.”