An Empirical Analysis of Chain Reorganizations and Double-Spend Attacks on Proof-of-Work Cryptocurrencies by James Peter Thomas Lovejoy S.B. Electrical Engineering and Computer Science Massachusetts Institute of Technology, 2019 SUBMITTED TO THE DEPARTMENT OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF ENGINEERING IN ELECTRICAL ENGINEERING AND COMPUTER SCIENCE AT THE MASSACHUSETTS INSTITUTE OF TECHNOLOGY MAY 2020 c 2020 Massachusetts Institute of Technology. All rights reserved. Signature of Author: Department of Electrical Engineering and Computer Science May 19, 2020 Certified by: Neha Narula Director, Digital Currency Initiative Thesis Supervisor Accepted by: Katrina LaCurts Chair, Master of Engineering Thesis Committee 1 An Empirical Analysis of Chain Reorganizations and Double-Spend Attacks on Proof-of-Work Cryptocurrencies by James Peter Thomas Lovejoy Submitted to the Department of Electrical Engineering and Computer Science on May 19, 2020 in Partial Fulfillment of the Requirement for the Degree of Master of Engineering in Electrical Engineering and Computer Science ABSTRACT Nakamoto consensus has powered Bitcoin and the cryptocurrency industry over the past 10 years, but its security properties when an adversary's economic incentives are taken into account remain poorly understood. Recently, reports of successful real-world attacks against some coins have served as a wake-up call for the industry to review each coins' consensus risk. This research contributes a new system for detecting transaction reordering events against live cryptocurrencies. We deployed the system on a spectrum of different cryptocurrencies and combined our results with historical market data to analyze how the properties of each coin affect its consensus risk and evaluate the effectiveness of existing theoretical models for quantifying the cost of attack. We also describe some of the significant attacks we detected, providing empirical evidence that launching an attack can be practical, and that counterattacking may be a viable strategy for victims to defend themselves from an economically rational adversary. Thesis Supervisor: Neha Narula Title: Director, Digital Currency Initiative 2 Contents 1 Introduction 9 2 Background 14 2.1 Nakamoto Consensus . 14 2.1.1 Cryptographic Hash Functions . 14 2.1.2 Transactions and Blocks . 15 2.1.3 Mining . 17 2.1.4 Security Argument . 19 2.1.5 Mining Attacks . 21 2.2 Economic Security of Proof-of-Work . 22 2.2.1 Mining at Market Equilibrium . 23 2.2.2 Post-Attack Price Changes . 24 2.2.3 Potential for Attack Failure . 25 2.2.4 Non-Repurposable Hardware . 26 2.3 Mining Pools . 27 2.3.1 Centralized Pools . 27 2.3.2 Mining Rental Markets . 29 3 Related Work 32 3.1 Theoretical Models of Double-Spend Attacks . 32 3.2 Techniques for Preventing Attacks . 34 3 3.3 Efforts at Attack Detection . 36 3.4 Other Reordering Attacks . 37 4 Methodology 39 4.1 Reorg Tracker . 39 4.1.1 System Design . 39 4.1.2 System Deployment . 46 4.2 Event Analysis . 49 4.2.1 Market Data . 49 4.2.2 Estimating Event Variables . 50 5 Reorg Analysis 53 5.1 Dataset Summary . 53 5.1.1 Budish vs Nicehash Cost . 58 5.1.2 Observed Reorg Rate . 62 5.1.3 Transaction Safety . 66 5.2 Deep Reorg Attacks . 70 5.2.1 Summary of Attacks . 70 5.2.2 Post-Attack Price Change . 72 5.2.3 Case Studies . 75 5.3 Shallow Double-Spends . 80 6 Double-Spend Attack Mitigations 84 6.1 Halt Operations . 84 6.2 Economic Confirmations . 85 6.3 Fixed Reorg Depth Limit . 86 6.4 Precious Addresses . 87 6.5 Whale Transactions . 88 6.6 Implementation . 89 4 7 Future Work 90 8 Conclusion 94 5 List of Figures 2.1 Block diagram describing the typical structure of a centralized mining pool . 28 2.2 Block diagram describing the structure of the Nicehash rental market and how it interacts with renters and lessors . 31 4.1 Internal tracker chain state during normal operation and reorg events. 41 4.2 Block diagram describing the components of the Reorg Tracker. 42 4.3 Possible mappings between inputs to double-spent transactions in output- based versus account-based systems. 45 5.1 Plot of the proportion of the depths reorg events that were detected for each coin. 56 5.2 Plot of the average reorg cost using Budish and Nicehash estimation methods across all observed reorgs. 60 5.3 Plot of the average ratio between the Nicehash reorg cost estimation and the reorg block rewards. 61 5.4 Plot of the average reorg cost using Budish method versus average daily reorg count. 63 5.5 Plot of the average number of reorgs per day compared to the block interval for each coin. 64 5.6 Plot of the average reorg depth compared to the average reorg reward per block. 64 5.7 Plot of the average reorg depth compared to block intervals. 65 6 5.8 Plot of the maximum observed reorg depth for each coin normalized by block interval to hours of blocks. 67 5.9 Plot of the average proportion of the expected hashrate required to perform a reorg that was available on Nicehash. 68 5.10 Plot of the average transacted value involved in a reorg versus the average Budish reorg cost. 69 5.11 Plot of the average hourly reorg value transacted to block reward ratio. 69 5.12 Plot of the depth and time of detected deep reorgs and the cumulative value of double-spent outputs. 73 5.13 Plot of the average change in coin market price post-attack up to one month later. 74 5.14 Plot of Nicehash ZHash hashrate rental price and capacity around the time of the deep-reorg attacks on Bitcoin Gold. 76 5.15 Plot of Nicehash Lyra2REv3 hashrate rental price and capacity around the time of the deep-reorg attack on Vertcoin. 79 7 List of Tables 2.1 Maximum safe BTC transaction sizes for different values of Pattack under equa- tion 2.8 . 25 4.1 List of coins tracked by the Reorg Tracker and the date of first reorganization observation. 47 5.1 Summary of all observed reorgs, their depths, costs and estimated losses to non-attacking miners. 57 5.2 Summary of reorg events where at least six blocks were reversed. 72 5.3 List of the twenty most common Ethereum smart contract addresses experi- encing double-spends in shallow reorgs. 82 8 Chapter 1 Introduction The Nakamoto consensus algorithm, Bitcoin's primary contribution to the field of computer science, has remained the backbone of permissionless cryptocurrencies for over 10 years. It is designed to solve the \double-spend" problem, where an adversary spends the same coins more than once, reversing payments that the recipient already considered settled and irre- versible. In Nakamoto consensus (often called \proof-of-work"), agents known as \miners" continuously perform a computationally expensive lottery in which they compete to append new transactions to a shared ledger in return for payment in the form of newly minted coins and transaction fees. A miner's probability of winning the lottery first is equal to its proportion of the total computational power being used by all miners. Thus, security from double-spending relies on a key assumption that adversaries are unable to control greater than half of the total computational power. If this assumption does not hold, an adversary could launch a \51% attack", in which they use their majority to rewrite settled transaction history or censor transactions from users or other miners. For many years this assumption persisted unchallenged until a large number of al- ternative cryptocurrencies were launched, each being mined with much less computational power than Bitcoin. Combined with the introduction of mining rental markets where miners can outsource their computation to the highest bidder, for many less prominent coins the 9 assumption that a 51% attack is realistically impossible no longer holds. Challenging this assumption, theorists have since designed models to explain the incentives against double- spend attacks in a world where computational power for mining is available in a liquid market. These models suggest that double-spend attacks should in fact have negligible cost unless additional factors such as post-attack price depreciation are considered. Since 2018, multiple alternative cryptocurrencies have been successfully 51% attacked in practice, with millions of dollars having been disclosed as double-spent in media reports. Despite the central importance of Nakamoto consensus to the security claims of a majority of the cryptocurrency market, scarce empirical research has been performed to understand the nature of 51% and double-spend attacks in practice. Reorganizations or \reorgs", events in which one suffix of transactions is replaced by another in the transaction history, are transient such that one must observe them in the moment. This is because the ledger only commits to a single, linear list of transactions without branches and discards any alternative transaction histories that may have been proposed in the past. It is thus not possible to determine whether a reorg occurred by retroactively analyzing the transaction history. Therefore, until this research, the field’s understanding of 51% attacks has been limited to media reports, exchange disclosures and theoretical models. To solve this problem, we designed a new system called the \Reorg Tracker" that monitors cryptocurrency networks to detect, save and analyze reorg events in real-time. We used the system to monitor 23 different coins over periods of up to 10 months. We analyzed the dataset in aggregate form to present empirical data on the frequency and severity of reorgs between coins. We combined the reorg data with historical price and mining rental market data for each coin to estimate the costs of reorgs.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages101 Page
-
File Size-