An introduction to understanding attacks and dishonesty on proof-of-work blockchains
Any computer network can be attacked and blockchains running on distributed networks are no different. But the types of attacks blockchains are vulnerable to are somewhat different: in most cases, attackers must focus on manipulating the consensus process in order to hack or alter any information on a blockchain, rather than compromising anything like a password or firewall. In the following, I will explain the structure that hackers manipulate when trying to attack a blockchain secured by a proof-of-work consensus algorithm and will go over the most common types of attack: the 51% attack and double spending. This will prepare us to take a closer look at some research by Arthur Gervais who looks for an answer to the question: “How should a rational attacker behave and allocate his resources to maximize profit?”.
To understand how an attacker can approach proof-of-work based networks, we will first revisit how the integrity of data is established across a distributed network (using a system called a “consensus” algorithm, see my older article on consensus systems for different approaches): Although many individuals participate in running the distributed network, only one individual may add any one new piece of data to the blockchain (i.e. make a new entry into the database) at a time. It’s important to distinguish between participants who run the network (often called “miners”) and the users of the network, e.g. people receiving and sending Bitcoins (or more generally, the people who want to read and store some data on the blockchain). To get a new piece of data added to the blockchain, a user broadcasts his data a (but not necessarily all) network participant who stores all pending announcements by users. But this is not enough to get the data automatically appended to the network: just announcing the data does not guarantee that everyone across the network sees the same data, and it does not have a way to deal with contradicting information announced to different network participants. In order to add the data to the blockchain, all miners attempt to solve a computationally difficult puzzle and the individual who gets a valid answer first wins the right to add data users have announced to the network. Because of the nature of the “puzzles” in question, the winner is essentially determined by chance. There is not much anyone can do to be better at solving these “puzzles” than anyone else. To win you just need to get lucky. The puzzle is designed so that solutions are expected to be found in regular intervals called “block time”. In Bitcoin’s case, the block time is 10 minutes.
And all miners do indeed want to win: that is to say, everyone wants to be the one to add new data to the blockchain. This is because whoever adds data to the blockchain is given a prize, called a “block reward”. Bitcoin’s block reward for example, is 12.5 Bitcoins. Because of this reward, the process of solving the “puzzle” to win the right to add the next piece of data to the blockchain is often called “mining”. The analogy being that participants doing the “work” to solve the puzzle hoping for the block reward”is similar to gold rush hopefuls doing the “work” to “find the right spot” to strike for “gold”. While the blockchain puzzle that all miners are trying to solve is very hard, i.e. it requires lots of computational power, and it does not have a single valid answer. Rather, a correct answer is one that fits certain strict parameters. This means that while it is unlikely that two “miners” will find an answer simultaneously, it is indeed possible. In that event, both participants may append their block to the chain — -thereby causing the chain to ‘fork’, i.e. to have two ends.
Data integrity across the distributed network that stores the blockchain data necessitates a unique, single chain trusted and followed by everyone. Put differently: the database in a blockchain is the totality of the single, straight chain that everyone agrees upon. Forks in the chain represent potential disagreements among network participants and open the possibility for one fork end to contain different data than the other fork end. This different data may or may not be correct, but either way, it compromises the database’s integrity. For a blockchain to work, it is essential that all participants have one chain that they agree upon as the true data — there is only legitimate database. The network establishes a ‘consent’ on the accepted data by following the same rule to decide which forks to ignore: While it’s technically possible for forks to occur, or even for a participant to knowingly create one, the majority of the miners and users will ignore forks in the database and only build onto the longest continuous chain. Here the blockchain design has put the self-interest of the miners’ to work: because miners add new information (blocks) to the blockchain with the primary motivation of being granted a reward (the block reward, 12.5 BTC), they have a very strong incentive to add their new blocks to the sole valid chain. Should a miner add a new block to an invalid chain, their block reward — the whole reason they are participating in processing information onto the database in the first place — will not be acknowledged as legitimate by the system. It would be tantamount to choosing to receive your paycheck in Monopoly money. This is because if the record of the miner’s work is only on a shorter, not agreed-upon and therefore invalid fork (which would be the consequence of putting a new block onto a shorter, invalid fork), then the record of the miner’s reward is also only on that invalid fork, and those records, reward and all, are all automatically overlooked and effectively invalid. So, the self-interest of the blockchain’s miners helps keep a system working, despite the lack of any personal trust in the individuals operating the system.
In strong well-established blockchain networks, such as the Bitcoin network, obtaining a majority stake in the mining power is very difficult, if not impossible. But even without an outright majority of mining power, an adversary could attempt to pass off a piece of false information for a short period of time by adding a block with falsified information within it to the chain by announcing it to the network. Upon seeing the false information, other miners would then choose to create a fork rather than build on the incorrect block. In the following, we will see how the rule to follow the longest chain in case of a fork will help to resolve this type of attack.
So, once a fork has occurred, either by coincidence, stupidity, or an attempt at malice, the community continues to mine, which is to say, to process new information to add onto the blockchain. Once the next miner has struck gold, i. e.solved the hard puzzle and won the lottery, that person adds the next block to the chain. They act in their own self-interest, adding the new block to the fork that they believe the most likely to be the valid chain. As more miners strike gold and add more information, it becomes clear which of the two forks the community has agreed upon as the ‘valid’ chain. The longer chain, the chain where most miners staked their rewards, is the ‘consensus’ and becomes the blockchain. The smaller forks are abandoned and ignored. Any information added to a now invalid chain must be reprocessed.
Understanding how new information is added to the blockchain is essential to understanding how a blockchain could potentially be attacked. This is because data cannot be modified once it is on the block chain (that is to say, in the database): attackers can only attempt to influence the system through manipulating the ‘consensus’. Meaning, an attacker who wants to pass off false or invalid information as valid needs to get the community to accept a new longest path for the consensus chain that includes his block with his fraudulent data. That is to say, an attacker needs to convince the community his (illegitimate) fork is actually the legitimate path for the chain to follow and get community members to begin adding on new information to their preferred fork of the chain.
This brings us to the 51% attack and double spending. We will start with the former. In the 51% attack, the attacker controls the information added to the blockchain and can use his power to ensure that the consensus path only includes the attacker’s chosen data. That means that an entity, whether an individual or colluding group, in control of 51% or more of the total “mining power” in the system will, statistically, win the right to add the next block to the blockchain more often than the rest of the network. The adversary in the 51% attack uses that position to then add blocks to the forks that he prefers, thus guiding or changing the consensus view of the blockchain. With this ability to add information a majority of the time and statistically creating more than half of the blocks any fork he chooses will eventually form the longest chain, and by definition everyone else who uses the blockchain to look up data will only look at the chain and data written by the attacker. As long as no individual or group controls more than 50% of the mining power, the network is safe from this type of attack.
On blockchain systems that store a ledger, e.g. Bitcoin and other currencies, the attacker can execute a double-spending attack by spending more coins than he has. He does so by using the same coins to create two or more transactions containing the same coins. The network is supposed to prevent these transactions from being included in the database: Such transactions are deemed invalid and miners will not include them. But what if the attacker wins the right to generate the next block, and includes this double-spending information himself? The other miners on the network would see this and try to append their own blocks by forking the blockchain before the attacker’s block. But for the short duration of time between the generation of two blocks, the block time, the data will be on the network. In Bitcoin, it is common to not accept the data in the newest block but to wait until 5 or more blocks are appended to it to “confirm” the data in the older block. Because an attacker should never have a significant amount of the miner’s share, the honest miners should be able to establish a longer chain in the work that does not include the attacker’s data. To make the transaction seem valid for a longer time period, the double-spending transactions needs to be included in the longest blockchain, which in turns mean that the attacker needs to maintain a longer chain than the fork the honest miners will create.
Without a high percentage of the total mining power, it is very unlikely that an attacker can do it. But when is it worth it? The follow-up article will look exactly at this situation: Given a certain amount of mining power, and a duration during which the adversary wants to maintain the longest chain, when is it worth trying to double-spend and how much money needs to be gained in the attempt? I will look into answers to questions along these lines in my upcoming posts.
If you liked the article, follow me and recommend the article. If you want to read more about blockchain and related technologies, consider filling out my survey and subscribe on my mailing list down below. Let me know what topics you want to hear more about — on a non-technical, digestible level.