How Bitmain indeed mines coins in secret

Hakkane (Salva Herrera) is an independent third-party blockchain developer and owner of SiaStats.info. SiaStats is a website devoted to presenting reliable and credible real-time statistics of the Sia blockchain. By providing independently contrasted statistics about mining pools, it also strives to make the Sia mining sphere a safer space.

I often imagine blockchains as towers made of crystal. Bright, fascinating, landmarks looming above the fields of cryptography, data science and economics. Inspiring but also intimidating for those that approach them. Solid… yet completely transparent. The ledger of transactions is public, continuously validated by each participating full node. Every user can track funds as they jump from address to address or smart contracts as they get formed, used and expired. Blockchains do not need arbiters or regulatory organisms, as the rules that govern them are enforced by every node. The process and the results are transparently visible to every participant.

Unlike the Proof of Work blockchains they serve, ASIC manufacturers usually fail to provide the same levels of transparency. Unknown amounts of hashrate owned for self-mining, undisclosed sizes of the batches they sell (so customers can’t estimate their profitability, which ends in saturated markets where no miner gets profit) or mining in secret before the release of the hardware are among their most criticized practices. The lattermost case is especially concerning. Mining is a competitive process where all the miners share a fixed block reward according to their owned hashrate. When a next-generation ASIC is designed for a blockchain, its first owners will get most of the profits, as they quickly outcompete the previous generation of ASICs or the GPUs/CPUs they replace. By self-mining and not releasing the hardware to the public for a time, ASIC manufacturers can enjoy this privilege (and its profits) in exclusivity. In other words, they get a market advantage by outcompeting their own customers.

Being that blockchains are a paradigm of transparency, unsurprisingly multiple cases of friction and confrontation have aroused between crypto communities and manufacturers over the last 2 years. The world’s manufacturer leader, Bitmain, has recently undergone a campaign of, in their own words, “radical transparency” and “dialogue with the cryptocurrency communities” (1, 2, 3 & 4). On its most recent blog entry , on July 25, 2018 we can read the following:

Zero tolerance policy against ‘secret mining’. (…) Bitmain itself has been unfairly accused of this practice. In the end, Bitmain values transparency and fair competition. We therefore remain opposed to this practice and maintain our long-held zero-tolerance policy regarding same

This assertion, however, goes drastically against the way Bitmain actually behaved on the Sia network at the end of last year. This article is aimed to provide evidence, abundantly explained, that shows how Bitmain mined in secret Siacoins during the two months previous to the presentation of their Sia miner back on January, among other dishonest practices. As readers might not be familiar with the context, I find important to narrate the events and the disruption caused on the Sia community and blockchain by Bitmain when they introduced their Sia miners.

Sia meets Bitmain

“A bull in a china shop”

If I had to describe the arrival of Bitmain to the Sia community in a few words, I would say it was “like a bull in a china shop” (those unfamiliar with this English idiom will quickly understand the metaphor with the picture above). Without any previous communication, on January 17th, Bitmain announced its Antminer A3 miner for the Sia network and opened the sale immediately. Batch 1 sold out after a few minutes.

This should have not be an issue by itself for the community. However, 6 months before, the Sia core developers created an ASIC manufacturing subsidiary, Obelisk, opening pre-orders for what was believed it would be the first ASIC to hit the Sia network. Many contributors and community members in general participated on the pre-sale. The just-announced Bitmain A3 was going to hit the market first, many months ahead of Obelisk’s, ripping the expected profits of the latter. The last ingredient of the drama was the announcement that the Obelisk miner had on its design the backup capability of mining an alternative algorithm, and that a fork on the Sia network to embrace it would be enacted, invalidating Bitmain’s miners, if Bitmain showed a damaging behavior against the Sia project. While reserved for a case of emergency, many community contributors, coders and moderators pushed for an unconditional fork. Among those who purchased the A3 on the Bitmain’s flash sale, there were contributors, coders and moderators as well. The perfect storm.

I remember those days as the most stressful experience I have lived on the blockchain space. Being a moderator of the official Discord, I had to deal with the confrontation of the community while I had to deal with my own feelings but keeping them aside. The once peaceful and collaborative community stopped talking about Terabytes of data stored, file contracts and new features, abandoning itself for weeks to a situation akin to a civil war, including letters, confusing polls, lawsuits and death threats. To fork or not to fork? Either choice would tear apart the community. Either choice the community would lose members and contributors. Some left it already even after the final decision. My anxiety, ATH. In the end it was decided not to fork. The echoes of the decision are still conditioning the life of the community and will haunt it for many years. For those interested on further details about this episode, I recommend this non-partisan timeline by the Sia contributor mtlynch and this recent talk from cofounder of Sia at the Zcon0 conference

Sia’s hashrate growth after the release of ASICs

The aggressive commercial arts of Bitmain did not help. While Bitmain claimed (and keeps claiming) they limited the sale to one miner per purchaser, the reality is that this policy was never enforced: during the days after the sale the A3-batch 1, it was easy to find pictures of basements with multiple A3 and even purchase receipts with multiple units. While Bitmain also claims they did not saturated the market, analyzing the steps on the hashrate chart of Sia (above) it is easy to calculate batch 1 consisted on around 13,000 units (0.81 TH/s per unit) and batch 2 on 20,000. Subsequent Bitmain batches overlap with the shipping of another manufacturer, Innosilicon, so it is not possible to calculate the size of these batches. There are, however, no reasons to believe they were any smaller. Anyway, the 33,000 units of the first two batches were enough to sink the ROI of the Bitmain A3 purchasers, that started to complain how their expected ROI was extending to more than 6 months or even beyond a year. In the end, Bitmain killed the profitability of their own customers by flooding the network with more miners than what the network macroeconomics could sustain. And the hashrate kept scaling batch after batch of A3s and thanks also to the Innosilicon miners. Of course, this also ruined the possibilities of ROI of Obelisk backers.

Community consequences aside, releasing ASICs without warning could have had devastating effects for the blockchain functionality. Without an appropriate Difficulty Adjustment Algorithm (DAA), the dramatic increase in hashrate that followed could have provoked the inclusion of thousands of blocks before the next difficulty adjustment. The file storage contracts of the Sia network measure time in blocks, what could have provoked multiple contracts to expire prematurely without the renters having time to renew them, driving to data loss. We were lucky that an optimized DAA was introduced just a few weeks before the Bitmain announcement. Nevertheless, this illustrates the dangers of unannounced ASIC introductions.

On the same release day of the A3, AntPool, the mining pool of Bitmain, opened a branch on the Sia network, becoming the sixth known pool of Sia. On the first days of the pool, their API showed a very small number of workers (<100) and hashrates around the 5% of the network. By March, the number of workers grew to several thousands and the hashrate to figures around 20% of the network, remaining in that level until the present date. All this information was recorded by SiaStats and can be accessed on https://siastats.info/pools/antpool . This apparent gradual grow of their hashrate, if true, would have been compatible with their vision against secret mining, as the pool only got organic grow after their batch 1 was delivered.

Nevertheless, it has to be noted that the Sia community detected during November and December sudden spikes of the network’s hashrate accompanied by bursts of blocks mined by unknown pools, representing up to 25% of the total blocks. Previously, the rate of these unknown pools remained under 5%. This data can be accessed at https://siastats.info/mining_pools in the chart “Mining pools evolution”. Some members suggested the possibility of Bitmain, others suggested alternatives, like the manufacturer Baikal (including myself). The time has proven those blocks were indeed Antpool’s, as we will analyze in a moment.

When you try to hide your activity on the blockchain…

Despite the “radical transparency” messages from Bitmain, the fact is that Antpool is acting as the most opaque and dishonest mining pool on the Sia mining scene:

  • No signature on their mined blocks. Most of the pools in Sia use a single payout address for the block reward and a standard message on the arbitrary data field of the block. These two variables allow blockchain explorers to identify without doubt the pool that mined the block. Antpool instead has used so far more than 2600 different addresses and the arbitrary data of their blocks is an encrypted string, different each time. This prevents the independent validation of who mined the block.
  • Failure on reporting blocks. In absence of a signature, explorers must trust whatever Antpool claims on its website. To the present date, Antpool has only claimed 687 blocks. Their list of claimed blocks include multiple gaps of several thousands of blocks (see the image below). Considering their hashrate (around 20% of the network), these gaps are impossible statistically, meaning that they are refusing to report many of their blocks.
Gaps in the reporting of blocks (blue lines) and false blocks (red boxes) on Antpool’s website
  • Fake claimed blocks. Their list of claimed blocks also include blocks owned without doubts by other pools. For example, blocks 155407 and 152847 are actually blocks of F2pool, and we can be sure of this because the block reward is being paid to the publicly known mining address of F2pool `dc0cb4f6…`
  • Fake reported hashrates. SiaStats has records of the average reported hashrate of each pool in a daily fashion, by scoring what their websites/APIs indicate every 30 minutes. It also keeps records of the % of mined blocks by each pool. We don’t have reliable information about Antpool’s blocks (reasons are above), but even if we assume that all the blocks mined by “Unknown” pools are Antpool’s too (tip: they are not, but let’s be generous), even the aggregated % of blocks does not match the hashrate reported by them (check the image below). While since the end of March they have reported roughly a 19% of the hashrate, the combined blocks of Antpool + Unknown represent roughly the 14%. That extreme bad luck is impossible considering we are analyzing 4 months of data. Instead, this means a misleading representation of their real hashrate, inflated more than a 35%. In PPLNS pools as them, higher hashrates drive to more stable payouts for miners. This means they are benefiting from this misrepresentation, deceiving miners making them believe they are more stable paying than what they really are.
Antpool’s share of the network hashrate (as claimed on their website) vs their real rate of blocks

… but you forget that the blockchain is transparent

However, even if Bitmain/Antpool tries to hide and obfuscate its activity, it doesn’t mean we can’t take a deep look at the blockchain to reveal the complete picture. I recently developed an open-source blockchain explorer with great analytical capabilities, as well as methodologies to find the blocks mined by Antpool even in absence of claiming. The need of this specific tracking came from the goal of SiaStats about providing transparency to the mining sphere of Sia: if Antpool grows their percentage of mined blocks, the Sia community needs to know it. If there is another secret pool emerging, we need to segregate the blocks of Antpool from the blocks of this secret pool to score its size. The Sia network can’t be safe if the community stays in the dark while a pool grows to a 51% of the hashrate in secret.

The methodology is not rocket science and it is simply based on following the movements of Siacoins on Antpool’s wallets. What follows is the explanation, explained in accessible terms.

Let’s start talking about transactions. In Sia, and many other blockchains, a wallet is composed by multiple addresses, and each address contains multiple “outputs” that need to be fully spent during a transaction. If Alice has a mining pool that mined 7 blocks in different addresses, with a reward of 100 SC each, she will have a wallet with 7 addresses and one output of 100 SC on each address. If Alice wants to send 650 SC to Bob, what the Sia wallet will do is collecting the 7 outputs, send 650 coins to Bob, and create a new output with 50 coins that will be sent back to a new address of Alice’s wallet (different from the 7 previous). In the real world, block rewards are never round and include many decimals (collected fees), while the amounts we send to people tend to be round. This makes the output that returns to the new address easy to identify, and addresses can be linked to a single wallet if one looks carefully to the blockchain.

Wallets have another feature: defragmentation. As Alice receives block payouts, once she has a lot of scattered outputs, the wallet will automatically consolidate them all into a single output in a new address of the wallet. This helps Alice to spend her coins in the future as the resulting transaction will be smaller in bytes. But it also means that all the input addresses, together with the resulting output address, become linked to the same wallet for an external observer.

Mining pool addresses are also easy to differentiate from the address of the miners that join the pool. The payouts that the pool sends to miners are sent in multi-output operations as in this example (sometimes with hundreds of payout outputs), so we can discriminate when coins abandon the wallet of the pool. These payouts also include one remaining amount that returns to the pool’s wallet. We can’t say initially which is that output… unless it is merged again in a defragmentation operation together with other already known addresses of the pool. It is also easy to say when the pool sends the coins to an exchange (so we do not assign incorrectly an exchange’s address to the pool): while pool addresses receive coins whose lineage connect to the coinbase of blocks (aka block rewards), exchanges addresses connect, after defragmentation operations, “upstream” with addresses of users, easily identifiable too (as they include small and rounded transactions, not connected in a few jumps with coinbases)

From one claimed block, we can end up deducing many more

All the following links come from a blockchain explorer I own, SiaStats Navigator, but the transactions and addresses can be tracked as well using SiaHub’s explorer, of which I have no control. Let’s take a block mined by Antpool and claimed on their website (see image above) to perform a forward analysis: block #152134, mined on April 27th. Its payout was deposited on the address “9176b0…”. The coins were transferred on April 29th on the transaction “762cde…” to the address “b5078a…” in a wallet defragmentation operation. On May 17th this new address, together with more addresses being merged (more coinbases), sent 20 million SC to the address “2b87bb…” and immediately after that to the address “91d23b…”. This last address is what I consider a “master address” of Antpool, an address receiving round amounts of several millions, collecting block rewards and sending again millions that end up in payout addresses and cold wallets.

The most interesting thing of this address is that all the coinbases of their claimed blocks end up here, transiently. What if now we take the input transactions and trace back these coins up to their coinbases (a reverse analysis)? Will we be able to find new blocks not claimed by Antpool? The address “669029…” sent 5 million SC to the “master address” on January 1st. Some time before, on November 30th, this mentioned address received its balance from the defragmentation operation “cb3f5e…” that merged many coinbases with 35.88 SC from the address “c5a432…”. Those 35 SC came from another defragmentation on November 21th, that collected block payouts of multiple addresses as “065022…”. This last address was the recipient of the block reward of Block #132592. Overall, in just 4 transaction “jumps”, we found the payout of an old and not claimed block by Antpool, that goes back to November 20th. The following schematic is a summary of the presented analysis:

From the direct analysis of claimed blocks, a reverse analysis can be performed to find secretly mined blocks
The oldest block we can track of Antpool is #132204, dated on November 17th, what means that Bitmain mined Siacoins in secret for exactly 2 months

Using an automated script, SiaStats found more than 2100 new blocks that Antpool rejects to claim. These blocks have been added to SiaStats databases, and more blocks are automatically being added as soon as their payouts are sent to known Antpool’s master addresses. The most interesting fact is that the oldest block we can track of Antpool is #132204, dated on November 17th, what means that Bitmain mined Siacoins in secret for exactly 2 months (as the Antminer A3 was presented on January 17th). Antpool collected 488 blocks in total thanks to their exclusivity using ASICs, using their brand new hardware in secret.

The secret mining activity of Bitmain

The apparent organic grow of the Antpool’s hashrate mentioned above was an illusion: in those two previous months, there was days they mined up to 25% of the blocks. Interestingly, there are two gaps in these months that correspond with spikes of “Unknown” pools (“Others” in the chart) of similar size as Antpool’s block rate (Dec 27- Jan 7 and Jan15 — Jan 17, see image above). The payouts of these blocks (60 additional blocks in total) have not moved from their addresses on the last 7 months. As that amount of hashrate can’t be created out of the thin air to vanish forever after a few days, this obviously means those blocks were mined by Antpool too.

The crystal tower

Crystal Tower Palace, envisioned by C. Burton in 1851 for the city of London
Bitmain could have recovered the whole cost of the ASIC development just by secret mining during those 2 months

In total, 550 blocks were mined in secret during the 2 months previous to the Antminer A3 announcement, representing around 85 million Siacoins in block rewards. According to CoinMarketCap, the value of Siacoin oscillated during November and January on the range of 0.5 and 11 USD cents. Interestingly, the maximal historic value of SC was reached on January 6th, 11 days before the Bitmain announcement. Depending on the moment they sold their “warchests”, they could have obtained something between $0.4 and $9 million from the secret mining operation. According to some estimations, the development of the A3 costed Bitmain $10 million. If they planned the trades carefully, this means they could have recovered the whole cost of the ASIC development just by secret mining during those 2 months. This, of course, on top of the $74 million in sales profit just from the first 2 batches ($2300 per unit and 33,000 units as we explained above).

I wish I had the tools and the expertise I have today back on January, so I could have released all this information when it was most relevant. I don’t know if it would have made any difference in the context of the debates of the Sia community, but I believe just having this information would have been valuable by itself. This is a cautionary tale for other blockchains: we need developers and websites tracking independently the health and the use (or misuse) of the blockchain, identifying the issues before they become a real threat with no turning back. Communities should also encourage and patronize with donations these projects, as most of the times these are just free-time projects without a business intention.

I hope this article was abundantly clear demonstrating that, opposed to Bitmain’s official message about transparency and absence of secret mining, Bitmain indeed mines coins in secret previously to the release of their mining hardware. Also, that this practice is a multi-million business for them. I also hope this article encourages developers across the cryptosphere to create and maintain tools that track misbehaving actors trying to hide on the blockchain.

The big mistake of Bitmain is hiding inside a crystal tower, believing no one will peek inside

It is shocking that this ASIC manufacturer decided to claim they do not mine coins in secret when the evidence of this lie is so evident on the blockchain. Returning to the metaphor of the crystal tower that opened the article, the big mistake of Bitmain is hiding inside a crystal tower, believing no one will peek inside. Fortunately for the rest of us, crystal is transparent.

EDIT (27 July 2018): Some grammar corrections. Thanks to everybody who contacted me about them.