Do miners execute consensus-level attack against Ethereum (or other major tokens)❓🤔
The answer is *yes*❗🤯
Read on for full deets 👇
Joint work with Gilad Stern and @Avivz78.
Full paper: dx.doi.org/10.13140/RG.2.…
Medium post: medium.com/@aviv.yaish/un…
... (1/12)
The answer is *yes*❗🤯
Read on for full deets 👇
Joint work with Gilad Stern and @Avivz78.
Full paper: dx.doi.org/10.13140/RG.2.…
Medium post: medium.com/@aviv.yaish/un…
... (1/12)
(2/12) In Ethereum, the difficulty of mining the current block changes on-the-fly and decreases the longer the time that has passed without anyone mining a new valid block; this is done to ensure that inter-block time will not be too high, in expectation. What could go wrong? ...
(3/12) The time between blocks, and thus also mining difficulty, is determined according to block timestamps. The problem with this is that according to Ethereum's consensus laws miners have a certain degree of freedom when setting them, and can even set false timestamps. ...
(4/12) The same consensus laws say that in case of ties between blocks of the same height, the block with a higher total mining difficulty should be picked to be the parent of the currently mined block, while the other one should be its uncle. ...
(5/12) Thus, a miner who wishes to replace the last block on the blockchain can mine a new block of its own which has a timestamp that is low enough to increase the block’s mining difficulty. This can be useful, in cases where this last block has high paying transactions ...
(6/12) or to double-spend txs contained within the block. One can even preemptively mine blocks with such timestamps to make sure they win in case of ties with other blocks which might be mined concurrently, or which might’ve been mined but haven’t reached the attacker yet. ...
(7/12) In our paper we rigorously analyze this attack & show that by executing it in a specific manner, the attack does not entail any behavior which has a non-zero probability of earning less than mining honestly, meaning that our attack dominates the honest mining strategy. ...
(8/12) By analyzing publicly available on-chain data, we can finally say that the answer to the long-standing question "do miners attack the consensus layer of major cryptocurrencies?" is yes! Specifically, F2Pool's blocks have the fingerprint of the attack all over them. ...
(9/12) Whenever F2Pool's block timestamps reach the point where mining difficulty is supposed to decrease, they artificially set them to be one second earlier. F2Pool has been executing this attack over the past two years, and the evidence has been hiding in plain sight! ... 
(10/12) Because they execute this attack only against blocks that have a timestamp difference from their parents which is divisible by 9, and so we see that competing mining pools have an over-representation of uncle blocks at the 9 seconds mark. ...
(11/12) We feel that it is very fitting to publish this paper on the cusp of The Merge, e.g. Ethereum’s migration to Proof-of-Stake. Our paper shows that consensus mechanisms and changes to them should be rigorously analyzed, especially with regards to mining incentives. ...
(12/12) I hope you enjoyed this thread and that you'll give our paper a read and enjoy our labor of love! 🧑🍼
This work was responsibly disclosed to the Ethereum Foundation.
This work was responsibly disclosed to the Ethereum Foundation.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
