RSK Security Against Fee Sniping attacks | by Sergio Demian Lerner | Research & Innovation | Jul, 2021 | Medium


(This article contains some material originally published in 2019 in the IOV Labs RSK Blog)
The security of Bitcoin relies on the economic incentives for miners to extend the “heaviest chain”, which is the chain with the most accumulated difficulty (usually the longest). Currently, those incentives are provided by the block reward, which consists of the block subsidy and the transaction fees. But the subsidy (currently 6.25 BTC) is substantially higher than the average transaction fees per block (currently 0.25 BTC). Bitcoin subsidy halves every 4 years, and without an inversely proportional BTC price appreciation, the main incentive for mining will shift from block subsidy to block transaction fees. To maintain the current security budget, transaction cost would need to increase 25-fold. It’s too early to tell if this will ever become a problem for Bitcoin.

It is possible that Bitcoin needs to soft-fork or hard-fork to adapt to a new era of low subsidy. In 2014, I showed how Bitcoin could become unstable when I presented the (mainly theoretical) FRONT Attack. Carlsten et al. (2016) analyzed this problem in depth but they could not find a satisfactory solution. This is not only Bitcoin’s problem but one that every cryptocurrency whose money issuance diminishes over time will need to face.
But we don’t need to worry about Bitcoin for now. The Bitcoin community might need to solve this problem in 10 or 20 years, or maybe never.

Every now and then the issue is reexamined, with analyses both highlighting and minimizing the problem. But when we analyze Bitcoin sidechains, such as RSK, the problem is quite real.
In 2019, Blockstream’s CEO Adam Back mentioned smoothing when discussing Bitcoin’s long term security budget: “Other longer term low subsidy era ideas include fee averaging across block intervals to smooth fee revenue.”
https://twitter.com/adam3us/status/1097031151921713152
RSK has implemented exactly that idea, the smoothing of fee revenue, since 2016. But before we explain how RSK handles transactions with high fees, we’ll show in more detail the three major block reversal attacks that can be triggered by transaction fees: fee sniping, whale transactions and mining atomization.

Fee Sniping

If the block subsidy is low and the transaction fees in the last mined block are much higher than the fees that can be collected from transactions in the mempool, short-term rational miners are incentivized to grab transactions from the last mined block and mine a competing block, instead of extending it.

This is a deviation from Nakamoto Consensus, and it’s called fee sniping.

By definition, such a deviation is an attack on the protocol, and the miner is considered a malicious party. To cash the grabbed transaction fees, the malicious miner also needs to mine one additional confirmation block faster than the honest chain, so that the rest of the miners switch to his chain. Therefore, fee sniping is not always profitable, since the malicious miner risks wasting his hashrate if his selfish fork does not outpace the honest chain. Infrequent fee sniping may not be a problem, but if miners change their consensus code to profit from potential fee sniping opportunities over all existing forks, then the network can be exposed to more dangerous attacks.

Whale Transactions

Once miners’ nodes perform automatic fee sniping, an attacker can take advantage of this situation to perform a double-spend attack. A malicious miner may spend coins in the honest chain and receive another external asset in exchange, and later fork the honest chain at a block before the first.

In the malicious fork, the attacker double-spends the coins but also introduces a distinctive feature (i.e. a unique UTXO) that must not exist in the honest fork. Immediately afterwards, the attacker broadcasts a “whale” transaction that makes use of this feature (i.e. consumes this UTXO) and offers an unusually high transaction fee as a bait (or a bribe) to the miners running the fee sniping code.

While the term “whale transaction” may be understood as a transaction that transfers a high value, here we use the definition in the referenced paper, as a transaction that pays high fees, no matter the amount of value transferred. In Bitcoin, the whale transaction and the malicious fork blocks would need to be sent directly to miners’ nodes, because non-best forks are not forwarded by the full nodes in the peer-to-peer network. However, in many smart-contract platforms, the attack is much easier because they do broadcast non-best forks. Also in smart-contract platforms, creating a whale transaction is simpler: the attacker can re-use a nonce already used in the honest chain, therefore preventing the whale transaction from being included in the honest chain. Alternatively, the whale transaction can execute a contract that checks if the previous block hash matches a block hash that only exists in the selfish fork (i.e. using the BLOCKHASH opcode) and pays a bribe only on the selfish fork.
Once miners detect a whale transaction, they may consider extending the malicious fork, even if lagging behind, if the bribe is high enough, betting that it will outpace the longer honest chain. Without smart-contracts, the best attack strategy is to concurrently broadcast a series of whale transactions bribing the following miners so that they keep extending the malicious fork.

In Bitcoin, transactions can be chained with CHECKLOCKTIMEVERIFY or CHECKSEQUENCEVERIFY. In smart-contract platforms this can be done by either re-using nonces or by contract calls. Even if not automated, the attacker can continue generating whale transactions on the malicious fork, until it overtakes the honest chain.

Miner Atomization Attacks

In the Whale Transaction attack, we considered that miners need to dynamically switch to a complex mining strategy to accept bribes based on fork winning probabilities. We can more realistically consider that the miners are running a simpler strategy that does not consider future bribes, but only selfish fee sniping.

If this is the strategy adopted by the majority of miners, then a new attack is possible. The Miner Atomization attack is a network-wide denial of service attack that attempts to entice all miners to work on selfish forks simultaneously, therefore reducing the rate and convergence of the honest chain. The attack begins with the broadcasting of a transaction with very high fees, similar to the fee sniping attack or the whale transaction attack. This transaction is not intended to help double-spend but it is a bait that aims to atomize the mining network. We’ll show the attack with an example. Suppose that a transaction T in a block at height N pays 100 coins in fees, but the average block reward is just 10 coins.

We assume that all miners’ nodes are programmed to follow this rational strategy:
If T is included in any of the last K blocks of the honest chain, grab the transaction T and try to mine a competing block at height N, then keep mining child blocks of this selfish fork until it outpaces the honest chain. If the honest chain outpaces the selfish fork by more than K blocks, give up.

The high fee malicious transaction atomizes mining for the benefit of the larger mining pool, which has the highest chances of mining the transaction T plus enough additional selfish confirmation blocks so that the remaining miners will give up. Curiously, the more decentralized the mining network is, the worse the disruption caused by transaction T is. For instance, for a blockchain having a 10 minute average block interval, if there were 100 miners each having 1% of the total hashrate, the network would suffer a 100x slowdown for several blocks until it finally converges. The network would be unusable for 2 days!

RSK Protections Against Fee Sniping

RSK is a pure Bitcoin sidechain, so it had to face the challenge of securing the blockchain with a security budget that consists only of transaction fees since its inception.

Therefore RSK had to be prepared for abnormally high or low fees. RSK was the first production-ready sidechain, and it uses merge-mining for consensus. Currently more than 40% of Bitcoin miners merge-mine RSK.
RSK miners expect economic compensation for running RSK full nodes. Most blockchains issue new coins for this compensation. Some other distributed ledgers, such as Ripple, don’t issue coins to pay block producers but block producers can be externally subsidized. Ripple Labs, which pre-mined XRPs, has so many of them that they can provide compensation in XRP for third parties to become block producers. RSK, on the other hand, faces the toughest conditions: it doesn’t have coin issuance (like Bitcoin) and it doesn’t have a coin premine (like XRP). RSK represents a successful example of a Bitcoin sidechain, a glimpse of the future of consensus in deflationary blockchains, and how a blockchain without subsidy can be sustainable.

However, having no subsidy means that the sidechain must be carefully designed against the attacks presented here. RSK implements several unique features to be more secure against blockchain reorganizations based on high fee transactions:
- Block reward smoothing (also called fee smoothing)
- Block reward sharing
- Fork-aware merge mining
In the following sections, we briefly present each technique.

Fee Smoothing

Fee smoothing is a consensus rule that distributes transaction fees between miners in a more egalitarian way. It pays each miner a function of the past block rewards.

The function could be linear or nonlinear, based on a small number of prior block rewards, or based on a state that depends on all previous blocks. The simplest design is to use some kind of low-pass filter on the accumulated fees. RSK uses a smoothing function that is very simple, an IIR with α=0.1. If an RSK miner solves a block at height N, the miner will be compensated with 10% of the block N transaction fees and 10% of all unpaid miner fees previously accumulated. In other words, there exists a “shared” miners’ account, where at each block the winning miner puts in the transaction fees and takes out 10% for himself.
Reward smoothing increases the incentive to extend the blockchain against the incentive to re-mine a past block to grab its paid fees, because the miner can only grab 10% of the whale transaction fees. We’ll bring up the previous example.

We assume that the average block reward is 10 coins and a block contains a 100-coin bribe at height N. In RSK, the block at height N would pay a reward of 19 coins, while the following block would pay 18.1 coins. The selfish miner now needs 10 times more hashing power than any other miner for the attack to be profitable.
We now show other complementary protective measures.

Block Reward Sharing

RSK implements a reward-sharing consensus protocol called DECOR. DECOR splits block rewards evenly between sibling blocks, as long as those blocks’ headers are referenced by the honest chain. DECOR diminishes the incentive for an atomization attack because the winner of the high fee transaction must share the reward with as many as another 10 miners that produced sibling blocks. This is because a blockchain block can have up to 10 block sibling references, and the DECOR protocol shares the block reward between them all.

To avoid sharing, the miner would need to mine another 10 selfish blocks, preventing uncle references, reducing considerably his chances of success. Considering reward sharing together with fee smoothing, for an attempt to disrupt the RSK network to be successful, the bribe must be at least 110 times higher than the average block reward.
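The 19 and 18.1 coin figures from the fee-smoothing example, and the combined smoothing-plus-sharing factor above, can be reproduced with a short model. This is an added example, not RSK's consensus code, and its function names are illustrative. It assumes the shared account is at its steady-state balance before block N, that block N's total fees are the 100-coin bribe, and that all 10 sibling slots are filled.

```python
from fractions import Fraction

ALPHA = Fraction(1, 10)   # smoothing factor the article states (IIR, alpha = 0.1)
MAX_SIBLINGS = 10         # sibling references per block, per the article

def smoothed_payouts(fees, pool, alpha=ALPHA):
    """Pay consecutive blocks from the shared miners' account.

    Each block deposits its fees, then its miner withdraws `alpha` of the
    balance. Returns (list of payouts, remaining balance)."""
    pool = Fraction(pool)
    payouts = []
    for fee in fees:
        pool += Fraction(fee)
        paid = alpha * pool
        pool -= paid
        payouts.append(paid)
    return payouts, pool

def steady_state_pool(avg_fee, alpha=ALPHA):
    """Balance carried between blocks when every block pays `avg_fee` in fees.

    Solves alpha * (pool + fee) == fee, i.e. payout equals the average reward."""
    return Fraction(avg_fee) * (1 - alpha) / alpha

def snipe_vs_extend(bribe_fees, avg_fee, alpha=ALPHA):
    """Reward for (re-)mining the bribe block vs. honestly mining the next one."""
    pool = steady_state_pool(avg_fee, alpha)  # assumption: account starts at steady state
    (at_n, at_n_plus_1), _ = smoothed_payouts([bribe_fees, avg_fee], pool, alpha)
    return at_n, at_n_plus_1

def sniper_share_of_bribe(siblings=MAX_SIBLINGS, alpha=ALPHA):
    """Fraction of a bribe the block-N miner keeps after smoothing and an even
    DECOR split with `siblings` sibling blocks."""
    return alpha / (1 + siblings)

def blocks_to_release(fraction, alpha=ALPHA):
    """Blocks needed before at least `fraction` of a deposit has been paid out."""
    remaining, blocks = Fraction(1), 0
    while 1 - remaining < Fraction(fraction):
        remaining *= 1 - alpha
        blocks += 1
    return blocks

if __name__ == "__main__":
    at_n, nxt = snipe_vs_extend(bribe_fees=100, avg_fee=10)
    print("unsmoothed: block N pays 100, next pays 10")
    print(f"smoothed:   block N pays {float(at_n)}, next pays {float(nxt)}")
    print("sniper share with 10 siblings:", sniper_share_of_bribe())
    print("blocks until half a bribe is paid out:", blocks_to_release(Fraction(1, 2)))
```

With smoothing, re-mining block N earns only slightly more than honestly extending it, and a fully shared block leaves the sniper 1/110 of the bribe.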
Fork-aware merge mining

Fork-aware merged mining is a variant of merged mining that allows users to monitor the mainchain network (e.g. Bitcoin) for malicious forks in the sidechain network (e.g. RSK). To profit from a whale transaction attack, the attacker must find a victim to double-spend. That victim would probably be an online crypto exchange.

Crypto exchanges wait for several hundred block confirmations before accepting a deposit, which is enough time for the RSK Armadillo system to detect the malicious fork beforehand and alert the exchange. In the case of fee sniping and miner atomization attacks, the malicious forks are short, and therefore Armadillo can only be used as a tool to diagnose the situation and identify the pools deviating from the honest protocol, but it cannot prevent the attack.

Other Protections

Another complementary protective measure, which RSK does not currently implement, is to limit transaction gas price to a multiple of the minimum gas price (i.e. a 10x spread). I proposed a comparable measure for Bitcoin in 2013. RSK could implement this easily, as each block advertises the minimum transaction gas price accepted. However, setting a maximum gas price does not completely solve the problem if the network is in a state where blocks do not consume all the gas limit available in a block.

The high transaction fee in T can be the result of a higher amount of gas consumed instead of a higher gas price (the paid fee is the product of these two amounts).

Bribing Miners Through Side Channels

Reward smoothing is not the ultimate solution, as attackers can use a smart-contract platform to bribe miners into doing just about anything. I presented the theoretical “Eternal Choice for the Dark Side Attack” (or ECDSA 🙂) in 2014, as a way to show how miners could be bribed to deviate from honest behavior. McCorry et al. (2018) presented a wide gamut of theoretical bribing attacks. However, the level of understanding and preparation required to accept smart-contract based bribes is considerable. This makes smart-contract based bribing attacks much more difficult to perpetrate.

A miner must be aware of the bribing contract and understand how to interact with it. However, this type of attack is unavoidable: if the platform can perform a payment to the current block miner, then it can also execute a smart contract that pays the same miner. This is because the programming language that describes the protocol consensus and the one used by smart contracts are both “Turing-complete”. This is an interesting theoretical problem.
One can think of clever tricks to make bribe payments more difficult, such as forcing miner addresses to be special (i.e. one-time use only), so that a bribing contract cannot pay to the miner. However, a Turing-complete smart-contract platform cannot prevent a payment from a party that is willing to pay to another party willing to be paid.

We can always construct a successful bribing smart-contract that evades defenses. For example, the malicious miner can create a zero knowledge proof proving control of a specific miner address to the contract, without revealing the private key. The miner would send this proof to the bribing contract, together with an alternative receive address to receive the bribe.
It does not suffice to limit the smart contract language capabilities of the blockchain whose miners are to be bribed, since any other Turing-complete smart-contract platform can be used to pay bribes to miners. The platform only needs to run a block header relay (i.e. btcrelay). For example, RSK and Ethereum could be used to pay bribes to Bitcoin miners. However, coordinating an attack on a bridged blockchain is harder.
One potential defense against bribing attacks is to use a variant of PoS consensus protocol that requires that the majority of block producers sign blocks, and also requires them to have a security deposit (stake) of coins for a period of months. The stake of miners that equivocate (produce two contradicting blocks or extensions of contradicting forks) would be confiscated by a community-launched hard fork.

While this protection does not eliminate the vulnerability, it can increase the attack cost, as the bribe must be higher than the stake lost.

Currently, enabling miner staking is not possible on Bitcoin. While RSK could adopt a PoS consensus, there is no proposal to switch to PoS nor to mix PoW with PoS in RSK.

Summary

We presented several known attacks on Nakamoto consensus based on malicious transactions paying out abnormally high fees. Some attacks allow double-spending and others cause network instability.

These attacks are especially relevant for all Bitcoin sidechains including RSK. RSK implements block reward smoothing, block reward sharing and fork-aware merged mining as deterrents. While reward smoothing works for explicit fees, the general case of bribes paid using smart contracts cannot be avoided. Defending from these attacks requires active network monitoring. Finally, further research on potential solutions for these attacks is necessary.