CESC2020: Detecting Attacks against Proof of Work

2020 Ford F150. Everyone, welcome for tuning in, thank you for tuning in to discussion around a detecting attacks against proof of work. Will be talkin about this for the next 25 minutes or so, and we is myself. My name is, I work with Mr. T's digital currency initiative and my primary focus for the past eleven months or so has been a project called pool detective, which will be detailing more in the calming Christian station recently graduated from MIT

and he did his master's thesis with the digital currency initiative, as well as she'll be talking about in the digital currency initiative. Real quick, where Richards, Group based out of the MIT media lab. First and foremost, obviously, we're at still University, sober, educator, try to build capacity in this industry by teaching courses. Also advising our students on Vista pics were also conducting research research and development in some of the problems that are still in the blockchain space around scalability

privacy and also that's a security and obviously you're having a strong history of standard-setting and a neutral platform were also Goose conveners. So let's introduce the topic that we're going to cover today, we're going to start with Jace going to introduce you to her, which is a system that detects chain reorganization. And then My turn to talk to you about school. Detective, a full of technicians off the Record and analyze the behavior of cryptocurrency mining tools. So, first off, we're going to hand it off to talk to you through the

realtor. Okay, thanks buddy. I'll see what we're talking about today is the real track at which was my Master's thesis project this last year at the DCI, what is dealing with is studying 51%, tax? Now, proof of lock has been around as a consensus on for them to stop at ten years now bust used in Bitcoin but now used in many of the points across the industry and if you read satoshi's white paper and his security octaman is pretty hand-waving, you sent me says that, you know, 51% that text should be impractical

and really am. I know I should not want to do it, but more recently, economic recessions have been looking into while if we take mine was from a rational economic perspective, you know, is that really true? And ultimately, the current theory says that, actually 51% attack should be far from impossible. It says that they should be cheap. When it comes down to this Theory from microeconomics, which states that will cost becomes equal to the marginal revenue on what this means. For proof of luck, is that the cost

of a real dog, I should equal the value of the book for was from doing. My nonprofit is eliminated. An adversary could break even without even having to double spend on. This is introduced and Ashley three separate papers. One by our house, in a few others, and one by Rafael Ayala. Actually, we wanted to study these because we wanted to see if, you know, how does the theory hold up in practice and it seems the coins with a very small Network, hashrate tree

available for rent. This is because lots of coins Shah mining algorithm. So, if that's a lot of coin and then several smaller coins. Often only a very small percentage of the shift from one point to another in order to be 51% or 100%. Additionally for new players in the game such as my Sasha, Grey to the rental market is actually possible for an adversary one12 only have to pay the marginal cost of that, you don't have to worry about the fixed costs. While maintaining mining Hardware making a tracking form of practical

and coins has been detached and princess and money has been stolen and this is sort of an ex-cop from some of the news articles that came out before we Perform This research suggesting that number of cording to plan, but here in plastic Bitcoin gold, open 51. One of these articles, you can call to 51%. So which coins actually exist in the liquid hashrate Moc at at sun's out quite a lot that we are actually existing Inception market. Right now, I'll have the black line in the middle represents 100% of the more than 50% of the coins are

more than a hundred percent of available. I'm in the worst case with expanse thousand times that coins network hashrate available Why do we need a real tracker? Well, these events that transient so people often say, well, you know, you see the attack in the blockchain and the answer is no. You need to be monitoring but not watch to check whether or not an attack because Open up until now we've been relying on fixing to tell us about whether they've been attacked as you can imagine, you know, if this results in in Salton Sea or a loss of use of funds, victims are often not super interested. In

revealing has taken place in French Council, a realistic confirmation requirements to exchange. It should be using for these coins. We also wanted to investigate whether there are any mitigation strategies, the coins that use to protect themselves against What do we detect Sin? Cara in the normal operation of a blockchain. The subsequent blocks refer to a single previous block and the chain is extended continuously, but in the case of real one set of blocks can be replaced by the other than

the other one. So, what is include a transaction in the original set of walks that deposit to an exchange? Then once that exchange was credited, the deposit, they reveal a second set of blocks that replaces that deposit transaction. And in fact, makes it invalid such that the exchange kind of late. So I can see if that deposit transaction to keep and what they had on the exchange. So what did we do? We run Queen demons for the 21, different proof of what cryptocurrencies and we also tracked, you. And if you're in a classic, but

which we use for remote apis and then we tracked reloads on each of these coins for. Of 10 months. And then car-related, the attack events. We discovered with Market data from Nice, Ash and price Daytona from 4 to combat. Sorry, this is a block diagram of a system design. I sent you, what we had is cool. If the queen demons or web apis for the different coins responsible for people came to, there's going to be at 2 p.m. at wax Allen tracker processes for each of the coins which determined, whether or not a real old was taking place and if it real cat taking place it

saved but the original set of blocks The Replacements of blocks and before clock to a database for later analysis for double spend transactions. So what did we find? While we found that attacks to suddenly happened, I'm in the last case on Buck coin, we detected an attack that was 600 blocks Deep by which is the equivalent for the 24 hours of the blocks being removed, from the, the primary chain, which as you can. Imagine is pretty catastrophic and lots more than once that most people don't think about when they think about Bitcoin of these.

Additionally, we were able to compare just emotional cost, actually equal marginal revenue in practice. What we found is at least within for the one order of mac and cheese using the block reward as a proxy for the cost of a real seems to be pretty accurate estimation there something some Outlaws which can be explained. So, in terms of the attacks, we discovered, we detected a text on a number of different clients which includes a double spots. As you can see, the switch deepest,

real Sarasota 25 hours for Ingram as well as on bitcoin gold. You can see their cumulative amount of double spent value reaching over half-a-million dollars in that. So suddenly a significant amount of money is at stake here. Additionally, we found strong evidence that nice Ash is being used by adversaries before we were actually full of wound up with the attack on book one before because they might have discovered that they were being provided walkway in my stash the line on that question.

When we love the attack, we found out that was a pretty large spike in available Hatchery capacity, as well as price coinciding with the thought of the attack was starting to be generated. And when the end of the attack Additionally, we discovered counter tops. So the Bitcoin gold included. So what happens is the attack of the Brookfield that box showed up an extended, the original for to displace the attack us before we have to start even responded by extending them delicious. I'm finally. Once again, extended the original

or restoring, the original fall to the primary chain, for the attack, comes the theory that was developed at the VC. I buy a hobbit Street in Baton Rouge that states. The counter tax really should deter attacking in the fust place. Once there's a credible threat on the counter-attack. We also looked into you how asset prices change after an attack. Those lot of float Florence, the space that suggests that you have to post a tack. It would be catastrophic for the coins reputation and the price of BAC point of decreased significantly but we found the often that's not the case. Or at

least it's not the case. Within a short. Of time off the attack, at least giving the attacker enough time to withdraw the funds and make a profit on their attack. In fact, the one of the attacks on expense the attack coincides with the lodge exchange pump without the price of the asset, increase it to seven pines, meaning that the attack was incredibly profitable for the attacker even without including any doubles fence. Sometimes the Future walk. I'll be really great to deploy the real Trappers a commercial product, right now, it's just a research tool, it's not

really suitable for all sort of mass usage, but clearly these attacks are becoming more and more frequent, and lots of money is at stake. Its Cooley required that some kind of monitoring us is needed. Additionally, we don't know who the attacker in the victim's wife, so it's important to try and find that out because if it's exchanges that are being attacked in their losing use of funds, it's important for all uses to be aware of that. Secondly, we need to be able to interpret State changes between folks and account baselines, assuming an attack. One day happens when an account

basepoint, there a lot more complex interactions between different contracts. So, it's much harder than just seeing, which outfits a doubles match between different coins. I'm finally given the we've seen that counter-attacking is potentially a What to do if attack. Thanks Ange. Okay, so let's talk about it before we start to talk about pool detective, let's talk about pool mine, so when you buy a state-of-the-art Bitcoin miner, the beauty of the Bitcoin network is that you can record full notes. Install a little bit of software and then

be mining on the Bitcoins all by yourself. Now, the problem with this approach however is that you through the vast amounts of computational capacity, that's a Bitcoin Network currently has Your state-of-the-art before a minor will probably say somewhere between twenty and thirty years to find a block all of which time you'll have to like pay the electric bill for running a minor. And so, this is a real problem for minors, which day solved by introducing mining pools

in pools do is say, distributes the work that needs to be done to find a block, over a large population of minors that's there with share in the work clothes. But once the mining pool has found a bell as proof, they also share in the reward. So what a mining pool does reminder is instead of waiting really long for a really big payout, They received very small payouts, much more frequently and so is reduced its variants of the reward. That wants a bulldog and disrespect is just a coordinator. Ensure that no two minors through the same work because that's obviously wasteful.

And once the book rewards is received the mighty full custody to account for total pool resources, and communicate with my nurse, using a protocol that is called Estrada. Illustrate the power that money. I'm going to show you this chart that shows the distribution of traits among the eight largest Network control, 80% of the S5, Active on the network and to teach these persons or companies control was 80% of all. The mining. Hardware is working on a fairly serious amount self-control

because mining Hardware is really, really efficient at the running. Proof-of-work options, to hedge funds. In Greeley physically house is March of the fruits of work function as possible for the lowest amount of energy possible. Spell the word that they want to work on them so they can look in the sense that they'd risk the mining Hardware doing whatever to my gifts, the minor work that it doesn't expect. Then the mining are first going to execute that job regardless and she

wants to go it's we're positioning ourselves between the pool and the mining hardware and we record what the mining pool is selling the miner. At the same time we also position ourselves in the peer-to-peer network of the cryptocurrency monitor in order to see the moment at which New Hampshire Fox by listening to the piers announce blocks to each other and then we store all the unexpected behavior. And when I talk about the unexpected Behavior, what we

look for things that we set out when we started the project, First of all, we look for evidence of selfish Mining and in, selfish mining The Miner said our mining on that fool about a block that they found, and they will start looking for the next to the other. The problem there is that the mining pool have an unfair advantage to find in the next block and research shows that the Escape sea mining for a unfair advantage of making them receive more Awards than they lose. When they

So far we haven't found any evidence. We're still looking at the mining, Hardware is incapable of determining. Whether the work is received is a leech, a word that uses the same proof of work function. For instance, if your mining Bitcoin pool, you could receive work for Bitcoin, cash to bitcoin SV and you're minding hard for all of us to be executed because there's no way for tomorrow in Hartford sell that that Stephanie Respond instantly. Found one pool. That is sending us Bitcoin cash in his fever. While we expect it's

before work, we're currently waiting for that fool to respond to our findings. And then we're going to make a publication about this somewhere in the in the next few weeks. The other the first thing that they can do dat there. Sure is spell. It is mining a empty block on top of the one. That's another. So before they're even able to sell a 20 block, the problem is, if I do this for too long, the risk of finding an empty meaning that's the total average. True Foods

of the network will decrease because an empty blocked, a potential transaction capacity. And so we want to we want to compare how empty blocks are being sure that's worth. The people, whether they all do it the same way whether the pools are really slow but it's still going on out. There is my nipples are able to conceal. Their true hashrates by sending me for a walk, the face to an unknown address. So the party started a showed earlier attribute blocks to mining fools by looking at which address,

they pay out to or for instance, marker day to somewhere in the wework transaction and a mining pool cuz him to use a different payouts address that is unknown. Meaning that the mining hashrate for that part of the work will show up as a meeting. Nobody is able to sell what their true hashrate is, because mining pools are meant to not pass, the two large share of the network while at the same time. Having a higher share means higher income for the pool so it might be a possibility that they're doing this. We're looking for that the last one, it's about

underpaying minor. So if you sent a particular amount of work you expect a particular month but so far we've concluded that it's hard to determine whether mining pools under pay my nerves because you need more data than the date of this, we have a thirsty. You need to dated at the money for her ass about the other Miners. And so far, we haven't been able to draw any conclusions on that scroll. So, very, very basic how the systems designed the system is a reverse proxy. Where instead of having one pool and you just refuse to work with multiple,

Meijer normal Stratton property, you can. It's a reverse proxy where we connect to a bunch of upstream. And we did serve you to work to a single minor that we have. So we have a single minor for each of the algorithms that we Monitor and we make it through the work off multiple pools at the same time. Another thing about software that allows us to monitor what happens on the peer-to-peer networking threw himself of propagation. So we can see when will start to build a picture

sheet. So we can detect things like selfish mine in order to replace the globe to make sure to wear clothes and connect it to the cool notes that finds it looks or are close to the fool enough to find a blocks meeting that. We're learning how to block this past weekend. Now, the system's been running since November 1st is ever increasing. So we're looking at, you know, which pools are important. Is the current season for adding new foods that you go to. We're monitoring from about 92%

to bitcoin hashrate, which is a significant and important to have a large chair and that's their stem all toys. Also, he wrong. That's compatible work. And another aspect is, including rental market. What Jen said around rental, Marcus being used for it. If we mine on the rental markets as well, we can see the work on block that ends up in an attacker Shay and combined with the price. Say that that would be Smoking gum to these markets being used for sex. The girls here, analyzing

for selfies, whether we can relate Works to block the dresses. For full are also building a bi to exposed to the public for other people to build on to the next step for us. Our band is a p. I will be releasing a block both soon to introduce his birthday. Any more detail. What you can, what you can obviously read more about it. We're releasing a YouTube video on the detectives to explain it in more detail and maybe we're releasing also a public from sin for people to explore the state of

New York back or you can visit the website of the DCI which is e c, o m, i t that CD. You also if you want to learn more about to DTI in general that's a great place to start and you can follow us on Twitter. Epi account or me personally, or case personally, thank you for watching this. Feel free to fix the website or contact us imprinted. Thank you.