A block-withholding miner...

[JoeMattie]

I just had a thought...

Wouldn't it be pretty trivial to modify a miner (cgminer for instance) so that (while pool mining) if a share is found that satisfies the requirements for a block, instead of submitting it to the pool, it sent it to a local solomining client which was listening for the same coin...

The pool would receive all the lower difficulty shares (and their associated payout(s)) and the unscrupulous miner would get the block reward...

Would there be any way to detect such behavior?

[1713945831]

1713945831

[1713945831]

1713945831

[1713945831]

1713945831

[1713945831]

1713945831

[1713945831]

1713945831

[Winterfrost]

If I remember correctly, the pool keeps a secret key that must be combined with submitted work in order to be a valid block (or something similar to that). Obviously, if it were possible to withhold valid blocks then pool mining would be worthless unless you trusted every single miner in the pool.

[-ck]

Yes it's possible and in fact very easy to do. This is called a block withholding attack. If you are a on pay scheme on the pool based on some proportional pay scheme (true proportional, pplns, dgm etc) then you are penalising yourself since you will get paid less. If you are on a pay-per-share pay scheme only the pool stands to lose. The pool would have to have failsafes in where it randomly sent block solving shares to high hashrate miners to ensure they weren't doing this. It's not impossible, but I don't think any of the pools will tell you whether they do this or not, but I doubt they do.

[grue]

[...]If you are on a pay-per-share pay scheme only the pool stands to lose. The pool would have to have failsafes in where it randomly sent block solving shares to high hashrate miners to ensure they weren't doing this.[...]

And what actions can the administrator take? The attacker can simply create more accounts, or disguise his hashrate by splitting among multiple pools.

[-ck]

I didn't say it was practical, feasible or infallible, and I also said I doubt any pool currently does it. This is why pools really need to think thrice about offering PPS and then not offer it anyway. At least there's a disincentive to mining on a proportionally based pay scheme, but if the pool hashrate is high enough, it's not a big enough disincentive. The only payscheme which offers a large enough disincentive to not do block withhold attacks is the PoT scheme (which coincidentally was my idea btw) at high diffs. Regardless, if someone wanted to sacrifice the income, they could do it on any payscheme to make a pool suffer.

[optimiz3]

It's impossible, the Merkle Root in the block data encodes the transaction which assigns the reward to the pool.  There is no way to change the Merkle Root without invalidating the block.

Source: I develop Bitcoin Miner (http://www.groupfabric.com/bitcoin-miner/)

[cp1]

Yeah if you submitted a valid block to another pool the coinbase transaction would give the 25 BTC to the original pool anyway.

[JoeMattie]

It's impossible, the Merkle Root in the block data encodes the transaction which assigns the reward to the pool.  There is no way to change the Merkle Root without invalidating the block.

Source: I develop Bitcoin Miner (http://www.groupfabric.com/bitcoin-miner/)

Hmm, who to believe...

I'd be willing to bet that ckolivas' bitcoin miner has a little more widespread adoption than yours...

Fuck it, I guess I'm gonna be spending the next few days reading code.

[optimiz3]

What? It has nothing to do with the miner, it's the Bitcoin spec.

EDIT #2: ckolvias and I aren't disagreeing - his point is a strategy for hurting the pool on certain payout strategies. Note that no less work is done, and no blocks are reassigned. My point is that you can't reassign blocks because it is built into the block protocol definition.

[-ck]

Actually I missed the part where you wanted to send it to your own bitcoind. I thought it was just the title "block-withholding miner". No you can't redirect your block data, you can just withhold it.

[DeathAndTaxes]

Both ckolivas and optimiz are saying the same thing just in a different way.  Maybe this helps.  The nonce which solves a block only solves that specific EXACT block.  If you change anything, even a single bit it will produce a new different hash that will (almost always) be invalid.

Thus you can NEVER use a nonce that solves a blockheader created by the pool for any other purpose.  The pool/miner is rewarded by a transaction inside the block, if you change that, you change the block.  If you broadcast the block as is, well it doesn't matter who broadcasts it, the reward will go the the address(es) in the coinbase.

So
YES you can withhold a block from the pool.  In all pools except PPS this means your reward will go down as well as you are sharing a % of the total revenue produced by the pool and you have reduced the total revenue.  In a PPS pool your payment is fixed so it doesn't directly cost you anything but you don't gain directly either.  However if enough people did this the pool would eventually fail, the operators would lose, and you may need to go to a pool with less favorable terms. 

NO you can't "steal" the block reward, allow another pool to solve the block, or somehow gain any larger share of the reward.  

[crazyates]

NO you can't "steal" the block reward, allow another pool to solve the block, or somehow gain any larger share of the reward. 

Unless you're using PoT, in which case a block solver share is worth many times more than a regular share.

I totally agree with everything else you said; I'm just being a nitpicking ass. 

[JoeMattie]

Both ckolivas and optimiz are saying the same thing just in a different way.  Maybe this helps.  The nonce which solves a block only solves that specific EXACT block.  If you change anything, even a single bit it will produce a new different hash that will (almost always) be invalid.

Thus you can NEVER use a nonce that solves a blockheader created by the pool for any other purpose.  The pool/miner is rewarded by a transaction inside the block, if you change that, you change the block.  If you broadcast the block as is, well it doesn't matter who broadcasts it, the reward will go the the address(es) in the coinbase.

So
YES you can withhold a block from the pool.  In all pools except PPS this means your reward will go down as well as you are sharing a % of the total revenue produced by the pool and you have reduced the total revenue.  In a PPS pool your payment is fixed so it doesn't directly cost you anything but you don't gain directly either.  However if enough people did this the pool would eventually fail, the operators would lose, and you may need to go to a pool with less favorable terms. 

NO you can't "steal" the block reward, allow another pool to solve the block, or somehow gain any larger share of the reward.  

Okay, that makes sense.

[Van3cespencer7]

I believe something like this has already happened in a pay per share pool. Forget the name but the miner withheld a block and the owner ended up taking out loans to pay his miners.

Lesson here pay per block.

[Meni Rosenfeld]

or somehow gain any larger share of the reward.  

You can gain a larger share of the reward, with the "lie in wait" withholding attack described in AoBPMRS and elsewhere.