Sabotaging Mining Pools

[nibor]

If someone was to make a few line change to cgminer or other mining software that just meant that if you found a share that was a BLOCK it discarded it instead of sending to the mining pool this would soon kill the pool for virtually zero cost to the sabotager.

Only cost to the sabotager (assuming they were mining anyway) would be that one in 1.8 millions shares would not be submitted so reducing their personal income by a tiny amount. (Plus the 5% cost of mining PPS).

But the cost to the mining pool would be massive as they would be paying out on shares to someone who could NEVER find a block.

E.g. to sabotage slush who are charging 2-5% you would only need to have 2-5% of the pools hashing power (so about 25-60 g/hash) to wipe out their entire profits and so soon them. You would just mine PPS and only submit non-block shares!.

And if you were a Pool yourself you could possible redirect some of your users to solve other pools share hashes, collect the fees from the other pool but never send them successful blocks. In this way you can kill the competition without having any hashing power and only relatively small costs.

I know that p2pool tries to work round this by adding a 0.25BTC bonus if you submit a block making share but this hardly changes the costs significantly.

Obviously the pools could drop PPS, but then the costs would just look like bad luck to their users!

[1714131617]

1714131617

[1714131617]

1714131617

[Ferroh]

if you found a share that was a BLOCK

It doesn't work this way.

If it did work that way, you could just keep the block for yourself.

You can't tell which share solves a block for the pool.

Edit:

Or it does, and I'm really tired, sorry

[Graet]

if you found a share that was a BLOCK

It doesn't work this way.

If it did work that way, you could just keep the block for yourself.

You can't tell which share solves a block for the pool.

um actually. cgminer shows you blocks you find so you can tell.

this is called a witholding attack, you would need to be a large part of the pool. only way to do it without costing yourself lots is on a PPS pool.

[wabber]

if you found a share that was a BLOCK

It doesn't work this way.

If it did work that way, you could just keep the block for yourself.

You can't tell which share solves a block for the pool.

You can.
But you can't change the payout address of the block after it was solved or you have to solve it again if you change it which is why you can't keep it for yourself.

[JoelKatz]

When a pool does mine a block, it can immediately assign that same work unit to many miners. Any that pull a new work unit and don't mine the block are highly suspect.

[ChrisKoss]

When a pool does mine a block, it can immediately assign that same work unit to many miners. Any that pull a new work unit and don't mine the block are highly suspect.

+1.  Nice solution.

Now, couldn't a smart withholding attack check to see if the block already exists in the block chain, and only then send it up to the pool server?

I suppose you could hold back releasing the block to the Bitcoin network for 30 secs while you wait for all your workers to prove themselves, but you risk another miner finding a block in the mean time.

[nibor]

if you found a share that was a BLOCK

It doesn't work this way.

If it did work that way, you could just keep the block for yourself.

You can't tell which share solves a block for the pool.

um actually. cgminer shows you blocks you find so you can tell.

this is called a witholding attack, you would need to be a large part of the pool. only way to do it without costing yourself lots is on a PPS pool.

You do not need a large percentage. Just slightly more than the fee. So 5%.
And you still get paid for mining there! So if you had a mining set up that was 5% (i.e. 50-75 Ghash for the 2nd tier pools) you just need to point it at them as pps and withhold the blocks and the attack really costs you nothing.

[JoelKatz]

Now, couldn't a smart withholding attack check to see if the block already exists in the block chain, and only then send it up to the pool server?

Yes, but nobody's that smart yet.

I suppose you could hold back releasing the block to the Bitcoin network for 30 secs while you wait for all your workers to prove themselves, but you risk another miner finding a block in the mean time.

I think you could withhold for just 4 seconds and still get a pretty good idea. This would incur about a .7% chance of losing the block, with an expected cost of about $3.

[dree12]

Now, couldn't a smart withholding attack check to see if the block already exists in the block chain, and only then send it up to the pool server?

Yes, but nobody's that smart yet.

I suppose you could hold back releasing the block to the Bitcoin network for 30 secs while you wait for all your workers to prove themselves, but you risk another miner finding a block in the mean time.

I think you could withhold for just 4 seconds and still get a pretty good idea. This would incur about a .7% chance of losing the block, with an expected cost of about $3.

Many pools do not require a password. If a malignant individual mines on someone else's account, they could possibly get them into trouble.

[JoelKatz]

Many pools do not require a password. If a malignant individual mines on someone else's account, they could possibly get them into trouble.

This seems like a pretty unlikely scenario from a practical standpoint. Most likely, you'd just wind up helping them because unless you actually mine a block, you are indistinguishable from a legitimate miner. Someone would have to dedicate huge amounts of hashing power to do this, and the most likely outcome is that they would just enrich the person they are trying to get in trouble.

However, it is definitely worth thinking about.

[K1773R]

source code or it didnt happen

[-ck]

You could definitely do a withholding attack, but why on earth would you do it? It doesn't benefit you, you just make the pool poorer that you mine with, and unless you have ultramegahashes to waste, your effect of withholding a block solve will be insignificant to the final outcome. There is nothing suspect about not returning a share from any work gathered from a pool, and a block solve is no different to returning a share. There is no way to check if a miner is returning all the shares it's "supposed to" as there is no such metric. Pools never send the same work item out to two different miners, so they'd have to have some reason to suspect this is the case, so unless you mine with a pool and after 10x difficulty submission of shares you still haven't sent a block solve, then they'd have to start investigating. Even then, bad luck alone is enough for even 10x difficulty and no block solve to occur. So at current difficulty, for example, a pool operator would have to get suspicious only after you had sent 30 million shares without a block solve. That's a heck of a lot of work you're doing just to withhold one block. So unless you personally have something like >1% of the total bitcoin network hashrate, this is a futile exercise.

On the other hand, if you get enough people running the same malicious mining software you could achieve this. But to what end? It doesn't benefit you directly in any way. Luckily all the source code for my mining software (along with most other mining software) is free and open and anyone can audit it to ensure it's not doing this.

[K1773R]

You could definitely do a withholding attack, but why on earth would you do it? It doesn't benefit you, you just make the pool poorer that you mine with, and unless you have ultramegahashes to waste, your effect of withholding a block solve will be insignificant to the final outcome. There is nothing suspect about not returning a share from any work gathered from a pool, and a block solve is no different to returning a share. There is no way to check if a miner is returning all the shares it's "supposed to" as there is no such metric. Pools never send the same work item out to two different miners, so they'd have to have some reason to suspect this is the case, so unless you mine with a pool and after 10x difficulty submission of shares you still haven't sent a block solve, then they'd have to start investigating. Even then, bad luck alone is enough for even 10x difficulty and no block solve to occur. So at current difficulty, for example, a pool operator would have to get suspicious only after you had sent 30 million shares without a block solve. That's a heck of a lot of work you're doing just to withhold one block. So unless you personally have something like >1% of the total bitcoin network hashrate, this is a futile exercise.

On the other hand, if you get enough people running the same malicious mining software you could achieve this. But to what end? It doesn't benefit you directly in any way. Luckily all the source code for my mining software (along with most other mining software) is free and open and anyone can audit it to ensure it's not doing this.

there is only one goal where it could be usefull, if a pool owner wants to take down a others pool and only if the others pool is PPS. Prop isnt worth it since u lose too.

[-ck]

there is only one goal where it could be usefull, if a pool owner wants to take down a others pool and only if the others pool is PPS. Prop isnt worth it since u lose too.

Certainly this is a real danger with a proxy pool...

[K1773R]

Certainly this is a real danger with a proxy pool...

but only if the proxy pool is using PPS, otherwise it wouldnt harm much. i wonder if anyone already created some patches for miners to do this...

[-ck]

Certainly this is a real danger with a proxy pool...

but only if the proxy pool is using PPS, otherwise it would harm much. i wonder if anyone already created some patches for miners to do this...

Indeed, but they could easily redirect shares to a PPS should they feel malicious.

[K1773R]

Certainly this is a real danger with a proxy pool...

but only if the proxy pool is using PPS, otherwise it would harm much. i wonder if anyone already created some patches for miners to do this...

Indeed, but they could easily redirect shares to a PPS should they feel malicious.

or a proxy pool just simply switches to another PPS pool to kill it and pay the surpases. this could be really nasty

[dust]

This attack has the advantage of keeping the difficulty artificially low.  It is economically advantageous to the attacker if they control > (share_difficulty / difficulty) of the network.

[Meni Rosenfeld]

I'd like to remind everyone that block withholding can be used for a profitable attack against non-PPS pools, called "Lie in wait". I estimate the max profit can be achieved from it to be multiplying the rewards by (1 + h/(4H)), where h is the attacker's hashrate and H is the network's total hashrate. And, if block withholding ever becomes a problem one solution is to modify the protocol to allow oblivious shares.

This attack has the advantage of keeping the difficulty artificially low.  It is economically advantageous to the attacker if they control > (share_difficulty / difficulty) of the network.

Almost. If the difficulty / share_difficulty is D, then by doing this they lose 1/D, and assuming everyone's hashrate stays the same, they difficulty drops by h/H meaning they get h/H, so this is indeed profitable if (h/H)>(1/D).

But if the difficulty goes down, mining becomes more profitable and people will add more hashrate. So the difference between the old and new equilibrium will not be as large as h/H, maybe it will be h/(2H). With this assumption you'd need twice as much hashrate to make this profitable.

[dree12]

But if the difficulty goes down, mining becomes more profitable.

Not if the pools begin increasing fees to compensate, which they inevitably will.