1 of 11

Smart Contracts Make Bitcoin Mining Pools Vulnerable

Yaron Velner, Jason Teutsch and Loi Luu

2 of 11

Mining & Pooled mining

  • Mining: solve a proof-of-work puzzle
    • Hash(BlockHeader, nonce) ≤ d
    • Finding a valid nonce is hard

  • Pooled mining
    • A group of miners mines blocks and shares rewards together
    • Pool miners solve easier problems
      • Hash(BlockHeader, nonce) ≤ D with D >> d
      • Each solution (called a share) has some probability of being a valid block

3 of 11

Incentive flaw in pooled mining

  • Block withholding attack (Oakland ’15, CSF ’15)
    • The adversary does not submit valid blocks to the pool and simply drops them

  • Main problem
    • The adversary must have significant power to make the attack practical

[Figure: Network (Bitcoin, Ethereum), solo miners and pool miners; labels: "Found valid blocks", "Submit blocks"]

  • The adversary can profit
    • Coin supply is constant
    • Loss on the victim pool is picked up by others
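
An added example (not from the slides or the paper): a pool-side check built on the share/block relationship above. With share target D and block target d, an honest share is also a valid block with probability about d/D, so each miner's block count can be tested against a binomial distribution. The miner names, targets, counts and the `alpha` threshold are constructed assumptions.

```python
import math

def block_probability(block_target: int, share_target: int) -> float:
    """Chance that a share (hash <= D) is also a valid block (hash <= d)."""
    if not 0 < block_target < share_target:
        raise ValueError("expected 0 < d < D")
    return block_target / share_target

def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), summed in log space for large n."""
    if k >= n:
        return 1.0
    total = 0.0
    for i in range(k + 1):
        log_pmf = (math.lgamma(n + 1) - math.lgamma(i + 1)
                   - math.lgamma(n - i + 1)
                   + i * math.log(p) + (n - i) * math.log1p(-p))
        total += math.exp(log_pmf)
    return min(total, 1.0)

def audit(miners, block_target, share_target, alpha=0.001):
    """Return {miner: p_value} for miners whose block count is improbably low."""
    p = block_probability(block_target, share_target)
    flagged = {}
    for name, (shares, blocks) in miners.items():
        p_value = binom_cdf(blocks, shares, p)
        if p_value < alpha:
            flagged[name] = p_value
    return flagged

# Constructed sample data: targets and per-miner (shares, blocks) are made up.
D = 1 << 224        # share target (assumed)
d = D // 100_000    # block target: about one share in 100,000 is a block
MINERS = {
    "miner-a": (1_200_000, 11),  # about 12 blocks expected, 11 delivered
    "miner-b": (900_000, 0),     # about 9 expected, none delivered
    "miner-c": (50_000, 0),      # about 0.5 expected: too little data
}

if __name__ == "__main__":
    for name, p_value in audit(MINERS, d, D).items():
        print(f"{name}: P(this few blocks | honest) = {p_value:.2e}")
```

A low p-value is statistical evidence only, and a miner with few shares (miner-c here) gives the test too little data to decide either way.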

[Figure labels: -12.5 BTC, +12.5 BTC]

4 of 11

This work

  • Introduce the UnPool attack, which allows an adversary with a tiny amount of computational power to attack a pool
    • By leveraging the block withholding attack
    • Intuition: pay others to withhold blocks from the pool
  • The attack is made practical with smart contracts
    • They enforce the payment

5 of 11

UnPool attack: pay to withhold blocks

  • Main idea
    • Pay miners who drop blocks from pools, so that they profit
  • Why does it work?
    • Miners get the same reward for valid-block shares, so the adversary just needs to pay them more
      • Assuming PPS for now
    • The adversary may not lose anything
      • He can gain from the block-withholding attack

6 of 11

How to pay miners: naive design

  • Have an UnPool website where miners submit withheld blocks
    • Pay if the blocks are valid and are actually not in the main chain

  • Problem: requires trust
    • Miners do not know if they will receive the payment

[Figure: block withholder and UnPool website; labels: "Submit block", "Send reward"]

7 of 11

Our solution: use a smart contract

  • Verify withheld blocks inside a smart contract
    • Proof of stale work: a tuple (b1, b2, b2’, b3), where:
      • b1, b2, b2’, b3 are block headers; and
      • b2 and b2’ both extend b1; and
      • b3 extends only b2.
    • Can be optimized to only (b2’) if relying on BTCRelay

[Figure: block headers b1, b2, b2’, b3]

  • Verifying the block header is sufficient
    • Cheaper than verifying the full block
    • Pool information can be extracted from the header

8 of 11

Problem: what if miners submit public stale blocks?

  • Solution: use a commit-release scheme

[Figure: block withholder and UnPool contract]

    • Commit to the withheld block B and put up some deposit D
    • Challenging period
      • Allow anyone to submit B and get a D/2 reward
    • If no one else knows B, the withholder submits B and gets the reward and the deposit back

[Figure labels: "H(B) and deposit", "Reveal B", "Deposit and reward", "Challenging period"]

9 of 11

More in the paper

  • Prove that even a small miner can conduct our attack
    • For both PPS and PPLNS
  • Interactive contract using Bitcoin script
  • Build block-withholder pools to reduce variance

10 of 11

Conclusion

  • Introduce a new attack based on block withholding
    • Can be conducted by a very small miner
    • Leverages smart contracts to make it practical
  • Analysis proving the practicality of the attack
  • Implementations
    • Based on both Ethereum smart contracts and Bitcoin scripts

11 of 11

Thanks for listening

Q&A
