Hostile Chain Takeovers

cryptocurrency, bitcoin

(source: Roger Ver w/ modification)

This blog post was inspired by a recent long conversation with Jay, Nicola, and Jesse about value in blockchains. In a previous post, Dillon and I explored the concept of merging blockchains. In light of this, I'd like to explore another concept in blockchains: hostile chain takeovers.

For context, most proof-of-work based cryptocurrencies (being the vast majority of them right now) have miners competing for block rewards, awarded proportionally to the amount of computational power they bring to the network. Networks like Bitcoin are some of the most profitable to mine, because of the substantial competition on the network, in part due to the recent value appreciation Bitcoin has gone through (yes it's down from ATH, but still 10x on the year ;))

This reminded me of the earlier days of Bitcoin – if you wanted to add new consensus-breaking functionality without a sidechain, you would clone or fork Bitcoin with new rules. Muneeb Ali previously worked on Namecoin, a human-readable naming system, forked from the Bitcoin blockchain. A few years later, he revealed that one mining pool controlled nearly 60-70% of the hash rate of the Namecoin network, breaking network security guarantees [0]. While that mining pool didn't do anything malicious, it showed that bootstrapping a proof-of-work blockchain from scratch is *really* difficult (and one of the reasons why Ethereum started).

And this doesn't just happen to less secure altcoins – it's happened to Bitcoin as well! In 2014, GHash.io controlled 51% of Bitcoin's network power [1], causing a worldwide scare and panic, and while they didn't do anything malicious, they definitely had the potential to. The incentive to take over the network at the time was limited to none, given that if the price crashed, GHash.io's expected return would be minimized.
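To put numbers on what a pool's hash share means for anyone accepting payments, here is an added example (not from the original post) that applies the catch-up formula from section 11 of the Bitcoin whitepaper: it estimates the largest pool's share from recent block tags and the confirmation depth needed to keep reversal risk under 0.1%. The function names, pool names and sample block list are assumptions constructed for illustration.

```python
import math
from collections import Counter

def catch_up_probability(q: float, z: int) -> float:
    """Nakamoto (2008), section 11: probability that an attacker with hash
    share q ever overtakes the honest chain from z blocks behind."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction between 0 and 1")
    if q >= 0.5 or z == 0:
        return 1.0  # a majority always catches up; zero depth gives no protection
    if q == 0.0:
        return 0.0
    p = 1.0 - q
    lam = z * q / p  # expected attacker progress while honest miners find z blocks
    total = 1.0
    for k in range(z + 1):
        # Poisson term in log space so large z does not overflow.
        log_poisson = -lam + k * math.log(lam) - math.lgamma(k + 1)
        total -= math.exp(log_poisson) * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)

def confirmations_needed(q: float, risk: float = 0.001, limit: int = 1000):
    """Smallest depth z whose catch-up probability is below `risk`.
    Returns None when no depth is enough (q >= 0.5) or `limit` is hit."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if catch_up_probability(q, z) < risk:
            return z
    return None

def largest_pool_share(block_tags):
    """Most successful pool in the window and its fraction of the blocks."""
    pool, count = Counter(block_tags).most_common(1)[0]
    return pool, count / len(block_tags)

# Constructed sample: pool tags of the last 20 blocks on a hypothetical small chain.
SAMPLE_BLOCKS = ["poolA"] * 13 + ["poolB"] * 4 + ["solo"] * 3

if __name__ == "__main__":
    pool, share = largest_pool_share(SAMPLE_BLOCKS)
    print(f"{pool} holds {share:.0%}; safe depth: {confirmations_needed(share)}")
    for q in (0.10, 0.30, 0.45):
        print(f"q={q:.2f} -> wait {confirmations_needed(q)} confirmations")
```

Once the largest share reaches one half, the function returns `None`: no number of confirmations bounds the risk, which is the broken guarantee in the Namecoin and GHash.io cases above.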

Keep in mind, this can also happen on proof-of-stake based consensus systems – they also suffer from the same network value bootstrapping problem. PoS systems such as Casper and Tendermint have designed incentives to prevent forking in the network (whether this is good or bad). However, systems like these don't require cheap electricity and commodity hardware, potentially amplifying the security (or lack thereof) by directly attaching security costs to the market price of the underlying commodity (on this note, there are good criticisms of PoS from Mark Wilcox [2] and Paul Sztorc [3] that I recommend).

Long story short, all these events have shown that it's possible to take over blockchain networks for potentially malicious reasons, and there may be a couple of reasons for doing so.

Motives/Attacks

Why would anyone want to take over/break a blockchain? I envision a couple of reasons:

  1. Goldfinger Attacks: Some people just wanna see the world burn (see "On hostile blockchain takeovers" [4])
  2. Governance Takeovers: An imbalance in incentives led to the Great Bitcoin Scaling Debate of 2015-2017. Different groups of actors in the system (various miners, users, wallets, etc.) wanted to control governance of the protocol to limit/move forward an upgrade. This could happen even more in the future as various blockchains stop being maintained.
  3. Double Spend Attacks: Why not double spend? I've always wanted to create money out of thin air...

  4. Competitive Chains: Chains that solve similar use cases will ultimately compete for developers, users, and investors to determine value. If incentives become perverse enough (as money tends to), we could see more attacks
  5. Forking from Middlemen: Things like founder rewards, ICOs, premines, etc. will often create an incentive for the community to fork away, if they think the value distributed away from the network isn't worth the value brought in by the developer team
  6. Traditional Attacks: Layer this on top of all the traditional blockchain attacks researchers have discovered the past several years. These include bribery attacks, selfish mining attacks, etc.

How chain takeovers materialize

  • Infinite forking
    • Drop difficulty, market token, confuse users
    • Litecoin Silver? Litecoin Cash? lol
  • Find small chains with lower hash rate, and take over 51% of the network
    • This works by either commissioning enough hardware (even easier with ASIC-resistant blockchains) or money to control voting
    • attempt both soft and hard forks, see what miners stick with
    • Attempt double spends
  • Rally a community that wants change (politics!!!)
    • There are a ton of projects that haven't had code changes in a while. However, these networks still have value resting upon them, and shareholders that want to increase value -> hostile chain takeover time (doesn't necessarily need to be hostile, but it often is)
    • This can probably be used to pump prices (but for the love of god, please don't. This ecosystem is already crazy enough...)
    • Populism works really effectively here (see BIP148 UASF from last August)
    • Raise money to fund a rogue crack developer team to continue development on a chain, whether it's abandoned or not
    • Accelerating Evolution Through Forking [5]
    • Often there's a rent premium in certain networks (as mentioned earlier), and more ideological users don't like the idea of that
  • Introduce some black swan event
    • This one is implied, but often happens more than you'd think
    • Example: the Sia team introduced a new ASIC for the community, then Bitmain brought out a much more powerful alternative, ruining the early fixed economics for early adopters and, largely, the community (and raising moral questions) [6]
    • Find a new class of attack and let it loose on a chain: Value overflow incident

For most small currencies, it's probably fairly trivial to point some computational power at the currency and take it over, destroying the value of the underlying coins. This also brings up a larger meta question – do miners have too much power? I'll leave you with two posts ([7] [8]) that explore this question further!


Thanks to Jay Graber, Nicola Greco, Jesse Clayburgh, and Dillon Chen for conversations and/or reading drafts of this. You can follow me on twitter here or subscribe to be notified of future posts.

Disclaimer: I'm not responsible for your blockchain breaking or getting taken over because you didn't think about security enough :). As always, this should NOT be taken as investment advice or recommendations. Finally, this post does not represent the views of my employer, Polychain Capital.

Ethereum SAT

cryptocurrency, ethereum

Test your knowledge of Ethereum and its underlying technology!

About four years ago, Olaf Carlson-Wee of Coinbase released a reddit post looking for more support staff to join the company. He created a Bitcoin test with some semi-advanced questions to gauge their knowledge (you can still take it here). In retrospect, the test seems relatively straightforward, compared to how the field has progressed as a whole. I decided to make an Ethereum SAT* to test your knowledge of Ethereum internals, in the spirit of the Bitcoin test. Enjoy, and happy quizzing!

Questions:

  • What do the terms "wei", "finney", and "szabo" refer to in Ethereum?
  • Name two solutions to running out of gas in a smart contract.
  • Ethereum recently hard forked, but no new coins were created. What gives?
  • What's the approximate cost to store one gigabyte of data on the Ethereum blockchain? (without solutions like Filecoin or Swarm)
  • What does maintaining state enable in Ethereum, and what fundamental data structure modification from Bitcoin allows for that?
  • What is geth's fast sync and what makes it fast?
  • What are the differences between partially light, fully light, and archive nodes?
  • What are LLL, Solidity, and Serpent, and how do they relate to the EVM? Which is the most popular of the three?
  • What's the total supply of Ethereum? What is the "ice age"?
  • What is a colored coin and how does it relate to Ethereum tokens?
  • Briefly describe how you would write a naming service in a smart contract (think something like DNS).
  • What happens when a smart contract is broadcast to the network? Who runs the smart contract?
  • What happens when multisig control of a DAO splits? (alternatively, what happens when a token forks?)
  • What happens to a DAO when the base Ethereum protocol has a network split (resulting in two different coins)?
  • What is economic finality in Casper, and what does it achieve/solve compared to Nakamoto consensus?
  • What's the difference between Casper, the Friendly Finality Gadget and Casper, Correct-by-Construction?
  • What is a slashing condition?
  • What are long-range attacks and the nothing-at-stake problem, and how are they subverted?
  • Where do the slashed Ether deposits of byzantine nodes go when not following the Casper protocol?
  • What is a "layer two" system, and how is security guaranteed without a blockchain?
  • Lightning Network is a project involving payment-specific state channels. How does this work generalize to Plasma?
  • Ethereum recently added support for zero-knowledge proofs. How does it solve the trusted setup criticism posed in ZCash? Does it?
  • What is ASIC resistance and how does Ethereum's Proof-of-Work algorithm accomplish it?
  • Describe Ethereum's "holy trinity" initiative and its three components.

Ethereum is full of lots of exciting developments (it's a living science project!), so it was only natural to create an Ethereum version of the "Bitcoin Test". Given the depth of the Ethereum Project, I wasn't able to cover everything, unfortunately. If you have an interesting question about Ethereum, comment it down below! Answers can be viewed here.


Thanks to Dillon Chen for giving me feedback on earlier versions of this post.

*Note: "SAT" is a registered trademark of the College Board, to whom I have no relation. Please don't sue me.

Have any questions or comments? Feel free to comment down below or shoot me a message on twitter @niraj.