The Fragility of Financialized Bitcoin Mining Pools
Trend towards FPPS
Late last year, I began thinking more about the business of bitcoin mining pools and wondered if I would ever want to launch my own. It had been years since I paid any attention to the mining pool business. I originally did a deep dive when I got into the industry in 2016, but since then, my focus has been solely on hardware, infrastructure, and controls, particularly related to off-grid oilfield bitcoin mining products.
When I heard a rumor last year that BraiinsPool was switching to FPPS rewards, I was both excited and disappointed. Like most bitcoin miners, I dislike the variance and uncertainty regarding when I will get my next paycheck; variance is a cost of doing business. I would rather receive fixed payouts, even if it comes with a small fee and loss of privacy.
My disappointment was mainly in learning that Braiins was not keeping PPLNS score-based payouts as an option but instead forcing users to fully switch over. Braiins was basically the last pool of significant hashrate to offer score-based payouts, so it felt like the end of an era, even though I think Braiins made the right business choice.
Like it or not, the vast majority of miners, in my experience, do not want to bear the cost and uncertainty (and anxiety) of the variance that comes with score-based reward systems. I would say that just about every single industrial client that Upstream Data serves prefers to have a reliable, fixed payout for the work shares they submit.
So, in late 2023, I began reading about mining pool reward systems again, and it reminded me of a serious flaw in FPPS/PPS reward systems that make them extremely easy to steal from, which is the focus of this blog post.
Block Withholding Attacks
There is a really outstanding paper about bitcoin mining pool reward systems which was published by Meni Rosenfeld back in 2011 called “Analysis of Bitcoin Pooled Mining Reward Systems” which you can download and read here.
Meni’s paper is rich with information on bitcoin mining pool reward systems and related incentive structures as it relates to bad actors. I assume if you are reading this blog then you already understand enough about bitcoin mining 101 and I do not need to explain the varying reward schemes, but if you do not then please refer to this paper.
Even though Meni wrote it a mere 2 years after bitcoin’s inception, it has aged quite well even 13 years later after he published it. In my estimation it ranks as one of the best papers ever written on the subject matter.
Anyways, in the paper Meni describes a serious attack vector that miners can use against pool operators called “Block Withholding” attacks. In particular, I want to focus on the ‘Sabotage’ attack. Here it is as described by the paper:
6.2 Block withholding
– Meni Rosenfeld
The analysis so far rested on the assumption that the atomic action that can be carried out by participants in a pool is to perform the work needed to find a share, and submit it to the pool unconditionally. However, with the current protocol, miners can determine whether a share they have found is a valid block or not, and refrain from or delay submitting of blocks. This can be used for two kinds of attack, sabotage and lie in wait.
6.2.1 Sabotage
The simpler attack is sabotage, where the attacker never submits any blocks. This has no direct benefit for the attacker, only causing harm to the pool operator or participants.
Using a reward system without operator risk like PPLNS, each participant (including the attacker) will lose a portion of his rewards equal to the attacker’s portion of the pool’s hashrate. If the attacker’s hashrate is h, the pool’s total is H and the pool fee is f, participants will obtain on average (1 − f)(1 − h/H)pB per share. This can create a significant loss, but since it is difficult to detect, it will likely not cause desertion of the pool or any other long-term disruptions.
With a reward system that puts the operator at risk like PPS, the entire loss falls on the operator. He will gain on average (f −h/H)pB per share submitted, and since f is typically only a few percent, this can easily be negative. This way it is possible to cause bankruptcy of the pool.
I added emphasis in bold since I will argue that despite being unethical, sabotaging a FPPS pool is actually incentivized financially, unlike a score based pool.
As Meni described, block withholding a PPLNS / score type pool has no direct benefit to the attacker because the attacker suffers like every other user. Therefore I would call a block withhold to be incentive-incompatible for the attacker on a PPLNS style pool.
However, since block withholding a FPPS / PPS pool the loss is entirely borne by the operator while miners get 100% expected rewards like normal, we can say that sabotaging a FPPS pool is incentive-compatible because the attacker will not only get 100% expected rewards for his work, but his work will not contribute to increasing Network Difficulty.
Therefore, when you ignore ethics, morals, potential illegality, and serious breach of the FPPS pool’s Terms-of-Service, block withholding is financially incentivized and that’s not good!
Why would someone block withhold a FPPS pool?
Since there are no costs to the attacker to block withhold a FPPS pool, here's a quick brainstorm on reasons I would guess would motivate an attacker:
- Competing pool: A competitor pool might block withhold their competition in an attempt to bankrupt them and gain their users. This is the most likely attacker, imho and some people suspect this has happened recently.
- Limit Difficulty: As cited previously, if you block withhold a FPPS pool you lose no revenue and you do *not* contribute to network difficulty, meaning you gain *more* revenue than you otherwise would.
- Trolls: Some small miners might not like a given pool operator, maybe they appear too large with too much hashrate and they want to attack them. Maybe they are simply the type of person who is jealous of builders / success, someone who prefers to destroy things rather than build things. These types of people are exist.
- Adversarial Government: Maybe a government who bans bitcoin wants to see bitcoin broadly damaged and attacks FPPS pools who do not comply with regulation. Maybe a government who wants to dominate hashrate seeks to attack competing nation's pool operators.
Block withholding is extremely easy to do and very hard to detect or prevent
I'm not going to pretend that I am an expert on this subject matter, I am merely parroting the answers I received to questions I posed to numerous industry experts. I also do not advocate for block withholding, I think it is unethical and worse.
Block withholding is best executed via a proxy, such as CKProxy, and can also be executed from the miner firmware. Historically, some of the people I interviewed suggested such attacks have occurred, but usually by improperly designed firmware from new vendors, not so much from malicious intent.
I asked one expert, Upstream Data's new CTO - James Hilliard, how easy is it for a malicious miner to execute an attack? He responded 3 minutes later with a block withholding modification to CKProxy code amounting to about 3 lines. I don't need to share the code, but even as a non-programmer I can see how easy it is to execute.
As far as I know there is no easy way for a pool operator to detect a block withholding attack. Generally they would rely on statistical analysis and check which users consistently show up as outliers on low Luck and ban them. Public pools however have no way to prevent them from coming back, nor auditing new users.
I believe there are potential fixes, Meni described one in his paper that I cited above, but it could require a hard fork which would make it untenable.
Public FPPS pool ignores the adversarial environment
As a business owner who cares about my profits and our customer's success, I do not understand how you can operate a FPPS pool and sleep at night. Imagine running a business whose survival is dependent on a competitor playing fair.
Recently Marty Bent wrote about current trends in mining centralization. His post was triggered by a particular observation by Mononaut that a number of mining pools were using the same block templates as Antpool, indicating some level of cahoots to the magnitude of ~47% of the network hashrate!
It was suggested that some of these blockfinders were coordinating with Antpool as a proxy service, or with another party named Cobo, who is acting as an insurance underwriter to these FPPS pool services and requires a specific block template. Whatever the case, someone here is operating on a massive risk basis.
We can also observe that either Antpool or Cobo has a high level of influence over a huge hashrate at the present, likely over 51% of the total network. Not ideal.
Fixing this attack is important
I don't know how to fix the Block Withholding attack, but I do think it is important that we fix it.
After doing a deep dive into the economics of mining pools at the end of 2023, which some of you saw me tweet about live, I concluded that operating a *public* FPPS pool is untenable. "Public" meaning anyone can access without any form of KYC. I do not think the pool operating risks are paid for by the relatively small fees that FPPS pools charge. I do not believe that the shareholders and insurers to public FPPS pools are pricing in this risk.
At this time I believe the only scalable way to operate a FPPS style pool is privately, where users are fully KYC'd and even possibly yield audits by their pool operator. For example, FoundryPool would be a FPPS requiring KYC creds by users, though I am not sure if they go any further re operational auditability.
Public facing pools will likely have to remain as PPLNS / SPLNS or similar score style reward systems, where the operator bears no risks to block withholding. An example of a popular public score style pool is Ocean.
You could also serve the public as an Proxy layer to somebody else's FPPS pool. If you do not know what a Proxy is, it is a pass-thru service that takes a spread/fee for connecting you to the underwriting pool operator, the Proxy usually offering added value services. For example, Lincoin is a proxy underwritten by Antpool.
FPPS is a valuable service
The vast majority of hashrate would pay a premium in fees to receive a fixed reward, rather than deal with variance of a scoring based pool. The cost of variance only increases as the network grows, and smaller scoring pools find it hard to remain competitive.
If public FPPS pool operators could operate without accounting for the risks of block withholding attackers, then there would be less friction in operating such pools. They would be more readily financeable as well as insurable. This would open pools up to more competition in pool operators, and in the mining industry broadly.
Eliminating the block withholding attack would benefit overall network health and energy efficiency due to wider distribution.
If I wanted to start a public FPPS pool today (assuming I had the financial backing to reduce the risk of bankruptcy - see Appendix C) then I would have to price in the block withhold risks on top of the variance risks, which makes the endeavor hardly financeable / insurable. I would be forced to operate a public scoring style pool like Ocean, which has a much more limited market demand since variance is passed onto the user.
Such pools do not seem to to be able last, even though they should yield the lowest fees and highest privacy.
♥ Steve
