kmod's blog

22Jan/190

PoolJacking: easy 51% attacks against Bitcoin and Ethereum

With the recent Ethereum Classic double-spend attack, I decided to finally write this post about an existing vulnerability in Bitcoin and Ethereum.  The attack vector has been used in the past to steal a small amount of Bitcoin, but it can be used more cleverly to pull off 51% attacks and double-spend an unbounded amount of cryptocurrency.

This blog post talks about Bitcoin, but Ethereum and some other coins have the exact same vulnerability.

Background: Stratum

Bitcoin has a lot of parts of it that are secure.  And it has some parts that are not secure.  Unfortunately, having lots of secure parts doesn't count for much if you have parts that are not secure.

In particular, the Bitcoin ecosystem contains a protocol called Stratum, which coordinates miners and their mining pools.  Since 85% of mining happens via pools, 85% of the hashrate is dependent on Stratum's security.

Stratum is notoriously insecure.  Not in the sense that there are clever attacks on it, but in the sense that it contains zero security measures.  It's like letting anyone with an armored truck drive up to a bank and load up the truck with money: if the request is formatted right, Stratum will let it through.  Stratum has been attacked in the past by an ISP employee to steal mining rewards from their network, which is a clever, although limited, way of abusing the lack of security.  You can do much more damage than that.

The ISP employee simply redirected where the mining rewards went.  But with Stratum, you also control what block the miners are mining.  This means that if you can intercept Stratum, you can control the entire hashpower of a mining pool.  Not only does this still steal the mining rewards, but if done on a large enough scale it allows 51% attacks which are devastating to the network as a whole.

I call this PoolJacking: using Stratum to hijack an entire pool at a time, and then controlling their hashpower to rewrite the blockchain.

It's not a total break of Bitcoin's security, but PoolJacking allows attackers to double-spend, DDOS the entire network, or simply collect $5MM a day in mining rewards.

It's exploitable

This attack relies on intercepting specific internet traffic.  There are a few ways to do it, and easiest among them is BGP hijacking (another is DNS poisoning).  BGP hijacking allows an attacker to use BGP, the core internet routing protocol, to redirect where traffic is sent, and already happens thousands of times a day.

BGP access is limited, but still broadly available.  There are 62,970 licenses that have been given out to send BGP updates, and there are 16k "Network Engineers" on LinkedIn, most of whom presumably have this access.  It's conservative to say that there are 10k people who have the ability to pull off this attack.

Worryingly, these people are distributed throughout the world, all located in different legal and political regimes.  It would be easy for Pakistan to intercept Bitcoin traffic in the same way that it intercepted YouTube traffic in 2008.  I'm no expert but it looks like North Korea has the level of access to pull this off as well.

The worst part is that while this attack is detectable, there is not much that can be done about it.  An attacker only needs about 2 hours to execute a double-spend, giving a very small window for people to notice and raise confirmation requirements.  Even if the attack is noticed, it will take a very long time to roll out the required protocol fixes, since this will require updating the firmware on hardware miners (or more realistically, waiting for the next generation of miners).

 

Stratum's weakness is already known to the community, yet there has been no progress in replacing it with something secure.  I hope this blog post reveals just how damaging the vulnerability can be, and brings attention to this lingering problem.

Filed under: bitcoin No Comments