[bitcoin-dev] SPV Mining reveals a problematic incentive issue.

Peter Todd pete at petertodd.org
Mon Jul 13 16:04:53 UTC 2015


On Sat, Jul 11, 2015 at 11:24:48AM +0200, Jorge Timón wrote:
> All miners should validate transactions precisely because of the latest
> attack you've described. Full miners can gain a lot from this attack to
> leverage their full validation against spv miners who blindly spend energy
> hashing on top of something that may be worthless crap. SPV mining makes no
> sense, but some miners claim they're doind it for very short periods of
> time, which shouldn't be as bad as doing it all the time.
>
> I think it would be more rational for them to keep mining on top of the old
> block until they've fully validated the new block (which shouldn't take so
> long anyway), even if this slightly increases the orphan rate.

You're missing something really critical about what F2Pool/AntPool were
(are?) doing: They're finding out about new blocks not by getting block
headers from just anywhere, but by connecting to other pools' via
stratum anonymously and determining what block hash they're telling the
hashers at the pool to work on. (e.g. what prevblockhash is in the block
header of shares being generated)

If other pools try to fake this information they're immediately and
directly losing money, because they're telling their own hashers to make
invalid blocks. This of course has a high chance of being detected, and
can easily be FUDed into "STOP MINING AT FOO POOL!" reardless of what
the ivory tower game theory might say. The only hope the pools have is
to somehow identify which connections correspond to other pools with
high reliability and target just those connections - good luck on that.


Anyway, all this concern about SPV mining is misguided: relying purely
on SPV w/ low #'s of confirmations just isn't very smart. What SPV can
do - at least while the inflation subsidy is still high - is give
reasonable protection against your third-party-run trusted full nodes
from lying to you, simply because doing so has well-defined costs in
terms of energy to create fake blocks. Targetting enough people at once
to make a fake block a worthwhile investment is difficult, particularly
when you take into account how timing works in the defenders favor - the
attacker probably only has a small % of hashing power, so they're going
to wait a long time to find their fake block. Between that and a trusted
third party-run full node you're probably reasonably safe, for now.

-- 
'peter'[:-1]@petertodd.org
0000000000000000086007e31decd6eb80e07f77271ef50c69e1e6342161f4e5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 650 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20150713/4cc5aaa3/attachment.sig>


More information about the bitcoin-dev mailing list