Fact Check: DARPA Funded Report on Blockchain Centralization
In this analysis, we examine and fact check the claims in the recent DARPA blockchain report which claims that Bitcoin’s blockchain is susceptible to centralized control.
On June 21, 2022, a DARPA-funded report on blockchain centralization was released by Trail of Bits, a security research firm.
In this analysis, we will examine and fact check some of the claims in the report. We will focus primarily on Bitcoin, as that is the only blockchain that has demonstrated true resilience to attack in real world conditions. We will also contrast the academic findings in the paper with real world tests of these theories.
There is constant research into attacks on Bitcoin, and much of it is interesting, relevant, and worth considering. As Bitcoin’s fundamental purpose is resistance to state-level attack, the premise of a new attack vector is worth taking seriously and discussing. With the system transmitting more than a trillion dollars of value yearly, it is also constantly subject to real-world attack as one of the biggest financial honeypots in the world.
We concur with the report that most blockchains are centralized to varying degrees, ranging from “decentralization theater” to being fully centralized without any pretense of decentralization. Unfortunately, we find many significant problems with the paper’s analysis of Bitcoin. Below we will address most of the major claims in the report.
Every widely used blockchain has a privileged set of entities that can modify the semantics of the blockchain to potentially change past transactions […] There are currently four active contributors with access to modify the Bitcoin Core codebase, the compromise of any of whom would allow for arbitrary modification of the codebase.
FALSE. This is simply not true in practice in Bitcoin, because the users running nodes, not the developers, decide which code to run. There have been numerous examples of this in the past. During the block size wars of 2017, for instance, many users chose to run code published by a pseudonymous developer (the BIP 148 user-activated soft fork) because they wanted SegWit activated sooner, against the advice of some highly respected Bitcoin Core developers who spoke out against running it.
The code chosen by the users ran on many nodes, even though the change was not written or merged by the “four active contributors” the authors refer to. Even if we focus on the most popular Bitcoin client, Bitcoin Core, the claim that four people control the source code is also FALSE: changes are proposed as public pull requests, reviewed by many contributors, and only then merged by a maintainer. Releases are built deterministically and the release hashes are signed by several independent builders, so a single compromised maintainer account cannot silently ship modified binaries to users who verify those signatures. A more in-depth look at how changes happen in Bitcoin is available here.
Many other blockchains employ a forced-upgrade mechanism, such as Ethereum’s difficulty bomb. In those cases we find the claim largely TRUE, because nodes are forced to upgrade in order to remain operational, and whoever controls the upgrade controls the rules.
The number of entities sufficient to disrupt a blockchain is relatively low: four for Bitcoin, two for Ethereum, and less than a dozen for most PoS networks.
MISLEADING. The claim that Bitcoin can be disrupted by attacking the top four mining pools is flawed for several reasons:
Mining pools are not miners. Miners are a globally distributed workforce, often located in remote regions where power is cheap, and they can (and do) switch pools easily. In 2014, miners voluntarily left GHash.io when it approached a majority of the hashrate.
The disruption lasts only as long as the attack does. As soon as the attack stops, mining continues unabated.
If the attack on specific pools does last a long time, miners can regroup on still-honest pools by changing the pool URL in their miner configuration.
We find the claim MOSTLY TRUE for other blockchains, especially those using staking, because most of the stake typically sits at large centralized exchanges or in datacenters, or in the hands of founders and insiders who granted themselves large token allocations, and that stake can be used to control vote-based systems.
For a blockchain to be optimally distributed, there must be a so-called Sybil cost. There is currently no known way to implement Sybil costs in a permissionless blockchain like Bitcoin.
MISLEADING. A Sybil attack (pronounced sih-bill, named after the book Sybil, a case study of a woman with dissociative identity disorder) is one where an attacker creates many identities that pretend to be independent honest participants in order to trick an honest node into accepting invalid or untrue data, or otherwise coerce its behavior by misleading it. Nakamoto Consensus (Bitcoin’s reliance on proof of work as the source of truth) was designed precisely to make block production Sybil-resistant. Satoshi wanted any participant to be able to add a block, but choosing a participant at random by identity would be open to one person pretending to be many. Work cannot be faked, so Bitcoin weighs block production by hashes computed rather than by identities: one CPU, one vote, not one IP address, one vote.
Sybil attacks cannot trick a Bitcoin node into accepting an invalid chain. Every block is checked against the consensus rules locally, and among valid chains the node follows the one with the most accumulated proof of work, so it needs only a *single* connection to an honest node to learn the true chain. It does not matter if attackers operate 99.9% of the network’s nodes. What a Sybil attacker can do is isolate a node so that it sees a valid but stale view (an eclipse attack, addressed below); that is a denial of service, not a way to make the node accept invalid data.
There is a strong Sybil cost in Bitcoin as far as mining goes: producing valid blocks requires spending real-world energy. A malicious miner would have to consume significant energy to produce (still valid) empty blocks to starve the chain of transactions, and a miner producing invalid blocks simply burns energy and loses money, because honest nodes reject those blocks.
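To make the heaviest-chain rule concrete, here is an added example in Python (not code from the original article, and not Bitcoin Core’s code). It mines two toy chains at regtest-like difficulties: one long and cheap, as a Sybil attacker with little hashpower might offer, and one short and expensive, as honest miners would produce. A node following Bitcoin’s rule picks the chain with the most accumulated work, not the most blocks. The difficulty values, labels and timestamp are constructed for the demonstration; chain work is computed as floor(2^256 / (target + 1)), which is the quantity Bitcoin Core accumulates as chainwork.

```python
import hashlib
import struct


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Expand the compact nBits field of a block header into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected number of hashes needed to find a block at this difficulty:
    floor(2^256 / (target + 1)), the quantity Bitcoin Core sums as chainwork."""
    return (1 << 256) // (bits_to_target(bits) + 1)


def build_header(prev_hash: int, merkle_root: bytes, bits: int, nonce: int,
                 version: int = 1, timestamp: int = 1655769600) -> bytes:
    """Serialize an 80-byte header: version, prev hash, merkle root, time, bits, nonce.
    The timestamp is a constructed constant; it plays no role in the comparison."""
    return (struct.pack("<i", version) + prev_hash.to_bytes(32, "little")
            + merkle_root + struct.pack("<III", timestamp, bits, nonce))


def header_hash(header: bytes) -> int:
    """Block hash as an integer (the familiar hex form is this value in big-endian)."""
    return int.from_bytes(dsha256(header), "little")


def mine(prev_hash: int, merkle_root: bytes, bits: int) -> bytes:
    """Grind the nonce until the header hash is at or below the target.
    Only practical at the toy difficulties used below."""
    target = bits_to_target(bits)
    for nonce in range(1 << 32):
        header = build_header(prev_hash, merkle_root, bits, nonce)
        if header_hash(header) <= target:
            return header
    raise RuntimeError("nonce space exhausted")


def valid_chain(chain: list[bytes], genesis_prev: int = 0) -> bool:
    """A chain is valid when every header links to its predecessor and meets
    its own target. (A real node also validates every transaction; omitted here.)"""
    prev = genesis_prev
    for header in chain:
        if len(header) != 80 or int.from_bytes(header[4:36], "little") != prev:
            return False
        bits = struct.unpack("<I", header[72:76])[0]
        if header_hash(header) > bits_to_target(bits):
            return False
        prev = header_hash(header)
    return True


def chain_work(chain: list[bytes]) -> int:
    """Total expected hashes behind a chain (sum of per-block work)."""
    return sum(block_work(struct.unpack("<I", h[72:76])[0]) for h in chain)


def select_best_chain(candidates: list[list[bytes]]) -> list[bytes]:
    """Nakamoto consensus: among valid chains, follow the most work, not the most blocks."""
    valid = [c for c in candidates if valid_chain(c)]
    if not valid:
        raise ValueError("no valid chain offered")
    return max(valid, key=chain_work)


def build_chain(length: int, bits: int, label: bytes) -> list[bytes]:
    """Mine `length` toy blocks in a row at difficulty `bits`."""
    chain, prev = [], 0
    for height in range(length):
        merkle = dsha256(label + height.to_bytes(4, "little"))  # stand-in for a tx tree
        header = mine(prev, merkle, bits)
        chain.append(header)
        prev = header_hash(header)
    return chain


# Constructed scenario (toy difficulties, not mainnet): the attacker offers a LONGER
# chain of cheap blocks; honest miners offer a SHORTER chain of expensive blocks.
SYBIL_BITS = 0x2000FFFF   # about 256 hashes per block
HONEST_BITS = 0x20000FFF  # about 4096 hashes per block


def demo() -> dict:
    sybil = build_chain(5, SYBIL_BITS, b"sybil")
    honest = build_chain(2, HONEST_BITS, b"honest")
    best = select_best_chain([sybil, honest])
    return {"sybil_blocks": len(sybil), "sybil_work": chain_work(sybil),
            "honest_blocks": len(honest), "honest_work": chain_work(honest),
            "winner": "honest" if best is honest else "sybil"}


if __name__ == "__main__":
    print(demo())
```

The comparison is by work, so an attacker who floods a node with many cheap blocks gains nothing once the node hears a single honest peer: the short, expensive chain wins. Flooding a node with identities (Sybil) only matters if it also prevents that single honest connection, which is the eclipse scenario discussed later in the article.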
A dense, possibly non-scale-free, subnetwork of Bitcoin nodes appears to be largely responsible for reaching consensus and communicating with miners.
MISLEADING. The word “consensus” is not used in this paper in the way Bitcoin defines it, namely that the rules of Bitcoin are followed. This leads the authors to conclusions that are simply not relevant to the functioning of the Bitcoin blockchain. Again, it does not matter if intermediate nodes maliciously modify traffic, because the economic nodes that receive transactions verify the rules of Bitcoin themselves, so modified traffic is considered invalid and ignored.
Consensus from this perspective is maintained at the edges (i.e. on each node that receives coins). It does not matter what happens in the middle. More on this topic is covered in the article Bitcoin Miners Beware: Invalid Blocks Need Not Apply.
The authors imply that attacking the network layer lets the attacker tamper with data in transit, but censorship (omitting or delaying data) is the only feasible attack. If a node finds that its transactions are not being included in the blockchain, it can trivially connect to other honest, functioning nodes. Any attack that tries to starve the network of data must control vast areas of the Internet and last indefinitely to be effective.
The standard protocol for coordination within blockchain mining pools, Stratum, is unencrypted and, effectively, unauthenticated.
MIXED. It is true that the current Stratum protocol has a less than ideal design: it is cleartext and the pool is not authenticated, so a network-level attacker (for example via a BGP hijack, as happened to miners at several pools in 2014) can redirect a miner’s hashrate to a pool of the attacker’s choosing until the miner notices. Still, in real-world conditions these flaws do not impact the functioning of mining pools by and large. Someone could use them to mount denial-of-service attacks on pools, but the ultimate question is: to what end? As addressed above, miners can and do switch pools on a whim if their pool is having problems.
The paper also fails to mention that work on Stratum V2 is well advanced. It addresses many of these problems, including encryption and authentication of the pool connection, and it pushes block template construction to the individual miners rather than trusting the pool to select and order transactions.
When nodes have an out-of-date or incorrect view of the network, this lowers the percentage of the hashrate necessary to execute a standard 51% attack
TRUE/IRRELEVANT. The authors fail to demonstrate real-world scenarios in which this matters. If a miner’s node has been eclipse-attacked (all of its connections lead to attacker-controlled nodes) so that it does not have the most up-to-date copy of the true blockchain, the attack has to be sustained for as long as the miner remains isolated; as soon as it reaches a single honest node it recovers. Bitcoin Core also makes eclipsing harder than a naive crawl suggests: it spreads outbound connections across network groups, keeps dedicated block-relay-only connections, and retains anchor peers across restarts. The attack also presupposes that the attacker is building an alternative chain and feeding it to the eclipsed node. The real-world costs of such an attack must be taken into account. It is not enough to hand-wave that nation states have unlimited resources: a nation state would have to commit a significant portion of its national energy output to the attack and sustain it in perpetuity against the rest of the world’s honest miners.
Bitcoin traffic is unencrypted—any third party on the network route between nodes (e.g., ISPs, Wi-Fi access point operators, or governments) can observe and choose to drop any messages they wish.
MIXED/IRRELEVANT. Some Bitcoin traffic is encrypted (e.g. when carried over Tor; BIP 324 proposes encrypting the peer-to-peer transport itself), while most of it is cleartext. Dropping traffic is not in itself an attack on Bitcoin’s functionality: you would need sustained control over the entire network to prevent the propagation of every single transaction, and a single connection between an honest node and an honest miner is enough for a transaction to propagate. Any such attack must be sustained indefinitely to be effective. Transactions can even be sent by means outside the Internet (satellites, mesh networks, QR codes). As soon as a transaction reaches an honest miner, the attack has been subverted.
The Bitcoin Core client has a hard-coded delay of two minutes before it gossips new verified blocks to a peer.
FALSE. This statement is so obviously false on its face that it is surprising it passed review by nine authors without anyone pointing it out. If nodes deliberately delayed block propagation by two minutes, it would sharply increase the rate of orphaned (stale) blocks, and you would never see two blocks from different miners across the world built on top of each other less than two minutes apart. Real-world block propagation data debunks this. The likely source of the confusion is a two-minute constant in transaction relay (Bitcoin Core’s UNCONDITIONAL_RELAY_DELAY), which governs when a node will serve a not-yet-announced transaction to a peer that requests it; it has nothing to do with block relay.
Over the past year, a malicious actor (widely believed to be from Russia) used a Sybil attack to gain control of up to 40% of Tor exit nodes. The attacker used the nodes to rewrite Bitcoin traffic.
EXTREMELY MISLEADING. There was indeed an attack on Tor exit nodes, however rewriting “Bitcoin traffic” was not part of the attack. In fact, the attack rewrote websites to change bitcoin addresses published on them. The authors provide a citation, but the author of the report they cited clarifies: “…they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address.”
It is not possible to rewrite Bitcoin transactions in transit, because of how digital signatures work. Bitcoin transactions are signed with ECDSA (or, since Taproot, Schnorr) signatures that commit to the transaction’s inputs and outputs, so altering a destination address or amount invalidates the signature and the receiving nodes reject the transaction. Likewise, blocks cannot be tampered with without making them invalid: the block header commits to every transaction through the Merkle root, and the header’s proof of work commits to the header.
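As an added example (not from the original article or any Bitcoin implementation), the following Python reconstructs the real genesis block header and its coinbase transaction from their public fields and runs the two block-level checks a node performs: the header’s proof of work and the Merkle root’s commitment to the transactions. It then plays the man-in-the-middle role by redirecting the coinbase output to a different public key and shows that the block fails either way: keep the header and the Merkle root no longer matches; recommit to the altered transaction and the stored proof of work no longer meets the target. Signature verification itself (the transaction-level check) needs an ECDSA library and is not shown here; the attacker key and the helper names are this example’s own.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Expand the compact nBits field into the 256-bit proof-of-work target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    return mantissa << (8 * (exponent - 3))


# Real mainnet data: the 80-byte genesis block header (public and unchanging).
GENESIS_HEADER = bytes.fromhex(
    "01000000"                                                            # version 1
    + "00" * 32                                                           # no previous block
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"  # merkle root
    + "29ab5f49" + "ffff001d" + "1dac2b7c")                               # time, bits, nonce

# The public key the genesis coinbase pays to (real, from the chain).
GENESIS_PUBKEY = bytes.fromhex(
    "04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6"
    "49f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f")


def genesis_coinbase_tx() -> bytes:
    """Serialize the genesis block's only transaction from its well-known fields."""
    headline = b"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
    script_sig = bytes.fromhex("04ffff001d" "0104") + bytes([len(headline)]) + headline
    script_pubkey = bytes([len(GENESIS_PUBKEY)]) + GENESIS_PUBKEY + b"\xac"  # OP_CHECKSIG
    return (b"\x01\x00\x00\x00"                                       # version
            + b"\x01" + b"\x00" * 32 + b"\xff\xff\xff\xff"            # 1 input, null outpoint
            + bytes([len(script_sig)]) + script_sig + b"\xff\xff\xff\xff"  # scriptSig, sequence
            + b"\x01" + (50 * 100_000_000).to_bytes(8, "little")      # 1 output of 50 BTC
            + bytes([len(script_pubkey)]) + script_pubkey
            + b"\x00\x00\x00\x00")                                    # locktime


def txid(tx: bytes) -> bytes:
    """Transaction id in internal byte order (as used inside the Merkle tree)."""
    return dsha256(tx)


def merkle_root(txids: list[bytes]) -> bytes:
    """Bitcoin's Merkle root: pair up, hash, and duplicate an odd last element."""
    if not txids:
        raise ValueError("a block has at least the coinbase transaction")
    layer = list(txids)
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [dsha256(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]


def validate_block(header: bytes, txs: list[bytes]) -> list[str]:
    """Return the consensus problems found (empty list = passes these checks).
    Per-transaction script and signature validation is omitted here."""
    if len(header) != 80:
        return ["header must be exactly 80 bytes"]
    problems = []
    bits = int.from_bytes(header[72:76], "little")
    if int.from_bytes(dsha256(header), "little") > bits_to_target(bits):
        problems.append("proof of work: header hash exceeds target")
    if merkle_root([txid(tx) for tx in txs]) != header[36:68]:
        problems.append("merkle root: header does not commit to these transactions")
    return problems


def block_hash_hex(header: bytes) -> str:
    """Displayed (big-endian) block hash."""
    return dsha256(header)[::-1].hex()


def txid_hex(tx: bytes) -> str:
    """Displayed (big-endian) transaction id."""
    return txid(tx)[::-1].hex()


def tamper_recipient(tx: bytes) -> bytes:
    """Man-in-the-middle step: swap the output's pubkey for an attacker key
    (constructed here by flipping one bit; any other key behaves the same)."""
    attacker_key = GENESIS_PUBKEY[:-1] + bytes([GENESIS_PUBKEY[-1] ^ 0x01])
    return tx.replace(GENESIS_PUBKEY, attacker_key)


def demo() -> dict:
    tx = genesis_coinbase_tx()
    tampered = tamper_recipient(tx)
    # Recommitting the header to the altered tx changes the Merkle root, and the
    # old nonce no longer produces a hash under the target.
    recommitted = GENESIS_HEADER[:36] + merkle_root([txid(tampered)]) + GENESIS_HEADER[68:]
    return {"original": validate_block(GENESIS_HEADER, [tx]),
            "tampered_tx": validate_block(GENESIS_HEADER, [tampered]),
            "recommitted": validate_block(recommitted, [tampered])}


if __name__ == "__main__":
    print(block_hash_hex(GENESIS_HEADER), txid_hex(genesis_coinbase_tx()))
    print(demo())
```

The same commitment chain is what defeats the Tor exit-node scenario: an attacker who rewrites bytes on the wire produces a transaction whose id, and therefore whose Merkle path, no longer matches anything a miner or node will accept, and redoing the proof of work for every affected block is the 51% attack discussed below, not a network-layer trick.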
The two countries with the highest percentage of non-Tor nodes, the United States and Germany, have the highest aggregate consensus influence in Bitcoin.
EXTREMELY MISLEADING. The paper again uses a definition of consensus different from the Bitcoin protocol’s. It is not true that any country, or even a majority of all miners, can change Bitcoin’s consensus rules, because the rules are enforced by the nodes that receive payments. What the paper actually means is that a large enough actor can try to drop transactions, thus censoring them, but a transaction only needs to reach a single well-behaved node to propagate properly. Case in point: the paper states “we would like to quantify the extent to which a country that unilaterally blocked all Bitcoin traffic could affect the system,” yet fails to address how Bitcoin continued to function during the repeated bans in China, which famously operates the Great Firewall. Furthermore, many nodes may be using VPNs, so their true location is not obvious from network analysis.
21% of Bitcoin nodes are running an old version of the Bitcoin Core client that is known to be vulnerable.
EXTREMELY MISLEADING. First, there is no way to measure the total number of nodes, because the authors can only crawl nodes that are openly listening for inbound connections; the many nodes behind NAT or firewalls are invisible to a crawler. Second, it does not really matter. The vulnerability in question would only crash the out-of-date node, after which the operator would presumably upgrade. It is more likely that nodes that have not patched a critical vulnerability are not economic actors (i.e. do not regularly receive coins) and thus are not really part of the system per se. Many could be test nodes run by experimenters, for example.
As a thought experiment, if we spin up a million nodes in a cloud datacenter running an old version of the software, nothing about the health of the network would change. Yet using the paper’s methodology, the authors would conclude that 99.9+% of the network is centralized in a single datacenter and vulnerable to being crashed. Bitcoin network topology analysis of this kind is thus largely an academic exercise with few real-world implications; companies in the Bitcoin space regularly spin up large numbers of nodes for experimentation.
The majority of Bitcoin nodes have significant incentives to behave dishonestly.
FALSE. Miners have a strong incentive to behave honestly, because otherwise they waste energy that costs real money. For other economic nodes, e.g. those that process payments, the paper does not define what “dishonestly” means or how it would affect the Bitcoin network. Nodes act in their own interest by validating the Bitcoin transactions they receive. If the definition of dishonesty is failing to relay data (i.e. transaction censorship), why have we not seen this in the wild, especially from state-level actors like China, which has sought to suppress Bitcoin activity within its borders?
The Bitcoin system, which transfers over $1 trillion annually, is a significant honeypot for attackers. There are few systems of this financial magnitude, and all of them, Bitcoin included, are attacked constantly. If such an attack were possible, it would be attempted, and we do not see that today. Again, it is important to remember that censorship attacks are trivially defeated by delivering a signed transaction to a single honest miner, no matter how many nodes the attacker controls, and this could literally be done on a handwritten piece of paper if necessary.
In this report, we identified several scenarios in which blockchain immutability is called into question not by exploiting cryptographic vulnerabilities but instead by subverting the properties of a blockchain’s implementation, networking, or consensus protocol.
FALSE. The authors have not described an attack that could rewrite Bitcoin’s history or change its consensus rules, the only two outcomes that could reasonably be described as breaking “immutability.” At best, they have described highly improbable conditions for temporary attacks that starve the chain of blocks or censor transactions; those attacks cannot be sustained indefinitely because of the real-world energy cost of doing so, and they are trivially thwarted.
At face value, the paper elaborates on many already-explored attack vectors against Bitcoin, some of which Bitcoin was literally invented to solve (Sybil attacks on block production), but fails to give context on the attacks’ achievability and consequences in the real world.
In particular, “eclipse attacks” and “Sybil attacks,” which force a node to connect only to malicious peers, are not effective against Bitcoin’s consensus. The node requires a single connection to another honest node to see the true blockchain.
Even if fully eclipsed, the node will not accept invalid transactions or blocks, because it enforces the Bitcoin consensus rules with its local software. The most damaging attacks in this setting are double spending, in which the attacker exploits an eclipsed counterparty’s stale view to exchange Bitcoin for some other asset and get away with it, and censorship.
In practice, double spending is attempted against centralized exchanges and ranges from very difficult to impossible to get away with in real life, especially on Bitcoin, where it is easy to run a full node. For such an attack to be practical, you would need to control enough of the Internet to make an exchange connect only to malicious nodes, sustain that long enough for nobody to notice, and withdraw the stolen funds without leaving an identifying trail in the traditional banking system.
The authors claim that Bitcoin could be attacked at the network layer to achieve censorship. Again, they have failed to demonstrate this in real-world conditions, and have failed to mention that a connection to a single honest node with connectivity to the honest partition of the network defeats the attack.
Finally, the authors fail to clarify the significance of a 51% attack. Such an attack does not allow the attacker to create coins from thin air, spend coins that are not theirs, or steal user funds; it allows nothing beyond censoring transactions, starving the chain of blocks, or reorganizing recent blocks to double spend the attacker’s own coins. Additionally, such an attack must be maintained indefinitely and is very expensive to launch, let alone sustain, because as soon as the honest miners of the world again hold the majority of hashpower, they continue producing normal blocks.
Any attack that could not last forever would ultimately see Bitcoin’s functionality restored, thus only proving its strength. Rewriting the history of the blockchain is an even more daunting and unachievable goal, because the energy required grows with every honest block the attacker must outpace, and the attacker must keep outpacing an honest group of miners in perpetuity. A further exposition of 51% attacks is available here: Is Bitcoin mining centralization a threat?
We conclude that the DARPA funded paper on blockchain centralization by Sultanik et al. contains many false or misleading claims and cannot be treated seriously.
More from Swan Signal
Thoughts on Bitcoin from the Swan team and friends.