How MIT’s 'Pool Detective' could help prevent attacks on blockchains

To function properly, public blockchain networks that use proof-of-work mining depend on miners to act in the interest of the network — not just their own. In reality, however, that doesn’t always happen. Sometimes they attack.

Researchers at the MIT Media Lab’s Digital Currency Initiative (DCI) are trying to sniff out blockchain network attacks by miners before they happen.

There are a number of ways that a miner can exploit a blockchain network. The best-known method is called a 51% attack. To pull off a 51% attack, a miner must somehow gain control of more than half of the network’s mining power, or hashrate.

With all that hashrate, it’s possible for the miner to spend the same cryptocurrency twice. To pull off such a “double-spend,” the miner can send a payment, perhaps in exchange for goods or services, and then essentially re-write the transaction history so that according to the blockchain, the transaction never happened.

For some blockchain networks, particularly smaller ones in which hashpower is relatively inexpensive, the threat of a 51% has become an urgent problem. Ethereum Classic suffered three such attacks in August — its most recent attack costing the involved exchange Okex $5.6 million. Bitcoin Gold's network has also been hit with three 51% attacks, with the most recent one in July.

But what if there was a way to anticipate mining-based blockchain attacks before they occur, and thereby prevent them from happening? According to the DCI, monitoring mining pools may be the solution. And the group is developing a new system to do just that.

Pool Detective

Miners join pools because, collectively, they increase their chances of reaping a reward. The probability of a single miner solving a block are quite small, so miners pool their computational power and work on the solution together. When a block is discovered, the miners in the pool share the rewards.

According to DCI director Neha Narula, mining pools comprise a large percentage of the overall hash rate, or mining capacity, for many different cryptocurrency networks. This poses a potential problem, says Narula.

“The pool operator has a lot of control and could potentially give out work to the miners that could cause an attack on a cryptocurrency network,” she told The Block. “Since the miners in the pool aren’t running their own full nodes, they don't have the means to validate the instructions.”

Generally speaking, if a cryptocurrency miner runs their own full node, “they can determine what work to expect to extend that ledger,” says Gert-Jaap Glasbergen, a software developer who works for the DCI. “But if a miner doesn’t run a fully validated node, they don’t know what that last block should be. So if they decide to join a public mining pool, they must accept whatever the pool operator says is the last block.”

If no one is supervising the pool coordinators, then, in theory, there’s nothing stopping them from deceptively exploiting this setup.

That’s why in December 2019, DCI launched Pool Detective, a project aimed at collecting data on mining pool activities. As part of the project, the DCI has joined all public mining pools and is monitoring their activities, cross-checking the work that pool operators assign to their miners.

The team has built a proxy server that connects with 32 separate pools and collects all the mining jobs in a database. The server then carries out the mining tasks it receives from the pools’ coordinators. The researchers are running fully validated nodes, which they can use to calculate what the latest block should be.

The researchers then analyze this data for what it calls “unexpected behavior and anomalies.” For instance, by analyzing the “block hash” of each mining job, the team can determine if the new block that a pool is adding to the chain is different from the one expected.

Next steps

It’s not only mining pools that call for more intense scrutiny.

During the past year, the DCI team has published research on five 51% attacks. All five attacks it examined were powered by so-called hash rental marketplaces.

Hash rental marketplaces, which also operate as mining pools, allow users to rent mining power instead of buying and operating their own hardware. That has made it dramatically cheaper to accumulate computational power that can be used to attack a blockchain, according to the DCI.

According to Glasbergen, by monitoring these marketplaces closely, it could be possible to detect these attacks as they happen and perhaps even develop ways to warn potential targets. “With early warning systems the victims of those attacks, who are generally exchanges that get double spent, can increase their vigilance, and look for suspicious deposit and withdrawal activity on the networks potentially affected.”

In addition to this, according to a post the DCI team published last month, the researchers plan to expand their mining pool surveillance by monitoring more messages on peer-to-peer networks, rather than just tracking blocks. The content of the messages will help the DCI better understand what kind of work their miners should expect to receive versus what they are actually getting assigned.

Further down the road, the DCI plans to design a version of Pool Detective that individual miners can run themselves as protection against becoming unwittingly roped into someone else’s selfish attack.