Bribe & Fork: Cheap Bribing Attacks via Forking Threat

TL;DR

Bribe&Fork is introduced, a modified bribing attack that leverages the threat of a so-called feather fork which is analyzed with a novel formal model for the mining game with forking to shed more light on the potential vulnerability of PCNs and highlight the need for robust solutions.

Abstract

In this work, we reexamine the vulnerability of Payment Channel Networks (PCNs) to bribing attacks, where an adversary incentivizes blockchain miners to deliberately ignore a specific transaction to undermine the punishment mechanism of PCNs. While previous studies have posited a prohibitive cost for such attacks, we show that this cost may be dramatically reduced (to approximately \$125), thereby increasing the likelihood of these attacks. To this end, we introduce Bribe & Fork, a modified bribing attack that leverages the threat of a so-called feather fork which we analyze with a novel formal model for the mining game with forking. We empirically analyze historical data of some real-world blockchain implementations to evaluate the scale of this cost reduction. Our findings shed more light on the potential vulnerability of PCNs and highlight the need for robust solutions.

Figures (6)

• Figure 1: Comparison of the honest execution, the attack from zeta and our $\textit{Bribe \& Fork}\xspace$. (a) Honest execution: once an old state appears on-chain (black rectangle), $\mathcal{P}_1$ gets an option to revoke this state with a transaction $tx_1$ (included in the block $txs_1$ which is published in the first round). (b) Attack in zeta: the bribing party publishes $tx_2$ and $tx_b$ included in a single block $txs_2$, with a large miner fee (reversely proportional to the fraction of the mining power $\lambda_{min}$ of the least significant miner). The miners skip mining $txs_1$ in the first round, and mine $txs_2$ in the last round. (c) Bribe & Fork: the bribing party publishes $txs_2$ with a fee sufficient to bribe only the strongest miner (with $f_2-f$ reversely proportional to $\lambda_s$). The strongest miner publishes the self-penalty transactions $tx_{p_1}, tx_{p_2}$ that can be mined in transaction sets $txs_{p_1}, txs_{p_2}$. In the first round, the miner $N_s$ locks $P \approx \lambda_s \cdot B$ to the deposit transaction $tx_{p_1}$, thus threatening other miners that they will be forked once $txs_1$ is mined before the deadline. After the deadline the transaction set $txs_2$ is published and the miner $N_s$ may collect back the deposit using $txs_{p_2}$.
• Figure 2: The $\textit{Bribe \& Fork}\xspace$ attack. The green boxes indicate the transactions that should be put on-chain to run a successful $\textit{Bribe \& Fork}\xspace$ attack. The grey boxes indicate the transactions that should be published on the mempool before the chain reaches a specific length. For instance, Spend transaction $tx_2$ has to be published on the mempool before the chain reaches length $T_0 + 1$, even though it can not be published on the blockchain until the chain reaches length $T_0 + T$. The arrows going into the boxes indicate the spending conditions of the transactions and the arrows going out of the boxes indicate how the funds of the boxes can be spent.
• Figure 3: Average amount of fees aggregated in a block for each week in 2022 (btcexplorer)
• Figure 4: Average transaction fee of a single transaction for each week in 2022 (btcexplorer)
• Figure 5: Average mining hashrate week by week of the most significant Bitcoin miners in 2022 btcexplorer

Theorems & Definitions (17)

• definition thmcounterdefinition: Conditionally timelocked output zeta
• Conjecture 1: No shallow forks
• definition thmcounterdefinition: Conditionally timelocked game with forks
• lemma thmcounterlemma
• proof
• lemma thmcounterlemma
• Theorem 1
• proof
• Theorem 2
• proof