There is also another post, here on SN, with additional comments on this paper:
reply
There is also another post, here on SN, with additional comments on this paper:
reply
We present an attack on Ethereum’s consensus mechanism which can be used by miners to obtain consistentlyhigher mining rewards compared to the honest protocol. This attack is novel in that it does not entailwithholding blocks or any behavior which has a non-zero probability of earning less than mining honestly, incontrast with the existing literature.This risk-less attack relies instead on manipulating block timestamps, and carefully choosing whether andwhen to do so. We present this attack as an algorithm, which we then analyze to evaluate the revenue a minerobtains from it, and its eect on a miner’s absolute and relative share of the main-chain blocks.The attack allows an attacker to replace competitors’ main-chain blocks after the fact with a block of itsown, thus causing the replaced block’s miner to lose all transactions fees for the transactions contained withinthe block, which will be demoted from the main-chain. This block, although “kicked-out” of the main-chain,will still be eligible to be referred to by other main-chain blocks, thus becoming what is commonly called inEthereum an uncle.We proceed by dening multiple variants of this attack, and assessing whether any of these attacks has beenperformed in the wild. Surprisingly, we nd that this is indeed true, making this the rst case of a conrmedconsensus-level manipulation performed on a major cryptocurrency.Additionally, we implement a variant of this attack as a patch for Go Ethereum (geth), Ethereum’s mostpopular client, making it the rst consensus-level attack on Ethereum which is implemented as a patch. Finally,we suggest concrete xes for Ethereum’s protocol and implemented them as a patch for geth which can beadopted quickly and mitigate the attack and its variants.CCS Concepts: •Applied computing→Digital cash;•Security and privacy→Economics of security andprivacy;Distributed systems security.Additional Key Words and Phrases: cryptocurrency, blockchain, proof of work, consensus, securityACM Reference Format:Aviv Yaish, Gilad Stern, and Aviv Zohar. 2022. Uncle Maker: (Time)Stamping Out The Competition in Ethereum.1, 1 (July 2022), 64 pages.Authors’ addresses: Aviv Yaish, aviv.yaish@mail.huji.ac.il, The Hebrew University, Jerusalem, Israel; Gilad Stern, Gilad.Stern@mail.huji.ac.il, The Hebrew University, Jerusalem, Israel; Aviv Zohar, avivz@cs.huji.ac.il, The Hebrew University,Jerusalem, Israel.Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without feeprovided that copies are not made or distributed for prot or commercial advantage and that copies bear this notice andthe full citation on the rst page. Copyrights for third-party components of this work must be honored. For all other uses,contact the owner/author(s).©2022 Copyright held by the owner/author(s).https://doi.org/Publication date: July 2022. 2 Aviv Yaish, Gilad Stern, and Aviv Zohar1 INTRODUCTIONCryptocurrencies such as Bitcoin [77] and Ethereum [12] rely on an elaborate incentive system toencourage users to participate in operating the decentralized mechanism which underlies them andmaintain the mechanism’s integrity in the face of adversaries. Such participants are called miners.Thus, a cryptocurrency’s incentive mechanism is inherent to its security. Indeed, among themyriad cryptocurrencies and theoretical protocols which have arrived after Bitcoin, some havededicated considerable eorts in order to analyze existing mechanisms or design new ones tomake sure miners will not have an incentive to foul-play and game the system for their advantage[60, 67, 80, 95, 111].Ethereum, in particular, is known for adopting changes rapidly, without always carefully ex-amining them and the eect they might have on the incentives of miners [89,90]. Thus, changeswhich were designed to mitigate one attack [11], open the door for multiple new ones [85, 110].On the eve of the transition of Ethereum to a completely new mechanism, also known asThe Merge [31], we present a new incentive-driven attack on the current Ethereum mechanism.This attack is novel not only in that it relies on the new, unexplored foundations of timestampmanipulations, but also because it is always more protable than following the “honest” rules laiddown by the protocol’s designers, meaning that our attack strategy strictly dominates the honeststrategy.Previously, Ethereum miners were mostly known to manipulate Ethereum’s application layer,for example by exploiting vulnerabilities in smart contracts, which are applications built on top ofblockchains [14], while attacks on the underlying consensus were either entirely theoretical yetpractically infeasible, or targeted small implementation bugs which were quickly xed [2, 110].In our work, we introduce the rst consensus-level attack which is actually feasible to execute.Additionally, we provide the rst proof that a consensus-level attack was performed in the wild.Our Contributions. We make the following contributions:•We introduce a novel attack vector on proof-of-work (PoW) cryptocurrencies which relieson timestamp manipulations, instead of traditional ones such as block withholding [41, 88].•We provide a thorough description of a concrete attack called the riskless uncle maker (RUM)attack which relies on this new attack technique.•We prove that the RUM attack is riskless in Ethereum in the sense that an attacker whichutilizes it is guaranteed to make at least the same absolute and relative prots when comparedto mining according to the honest protocol.•We describe multiple variants of the attack.•We investigate the Ethereum blockchain and prove the attack was executed in the wild, thusproviding the rst conclusive evidence of consensus tampering in a major cryptocurrency.•We have written a fully-functioning implementation of a variant of the attack as a patch forgeth, Ethereum’s most popular client.•We provide several techniques to mitigate the attack and its variants, including a patch forgeth which prevents the attack altogether.A summary of our contributions is given in Table 1.Paper structure. The paper is structured as follows: we begin by reviewing the relevant backgroundinformation required for this work in Section 2, and then proceed to describe the paper’s modelin Section 3. We utilize the model to give an algorithmic description of the attack in Section 4,and then theoretically prove that the attack is riskless and guaranteed to be more protable thanmining honestly in Section 5. We describe the ngerprints which a successful execution of theattack leaves on the blockchain and prove that indeed such attacks have been performed in thePublication date: July 2022. Uncle Maker: (Time)Stamping Out The Competition in Ethereum 3Table 1. A comparison of our aack and previous ones.Uncle Selsh Stubborn Coin Energy Stretch &Maker Mining Mining Hopping Equilibria SqueezeAnalyzed on ✓ ✓ ✓ - - ✓EthereumDoesn’t require ✓- - ✓ ✓ ✓block withholdingAlways more✓- - - - -protable thanmining honestlyHas a patch for ✓- - - - -Ethereum clientswild in Section 6. We suggest mitigations for the attack in Section 7. We review related works inSection 8, and nally conclude in Section 9.2 BACKGROUNDWe will now briey go over the background knowledge required for understanding our work.The mechanism utilized by both Ethereum and Bitcoin is called PoW. It requires entities calledminers to collect user-made transactions into blocks. As blocks have some maximal capacity, userscan incentivize miners to prefer their transactions over competing ones by paying them transactionfees [20, 65, 72, 87].In order to create a block which will be considered valid under the PoW mechanism, minersmust expend tremendous computational resources to nd a solution to a cryptographic puzzle,a process which is also called mining. The solution for the puzzle is dened to be an input to acryptographic hash function such that the corresponding output will be lower than some targetvalue. The currently known best method for nding such an input is to perform a brute-forcesearch [19, 59, 96].Once this solution is found, it is included in the block and broadcasted to the network, witheach user validating the solution to ensure it is indeed correct. In order to compensate miners fortheir eorts, the mechanism allocates a certain amount of tokens to the creator of each valid block.These tokens are commonly called the block rewards. Cryptocurrencies commonly pursue a notionof giving miners a fair share of the rewards, meaning that the fraction of the all rewards whichthey earn should be equal to the fraction of computation which they contribute to upholding theunderlying mechanism [41, 80].In order to make sure that the diculty of the cryptographic puzzle is neither too easy forthe network nor does it exceed the computational resources of the network, cryptocurrenciesemploy a diculty-adjustment algorithm (DAA) [17,110] which periodically attempts to gauge theamount of computational resources currently available on the network and adjust mining dicultyaccordingly.In cryptocurrencies such as Ethereum, each block must reference at least one previous block,which is called the block’s parent. Thus, a chain of blocks is formed, also known as a blockchain.The rst and last blockchain blocks are usually respectively nicknamed the genesis and the tip ofthe blockchain, while the currently mined block is commonly called the pending block.Publication date: July 2022. 4 Aviv Yaish, Gilad Stern, and Aviv ZoharAs the blockchain contains all user-made transactions, it in essence provides some notion of“history”. Thus, the entire network must agree on some specic history in order to facilitate moneytransfers between users in a way which preserves the system’s integrity. A race or tie occurs ifthere are multiple possible chains, e.g. when a miner hears of two blocks at the same time. Usually,protocols dene a tie-breaking rule to pick between the dierent options. The chain which is pickedis referred to as the main-chain.In Ethereum, blocks which are mined after a tie can pick, in addition to a parent, up to two uncleblocks. Ethereum’s mechanism was designed to take such uncle blocks into consideration whendeciding on the network’s main-chain in the hopes that doing so would increase the mechanism’ssecurity [67]. The resulting structure is no longer a blockchain but rather a block directed-acyclic-graph (block-DAG) [67,93]. Although Ethereum relies on uncle blocks and thus on a block directed-acyclic-graph (block-DAG), for brevity we will refer to the resulting data structure as a block-chain.In order to participate in the Ethereum protocol, one must use an Ethereum client, meaning aprogram which implements the protocol’s rules. The most popular client is Go Ethereum (geth)[30,32,34,63], which is ocially endorsed by the Ethereum Foundation. Communication witha local client and with other nodes is performed using a standardized protocol based on remoteprocedure calls [105].For more details on cryptocurrencies see [1, 4, 78, 104].3 MODELWe proceed to formally dene the model used in the paper.3.1 Cryptocurrency SystemWe will begin our model description by giving precise denitions for Ethereum’s consensus andreward mechanisms. All notations and acronyms used in this section (and throughout the paper)are detailed in Appendix G.Block-DAG Structure. In Ethereum, each block must reference a parent block, and can referenceup to two uncle blocks; these are blocks that share a common ancestor with it (up to a depth of8blocks), but were not referenced by any main-chain block [27,108]. Uncles are also sometimescalled ommer blocks by the Ethereum Foundation [108]. An ommer is the equivalent gender-neutralterm for the same familial relation.Block Timestamps. Ethereum blocks store timestamps in the UNIX time format, which measurestime by counting the number of seconds elapsed since January 1st, 1970 [56]. Timestamps aresaved as integer values and thus do not have a resolution of less than one second. Using thesetimestamps, miners check the time that has passed between blocks and adjust mining diculty ifthe time exceeds some predened window.Ethereum enforces relatively strict requirements on timestamps compared to other cryptocur-rencies: a newly heard-of block’s timestamp cannot be more than 15 seconds in the future whencompared to the local clock, and it must be at least one second after its parent’s timestamp[21, 27, 108].Mining Diculty. Ethereum’s diculty-adjustment algorithm (DAA) strives to keep a rateof one block per 12−14 seconds [23,45,108]. It does so by lowering the diculty of the blockwhich is currently mined if too much time has passed, according to the block’s and its parent’stimestamps. Ostensibly, the mechanism’s designers hoped that this would prevent long stretches oftime wherein no new block is mined. Unfortunately, as we will show, such DAAs are susceptible tomanipulations.Publication date: July 2022. Uncle Maker: (Time)Stamping Out The Competition in Ethereum 5Formally, each block’s diculty depends on:•Its parent’s diculty, which we denote by𝑑.•The timestamp dierence from its parent, denoted as 𝑡.•If it references uncles or not: 𝑢def= 1 i has uncles.Using these, the diculty of the block is dened as the maximum between 217and the followingterm [24, 28, 108]:𝑑+ max 1 + 𝑢− ⌊ 𝑡9⌋,−99· ⌊ 𝑑2048⌋(1)For posterity, the diculty of the genesis block is 234. As Ethereum’s diculty has skyrocketedcompared to 217and was above 234since block 15, meaning that the diculty was higher for atleast 15·106blocks. Consequently, we use Eq. (1) as-is for conciseness. Additionally, to facilitateEthereum’s long-delayed migration to a new mechanism which does not rely on PoW, the DAAincreases diculty exponentially every 105blocks [89,90]. This is irrelevant in our setting andthus omitted.Tie Breaking. In Ethereum, a block can have just a single parent. There might be cases wheremultiple blocks can serve this role, for example if a miner sees multiple blocks at the same height.In such a scenario, it can only choose one of those blocks as a parent for its currently mined block,while the other blocks will be picked as uncles. We will term such events ties.As mining diculty determines the amount of work invested in each block, Ethereum relieson the notion of the total diculty (TD) of a block to break ties. The TD of a block is dened asthe simple sum of the diculties of the block itself and all of its main-chain ancestors [26]. Incase of ties between blocks, the one with a higher TD is chosen as the parent, and if blocks haveequal TDs miners will prefer the one they received earlier [22,25]. Ethereum’s mechanism is anapproximation of the one dened by [67] and is an attempt at incentivize publishing newly minedblocks quickly, thus discouraging withholding them [12].Mining Rewards. We denote the reward received for mining a main-chain block as𝑅ETH. Theminer of a block which references an uncle receives132 𝑅. The miner of the referenced uncle receivesa reward too, according to the depth of the most recent common shared ancestor of the two: if itis two blocks deep, the uncle’s miner gets78𝑅. The reward diminishes by18𝑅for each increase indepth, until reaching 0ETH [27, 89, 108].Example 1 provides an example of a block-DAG which is structured according to the aforemen-tioned consensus rules.Example 1. We will now go over four blocks and use them to illustrate the various denitions givenin Section 3.1. These blocks and their relations are depicted visually in Fig. 1.ParentUncleParentTimestamp32Difficulty4096Reward2.0625 ETHTimestamp27Difficulty4092Reward1.75 ETHTimestamp26Difficulty4094Reward2 ETHTimestamp0Difficulty4096Reward2 ETHParentFig. 1. A graphical depiction of the blocks of Example 1.Publication date: July 2022. 6 Aviv Yaish, Gilad Stern, and Aviv ZoharLet block𝑏0be the parent of blocks𝑏1and𝑢1, and let block𝑏2point to𝑏1as its parent, and𝑢1as itsuncle. Let 𝑏0’s timestamp be 0,𝑏1’s timestamp be equal to 26,𝑢1’s timestamp be 27, and 𝑏2be 32.If𝑏0has a diculty of 4096, then according to Eq. (1) the diculties of𝑏1and𝑢1should be 4094and 4092, correspondingly. Consequently, according to the same equation 𝑏2’s diculty is 4096.The standard block-reward for a main-chain Ethereum block which did not refer to uncles is 2ETH[108], so the miners of𝑏0and𝑏1earned 2ETH each, while the miner of𝑏2earned 2ETH, plus132 ·2ETHfor referencing𝑢1as its uncle, making the total reward earned by the𝑏2’s miner 2.065 ETH. Because𝑢1is parallel to𝑏2’s parent, the reward earned by𝑢1’s miner is78·2ETH, which amounts to 1.75 ETH.For an example of real Ethereum blocks which share the same relations as the blocks described here,see Example 2.3.2 Threat ModelWe will now describe the actors that interact with the cryptocurrency and the range of actionsavailable for each one.Actors. We model the network as being comprised of two parties, an honest miner who has atotal hash-rate of𝐻hashes-per-second, and an attacker that has a hash-rate of𝐴hashes-per-second.We will call the attacker’s fraction of the total hash-rate as its hash-ratio, and dene it as follows:𝛼def=𝐴𝐴+𝐻.Note that the honest miner need not necessarily be a single entity, but can be a mining pool oreven a number of mining pools, but for the sake of brevity we will mostly refer to it as a singleminer. Similarly, the attacker can be a mining pool, or a coalition of mining pools.Our attack and its analysis do not require looking at more than two consecutive blocks, whichaccording to historical data lasts an average of roughly 13 seconds (see Appendix F). Thus, wefollow the literature by assuming that miners cannot obtain or lose hash-power, no new minersenter the network, mining hardware is bought by actors in advance, and all associated costs (suchas electricity) are prepaid [41,49,57,88,94,114–116]. Indeed, historical data shows that the totalhash-rate active on the network does not change by much over such short periods [6].Attacker Objective. Ethereum, similarly to other cryptocurrencies, has a notion of fairnesswhich stipulates that in expectation a miner with a𝛾fraction of the hash-rate should mine𝛾of theblocks and obtain a 𝛾fraction of all mining rewards [41, 80, 108].Our attacker’s objective will be to mine more than its fair share of the blocks, e.g. more than𝛼of the blocks. As we will show, this will increase its rewards to be above the fair amount, too.Honest Mining. We dene the honest mining protocol similarly to other blockchain papers[41,49,94,110,111]: our honest miner follows the rules laid down in Ethereum’s yellow paper[108]. Thus, the honest miner will always mine on top of the block with highest TD, and will notwithhold blocks or manipulate block timestamps.Allowed Attacker Deviations. Our attacker can rationally deviate from the honest protocol,as long as blocks it produces are indeed valid according to Ethereum’s consensus rules [27,108].Specically, the attacker is free to manipulate the timestamps of blocks that it mines to be withinthe valid range dened in Section 3.1, and can mine on top whichever block it chooses. In order tocreate a clean separation between our attack and the previous literature [1,9,41,49,88,116], welimit our attacker by forbidding it from withholding blocks.4 THE UNCLE MAKER ATTACKWe will now describe our attack. Conceptually, the attack manipulates Ethereum’s DAA to createblocks which retroactively replace existing main-chain blocks, thus increasing an attacker’s sharePublication date: July 2022. Uncle Maker: (Time)Stamping Out The Competition in Ethereum 7of main-chain blocks beyond its fair share. Honest blocks that were “sidelined” in this manner canlater be referred to by main-chain blocks as uncles, thus we will term blocks created by our attackeras Uncle Makers.A major novelty of our attack is that it replaces blocks without using block withholding, whichis the common method used in the literature [41, 49, 57, 114–116].Recall that in case of ties between dierent chains, Ethereum’s protocol dictates that the one witha higher TD is picked as the main chain. As Ethereum’s DAA assigns mining diculty accordingto a block’s timestamp, an attacker can set the timestamp for the currently mined block to be lowenough to win in case of ties, whether as a preemptive defense mechanism, or to actively replaceexisting main-chain blocks. Unfortunately, as the block has a higher diculty, it is harder to mine.We will soon show that this can be avoided.4.1 Riskless Uncle MakingBy carefully picking when to execute the attack, we can make sure that the attacker’s blocks willhave a higher diculty when compared to the current tip of the blockchain, and thus will replaceit, but still will not have a higher diculty compared to the block which the attacker would’vemined had it been following the honest protocol.By doing so, we will allow our attacker to execute the attack without incurring any additionalmining “risk” when compared to mining honestly: the probability that mining the attack block willsucceed will be at least the probability of the attacker successfully mining an honest block, whilethe attacker’s share of the rewards will be higher than its fair portion. We call this attack a RUMattack.Let the tip of the blockchain be block𝑏1with a𝑡1time dierence relative to its parent𝑏0, anddenote the number of seconds that have passed since𝑏1’s timestamp by𝑡𝐻. According to thehonest protocol, the honest miner mines a block, which we will denote by𝑏𝐻, and sets the block’sparent to be𝑏1, and its timestamp dierence to be𝑡𝐻. See Fig. 2 for a graphical depiction of theaforementioned blockchain state.ParentParentParentFig. 2. The blockchain’s state when executing aRUM aack.ParentParentUncleParentFig. 3. The blockchain’s state aer a successfulRUM aack.If𝑡1∈[9,18), then as long as the honest miners still haven’t successfully mined a block and𝑡𝐻<9, an attacker who wishes to execute the RUM attack should mine a block on top of𝑏0, andset the block’s time dierence to be some value strictly lower than 9seconds, for example𝑡𝐴def=8seconds. If the attacker succeeds in mining this block in time, it should be published immediately.In any other case, the attacker should mine according to the honest protocol.Observe that the time we picked for𝑡𝐴increases𝑏𝐴’s diculty compared to𝑏1. Due to Ethereum’stie-breaking mechanism, if it is indeed mined successfully, it will take 𝑏1’s place as the new tip ofPublication date: July 2022. 8 Aviv Yaish, Gilad Stern, and Aviv Zoharthe main-chain. Thus, the honest miner will pick𝑏𝐴as the parent of its currently mined block, and𝑏1as its uncle, leading the current blockchain state to be as depicted in Fig. 3.Note that our attack replaced an honest main-chain block with an attacker block without relyingon withholding blocks. Instead, the attack actually requires the attacker to immediately publish itsblocks, standing in stark contrast to other attacks which rely on withholding blocks.An algorithmic description of the attack is presented in Algorithm 1. The algorithm follows theevent-driven model which was used by other works in the eld, such as [41, 43].5 THEORETICAL ANALYSISWe will now theoretically analyze the RUM attack using a series of theorems, relegating all proofsto Appendix D. Afterwards, we will analyze the block and reward share of an attacker whichexecutes the attack using a Markov decision process (MDP), similarly to other works in the eld[41, 49, 53, 57, 88, 110, 115, 116].In Theorem 1 we prove that the conditions specied in Section 4 for executing a RUM attack arenecessary, and that an attacker’s probability of successfully mining the attack block is equal to thethat of successfully mining an honest block.Theorem 1. Let the current tip of the main-chain be block𝑏1. Denote its parent as𝑏0, the parent’sdiculty as𝑑0, the timestamp dierence between them as𝑡1, and the dierence between the currenttime and 𝑏1’s timestamp as 𝑡𝐻.If the following conditions hold, then a rational attacker can execute a RUM attack:⌊𝑡𝐻9⌋= 0,⌊𝑡19⌋= 1Moreso, if 𝑑0≥222, these are the only values for which a RUM attack is possible.Remark 1. Any node active on the network, for example our attacker, can learn the values of𝑡1and𝑡𝐻.The former,𝑡1, is publicly available on the blockchain, as valid blocks must include their timestamps[108]. The latter,𝑡𝐻, can be obtained by sending a standard Ethereum remote procedure call (RPC)request to the honest miner, as responses contain the local time of the responder.The proof is detailed in full in Appendix D. Briey, we break the attack down to its dierentconstituents: the blocks generated by the attacker should be valid according to the system’sconsensus rules, the attacker should successfully replace honest blocks with the attacker’s blocks,and mining these blocks should be riskless, meaning that it should not be harder when comparedto mining honestly. Each constituent is handled via a series of claims which are then combined,culminating with Theorem 1.The proof of Theorem 1 shows that if the last block’s diculty is lower than 222, an attackermight have additional timeframes within which an attack is feasible. Remark 2 elaborates on this.Remark 2. Although a diculty of 222is permitted by Ethereum’s DAA, which places the lowerdiculty limit at 217, no block has ever had such a diculty, the closest being block number 6, whichhas a diculty of 232.We proceed to show in Theorem 2 that an attacker’s relative share of mainchain blocks exceedsthe fair share that can be obtained honestly.Theorem 2. Let there be some block𝑏0. If the attacker uses the RUM mining strategy, its expectedrelative share of main-chain blocks will be larger than mining honestly, while the absolute numberwill remain the same.Publication date: July 2022. Uncle Maker: (Time)Stamping Out The Competition in Ethereum 9As before, the proof is given in Appendix D. The proof relies on analyzing a MDP of the attack,which we describe in Appendix D.3.In Theorem 3 we prove the corresponding claim regarding an attacker’s share of the rewards.Theorem 3. For any block𝑏0, an attacker can increase its expected absolute and relative rewards byusing the RUM mining strategy instead of mining honestly.The proof for Theorem 3 is similar to that of Theorem 2. Again, it is given in full in Appendix D.Corollary 1. As Theorems 2 and 3 show, both the relative and absolute share of blocks and rewardsobtained by the attacker are higher when compared to mining honestly, thus a direct consequenceis that the relative and absolute share of honest miners are lower, meaning that the attack not onlybenets the attacker, but also harms its competitors.As Theorem 1 shows, the attack is riskless, meaning that the probability of successfully mining anattack block is equal to that of mining an honest block. By combining all of these results, one canobtain that the RUM mining strategy dominates the honest one.6 IN SEARCH OF LOST TIME: UNCLE MAKING IN THE WILDWe will now attempt to give a conclusive answer to a long-standing question: do miners attack theconsensus layer of major cryptocurrencies? The surprising answer is a resounding yes!To reach this armative answer, we crawled Ethereum’s blockchain using a standard Ethereumfull node and collected relevant data for all main-chain and uncle blocks starting from block15,226,042, down to 12,000,000. All the data we collected, and the code used to collect this dataand generate all the graphs presented in this section are provided in Appendix F.Most previous works usually only attempted to nd evidence for block withholding attacks,and have tried doing so by planting many nodes throughout the network, collecting data andthen analyzing it using various statistical methods. On the other hand, we show that the evidenceproving that miners attack the consensus layer is hiding in plain sight and can be obtained using asingle node and closely inspecting publicly available on-chain data. We cover these related worksand provide a more in-depth comparison with the current paper in Section 8.6.1 Ethereum Mining PoolsUsing the previously mentioned data, we identied Ethermine as the largest mining pool currentlyactive in Ethereum, consistently mining at least 22% of all main-chain blocks, more than any othermining pool in the past 3years.According to our analysis, the second largest mining pool for the same time-frame is F2Pool,which roughly amounts to about half as many main-chain blocks as Ethermine. Notably, F2Poolhas a considerable amount of hash-rate active on other cryptocurrencies, such as Bitcoin [71]. Thepool’s founder has made a relatively well publicized condemnation of competing mining pools,blaming them for attacking his own mining pool, but without providing any concrete proof [98].This is in stark contrast to the evidence that we uncover in this work which shows that, in fact,F2Pool are attacking other mining pools.6.2 Identifying Uncle Maker AacksBefore we examine real-world data, we would like to rst crystallize a few insights which willallow us to identify uncle maker-esque attacks.Miners that execute uncle maker attacks should have a higher than expected main-chain block share and lower than expected uncle block share. Recall that the RUM attackallows an attacker to replace main-chain blocks mined by other miners with a block of its own.Publication date: July 2022. 10 Aviv Yaish, Gilad Stern, and Aviv ZoharThus, it follows that miners which perform the attack will have fewer uncles and more main-chainblocks when compared to honest miners.Uncle maker attacks can be observed from block timestamps. As our attack relies onmanipulating block timestamps, one can attempt to uncover blocks which were created as part ofsuch an attack by carefully analyzing the timestamps of historical Ethereum blocks.By denition, the RUM attack requires an attacker to falsely set block timestamps to be earlierthan they are. Thus, it is reasonable to expect that main-chain blocks created by an attacker willhave an over-representation of low timestamp dierences relative to their parents.In comparison, timestamp dierences between honest blocks and their parents should be dis-tributed according to the exponential distribution [5,10,40,41,91,93], with a slight under-representation of low timestamp dierences due to propagation delay in the network [48, 62].Miners usually use a publicly identiable coinbase address. In order for a miner to receivethe rewards for the blocks that it mines, the miner must include an address to transfer the rewardto within a mined block, also called a coinbase address. Large mining pools commonly use a specicaddress for their block-rewards and advertise it, in the hopes it might attract new participants orhelp assert “political” control over the mined cryptocurrency [48].In spite of this, there is no mechanism in place to force mining pools to stick to a single addressthroughout their lifespan, and pools are free to change their address to a new secret one at will.For example, mining pools might do so when executing an attack, in order to cover their tracks.Still, it is common for works in the eld to assume that mining pools do identify themselves in atruthful manner [48,62,79,92,103,113]. Indeed, a large percentage of all Ethereum blocks belongto miners who identify their addresses using sites such as [35, 76].6.3 Block SharesWe will now attempt to apply our previous insights to real-world Ethereum data, starting with themain-chain and uncle shares of the 4largest mining pools in Ethereum, given in Fig. 4 and Fig. 5,respectively. Note that these top 4pools have mined a combined share of more than 50% of bothmain-chain and uncle blocks.Ethermine25%F2Pool13%0x5a...4c10%Hiveon8%Others43%Fig. 4. The 4largest mining pools’ share of main-chain blocks.Ethermine17%Nanopool15%0x5a...4c10%F2Pool9%Others49%Fig. 5. The 4largest mining pools’ share of uncleblocks.Publication date: July 2022. Uncle Maker: (Time)Stamping Out The Competition in Ethereum 11Previous works have shown that larger pools such as Ethermine have a “size-advantage” leadingthem to win in cases of ties more often when compared to smaller pool like F2Pool. This leads themto having a higher share of main-chain blocks and a lower share of uncle blocks when compared tosmaller mining pools, solely due to having more computational resources at their behest [68, 71].By comparing Figs. 4 and 5, it is apparent that F2Pool has considerably fewer uncles thanis expected for a mining pool of their size: Ethermine and 0𝑥5𝑎 . . .4𝑐maintain their respectivepositions with regards to both mainchain blocks and uncles, with Ethermine having the largestshare of both, and 0𝑥5𝑎 . . .4𝑐having the third largest share. On the other hand, F2Pool has thesecond largest share of mainchain blocks, but drops to the fourth place when it comes to uncleblocks.A metric which is commonly used to compare mining pools is the uncle rate, dened per-mineras the ratio between the number of uncles which the miner has mined for some time period, and thetotal amount of blocks of all kinds (uncle and main-chain) it mined during the same period. A lowerrate is better due to main-chain blocks receiving a higher block-reward and earning the fees for alltransactions contained within them. Fig. 6 depicts this metric over time for both Ethermine andF2Pool. Although both were relatively comparable in the year between July 2019 and September2020, F2Pool took the lead starting in October 2020.Jul '19 Dec '19 May '20 Oct '20 Apr '21 Sep '21Date3%4%5%6%Monthly uncle rateEthermineF2Pool0x99...e3Fig. 6. The monthly uncle rate for Ethermine,F2Pool and 0𝑥99. . . 𝑒3, defined per-miner as theratio between the number of uncle blocks it minedin some month and the total amount of blocks itmined that month.Jul '19 Dec '19 May '20 Oct '20 Apr '21 Sep '21Date05001000150020002500300035004000Amount of blocks with timestamp diff. divisible by 9EthermineF2Pool0x99...e3Fig. 7. The monthly amount of main-chain blockswith a timestamp dierence from their parentwhich is divisible by 9. Note that both F2Pool and0𝑥99. . . 𝑒3stop mining such blocks aer October’20.One could argue that F2Pool might have achieved this feat by investing in good network connec-tivity to other network nodes, thus propagating its blocks faster, leading its blocks to win ties byvirtue of arriving to peers earlier.In order to rule out this possibility, we will now turn to analyzing the timestamps of blocks overthis period.6.4 Block TimestampsRecall that according to Ethereum’s documentation [23,45,108], the target time-dierence betweenthe mining of two blocks is 12−14 seconds. Indeed, the average time dierence between mainchainblocks and their parents is 13.45 seconds, with the same comparison between uncle blocks andtheir parents yielding another reasonable average of 13.81 seconds.Publication date: July 2022. 12 Aviv Yaish, Gilad Stern, and Aviv ZoharThe average dierence might obscure more minute details, leading us to plot a histogram of thetimestamp dierences between main-chain blocks and their parents in Fig. 8, and between unclesand their parents in Fig. 9. Both histograms were truncated at 18 seconds to maintain readability.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18Timestamp difference from parent, in seconds0250005000075000100000125000150000175000200000Number of blocksFig. 8. Total number of main-chain blocks witha given timestamp dierence from their parent,since block 12,000,000.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18Timestamp difference from parent, in seconds0200040006000800010000Number of unclesFig. 9. Total number of uncle blocks with a giventimestamp dierence from their parent, sinceblock 12,000,000.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18Timestamp difference from parent, in seconds01000020000300004000050000Number of blocksMinersEthermineF2Pool0x5a...4cHiveonFig. 10. Number of main-chain blocks with agiven timestamp dierence from their parent,separated by mining pool, for the 4largest min-ing pools. Note that F2Pool has no blocks withtimestamp dierences divisible by 9, and an over-representation for a dierence of 8seconds.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18Timestamp difference from parent, in seconds0500100015002000Number of unclesMinersEthermineF2PoolHiveon0x5a...4cFig. 11. Number of uncle blocks with a giventimestamp dierence from their parent, sepa-rated by mining pool, for the 4largest miningpools. Note that pools except F2Pool have an over-representation of blocks with timestamp dier-ences divisible by 9, due to F2Pool’s aack.Fig. 9 looks precisely as predicted in Section 6.2 with regards to the honest scenario: it has a slightunder-representation at the 1second mark, and its trend seems to t the expected exponentialdistribution.On the other hand, Fig. 8 has quite a sizable under-representation of timestamp dierences whichare divisible by 9, and an over-representation at seconds 8and 17. This seems to match the expectedngerprint of an uncle maker-style attack.Publication date: July 2022. Uncle Maker: (Time)Stamping Out The Competition in Ethereum 136.5 Catching F2Pool Red-handedIn order to get to the bottom of the anomalies we observed so far, we created more detailedhistograms which separate blocks according to the identity of their miner. Specically, in Fig. 10we plot the per-miner histogram for the timestamp dierence between main-chain blocks and theirparents, and in Fig. 11 we do the same for uncles.Figs. 10 and 11 explain the reason for F2Pool’s advantage very clearly: F2Pool did not mine evena single main-chain block or uncle with a timestamp dierence which is divisible by 9since block11,064,754, which was mined almost two years ago. Whenever the honest timestamp dierenceshould have been 9seconds, they instead have falsely set it to be 8, as required to execute an unclemaker attack. We provide an example of a suspected uncle maker block by F2Pool in Example 2.Fig. 11 shows that F2Pool’s foolhardy behavior harms other mining pools, as can be deduced bylooking at the larger-than-expected number of uncles with a timestamp dierence of 9secondsmined by Ethermine, Hiveon and an unnamed pool which uses the address 0𝑥5𝑎 . . .4𝑐. This isdue to F2Pool using a timestamp manipulation tactic which precisely targets this time dierencewindow, while they mine honestly at all other windows.6.6 F2Pool’s Aack is not RisklessWe proved in Section 5 that in order for an uncle maker attack to be riskless, very specic conditionsmust hold. These conditions preclude the possibility of executing a riskless attack in certain timewindows, for example if the time since the last valid block was observed is at least 18 seconds. Yet,as Fig. 12 shows, F2Pool do not shy from executing uncle maker-style attacks even at later periodsbut only for time dierences which are divisible by 9, leading us to believe they employ a variantof the attack.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37Timestamp difference from parent, in seconds050001000015000200002500030000Number of blocks mined by F2PoolFig. 12. Number of main-chain blocks minedsolely by the F2Pool mining pool, with a giventimestamp dierence from their parent, sinceblock 12,000,000.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18Timestamp difference from parent, in seconds050001000015000200002500030000Number of blocksMinersF2Pool0x99...e30xbc...8e0xf2...04Fig. 13. Number of main-chain with a given times-tamp dierence from their parent, separated bymining pool, for mining pools suspected to ma-nipulate timestamps.6.6.1 Risky Uncle Maker Aack. One possibility is that F2Pool executes the attack if the expectedprot from it is higher when compared to mining honestly, even if it incurs additional risk. E.g. evenif the probability of mining the attack block is lower than the probability of mining an honest one.Due to this, we call this variant the risky uncle maker attack.Such a risky uncle maker attack can be protable in expectation under certain scenarios, forexample if another miner “snatched” transactions which pay exuberantly high fees and includedPublication date: July 2022. 14 Aviv Yaish, Gilad Stern, and Aviv Zoharthem in its block before the attacker, or if the attacker has a suciently high hash-rate and goodnetwork connectivity.6.6.2 Preemptive Uncle Maker Aack. Another option is that F2Pool, instead of actively trying toreplace existing blocks, actually attempts to preemptively assure their blocks will win in case ofties by setting block timestamps to be within an earlier 9second window when compared to thehonest timestamps. This increases mining diculty and makes sure their blocks have a higher TD,meaning that their blocks will be picked as main-chain blocks over competing honest blocks. Weterm this variant of the attack as a preemptive uncle maker attack.This type of attacks allows miners not to waste computation resources by mining on top of a tipthat has been made “stale” by another block mined on top of it, but which has not been received yet.If that is the case, attackers setting their clock to a second earlier can be assured that their minedblock will replace any block honestly mined in specic time intervals, which might be disseminatedthrough the network currently, but hasn’t reached the attackers yet.6.6.3 RUM is Hard to Implement. Lastly, we would like to raise the possibility that F2Pool choseto implement the attack which we observe in the wild simply because it was easier to implementthan any other attack, including RUM. In fact, we implemented an arguably less outrageouslyapparent variant of the observed attack as a patch for geth. In this patch we set geth’s clock to belate by exactly one second. This achieves the same eect as F2Pool’s attack, while producing amore natural-looking timestamp dierence curve. We provide additional details in Appendix F.6.7 Other AackersAlthough F2Pool is the largest mining pool which is currently engaging in uncle maker-esqueattacks, it is not the only one; Fig. 13 shows the timestamp histogram of three additional minerswhich use the same exact attack, meaning that they abstain from using timestamp dierenceswhich are divisible by 9.The second largest such attacker after F2Pool is 0𝑥99. . . 𝑒3. This miner did not have a name inEtherscan’s database, and thus we will call him Sneezy. Sneezy’s histogram spikes at the 8secondsmark to be almost twice as high than the corresponding bin at the 1second mark, while F2Pool’s8second bin is only roughly 20% taller, suggesting that Sneezy executes the attack over longerperiods of time.Indeed, as Fig. 6 shows, this aggressive attack is worthwhile, and has decreased Sneezy’s unclerate considerably, even moreso than it has beneted F2Pool. Fig. 7 shows the monthly amount ofblocks with a timestamp dierence which is divisible by 9for each one of Ethermine, F2Pool andSneezy. While Ethermine’s graph looks relatively uneventful, F2Pool’s and Sneezy’s drop to 0atalmost the same time. A closer inspection of the blockchain reveals that Sneezy started the attackat block 11,080,310, meaning slightly more than two days after F2Pool.7 MITIGATIONWe will now go over mitigation techniques that arise from the previously discussed results. It iswell known that cryptocurrencies are leary of making changes to their consensus mechanisms,oftentimes “forking” the blockchain and thus creating two communities, one which abides to theprevious consensus rules and rejects the change, and another which adopts it . Thus, we would liketo focus on solutions which are reasonable in scope, e.g. similar to previously adopted Ethereumimprovement proposals (EIPs) [29].Publication date: July 2022. Uncle Maker: (Time)Stamping Out The Competition in Ethereum 157.1 Minimize aacker flexibility by increasing the minimal diicultyIn the proofs given in Section 5, we have shown that if the minimal diculty is strictly less than20482, then an attacker could execute a riskless attack in less restrictive conditions than thosedescribed in Theorem 1.As we have mentioned in the same section, mining diculty did not come close to such adiculty in the seven years since Ethereum was launched, but the x is worthwhile for any smallcryptocurrency which is based on Ethereum’s mechanism and might reach such low levels ofmining diculty.The above mitigation was implemented in Appendix F.7.7.2 Reject competing chains more aggressivelyThe RUM attack and the variants which we observe in the wild can be mitigated completely byrejecting competing chains in a more aggressive manner.More concretely, denote the tip of the competing chain by𝑏′and of the local chain by𝑏. A minershould reject it if all of the following conditions hold:(1) If 𝑏and 𝑏′share a parent(2) If 𝑏has at least the same number of uncles as 𝑏′(3) If the timestamp of 𝑏′is less than the miner’s local clock by one second or moreIf at least one of these conditions do not hold, the miner should adhere to Ethereum’s existingprotocols.Notice that an attack block for either RUM or the variant which we observe in the wild mustfulll all of these conditions, thus if all honest miners would reject competing chains based on thiscriteria, the attack will be prevented.We would like to mention that the third condition is actually not as strict as it appears. Accord-ing to [62], 85% of blocks are propagated in less than 100 milliseconds, while in recent historypropagation time did not exceed 650 milliseconds [3, 7, 39].Additionally, although this mitigation is similar to already existing Ethereum consensus ruleswhich use a node’s local clock to reject blocks in some cases, we emphasize that such considerationsmight open the door for various attacks. Specically, we have not analyzed the implications of thismitigation with regards to any other attack besides the RUM attacks and the variations which wehave covered in this work.We have implemented this mitigation in Appendix F.7.7.3 Migrate to Proof-of-StakeAn obvious mitigation technique which will solve both this attack, and any other PoW-related one,is to migrate Ethereum’s consensus mechanism to proof-of-stake (PoS). This transition, which isalso called The Merge [31], is scheduled to happen by the end of 2022 (though it has been scheduledto happen since 2017 and has been postponed multiple times by now [13]).8 RELATED WORKWe will now review the major related works of the eld and compare these to our paper, whenappropriate. A summary is provided in Table 1. Additionally, in order to paint a complete pictureof the current research landscape, we surveyed a few additional related papers in Appendix E.Withholding Attacks. Most consensus-level attacks rely on block withholding and on anattacker’s ability to both immediately hear about new blocks, and broadcast withheld blocks tosome fraction of the network before this fraction hears of these new blocks. Usually, such attacksPublication date: July 2022. 16 Aviv Yaish, Gilad Stern, and Aviv Zohartheoretically allow miners to increase expected prots, although they do have a non-zero probabilityof failing and causing a loss. As far as we know, there is currently no software in place to facilitatethis attack.In contrast, we do not require such assumptions, instead relying on an attacker’s ability tomanipulate timestamps. This is indeed feasible, as seen in our empirical evaluation and by the gethpatch we provide which implements the attack.Examples of such attacks include the celebrated Selsh Mining attack [41], which increases anattacker’s share of the blocks beyond its share of the mining power. This is achieved by miningblocks and withholding them. Withheld blocks are published in a manner which discards blocksmined by honest parties. Variants of the attack were further explored in Bitcoin by [17,49,88] andin Ethereum by [43,51,52,85]. A notable extension of selsh mining is the Stubborn Mining attack,in which attackers continue mining on selsh forks even if these trail behind the honest chain[70, 79, 106].As both selsh and stubborn mining are not proven to be optimal mining strategies, several workshave attempted creating general frameworks for mining attacks which rely on block withholding,such as [57,114–116], which employ machine learning (ML) techniques to recreate classic resultsand derive new ones. These have the same pitfalls as the selsh-mining papers.Manipulating DAAs Without Withholding Blocks or Manipulating Timestamps. Astrand of research focused on directly manipulating DAAs to increase mining prots, thus avoidingblock withholding. All such attacks are not currently known to be implemented in software. Incontrast, our attack can be executed by applying a simple software patch.For example, in Coin Hopping attacks miners “hop” between cryptocurrencies and mine the onewhich is currently the most protable [74]. Certain DAAs are susceptible to cyclical mining dicul-ties, which can be exploited by miners that join when the diculty is low and leave when it is high[107]. These attacks assume miners can indeed “hop” between mining dierent cryptocurrencies ina minute’s notice and xed exchange-rates between the attacked cryptocurrencies, but these areknown to be extremely volatile and do not always move in unison [58, 111].Similarly but in the scope of just a single cryptocurrency, Energy Equilibria attacks show thatBitcoin miners can both minimize operational costs and manipulate mining diculty to increasethe average amount of rewards per unit of time by repeatedly turning their mining hardware onand o, but the protability of this mining strategy for a specic miner depends on the fraction ofmining expenses which it dedicates to electricity and whether this electricity is bought in advanceor not [44, 50].On the other hand, the Stretch & Squeeze attack presented in [110] focuses on increasing anddecreasing Bitcoin’s and Ethereum’s block-rates, and then using this to create interest-rate arbitragebetween decentralized nance (DeFi) lending platforms, which can be exploited to make a protby taking a large collateralized loan from one platform and depositing it in another. The market’sresponse to such an attack has not been explored, and it is reasonable to assume that such arbitragewill be closed by other players, thus voiding potential gains from being made.Timestamp Attacks. In Ethereum, timestamps have been mostly used to attack smart contracts[14]. An exception is the Stretch & Squeeze paper [110], that found two timestamp weaknessesin geth’s code. The rst is a simple bug that was quickly xed. The second weakness is inherentto Ethereum’s consensus and still remains; it allows miners to intentionally mine uncles with adiculty which is lower by 5% compared to the honest one. This can be used to increase miningdiculty and slow-down the blockrate, but was not included in the analysis performed in the paper.The Diculty Raising attack presented by [2] is an attack on Bitcoin’s DAA. Similarly to ourattack, it relies on manipulating timestamps in order to increase mining diculty and replacePublication date: July 2022. Uncle Maker: (Time)Stamping Out The Competition in Ethereum 17existing blocks. In contrast, it focuses on Bitcoin, and as claimed by the work, the attack is infeasibleand entirely theoretical. A framework for Bitcoin that allows deriving conditions which eliminatethe theoretical possibility of such an attack is analyzed in [47].Real-world Evidence of Attacks. Many have wondered why selsh mining and related attacksare not observed in the wild [57,79], with one glaring reason being the lack of concrete softwareimplementations to facilitate such attacks [100]. Some previous works relied on statistical methodsto detect abnormalities such as a large amount of blocks consecutively mined by a single miner,or a high number of forks, but have not found any conclusive evidence of a major attack [68,69],while [71] found that one Bitcoin mining pool performs coin-hopping, specically between Bitcoinand Bitcoin Cash, the latter of which is a fork of Bitcoin [64].Two exceptions are [71,110]. The former used data from Ethereum nodes to compare blocktimestamps with the actual block arrival times, and has concluded that the two are roughly similar.The latter claims that the last three years of Ethereum blocks do not bear the mark of timestampmanipulations, and has done so by looking at basic metrics such as the mean and median dierencesbetween blocks and their direct ancestors, which indeed are not indicative of any apparent manip-ulation. As we’ve shown, by looking at the histogram of timestamp dierences, it becomes clearthat, in fact, miners disregard the honest protocol and set timestamps to gain an unfair advantage.9 CONCLUSIONSIn this work, we have presented a novel attack on Ethereum’s consensus mechanism and multiplevariations on it, including an implementation of one such variation as a patch for geth, Ethereum’smost popular client.We have analyzed this attack and have proved that miners can execute it in a risk-less manner,thereby increasing both their relative share of blocks and their absolute and relative share of blockrewards.We have shown that this attack has been executed by Ethereum’s second largest mining pool,F2Pool, for over two years, thereby nding the rst-ever proof of an attack on the consensusmechanism of a major cryptocurrency.Finally, we have suggested concrete mitigation techniques which can be quickly implementeduntil Ethereum’s migration to PoS is nalized.