From: Matt Corallo <lf-lists@mattcorallo•com>
To: Anthony Towns <aj@erisian•com.au>
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] Mining pools, stratumv2 and oblivious shares
Date: Tue, 27 Aug 2024 09:52:53 -0400 [thread overview]
Message-ID: <13cec02f-9012-4ba2-bb45-e00907a55357@mattcorallo.com> (raw)
In-Reply-To: <Zs2XQhcHe2srxLA4@erisian.com.au>
On 8/27/24 5:07 AM, Anthony Towns wrote:
> On Wed, Aug 21, 2024 at 10:28:35AM -0400, Matt Corallo wrote:
> Right, but that just sets some threshold where low hashrate members of a
> pool are indistinguishable from people attacking the pool. If there's no
> attack going on, that's fine, of course. To put some numbers to this: Ocean
> reportedly paid out ~10% more in reward for the same work compared to other
> pools [0].
>
> [0] https://x.com/ocean_mining/status/1825943407736533008
>
> To reverse that, you could do something like:
>
> * Take Ocean's current (honest) hashrate of 2160 PH/s, ie about 0.33% of global
> hashrate, or 3.35 blocks/week
> * Find ~22% of that to attack with, ie 475 PH/s (0.74 blocks/week)
> * Run the attack:
> - Ocean's new hashrate is 2635 PH/s
> - Ocean still only achieves 3.35 blocks/week
> - You collect ~18% of their reward (0.6 blocks/week)
> - Honest ocean miners collect the remainder 2.75 blocks/week)
> - If 3.35 blocks/week was making 1.1x the FPPS reward, 2.75 blocks/week
> is now only 0.9x the FPPS reward
> - Publish a google doc saying Ocean sucks, FPPS is much better
>
> If submitted through a single account, 475PH/s would be the third
> largest member of Ocean; and relatively easy to do statistical analysis
> on. If split up across perhaps 500 accounts, with less than a PH/s each,
> those accounts would not be in Ocean's top 80, and each individual account
> wouldn't be expected to find a block more often than once a decade or
> so. Submitting shares via tor, spending some time creating the accounts
> and making them look normal (ie, actually submitting the 0.6 blocks/week
> they're collectively expected to find), and receiving payouts over
> lightning seems like it would close out many of the obvious ways of
> telling that the accounts are all sybils.
>
> Maybe it's okay if the answer is just "analyse as best you can to find
> the real culprit, and if you can't, just drop all the low hashrate pool
> members". With an approach like that, you could decide something like
> "if there's an attack that lasts for two months, I'll boot out everyone
> who didn't find a block over that period" [1]. For someone with 0.02%
> of global hashrate (130 PH/s), there's about an 80% chance they'll find
> a block over two months, whereas for someone with 0.0012% (7.8 PH/s),
> there's a 90% chance they won't. So at that point, even if you're honest
> and you've invested $4M in ASICs (482x S21XP, 130 PH/s), you've still got
> a 20% chance of being booted out of the pool; and if your investment is
> only $240,000 (29x S21 XP, 7.8 PH/s), you've got a 90% chance of being
> booted out. For comparison, only the top three users on Ocean's dashboard
> report more than 130 PH/s, and 7.8 PH/s would put you in the top 25.
>
> (For comparison, each miner having to have at least 0.01% of global
> hashpower to be viable means there's at most 10k miners worldwide,
> which is about the same as the number of members in the SWIFT
> system. Alternatively, the low figure above was 29x S21's; the new ESMA
> recommendation [2] seems to consider you a threat to the environment /
> large scale miner with just 17x S21's...)
>
> Or you could look at it the other way round: Ocean accepting anonymous
> small miners seems like a nice thing now, but if it's also setting the
> pool up for failure by providing a way for an attacker to hide its attack,
> it might not actually be something that's good for the network.
Yep, I generally agree with all of this. It kinda is what it is, we can't do much to change it, and
pools do run the risk of getting attacked. For a PPLNS pool like Ocean, it'd mean the miners would
lose out. For a PPS pool, like nearly all others, it'd mean the pool goes out of business. Pick your
poison, I guess.
The one other thing to point out that you can do is pay out a bonus for the miner that finds a
block. This is (IIRC) what p2pool did, and what any decentralized pool worth its salt will do. That
at least adds some (hopefully non-trivial) cost to block withholding to disincentivize it, though of
course it comes at the cost of stable rewards...which was kinda the whole point of a pool.
>
>>> What I'm interested in is
>>> a pool that doesn't do those things: for example, a world where 5% of
>>> hashrate is from 60M BitAxe devices owned by 10M people, say.
>
> I'm interested in the scenario where there's a pool that supports large
> numbers of low hashrate miners, even in the face of an attack, and I
> just don't see a way in which statistical analysis can be good enough
> in that scenario.
>
> (I'm also not sure there's much difference between the thresholds for
> "can be confirmed to not be an attacker via statistical means" and "can
> viably solo mine". Pools being only for the miners that don't really
> need them doesn't seem great)
Another way to look at this is pooled mining isn't useful for miners that will find a block
approximately never :).
> With a PoW algorithm supporting oblivious shares, that's not the case:
> block withholding simply stops being an attack: if you withhold n shares,
> your payout drops by the value of n shares, and the pool's revenue drops
> by the expected value of n shares, the same as if you'd just turned
> your miner off briefly.
Sure, there are various schemes to prevent block withholding. Last I looked into it, though, they
all require a major PoW change, which I'm not sure is worth doing just to fix block withholding, sadly.
>>>> Adding more explicit "negotiation" to Stratum V2 work selection would defeat
>>>> the purpose - if the pool is able to tell a miner not to work on some work
>>>> it wants to, ...
>>> A pool is always able to do that -- they can simply mark the share as
>>> invalid after the fact and refuse to pay out on it, and perhaps make
>>> a blog post explaining their policy. The over-the-wire protocol isn't
>>> what provides that ability.
>> A pool can decline to pay out, yes, but the miner will still work on that
>> block. The point of custom work selection is that the miner will *always*
>> work on the block they want, no matter what. And if they mind it, they
>> broadcast it directly themselves. Anything else would defeat the point.
>
> If you mine a block, paying to a pool, but the pool is not paying you for
> shares, all you're doing is making a large donation to the pool operator,
> that at best might get passed on to other members of the pool, but won't
> be passed on to you. That's even less profitable than solo mining.
Sure, but this has nothing to do with custom work selection or StratumV2. You can always mine a
block for a pool and the pool can always decide to not pay out for that work. You should probably
use pools that aren't run by scammers.
> You can certainly say "the miners will never tell the pool the contents
> of their shares, and will never join a pool that expects that; pools
> only find out about txs when a successful block is mined and broadcast",
> and do a statistical analysis of shares vs blocks, but that again only
> works for miners with large hashrates.
>
> Without miners sharing the block templates for their shares with the
> pool, I don't see how a pool could preference miners who are picking
> "good" templates, vs mining empty blocks; if you're only getting the
> same reward as someone who's mining an empty block, it seems locally
> optimal to mine an empty block yourself, though that certainly doesn't
> seem globally optimal. If you're not validating the templates, but
> rewarding shares with templates that claim to give high fees, that also
> seems exploitable in ways that are harmful for the pool.
I never said anything about refusing to tell a pool the contents of shares. Quite the opposite, in
fact, in order to ensure StratumV2 work custom selection doesn't result in a degradation in pool
block propagation performance, pools should be getting the contents of shares from miners and should
prepare to forward that. They should also probably spot-check for validity, but more to detect
misconfiguration than active attacks.
>>>> The only
>>>> way any kind of centralized pooling with custom work selection adds any
>>>> value to Bitcoin's decentralization is if the clients insist on mining the
>>>> work they want to - whether on the pool or solo mining if the pool doesn't
>>>> want it.
>>>
>>> If you're really expecting miners are going to be constantly telling
>>> their pool "do exactly what I want or I solo mine", I think you're pretty
>>> likely to be disappointed by whatever the future holds... By its nature,
>>> solo mining is something that can only be done profitably by relatively
>>> few players at any given time; it's only potentially decentralised if the
>>> total market for Bitcoin ownership/usage is itself very small.
>>
>> You're totally missing the point that pools can just...pay out properly?
>
> Giving "why can't we all just get along" vibes there... They certainly
> could, but incentives for them to do otherwise don't go away just by
> wishing they would.
I don't buy that its in a pool's best interest to not pay out for the contract they have with their
users? How is trashing your business and getting sued in their best interest?
>> Or
>> if they don't people will create new pools that do? Not sure why you think
>> that's a far-fetched outcome.
>
> Sure, making it easy to create new pools is ideal. I think "just do
> statistical analysis to detect/prevent attacks" is already a pretty big
> impediment to that, though: it's hard to do, not automated, and likely
> requires some degree of secrecy to do well. Same as "oh, we just use
> heuristics to detect credit card fraud" vs "sign with your private key,
> and no one can reuse your signature or create a fake one": one requires
> a bunch of specialist knowledge that's hard to duplicate and is often
> ineffective, the other is something that can be done reliably by freely
> downloadable open source code.
Sure, but this again has nothing to do with StratumV2 or custom work selection...
> My chain of logic is:
>
> * I'd like to see mass-market mining be more viable (ie, lots of people each
> with small amounts of hashrate, vs a smaller number of large operations
> with large amounts of hashrate)
Yea, I would too, but before we rush to go do a fork to change the PoW to add oblivious PoW, I'd
really like to be convinced that its actually realistic that these kinds of miners can have more
than a few % of total network hashrate. If we can only get them up to a few %....who cares?
> * Small hashrate mining is only viable via altruism ("I'm supporting
> the network, and it's cheap"), irrationality ("I know it's bad odds
> for everyone else, but I'm lucky"), or pooled mining.
>
> * Altruism and irrationality don't work at scale, so I'd like to
> see pooled mining work well for small amounts of hashrate.
>
> * Pools that accept small miners will have a very hard problem
> preventing/addressing block withholding attacks, because statistical
> methods are not viable for people making a mining investment that's
> not in the six figure range.
>
> * We could make a very intrusive change to fix block kwithholding
> attacks entirely, by supporting oblivious shares, so that the miner
> can't tell which share will be a valid block.
>
> * Even if we did that, we'd still have to prevent rewarding miners
> for producing shares based on invalid templates,
Yea, one step at a time, mostly. But if the market did change somehow and small miners were shooting
for more than a few % of hashrate (I dunno, ASIC heaters become a thing?) and then we decide we
should fork in oblivious mining....
then I think statistical checking is much, much, much easier here. StratumV2 pools are already
expected to spot-check work and generally expected to always see block templates, so it becomes a
problem of "throw more CPU at it to verify more clients and reject more shares" (which if you have a
ton of shares could probably be done kinda efficiently through script validity and UTXO caching).
You could very reasonably rate-limit new template generation without breaking things, and require
some minimum threshold of miner hashrate (yay PoW for anti-DoS) and probably you'd be fine.
> if templates aren't
> being provided by the pool.
Sure, and if the templates are being provided by the pool then there's no value in having lots of
small miners :). Doesn't change your argument, just worth pointing out, I think.
Matt
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/13cec02f-9012-4ba2-bb45-e00907a55357%40mattcorallo.com.
prev parent reply other threads:[~2024-08-27 13:56 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-23 15:02 Anthony Towns
2024-07-23 18:44 ` Luke Dashjr
2024-07-31 18:00 ` Anthony Towns
2024-08-13 13:57 ` Matt Corallo
2024-08-16 2:10 ` Anthony Towns
2024-08-21 14:28 ` Matt Corallo
2024-08-27 9:07 ` Anthony Towns
2024-08-27 13:52 ` Matt Corallo [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=13cec02f-9012-4ba2-bb45-e00907a55357@mattcorallo.com \
--to=lf-lists@mattcorallo$(echo .)com \
--cc=aj@erisian$(echo .)com.au \
--cc=bitcoindev@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox