The Pissing Attack against Bitcoin

This generalizes the “empty-block attack” and has not been debunked.

I attended a Clubhouse debate today surrounding the so-called “Empty Block Attack” as popularized by Joe Kelly, Mike Kelly, and also Mike Green on a recent podcast. Unfortunately, a large part of the “debate” was Jimmy Song yelling that he had debunked the Empty Block Attack, while Mike and Joe tried to explain that what Jimmy had debunked was not the actual attack. After a bit of this wrangling, Jimmy and some others in the room concluded that “we can just invalidate the adversarial blocks.” This was not explained to any degree of satisfaction: any acknowledgment that the nodes can simply identify and zap transactions that they don’t like is an acknowledgment that Bitcoin is not censorship proof — pretty much by definition. The discussion then turned to how unbecoming it was of Mike and Joe to not have sent this attack to the mailing list for approval first.

So in an attempt to avoid any confusion about the semantics of the empty block attack, I’m going to give a new name to a more general attack.

Definition. A Pissing Attack is when a heavily capitalized party signals, and follows through with, an intention to expend multiples of the security budget of a decentralized network, for an extended period of time, for the sole purpose of disrupting the network and making it unusable.

With the major definition out of the way, we proceed to our main theorem.

Theorem. Every decentralized, unpermissioned, uncensorable network that is continuously maintained by economic incentives is vulnerable to a pissing attack.

I’m not going to define terms precisely, so this is actually more of a pseudo-theorem. This pseudo-theorem has an immediate Corollary:

Corollary. Bitcoin is either censorable, vulnerable to a pissing attack, or not maintained by economic incentives.

I’m going to start by giving the general economic argument for the theorem, then discuss real-world scenarios and anticipate a few objections.

(Pseudo)proof. We can’t make this too general in a short post, so we will be content with a few basic assumptions about the network in question. In particular, the consensus mechanism must reward agents who maintain the security of the system. This is true of Proof of Work and any implementation of Proof of Stake.

Proposition 1. The security budget of a network must be less than the total value of the network.

This is fairly clear — you can’t reward someone inside a system unless the system intrinsically has something of value to give as a reward. You can’t pay someone in dollars on your blockchain unless your blockchain has dollars assetized into the blockchain. Note that the value of the network should include all the assets controlled by the network, hence could exceed the marketcap.

Now consider any participant in the security maintenance, making the rational decision whether or not to work with the network or against it. They must consider the total expected value they have to gain, now and in the future, against what they have to gain by working against the system. This could involve another utility function that may have other factors, including intangibles and charity towards the system.

Now each consensus mechanism has a consensus agreement. This is a Schelling Point. Schelling Points work if they are unique. In the absence of a Schelling Point, you don’t have a decentralized system, you have a politicized system with influencers and messages sent across the network debating the merits of various arrangements, or in other words, old-fashioned politics. So the network must adhere to the agreement. The moment it deviates from the agreement, it falls to the whim of whoever the wise men are determined to be, or maybe the mailing list mods, and it’s no longer an uncensorable, unpermissioned network.

Now when the pissing attack begins, the adversary offers a multiple of the security budget to anyone willing and able to mess with the system. It’s difficult to describe this in general, but the economics generally work as follows. In order to participate in security, you must have something that is difficult or expensive to obtain or of finite supply. For example, staked coins in a network are of finite supply, and exahashes are expensive to produce. This is what prevents sybil attacks or nothing-at-stake attacks. So because whatever is being offered for security is not easy to obtain, the attacker can simply ask for the same proof that the network would require, but pay more for it. This is an important point so I’ll repeat it: If the decentralized network security model requires Proof-of-Something, that same Proof-of-Something can be given to the attacker as well.

At this point the participants have a decision: Defect on the network and accept the greater reward, or, cooperate with the network and receive the usual rewards. What complicates this decision is not just the immediate decision, but the options they expect to be available in the future. If the participant feels the network is secure, even if they were to defect, they might as well defect and reap the better reward today. If the participant feels the network is doomed and will eventually succumb, then even more so, it’s important to defect and recoup as much value as they can. Rational agents don’t fret about sunk costs, they look to the future.

In this manner, the adversary can entice a large body of the agents to defect. Having neutralized the usual security, at this point the adversary only needs to obtain a small amount of whatever is required to participate in the security in order to take over the system, be it stake or mining equipment. We’re leaving to the imagination the details of how participants can defect on the system or how the attacker can abuse the system. Again, all that is needed to destroy the consensus is to abuse the Schelling Point. The adversary has a whole continuum of possible attacks. The only way for the network to actively identify and thwart all possible attacks is to essentially set up a Ministry of Censorship.

Once the adversary has signaled that they intend to abuse the network for an extended time period, rational agents will defect. Even if most of the participants decide to hold strong, other participants will be allowed to defect with others hurting the system, and they certainly will do this, and every participant will be tempted to. There is only one Nash Equilibrium (apart from factoring in charity of the agents) in these conditions, namely, the situation where every participant defects. There’s only one reason that a rational agent would not defect: They believe that by holding strong, they are increasing the probability that they outlast the attack enough to justify forgoing the rewards in the meantime. This might be reasonable in some situations, but by scaling the scope of this attack, such a decision becomes irrational. The other reason that an agent would not defect is that they are not acting rationally, but out of charity towards the network.

This brings us to the conclusion: a decentralized network that is surviving a pissing attack is held together by charity. ∎

Back to Bitcoin

So how would this work in Bitcoin?

Suppose the US decided they’ve had enough, that Bitcoin is damaging their ability to issue Treasurys, and needs to go.

Let’s talk about these points in order. Each is feasible.

As it turns out, the way foundries like TSMC (the foundry Bitmain relies on) operate is that they tier their customers. They don’t optimize just for revenue, but consistent demand. They treat their Tier I customers much better, and give them privileged allocations to foundry space. Bitmain, the largest ASIC manufacturer, is not a Tier I customer. They have to settle for scraps.

So basically, TSMC doesn’t have a serious vested stake in Bitcoin. They have plenty of customers and the mining production is not Tier I. This means that if more money were thrown at the mining equipment, the output could increase significantly. The US has the money to sign an extended contract to this effect. TSMC could care less. They’ll take the money.

2. This seems pretty easy. If you’re actually hanging on to that Antminer s3 for whatever reason, the US will take it off your hands!

3. This is more fun to think about. One easy way is to simply clone Bitcoin (call it Anti-Bitcoin) with a new genesis block, modify some halving and difficulty modification parameters and pay anyone directly who cashes in the Anti-Bitcoin, so that the expected value is higher for mining the Anti-Bitcoin. For example, if you promise to pay the value of Bitcoin for each Anti-Bitcoin, and start with a 50 Anti-Bitcoin block reward, the difficulty will skyrocket rapidly as miners chase the better reward. This can be done with a smart contract on Ethereum.

Another way is to simply use an Ethereum smart contract to pay miners for garbage blocks that achieve some level of difficulty. (For the non-Bitcoin experts: the difficulty is a metric of how many gazillion hashes a miner expects to produce in order to obtain a block reward. It is modified regularly as more miners enter the system.)

4. Abusing the network is fun to think about as well. It’s probably best to do this as randomly as possible, to completely demoralize anyone relying on the Bitcoin network. You allow some transactions through. Some days you don’t. Some days you let all the transactions through while secretly mining a longer chain which you foist on the network after it’s gone several blocks.

What about invalidateblock? Well, this requires a consensus outside of the agreed-upon consensus. We could agree to invalidate empty blocks, but what about blocks with 16 transactions? Jimmy Song suggested they would know how to identify the bad blocks because these are the ones that “don’t include my transaction”. But such an arrangement would essentially give Jimmy veto power over the blockchain, something not provided to all users, which is incredibly unBitcoin. There’s literally no way to determine which blocks are good and which ones aren’t. Any hard rule would be abused. For example, if it was decided that “you can’t do a reorg more than 9 blocks,” the US could know this rule and play with this, letting each string of valid blocks get to 7 or 8 before performing a reorg. There are reasons Satoshi didn’t include clauses like this; adding them arbitrarily will degrade the system. Wise men trying to decide that certain addresses are good and others are bad is tantamount to censorship.
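The reorg-cap rule discussed above, as an added example (not code from the original post or from any Bitcoin implementation): a longest-chain fork choice with the hypothetical 9-block cap, run over constructed chains of block ids. It shows that a depth-8 reorg still passes the cap, and goes one step beyond the text to show that two nodes applying the same cap can settle on different chains depending on what each had already seen. The function names and chain data are assumptions.

```python
# Hypothetical hard rule quoted in the text; not a Bitcoin consensus rule.
MAX_REORG_DEPTH = 9


def reorg_depth(current, candidate):
    """Number of blocks on `current` that switching to `candidate` would discard."""
    common = 0
    for ours, theirs in zip(current, candidate):
        if ours != theirs:
            break
        common += 1
    return len(current) - common


def choose_chain(current, candidate, max_depth=MAX_REORG_DEPTH):
    """Longest-chain rule with a cap; chain length stands in for accumulated work."""
    if len(candidate) <= len(current):
        return current
    if reorg_depth(current, candidate) > max_depth:
        return current  # reorg is deeper than the cap, so it is refused
    return candidate


def fork(base, discard, extra, tag):
    """Constructed data: drop the last `discard` blocks, append discard+extra new ones."""
    keep = len(base) - discard
    return base[:keep] + [f"{tag}{i}" for i in range(discard + extra)]


# Constructed sample chain: block ids only, genesis first.
MAIN = [f"m{i}" for i in range(100)]


def demo():
    shallow = fork(MAIN, discard=8, extra=1, tag="s")  # depth 8, one block longer
    deep = fork(MAIN, discard=10, extra=1, tag="d")    # depth 10, one block longer
    lagging = MAIN[:90]  # a node that has not yet seen the last 10 blocks
    return {
        "shallow_accepted": choose_chain(MAIN, shallow) is shallow,
        "deep_refused": choose_chain(MAIN, deep) is MAIN,
        "lagging_accepts_deep": choose_chain(lagging, deep) is deep,
        "blocks_lost_in_shallow": reorg_depth(MAIN, shallow),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under this cap a transaction with eight confirmations is still reversible, and the up-to-date node and the lagging node end on different tips, which is the kind of disagreement the agreed-upon consensus rule exists to prevent.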

Again the details aren’t important. It’s an asymmetric game. It’s not a cat-and-mouse game, unless you think of the mouse as in a small empty room with no escapes. The attacker is agile and any wing of attack can coordinate secretly or openly, while the security protocol is not agile and can’t coordinate on a defense without using some sort of political governance decision-making. So this isn’t a “you steal my stuff — I build a fence — you get a ladder — I build a bigger fence” situation, as someone suggested in the Clubhouse debate. The security mechanism for Bitcoin was agreed upon 12 years ago and there’s not a clear method for changing it, and this is by design.

Anyone who thinks you can just design an algorithm for deciding which blocks are good and which aren’t hasn’t thought about adversarial attacks for more than five minutes. You have to publish and agree upon the algorithm, and the adversary can see this. The network is at a disadvantage.

5. At some point, most people leave. Not everybody, but Tesla, and whatever the latest corporation to get in the game might be, their shareholders don’t want any part of this nonsense and they’re out. The US will allow their transaction from cold storage to Gemini to go through. The price drops to $200 and the US eases up, with the caveat: “If the price gets above $1500 we’ll get back in.” So the hobbyists stick with it and the US doesn’t care.