Malicious Reorgs Threaten Ethereum

Napoleon Bonaparte

Overview

As the name suggests, a blockchain is a series of records stored in blocks that are chained together to form a distributed ledger of what is considered the “truth” via majority consensus.

Miners can attempt to reorganize the most recent blocks in the chain if there is enough incentive — for example, to benefit financially from a hack or liquidation event. In order to do so, miners can form a cartel to reorganize the chain and orphan a particular block, thus preventing it from becoming part of the main chain and effectively rewriting history before the ink has dried.

The Scenario

For example, a DeFi protocol is exploited for $10 million. The protocol quickly puts together a bounty that will pay miners $1 million if they help reorganize the blockchain to orphan the block where the hack occurred. This is profitable for both parties.

The group of miners then agrees upon a particular block that was mined before the exploit, and that block becomes the new chain. As far as the network is concerned, the hack never happened. Alternatively, miners replace the block so they are the beneficiary of the exploited funds, rather than the original hacker.

Why Now?

Reorgs have always been possible, but coordinating a reorg attack is not a simple task. It is also expensive. According to Crypto51, it costs roughly $1.7 million per hour to gain enough hash power for a 51% attack. Of course, acquiring this hash power is difficult — it would require pools to merge or acquire additional hardware.

While you don’t necessarily need 51% of the hash power to successfully pull off a Time Bandit attack, the higher your hash power is, the higher your chance of success.

• The topic has been heating up lately due to public drama on Twitter after EdgarArout suggested creating a fork of the geth client that introduces an interface to make coordinating a reorg trivial for miners.
• Another developer, 0xbunnygirl, designed a contract that allows a simple mechanism for creating reorg “bounties” in the form of NFTs.
• Instead of needing off-chain communication and coordination, these bounties give users an easy way to offer miners payment in return for a reorg.
• There is also the possibility that miners — who will be made obsolete once Ethereum moves to Proof-of-Stake — feel that they have little to lose, and are simply more willing to disrupt the network.

Threat Level

With enough confirmations, finality is effectively achieved due to the ever increasing cost of reorgs. The concern applies primarily to recent blocks that are in the process of being confirmed. While it is technically feasible to reorg deep in the blockchain, it becomes exceedingly difficult and expensive, and there is little incentive to do so. Practically speaking, reorg attacks will only be noticeable by users because of increased confirmation times.

• ‍Some argue that Eth2 (Proof-of-Stake) is far less susceptible to reorg attacks, as finality is achieved after two epochs. Others argue that it is more susceptible.
• Ethermine — the largest Ethereum mining pool — has publicly stated that they have no interest in participating in these attacks.
• ‍THORChain devs have stated that the protocol can handle re-orgs, although it may cause disruption.

Wrap Up

Adversarial conditions are a delicate balance for distributed consensus protocols. Bringing to light the weaknesses that exist can expedite solutions that make the network stronger. On the other hand, breaking the network before those solutions can be developed is harmful.

Blockchains are intended to operate trustlessly regardless of the motivations of any individual actor, but at the end of the day, majority rules. Tools designed to lower the barrier of entry for “reorg cartel attacks” are morally dubious, but inevitable.

The real-world implications are unknown, and we may not see reorg attacks happen on a scale that is noticeable to the end user — especially with the largest mining pool condemning them — but only time will tell.

Angela Walch