Explain the reorganization attack after the merger of Ethereum

Recently, people have discussed the possibility of miners adopting a hypothetical modified Ethereum client that allows them to accept bribes and arrange transactions in selected blocks. (The main use case for this kind of bribery is to attack the DeFi protocol).

In this article, we will explain why this attack mode will be more difficult to execute after the Ethereum 2.0 merger.

What is the fork selection rule and why is it important?

The fork selection rule is a function evaluated by the client. It takes the set of blocks and other messages that have been seen as input, and outputs to the client what the “typical chain” is. Fork selection rules are necessary because there may be multiple valid chains to choose from (for example, if two competing blocks with the same parent are released at the same time).

Reorganization is a special event in which a block that was once part of the classic chain is no longer part of the classic chain because a competing block defeats it. Finality refers to the situation where the fork selection rules are so favorable for a block that the block is mathematically impossible to overlap (or at least economically infeasible).

In some fork selection rules (such as Tendermint), reorganization is impossible; the fork selection rules simply extend the existing block by adding any blocks that have passed BFT (Byzantine Fault Tolerance) consensus and finalized. chain. In other fork selection rules, reorganization is very frequent.

Explain the reorganization attack after the merger of Ethereum

What is the current state of Ethereum?

In a proof-of-work (PoW) blockchain like Ethereum, we usually see the “longest chain rule” (or more accurately, the “highest total difficulty chain rule”). This means that when the client discovers 2 blockchains, it will choose the one with the highest total difficulty (that is, the sum of the difficulty of all blocks in the chain).

For example, suppose the difficulty of a block can be 100 or 110, imagine the following scenario.

1. We start synchronization from block 1 with a difficulty of 100.

2. Blocks 2a and 3a are reached with a difficulty of 100 respectively. We insert them into our chain to form a fork with a total difficulty of 300.

3. Block 3b with a difficulty of 110 arrives, and 2a is announced as its parent, forming a fork with a total difficulty of 310. The fork selection rule will notice that the “heaviest” chain is now the second fork and will switch to it. This is a reorganization of 1 block, because only block 3a has been changed. Please note that these blocks are not completely discarded, because a new block may arrive, causing the fork to switch back to the first fork.

Blocks 4.2b and 3c arrive, and the difficulty of each block is 110, creating a new fork with a total difficulty of 320! This means that the difficulty of fork selection is 320. According to the fork selection rules, 2b will now be used instead of 2a, and 3c instead of 3b. These are all blocks in the previous classic chain. This is a recombination of 2 blocks.

You can see what will happen. If a new block 4a arrives and 3a is declared as its parent chain, the fork selection rule will switch back to the first fork, and so on.

Explain the reorganization attack after the merger of Ethereum

The impact of chain reorganization

Due to the delay, a brief reorganization has been happening all the time. Miner A and miner B may find a valid block at the same time, but due to the way the block is propagated in the p2p network, some blocks of the network will first see the block of A, and the other part will first see the block of B . If the difficulty of the two blocks is the same, there will be a tie, and the customer will either choose randomly or choose the block seen earlier. Normally, when the third miner C builds a block on block A or block B, the tie is eventually broken and the other block is forgotten. Occasionally, bad luck can lead to the reorganization of 2-5 blocks. Almost all reorganizations beyond this time are caused by extreme network failures, client errors, or malicious attacks.

Short-term reorganizations are not fatal, but they still have the following serious consequences for the network.

  • Node cost: When a reorganization occurs, since it must switch to a new fork, transactions may be rolled back or the state of the blockchain may be modified, so there will be some storage problems.
  • Decreased user experience: The possibility of re-forking means that users will have to wait longer to safely treat transactions involving them as “confirmations.” An important sub-case in this regard is that companies such as exchanges need to wait longer before accepting deposits.
  • Uncertainty of transaction background: When users send a transaction, they have a low degree of certainty about the context in which the transaction will be executed (for example, will the most recent N blocks be restored? It is worth noting that this increases This eliminates the possibility of unexpected failure of DeFi trading pairs, worse than expected trading results or harmful MEV withdrawals.
  • Increased the possibility of 51% computing power attacks: In a system driven by the longest chain rule, if the miners on the chain are reordered from B1 to B2, then the difficulty of B1 no longer helps to ensure the security of the chain. Attackers no longer need to defeat all honest miners, they only need to defeat the honest miners that have not been reorganized. If reorganization is frequent, this greatly simplifies the work of the attacker.

The worst possible scenario

In the worst case, frequent reorganization can completely invalidate the settlement guarantee of the blockchain and prevent it from continuing. Under normal circumstances, the “incentive compatibility” strategy of block producers should be to extend the longest chain. But what happens if the post-state of a block is profitable (for example, there is a very high fee or MEV, which can only be extracted by building a block directly after the block)? This issue has been discussed in the past in the context of Bitcoin without block rewards and selfish mining, and today is also discussed in the context of DeFi-related MEV in the Ethereum ecosystem.

Under these circumstances, there is a great incentive to try to “steal” fees or MEV through competition rather than extending the top of the classic chain. In the example below, the post-state of block 1 is profitable, and block 2a has already been mined. However, not 1 but 3 block producers choose to mine on the basis of block 1 instead of block 2a (to require any MEV exposed after block 1), which can be extended to any number of parties .

For obvious reasons, such a model opens the door to malicious 51% computing power attacks. We call miners who engage in this reorganization of mining tactics “myopic rationality” because the decision to do so may be rational in the short term. However, they have explicit (coin minters) or implicit (miners) long positions on Ethereum (because fees and block rewards are priced in Ethereum), which means that any such reduction in users’ exposure to Ethereum Trust attacks are against their ultimate interests, so it is irrational in the long run.

Ethereum after the merger and proof of equity

In Nakamoto PoW, the block is “serially” solidified in the fork selection. First, a block is mined. At this time, a competing block may reorganize it. If the block survives as part of the classic chain, after (average) 13 seconds, some other miners build a second block on it. At this point, a chain of two competing blocks is needed to reorganize it. As more blocks are built on it, the difficulty of re-org chain continues to increase, but the speed is very slow.

Ethereum’s beacon chain implements a PoS protocol called Gasper, and has a fork selection rule called LMD-GHOST. Contrary to Nakamoto PoW, there are two roles in the block production process.

  • Proposer:  The task of a validator is to propose a block.
  • Participants:  A group of validators vote to decide which block they think is the head of the classic chain. The vote of the appraiser is called “proof”, and they assign “weight” to the block. Controlling the appraiser means controlling the fork selection rules.

There is a “slot” every 12 seconds, which represents an opportunity to propose a block. For each time slot, a shuffle algorithm pseudo-randomly selects a committee composed of 1/32 of all validators, where one validator in each committee is the proposer and the rest are approvers. The reviewers vote in parallel on the blocks they consider to be part of the classic chain. Since the committee is sampled pseudo-randomly, there is no way for attackers to gather their verifiers into a single location.

Today, the beacon chain has 196,000 validators, which means that each slot has a committee of size 6125. Therefore, even the reconstruction of a single block is very difficult, because an attacker who controls only a few validators cannot defeat the tens of thousands of honest majority participants.

To get some intuition about why this is happening, let’s look at an example with 2 slots and 24 validators, 9 of which are malicious. The validators are divided into two committees, and due to random shuffling, opponents are unlikely to control more than 50% of any group they are assigned to and lead to a reorganization.

Explain the reorganization attack after the merger of Ethereum

More formally, the probability of a malicious actor with p% equity controlling a committee of N validators over 50% follows a binomial distribution (where k = N/2).

Explain the reorganization attack after the merger of Ethereum

Calculating the probability in different situations, we get the following table:

Explain the reorganization attack after the merger of Ethereum

We now understand that direct reorganization requires the attacker to control close to 50% of the validators.

If the attacker has 25-49% of validators, more subtle attacks are possible. However, there are known fixes for these attacks, which can be implemented unobtrusively, increasing security and approaching the unconditional 50%.

Finally, long-term recovery is impossible, because all blocks deep into the past 2 epochs are considered “finalized”, that is, it is impossible to recover the past. If the attacker causes the two conflicting blocks to be finalized (for example, by controlling 67% of the equity), the system will need to fall back to social intervention to recover.

Game Theory Used in Restructuring Strategy

Now that we have seen how the reorganization strategy works in different fork selection rules, it is worthwhile to use a simple game theory example to understand when a miner or verifier uses software that executes the reorganization strategy to make a profit. of.

We can use a reward matrix to describe each situation in layman terms, where “defect” means “download and use anti-fraud software.” The compensation is “short-sighted” and does not take into account the long-term consequences.

Satoshi Nakamoto work certificate

In the longest chain PoW, short-distance reorganization can use even a small part of the validator set for probabilistic reorganization. Occasionally there will always be some blocks with profitable post-states, so that even a success rate of 1-10% is worth trying to compete with the existing sub-blocks of the block.

Miners can be a medium-scale mining pool, relying on the possibility of finding the next 2-3 blocks in a row, or they can send part of their income into a contract that anyone can claim to bribe other operations People with the same software build on their chain and help it fight the existing classic chain.

Therefore, some miners may be tempted to run the reorg client.

Explain the reorganization attack after the merger of Ethereum


In Gasper, the reorganization of 1-64 slots is possible, but the attacker needs to control a large part of the entire validator set (because they cannot concentrate their bets on a specific slot, so they need to have enough The big chips are randomly selected within the range of the slots they want to attack). Unless a large number of other validators also use it at the same time, it is useless to use reorganized mining software.

Therefore, if 51% of verifiers have even the slightest altruism, then no one runs the reorganization software is a stable equilibrium state.

Explain the reorganization attack after the merger of Ethereum


In Tendermint, the situation is even cleaner: reorganization is impossible, and any violation of the finality of a single slot requires more than 1/3 of the validators to be cut off. Similar to Gasper’s situation, this also means that no one runs the reorganization software is a stable equilibrium.

Explain the reorganization attack after the merger of Ethereum

From the above we can see that although the use of “reorg geth” is possible in all cases, the fork selection rule based on the concept of parallel proof has an honest equilibrium state, and it will be more balanced than Nakamoto’s fork selection. stability.

Empirical talk

In the context of Ethereum, the most effective preventive measure is to further accelerate the merger work, especially to quickly realize credible capabilities, conduct “emergency mergers”, and transition the chain to PoS. The rush to merge carries a high risk and may damage the infrastructure, but if many miners start to attack the chain again, a credible promise will counteract this behavior.

The period close to the merger is the most risky, because the miners are still in charge of the system, but their time span is shortened. However, two factors mitigate this risk.

Ethereum miners are often at the same time (i) miners of other blockchains, and/or (ii) members of other identities in the Ethereum community, so they still have incentives for good behavior.

As the merger approaches, the difficulty, cost and risk of emergency mergers are also decreasing. A few months before the scheduled date of the merger, an emergency merger will be highly disruptive. Two weeks before the scheduled date of the merger, this will be a parameter setting for the customer to verify that the operator has completed the download.

After the merger, reorganization of verification will become a smaller problem because a single verifier or a small group of verifiers cannot be reorganized alone. To succeed, a reorganization attack must solve the extremely difficult coordination problem, which is to get most verifiers offline at the same time. However, some small risks still exist. If you want to further improve security, Ethereum can further adjust the fork selection rules to increase the requirement of reorganization attacks to the theoretical maximum of 50%, or find a way to directly move to the consensus of single-slot inality.

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/explain-the-reorganization-attack-after-the-merger-of-ethereum/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2021-07-21 15:03
Next 2021-07-21 15:05

Related articles