Abstract: Byteball is a new kind of cryptocurrency platform based on a Directed Acyclic Graph (DAG). Byteball can handle simple transfers of value as well as smart contracts, oracles, P2P payments in chat, and ICO bots. In this paper we describe the scenario of a brute-force attack aimed at taking full control of the network by pulling it out of the hands of its legit witnesses. We then describe the ancillary results we may get should our main goal not be met.

Introduction:

The Byteball network is built upon a DAG: an acyclic graph to which end users post units by means of their Byteball wallet. Each submitted unit has an attached series of 12 Byteball addresses, the so-called ‘witness addresses’ (they can also be seen as 12 attached labels). Those 12 witnesses are nothing more than 12 Byteball wallets that are always up, posting their own units to the DAG in the background, 24 hours a day.

To be accepted by the graph, a new unit must find a parent unit that is already in the graph and meets a hard-coded criterion: the parent unit's ordered witness labels must not differ by more than 1 from the new unit's ordered witness labels.

In other words, if the parent unit's witness list is [Pw1, Pw2, … , Pw11, Pw12] and the daughter unit's witness list is [Dw1, Dw2, … , Dw11, Dw12], then there can be at most one value of i such that Pwi <> Dwi.

You can also think of a free molecule with 12 anchors that must find, on a big protein, a parent molecule with at least 11 similar anchors in order to get a positive match and peg to it.

The role of the witnesses is essential because they show a path on the DAG that each node uses at a later step to validate all new incoming units and turn them into immutable information.

The concept of an attack:

Given that witnesses are nothing more than regular Byteball wallets posting at a slow but continuous rate, the idea is to DoS the witnesses' posts by covering the DAG with units whose witness list is +2 mutated compared with the witnesses' witness list (yes, the doubled word is intentional). If this can be achieved, the legit witnesses' units will not be able to find any suitable parent unit to match with, and therefore we will have full control of the DAG from that point.
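
The parent-matching rule from the introduction, written out as a check a node operator could run over the current tips to see whether units carrying the default witness list can still find a parent. This is an added example, not Byteball's code: the function names and placeholder addresses are hypothetical, and it assumes the rule means at least 11 shared addresses (the anchor analogy), compared by membership rather than by index.

```javascript
// Added illustration; every name here is hypothetical, not Byteball's own code.
const WITNESS_COUNT = 12; // witnesses attached to each unit (from the article)
const MAX_MUTATIONS = 1;  // a unit may differ from its parent by at most one witness

// Reject malformed lists before comparing: exactly 12 distinct addresses.
function assertValidWitnessList(list) {
  if (!Array.isArray(list) || list.length !== WITNESS_COUNT) {
    throw new Error(`witness list must contain ${WITNESS_COUNT} addresses`);
  }
  if (new Set(list).size !== WITNESS_COUNT) {
    throw new Error('witness list contains duplicate addresses');
  }
}

// Count the witnesses of childList that are missing from parentList.
// Membership (not index) is compared, so a sorted list in which one
// replacement shifts every other entry still counts as one mutation.
function mutationCount(parentList, childList) {
  assertValidWitnessList(parentList);
  assertValidWitnessList(childList);
  const parentSet = new Set(parentList);
  return childList.filter((w) => !parentSet.has(w)).length;
}

function isCompatibleParent(parentList, childList) {
  return mutationCount(parentList, childList) <= MAX_MUTATIONS;
}

// Monitoring check: ids of the tips a unit carrying childList could attach to.
// An empty result for the default list means default-list units are blocked.
function compatibleTips(tips, childList) {
  return tips.filter((t) => isCompatibleParent(t.witnesses, childList)).map((t) => t.unit);
}

// Constructed sample data: placeholder addresses, kept sorted.
const DEFAULT_LIST = Array.from({ length: WITNESS_COUNT },
  (_, i) => `WITNESS_${String(i + 1).padStart(2, '0')}`);
const swapFirst = (list, addr) => [...list.slice(1), addr].sort();
const PLUS1 = swapFirst(DEFAULT_LIST, 'X_WITNESS_A'); // +1 mutated
const PLUS2 = swapFirst(PLUS1, 'X_WITNESS_B');        // +2 mutated vs default
const SAMPLE_TIPS = [
  { unit: 'tip-default', witnesses: DEFAULT_LIST },
  { unit: 'tip-plus1', witnesses: PLUS1 },
  { unit: 'tip-plus2', witnesses: PLUS2 },
];

console.log(compatibleTips(SAMPLE_TIPS, DEFAULT_LIST));      // ['tip-default', 'tip-plus1']
console.log(compatibleTips([SAMPLE_TIPS[2]], DEFAULT_LIST)); // []
```

Alerting when the second call's situation appears on a live node (no tip compatible with the default list) is the observable symptom of the halt described in this section.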

Practical scenario:

We will have 2 wallets. Wallet N°1 will have a witness list +1 mutated compared to the default list and wallet N°2 will have a witness list +1 mutated compared with wallet N°1 (and +2 mutated compared with the default witnesses list).

Step 1: just after we see a legit witness post, we prepare the ground with wallet N°1 posting a few hundred units in a continuous flow close to the network's maximum acceptable rate (15 tps), in the hope that we are covering all legit units with our +1 mutated units.

Step 2: with wallet N°1 still posting, wallet N°2 starts posting at a high rate too (hopefully wallet N°2's units find parent units among wallet N°1's units).

Step 3: wallet N°1 gently starts decreasing its posting rate from 15 tps to 0 tps following a linear ramp (wallet N°2 is still posting at 15 tps).

Step 4: wallet N°2 is now alone, posting +2 mutated units at 15 tps in the hope that we are covering all our +1 mutated units. We post twice as many units as we did in step 1.

Step 5: wallet N°2 stops posting.

Now we let the dust settle for 10 minutes…

What kind of result can we expect?

1. Failure: Nothing much happens except some load on the network and useless chaos. Some of our units pegged in pointless series, some were rejected, and there is still room for legit witnesses' units in the DAG.

Or our +1 mutated units did not cover all legit parent units, so our +2 mutated units left room in the DAG for further legit parent units.

Or our +1 mutated units did cover all legit units, but our +2 mutated units did not cover all our +1 mutated units, so here again there is room in the DAG for further legit parent units.

After a period of silence a “bip” on the Byteball explorer shows a new legit witness unit has arrived on the DAG. We have lost.

2. Success: Our attack has been successful; we no longer see any new legit witness posts on the Byteball explorer. The whole network is halted. We now have full control of the DAG. Legit users cannot post anymore because all their new units would be +2 mutated from all available parent units on the DAG. From that point we can gently push, +1 after +1, a full new set of 12 witnesses that end users would be forced to adopt, or else their Bytes cannot be sent anymore.

3. Useless DAG fork: We have grown a forked branch on the DAG. It is unlikely that legit users will follow us and adopt our new branch's witnesses. The main branch is still growing and it remains the only legit one.

Conclusion:

We have a valid scenario for an attack to be planned. Being a brute-force approach, it does not rely on a fine study of the code; the hope is actually that the dev made a mistake while implementing his algorithm.

The attack date and time will be announced later in our slack. Stay tuned.

In the meantime, a few words from Byteball lead developer Anton Churyumov about this scenario: “excellent idea”.

By the way, in case of a successful attack, we can revert to the normal situation by posting a bunch of +1 mutated units from wallet N°1.

2018-02-16