The financial sector's enthusiasm for blockchain technology might be misplaced, according to a pair of Australian distributed computing experts.

The problem: if everyone in a consortium trusts each other, they don't need blockchains to protect themselves; if they don't, current blockchain protocols have a flaw that allows a bad actor to game the system.

Extract from the paper: “The balance attack is simple: after the attacker introduces a delay between correct subgroups of equivalent mining power, it simply issues transactions in one subgroup. The attacker then mines sufficiently many blocks in another subgroup to ensure with high probability that the subtree of another subgroup outweighs the transaction subgroup’s. Even though the transactions are committed, the attacker can rewrite with high probability the blocks that contain these transactions by outweighing the subtree containing this transaction.”

Gramoli's paper suggests the Ethereum R3 testbed of 50 banks shows that an attacker who can reach even 10 per cent of mining power, and who can introduce a messaging delay of 30 minutes, has a 50 per cent chance of a Balance Attack succeeding.

[Figure: Balance Attack success probabilities, from the Gramoli/Natoli paper]

The warning comes from CSIRO/Data61 researcher Vincent Gramoli, lead author of an arXiv paper describing what he and colleague Christopher Natoli call “The Balance Attack” (the name comes from one aspect of their attack, that it's deployed against subgroups of nodes with balanced mining power).

In the finance/banking context, Gramoli says the problem is that blockchains are probabilistic, but for something like an inter-bank transfer, you need determinism. If the system enters a state in which it can't guarantee all transactions, downtime is the best solution.

Gramoli told The Reg “if the assumptions are not met, users should get a message that 'the system is not available, please try again later'”.

The consensus problem

When The Register spoke to Gramoli about the attack, he explained that like other distributed computing problems, blockchains have to solve the 30-year-old consensus problem.

The ledger is only accurate if all copies of it are the same; if an attacker can break that consensus, they can double-spend their currency.

As the paper puts it: “an attacker transiently disrupts communications between subgroups of similar mining power. During this time, the attacker issues transactions in one subgroup, say the transaction subgroup, and mines blocks in another subgroup, say the block subgroup, up to the point where the tree of the block subgroup outweighs, with high probability, the tree of the transaction subgroup.”

Gramoli told Vulture South that Bitcoin or Ethereum rely on two assumptions: “The first is that mining power … doesn't get concentrated into a small subset of participants. The second is network reliability – some messages will have to be propagated to a large subset of participants in a minimal amount of time.”

Blockchains' vulnerability to network delays is well known, Gramoli added. In the arXiv paper he and Natoli also relate variations in mining power to how much delay is needed, and “even though you don't delay the network for too long and only have small mining power, you can still introduce a Balance Attack … if the attacker can delay messages between groups of miners, they can potentially influence the outcome of the consensus.”

In a double-spending attack, you're using the same coins for two different transactions. This should be prevented by blockchains, but in the Balance Attack paper, Gramoli describes how a failure of consensus breaks that protection.

Double spending is simple

Gramoli: “Let's assume that Alice executes a transaction to a merchant that belongs to a group of miners. She waits long enough to see that there is no communication between subgroups, but the transaction is shared in the group and committed.

“Once she knows the transaction has been committed, she knows she will receive goods in the real world. But now, Alice can use her mining power to create more blocks, and to send them to another group of miners, such that when the network becomes reliable again, and messages are exchanged between subgroups, the blocks mined in subgroups that did not see the original transaction will prevail over those who did see the first transaction.”
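The scenario above as a toy model, added here as an illustration and not taken from the paper or from The Register: a block tree that resolves forks by heaviest subtree (an assumption drawn from the extract's wording about one subtree outweighing another), plus a check a node operator could run to spot transactions that drop off the canonical chain once delayed blocks arrive. Block names, the transaction id and the weight of 1 per block are constructed.

```python
from collections import defaultdict

class BlockTree:
    """Toy block tree; every block weighs 1 (constructed model)."""
    def __init__(self):
        self.children = defaultdict(list)
        self.txs = {"genesis": frozenset()}

    def add(self, block, parent, txs=()):
        if parent not in self.txs:
            raise KeyError(f"unknown parent {parent!r}")
        if block not in self.txs:            # ignore blocks already known
            self.children[parent].append(block)
            self.txs[block] = frozenset(txs)

    def weight(self, block):
        # Subtree weight: the block itself plus all of its descendants.
        return 1 + sum(self.weight(c) for c in self.children[block])

    def canonical_chain(self):
        # From genesis, always descend into the heaviest child subtree.
        chain = ["genesis"]
        while self.children[chain[-1]]:
            chain.append(max(self.children[chain[-1]], key=self.weight))
        return chain

    def confirmations(self, tx):
        # Canonical blocks from the one holding tx up to the tip; 0 if absent.
        chain = self.canonical_chain()
        for depth, block in enumerate(chain):
            if tx in self.txs[block]:
                return len(chain) - depth
        return 0

def build(blocks):
    tree = BlockTree()
    for block, parent, txs in blocks:
        tree.add(block, parent, txs)
    return tree

def reorged(before, after):
    # Transactions on the old canonical chain that the new one no longer holds.
    def chain_txs(tree):
        return {tx for b in tree.canonical_chain() for tx in tree.txs[b]}
    return chain_txs(before) - chain_txs(after)

TX = "alice->merchant"                       # constructed transaction id
# Blocks each subgroup sees while messages between them are delayed.
TX_SIDE = [("t1", "genesis", [TX]), ("t2", "t1", []), ("t3", "t2", [])]
BLOCK_SIDE = [("b1", "genesis", []), ("b2", "b1", []),
              ("a1", "b1", []), ("a2", "b2", [])]   # a1, a2: one member's extra blocks

partitioned = build(TX_SIDE)                 # merchant's view during the delay
healed = build(TX_SIDE + BLOCK_SIDE)         # view once the delayed blocks arrive
```

Both branches are the same length after the merge; the transaction disappears because the other subtree holds four blocks against three, so a confirmation count taken inside one partition says nothing about finality.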

“What we realised is that if you don't pay attention to the way you deploy the blockchain … if you do not pay attention to the mining power that each individual has in the consortium, or to who are the participants exchanging messages, you risk that some member of the consortium could try to steal money”, Gramoli explained to The Register.

As fintech blockchain experiments now stand, that probably doesn't look like much of a problem: you can assume that the 50 banks running the R3 testbed all know each other.

Blockchain therefore resembles the early days of the Internet, when a lot of protocols were built and adopted by a bunch of university system operators who all knew each other by name. The assumptions that work in a setting like that don't scale.

Gramoli explained that one reason fintech likes the idea of blockchain consortiums is because they think it solves the problem of untrustworthy participants.

Blockchains are designed to be resilient against mistrust, which is only necessary if the first people in a consortium can't guarantee the integrity of latecomers.

“The first banks joining [blockchain consortia] want to protect themselves from member number seventy,” he said.

Unfortunately, attacks on the protocols demonstrate that today's blockchain protocols don't provide that guarantee. ®