Partitioning Attacks on BitcoinColliding Space Time and Logic

Muhammad Saad Victor Cook Lan Nguyendagger My T Thaidagger and Aziz MohaisenUniversity of Central Florida dagger University of Florida

saaducf victorcookknightsucfedu lannguyenufledu mythaiciseufledu mohaisencsucfedu

AbstractmdashBitcoin is the leading example of a blockchainapplication that facilitates peer-to-peer transactions without theneed for a trusted third party This paper considers possibleattacks related to the decentralized network architecture ofBitcoin We perform a data driven study of Bitcoin and presentpossible attacks based on spatial and temporal characteristics ofits network Towards that we revisit the prior work dedicatedto the study of centralization of Bitcoin nodes over the Internetthrough a fine-grained analysis of network distribution andhighlight the increasing centralization of the Bitcoin network overtime As a result we show that Bitcoin is vulnerable to spatialtemporal spatio-temporal and logical partitioning attacks withan increased attack feasibility due to the network dynamics Weverify our observations by simulating attack scenarios and theimplications of each attack on the Bitcoin network We concludewith suggested countermeasures

I INTRODUCTION

Blockchain is a new paradigm for distributed computingwith Bitcoin being its most popular application [41] [48] Dueto its high market share of over $110 billion USD [10] Bitcoinhas been a lucrative target of attack for adversaries who havebeen mainly targeting Bitcoinrsquos exchanges the blockchainfabric and nodes involved in Bitcoinrsquos network

In this paper we analyze the peer-to-peer model of cryp-tocurrencies and associated security In particular throughnetwork data analysis (sectIV) we uncover and exploit theincreasing centralization of Bitcoin nodes over the Internetthe non-uniform consensus among peers and the softwarediversity of Bitcoin clients to devise and optimize partitioningof the Bitcoin network We outline spatial temporal spatio-temporal and logical attacks exploiting various aspects ofBitcoin dynamics Some of those attacks are not new Forexample in 2014 an attacker from a malicious ISP hijackedIP prefixes of 19 Internet providers to isolate Bitcoin traffic andsteal $83000 USD worth of bitcoins [29] as an instance of thespatial attack This attack has been formalized and examinedin [3] Our work shows that the network has become morevulnerable due to increasing centralization

In 2017 13 ASes hosted 30 Bitcoin nodes while 50 ASeshosted 50 Bitcoin nodes [3] In our analysis started onFebruary 28 2018 we found that only 8 ASes host 30 ofBitcoin nodes and 24 ASes host 50 of Bitcoin nodes Atthe organization-level we found that only 13 organizationshost 50 of the Bitcoin nodes Among them only two orga-nizations host 657 of Bitcoin hashing rate with the lead-ing organization (AliBaba) having a 594 share of Bitcoinhashing rate At the network level we exploit the increasingcentralization (sectV-A) to show empirically that an adversary caneasily partition the network spatially through BGP hijackingcausing a ldquohard forkrdquo by controlling a limited number of ASesAt the AS level we show a pattern of IP prefix distribution

in some cases hijacking as little as 20 prefixes would give theadversary control over more than 80 of the Bitcoin nodesresiding within this AS At the organization-level we uncoverthat multiple ISPs control more than one AS amplifying thecentralization effect and facilitating new attack avenues

Unique to our study we exploit the non-uniform consen-sus among peers for optimized temporal attacks (sectV-B) Weobserved thatmdashdue to latency and malicious peer behaviormdashthere is a lag in consensus and block propagation Through ouranalysis we found that even 5 minutes after the publicationof a block asymp627 of nodes in the network remain behindthe latest block by one or two blocks We show that sucha behavior can be exploited to optimize an attack in whichthe adversary can feed false blocks to nodes and temporallypartition the network Considering the ethical ramifications oflaunching these attacks in practice we instead use simulation-based models to validate our findings Through simulationswe show that an attacker with asymp 30 hash power can misleadnodes that are behind the main chain

To optimize spatial and temporal attacks we explore thespatio-temporal attack vector (sectV-C) By observing that only5 ASes hosted asymp30 of synchronized nodes this attackconsiders them as more valuable targets thus reducing theattackerrsquos effort Observing the presence of more than 200 Bit-coin software versions demonstrating high software diversitywe outline a logical attack in which an adversary manipulatesthe client behavior to partition the network (sectV-D)

Little work has been done on measuring temporal behaviorsin the Bitcoin network for attacks Apostolaki et al [3]performed a data analysis on Bitcoin to understand AS-level centralization of nodes and miners and presented thepossibility of routing attacks However their work was limitedto spatial attacks at vantage points on the Internet which wedemonstrate more effective due to network centralizationContributions and Roadmap In summary we make thefollowing contributions 1) Through data-driven analysis weprovide deeper insights into the Bitcoin network by outliningcharacteristics distribution location and performance of fullnodes 2) Embracing various characteristics of the network wepropose several directions of attacks and validate them throughdata analysis and simulations We outline demonstrate modeloptimize and evaluate spatial temporal spatio-temporal andlogical attacks 3) We discuss possible countermeasures toaddress those attacks Through the rest of the paper in sectIIwe outline the Bitcoin network model and in sectIII we outlinethe threat model and adversarial capabilities We provide ourpreliminary analysis in sectIV In sectV we discuss the partitioningattacks on Bitcoin network and in sectVI we explore the possiblecountermeasures for each attack That is followed by relatedwork and conclusion in sectVII and sectVIII respectively

B2B1B3B2B1B4B3B2B1

B3B2B1B4B3B2B1

F1

Light Nodes

F2 F3 F4

F5Light Nodes

B4

Fig 1 Bitcoin illustration with full nodes and lightweight nodes Lightweightnodes only have the view that their associated full nodes provide Full nodesF1 F2 and F5 have updated views while F3 and F4 are 1-2 blocks behind

II THE BITCOIN NETWORK MODEL

The Bitcoin network consists of nodes connected in a peer-to-peer model Upon joining the network nodes connect toeach other using public IP addresses and use the gossipprotocol to exchange network information such as transactionsblocks and addresses There are special nodes in the networkcalled miners that are responsible for extending the blockchainby creating new blocks [44]

Ideally all the participating nodes in the network need tohave an updated copy of the blockchain but the growingsize of the chain makes it infeasible to be used on smartdevices For example the current blockchain size in Bitcoinis approximately 150GB [52] and if a user wants to useBitcoinrsquos services on his smart phone he might not be ableto download the complete blockchain and become part of thenetwork To address this problem third party services such asBlockchaininfo [33] provide an easy access to such clients bydownloading Blockchain and providing access to smart deviceusers Blockchaininfo maintains an active node in Bitcoin thatkeeps track of all transactions and blocks and replicates thenetwork view to all of its customers Therefore the currentBitcoin network is structured into full nodes that are activein the main network and lightweight nodes that use servicesof full nodes In Figure 1 we provide an illustration of thismodel For more information regarding the full nodes and thelightweight nodes we refer the reader to [26]

III THREAT MODEL

In this section we outline the basics of partitioning attackson Bitcoin and describe our threat model Through data-drivenanalyses we establish the modus operandi of the Bitcoinnetwork and describe capabilities needed by the adversaryto partition the network spatially and temporally Towardsthat we revisit Apostolaki et alrsquos work [3] (referred to asthe ldquoclassical attackrdquo) providing a baseline for partitioningattacks We highlight new targeted attacks on the network byintroducing temporal spatio-temporal and logical partitioningattacks which have not be identified before

For the spatial partitioning we assume the adversary tobe an autonomous system (AS) an ISP organization or anation-state An AS hosting a fewer Bitcoin nodes can launcha BGP attack on another AS that hosts more nodes As aresult it can hijack the Bitcoin traffic isolate the miningpower or simply harm the reputation of the target AS Fortemporal attacks we assume a malicious mining pool thatattempts to fork the network and deprive an honest minerfrom block rewards With soft forks the adversary aims tocreate a temporary imbalance in system ramifications suchas transaction processing and by hard forks it attempts to

permanently split the network with diverging views Finallyfor logical attacks we assume the adversary to be a softwaredeveloper capable of exploiting bugs in the Bitcoin softwareclient Additionally due to the centralization of Bitcoin trafficand a shift in country-level policies towards Bitcoin we do notexclude the possibility of a nation-state adversary As such anation-state can partition the network by blocking the flowof traffic through its ASes and organizations Countries suchas Bolivia Kyrgyzstan and Nepal have permanently bannedBitcoin and its exchanges [54] If China for example decidesto ban Bitcoin it will have a significant impact on the healthof the Bitcoin network since 60 of the mining traffic goesthrough China (as shown in Table IV)Adversarial View We assume that the adversary has a consis-tent view of the network similar to the one available to us forconducting our analysis The adversary will have access to thefollowing information 1) The top ASes and organizations thathost a maximum number of nodes and their distribution overtime 2) The temporal spread of block information among allnodes in the network upon block broadcast 3) The vulnerablenodes in the network based on their location uptime latencyconsensus time and neighboring peers 4) The vulnerablenetwork entities (ASes and organizations) based on their publicinformation such as BGP prefixes neighboring ASes locationand routing informationAdversarial Capabilities In the threat model adversarieshave unique capabilities For example a malicious AS ororganization will have the ability to announce false routinginformation to other ASes and separate the target AS fromneighboring nodes This in turn can disrupt the exchange oftransactions blocks and mining information thereby affectingfull nodes lightweight nodes and mining pools

For temporal partitioning the adversarial mining pool willhave a consistent view of the network which will allow it toidentify nodes that are behind the blockchain Obtaining thisinformation is not challenging since various Bitcoin crawlersare available and can be used to access the blockchain view ofnodes in Bitcoin [15] This can be exploited by the maliciousmining pool to identify vulnerable nodes that are 1ndash5 blocksbehind A malicious miner for instance can mislead thosenodes by propagating false information in the network Doingso may create a temporary or even a permanent partitioning inthe network where a group of nodes are misled into followinga counterfeit blockchain

IV PRELIMINARY ANALYSIS

A Data CollectionFor our analysis we crawled data from Bitnodes [15] which

is a Bitcoin service supported by Earncom [16] Bitnodesmaintains a persistent connection with all reachable nodes byrunning a full node that connects to the rest of the network Af-ter connecting with all nodes Bitnodes uses inventory message(inv) and data messages (getdata getblock gettransaction) toget recent blocks and transactions from each node (for moreinformation regarding these protocol messages we refer thereader to the Bitcoin protocol documentation [13]) For eachnode Bitnodes records the response time to calculate usefulinformation such as the latency the uptime and the latestblock etc From IP addresses it determines the correspondingAS organization and location of a node

We used the information provided by Bitnodes to developanother crawler atop Bitnodes to acquire data and store it in

our local database We ran the crawler on our campus serverfor two months and our complete dataset spans two months ofBitcoin network information with an aggregate size of 80GBIn summary we were able to collect the Bitcoin networkinformation sampled at every 10 minutes to analyze consensusdistribution after each published block and at every 1 minuteto observe consensus pruning in the network in-between thepublication of two successive blocks

B MethodologyIn our initial experiments first we cross-validated the infor-

mation provided by Bitnodes We mapped the crawled IP ad-dresses to a commercial-grade geo-mapping dataset obtainedfrom Digital Envoy (DE) [42] The DE dataset mapping ofBitnodes IP addresses validated the information in our datasetregarding ASes and organizations After establishing datareliability we performed a series of experiments to analyzethe configuration of the network and the distribution of nodesacross ASes and organizations The initial results gave us aholistic view of the network and its centralization which weused to describe spatial partitioning attacks

Next we analyzed the consensus distribution among nodesbased on their view of the blockchain We recorded the latestblock published by miners in the network and the most recentblock that every node had The difference between the twodenoted how far behind the node was from the network Asshown in Figure 1 nodes F3 and F4 are 1-2 blocks behindthe main chain Therefore they provide an outdated view ofnetwork to their lightweight nodes This information can beused by the attacker to lure them into a counterfeit networkby feeding them bogus blocks or a different blockchain Weleveraged this information to outline temporal partitioningattacks that can be launched on Bitcoin network to isolatenodes based on their outdated view Our results showed thatdynamics of Bitcoin network are not consistent over time andthere are vulnerable spots for an attacker who can connect toa group of nodes and partition themExperiments and Simulations We modelled and simu-lated partitioning attacks on Bitcoin based on the data thenetwork view and adversarial capabilities Our simulationsaccurately reproduced the vulnerable state of the network thatwas observed in our data analysis By causing non-targetedcommunication errors forks were created that resembled thoseoccurring naturally when the network is not synchronizedBitcoin forks have been observed up to a height of 13 andcan enable double-spending [35] As in the real network thesimulator resolved forks within two or three block intervalswith all nodes joining the longest chain The simulationshowed that partitioning attacks can create and exploit suchforks using targeted communication disruption holding themopen long enough to achieve attack objectives

C Measurements and ObservationsBelow we discuss some key observations we made during

the preliminary analysis on the Bitcoin network on February28 2018 We show the number of full nodes in the networkand their distribution with respect to IP addresses link speedlatency and block index

The network snapshot showed that there were 13635 fullnodes in the Bitcoin network This shows that the size of theactual network is small compared to SPV clients consideringthat Blockchaininfo alone hosts 23ndash5 million users [32] At

TABLE IOVERVIEW NODE CHARACTERISTICS OBSERVED ON FEB 28 2018 NOTETHAT THE IPV4 AND IPV6 NODES ARE SIMILAR IN LINK SPEED (MBPS)LATENCY AND UPTIME INDEX WHILE TOR NODES HAVE MUCH HIGHER

LINK SPEED AND LOW LATENCY

Link Speed Latency Index Uptime IndexType Count micro σ micro σ micro σIPv4 12737 2504 25880 070 045 068 044IPv6 579 2306 24536 086 035 067 042TOR 319 43267 10465 024 025 076 037

the time of data collection 11382 (8347) nodes were upwhile 2253 (1652) nodes were down Only 6155 (4514)nodes had the most updated copy of the blockchain while7480 (5486) were 1 or more blocks behind We also makeuse of peer information maintained by Bitnodes to characterizecertain properties of nodes including the latency index theuptime index and the block index Each of these indicatorscan be used to profile the given node in the network

Among the full nodes 12737 (9341) had IPv4 addresswhile 579 (424) had IPv6 address The remaining 319(233) full nodes had onion addresses meaning that theywere using TOR services to run Bitcoin The average linkspeed of the IPv4 and IPv6 was 2504 Mbps and 2306 Mbpsrespectively Their latency index block index and uptimeindex were also similar to one another On the other handTOR nodes had a high average links speed of 43267 Mbpsapproximately 17 times higher than the average link speed ofIPv4 and IPv6 nodes respectively Consequently they also hadlow latency and higher uptime index We report our findingsfrom preliminary analysis in Table I

V PARTITIONING ATTACKS ON BITCOIN

Based on our preliminary analysis we propose four typesof partitioning attacks that can be launched on the Bitcoinnetwork The fundamental premise of each attack is related tothe spatial positioning of nodes the topological symmetry ofthe network the temporal consensus over the blockchain stateor the client side software used by nodes to run Bitcoin Wedefine these attacks as spatial temporal spatio-temporal andlogical partitioning attacks respectively

A Spatial PartitioningIn this section we analyze the centralization of full nodes

and mining pools across ASes and organizations Towards thatwe revisit the prior work to evaluate the classical attack anddemonstrate that over time the Bitcoin network has furthercentralized and become more vulnerableAttack Objectives The objective of spatial partitioning is toisolate Bitcoin nodes The objective can be purely to isolateminers and restricting their access to the network or eclipsingan entire AS that hosts a large fraction of nodes A mining poolmight launch such an attack against its competitor to increaseits chances to publish more blocks A competing cryptocur-rency can launch this attack to affect Bitcoinrsquos reputationAttack Procedure In Figure 2 we provide an illustrationof a BGP attack which can be launched by a maliciousorganization or an AS In this attack the malicious ASannounces prefixes that belong to the victim AS As shownFigure 2 organizations D and E can launch BGP attacksagainst organization F and B respectively by broadcastingmore specific prefixes Moreover the attack can be mademore targeted by announcing prefixes addressing only Bitcoin

AS100 17000116

AS200 19000116

AS600 220500016 AS-700 230500016

AS300 180500016

AS500 2005050024

AS4002105050024

A B

C D

BGP Routing Among ASes

AS600 2205050024

AS-700 2305050024

AS500 200500016

AS400210500016

E

F

BGP Hijacking by D and E

Fig 2 Network topology consisting of organizations ASes and full nodesOrganizations D and E can launch BGP attacks against F and B respectively

TABLE IIA VIEW OF TOP TEN ASES AND ORGANIZATIONS IN BITCOIN ON

FEBRUARY 28TH 2018 THE TABLE SHOWS THAT BITCOIN IS MORECENTRALIZED WITH RESPECT TO ORGANIZATIONS THAN ASES AS24940

INTERCEPTS THE MAXIMUM BITCOIN TRAFFIC

ASes of Nodes Total Nodes Organizations of Nodes Total Nodes AS24940 1030 754 Hetzner Online GmbH 1030 754AS16276 697 511 Amazoncom Inc 756 554AS37963 640 469 OVH SAS 700 513AS16509 609 447 Hangzhou Alibaba 640 469AS14061 460 337 DigitalOcean LLC 503 369AS7922 414 304 Comcast Communication 414 304AS4134 394 289 No31 Jin-rong Street 394 289TOR 319 234 TOR 319 234AS51167 288 211 Contabo GmbH 288 211AS45102 279 205 Alibaba (China) 279 205

nodes This attack relies on two major factors the total numberof ASes and organizations and the total number of nodeshosted in each of them In particular if the total numberof ASes and organizations hosting full nodes is large theattack becomes costly Similarly if the number of nodes isconcentrated within a few ASes that makes a better targetrather than attacking arbitrary ASes with fewer nodes Toevaluate that we carried out two experiments to observethe total number of ASes hosting Bitcoin nodes and thedistribution of nodes among those ASesPractical Considerations Our results show that the fullnodes in Bitcoin are highly centralized at the AS and organi-zation level Compared to [3] the network has become evenmore centralized and more vulnerable to BGP hijacking androuting attacks In particular we observed that among the totalof 84903 ASes in the world [45] only 8 (00094) ASeshost 30 Bitcoin nodes 24 (0028) ASes host 50 while1660 (195) ASes host 100 Bitcoin nodes This shows asignificant difference in the number of ASes that host 50 and100 full nodes To understand that we plot CDF of ASesthat host the traffic of full nodes in Figure 3

Similarly we observed that the top 8 organizations in-tercepted 30 Bitcoin traffic and the top 13 organizationsintercepted 50 traffic collectively We also noticed that eachorganization controlled one or more ASes alluding to thepossibility of a fine-grained partitioning attack

In Table II we show the top 10 ASes and organizationsalong with the percentage of total nodes that they host Wegroup TOR nodes and treat them as a single AS AS24940hosts 754 nodes and its corresponding organization HetznerOnline also hosts 754 nodes meaning that the Bitcoin trafficrouted by Hetzner Online entirely goes through AS24940On the other hand Amazoncom routes 554 of the trafficwhile AS16276 intercepts 511 traffic This shows thatAmazoncom owns another AS besides AS16276 that alsoroutes traffic This model can be observed in Figure 2

As outlined in Figure 3 50 of the Bitcoin networkis hosted by 21 organizations and 24 ASes respectivelyMoreover 30 of the traffic is hosted by 8 organizations andASes respectively Prior work [3] done in 2017 showed that

0

02

04

06

08

1

0 2 4 6 8 10 12 14 16

CD

F o

f F

ull

Nodes

ASes and Organizations (x100)

OrganizationsASes

Fig 3 CDF of the Bitcoin full nodes in ASes and organizations

TABLE IIIDISTRIBUTION OF BITCOIN FULL NODES OVER TIME

2017 2018 Change ASes with 50 nodes 50 24 52ASes with 30 nodes 13 8 38

50 of the network was hosted by 50 ASes and 30 of thenetwork was hosted by 13 ASes To understand the changein the network let N1 be the number of nodes comprisingp of the network in 2017 Let N2 be nodes comprisingthe same p of the traffic in 2018 We define the changein the centralization of the network as C = (N1minusN2)times100

N1 and provide the results of change in Table III Notice thatover one year 50 nodes have been centralized by a factorof 52 The prior work did not look into the distribution ofnetwork with respect to organizations so we do not have abaseline for comparison Although it can be observed fromour data and plots that full nodes are more concentrated atthe organization level

Mining pools are another important part of Bitcoin sincethey are responsible for extending the blockchain and main-taining its state Mining pools consist of miners on the Internetcommunicating via a special mining protocol known as theldquoStratum Mining Protocolrdquo [14] All miners compute PoW andsend the result to the stratum server address specified by themining pool The stratum address is made public by the miningpool As such if the link to the stratum server is compromisedthe mining pool gets disconnected and its aggregate hash ratedecreases To analyze the distribution of stratum servers wecarried out two experiments First we gathered informationabout major mining pools in Bitcoin and their hash rate fromBlockchaininfo [8] results are reported in Table IV Nextwe selected the top 5 mining pools which had an aggregatehash rate of 65 of the total in the Bitcoin network We thencollected the stratum address of the selected mining pools fromtheir websites and traced the IP address corresponding to eachstratum address [9] [2] [22] We mapped each IP address tothe AS hosting the stratum server We found that 3 ASes had65 of Bitcoin mining pool traffic while one organizationldquoAliBabardquo alone had more than 50 of the Bitcoin miningpool traffic We report our results in Table IV In the lightof our threat model and given an adversary capable of BGPhijacking policy enforcement at an organization level orcollusion having an organization hosting more 50 of themining power makes such an attack even more effectiveAttack Validation In this section we will validate ourobservations and hypothesis regarding BGP hijacking on Bit-coin ASes and organizations BGP routing attacks on Internethappen frequently In 2008 a service provider from Pakistanhijacked Youtube traffic by announcing more specific BGPprefixes than the ones announced by Youtube [28] Similarly

TABLE IVTOP 5 MINING POOLS PER HASH RATE ASES AND ORGANIZATIONS657 MINING DATA GOES THROUGH ONLY THREE ORGANIZATIONSALIBABA HAS A VIEW OF AT LEAST 60 OF THE MINING DATA WE

EXCLUDE THE REMAINING 12 MINING POOLS FROM THE STUDY AS THEIRTOTAL CONTRIBUTION TO HASH RATE IS MINIMAL

Mining Pool H Rate ASes OrganizationsBTCcom 25 AS37963 Hangzhou Alibaba

AS45102 AliBaba (China)Antpool 124 AS45102 AliBaba (China)ViaBTC 117 AS45102 AliBaba (China)BTCTOP 103 AS45102 AliBaba (China)

F2Pool 63 AS45102 AliBaba (China)AS58563 Chinanet Hubei

12 others 343 mdash mdash

0

02

04

06

08

1

0 20 40 60 80 100 120 140 160

Fra

ction o

f N

odes H

ijacked

Number of BGP Hijacks

AS24940 (51 prefixes)AS16276 (104 prefixes)AS37963 (454 prefixes)

AS16509 (2969 prefixes)AS14061 (1430 prefixes)

Fig 4 CDF of top 5 ASes vulnerable to BGP attacks The key shows totalBGP prefixes announced by AS For 8 ASes 80 nodes can be isolated byhijacking 20 BGP prefixes

in 2014 a Canadian ISP hijacked prefixes of 19 organiza-tions hosting Bitcoin traffic including Amazon OVH DigitalOcean LeaseWeb and Alibaba [29] In 2017 alone 14000BGP attacks were launched against major ASes [46]

To validate the attack and its impact we selected the top5 ASes from Table II and enumerated the IP addresses offull nodes hosted by these ASes Next we grouped the IPaddresses based on the BGP prefixes announced by each ASWe then calculated the number of BGP prefixes required toisolate a percentage of full nodes hosted by the AS As a resulta group of full nodes sharing the same BGP prefix can allbe compromised if the BGP prefix is hijacked We report ourfindings in Figure 4 where we show that except for AS1650995 of full nodes in all other ASes are vulnerable oncefewer than 40 BGP prefixes are hijacked AS24940 whichhosts 1030 nodes can be compromised by hijacking only 15BGP prefixes while it takes more than 140 BGP prefixesto compromise AS16509 which hosts 609 nodes Taking thenumber of isolated nodes as an advantage and the number ofprefixes to be hijacked as an effort AS24940 will be morecostly with smaller advantage than AS16509Implications Spatial partitioning is detrimental to the Bitcoinnetwork as it facilitates other major attacks including double-spending attacks eclipse attacks and the 51 attack Asshown in Table IV if an attacker hijacks 3 ASes he can isolatemore than 60 of the Bitcoin hash power As Figure 4 showsthat by hijacking 15 BGP prefixes the attacker can cut 95traffic of AS24940 that hosts 1030 full nodes By isolating thehash power an attacker can cause delays in the block creationand the transaction confirmation

If the attacker is a mining pool with lower hash rate itcan launch the attack on competing mining pools and deprivethem of their mining rewards By isolating a majority of thenetworkrsquos hash power the attacker can launch the 51 attackon Bitcoin which will grant him a permanent control overthe blockchain Furthermore in peer-to-peer settings nodesare responsible to relay blocks and transactions to each other

By hijacking a subset of nodes the attacker can introduce acascade effect in which propagation of blocks and transactionscan be stalled the attacker does not have to isolate all nodes byhijacking all BGP prefixes in an AS Isolating a major subsetof nodes can eclipse the entire AS

B Temporal PartitioningTemporal partitioning involves isolation of a group of nodes

in the network that are some blocks behind the rest of thenetwork As shown in Figure 1 three nodes have the mostupdated copy of the blockchain while nodes F3 and F4 are 1ndash2 blocks behind These nodes might be behind the main chaindue to a number of reasons such as the network latency a lowbandwidth software malfunctions or a malicious peer There-fore these nodes have an outdated view of the blockchainand remain vulnerable to partitioning attacks In Figure 5 weprovide an abstraction of the temporal attack that exploits thevulnerable nodes and introduces a soft fork in the networkAttack Objectives The objective of the temporal partitioningis the isolation and subversion of nodes or a group of nodeswithin the network Latency in updating the blockchain is awell known vulnerability of Bitcoin which is confirmed inour data Propagation delays are known to be key contributorstowards the latency [19] Propagation delays are influenced bythe number of hops between nodes due to sparse peering andthe time required by software clients to verify and forwarda block Solutions have been proposed that cluster nodesto reduce latency [49] [23] but the authors note this mayincrease the potential for partitioning attacks This indicatesa trade-off between spatial and temporal vulnerability Alsocontributing to the node latency are communication failuresand the behavior of nearby peers The adversary would seekto disrupt communication and control peers where the attackis launched It is inexpensive to setup new nodes on theBitcoin network for this purpose The adversary would wantto separate and control nodes which are not up to date withthe main network Under normal operation those nodes mighteventually catch up with the network but an adversary willprevent that from happeningAttack Procedure Analysis of Bitcoin nodes over a periodof days shows several times a day when a significant fractionof nodes are not up-to-date We report our findings in Figure 6In Figure 6 the x-axis denotes a time-index for networkobservations (one observation every 10 minutes in Figure 6(a)and Figure 6(b) and one every minute in Figure 6(c)) The y-axis is stacked meaning that curves are cumulative The greenpart shows nodes that are up-to-date the yellow part showsnodes that are 1 block behind and the purple part shows nodesthat are 2-4 blocks behind The remaining colors and theirdescriptions are in the figure

From Figure 6(a) we were able to make following obser-vations 1) Generally a majority of nodes (asymp 50) remainssynchronized on the blockchain state These nodes do not lagbehind in the main chain for a long duration 2) 10 nodes areforever behind the main blockchain They do not update theirblockchain and as such they have no benefit in the network3) 30-40 nodes in Bitcoin occasionally waver in terms oftheir view of the blockchain Possibly due to network latencyor consensus delay they lag behind the most recent block

To further study the distribution of consensus in the net-work we take a single day snapshot of the network to observeconsensus pruning among all nodes From the view of an

Synced Nodes

Behind Nodes

Attacker

Partitioned Blockchain

Fig 5 An illustration of the temporal attack The attacker establishes connections with nodes and identifies vulnerable nodes that have an outdated viewVulnerable nodes have have not been provided new blocks by surrounding peers which shows their weak relationshipconnectivity We annotate this weakrelationship with dotted lines The attacker feeds his copy of blocks to vulnerable nodes thereby partitioning the network into two conflicting chains

0 1000 2000 3000 4000 5000Complete View (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(a) General trend of the network

0 20 40 60 80 100 120 140One Day Snapshot (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(b) One day snapshot

0 50 100 150 200 250Data Points (One Minute Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(c) Consensus between block propaga-tion

Fig 6 Temporal consensus in Bitcoin network Y-axis denotes number of nodes in 1000 In each figure green region denotes the up-to-date blocks Yellowregion denotes 1 block behind Purple blue and magenta regions represent nodes that are 2ndash4 5ndash10 and ge 10 blocks behind respectively Figure 6(a) showsthe overall network Figure 6(b) shows a day (March 25) that offers greater attack opportunity and Figure 6(c) shows consensus pruning during 10 minutes

attacker with higher granularity there is a better vantage pointto attack a group of nodes Focusing on a single day shownin Figure 6(b) we observed that some yellow and purple spikesare larger and wider than others The height of a spike denotesthe count of nodes that are behind the updated nodes whilethe width indicates the length of time for which they remainbehind the updated nodes

From Figure 6(b) with a closer look at the network wemade the following observations 1) Consensus pruning is notuniform across the network 2) The most frequent delay amongthe blocks is 1 block indicated by yellow region followed2-4 blocks indicated by the purple region 3) On variousoccasions yellow and purple spikes can reach up to 7000nodes approximately 90 of the network can be partitionedif an attacker isolates them

In Bitcoin on average a block is published after every 10minutes Once a block is published ideally the network isexpected to be synchronized within 10 minutes before thenext block is computed However network synchronizationis an artifact of time and fairness of the network In theprevious two experiments we observed that with fine grainedsampling on a given day the attacker can isolate a group ofnodes which are behind the main chain To further analyzethis behavior we performed another experiment that involvedper-minute sampling of network Our objective was to observethe distribution of consensus among peers immediately afterbroadcast of one block and before the broadcast of the nextone We plot the results obtained from the third experimentin Figure 6(c) It can be observed in the figure that thereare vulnerable spots in the network in which up to 90 ofthe network is 1-4 blocks behind As such the non-uniformconsensus pruning presented itself as an attack opportunitywhereby an attacker can find a time window to isolate agroup of targeted nodes In Figure 6(c) the width of nodesthat are behind show the attack time window while the heightrepresents the number of vulnerable nodes

This becomes an optimization problem to find the momentwhere a majority of nodes is behind for the longest attack

TABLE VTHE MAXIMUM NUMBER OF VULNERABLE NODES

T (minutes) ge 1 block ge 2 blocks ge 5 blocks

5 6280(6267) 3206(3199) 966(968)10 1761(2713) 1189(1187) 955(953)15 1141(1139) 1083(1081) 952(1200)20 1109(1397) 1023(1576) 947(1193)25 1070(1068) 1013(1561) 942(940)30 1042(1039) 984(982) 942(939)40 1040(1037) 984(982) 940(938)70 1036(1034) 976(974) 929(927)

200 908(908) 887(882) 821(816)

window The attackerrsquos timing constraints include the time tocalculate false blocks and establish connections to vulnerablenodes Hence to identify vulnerable nodes we formulate thetemporal attack as an optimization model Given a timestampt and a timing constraint T find the maximum number ofvulnerable nodes whose lagging time L(t) is at least TLagging time L(t) of a node is defined as minimum timing forthis node to catch up to the main blockchain if it lags behindat t The objectives of this formulation are as follows 1) Byidentifying maximum nodes that were lagging concurrentlyattacker could isolate them and mislead them with false blocks2) By investigating all possible timestamps an attacker couldfind an optimal time to attack those nodes

We identify nodes whose historical behaviors show theirvulnerability to temporal attacks and record their resultsin Table V Note that at any time the total number of nodesin Bitcoin fluctuates between 8kndash13k For any time windowwe are interested in finding the maximum percentage ofvulnerable nodes for that window As such the normalizationparameter represented by the total number of nodes at thattime may change which results in an increasing percentagefor a decreasing number of nodes in Table V For instancefor 6280 nodes the total number of nodes was 10020 whichis about 6267 On the other hand for 908 nodes the totalnumber of nodes was 10000 which approximates to 908We tested with a variety of timing constraints T and presentthe results that best suit the attacker The first column showsdifferent T values the secondthirdforth columns show the

maximum number of nodes that lag behind main chain for atleast 125 blocks respectively The decreasing of maximumnumber of nodes along with the increasing of timing con-straint shows the fact that the longer time it takes to implementan attack the fewer choice of vulnerable nodes is availableWe noticed that there were moments in which a majority ofnodes in the network (ge 50) was at least 1 block behind formore than 5 minutes and up to 20 nodes lagged behind themain chain for more than 15 minutes

With this information we perform a theoretical analysison the timing threshold T that is suitable for the attacker toisolate a targeted set of m nodes We assume the attackerwants to isolate m nodes which requires the attacker to createconnections to these nodes and feed them its own versionof block We model the required timing for this process asan exponential distribution by rate λ In 2015 the Bitcoincommunity switched from a traditional gossip-style protocolknown as trickle spreading to diffusion spreading in which theinformation propagates with independent exponential delaysThis method of modeling Bitcoin connections has been usedin prior work as well by Fanti et al [24] Using that thetiming of the attacker to connect to a node is

f(t) = λeminusλt F (t) = 1minus eminusλt (1)

where f(middot) F (middot) are probability density and cumulative dis-tribution functions Given timing assigned to isolate m nodesis T = (t1 tm) The probability that an attacker isolates mnodes under T derived from Cauchy inequality theorem is

ρ(T ) =mprodi=1

(1minus eminusλti) le(1minus

summi=1 e

minusλti

m

)m(2)

Theorem 1 (Cauchy Theorem) Let x1 x2 xn are n non-negative numbers then

nprodi=1

xi le(sumn

i=1 xin

)nlesumni=1 x

ni

n(3)

Both equalities occur if and only if x1 = x2 = = xnNow consider a timing constraint T in which the attacker

wants to isolate all m nodes This means that the timingassignment T should satisfy

summi=1 ti le T So

ρ(T ) le (1minus eminus λm T)m (4)

With timing constraint T the attacker will have at most(Tm

)choices for timing assignment T By union bound the

probability p to isolate m nodes within T is bounded by

p le b(m T) =

(T

m

)(1minus eminus λ

m T)m (5)

Given m b() is monotonically increasing by T Thereforegiven a successful probability p we can infer a lower boundof T by binary bisection We experiment with the relationshipamong values of m T and λ We set the targeted successfulrate of attacker p as 08 and test it with various values ofλ The results are recorded in table VI Column labels showdifferent values of m nodes that the attacker aims to isolateand row labels show values of λ Values in each cell denotethe bound of T such that within this bound the attacker canisolate m nodes under delay rate λ with probability of at least08 For example with λ = 08 and m = 500 it would takeonly 589 seconds (approximately 10 minutes) to isolate all m

TABLE VIMINIMUM TIMING CONSTRAINT T (SECONDS) TO ISOLATE m NODES

UNDER THE GIVEN RATE λ

λm

100 300 500 800 1000 1200 1500

04 142 424 705 1127 1610 2313 351705 133 397 661 1057 1320 1851 281406 127 379 630 1007 1258 1545 234507 122 365 607 970 1213 1455 201008 119 354 589 942 1177 1412 176509 116 346 575 920 1149 1379 1723

nodes with probability at least 08 500 is much smaller thannumber of vulnerable nodes in 10 minutes timing constraint(from table Table VI there can be 1761 vulnerable nodeswithin T = 10 minutes) Therefore we conclude that Bitcoinis highly vulnerable to temporal attacksSimulation and Attack Validation To validate the insightsobtained from our data and theoretical analysis we developeda simulation model in R to test temporal attacks The simulatorwas tested in base simulation scenarios such as zero and per-fect communication among nodes As an internal error checkand to make the simulation more realistic each simulated nodemaintains a 64-bit MD5 hash linked chain of values updated toits current fork By adjusting parameters the simulation wascapable of accurately representing the state of the network aswe observed in our dataset

The default number of Bitcoin peers is 8 which is used inour simulation Studies have shown that peers are distributedand can be associated with any AS [23] Our experimentaldata confirmed this distribution Following this the peerswere evenly distributed in terms of communication errors andlatency Peer communication failure rate is represented by amodel parameter typically around 10 percent failures Thelatency is represented by the number of communication timesteps per simulation block This is scaled according to thesimulation size Each time step represents one peer-to-peercommunication attempt for each node

The simulation was used to model information flow throughthe network under different attack scenarios A network of10000 nodes can be simulated using a square grid of size 100We ran simulations using the entire network For clarity a gridof size 25 (116 of the active nodes) is shown in the figuresThis grid ran faster is easier to read and well simulated exper-imental results Using different scaled network simulations wediscovered that the upper limit of Decker and Wattenhoferrsquosnode propagation delay Tdelay can be expressed as a ratio ofthe block interval divided by the network diameter Taking theinverse of this ratio we arrive at a non-dimensional parameterthe span ratio representing how many times information cantravel from one side of the Bitcoin network to the other duringthe block interval Assuming a square grid network diameter isproportional to the square root of the number of nodes A givenspan ratio Rspan with the Bitcoin block interval Tblock thusyields a maximum propagation delay to maintain the state of anetwork of N nodes Tdelay = Tblock(Rspan lowastN05) As theBitcoin network grows a smaller propagation delay is requiredto synchronize peers Specifically Tdelay is inversely related tothe square root of the number of nodes The maximum valueof Rspan in simulation was 20 corresponding to a 3 secondinterval per peer communication in the actual network of10000 nodes With reasonable values for the communicationfailure such a small time step resulted in a network that wasfully updated between blocks Therefore Rspan = 20 is agood target for blockchain synchronization

(a) Time Step 151 (b) Time Step 201 (c) Time Step 251

Fig 7 Simulation of temporal attack Figure 7(a) shows fork B emerging at node [77] Compare the color distribution to the peaks of Figure 6(c) aboveTwo blocks later in Figure 7(b) fork B has control of 16 of the nodes In Figure 7(c) the longer chain A overwhelms fork B but has lost synchronizationso cannot prevent emergence of a new fork C

Figure 7 shows a sample of results obtained from simula-tion where the attacker has 30 of the network hash rateOnce a portion of the network is isolated it can be sustainedwith successive forks since the isolated nodes naturally as-sume that block delays are due to network issues As suchthey do not know that new blocks are taking more time tocalculate due to the lower hash rate of the attacker Meanwhilethe main chain loses some of its hash rate and is thereforeless capable of responding Note that the cost of launching atemporal attack is much less than the spatial attack providedthat the attacker has the consistent view of the network asshown in Figure 6Implications Even a short term fork in the network wouldcause sufficient disruption to invalidate transactions Suchan attack is likely to result in significant loss to networkstakeholders Quantifying the impact of adverse events onBitcoin has been inconclusive [25][20] and is dependent uponuser perception [43] However once the targeted nodes areisolated as shown in Figure 5 the soft fork will create atemporary partition in the network The isolated nodes willbe following a counterfeit blockchain with different transac-tions from the main chain Therefore when nodes recoverfrom the fork the attackerrsquos blocks will be rejected and alltransactions belonging to legitimate users in those blocks willalso be reversed This will require a major update on the setof all UTXOrsquos at each node and a system-wide check onthe transactions being reversed Standing out in our analysisis the observation that Bitcoin has a level of asymmetricvulnerability With a market capitalization of o(1011) USD andnetwork configuration of o(104) nodes each full node is wortho(107) USD However the cost of disrupting the network isfar less than the value being impacted which makes Bitcoinan economically attractive target for temporal attacks

C Spatio-temporal PartitioningIn this section we analyze how an attacker can make use

of spatial and temporal distribution of nodes over time tofind vulnerable spots in the network through which he caneffectively isolate a group of nodes From our data analysiswe found the feasibility and cost of this attack compared tospatial and temporal partitioning Saptio-temporal analysis alsoprovides insights into the general behavior of nodes within anAS or an organization Therefore it is intuitive to investigatethe attributes of the overall topology of Bitcoin network inrelation to the ASes and organizationsAttack Objectives In this attack the aim of the adversaryis to split the network based on the networkrsquos vulnerability toboth the spatial and temporal partitioning As shown in Fig-ure 6(a) and Figure 6(b) the purple and yellow nodes are

vulnerable to temporal attacks However the attacker cannotlaunch the same attack on nodes lying in the green region(synced nodes) since they are up-to-date and will reject a falseblock These nodes can still be partitioned based on the BGPattack presented in spatial partitioning A combined effect ofboth attacks will be an optimized and targeted attack that willaffect the entire Bitcoin network

It is worth mentioning that for a BGP attack on nodes withinthe green region the attacker does not have to isolate all targetnodes Since these up-to-date nodes are connected with eachother therefore an attack on a subset of nodes can have acascade effect thereby compromising all other nodesAttack Procedure and Validation For a successful attackthe attacker will need information about the ASes and or-ganizations of the synced nodes as well as nodes that arebehind The feasibility of this attack depends on the adversarialcapabilities of the attacker To analyze that we elaborate thenetwork behavior from Figure 6(b) in Figure 8(a) The greenline indicates the number of nodes that are synced whileyellow and purple lines show nodes that are 1 block and 2ndash4blocks behind respectively

Per our threat model if the attacker is an AS it will preferto hijack BGP prefixes to damage Bitcoin As such it willprefer maximum nodes in the green region and minimumnodes in yellow and purple region to maximize the attackseverity If the attacker is a mining pool then it will launcha temporal attack and will prefer minimum nodes in greenregion and maximum nodes in other regions However ifthe attacker is a cloud service provider that has both routingand mining capabilities then it can launch both spatial andtemporal attacks Therefore the key aspect of spatio-temporalattack is that it is adjustable to the capabilities of an attacker

Although multiple attack scenarios and case studies canbe drawn for spatio-temporal partitioning but in the interestof space we illustrate one case study From our simulationswe observed that the temporal partitioning forks the networkat a faster rate than spatial attacks Therefore we assume acase in which cloud provider waits for minimum number ofsynced nodes and launches a spatio-temporal attack As seenin Figure 8(a) at two instances the number of synced nodesfalls as low as 3000 while the number of nodes that are 2ndash4 blocks behind go as high as 6000 nodes This can serveas an ideal attack opportunity to launch the spatio-temporalattack To isolate synced nodes the attacker needs to haveinformation about their ASes To analyze that we gatheredinformation about synced nodes and their corresponding ASesand organizations In Table VII we enlist the top 5 ASes andorganizations that hosted most synced nodes in Figure 8(a)

0

2000

4000

6000

8000

10000

12000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

Synced Nodes1 Block Behind

2-4 Block Behind

(a) One day snapshot

0

200

400

600

800

1000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS4134

AS24940

(b) Top 1-2 synced nodes ASes

0

100

200

300

400

500

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS16276

AS16509

AS14061

(c) Top 3-5 synced nodes ASesFig 8 Spatial and temporal distribution of nodes for the day defined in Figure 6(b) For the synced nodes in Figure 8(a) we outline their distribution acrosstop five ASes in Figure 8(b) and Figure 8(c) On average AS4134 hosts most of the nodes

TABLE VIITOP 5 ASES THAT HOSTED ALL THE SYNCHRONIZED NODES

IN FIGURE 6(B) FOR 24 HOURS

AS Organization Nodes PercentageAS4134 No31 Jin-rong 993 957AS24940 Hetzner Online 830 798AS16276 OVH SAS 530 522AS16509 Amazoncom 417 419AS14061 DigitalOcean 332 323

We observed that 28 of synced nodes are hosted withinthe top 5 ASes We plot their hosting pattern over a full dayin Figure 8(b) and Figure 8(c) The cloud provider can spatiallyattack synced nodes by hijacking five ASes and temporallyattack the remaining nodesImplications Spatio-temporal attack is an optimized andtargeted attack that provides multiple attack opportunities to astrong adversary to take down the network with minimal effortAs demonstrated by our results in Figure 8 at a given timemore than 50 of nodes can be behind the main blockchainand vulnerable to temporal attacks Moreover at the sametime the remaining synced nodes can be attacked by hijackingBGP prefixes of their hosting ASes and organizations Theattacker can select a suitable trade-off between the laggingnodes and synced nodes based on the attackerrsquos capabilitiesand disrupt the network For a successful attack on syncednodes the attacker may just have to isolate a small number ofnodes that relay blocks to each other and due to the cascadeeffect remaining nodes will eventually collapse As such ifthe number of full nodes is small in a cryptocurrency suchas Bitcoin Cash or Litecoin the attacker can compromise theentire cryptocurrency by affecting the flow of valuable dataincluding transactions and blocks

D Logical Partitioning

The Bitcoin network is actuated by communication amongpeers each of which is a full node running software thatconforms to a protocol The protocol is defined by an opensource software project Bitcoin Core initially published bySatoshi Nakamoto on January 9 2009 [12] Since 2009 therehave been over 40 updates to Bitcoin Core with the latestv0160 released in February 2018 New versions build uponprevious ones with improved security performance and func-tionality Since the Bitcoin network is open to any client thatsatisfies the network protocol peers can run modified softwareOptional features such as SegWit [1] are implemented in thisway compatible with Bitcoin Core

Table VIII shows the distribution of Bitcoin software at thetime of our data collection along with their release date andpercentage of users We observed that 288 Bitcoin softwarevariants are used by full nodes The latest version of Bitcoin

TABLE VIIITOP 5 SOFTWARE VERSIONS USED BY BITCOIN FULL NODES ALONG WITH

THEIR RELEASE DATE LAG FROM THE DATE OF COLLECTION IN DAYSAND PERCENTAGE OF USERS

Index Version Release Date Lag Users 1 B Core v0160 02-26-2018 59 36282 B Core v0151 11-11-2017 166 27523 B Core v01501 09-19-2017 219 5014 B Core v0142 06-17-2017 313 4675 B Core v0150 04-22-2017 369 205

Core 0160 is used by only 36 of the nodes while 27use version 0151 The remaining 37 of the network uses286 different software clientsAttack Objectives The objective of the attacker would be togain the confidence of full nodes Changes may be subtle andnot perceived as threats Diverse incentives may be employedfor adoption In our scenario the attackerrsquos influence overthe software would be sufficient to optimize and magnify theeffects of the attackAttack Procedure Peer ldquodemocracyrdquo in software selectionhas served well but is vulnerable to attacks Over time amodified software variant might gain popularity by offeringbetter performance and features One example is Falcona custom Bitcoin client run by 10 nodes Falcon providesfaster connectivity and minimum delay during transactionpropagation [55] Falcon is not malicious but it demonstratesthe independence of peers to run a client that is not part ofBitcoin Core A hypothetical client that economizes the costof running a full node might gain general acceptance whileat the same time reducing the cost of controlling a significantportion of the network

In a more subtle scenario a malicious entity with cooperat-ing peers could modify the Bitcoin Core software after down-load The modifications may be surreptitious or proclaimedto be enhancements Nodes influenced by the attacker wouldseem normal but would be used to facilitate an attack Asimple example of permissible client modification would beto increase the number of peer connections [11] and help thespread of malicious blocks

In either case the software would provide a platform toenhance the partitioning attack During the attack modifiedclients could steal bitcoins from connected wallets isolatepeers from the network propagate false information in thenetwork and cause DoS attacks on neighboring peers Tofurther analyze vulnerabilities associated with Bitcoin softwareclients we mapped known client versions to the NationalVulnerability Database (NVD) From NVD we obtained 36reported vulnerabilities along with the vulnerability ID thepublishing date and the CVSS severity For instance avulnerability with ID CVE-2018-17144 shows that Bitcoinclients are vulnerable to a remote denial-of-service attack via

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

B2B1B3B2B1B4B3B2B1

B3B2B1B4B3B2B1

F1

Light Nodes

F2 F3 F4

F5Light Nodes

B4

Fig 1 Bitcoin illustration with full nodes and lightweight nodes Lightweightnodes only have the view that their associated full nodes provide Full nodesF1 F2 and F5 have updated views while F3 and F4 are 1-2 blocks behind

II THE BITCOIN NETWORK MODEL

The Bitcoin network consists of nodes connected in a peer-to-peer model Upon joining the network nodes connect toeach other using public IP addresses and use the gossipprotocol to exchange network information such as transactionsblocks and addresses There are special nodes in the networkcalled miners that are responsible for extending the blockchainby creating new blocks [44]

Ideally all the participating nodes in the network need tohave an updated copy of the blockchain but the growingsize of the chain makes it infeasible to be used on smartdevices For example the current blockchain size in Bitcoinis approximately 150GB [52] and if a user wants to useBitcoinrsquos services on his smart phone he might not be ableto download the complete blockchain and become part of thenetwork To address this problem third party services such asBlockchaininfo [33] provide an easy access to such clients bydownloading Blockchain and providing access to smart deviceusers Blockchaininfo maintains an active node in Bitcoin thatkeeps track of all transactions and blocks and replicates thenetwork view to all of its customers Therefore the currentBitcoin network is structured into full nodes that are activein the main network and lightweight nodes that use servicesof full nodes In Figure 1 we provide an illustration of thismodel For more information regarding the full nodes and thelightweight nodes we refer the reader to [26]

III THREAT MODEL

In this section we outline the basics of partitioning attackson Bitcoin and describe our threat model Through data-drivenanalyses we establish the modus operandi of the Bitcoinnetwork and describe capabilities needed by the adversaryto partition the network spatially and temporally Towardsthat we revisit Apostolaki et alrsquos work [3] (referred to asthe ldquoclassical attackrdquo) providing a baseline for partitioningattacks We highlight new targeted attacks on the network byintroducing temporal spatio-temporal and logical partitioningattacks which have not be identified before

For the spatial partitioning we assume the adversary tobe an autonomous system (AS) an ISP organization or anation-state An AS hosting a fewer Bitcoin nodes can launcha BGP attack on another AS that hosts more nodes As aresult it can hijack the Bitcoin traffic isolate the miningpower or simply harm the reputation of the target AS Fortemporal attacks we assume a malicious mining pool thatattempts to fork the network and deprive an honest minerfrom block rewards With soft forks the adversary aims tocreate a temporary imbalance in system ramifications suchas transaction processing and by hard forks it attempts to

permanently split the network with diverging views Finallyfor logical attacks we assume the adversary to be a softwaredeveloper capable of exploiting bugs in the Bitcoin softwareclient Additionally due to the centralization of Bitcoin trafficand a shift in country-level policies towards Bitcoin we do notexclude the possibility of a nation-state adversary As such anation-state can partition the network by blocking the flowof traffic through its ASes and organizations Countries suchas Bolivia Kyrgyzstan and Nepal have permanently bannedBitcoin and its exchanges [54] If China for example decidesto ban Bitcoin it will have a significant impact on the healthof the Bitcoin network since 60 of the mining traffic goesthrough China (as shown in Table IV)Adversarial View We assume that the adversary has a consis-tent view of the network similar to the one available to us forconducting our analysis The adversary will have access to thefollowing information 1) The top ASes and organizations thathost a maximum number of nodes and their distribution overtime 2) The temporal spread of block information among allnodes in the network upon block broadcast 3) The vulnerablenodes in the network based on their location uptime latencyconsensus time and neighboring peers 4) The vulnerablenetwork entities (ASes and organizations) based on their publicinformation such as BGP prefixes neighboring ASes locationand routing informationAdversarial Capabilities In the threat model adversarieshave unique capabilities For example a malicious AS ororganization will have the ability to announce false routinginformation to other ASes and separate the target AS fromneighboring nodes This in turn can disrupt the exchange oftransactions blocks and mining information thereby affectingfull nodes lightweight nodes and mining pools

For temporal partitioning the adversarial mining pool willhave a consistent view of the network which will allow it toidentify nodes that are behind the blockchain Obtaining thisinformation is not challenging since various Bitcoin crawlersare available and can be used to access the blockchain view ofnodes in Bitcoin [15] This can be exploited by the maliciousmining pool to identify vulnerable nodes that are 1ndash5 blocksbehind A malicious miner for instance can mislead thosenodes by propagating false information in the network Doingso may create a temporary or even a permanent partitioning inthe network where a group of nodes are misled into followinga counterfeit blockchain

IV PRELIMINARY ANALYSIS

A Data CollectionFor our analysis we crawled data from Bitnodes [15] which

is a Bitcoin service supported by Earncom [16] Bitnodesmaintains a persistent connection with all reachable nodes byrunning a full node that connects to the rest of the network Af-ter connecting with all nodes Bitnodes uses inventory message(inv) and data messages (getdata getblock gettransaction) toget recent blocks and transactions from each node (for moreinformation regarding these protocol messages we refer thereader to the Bitcoin protocol documentation [13]) For eachnode Bitnodes records the response time to calculate usefulinformation such as the latency the uptime and the latestblock etc From IP addresses it determines the correspondingAS organization and location of a node

We used the information provided by Bitnodes to developanother crawler atop Bitnodes to acquire data and store it in

our local database We ran the crawler on our campus serverfor two months and our complete dataset spans two months ofBitcoin network information with an aggregate size of 80GBIn summary we were able to collect the Bitcoin networkinformation sampled at every 10 minutes to analyze consensusdistribution after each published block and at every 1 minuteto observe consensus pruning in the network in-between thepublication of two successive blocks

B MethodologyIn our initial experiments first we cross-validated the infor-

mation provided by Bitnodes We mapped the crawled IP ad-dresses to a commercial-grade geo-mapping dataset obtainedfrom Digital Envoy (DE) [42] The DE dataset mapping ofBitnodes IP addresses validated the information in our datasetregarding ASes and organizations After establishing datareliability we performed a series of experiments to analyzethe configuration of the network and the distribution of nodesacross ASes and organizations The initial results gave us aholistic view of the network and its centralization which weused to describe spatial partitioning attacks

Next we analyzed the consensus distribution among nodesbased on their view of the blockchain We recorded the latestblock published by miners in the network and the most recentblock that every node had The difference between the twodenoted how far behind the node was from the network Asshown in Figure 1 nodes F3 and F4 are 1-2 blocks behindthe main chain Therefore they provide an outdated view ofnetwork to their lightweight nodes This information can beused by the attacker to lure them into a counterfeit networkby feeding them bogus blocks or a different blockchain Weleveraged this information to outline temporal partitioningattacks that can be launched on Bitcoin network to isolatenodes based on their outdated view Our results showed thatdynamics of Bitcoin network are not consistent over time andthere are vulnerable spots for an attacker who can connect toa group of nodes and partition themExperiments and Simulations We modelled and simu-lated partitioning attacks on Bitcoin based on the data thenetwork view and adversarial capabilities Our simulationsaccurately reproduced the vulnerable state of the network thatwas observed in our data analysis By causing non-targetedcommunication errors forks were created that resembled thoseoccurring naturally when the network is not synchronizedBitcoin forks have been observed up to a height of 13 andcan enable double-spending [35] As in the real network thesimulator resolved forks within two or three block intervalswith all nodes joining the longest chain The simulationshowed that partitioning attacks can create and exploit suchforks using targeted communication disruption holding themopen long enough to achieve attack objectives

C Measurements and ObservationsBelow we discuss some key observations we made during

the preliminary analysis on the Bitcoin network on February28 2018 We show the number of full nodes in the networkand their distribution with respect to IP addresses link speedlatency and block index

The network snapshot showed that there were 13635 fullnodes in the Bitcoin network This shows that the size of theactual network is small compared to SPV clients consideringthat Blockchaininfo alone hosts 23ndash5 million users [32] At

TABLE IOVERVIEW NODE CHARACTERISTICS OBSERVED ON FEB 28 2018 NOTETHAT THE IPV4 AND IPV6 NODES ARE SIMILAR IN LINK SPEED (MBPS)LATENCY AND UPTIME INDEX WHILE TOR NODES HAVE MUCH HIGHER

LINK SPEED AND LOW LATENCY

Link Speed Latency Index Uptime IndexType Count micro σ micro σ micro σIPv4 12737 2504 25880 070 045 068 044IPv6 579 2306 24536 086 035 067 042TOR 319 43267 10465 024 025 076 037

the time of data collection 11382 (8347) nodes were upwhile 2253 (1652) nodes were down Only 6155 (4514)nodes had the most updated copy of the blockchain while7480 (5486) were 1 or more blocks behind We also makeuse of peer information maintained by Bitnodes to characterizecertain properties of nodes including the latency index theuptime index and the block index Each of these indicatorscan be used to profile the given node in the network

Among the full nodes 12737 (9341) had IPv4 addresswhile 579 (424) had IPv6 address The remaining 319(233) full nodes had onion addresses meaning that theywere using TOR services to run Bitcoin The average linkspeed of the IPv4 and IPv6 was 2504 Mbps and 2306 Mbpsrespectively Their latency index block index and uptimeindex were also similar to one another On the other handTOR nodes had a high average links speed of 43267 Mbpsapproximately 17 times higher than the average link speed ofIPv4 and IPv6 nodes respectively Consequently they also hadlow latency and higher uptime index We report our findingsfrom preliminary analysis in Table I

V PARTITIONING ATTACKS ON BITCOIN

Based on our preliminary analysis we propose four typesof partitioning attacks that can be launched on the Bitcoinnetwork The fundamental premise of each attack is related tothe spatial positioning of nodes the topological symmetry ofthe network the temporal consensus over the blockchain stateor the client side software used by nodes to run Bitcoin Wedefine these attacks as spatial temporal spatio-temporal andlogical partitioning attacks respectively

A Spatial PartitioningIn this section we analyze the centralization of full nodes

and mining pools across ASes and organizations Towards thatwe revisit the prior work to evaluate the classical attack anddemonstrate that over time the Bitcoin network has furthercentralized and become more vulnerableAttack Objectives The objective of spatial partitioning is toisolate Bitcoin nodes The objective can be purely to isolateminers and restricting their access to the network or eclipsingan entire AS that hosts a large fraction of nodes A mining poolmight launch such an attack against its competitor to increaseits chances to publish more blocks A competing cryptocur-rency can launch this attack to affect Bitcoinrsquos reputationAttack Procedure In Figure 2 we provide an illustrationof a BGP attack which can be launched by a maliciousorganization or an AS In this attack the malicious ASannounces prefixes that belong to the victim AS As shownFigure 2 organizations D and E can launch BGP attacksagainst organization F and B respectively by broadcastingmore specific prefixes Moreover the attack can be mademore targeted by announcing prefixes addressing only Bitcoin

AS100 17000116

AS200 19000116

AS600 220500016 AS-700 230500016

AS300 180500016

AS500 2005050024

AS4002105050024

A B

C D

BGP Routing Among ASes

AS600 2205050024

AS-700 2305050024

AS500 200500016

AS400210500016

E

F

BGP Hijacking by D and E

Fig 2 Network topology consisting of organizations ASes and full nodesOrganizations D and E can launch BGP attacks against F and B respectively

TABLE IIA VIEW OF TOP TEN ASES AND ORGANIZATIONS IN BITCOIN ON

FEBRUARY 28TH 2018 THE TABLE SHOWS THAT BITCOIN IS MORECENTRALIZED WITH RESPECT TO ORGANIZATIONS THAN ASES AS24940

INTERCEPTS THE MAXIMUM BITCOIN TRAFFIC

ASes of Nodes Total Nodes Organizations of Nodes Total Nodes AS24940 1030 754 Hetzner Online GmbH 1030 754AS16276 697 511 Amazoncom Inc 756 554AS37963 640 469 OVH SAS 700 513AS16509 609 447 Hangzhou Alibaba 640 469AS14061 460 337 DigitalOcean LLC 503 369AS7922 414 304 Comcast Communication 414 304AS4134 394 289 No31 Jin-rong Street 394 289TOR 319 234 TOR 319 234AS51167 288 211 Contabo GmbH 288 211AS45102 279 205 Alibaba (China) 279 205

nodes This attack relies on two major factors the total numberof ASes and organizations and the total number of nodeshosted in each of them In particular if the total numberof ASes and organizations hosting full nodes is large theattack becomes costly Similarly if the number of nodes isconcentrated within a few ASes that makes a better targetrather than attacking arbitrary ASes with fewer nodes Toevaluate that we carried out two experiments to observethe total number of ASes hosting Bitcoin nodes and thedistribution of nodes among those ASesPractical Considerations Our results show that the fullnodes in Bitcoin are highly centralized at the AS and organi-zation level Compared to [3] the network has become evenmore centralized and more vulnerable to BGP hijacking androuting attacks In particular we observed that among the totalof 84903 ASes in the world [45] only 8 (00094) ASeshost 30 Bitcoin nodes 24 (0028) ASes host 50 while1660 (195) ASes host 100 Bitcoin nodes This shows asignificant difference in the number of ASes that host 50 and100 full nodes To understand that we plot CDF of ASesthat host the traffic of full nodes in Figure 3

Similarly we observed that the top 8 organizations in-tercepted 30 Bitcoin traffic and the top 13 organizationsintercepted 50 traffic collectively We also noticed that eachorganization controlled one or more ASes alluding to thepossibility of a fine-grained partitioning attack

In Table II we show the top 10 ASes and organizationsalong with the percentage of total nodes that they host Wegroup TOR nodes and treat them as a single AS AS24940hosts 754 nodes and its corresponding organization HetznerOnline also hosts 754 nodes meaning that the Bitcoin trafficrouted by Hetzner Online entirely goes through AS24940On the other hand Amazoncom routes 554 of the trafficwhile AS16276 intercepts 511 traffic This shows thatAmazoncom owns another AS besides AS16276 that alsoroutes traffic This model can be observed in Figure 2

As outlined in Figure 3 50 of the Bitcoin networkis hosted by 21 organizations and 24 ASes respectivelyMoreover 30 of the traffic is hosted by 8 organizations andASes respectively Prior work [3] done in 2017 showed that

0

02

04

06

08

1

0 2 4 6 8 10 12 14 16

CD

F o

f F

ull

Nodes

ASes and Organizations (x100)

OrganizationsASes

Fig 3 CDF of the Bitcoin full nodes in ASes and organizations

TABLE IIIDISTRIBUTION OF BITCOIN FULL NODES OVER TIME

2017 2018 Change ASes with 50 nodes 50 24 52ASes with 30 nodes 13 8 38

50 of the network was hosted by 50 ASes and 30 of thenetwork was hosted by 13 ASes To understand the changein the network let N1 be the number of nodes comprisingp of the network in 2017 Let N2 be nodes comprisingthe same p of the traffic in 2018 We define the changein the centralization of the network as C = (N1minusN2)times100

N1 and provide the results of change in Table III Notice thatover one year 50 nodes have been centralized by a factorof 52 The prior work did not look into the distribution ofnetwork with respect to organizations so we do not have abaseline for comparison Although it can be observed fromour data and plots that full nodes are more concentrated atthe organization level

Mining pools are another important part of Bitcoin sincethey are responsible for extending the blockchain and main-taining its state Mining pools consist of miners on the Internetcommunicating via a special mining protocol known as theldquoStratum Mining Protocolrdquo [14] All miners compute PoW andsend the result to the stratum server address specified by themining pool The stratum address is made public by the miningpool As such if the link to the stratum server is compromisedthe mining pool gets disconnected and its aggregate hash ratedecreases To analyze the distribution of stratum servers wecarried out two experiments First we gathered informationabout major mining pools in Bitcoin and their hash rate fromBlockchaininfo [8] results are reported in Table IV Nextwe selected the top 5 mining pools which had an aggregatehash rate of 65 of the total in the Bitcoin network We thencollected the stratum address of the selected mining pools fromtheir websites and traced the IP address corresponding to eachstratum address [9] [2] [22] We mapped each IP address tothe AS hosting the stratum server We found that 3 ASes had65 of Bitcoin mining pool traffic while one organizationldquoAliBabardquo alone had more than 50 of the Bitcoin miningpool traffic We report our results in Table IV In the lightof our threat model and given an adversary capable of BGPhijacking policy enforcement at an organization level orcollusion having an organization hosting more 50 of themining power makes such an attack even more effectiveAttack Validation In this section we will validate ourobservations and hypothesis regarding BGP hijacking on Bit-coin ASes and organizations BGP routing attacks on Internethappen frequently In 2008 a service provider from Pakistanhijacked Youtube traffic by announcing more specific BGPprefixes than the ones announced by Youtube [28] Similarly

TABLE IVTOP 5 MINING POOLS PER HASH RATE ASES AND ORGANIZATIONS657 MINING DATA GOES THROUGH ONLY THREE ORGANIZATIONSALIBABA HAS A VIEW OF AT LEAST 60 OF THE MINING DATA WE

EXCLUDE THE REMAINING 12 MINING POOLS FROM THE STUDY AS THEIRTOTAL CONTRIBUTION TO HASH RATE IS MINIMAL

Mining Pool H Rate ASes OrganizationsBTCcom 25 AS37963 Hangzhou Alibaba

AS45102 AliBaba (China)Antpool 124 AS45102 AliBaba (China)ViaBTC 117 AS45102 AliBaba (China)BTCTOP 103 AS45102 AliBaba (China)

F2Pool 63 AS45102 AliBaba (China)AS58563 Chinanet Hubei

12 others 343 mdash mdash

0

02

04

06

08

1

0 20 40 60 80 100 120 140 160

Fra

ction o

f N

odes H

ijacked

Number of BGP Hijacks

AS24940 (51 prefixes)AS16276 (104 prefixes)AS37963 (454 prefixes)

AS16509 (2969 prefixes)AS14061 (1430 prefixes)

Fig 4 CDF of top 5 ASes vulnerable to BGP attacks The key shows totalBGP prefixes announced by AS For 8 ASes 80 nodes can be isolated byhijacking 20 BGP prefixes

in 2014 a Canadian ISP hijacked prefixes of 19 organiza-tions hosting Bitcoin traffic including Amazon OVH DigitalOcean LeaseWeb and Alibaba [29] In 2017 alone 14000BGP attacks were launched against major ASes [46]

To validate the attack and its impact we selected the top5 ASes from Table II and enumerated the IP addresses offull nodes hosted by these ASes Next we grouped the IPaddresses based on the BGP prefixes announced by each ASWe then calculated the number of BGP prefixes required toisolate a percentage of full nodes hosted by the AS As a resulta group of full nodes sharing the same BGP prefix can allbe compromised if the BGP prefix is hijacked We report ourfindings in Figure 4 where we show that except for AS1650995 of full nodes in all other ASes are vulnerable oncefewer than 40 BGP prefixes are hijacked AS24940 whichhosts 1030 nodes can be compromised by hijacking only 15BGP prefixes while it takes more than 140 BGP prefixesto compromise AS16509 which hosts 609 nodes Taking thenumber of isolated nodes as an advantage and the number ofprefixes to be hijacked as an effort AS24940 will be morecostly with smaller advantage than AS16509Implications Spatial partitioning is detrimental to the Bitcoinnetwork as it facilitates other major attacks including double-spending attacks eclipse attacks and the 51 attack Asshown in Table IV if an attacker hijacks 3 ASes he can isolatemore than 60 of the Bitcoin hash power As Figure 4 showsthat by hijacking 15 BGP prefixes the attacker can cut 95traffic of AS24940 that hosts 1030 full nodes By isolating thehash power an attacker can cause delays in the block creationand the transaction confirmation

If the attacker is a mining pool with lower hash rate itcan launch the attack on competing mining pools and deprivethem of their mining rewards By isolating a majority of thenetworkrsquos hash power the attacker can launch the 51 attackon Bitcoin which will grant him a permanent control overthe blockchain Furthermore in peer-to-peer settings nodesare responsible to relay blocks and transactions to each other

By hijacking a subset of nodes the attacker can introduce acascade effect in which propagation of blocks and transactionscan be stalled the attacker does not have to isolate all nodes byhijacking all BGP prefixes in an AS Isolating a major subsetof nodes can eclipse the entire AS

B Temporal PartitioningTemporal partitioning involves isolation of a group of nodes

in the network that are some blocks behind the rest of thenetwork As shown in Figure 1 three nodes have the mostupdated copy of the blockchain while nodes F3 and F4 are 1ndash2 blocks behind These nodes might be behind the main chaindue to a number of reasons such as the network latency a lowbandwidth software malfunctions or a malicious peer There-fore these nodes have an outdated view of the blockchainand remain vulnerable to partitioning attacks In Figure 5 weprovide an abstraction of the temporal attack that exploits thevulnerable nodes and introduces a soft fork in the networkAttack Objectives The objective of the temporal partitioningis the isolation and subversion of nodes or a group of nodeswithin the network Latency in updating the blockchain is awell known vulnerability of Bitcoin which is confirmed inour data Propagation delays are known to be key contributorstowards the latency [19] Propagation delays are influenced bythe number of hops between nodes due to sparse peering andthe time required by software clients to verify and forwarda block Solutions have been proposed that cluster nodesto reduce latency [49] [23] but the authors note this mayincrease the potential for partitioning attacks This indicatesa trade-off between spatial and temporal vulnerability Alsocontributing to the node latency are communication failuresand the behavior of nearby peers The adversary would seekto disrupt communication and control peers where the attackis launched It is inexpensive to setup new nodes on theBitcoin network for this purpose The adversary would wantto separate and control nodes which are not up to date withthe main network Under normal operation those nodes mighteventually catch up with the network but an adversary willprevent that from happeningAttack Procedure Analysis of Bitcoin nodes over a periodof days shows several times a day when a significant fractionof nodes are not up-to-date We report our findings in Figure 6In Figure 6 the x-axis denotes a time-index for networkobservations (one observation every 10 minutes in Figure 6(a)and Figure 6(b) and one every minute in Figure 6(c)) The y-axis is stacked meaning that curves are cumulative The greenpart shows nodes that are up-to-date the yellow part showsnodes that are 1 block behind and the purple part shows nodesthat are 2-4 blocks behind The remaining colors and theirdescriptions are in the figure

From Figure 6(a) we were able to make following obser-vations 1) Generally a majority of nodes (asymp 50) remainssynchronized on the blockchain state These nodes do not lagbehind in the main chain for a long duration 2) 10 nodes areforever behind the main blockchain They do not update theirblockchain and as such they have no benefit in the network3) 30-40 nodes in Bitcoin occasionally waver in terms oftheir view of the blockchain Possibly due to network latencyor consensus delay they lag behind the most recent block

To further study the distribution of consensus in the net-work we take a single day snapshot of the network to observeconsensus pruning among all nodes From the view of an

Synced Nodes

Behind Nodes

Attacker

Partitioned Blockchain

Fig 5 An illustration of the temporal attack The attacker establishes connections with nodes and identifies vulnerable nodes that have an outdated viewVulnerable nodes have have not been provided new blocks by surrounding peers which shows their weak relationshipconnectivity We annotate this weakrelationship with dotted lines The attacker feeds his copy of blocks to vulnerable nodes thereby partitioning the network into two conflicting chains

0 1000 2000 3000 4000 5000Complete View (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(a) General trend of the network

0 20 40 60 80 100 120 140One Day Snapshot (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(b) One day snapshot

0 50 100 150 200 250Data Points (One Minute Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(c) Consensus between block propaga-tion

Fig 6 Temporal consensus in Bitcoin network Y-axis denotes number of nodes in 1000 In each figure green region denotes the up-to-date blocks Yellowregion denotes 1 block behind Purple blue and magenta regions represent nodes that are 2ndash4 5ndash10 and ge 10 blocks behind respectively Figure 6(a) showsthe overall network Figure 6(b) shows a day (March 25) that offers greater attack opportunity and Figure 6(c) shows consensus pruning during 10 minutes

attacker with higher granularity there is a better vantage pointto attack a group of nodes Focusing on a single day shownin Figure 6(b) we observed that some yellow and purple spikesare larger and wider than others The height of a spike denotesthe count of nodes that are behind the updated nodes whilethe width indicates the length of time for which they remainbehind the updated nodes

From Figure 6(b) with a closer look at the network wemade the following observations 1) Consensus pruning is notuniform across the network 2) The most frequent delay amongthe blocks is 1 block indicated by yellow region followed2-4 blocks indicated by the purple region 3) On variousoccasions yellow and purple spikes can reach up to 7000nodes approximately 90 of the network can be partitionedif an attacker isolates them

In Bitcoin on average a block is published after every 10minutes Once a block is published ideally the network isexpected to be synchronized within 10 minutes before thenext block is computed However network synchronizationis an artifact of time and fairness of the network In theprevious two experiments we observed that with fine grainedsampling on a given day the attacker can isolate a group ofnodes which are behind the main chain To further analyzethis behavior we performed another experiment that involvedper-minute sampling of network Our objective was to observethe distribution of consensus among peers immediately afterbroadcast of one block and before the broadcast of the nextone We plot the results obtained from the third experimentin Figure 6(c) It can be observed in the figure that thereare vulnerable spots in the network in which up to 90 ofthe network is 1-4 blocks behind As such the non-uniformconsensus pruning presented itself as an attack opportunitywhereby an attacker can find a time window to isolate agroup of targeted nodes In Figure 6(c) the width of nodesthat are behind show the attack time window while the heightrepresents the number of vulnerable nodes

This becomes an optimization problem to find the momentwhere a majority of nodes is behind for the longest attack

TABLE VTHE MAXIMUM NUMBER OF VULNERABLE NODES

T (minutes) ge 1 block ge 2 blocks ge 5 blocks

5 6280(6267) 3206(3199) 966(968)10 1761(2713) 1189(1187) 955(953)15 1141(1139) 1083(1081) 952(1200)20 1109(1397) 1023(1576) 947(1193)25 1070(1068) 1013(1561) 942(940)30 1042(1039) 984(982) 942(939)40 1040(1037) 984(982) 940(938)70 1036(1034) 976(974) 929(927)

200 908(908) 887(882) 821(816)

window The attackerrsquos timing constraints include the time tocalculate false blocks and establish connections to vulnerablenodes Hence to identify vulnerable nodes we formulate thetemporal attack as an optimization model Given a timestampt and a timing constraint T find the maximum number ofvulnerable nodes whose lagging time L(t) is at least TLagging time L(t) of a node is defined as minimum timing forthis node to catch up to the main blockchain if it lags behindat t The objectives of this formulation are as follows 1) Byidentifying maximum nodes that were lagging concurrentlyattacker could isolate them and mislead them with false blocks2) By investigating all possible timestamps an attacker couldfind an optimal time to attack those nodes

We identify nodes whose historical behaviors show theirvulnerability to temporal attacks and record their resultsin Table V Note that at any time the total number of nodesin Bitcoin fluctuates between 8kndash13k For any time windowwe are interested in finding the maximum percentage ofvulnerable nodes for that window As such the normalizationparameter represented by the total number of nodes at thattime may change which results in an increasing percentagefor a decreasing number of nodes in Table V For instancefor 6280 nodes the total number of nodes was 10020 whichis about 6267 On the other hand for 908 nodes the totalnumber of nodes was 10000 which approximates to 908We tested with a variety of timing constraints T and presentthe results that best suit the attacker The first column showsdifferent T values the secondthirdforth columns show the

maximum number of nodes that lag behind main chain for atleast 125 blocks respectively The decreasing of maximumnumber of nodes along with the increasing of timing con-straint shows the fact that the longer time it takes to implementan attack the fewer choice of vulnerable nodes is availableWe noticed that there were moments in which a majority ofnodes in the network (ge 50) was at least 1 block behind formore than 5 minutes and up to 20 nodes lagged behind themain chain for more than 15 minutes

With this information we perform a theoretical analysison the timing threshold T that is suitable for the attacker toisolate a targeted set of m nodes We assume the attackerwants to isolate m nodes which requires the attacker to createconnections to these nodes and feed them its own versionof block We model the required timing for this process asan exponential distribution by rate λ In 2015 the Bitcoincommunity switched from a traditional gossip-style protocolknown as trickle spreading to diffusion spreading in which theinformation propagates with independent exponential delaysThis method of modeling Bitcoin connections has been usedin prior work as well by Fanti et al [24] Using that thetiming of the attacker to connect to a node is

f(t) = λeminusλt F (t) = 1minus eminusλt (1)

where f(middot) F (middot) are probability density and cumulative dis-tribution functions Given timing assigned to isolate m nodesis T = (t1 tm) The probability that an attacker isolates mnodes under T derived from Cauchy inequality theorem is

ρ(T ) =mprodi=1

(1minus eminusλti) le(1minus

summi=1 e

minusλti

m

)m(2)

Theorem 1 (Cauchy Theorem) Let x1 x2 xn are n non-negative numbers then

nprodi=1

xi le(sumn

i=1 xin

)nlesumni=1 x

ni

n(3)

Both equalities occur if and only if x1 = x2 = = xnNow consider a timing constraint T in which the attacker

wants to isolate all m nodes This means that the timingassignment T should satisfy

summi=1 ti le T So

ρ(T ) le (1minus eminus λm T)m (4)

With timing constraint T the attacker will have at most(Tm

)choices for timing assignment T By union bound the

probability p to isolate m nodes within T is bounded by

p le b(m T) =

(T

m

)(1minus eminus λ

m T)m (5)

Given m b() is monotonically increasing by T Thereforegiven a successful probability p we can infer a lower boundof T by binary bisection We experiment with the relationshipamong values of m T and λ We set the targeted successfulrate of attacker p as 08 and test it with various values ofλ The results are recorded in table VI Column labels showdifferent values of m nodes that the attacker aims to isolateand row labels show values of λ Values in each cell denotethe bound of T such that within this bound the attacker canisolate m nodes under delay rate λ with probability of at least08 For example with λ = 08 and m = 500 it would takeonly 589 seconds (approximately 10 minutes) to isolate all m

TABLE VIMINIMUM TIMING CONSTRAINT T (SECONDS) TO ISOLATE m NODES

UNDER THE GIVEN RATE λ

λm

100 300 500 800 1000 1200 1500

04 142 424 705 1127 1610 2313 351705 133 397 661 1057 1320 1851 281406 127 379 630 1007 1258 1545 234507 122 365 607 970 1213 1455 201008 119 354 589 942 1177 1412 176509 116 346 575 920 1149 1379 1723

nodes with probability at least 08 500 is much smaller thannumber of vulnerable nodes in 10 minutes timing constraint(from table Table VI there can be 1761 vulnerable nodeswithin T = 10 minutes) Therefore we conclude that Bitcoinis highly vulnerable to temporal attacksSimulation and Attack Validation To validate the insightsobtained from our data and theoretical analysis we developeda simulation model in R to test temporal attacks The simulatorwas tested in base simulation scenarios such as zero and per-fect communication among nodes As an internal error checkand to make the simulation more realistic each simulated nodemaintains a 64-bit MD5 hash linked chain of values updated toits current fork By adjusting parameters the simulation wascapable of accurately representing the state of the network aswe observed in our dataset

The default number of Bitcoin peers is 8 which is used inour simulation Studies have shown that peers are distributedand can be associated with any AS [23] Our experimentaldata confirmed this distribution Following this the peerswere evenly distributed in terms of communication errors andlatency Peer communication failure rate is represented by amodel parameter typically around 10 percent failures Thelatency is represented by the number of communication timesteps per simulation block This is scaled according to thesimulation size Each time step represents one peer-to-peercommunication attempt for each node

The simulation was used to model information flow throughthe network under different attack scenarios A network of10000 nodes can be simulated using a square grid of size 100We ran simulations using the entire network For clarity a gridof size 25 (116 of the active nodes) is shown in the figuresThis grid ran faster is easier to read and well simulated exper-imental results Using different scaled network simulations wediscovered that the upper limit of Decker and Wattenhoferrsquosnode propagation delay Tdelay can be expressed as a ratio ofthe block interval divided by the network diameter Taking theinverse of this ratio we arrive at a non-dimensional parameterthe span ratio representing how many times information cantravel from one side of the Bitcoin network to the other duringthe block interval Assuming a square grid network diameter isproportional to the square root of the number of nodes A givenspan ratio Rspan with the Bitcoin block interval Tblock thusyields a maximum propagation delay to maintain the state of anetwork of N nodes Tdelay = Tblock(Rspan lowastN05) As theBitcoin network grows a smaller propagation delay is requiredto synchronize peers Specifically Tdelay is inversely related tothe square root of the number of nodes The maximum valueof Rspan in simulation was 20 corresponding to a 3 secondinterval per peer communication in the actual network of10000 nodes With reasonable values for the communicationfailure such a small time step resulted in a network that wasfully updated between blocks Therefore Rspan = 20 is agood target for blockchain synchronization

(a) Time Step 151 (b) Time Step 201 (c) Time Step 251

Fig 7 Simulation of temporal attack Figure 7(a) shows fork B emerging at node [77] Compare the color distribution to the peaks of Figure 6(c) aboveTwo blocks later in Figure 7(b) fork B has control of 16 of the nodes In Figure 7(c) the longer chain A overwhelms fork B but has lost synchronizationso cannot prevent emergence of a new fork C

Figure 7 shows a sample of results obtained from simula-tion where the attacker has 30 of the network hash rateOnce a portion of the network is isolated it can be sustainedwith successive forks since the isolated nodes naturally as-sume that block delays are due to network issues As suchthey do not know that new blocks are taking more time tocalculate due to the lower hash rate of the attacker Meanwhilethe main chain loses some of its hash rate and is thereforeless capable of responding Note that the cost of launching atemporal attack is much less than the spatial attack providedthat the attacker has the consistent view of the network asshown in Figure 6Implications Even a short term fork in the network wouldcause sufficient disruption to invalidate transactions Suchan attack is likely to result in significant loss to networkstakeholders Quantifying the impact of adverse events onBitcoin has been inconclusive [25][20] and is dependent uponuser perception [43] However once the targeted nodes areisolated as shown in Figure 5 the soft fork will create atemporary partition in the network The isolated nodes willbe following a counterfeit blockchain with different transac-tions from the main chain Therefore when nodes recoverfrom the fork the attackerrsquos blocks will be rejected and alltransactions belonging to legitimate users in those blocks willalso be reversed This will require a major update on the setof all UTXOrsquos at each node and a system-wide check onthe transactions being reversed Standing out in our analysisis the observation that Bitcoin has a level of asymmetricvulnerability With a market capitalization of o(1011) USD andnetwork configuration of o(104) nodes each full node is wortho(107) USD However the cost of disrupting the network isfar less than the value being impacted which makes Bitcoinan economically attractive target for temporal attacks

C Spatio-temporal PartitioningIn this section we analyze how an attacker can make use

of spatial and temporal distribution of nodes over time tofind vulnerable spots in the network through which he caneffectively isolate a group of nodes From our data analysiswe found the feasibility and cost of this attack compared tospatial and temporal partitioning Saptio-temporal analysis alsoprovides insights into the general behavior of nodes within anAS or an organization Therefore it is intuitive to investigatethe attributes of the overall topology of Bitcoin network inrelation to the ASes and organizationsAttack Objectives In this attack the aim of the adversaryis to split the network based on the networkrsquos vulnerability toboth the spatial and temporal partitioning As shown in Fig-ure 6(a) and Figure 6(b) the purple and yellow nodes are

vulnerable to temporal attacks However the attacker cannotlaunch the same attack on nodes lying in the green region(synced nodes) since they are up-to-date and will reject a falseblock These nodes can still be partitioned based on the BGPattack presented in spatial partitioning A combined effect ofboth attacks will be an optimized and targeted attack that willaffect the entire Bitcoin network

It is worth mentioning that for a BGP attack on nodes withinthe green region the attacker does not have to isolate all targetnodes Since these up-to-date nodes are connected with eachother therefore an attack on a subset of nodes can have acascade effect thereby compromising all other nodesAttack Procedure and Validation For a successful attackthe attacker will need information about the ASes and or-ganizations of the synced nodes as well as nodes that arebehind The feasibility of this attack depends on the adversarialcapabilities of the attacker To analyze that we elaborate thenetwork behavior from Figure 6(b) in Figure 8(a) The greenline indicates the number of nodes that are synced whileyellow and purple lines show nodes that are 1 block and 2ndash4blocks behind respectively

Per our threat model if the attacker is an AS it will preferto hijack BGP prefixes to damage Bitcoin As such it willprefer maximum nodes in the green region and minimumnodes in yellow and purple region to maximize the attackseverity If the attacker is a mining pool then it will launcha temporal attack and will prefer minimum nodes in greenregion and maximum nodes in other regions However ifthe attacker is a cloud service provider that has both routingand mining capabilities then it can launch both spatial andtemporal attacks Therefore the key aspect of spatio-temporalattack is that it is adjustable to the capabilities of an attacker

Although multiple attack scenarios and case studies canbe drawn for spatio-temporal partitioning but in the interestof space we illustrate one case study From our simulationswe observed that the temporal partitioning forks the networkat a faster rate than spatial attacks Therefore we assume acase in which cloud provider waits for minimum number ofsynced nodes and launches a spatio-temporal attack As seenin Figure 8(a) at two instances the number of synced nodesfalls as low as 3000 while the number of nodes that are 2ndash4 blocks behind go as high as 6000 nodes This can serveas an ideal attack opportunity to launch the spatio-temporalattack To isolate synced nodes the attacker needs to haveinformation about their ASes To analyze that we gatheredinformation about synced nodes and their corresponding ASesand organizations In Table VII we enlist the top 5 ASes andorganizations that hosted most synced nodes in Figure 8(a)

0

2000

4000

6000

8000

10000

12000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

Synced Nodes1 Block Behind

2-4 Block Behind

(a) One day snapshot

0

200

400

600

800

1000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS4134

AS24940

(b) Top 1-2 synced nodes ASes

0

100

200

300

400

500

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS16276

AS16509

AS14061

(c) Top 3-5 synced nodes ASesFig 8 Spatial and temporal distribution of nodes for the day defined in Figure 6(b) For the synced nodes in Figure 8(a) we outline their distribution acrosstop five ASes in Figure 8(b) and Figure 8(c) On average AS4134 hosts most of the nodes

TABLE VIITOP 5 ASES THAT HOSTED ALL THE SYNCHRONIZED NODES

IN FIGURE 6(B) FOR 24 HOURS

AS Organization Nodes PercentageAS4134 No31 Jin-rong 993 957AS24940 Hetzner Online 830 798AS16276 OVH SAS 530 522AS16509 Amazoncom 417 419AS14061 DigitalOcean 332 323

We observed that 28 of synced nodes are hosted withinthe top 5 ASes We plot their hosting pattern over a full dayin Figure 8(b) and Figure 8(c) The cloud provider can spatiallyattack synced nodes by hijacking five ASes and temporallyattack the remaining nodesImplications Spatio-temporal attack is an optimized andtargeted attack that provides multiple attack opportunities to astrong adversary to take down the network with minimal effortAs demonstrated by our results in Figure 8 at a given timemore than 50 of nodes can be behind the main blockchainand vulnerable to temporal attacks Moreover at the sametime the remaining synced nodes can be attacked by hijackingBGP prefixes of their hosting ASes and organizations Theattacker can select a suitable trade-off between the laggingnodes and synced nodes based on the attackerrsquos capabilitiesand disrupt the network For a successful attack on syncednodes the attacker may just have to isolate a small number ofnodes that relay blocks to each other and due to the cascadeeffect remaining nodes will eventually collapse As such ifthe number of full nodes is small in a cryptocurrency suchas Bitcoin Cash or Litecoin the attacker can compromise theentire cryptocurrency by affecting the flow of valuable dataincluding transactions and blocks

D Logical Partitioning

The Bitcoin network is actuated by communication amongpeers each of which is a full node running software thatconforms to a protocol The protocol is defined by an opensource software project Bitcoin Core initially published bySatoshi Nakamoto on January 9 2009 [12] Since 2009 therehave been over 40 updates to Bitcoin Core with the latestv0160 released in February 2018 New versions build uponprevious ones with improved security performance and func-tionality Since the Bitcoin network is open to any client thatsatisfies the network protocol peers can run modified softwareOptional features such as SegWit [1] are implemented in thisway compatible with Bitcoin Core

Table VIII shows the distribution of Bitcoin software at thetime of our data collection along with their release date andpercentage of users We observed that 288 Bitcoin softwarevariants are used by full nodes The latest version of Bitcoin

TABLE VIIITOP 5 SOFTWARE VERSIONS USED BY BITCOIN FULL NODES ALONG WITH

THEIR RELEASE DATE LAG FROM THE DATE OF COLLECTION IN DAYSAND PERCENTAGE OF USERS

Index Version Release Date Lag Users 1 B Core v0160 02-26-2018 59 36282 B Core v0151 11-11-2017 166 27523 B Core v01501 09-19-2017 219 5014 B Core v0142 06-17-2017 313 4675 B Core v0150 04-22-2017 369 205

Core 0160 is used by only 36 of the nodes while 27use version 0151 The remaining 37 of the network uses286 different software clientsAttack Objectives The objective of the attacker would be togain the confidence of full nodes Changes may be subtle andnot perceived as threats Diverse incentives may be employedfor adoption In our scenario the attackerrsquos influence overthe software would be sufficient to optimize and magnify theeffects of the attackAttack Procedure Peer ldquodemocracyrdquo in software selectionhas served well but is vulnerable to attacks Over time amodified software variant might gain popularity by offeringbetter performance and features One example is Falcona custom Bitcoin client run by 10 nodes Falcon providesfaster connectivity and minimum delay during transactionpropagation [55] Falcon is not malicious but it demonstratesthe independence of peers to run a client that is not part ofBitcoin Core A hypothetical client that economizes the costof running a full node might gain general acceptance whileat the same time reducing the cost of controlling a significantportion of the network

In a more subtle scenario a malicious entity with cooperat-ing peers could modify the Bitcoin Core software after down-load The modifications may be surreptitious or proclaimedto be enhancements Nodes influenced by the attacker wouldseem normal but would be used to facilitate an attack Asimple example of permissible client modification would beto increase the number of peer connections [11] and help thespread of malicious blocks

In either case the software would provide a platform toenhance the partitioning attack During the attack modifiedclients could steal bitcoins from connected wallets isolatepeers from the network propagate false information in thenetwork and cause DoS attacks on neighboring peers Tofurther analyze vulnerabilities associated with Bitcoin softwareclients we mapped known client versions to the NationalVulnerability Database (NVD) From NVD we obtained 36reported vulnerabilities along with the vulnerability ID thepublishing date and the CVSS severity For instance avulnerability with ID CVE-2018-17144 shows that Bitcoinclients are vulnerable to a remote denial-of-service attack via

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

our local database We ran the crawler on our campus serverfor two months and our complete dataset spans two months ofBitcoin network information with an aggregate size of 80GBIn summary we were able to collect the Bitcoin networkinformation sampled at every 10 minutes to analyze consensusdistribution after each published block and at every 1 minuteto observe consensus pruning in the network in-between thepublication of two successive blocks

B MethodologyIn our initial experiments first we cross-validated the infor-

mation provided by Bitnodes We mapped the crawled IP ad-dresses to a commercial-grade geo-mapping dataset obtainedfrom Digital Envoy (DE) [42] The DE dataset mapping ofBitnodes IP addresses validated the information in our datasetregarding ASes and organizations After establishing datareliability we performed a series of experiments to analyzethe configuration of the network and the distribution of nodesacross ASes and organizations The initial results gave us aholistic view of the network and its centralization which weused to describe spatial partitioning attacks

Next we analyzed the consensus distribution among nodesbased on their view of the blockchain We recorded the latestblock published by miners in the network and the most recentblock that every node had The difference between the twodenoted how far behind the node was from the network Asshown in Figure 1 nodes F3 and F4 are 1-2 blocks behindthe main chain Therefore they provide an outdated view ofnetwork to their lightweight nodes This information can beused by the attacker to lure them into a counterfeit networkby feeding them bogus blocks or a different blockchain Weleveraged this information to outline temporal partitioningattacks that can be launched on Bitcoin network to isolatenodes based on their outdated view Our results showed thatdynamics of Bitcoin network are not consistent over time andthere are vulnerable spots for an attacker who can connect toa group of nodes and partition themExperiments and Simulations We modelled and simu-lated partitioning attacks on Bitcoin based on the data thenetwork view and adversarial capabilities Our simulationsaccurately reproduced the vulnerable state of the network thatwas observed in our data analysis By causing non-targetedcommunication errors forks were created that resembled thoseoccurring naturally when the network is not synchronizedBitcoin forks have been observed up to a height of 13 andcan enable double-spending [35] As in the real network thesimulator resolved forks within two or three block intervalswith all nodes joining the longest chain The simulationshowed that partitioning attacks can create and exploit suchforks using targeted communication disruption holding themopen long enough to achieve attack objectives

C Measurements and ObservationsBelow we discuss some key observations we made during

the preliminary analysis on the Bitcoin network on February28 2018 We show the number of full nodes in the networkand their distribution with respect to IP addresses link speedlatency and block index

The network snapshot showed that there were 13635 fullnodes in the Bitcoin network This shows that the size of theactual network is small compared to SPV clients consideringthat Blockchaininfo alone hosts 23ndash5 million users [32] At

TABLE IOVERVIEW NODE CHARACTERISTICS OBSERVED ON FEB 28 2018 NOTETHAT THE IPV4 AND IPV6 NODES ARE SIMILAR IN LINK SPEED (MBPS)LATENCY AND UPTIME INDEX WHILE TOR NODES HAVE MUCH HIGHER

LINK SPEED AND LOW LATENCY

Link Speed Latency Index Uptime IndexType Count micro σ micro σ micro σIPv4 12737 2504 25880 070 045 068 044IPv6 579 2306 24536 086 035 067 042TOR 319 43267 10465 024 025 076 037

the time of data collection 11382 (8347) nodes were upwhile 2253 (1652) nodes were down Only 6155 (4514)nodes had the most updated copy of the blockchain while7480 (5486) were 1 or more blocks behind We also makeuse of peer information maintained by Bitnodes to characterizecertain properties of nodes including the latency index theuptime index and the block index Each of these indicatorscan be used to profile the given node in the network

Among the full nodes 12737 (9341) had IPv4 addresswhile 579 (424) had IPv6 address The remaining 319(233) full nodes had onion addresses meaning that theywere using TOR services to run Bitcoin The average linkspeed of the IPv4 and IPv6 was 2504 Mbps and 2306 Mbpsrespectively Their latency index block index and uptimeindex were also similar to one another On the other handTOR nodes had a high average links speed of 43267 Mbpsapproximately 17 times higher than the average link speed ofIPv4 and IPv6 nodes respectively Consequently they also hadlow latency and higher uptime index We report our findingsfrom preliminary analysis in Table I

V PARTITIONING ATTACKS ON BITCOIN

Based on our preliminary analysis we propose four typesof partitioning attacks that can be launched on the Bitcoinnetwork The fundamental premise of each attack is related tothe spatial positioning of nodes the topological symmetry ofthe network the temporal consensus over the blockchain stateor the client side software used by nodes to run Bitcoin Wedefine these attacks as spatial temporal spatio-temporal andlogical partitioning attacks respectively

A Spatial PartitioningIn this section we analyze the centralization of full nodes

and mining pools across ASes and organizations Towards thatwe revisit the prior work to evaluate the classical attack anddemonstrate that over time the Bitcoin network has furthercentralized and become more vulnerableAttack Objectives The objective of spatial partitioning is toisolate Bitcoin nodes The objective can be purely to isolateminers and restricting their access to the network or eclipsingan entire AS that hosts a large fraction of nodes A mining poolmight launch such an attack against its competitor to increaseits chances to publish more blocks A competing cryptocur-rency can launch this attack to affect Bitcoinrsquos reputationAttack Procedure In Figure 2 we provide an illustrationof a BGP attack which can be launched by a maliciousorganization or an AS In this attack the malicious ASannounces prefixes that belong to the victim AS As shownFigure 2 organizations D and E can launch BGP attacksagainst organization F and B respectively by broadcastingmore specific prefixes Moreover the attack can be mademore targeted by announcing prefixes addressing only Bitcoin

AS100 17000116

AS200 19000116

AS600 220500016 AS-700 230500016

AS300 180500016

AS500 2005050024

AS4002105050024

A B

C D

BGP Routing Among ASes

AS600 2205050024

AS-700 2305050024

AS500 200500016

AS400210500016

E

F

BGP Hijacking by D and E

Fig 2 Network topology consisting of organizations ASes and full nodesOrganizations D and E can launch BGP attacks against F and B respectively

TABLE IIA VIEW OF TOP TEN ASES AND ORGANIZATIONS IN BITCOIN ON

FEBRUARY 28TH 2018 THE TABLE SHOWS THAT BITCOIN IS MORECENTRALIZED WITH RESPECT TO ORGANIZATIONS THAN ASES AS24940

INTERCEPTS THE MAXIMUM BITCOIN TRAFFIC

ASes of Nodes Total Nodes Organizations of Nodes Total Nodes AS24940 1030 754 Hetzner Online GmbH 1030 754AS16276 697 511 Amazoncom Inc 756 554AS37963 640 469 OVH SAS 700 513AS16509 609 447 Hangzhou Alibaba 640 469AS14061 460 337 DigitalOcean LLC 503 369AS7922 414 304 Comcast Communication 414 304AS4134 394 289 No31 Jin-rong Street 394 289TOR 319 234 TOR 319 234AS51167 288 211 Contabo GmbH 288 211AS45102 279 205 Alibaba (China) 279 205

nodes This attack relies on two major factors the total numberof ASes and organizations and the total number of nodeshosted in each of them In particular if the total numberof ASes and organizations hosting full nodes is large theattack becomes costly Similarly if the number of nodes isconcentrated within a few ASes that makes a better targetrather than attacking arbitrary ASes with fewer nodes Toevaluate that we carried out two experiments to observethe total number of ASes hosting Bitcoin nodes and thedistribution of nodes among those ASesPractical Considerations Our results show that the fullnodes in Bitcoin are highly centralized at the AS and organi-zation level Compared to [3] the network has become evenmore centralized and more vulnerable to BGP hijacking androuting attacks In particular we observed that among the totalof 84903 ASes in the world [45] only 8 (00094) ASeshost 30 Bitcoin nodes 24 (0028) ASes host 50 while1660 (195) ASes host 100 Bitcoin nodes This shows asignificant difference in the number of ASes that host 50 and100 full nodes To understand that we plot CDF of ASesthat host the traffic of full nodes in Figure 3

Similarly we observed that the top 8 organizations in-tercepted 30 Bitcoin traffic and the top 13 organizationsintercepted 50 traffic collectively We also noticed that eachorganization controlled one or more ASes alluding to thepossibility of a fine-grained partitioning attack

In Table II we show the top 10 ASes and organizationsalong with the percentage of total nodes that they host Wegroup TOR nodes and treat them as a single AS AS24940hosts 754 nodes and its corresponding organization HetznerOnline also hosts 754 nodes meaning that the Bitcoin trafficrouted by Hetzner Online entirely goes through AS24940On the other hand Amazoncom routes 554 of the trafficwhile AS16276 intercepts 511 traffic This shows thatAmazoncom owns another AS besides AS16276 that alsoroutes traffic This model can be observed in Figure 2

As outlined in Figure 3 50 of the Bitcoin networkis hosted by 21 organizations and 24 ASes respectivelyMoreover 30 of the traffic is hosted by 8 organizations andASes respectively Prior work [3] done in 2017 showed that

0

02

04

06

08

1

0 2 4 6 8 10 12 14 16

CD

F o

f F

ull

Nodes

ASes and Organizations (x100)

OrganizationsASes

Fig 3 CDF of the Bitcoin full nodes in ASes and organizations

TABLE IIIDISTRIBUTION OF BITCOIN FULL NODES OVER TIME

2017 2018 Change ASes with 50 nodes 50 24 52ASes with 30 nodes 13 8 38

50 of the network was hosted by 50 ASes and 30 of thenetwork was hosted by 13 ASes To understand the changein the network let N1 be the number of nodes comprisingp of the network in 2017 Let N2 be nodes comprisingthe same p of the traffic in 2018 We define the changein the centralization of the network as C = (N1minusN2)times100

N1 and provide the results of change in Table III Notice thatover one year 50 nodes have been centralized by a factorof 52 The prior work did not look into the distribution ofnetwork with respect to organizations so we do not have abaseline for comparison Although it can be observed fromour data and plots that full nodes are more concentrated atthe organization level

Mining pools are another important part of Bitcoin sincethey are responsible for extending the blockchain and main-taining its state Mining pools consist of miners on the Internetcommunicating via a special mining protocol known as theldquoStratum Mining Protocolrdquo [14] All miners compute PoW andsend the result to the stratum server address specified by themining pool The stratum address is made public by the miningpool As such if the link to the stratum server is compromisedthe mining pool gets disconnected and its aggregate hash ratedecreases To analyze the distribution of stratum servers wecarried out two experiments First we gathered informationabout major mining pools in Bitcoin and their hash rate fromBlockchaininfo [8] results are reported in Table IV Nextwe selected the top 5 mining pools which had an aggregatehash rate of 65 of the total in the Bitcoin network We thencollected the stratum address of the selected mining pools fromtheir websites and traced the IP address corresponding to eachstratum address [9] [2] [22] We mapped each IP address tothe AS hosting the stratum server We found that 3 ASes had65 of Bitcoin mining pool traffic while one organizationldquoAliBabardquo alone had more than 50 of the Bitcoin miningpool traffic We report our results in Table IV In the lightof our threat model and given an adversary capable of BGPhijacking policy enforcement at an organization level orcollusion having an organization hosting more 50 of themining power makes such an attack even more effectiveAttack Validation In this section we will validate ourobservations and hypothesis regarding BGP hijacking on Bit-coin ASes and organizations BGP routing attacks on Internethappen frequently In 2008 a service provider from Pakistanhijacked Youtube traffic by announcing more specific BGPprefixes than the ones announced by Youtube [28] Similarly

TABLE IVTOP 5 MINING POOLS PER HASH RATE ASES AND ORGANIZATIONS657 MINING DATA GOES THROUGH ONLY THREE ORGANIZATIONSALIBABA HAS A VIEW OF AT LEAST 60 OF THE MINING DATA WE

EXCLUDE THE REMAINING 12 MINING POOLS FROM THE STUDY AS THEIRTOTAL CONTRIBUTION TO HASH RATE IS MINIMAL

Mining Pool H Rate ASes OrganizationsBTCcom 25 AS37963 Hangzhou Alibaba

AS45102 AliBaba (China)Antpool 124 AS45102 AliBaba (China)ViaBTC 117 AS45102 AliBaba (China)BTCTOP 103 AS45102 AliBaba (China)

F2Pool 63 AS45102 AliBaba (China)AS58563 Chinanet Hubei

12 others 343 mdash mdash

0

02

04

06

08

1

0 20 40 60 80 100 120 140 160

Fra

ction o

f N

odes H

ijacked

Number of BGP Hijacks

AS24940 (51 prefixes)AS16276 (104 prefixes)AS37963 (454 prefixes)

AS16509 (2969 prefixes)AS14061 (1430 prefixes)

Fig 4 CDF of top 5 ASes vulnerable to BGP attacks The key shows totalBGP prefixes announced by AS For 8 ASes 80 nodes can be isolated byhijacking 20 BGP prefixes

in 2014 a Canadian ISP hijacked prefixes of 19 organiza-tions hosting Bitcoin traffic including Amazon OVH DigitalOcean LeaseWeb and Alibaba [29] In 2017 alone 14000BGP attacks were launched against major ASes [46]

To validate the attack and its impact we selected the top5 ASes from Table II and enumerated the IP addresses offull nodes hosted by these ASes Next we grouped the IPaddresses based on the BGP prefixes announced by each ASWe then calculated the number of BGP prefixes required toisolate a percentage of full nodes hosted by the AS As a resulta group of full nodes sharing the same BGP prefix can allbe compromised if the BGP prefix is hijacked We report ourfindings in Figure 4 where we show that except for AS1650995 of full nodes in all other ASes are vulnerable oncefewer than 40 BGP prefixes are hijacked AS24940 whichhosts 1030 nodes can be compromised by hijacking only 15BGP prefixes while it takes more than 140 BGP prefixesto compromise AS16509 which hosts 609 nodes Taking thenumber of isolated nodes as an advantage and the number ofprefixes to be hijacked as an effort AS24940 will be morecostly with smaller advantage than AS16509Implications Spatial partitioning is detrimental to the Bitcoinnetwork as it facilitates other major attacks including double-spending attacks eclipse attacks and the 51 attack Asshown in Table IV if an attacker hijacks 3 ASes he can isolatemore than 60 of the Bitcoin hash power As Figure 4 showsthat by hijacking 15 BGP prefixes the attacker can cut 95traffic of AS24940 that hosts 1030 full nodes By isolating thehash power an attacker can cause delays in the block creationand the transaction confirmation

If the attacker is a mining pool with lower hash rate itcan launch the attack on competing mining pools and deprivethem of their mining rewards By isolating a majority of thenetworkrsquos hash power the attacker can launch the 51 attackon Bitcoin which will grant him a permanent control overthe blockchain Furthermore in peer-to-peer settings nodesare responsible to relay blocks and transactions to each other

By hijacking a subset of nodes the attacker can introduce acascade effect in which propagation of blocks and transactionscan be stalled the attacker does not have to isolate all nodes byhijacking all BGP prefixes in an AS Isolating a major subsetof nodes can eclipse the entire AS

B Temporal PartitioningTemporal partitioning involves isolation of a group of nodes

in the network that are some blocks behind the rest of thenetwork As shown in Figure 1 three nodes have the mostupdated copy of the blockchain while nodes F3 and F4 are 1ndash2 blocks behind These nodes might be behind the main chaindue to a number of reasons such as the network latency a lowbandwidth software malfunctions or a malicious peer There-fore these nodes have an outdated view of the blockchainand remain vulnerable to partitioning attacks In Figure 5 weprovide an abstraction of the temporal attack that exploits thevulnerable nodes and introduces a soft fork in the networkAttack Objectives The objective of the temporal partitioningis the isolation and subversion of nodes or a group of nodeswithin the network Latency in updating the blockchain is awell known vulnerability of Bitcoin which is confirmed inour data Propagation delays are known to be key contributorstowards the latency [19] Propagation delays are influenced bythe number of hops between nodes due to sparse peering andthe time required by software clients to verify and forwarda block Solutions have been proposed that cluster nodesto reduce latency [49] [23] but the authors note this mayincrease the potential for partitioning attacks This indicatesa trade-off between spatial and temporal vulnerability Alsocontributing to the node latency are communication failuresand the behavior of nearby peers The adversary would seekto disrupt communication and control peers where the attackis launched It is inexpensive to setup new nodes on theBitcoin network for this purpose The adversary would wantto separate and control nodes which are not up to date withthe main network Under normal operation those nodes mighteventually catch up with the network but an adversary willprevent that from happeningAttack Procedure Analysis of Bitcoin nodes over a periodof days shows several times a day when a significant fractionof nodes are not up-to-date We report our findings in Figure 6In Figure 6 the x-axis denotes a time-index for networkobservations (one observation every 10 minutes in Figure 6(a)and Figure 6(b) and one every minute in Figure 6(c)) The y-axis is stacked meaning that curves are cumulative The greenpart shows nodes that are up-to-date the yellow part showsnodes that are 1 block behind and the purple part shows nodesthat are 2-4 blocks behind The remaining colors and theirdescriptions are in the figure

From Figure 6(a) we were able to make following obser-vations 1) Generally a majority of nodes (asymp 50) remainssynchronized on the blockchain state These nodes do not lagbehind in the main chain for a long duration 2) 10 nodes areforever behind the main blockchain They do not update theirblockchain and as such they have no benefit in the network3) 30-40 nodes in Bitcoin occasionally waver in terms oftheir view of the blockchain Possibly due to network latencyor consensus delay they lag behind the most recent block

To further study the distribution of consensus in the net-work we take a single day snapshot of the network to observeconsensus pruning among all nodes From the view of an

Synced Nodes

Behind Nodes

Attacker

Partitioned Blockchain

Fig 5 An illustration of the temporal attack The attacker establishes connections with nodes and identifies vulnerable nodes that have an outdated viewVulnerable nodes have have not been provided new blocks by surrounding peers which shows their weak relationshipconnectivity We annotate this weakrelationship with dotted lines The attacker feeds his copy of blocks to vulnerable nodes thereby partitioning the network into two conflicting chains

0 1000 2000 3000 4000 5000Complete View (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(a) General trend of the network

0 20 40 60 80 100 120 140One Day Snapshot (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(b) One day snapshot

0 50 100 150 200 250Data Points (One Minute Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(c) Consensus between block propaga-tion

Fig 6 Temporal consensus in Bitcoin network Y-axis denotes number of nodes in 1000 In each figure green region denotes the up-to-date blocks Yellowregion denotes 1 block behind Purple blue and magenta regions represent nodes that are 2ndash4 5ndash10 and ge 10 blocks behind respectively Figure 6(a) showsthe overall network Figure 6(b) shows a day (March 25) that offers greater attack opportunity and Figure 6(c) shows consensus pruning during 10 minutes

attacker with higher granularity there is a better vantage pointto attack a group of nodes Focusing on a single day shownin Figure 6(b) we observed that some yellow and purple spikesare larger and wider than others The height of a spike denotesthe count of nodes that are behind the updated nodes whilethe width indicates the length of time for which they remainbehind the updated nodes

From Figure 6(b) with a closer look at the network wemade the following observations 1) Consensus pruning is notuniform across the network 2) The most frequent delay amongthe blocks is 1 block indicated by yellow region followed2-4 blocks indicated by the purple region 3) On variousoccasions yellow and purple spikes can reach up to 7000nodes approximately 90 of the network can be partitionedif an attacker isolates them

In Bitcoin on average a block is published after every 10minutes Once a block is published ideally the network isexpected to be synchronized within 10 minutes before thenext block is computed However network synchronizationis an artifact of time and fairness of the network In theprevious two experiments we observed that with fine grainedsampling on a given day the attacker can isolate a group ofnodes which are behind the main chain To further analyzethis behavior we performed another experiment that involvedper-minute sampling of network Our objective was to observethe distribution of consensus among peers immediately afterbroadcast of one block and before the broadcast of the nextone We plot the results obtained from the third experimentin Figure 6(c) It can be observed in the figure that thereare vulnerable spots in the network in which up to 90 ofthe network is 1-4 blocks behind As such the non-uniformconsensus pruning presented itself as an attack opportunitywhereby an attacker can find a time window to isolate agroup of targeted nodes In Figure 6(c) the width of nodesthat are behind show the attack time window while the heightrepresents the number of vulnerable nodes

This becomes an optimization problem to find the momentwhere a majority of nodes is behind for the longest attack

TABLE VTHE MAXIMUM NUMBER OF VULNERABLE NODES

T (minutes) ge 1 block ge 2 blocks ge 5 blocks

5 6280(6267) 3206(3199) 966(968)10 1761(2713) 1189(1187) 955(953)15 1141(1139) 1083(1081) 952(1200)20 1109(1397) 1023(1576) 947(1193)25 1070(1068) 1013(1561) 942(940)30 1042(1039) 984(982) 942(939)40 1040(1037) 984(982) 940(938)70 1036(1034) 976(974) 929(927)

200 908(908) 887(882) 821(816)

window The attackerrsquos timing constraints include the time tocalculate false blocks and establish connections to vulnerablenodes Hence to identify vulnerable nodes we formulate thetemporal attack as an optimization model Given a timestampt and a timing constraint T find the maximum number ofvulnerable nodes whose lagging time L(t) is at least TLagging time L(t) of a node is defined as minimum timing forthis node to catch up to the main blockchain if it lags behindat t The objectives of this formulation are as follows 1) Byidentifying maximum nodes that were lagging concurrentlyattacker could isolate them and mislead them with false blocks2) By investigating all possible timestamps an attacker couldfind an optimal time to attack those nodes

We identify nodes whose historical behaviors show theirvulnerability to temporal attacks and record their resultsin Table V Note that at any time the total number of nodesin Bitcoin fluctuates between 8kndash13k For any time windowwe are interested in finding the maximum percentage ofvulnerable nodes for that window As such the normalizationparameter represented by the total number of nodes at thattime may change which results in an increasing percentagefor a decreasing number of nodes in Table V For instancefor 6280 nodes the total number of nodes was 10020 whichis about 6267 On the other hand for 908 nodes the totalnumber of nodes was 10000 which approximates to 908We tested with a variety of timing constraints T and presentthe results that best suit the attacker The first column showsdifferent T values the secondthirdforth columns show the

maximum number of nodes that lag behind main chain for atleast 125 blocks respectively The decreasing of maximumnumber of nodes along with the increasing of timing con-straint shows the fact that the longer time it takes to implementan attack the fewer choice of vulnerable nodes is availableWe noticed that there were moments in which a majority ofnodes in the network (ge 50) was at least 1 block behind formore than 5 minutes and up to 20 nodes lagged behind themain chain for more than 15 minutes

With this information we perform a theoretical analysison the timing threshold T that is suitable for the attacker toisolate a targeted set of m nodes We assume the attackerwants to isolate m nodes which requires the attacker to createconnections to these nodes and feed them its own versionof block We model the required timing for this process asan exponential distribution by rate λ In 2015 the Bitcoincommunity switched from a traditional gossip-style protocolknown as trickle spreading to diffusion spreading in which theinformation propagates with independent exponential delaysThis method of modeling Bitcoin connections has been usedin prior work as well by Fanti et al [24] Using that thetiming of the attacker to connect to a node is

f(t) = λeminusλt F (t) = 1minus eminusλt (1)

where f(middot) F (middot) are probability density and cumulative dis-tribution functions Given timing assigned to isolate m nodesis T = (t1 tm) The probability that an attacker isolates mnodes under T derived from Cauchy inequality theorem is

ρ(T ) =mprodi=1

(1minus eminusλti) le(1minus

summi=1 e

minusλti

m

)m(2)

Theorem 1 (Cauchy Theorem) Let x1 x2 xn are n non-negative numbers then

nprodi=1

xi le(sumn

i=1 xin

)nlesumni=1 x

ni

n(3)

Both equalities occur if and only if x1 = x2 = = xnNow consider a timing constraint T in which the attacker

wants to isolate all m nodes This means that the timingassignment T should satisfy

summi=1 ti le T So

ρ(T ) le (1minus eminus λm T)m (4)

With timing constraint T the attacker will have at most(Tm

)choices for timing assignment T By union bound the

probability p to isolate m nodes within T is bounded by

p le b(m T) =

(T

m

)(1minus eminus λ

m T)m (5)

Given m b() is monotonically increasing by T Thereforegiven a successful probability p we can infer a lower boundof T by binary bisection We experiment with the relationshipamong values of m T and λ We set the targeted successfulrate of attacker p as 08 and test it with various values ofλ The results are recorded in table VI Column labels showdifferent values of m nodes that the attacker aims to isolateand row labels show values of λ Values in each cell denotethe bound of T such that within this bound the attacker canisolate m nodes under delay rate λ with probability of at least08 For example with λ = 08 and m = 500 it would takeonly 589 seconds (approximately 10 minutes) to isolate all m

TABLE VIMINIMUM TIMING CONSTRAINT T (SECONDS) TO ISOLATE m NODES

UNDER THE GIVEN RATE λ

λm

100 300 500 800 1000 1200 1500

04 142 424 705 1127 1610 2313 351705 133 397 661 1057 1320 1851 281406 127 379 630 1007 1258 1545 234507 122 365 607 970 1213 1455 201008 119 354 589 942 1177 1412 176509 116 346 575 920 1149 1379 1723

nodes with probability at least 08 500 is much smaller thannumber of vulnerable nodes in 10 minutes timing constraint(from table Table VI there can be 1761 vulnerable nodeswithin T = 10 minutes) Therefore we conclude that Bitcoinis highly vulnerable to temporal attacksSimulation and Attack Validation To validate the insightsobtained from our data and theoretical analysis we developeda simulation model in R to test temporal attacks The simulatorwas tested in base simulation scenarios such as zero and per-fect communication among nodes As an internal error checkand to make the simulation more realistic each simulated nodemaintains a 64-bit MD5 hash linked chain of values updated toits current fork By adjusting parameters the simulation wascapable of accurately representing the state of the network aswe observed in our dataset

The default number of Bitcoin peers is 8 which is used inour simulation Studies have shown that peers are distributedand can be associated with any AS [23] Our experimentaldata confirmed this distribution Following this the peerswere evenly distributed in terms of communication errors andlatency Peer communication failure rate is represented by amodel parameter typically around 10 percent failures Thelatency is represented by the number of communication timesteps per simulation block This is scaled according to thesimulation size Each time step represents one peer-to-peercommunication attempt for each node

The simulation was used to model information flow throughthe network under different attack scenarios A network of10000 nodes can be simulated using a square grid of size 100We ran simulations using the entire network For clarity a gridof size 25 (116 of the active nodes) is shown in the figuresThis grid ran faster is easier to read and well simulated exper-imental results Using different scaled network simulations wediscovered that the upper limit of Decker and Wattenhoferrsquosnode propagation delay Tdelay can be expressed as a ratio ofthe block interval divided by the network diameter Taking theinverse of this ratio we arrive at a non-dimensional parameterthe span ratio representing how many times information cantravel from one side of the Bitcoin network to the other duringthe block interval Assuming a square grid network diameter isproportional to the square root of the number of nodes A givenspan ratio Rspan with the Bitcoin block interval Tblock thusyields a maximum propagation delay to maintain the state of anetwork of N nodes Tdelay = Tblock(Rspan lowastN05) As theBitcoin network grows a smaller propagation delay is requiredto synchronize peers Specifically Tdelay is inversely related tothe square root of the number of nodes The maximum valueof Rspan in simulation was 20 corresponding to a 3 secondinterval per peer communication in the actual network of10000 nodes With reasonable values for the communicationfailure such a small time step resulted in a network that wasfully updated between blocks Therefore Rspan = 20 is agood target for blockchain synchronization

(a) Time Step 151 (b) Time Step 201 (c) Time Step 251

Fig 7 Simulation of temporal attack Figure 7(a) shows fork B emerging at node [77] Compare the color distribution to the peaks of Figure 6(c) aboveTwo blocks later in Figure 7(b) fork B has control of 16 of the nodes In Figure 7(c) the longer chain A overwhelms fork B but has lost synchronizationso cannot prevent emergence of a new fork C

Figure 7 shows a sample of results obtained from simula-tion where the attacker has 30 of the network hash rateOnce a portion of the network is isolated it can be sustainedwith successive forks since the isolated nodes naturally as-sume that block delays are due to network issues As suchthey do not know that new blocks are taking more time tocalculate due to the lower hash rate of the attacker Meanwhilethe main chain loses some of its hash rate and is thereforeless capable of responding Note that the cost of launching atemporal attack is much less than the spatial attack providedthat the attacker has the consistent view of the network asshown in Figure 6Implications Even a short term fork in the network wouldcause sufficient disruption to invalidate transactions Suchan attack is likely to result in significant loss to networkstakeholders Quantifying the impact of adverse events onBitcoin has been inconclusive [25][20] and is dependent uponuser perception [43] However once the targeted nodes areisolated as shown in Figure 5 the soft fork will create atemporary partition in the network The isolated nodes willbe following a counterfeit blockchain with different transac-tions from the main chain Therefore when nodes recoverfrom the fork the attackerrsquos blocks will be rejected and alltransactions belonging to legitimate users in those blocks willalso be reversed This will require a major update on the setof all UTXOrsquos at each node and a system-wide check onthe transactions being reversed Standing out in our analysisis the observation that Bitcoin has a level of asymmetricvulnerability With a market capitalization of o(1011) USD andnetwork configuration of o(104) nodes each full node is wortho(107) USD However the cost of disrupting the network isfar less than the value being impacted which makes Bitcoinan economically attractive target for temporal attacks

C Spatio-temporal PartitioningIn this section we analyze how an attacker can make use

of spatial and temporal distribution of nodes over time tofind vulnerable spots in the network through which he caneffectively isolate a group of nodes From our data analysiswe found the feasibility and cost of this attack compared tospatial and temporal partitioning Saptio-temporal analysis alsoprovides insights into the general behavior of nodes within anAS or an organization Therefore it is intuitive to investigatethe attributes of the overall topology of Bitcoin network inrelation to the ASes and organizationsAttack Objectives In this attack the aim of the adversaryis to split the network based on the networkrsquos vulnerability toboth the spatial and temporal partitioning As shown in Fig-ure 6(a) and Figure 6(b) the purple and yellow nodes are

vulnerable to temporal attacks However the attacker cannotlaunch the same attack on nodes lying in the green region(synced nodes) since they are up-to-date and will reject a falseblock These nodes can still be partitioned based on the BGPattack presented in spatial partitioning A combined effect ofboth attacks will be an optimized and targeted attack that willaffect the entire Bitcoin network

It is worth mentioning that for a BGP attack on nodes withinthe green region the attacker does not have to isolate all targetnodes Since these up-to-date nodes are connected with eachother therefore an attack on a subset of nodes can have acascade effect thereby compromising all other nodesAttack Procedure and Validation For a successful attackthe attacker will need information about the ASes and or-ganizations of the synced nodes as well as nodes that arebehind The feasibility of this attack depends on the adversarialcapabilities of the attacker To analyze that we elaborate thenetwork behavior from Figure 6(b) in Figure 8(a) The greenline indicates the number of nodes that are synced whileyellow and purple lines show nodes that are 1 block and 2ndash4blocks behind respectively

Per our threat model if the attacker is an AS it will preferto hijack BGP prefixes to damage Bitcoin As such it willprefer maximum nodes in the green region and minimumnodes in yellow and purple region to maximize the attackseverity If the attacker is a mining pool then it will launcha temporal attack and will prefer minimum nodes in greenregion and maximum nodes in other regions However ifthe attacker is a cloud service provider that has both routingand mining capabilities then it can launch both spatial andtemporal attacks Therefore the key aspect of spatio-temporalattack is that it is adjustable to the capabilities of an attacker

Although multiple attack scenarios and case studies canbe drawn for spatio-temporal partitioning but in the interestof space we illustrate one case study From our simulationswe observed that the temporal partitioning forks the networkat a faster rate than spatial attacks Therefore we assume acase in which cloud provider waits for minimum number ofsynced nodes and launches a spatio-temporal attack As seenin Figure 8(a) at two instances the number of synced nodesfalls as low as 3000 while the number of nodes that are 2ndash4 blocks behind go as high as 6000 nodes This can serveas an ideal attack opportunity to launch the spatio-temporalattack To isolate synced nodes the attacker needs to haveinformation about their ASes To analyze that we gatheredinformation about synced nodes and their corresponding ASesand organizations In Table VII we enlist the top 5 ASes andorganizations that hosted most synced nodes in Figure 8(a)

0

2000

4000

6000

8000

10000

12000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

Synced Nodes1 Block Behind

2-4 Block Behind

(a) One day snapshot

0

200

400

600

800

1000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS4134

AS24940

(b) Top 1-2 synced nodes ASes

0

100

200

300

400

500

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS16276

AS16509

AS14061

(c) Top 3-5 synced nodes ASesFig 8 Spatial and temporal distribution of nodes for the day defined in Figure 6(b) For the synced nodes in Figure 8(a) we outline their distribution acrosstop five ASes in Figure 8(b) and Figure 8(c) On average AS4134 hosts most of the nodes

TABLE VIITOP 5 ASES THAT HOSTED ALL THE SYNCHRONIZED NODES

IN FIGURE 6(B) FOR 24 HOURS

AS Organization Nodes PercentageAS4134 No31 Jin-rong 993 957AS24940 Hetzner Online 830 798AS16276 OVH SAS 530 522AS16509 Amazoncom 417 419AS14061 DigitalOcean 332 323

We observed that 28 of synced nodes are hosted withinthe top 5 ASes We plot their hosting pattern over a full dayin Figure 8(b) and Figure 8(c) The cloud provider can spatiallyattack synced nodes by hijacking five ASes and temporallyattack the remaining nodesImplications Spatio-temporal attack is an optimized andtargeted attack that provides multiple attack opportunities to astrong adversary to take down the network with minimal effortAs demonstrated by our results in Figure 8 at a given timemore than 50 of nodes can be behind the main blockchainand vulnerable to temporal attacks Moreover at the sametime the remaining synced nodes can be attacked by hijackingBGP prefixes of their hosting ASes and organizations Theattacker can select a suitable trade-off between the laggingnodes and synced nodes based on the attackerrsquos capabilitiesand disrupt the network For a successful attack on syncednodes the attacker may just have to isolate a small number ofnodes that relay blocks to each other and due to the cascadeeffect remaining nodes will eventually collapse As such ifthe number of full nodes is small in a cryptocurrency suchas Bitcoin Cash or Litecoin the attacker can compromise theentire cryptocurrency by affecting the flow of valuable dataincluding transactions and blocks

D Logical Partitioning

The Bitcoin network is actuated by communication amongpeers each of which is a full node running software thatconforms to a protocol The protocol is defined by an opensource software project Bitcoin Core initially published bySatoshi Nakamoto on January 9 2009 [12] Since 2009 therehave been over 40 updates to Bitcoin Core with the latestv0160 released in February 2018 New versions build uponprevious ones with improved security performance and func-tionality Since the Bitcoin network is open to any client thatsatisfies the network protocol peers can run modified softwareOptional features such as SegWit [1] are implemented in thisway compatible with Bitcoin Core

Table VIII shows the distribution of Bitcoin software at thetime of our data collection along with their release date andpercentage of users We observed that 288 Bitcoin softwarevariants are used by full nodes The latest version of Bitcoin

TABLE VIIITOP 5 SOFTWARE VERSIONS USED BY BITCOIN FULL NODES ALONG WITH

THEIR RELEASE DATE LAG FROM THE DATE OF COLLECTION IN DAYSAND PERCENTAGE OF USERS

Index Version Release Date Lag Users 1 B Core v0160 02-26-2018 59 36282 B Core v0151 11-11-2017 166 27523 B Core v01501 09-19-2017 219 5014 B Core v0142 06-17-2017 313 4675 B Core v0150 04-22-2017 369 205

Core 0160 is used by only 36 of the nodes while 27use version 0151 The remaining 37 of the network uses286 different software clientsAttack Objectives The objective of the attacker would be togain the confidence of full nodes Changes may be subtle andnot perceived as threats Diverse incentives may be employedfor adoption In our scenario the attackerrsquos influence overthe software would be sufficient to optimize and magnify theeffects of the attackAttack Procedure Peer ldquodemocracyrdquo in software selectionhas served well but is vulnerable to attacks Over time amodified software variant might gain popularity by offeringbetter performance and features One example is Falcona custom Bitcoin client run by 10 nodes Falcon providesfaster connectivity and minimum delay during transactionpropagation [55] Falcon is not malicious but it demonstratesthe independence of peers to run a client that is not part ofBitcoin Core A hypothetical client that economizes the costof running a full node might gain general acceptance whileat the same time reducing the cost of controlling a significantportion of the network

In a more subtle scenario a malicious entity with cooperat-ing peers could modify the Bitcoin Core software after down-load The modifications may be surreptitious or proclaimedto be enhancements Nodes influenced by the attacker wouldseem normal but would be used to facilitate an attack Asimple example of permissible client modification would beto increase the number of peer connections [11] and help thespread of malicious blocks

In either case the software would provide a platform toenhance the partitioning attack During the attack modifiedclients could steal bitcoins from connected wallets isolatepeers from the network propagate false information in thenetwork and cause DoS attacks on neighboring peers Tofurther analyze vulnerabilities associated with Bitcoin softwareclients we mapped known client versions to the NationalVulnerability Database (NVD) From NVD we obtained 36reported vulnerabilities along with the vulnerability ID thepublishing date and the CVSS severity For instance avulnerability with ID CVE-2018-17144 shows that Bitcoinclients are vulnerable to a remote denial-of-service attack via

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

AS100 17000116

AS200 19000116

AS600 220500016 AS-700 230500016

AS300 180500016

AS500 2005050024

AS4002105050024

A B

C D

BGP Routing Among ASes

AS600 2205050024

AS-700 2305050024

AS500 200500016

AS400210500016

E

F

BGP Hijacking by D and E

Fig 2 Network topology consisting of organizations ASes and full nodesOrganizations D and E can launch BGP attacks against F and B respectively

TABLE IIA VIEW OF TOP TEN ASES AND ORGANIZATIONS IN BITCOIN ON

FEBRUARY 28TH 2018 THE TABLE SHOWS THAT BITCOIN IS MORECENTRALIZED WITH RESPECT TO ORGANIZATIONS THAN ASES AS24940

INTERCEPTS THE MAXIMUM BITCOIN TRAFFIC

ASes of Nodes Total Nodes Organizations of Nodes Total Nodes AS24940 1030 754 Hetzner Online GmbH 1030 754AS16276 697 511 Amazoncom Inc 756 554AS37963 640 469 OVH SAS 700 513AS16509 609 447 Hangzhou Alibaba 640 469AS14061 460 337 DigitalOcean LLC 503 369AS7922 414 304 Comcast Communication 414 304AS4134 394 289 No31 Jin-rong Street 394 289TOR 319 234 TOR 319 234AS51167 288 211 Contabo GmbH 288 211AS45102 279 205 Alibaba (China) 279 205

nodes This attack relies on two major factors the total numberof ASes and organizations and the total number of nodeshosted in each of them In particular if the total numberof ASes and organizations hosting full nodes is large theattack becomes costly Similarly if the number of nodes isconcentrated within a few ASes that makes a better targetrather than attacking arbitrary ASes with fewer nodes Toevaluate that we carried out two experiments to observethe total number of ASes hosting Bitcoin nodes and thedistribution of nodes among those ASesPractical Considerations Our results show that the fullnodes in Bitcoin are highly centralized at the AS and organi-zation level Compared to [3] the network has become evenmore centralized and more vulnerable to BGP hijacking androuting attacks In particular we observed that among the totalof 84903 ASes in the world [45] only 8 (00094) ASeshost 30 Bitcoin nodes 24 (0028) ASes host 50 while1660 (195) ASes host 100 Bitcoin nodes This shows asignificant difference in the number of ASes that host 50 and100 full nodes To understand that we plot CDF of ASesthat host the traffic of full nodes in Figure 3

Similarly we observed that the top 8 organizations in-tercepted 30 Bitcoin traffic and the top 13 organizationsintercepted 50 traffic collectively We also noticed that eachorganization controlled one or more ASes alluding to thepossibility of a fine-grained partitioning attack

In Table II we show the top 10 ASes and organizationsalong with the percentage of total nodes that they host Wegroup TOR nodes and treat them as a single AS AS24940hosts 754 nodes and its corresponding organization HetznerOnline also hosts 754 nodes meaning that the Bitcoin trafficrouted by Hetzner Online entirely goes through AS24940On the other hand Amazoncom routes 554 of the trafficwhile AS16276 intercepts 511 traffic This shows thatAmazoncom owns another AS besides AS16276 that alsoroutes traffic This model can be observed in Figure 2

As outlined in Figure 3 50 of the Bitcoin networkis hosted by 21 organizations and 24 ASes respectivelyMoreover 30 of the traffic is hosted by 8 organizations andASes respectively Prior work [3] done in 2017 showed that

0

02

04

06

08

1

0 2 4 6 8 10 12 14 16

CD

F o

f F

ull

Nodes

ASes and Organizations (x100)

OrganizationsASes

Fig 3 CDF of the Bitcoin full nodes in ASes and organizations

TABLE IIIDISTRIBUTION OF BITCOIN FULL NODES OVER TIME

2017 2018 Change ASes with 50 nodes 50 24 52ASes with 30 nodes 13 8 38

50 of the network was hosted by 50 ASes and 30 of thenetwork was hosted by 13 ASes To understand the changein the network let N1 be the number of nodes comprisingp of the network in 2017 Let N2 be nodes comprisingthe same p of the traffic in 2018 We define the changein the centralization of the network as C = (N1minusN2)times100

N1 and provide the results of change in Table III Notice thatover one year 50 nodes have been centralized by a factorof 52 The prior work did not look into the distribution ofnetwork with respect to organizations so we do not have abaseline for comparison Although it can be observed fromour data and plots that full nodes are more concentrated atthe organization level

Mining pools are another important part of Bitcoin sincethey are responsible for extending the blockchain and main-taining its state Mining pools consist of miners on the Internetcommunicating via a special mining protocol known as theldquoStratum Mining Protocolrdquo [14] All miners compute PoW andsend the result to the stratum server address specified by themining pool The stratum address is made public by the miningpool As such if the link to the stratum server is compromisedthe mining pool gets disconnected and its aggregate hash ratedecreases To analyze the distribution of stratum servers wecarried out two experiments First we gathered informationabout major mining pools in Bitcoin and their hash rate fromBlockchaininfo [8] results are reported in Table IV Nextwe selected the top 5 mining pools which had an aggregatehash rate of 65 of the total in the Bitcoin network We thencollected the stratum address of the selected mining pools fromtheir websites and traced the IP address corresponding to eachstratum address [9] [2] [22] We mapped each IP address tothe AS hosting the stratum server We found that 3 ASes had65 of Bitcoin mining pool traffic while one organizationldquoAliBabardquo alone had more than 50 of the Bitcoin miningpool traffic We report our results in Table IV In the lightof our threat model and given an adversary capable of BGPhijacking policy enforcement at an organization level orcollusion having an organization hosting more 50 of themining power makes such an attack even more effectiveAttack Validation In this section we will validate ourobservations and hypothesis regarding BGP hijacking on Bit-coin ASes and organizations BGP routing attacks on Internethappen frequently In 2008 a service provider from Pakistanhijacked Youtube traffic by announcing more specific BGPprefixes than the ones announced by Youtube [28] Similarly

TABLE IVTOP 5 MINING POOLS PER HASH RATE ASES AND ORGANIZATIONS657 MINING DATA GOES THROUGH ONLY THREE ORGANIZATIONSALIBABA HAS A VIEW OF AT LEAST 60 OF THE MINING DATA WE

EXCLUDE THE REMAINING 12 MINING POOLS FROM THE STUDY AS THEIRTOTAL CONTRIBUTION TO HASH RATE IS MINIMAL

Mining Pool H Rate ASes OrganizationsBTCcom 25 AS37963 Hangzhou Alibaba

AS45102 AliBaba (China)Antpool 124 AS45102 AliBaba (China)ViaBTC 117 AS45102 AliBaba (China)BTCTOP 103 AS45102 AliBaba (China)

F2Pool 63 AS45102 AliBaba (China)AS58563 Chinanet Hubei

12 others 343 mdash mdash

0

02

04

06

08

1

0 20 40 60 80 100 120 140 160

Fra

ction o

f N

odes H

ijacked

Number of BGP Hijacks

AS24940 (51 prefixes)AS16276 (104 prefixes)AS37963 (454 prefixes)

AS16509 (2969 prefixes)AS14061 (1430 prefixes)

Fig 4 CDF of top 5 ASes vulnerable to BGP attacks The key shows totalBGP prefixes announced by AS For 8 ASes 80 nodes can be isolated byhijacking 20 BGP prefixes

in 2014 a Canadian ISP hijacked prefixes of 19 organiza-tions hosting Bitcoin traffic including Amazon OVH DigitalOcean LeaseWeb and Alibaba [29] In 2017 alone 14000BGP attacks were launched against major ASes [46]

To validate the attack and its impact we selected the top5 ASes from Table II and enumerated the IP addresses offull nodes hosted by these ASes Next we grouped the IPaddresses based on the BGP prefixes announced by each ASWe then calculated the number of BGP prefixes required toisolate a percentage of full nodes hosted by the AS As a resulta group of full nodes sharing the same BGP prefix can allbe compromised if the BGP prefix is hijacked We report ourfindings in Figure 4 where we show that except for AS1650995 of full nodes in all other ASes are vulnerable oncefewer than 40 BGP prefixes are hijacked AS24940 whichhosts 1030 nodes can be compromised by hijacking only 15BGP prefixes while it takes more than 140 BGP prefixesto compromise AS16509 which hosts 609 nodes Taking thenumber of isolated nodes as an advantage and the number ofprefixes to be hijacked as an effort AS24940 will be morecostly with smaller advantage than AS16509Implications Spatial partitioning is detrimental to the Bitcoinnetwork as it facilitates other major attacks including double-spending attacks eclipse attacks and the 51 attack Asshown in Table IV if an attacker hijacks 3 ASes he can isolatemore than 60 of the Bitcoin hash power As Figure 4 showsthat by hijacking 15 BGP prefixes the attacker can cut 95traffic of AS24940 that hosts 1030 full nodes By isolating thehash power an attacker can cause delays in the block creationand the transaction confirmation

If the attacker is a mining pool with lower hash rate itcan launch the attack on competing mining pools and deprivethem of their mining rewards By isolating a majority of thenetworkrsquos hash power the attacker can launch the 51 attackon Bitcoin which will grant him a permanent control overthe blockchain Furthermore in peer-to-peer settings nodesare responsible to relay blocks and transactions to each other

By hijacking a subset of nodes the attacker can introduce acascade effect in which propagation of blocks and transactionscan be stalled the attacker does not have to isolate all nodes byhijacking all BGP prefixes in an AS Isolating a major subsetof nodes can eclipse the entire AS

B Temporal PartitioningTemporal partitioning involves isolation of a group of nodes

in the network that are some blocks behind the rest of thenetwork As shown in Figure 1 three nodes have the mostupdated copy of the blockchain while nodes F3 and F4 are 1ndash2 blocks behind These nodes might be behind the main chaindue to a number of reasons such as the network latency a lowbandwidth software malfunctions or a malicious peer There-fore these nodes have an outdated view of the blockchainand remain vulnerable to partitioning attacks In Figure 5 weprovide an abstraction of the temporal attack that exploits thevulnerable nodes and introduces a soft fork in the networkAttack Objectives The objective of the temporal partitioningis the isolation and subversion of nodes or a group of nodeswithin the network Latency in updating the blockchain is awell known vulnerability of Bitcoin which is confirmed inour data Propagation delays are known to be key contributorstowards the latency [19] Propagation delays are influenced bythe number of hops between nodes due to sparse peering andthe time required by software clients to verify and forwarda block Solutions have been proposed that cluster nodesto reduce latency [49] [23] but the authors note this mayincrease the potential for partitioning attacks This indicatesa trade-off between spatial and temporal vulnerability Alsocontributing to the node latency are communication failuresand the behavior of nearby peers The adversary would seekto disrupt communication and control peers where the attackis launched It is inexpensive to setup new nodes on theBitcoin network for this purpose The adversary would wantto separate and control nodes which are not up to date withthe main network Under normal operation those nodes mighteventually catch up with the network but an adversary willprevent that from happeningAttack Procedure Analysis of Bitcoin nodes over a periodof days shows several times a day when a significant fractionof nodes are not up-to-date We report our findings in Figure 6In Figure 6 the x-axis denotes a time-index for networkobservations (one observation every 10 minutes in Figure 6(a)and Figure 6(b) and one every minute in Figure 6(c)) The y-axis is stacked meaning that curves are cumulative The greenpart shows nodes that are up-to-date the yellow part showsnodes that are 1 block behind and the purple part shows nodesthat are 2-4 blocks behind The remaining colors and theirdescriptions are in the figure

From Figure 6(a) we were able to make following obser-vations 1) Generally a majority of nodes (asymp 50) remainssynchronized on the blockchain state These nodes do not lagbehind in the main chain for a long duration 2) 10 nodes areforever behind the main blockchain They do not update theirblockchain and as such they have no benefit in the network3) 30-40 nodes in Bitcoin occasionally waver in terms oftheir view of the blockchain Possibly due to network latencyor consensus delay they lag behind the most recent block

To further study the distribution of consensus in the net-work we take a single day snapshot of the network to observeconsensus pruning among all nodes From the view of an

Synced Nodes

Behind Nodes

Attacker

Partitioned Blockchain

Fig 5 An illustration of the temporal attack The attacker establishes connections with nodes and identifies vulnerable nodes that have an outdated viewVulnerable nodes have have not been provided new blocks by surrounding peers which shows their weak relationshipconnectivity We annotate this weakrelationship with dotted lines The attacker feeds his copy of blocks to vulnerable nodes thereby partitioning the network into two conflicting chains

0 1000 2000 3000 4000 5000Complete View (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(a) General trend of the network

0 20 40 60 80 100 120 140One Day Snapshot (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(b) One day snapshot

0 50 100 150 200 250Data Points (One Minute Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(c) Consensus between block propaga-tion

Fig 6 Temporal consensus in Bitcoin network Y-axis denotes number of nodes in 1000 In each figure green region denotes the up-to-date blocks Yellowregion denotes 1 block behind Purple blue and magenta regions represent nodes that are 2ndash4 5ndash10 and ge 10 blocks behind respectively Figure 6(a) showsthe overall network Figure 6(b) shows a day (March 25) that offers greater attack opportunity and Figure 6(c) shows consensus pruning during 10 minutes

attacker with higher granularity there is a better vantage pointto attack a group of nodes Focusing on a single day shownin Figure 6(b) we observed that some yellow and purple spikesare larger and wider than others The height of a spike denotesthe count of nodes that are behind the updated nodes whilethe width indicates the length of time for which they remainbehind the updated nodes

From Figure 6(b) with a closer look at the network wemade the following observations 1) Consensus pruning is notuniform across the network 2) The most frequent delay amongthe blocks is 1 block indicated by yellow region followed2-4 blocks indicated by the purple region 3) On variousoccasions yellow and purple spikes can reach up to 7000nodes approximately 90 of the network can be partitionedif an attacker isolates them

In Bitcoin on average a block is published after every 10minutes Once a block is published ideally the network isexpected to be synchronized within 10 minutes before thenext block is computed However network synchronizationis an artifact of time and fairness of the network In theprevious two experiments we observed that with fine grainedsampling on a given day the attacker can isolate a group ofnodes which are behind the main chain To further analyzethis behavior we performed another experiment that involvedper-minute sampling of network Our objective was to observethe distribution of consensus among peers immediately afterbroadcast of one block and before the broadcast of the nextone We plot the results obtained from the third experimentin Figure 6(c) It can be observed in the figure that thereare vulnerable spots in the network in which up to 90 ofthe network is 1-4 blocks behind As such the non-uniformconsensus pruning presented itself as an attack opportunitywhereby an attacker can find a time window to isolate agroup of targeted nodes In Figure 6(c) the width of nodesthat are behind show the attack time window while the heightrepresents the number of vulnerable nodes

This becomes an optimization problem to find the momentwhere a majority of nodes is behind for the longest attack

TABLE VTHE MAXIMUM NUMBER OF VULNERABLE NODES

T (minutes) ge 1 block ge 2 blocks ge 5 blocks

5 6280(6267) 3206(3199) 966(968)10 1761(2713) 1189(1187) 955(953)15 1141(1139) 1083(1081) 952(1200)20 1109(1397) 1023(1576) 947(1193)25 1070(1068) 1013(1561) 942(940)30 1042(1039) 984(982) 942(939)40 1040(1037) 984(982) 940(938)70 1036(1034) 976(974) 929(927)

200 908(908) 887(882) 821(816)

window The attackerrsquos timing constraints include the time tocalculate false blocks and establish connections to vulnerablenodes Hence to identify vulnerable nodes we formulate thetemporal attack as an optimization model Given a timestampt and a timing constraint T find the maximum number ofvulnerable nodes whose lagging time L(t) is at least TLagging time L(t) of a node is defined as minimum timing forthis node to catch up to the main blockchain if it lags behindat t The objectives of this formulation are as follows 1) Byidentifying maximum nodes that were lagging concurrentlyattacker could isolate them and mislead them with false blocks2) By investigating all possible timestamps an attacker couldfind an optimal time to attack those nodes

We identify nodes whose historical behaviors show theirvulnerability to temporal attacks and record their resultsin Table V Note that at any time the total number of nodesin Bitcoin fluctuates between 8kndash13k For any time windowwe are interested in finding the maximum percentage ofvulnerable nodes for that window As such the normalizationparameter represented by the total number of nodes at thattime may change which results in an increasing percentagefor a decreasing number of nodes in Table V For instancefor 6280 nodes the total number of nodes was 10020 whichis about 6267 On the other hand for 908 nodes the totalnumber of nodes was 10000 which approximates to 908We tested with a variety of timing constraints T and presentthe results that best suit the attacker The first column showsdifferent T values the secondthirdforth columns show the

maximum number of nodes that lag behind main chain for atleast 125 blocks respectively The decreasing of maximumnumber of nodes along with the increasing of timing con-straint shows the fact that the longer time it takes to implementan attack the fewer choice of vulnerable nodes is availableWe noticed that there were moments in which a majority ofnodes in the network (ge 50) was at least 1 block behind formore than 5 minutes and up to 20 nodes lagged behind themain chain for more than 15 minutes

With this information we perform a theoretical analysison the timing threshold T that is suitable for the attacker toisolate a targeted set of m nodes We assume the attackerwants to isolate m nodes which requires the attacker to createconnections to these nodes and feed them its own versionof block We model the required timing for this process asan exponential distribution by rate λ In 2015 the Bitcoincommunity switched from a traditional gossip-style protocolknown as trickle spreading to diffusion spreading in which theinformation propagates with independent exponential delaysThis method of modeling Bitcoin connections has been usedin prior work as well by Fanti et al [24] Using that thetiming of the attacker to connect to a node is

f(t) = λeminusλt F (t) = 1minus eminusλt (1)

where f(middot) F (middot) are probability density and cumulative dis-tribution functions Given timing assigned to isolate m nodesis T = (t1 tm) The probability that an attacker isolates mnodes under T derived from Cauchy inequality theorem is

ρ(T ) =mprodi=1

(1minus eminusλti) le(1minus

summi=1 e

minusλti

m

)m(2)

Theorem 1 (Cauchy Theorem) Let x1 x2 xn are n non-negative numbers then

nprodi=1

xi le(sumn

i=1 xin

)nlesumni=1 x

ni

n(3)

Both equalities occur if and only if x1 = x2 = = xnNow consider a timing constraint T in which the attacker

wants to isolate all m nodes This means that the timingassignment T should satisfy

summi=1 ti le T So

ρ(T ) le (1minus eminus λm T)m (4)

With timing constraint T the attacker will have at most(Tm

)choices for timing assignment T By union bound the

probability p to isolate m nodes within T is bounded by

p le b(m T) =

(T

m

)(1minus eminus λ

m T)m (5)

Given m b() is monotonically increasing by T Thereforegiven a successful probability p we can infer a lower boundof T by binary bisection We experiment with the relationshipamong values of m T and λ We set the targeted successfulrate of attacker p as 08 and test it with various values ofλ The results are recorded in table VI Column labels showdifferent values of m nodes that the attacker aims to isolateand row labels show values of λ Values in each cell denotethe bound of T such that within this bound the attacker canisolate m nodes under delay rate λ with probability of at least08 For example with λ = 08 and m = 500 it would takeonly 589 seconds (approximately 10 minutes) to isolate all m

TABLE VIMINIMUM TIMING CONSTRAINT T (SECONDS) TO ISOLATE m NODES

UNDER THE GIVEN RATE λ

λm

100 300 500 800 1000 1200 1500

04 142 424 705 1127 1610 2313 351705 133 397 661 1057 1320 1851 281406 127 379 630 1007 1258 1545 234507 122 365 607 970 1213 1455 201008 119 354 589 942 1177 1412 176509 116 346 575 920 1149 1379 1723

nodes with probability at least 08 500 is much smaller thannumber of vulnerable nodes in 10 minutes timing constraint(from table Table VI there can be 1761 vulnerable nodeswithin T = 10 minutes) Therefore we conclude that Bitcoinis highly vulnerable to temporal attacksSimulation and Attack Validation To validate the insightsobtained from our data and theoretical analysis we developeda simulation model in R to test temporal attacks The simulatorwas tested in base simulation scenarios such as zero and per-fect communication among nodes As an internal error checkand to make the simulation more realistic each simulated nodemaintains a 64-bit MD5 hash linked chain of values updated toits current fork By adjusting parameters the simulation wascapable of accurately representing the state of the network aswe observed in our dataset

The default number of Bitcoin peers is 8 which is used inour simulation Studies have shown that peers are distributedand can be associated with any AS [23] Our experimentaldata confirmed this distribution Following this the peerswere evenly distributed in terms of communication errors andlatency Peer communication failure rate is represented by amodel parameter typically around 10 percent failures Thelatency is represented by the number of communication timesteps per simulation block This is scaled according to thesimulation size Each time step represents one peer-to-peercommunication attempt for each node

The simulation was used to model information flow throughthe network under different attack scenarios A network of10000 nodes can be simulated using a square grid of size 100We ran simulations using the entire network For clarity a gridof size 25 (116 of the active nodes) is shown in the figuresThis grid ran faster is easier to read and well simulated exper-imental results Using different scaled network simulations wediscovered that the upper limit of Decker and Wattenhoferrsquosnode propagation delay Tdelay can be expressed as a ratio ofthe block interval divided by the network diameter Taking theinverse of this ratio we arrive at a non-dimensional parameterthe span ratio representing how many times information cantravel from one side of the Bitcoin network to the other duringthe block interval Assuming a square grid network diameter isproportional to the square root of the number of nodes A givenspan ratio Rspan with the Bitcoin block interval Tblock thusyields a maximum propagation delay to maintain the state of anetwork of N nodes Tdelay = Tblock(Rspan lowastN05) As theBitcoin network grows a smaller propagation delay is requiredto synchronize peers Specifically Tdelay is inversely related tothe square root of the number of nodes The maximum valueof Rspan in simulation was 20 corresponding to a 3 secondinterval per peer communication in the actual network of10000 nodes With reasonable values for the communicationfailure such a small time step resulted in a network that wasfully updated between blocks Therefore Rspan = 20 is agood target for blockchain synchronization

(a) Time Step 151 (b) Time Step 201 (c) Time Step 251

Fig 7 Simulation of temporal attack Figure 7(a) shows fork B emerging at node [77] Compare the color distribution to the peaks of Figure 6(c) aboveTwo blocks later in Figure 7(b) fork B has control of 16 of the nodes In Figure 7(c) the longer chain A overwhelms fork B but has lost synchronizationso cannot prevent emergence of a new fork C

Figure 7 shows a sample of results obtained from simula-tion where the attacker has 30 of the network hash rateOnce a portion of the network is isolated it can be sustainedwith successive forks since the isolated nodes naturally as-sume that block delays are due to network issues As suchthey do not know that new blocks are taking more time tocalculate due to the lower hash rate of the attacker Meanwhilethe main chain loses some of its hash rate and is thereforeless capable of responding Note that the cost of launching atemporal attack is much less than the spatial attack providedthat the attacker has the consistent view of the network asshown in Figure 6Implications Even a short term fork in the network wouldcause sufficient disruption to invalidate transactions Suchan attack is likely to result in significant loss to networkstakeholders Quantifying the impact of adverse events onBitcoin has been inconclusive [25][20] and is dependent uponuser perception [43] However once the targeted nodes areisolated as shown in Figure 5 the soft fork will create atemporary partition in the network The isolated nodes willbe following a counterfeit blockchain with different transac-tions from the main chain Therefore when nodes recoverfrom the fork the attackerrsquos blocks will be rejected and alltransactions belonging to legitimate users in those blocks willalso be reversed This will require a major update on the setof all UTXOrsquos at each node and a system-wide check onthe transactions being reversed Standing out in our analysisis the observation that Bitcoin has a level of asymmetricvulnerability With a market capitalization of o(1011) USD andnetwork configuration of o(104) nodes each full node is wortho(107) USD However the cost of disrupting the network isfar less than the value being impacted which makes Bitcoinan economically attractive target for temporal attacks

C Spatio-temporal PartitioningIn this section we analyze how an attacker can make use

of spatial and temporal distribution of nodes over time tofind vulnerable spots in the network through which he caneffectively isolate a group of nodes From our data analysiswe found the feasibility and cost of this attack compared tospatial and temporal partitioning Saptio-temporal analysis alsoprovides insights into the general behavior of nodes within anAS or an organization Therefore it is intuitive to investigatethe attributes of the overall topology of Bitcoin network inrelation to the ASes and organizationsAttack Objectives In this attack the aim of the adversaryis to split the network based on the networkrsquos vulnerability toboth the spatial and temporal partitioning As shown in Fig-ure 6(a) and Figure 6(b) the purple and yellow nodes are

vulnerable to temporal attacks However the attacker cannotlaunch the same attack on nodes lying in the green region(synced nodes) since they are up-to-date and will reject a falseblock These nodes can still be partitioned based on the BGPattack presented in spatial partitioning A combined effect ofboth attacks will be an optimized and targeted attack that willaffect the entire Bitcoin network

It is worth mentioning that for a BGP attack on nodes withinthe green region the attacker does not have to isolate all targetnodes Since these up-to-date nodes are connected with eachother therefore an attack on a subset of nodes can have acascade effect thereby compromising all other nodesAttack Procedure and Validation For a successful attackthe attacker will need information about the ASes and or-ganizations of the synced nodes as well as nodes that arebehind The feasibility of this attack depends on the adversarialcapabilities of the attacker To analyze that we elaborate thenetwork behavior from Figure 6(b) in Figure 8(a) The greenline indicates the number of nodes that are synced whileyellow and purple lines show nodes that are 1 block and 2ndash4blocks behind respectively

Per our threat model if the attacker is an AS it will preferto hijack BGP prefixes to damage Bitcoin As such it willprefer maximum nodes in the green region and minimumnodes in yellow and purple region to maximize the attackseverity If the attacker is a mining pool then it will launcha temporal attack and will prefer minimum nodes in greenregion and maximum nodes in other regions However ifthe attacker is a cloud service provider that has both routingand mining capabilities then it can launch both spatial andtemporal attacks Therefore the key aspect of spatio-temporalattack is that it is adjustable to the capabilities of an attacker

Although multiple attack scenarios and case studies canbe drawn for spatio-temporal partitioning but in the interestof space we illustrate one case study From our simulationswe observed that the temporal partitioning forks the networkat a faster rate than spatial attacks Therefore we assume acase in which cloud provider waits for minimum number ofsynced nodes and launches a spatio-temporal attack As seenin Figure 8(a) at two instances the number of synced nodesfalls as low as 3000 while the number of nodes that are 2ndash4 blocks behind go as high as 6000 nodes This can serveas an ideal attack opportunity to launch the spatio-temporalattack To isolate synced nodes the attacker needs to haveinformation about their ASes To analyze that we gatheredinformation about synced nodes and their corresponding ASesand organizations In Table VII we enlist the top 5 ASes andorganizations that hosted most synced nodes in Figure 8(a)

0

2000

4000

6000

8000

10000

12000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

Synced Nodes1 Block Behind

2-4 Block Behind

(a) One day snapshot

0

200

400

600

800

1000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS4134

AS24940

(b) Top 1-2 synced nodes ASes

0

100

200

300

400

500

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS16276

AS16509

AS14061

(c) Top 3-5 synced nodes ASesFig 8 Spatial and temporal distribution of nodes for the day defined in Figure 6(b) For the synced nodes in Figure 8(a) we outline their distribution acrosstop five ASes in Figure 8(b) and Figure 8(c) On average AS4134 hosts most of the nodes

TABLE VIITOP 5 ASES THAT HOSTED ALL THE SYNCHRONIZED NODES

IN FIGURE 6(B) FOR 24 HOURS

AS Organization Nodes PercentageAS4134 No31 Jin-rong 993 957AS24940 Hetzner Online 830 798AS16276 OVH SAS 530 522AS16509 Amazoncom 417 419AS14061 DigitalOcean 332 323

We observed that 28 of synced nodes are hosted withinthe top 5 ASes We plot their hosting pattern over a full dayin Figure 8(b) and Figure 8(c) The cloud provider can spatiallyattack synced nodes by hijacking five ASes and temporallyattack the remaining nodesImplications Spatio-temporal attack is an optimized andtargeted attack that provides multiple attack opportunities to astrong adversary to take down the network with minimal effortAs demonstrated by our results in Figure 8 at a given timemore than 50 of nodes can be behind the main blockchainand vulnerable to temporal attacks Moreover at the sametime the remaining synced nodes can be attacked by hijackingBGP prefixes of their hosting ASes and organizations Theattacker can select a suitable trade-off between the laggingnodes and synced nodes based on the attackerrsquos capabilitiesand disrupt the network For a successful attack on syncednodes the attacker may just have to isolate a small number ofnodes that relay blocks to each other and due to the cascadeeffect remaining nodes will eventually collapse As such ifthe number of full nodes is small in a cryptocurrency suchas Bitcoin Cash or Litecoin the attacker can compromise theentire cryptocurrency by affecting the flow of valuable dataincluding transactions and blocks

D Logical Partitioning

The Bitcoin network is actuated by communication amongpeers each of which is a full node running software thatconforms to a protocol The protocol is defined by an opensource software project Bitcoin Core initially published bySatoshi Nakamoto on January 9 2009 [12] Since 2009 therehave been over 40 updates to Bitcoin Core with the latestv0160 released in February 2018 New versions build uponprevious ones with improved security performance and func-tionality Since the Bitcoin network is open to any client thatsatisfies the network protocol peers can run modified softwareOptional features such as SegWit [1] are implemented in thisway compatible with Bitcoin Core

Table VIII shows the distribution of Bitcoin software at thetime of our data collection along with their release date andpercentage of users We observed that 288 Bitcoin softwarevariants are used by full nodes The latest version of Bitcoin

TABLE VIIITOP 5 SOFTWARE VERSIONS USED BY BITCOIN FULL NODES ALONG WITH

THEIR RELEASE DATE LAG FROM THE DATE OF COLLECTION IN DAYSAND PERCENTAGE OF USERS

Index Version Release Date Lag Users 1 B Core v0160 02-26-2018 59 36282 B Core v0151 11-11-2017 166 27523 B Core v01501 09-19-2017 219 5014 B Core v0142 06-17-2017 313 4675 B Core v0150 04-22-2017 369 205

Core 0160 is used by only 36 of the nodes while 27use version 0151 The remaining 37 of the network uses286 different software clientsAttack Objectives The objective of the attacker would be togain the confidence of full nodes Changes may be subtle andnot perceived as threats Diverse incentives may be employedfor adoption In our scenario the attackerrsquos influence overthe software would be sufficient to optimize and magnify theeffects of the attackAttack Procedure Peer ldquodemocracyrdquo in software selectionhas served well but is vulnerable to attacks Over time amodified software variant might gain popularity by offeringbetter performance and features One example is Falcona custom Bitcoin client run by 10 nodes Falcon providesfaster connectivity and minimum delay during transactionpropagation [55] Falcon is not malicious but it demonstratesthe independence of peers to run a client that is not part ofBitcoin Core A hypothetical client that economizes the costof running a full node might gain general acceptance whileat the same time reducing the cost of controlling a significantportion of the network

In a more subtle scenario a malicious entity with cooperat-ing peers could modify the Bitcoin Core software after down-load The modifications may be surreptitious or proclaimedto be enhancements Nodes influenced by the attacker wouldseem normal but would be used to facilitate an attack Asimple example of permissible client modification would beto increase the number of peer connections [11] and help thespread of malicious blocks

In either case the software would provide a platform toenhance the partitioning attack During the attack modifiedclients could steal bitcoins from connected wallets isolatepeers from the network propagate false information in thenetwork and cause DoS attacks on neighboring peers Tofurther analyze vulnerabilities associated with Bitcoin softwareclients we mapped known client versions to the NationalVulnerability Database (NVD) From NVD we obtained 36reported vulnerabilities along with the vulnerability ID thepublishing date and the CVSS severity For instance avulnerability with ID CVE-2018-17144 shows that Bitcoinclients are vulnerable to a remote denial-of-service attack via

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

TABLE IVTOP 5 MINING POOLS PER HASH RATE ASES AND ORGANIZATIONS657 MINING DATA GOES THROUGH ONLY THREE ORGANIZATIONSALIBABA HAS A VIEW OF AT LEAST 60 OF THE MINING DATA WE

EXCLUDE THE REMAINING 12 MINING POOLS FROM THE STUDY AS THEIRTOTAL CONTRIBUTION TO HASH RATE IS MINIMAL

Mining Pool H Rate ASes OrganizationsBTCcom 25 AS37963 Hangzhou Alibaba

AS45102 AliBaba (China)Antpool 124 AS45102 AliBaba (China)ViaBTC 117 AS45102 AliBaba (China)BTCTOP 103 AS45102 AliBaba (China)

F2Pool 63 AS45102 AliBaba (China)AS58563 Chinanet Hubei

12 others 343 mdash mdash

0

02

04

06

08

1

0 20 40 60 80 100 120 140 160

Fra

ction o

f N

odes H

ijacked

Number of BGP Hijacks

AS24940 (51 prefixes)AS16276 (104 prefixes)AS37963 (454 prefixes)

AS16509 (2969 prefixes)AS14061 (1430 prefixes)

Fig 4 CDF of top 5 ASes vulnerable to BGP attacks The key shows totalBGP prefixes announced by AS For 8 ASes 80 nodes can be isolated byhijacking 20 BGP prefixes

in 2014 a Canadian ISP hijacked prefixes of 19 organiza-tions hosting Bitcoin traffic including Amazon OVH DigitalOcean LeaseWeb and Alibaba [29] In 2017 alone 14000BGP attacks were launched against major ASes [46]

To validate the attack and its impact we selected the top5 ASes from Table II and enumerated the IP addresses offull nodes hosted by these ASes Next we grouped the IPaddresses based on the BGP prefixes announced by each ASWe then calculated the number of BGP prefixes required toisolate a percentage of full nodes hosted by the AS As a resulta group of full nodes sharing the same BGP prefix can allbe compromised if the BGP prefix is hijacked We report ourfindings in Figure 4 where we show that except for AS1650995 of full nodes in all other ASes are vulnerable oncefewer than 40 BGP prefixes are hijacked AS24940 whichhosts 1030 nodes can be compromised by hijacking only 15BGP prefixes while it takes more than 140 BGP prefixesto compromise AS16509 which hosts 609 nodes Taking thenumber of isolated nodes as an advantage and the number ofprefixes to be hijacked as an effort AS24940 will be morecostly with smaller advantage than AS16509Implications Spatial partitioning is detrimental to the Bitcoinnetwork as it facilitates other major attacks including double-spending attacks eclipse attacks and the 51 attack Asshown in Table IV if an attacker hijacks 3 ASes he can isolatemore than 60 of the Bitcoin hash power As Figure 4 showsthat by hijacking 15 BGP prefixes the attacker can cut 95traffic of AS24940 that hosts 1030 full nodes By isolating thehash power an attacker can cause delays in the block creationand the transaction confirmation

If the attacker is a mining pool with lower hash rate itcan launch the attack on competing mining pools and deprivethem of their mining rewards By isolating a majority of thenetworkrsquos hash power the attacker can launch the 51 attackon Bitcoin which will grant him a permanent control overthe blockchain Furthermore in peer-to-peer settings nodesare responsible to relay blocks and transactions to each other

By hijacking a subset of nodes the attacker can introduce acascade effect in which propagation of blocks and transactionscan be stalled the attacker does not have to isolate all nodes byhijacking all BGP prefixes in an AS Isolating a major subsetof nodes can eclipse the entire AS

B Temporal PartitioningTemporal partitioning involves isolation of a group of nodes

in the network that are some blocks behind the rest of thenetwork As shown in Figure 1 three nodes have the mostupdated copy of the blockchain while nodes F3 and F4 are 1ndash2 blocks behind These nodes might be behind the main chaindue to a number of reasons such as the network latency a lowbandwidth software malfunctions or a malicious peer There-fore these nodes have an outdated view of the blockchainand remain vulnerable to partitioning attacks In Figure 5 weprovide an abstraction of the temporal attack that exploits thevulnerable nodes and introduces a soft fork in the networkAttack Objectives The objective of the temporal partitioningis the isolation and subversion of nodes or a group of nodeswithin the network Latency in updating the blockchain is awell known vulnerability of Bitcoin which is confirmed inour data Propagation delays are known to be key contributorstowards the latency [19] Propagation delays are influenced bythe number of hops between nodes due to sparse peering andthe time required by software clients to verify and forwarda block Solutions have been proposed that cluster nodesto reduce latency [49] [23] but the authors note this mayincrease the potential for partitioning attacks This indicatesa trade-off between spatial and temporal vulnerability Alsocontributing to the node latency are communication failuresand the behavior of nearby peers The adversary would seekto disrupt communication and control peers where the attackis launched It is inexpensive to setup new nodes on theBitcoin network for this purpose The adversary would wantto separate and control nodes which are not up to date withthe main network Under normal operation those nodes mighteventually catch up with the network but an adversary willprevent that from happeningAttack Procedure Analysis of Bitcoin nodes over a periodof days shows several times a day when a significant fractionof nodes are not up-to-date We report our findings in Figure 6In Figure 6 the x-axis denotes a time-index for networkobservations (one observation every 10 minutes in Figure 6(a)and Figure 6(b) and one every minute in Figure 6(c)) The y-axis is stacked meaning that curves are cumulative The greenpart shows nodes that are up-to-date the yellow part showsnodes that are 1 block behind and the purple part shows nodesthat are 2-4 blocks behind The remaining colors and theirdescriptions are in the figure

From Figure 6(a) we were able to make following obser-vations 1) Generally a majority of nodes (asymp 50) remainssynchronized on the blockchain state These nodes do not lagbehind in the main chain for a long duration 2) 10 nodes areforever behind the main blockchain They do not update theirblockchain and as such they have no benefit in the network3) 30-40 nodes in Bitcoin occasionally waver in terms oftheir view of the blockchain Possibly due to network latencyor consensus delay they lag behind the most recent block

To further study the distribution of consensus in the net-work we take a single day snapshot of the network to observeconsensus pruning among all nodes From the view of an

Synced Nodes

Behind Nodes

Attacker

Partitioned Blockchain

Fig 5 An illustration of the temporal attack The attacker establishes connections with nodes and identifies vulnerable nodes that have an outdated viewVulnerable nodes have have not been provided new blocks by surrounding peers which shows their weak relationshipconnectivity We annotate this weakrelationship with dotted lines The attacker feeds his copy of blocks to vulnerable nodes thereby partitioning the network into two conflicting chains

0 1000 2000 3000 4000 5000Complete View (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(a) General trend of the network

0 20 40 60 80 100 120 140One Day Snapshot (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(b) One day snapshot

0 50 100 150 200 250Data Points (One Minute Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(c) Consensus between block propaga-tion

Fig 6 Temporal consensus in Bitcoin network Y-axis denotes number of nodes in 1000 In each figure green region denotes the up-to-date blocks Yellowregion denotes 1 block behind Purple blue and magenta regions represent nodes that are 2ndash4 5ndash10 and ge 10 blocks behind respectively Figure 6(a) showsthe overall network Figure 6(b) shows a day (March 25) that offers greater attack opportunity and Figure 6(c) shows consensus pruning during 10 minutes

attacker with higher granularity there is a better vantage pointto attack a group of nodes Focusing on a single day shownin Figure 6(b) we observed that some yellow and purple spikesare larger and wider than others The height of a spike denotesthe count of nodes that are behind the updated nodes whilethe width indicates the length of time for which they remainbehind the updated nodes

From Figure 6(b) with a closer look at the network wemade the following observations 1) Consensus pruning is notuniform across the network 2) The most frequent delay amongthe blocks is 1 block indicated by yellow region followed2-4 blocks indicated by the purple region 3) On variousoccasions yellow and purple spikes can reach up to 7000nodes approximately 90 of the network can be partitionedif an attacker isolates them

In Bitcoin on average a block is published after every 10minutes Once a block is published ideally the network isexpected to be synchronized within 10 minutes before thenext block is computed However network synchronizationis an artifact of time and fairness of the network In theprevious two experiments we observed that with fine grainedsampling on a given day the attacker can isolate a group ofnodes which are behind the main chain To further analyzethis behavior we performed another experiment that involvedper-minute sampling of network Our objective was to observethe distribution of consensus among peers immediately afterbroadcast of one block and before the broadcast of the nextone We plot the results obtained from the third experimentin Figure 6(c) It can be observed in the figure that thereare vulnerable spots in the network in which up to 90 ofthe network is 1-4 blocks behind As such the non-uniformconsensus pruning presented itself as an attack opportunitywhereby an attacker can find a time window to isolate agroup of targeted nodes In Figure 6(c) the width of nodesthat are behind show the attack time window while the heightrepresents the number of vulnerable nodes

This becomes an optimization problem to find the momentwhere a majority of nodes is behind for the longest attack

TABLE VTHE MAXIMUM NUMBER OF VULNERABLE NODES

T (minutes) ge 1 block ge 2 blocks ge 5 blocks

5 6280(6267) 3206(3199) 966(968)10 1761(2713) 1189(1187) 955(953)15 1141(1139) 1083(1081) 952(1200)20 1109(1397) 1023(1576) 947(1193)25 1070(1068) 1013(1561) 942(940)30 1042(1039) 984(982) 942(939)40 1040(1037) 984(982) 940(938)70 1036(1034) 976(974) 929(927)

200 908(908) 887(882) 821(816)

window The attackerrsquos timing constraints include the time tocalculate false blocks and establish connections to vulnerablenodes Hence to identify vulnerable nodes we formulate thetemporal attack as an optimization model Given a timestampt and a timing constraint T find the maximum number ofvulnerable nodes whose lagging time L(t) is at least TLagging time L(t) of a node is defined as minimum timing forthis node to catch up to the main blockchain if it lags behindat t The objectives of this formulation are as follows 1) Byidentifying maximum nodes that were lagging concurrentlyattacker could isolate them and mislead them with false blocks2) By investigating all possible timestamps an attacker couldfind an optimal time to attack those nodes

We identify nodes whose historical behaviors show theirvulnerability to temporal attacks and record their resultsin Table V Note that at any time the total number of nodesin Bitcoin fluctuates between 8kndash13k For any time windowwe are interested in finding the maximum percentage ofvulnerable nodes for that window As such the normalizationparameter represented by the total number of nodes at thattime may change which results in an increasing percentagefor a decreasing number of nodes in Table V For instancefor 6280 nodes the total number of nodes was 10020 whichis about 6267 On the other hand for 908 nodes the totalnumber of nodes was 10000 which approximates to 908We tested with a variety of timing constraints T and presentthe results that best suit the attacker The first column showsdifferent T values the secondthirdforth columns show the

maximum number of nodes that lag behind main chain for atleast 125 blocks respectively The decreasing of maximumnumber of nodes along with the increasing of timing con-straint shows the fact that the longer time it takes to implementan attack the fewer choice of vulnerable nodes is availableWe noticed that there were moments in which a majority ofnodes in the network (ge 50) was at least 1 block behind formore than 5 minutes and up to 20 nodes lagged behind themain chain for more than 15 minutes

With this information we perform a theoretical analysison the timing threshold T that is suitable for the attacker toisolate a targeted set of m nodes We assume the attackerwants to isolate m nodes which requires the attacker to createconnections to these nodes and feed them its own versionof block We model the required timing for this process asan exponential distribution by rate λ In 2015 the Bitcoincommunity switched from a traditional gossip-style protocolknown as trickle spreading to diffusion spreading in which theinformation propagates with independent exponential delaysThis method of modeling Bitcoin connections has been usedin prior work as well by Fanti et al [24] Using that thetiming of the attacker to connect to a node is

f(t) = λeminusλt F (t) = 1minus eminusλt (1)

where f(middot) F (middot) are probability density and cumulative dis-tribution functions Given timing assigned to isolate m nodesis T = (t1 tm) The probability that an attacker isolates mnodes under T derived from Cauchy inequality theorem is

ρ(T ) =mprodi=1

(1minus eminusλti) le(1minus

summi=1 e

minusλti

m

)m(2)

Theorem 1 (Cauchy Theorem) Let x1 x2 xn are n non-negative numbers then

nprodi=1

xi le(sumn

i=1 xin

)nlesumni=1 x

ni

n(3)

Both equalities occur if and only if x1 = x2 = = xnNow consider a timing constraint T in which the attacker

wants to isolate all m nodes This means that the timingassignment T should satisfy

summi=1 ti le T So

ρ(T ) le (1minus eminus λm T)m (4)

With timing constraint T the attacker will have at most(Tm

)choices for timing assignment T By union bound the

probability p to isolate m nodes within T is bounded by

p le b(m T) =

(T

m

)(1minus eminus λ

m T)m (5)

Given m b() is monotonically increasing by T Thereforegiven a successful probability p we can infer a lower boundof T by binary bisection We experiment with the relationshipamong values of m T and λ We set the targeted successfulrate of attacker p as 08 and test it with various values ofλ The results are recorded in table VI Column labels showdifferent values of m nodes that the attacker aims to isolateand row labels show values of λ Values in each cell denotethe bound of T such that within this bound the attacker canisolate m nodes under delay rate λ with probability of at least08 For example with λ = 08 and m = 500 it would takeonly 589 seconds (approximately 10 minutes) to isolate all m

TABLE VIMINIMUM TIMING CONSTRAINT T (SECONDS) TO ISOLATE m NODES

UNDER THE GIVEN RATE λ

λm

100 300 500 800 1000 1200 1500

04 142 424 705 1127 1610 2313 351705 133 397 661 1057 1320 1851 281406 127 379 630 1007 1258 1545 234507 122 365 607 970 1213 1455 201008 119 354 589 942 1177 1412 176509 116 346 575 920 1149 1379 1723

nodes with probability at least 08 500 is much smaller thannumber of vulnerable nodes in 10 minutes timing constraint(from table Table VI there can be 1761 vulnerable nodeswithin T = 10 minutes) Therefore we conclude that Bitcoinis highly vulnerable to temporal attacksSimulation and Attack Validation To validate the insightsobtained from our data and theoretical analysis we developeda simulation model in R to test temporal attacks The simulatorwas tested in base simulation scenarios such as zero and per-fect communication among nodes As an internal error checkand to make the simulation more realistic each simulated nodemaintains a 64-bit MD5 hash linked chain of values updated toits current fork By adjusting parameters the simulation wascapable of accurately representing the state of the network aswe observed in our dataset

The default number of Bitcoin peers is 8 which is used inour simulation Studies have shown that peers are distributedand can be associated with any AS [23] Our experimentaldata confirmed this distribution Following this the peerswere evenly distributed in terms of communication errors andlatency Peer communication failure rate is represented by amodel parameter typically around 10 percent failures Thelatency is represented by the number of communication timesteps per simulation block This is scaled according to thesimulation size Each time step represents one peer-to-peercommunication attempt for each node

The simulation was used to model information flow throughthe network under different attack scenarios A network of10000 nodes can be simulated using a square grid of size 100We ran simulations using the entire network For clarity a gridof size 25 (116 of the active nodes) is shown in the figuresThis grid ran faster is easier to read and well simulated exper-imental results Using different scaled network simulations wediscovered that the upper limit of Decker and Wattenhoferrsquosnode propagation delay Tdelay can be expressed as a ratio ofthe block interval divided by the network diameter Taking theinverse of this ratio we arrive at a non-dimensional parameterthe span ratio representing how many times information cantravel from one side of the Bitcoin network to the other duringthe block interval Assuming a square grid network diameter isproportional to the square root of the number of nodes A givenspan ratio Rspan with the Bitcoin block interval Tblock thusyields a maximum propagation delay to maintain the state of anetwork of N nodes Tdelay = Tblock(Rspan lowastN05) As theBitcoin network grows a smaller propagation delay is requiredto synchronize peers Specifically Tdelay is inversely related tothe square root of the number of nodes The maximum valueof Rspan in simulation was 20 corresponding to a 3 secondinterval per peer communication in the actual network of10000 nodes With reasonable values for the communicationfailure such a small time step resulted in a network that wasfully updated between blocks Therefore Rspan = 20 is agood target for blockchain synchronization

(a) Time Step 151 (b) Time Step 201 (c) Time Step 251

Fig 7 Simulation of temporal attack Figure 7(a) shows fork B emerging at node [77] Compare the color distribution to the peaks of Figure 6(c) aboveTwo blocks later in Figure 7(b) fork B has control of 16 of the nodes In Figure 7(c) the longer chain A overwhelms fork B but has lost synchronizationso cannot prevent emergence of a new fork C

Figure 7 shows a sample of results obtained from simula-tion where the attacker has 30 of the network hash rateOnce a portion of the network is isolated it can be sustainedwith successive forks since the isolated nodes naturally as-sume that block delays are due to network issues As suchthey do not know that new blocks are taking more time tocalculate due to the lower hash rate of the attacker Meanwhilethe main chain loses some of its hash rate and is thereforeless capable of responding Note that the cost of launching atemporal attack is much less than the spatial attack providedthat the attacker has the consistent view of the network asshown in Figure 6Implications Even a short term fork in the network wouldcause sufficient disruption to invalidate transactions Suchan attack is likely to result in significant loss to networkstakeholders Quantifying the impact of adverse events onBitcoin has been inconclusive [25][20] and is dependent uponuser perception [43] However once the targeted nodes areisolated as shown in Figure 5 the soft fork will create atemporary partition in the network The isolated nodes willbe following a counterfeit blockchain with different transac-tions from the main chain Therefore when nodes recoverfrom the fork the attackerrsquos blocks will be rejected and alltransactions belonging to legitimate users in those blocks willalso be reversed This will require a major update on the setof all UTXOrsquos at each node and a system-wide check onthe transactions being reversed Standing out in our analysisis the observation that Bitcoin has a level of asymmetricvulnerability With a market capitalization of o(1011) USD andnetwork configuration of o(104) nodes each full node is wortho(107) USD However the cost of disrupting the network isfar less than the value being impacted which makes Bitcoinan economically attractive target for temporal attacks

C Spatio-temporal PartitioningIn this section we analyze how an attacker can make use

of spatial and temporal distribution of nodes over time tofind vulnerable spots in the network through which he caneffectively isolate a group of nodes From our data analysiswe found the feasibility and cost of this attack compared tospatial and temporal partitioning Saptio-temporal analysis alsoprovides insights into the general behavior of nodes within anAS or an organization Therefore it is intuitive to investigatethe attributes of the overall topology of Bitcoin network inrelation to the ASes and organizationsAttack Objectives In this attack the aim of the adversaryis to split the network based on the networkrsquos vulnerability toboth the spatial and temporal partitioning As shown in Fig-ure 6(a) and Figure 6(b) the purple and yellow nodes are

vulnerable to temporal attacks However the attacker cannotlaunch the same attack on nodes lying in the green region(synced nodes) since they are up-to-date and will reject a falseblock These nodes can still be partitioned based on the BGPattack presented in spatial partitioning A combined effect ofboth attacks will be an optimized and targeted attack that willaffect the entire Bitcoin network

It is worth mentioning that for a BGP attack on nodes withinthe green region the attacker does not have to isolate all targetnodes Since these up-to-date nodes are connected with eachother therefore an attack on a subset of nodes can have acascade effect thereby compromising all other nodesAttack Procedure and Validation For a successful attackthe attacker will need information about the ASes and or-ganizations of the synced nodes as well as nodes that arebehind The feasibility of this attack depends on the adversarialcapabilities of the attacker To analyze that we elaborate thenetwork behavior from Figure 6(b) in Figure 8(a) The greenline indicates the number of nodes that are synced whileyellow and purple lines show nodes that are 1 block and 2ndash4blocks behind respectively

Per our threat model if the attacker is an AS it will preferto hijack BGP prefixes to damage Bitcoin As such it willprefer maximum nodes in the green region and minimumnodes in yellow and purple region to maximize the attackseverity If the attacker is a mining pool then it will launcha temporal attack and will prefer minimum nodes in greenregion and maximum nodes in other regions However ifthe attacker is a cloud service provider that has both routingand mining capabilities then it can launch both spatial andtemporal attacks Therefore the key aspect of spatio-temporalattack is that it is adjustable to the capabilities of an attacker

Although multiple attack scenarios and case studies canbe drawn for spatio-temporal partitioning but in the interestof space we illustrate one case study From our simulationswe observed that the temporal partitioning forks the networkat a faster rate than spatial attacks Therefore we assume acase in which cloud provider waits for minimum number ofsynced nodes and launches a spatio-temporal attack As seenin Figure 8(a) at two instances the number of synced nodesfalls as low as 3000 while the number of nodes that are 2ndash4 blocks behind go as high as 6000 nodes This can serveas an ideal attack opportunity to launch the spatio-temporalattack To isolate synced nodes the attacker needs to haveinformation about their ASes To analyze that we gatheredinformation about synced nodes and their corresponding ASesand organizations In Table VII we enlist the top 5 ASes andorganizations that hosted most synced nodes in Figure 8(a)

0

2000

4000

6000

8000

10000

12000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

Synced Nodes1 Block Behind

2-4 Block Behind

(a) One day snapshot

0

200

400

600

800

1000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS4134

AS24940

(b) Top 1-2 synced nodes ASes

0

100

200

300

400

500

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS16276

AS16509

AS14061

(c) Top 3-5 synced nodes ASesFig 8 Spatial and temporal distribution of nodes for the day defined in Figure 6(b) For the synced nodes in Figure 8(a) we outline their distribution acrosstop five ASes in Figure 8(b) and Figure 8(c) On average AS4134 hosts most of the nodes

TABLE VIITOP 5 ASES THAT HOSTED ALL THE SYNCHRONIZED NODES

IN FIGURE 6(B) FOR 24 HOURS

AS Organization Nodes PercentageAS4134 No31 Jin-rong 993 957AS24940 Hetzner Online 830 798AS16276 OVH SAS 530 522AS16509 Amazoncom 417 419AS14061 DigitalOcean 332 323

We observed that 28 of synced nodes are hosted withinthe top 5 ASes We plot their hosting pattern over a full dayin Figure 8(b) and Figure 8(c) The cloud provider can spatiallyattack synced nodes by hijacking five ASes and temporallyattack the remaining nodesImplications Spatio-temporal attack is an optimized andtargeted attack that provides multiple attack opportunities to astrong adversary to take down the network with minimal effortAs demonstrated by our results in Figure 8 at a given timemore than 50 of nodes can be behind the main blockchainand vulnerable to temporal attacks Moreover at the sametime the remaining synced nodes can be attacked by hijackingBGP prefixes of their hosting ASes and organizations Theattacker can select a suitable trade-off between the laggingnodes and synced nodes based on the attackerrsquos capabilitiesand disrupt the network For a successful attack on syncednodes the attacker may just have to isolate a small number ofnodes that relay blocks to each other and due to the cascadeeffect remaining nodes will eventually collapse As such ifthe number of full nodes is small in a cryptocurrency suchas Bitcoin Cash or Litecoin the attacker can compromise theentire cryptocurrency by affecting the flow of valuable dataincluding transactions and blocks

D Logical Partitioning

The Bitcoin network is actuated by communication amongpeers each of which is a full node running software thatconforms to a protocol The protocol is defined by an opensource software project Bitcoin Core initially published bySatoshi Nakamoto on January 9 2009 [12] Since 2009 therehave been over 40 updates to Bitcoin Core with the latestv0160 released in February 2018 New versions build uponprevious ones with improved security performance and func-tionality Since the Bitcoin network is open to any client thatsatisfies the network protocol peers can run modified softwareOptional features such as SegWit [1] are implemented in thisway compatible with Bitcoin Core

Table VIII shows the distribution of Bitcoin software at thetime of our data collection along with their release date andpercentage of users We observed that 288 Bitcoin softwarevariants are used by full nodes The latest version of Bitcoin

TABLE VIIITOP 5 SOFTWARE VERSIONS USED BY BITCOIN FULL NODES ALONG WITH

THEIR RELEASE DATE LAG FROM THE DATE OF COLLECTION IN DAYSAND PERCENTAGE OF USERS

Index Version Release Date Lag Users 1 B Core v0160 02-26-2018 59 36282 B Core v0151 11-11-2017 166 27523 B Core v01501 09-19-2017 219 5014 B Core v0142 06-17-2017 313 4675 B Core v0150 04-22-2017 369 205

Core 0160 is used by only 36 of the nodes while 27use version 0151 The remaining 37 of the network uses286 different software clientsAttack Objectives The objective of the attacker would be togain the confidence of full nodes Changes may be subtle andnot perceived as threats Diverse incentives may be employedfor adoption In our scenario the attackerrsquos influence overthe software would be sufficient to optimize and magnify theeffects of the attackAttack Procedure Peer ldquodemocracyrdquo in software selectionhas served well but is vulnerable to attacks Over time amodified software variant might gain popularity by offeringbetter performance and features One example is Falcona custom Bitcoin client run by 10 nodes Falcon providesfaster connectivity and minimum delay during transactionpropagation [55] Falcon is not malicious but it demonstratesthe independence of peers to run a client that is not part ofBitcoin Core A hypothetical client that economizes the costof running a full node might gain general acceptance whileat the same time reducing the cost of controlling a significantportion of the network

In a more subtle scenario a malicious entity with cooperat-ing peers could modify the Bitcoin Core software after down-load The modifications may be surreptitious or proclaimedto be enhancements Nodes influenced by the attacker wouldseem normal but would be used to facilitate an attack Asimple example of permissible client modification would beto increase the number of peer connections [11] and help thespread of malicious blocks

In either case the software would provide a platform toenhance the partitioning attack During the attack modifiedclients could steal bitcoins from connected wallets isolatepeers from the network propagate false information in thenetwork and cause DoS attacks on neighboring peers Tofurther analyze vulnerabilities associated with Bitcoin softwareclients we mapped known client versions to the NationalVulnerability Database (NVD) From NVD we obtained 36reported vulnerabilities along with the vulnerability ID thepublishing date and the CVSS severity For instance avulnerability with ID CVE-2018-17144 shows that Bitcoinclients are vulnerable to a remote denial-of-service attack via

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

Synced Nodes

Behind Nodes

Attacker

Partitioned Blockchain

Fig 5 An illustration of the temporal attack The attacker establishes connections with nodes and identifies vulnerable nodes that have an outdated viewVulnerable nodes have have not been provided new blocks by surrounding peers which shows their weak relationshipconnectivity We annotate this weakrelationship with dotted lines The attacker feeds his copy of blocks to vulnerable nodes thereby partitioning the network into two conflicting chains

0 1000 2000 3000 4000 5000Complete View (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(a) General trend of the network

0 20 40 60 80 100 120 140One Day Snapshot (10 Minutes Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(b) One day snapshot

0 50 100 150 200 250Data Points (One Minute Apart)

0

2

4

6

8

10

of

Nod

es (x

1000

)

gt10 5-10 2-4 1 0

(c) Consensus between block propaga-tion

Fig 6 Temporal consensus in Bitcoin network Y-axis denotes number of nodes in 1000 In each figure green region denotes the up-to-date blocks Yellowregion denotes 1 block behind Purple blue and magenta regions represent nodes that are 2ndash4 5ndash10 and ge 10 blocks behind respectively Figure 6(a) showsthe overall network Figure 6(b) shows a day (March 25) that offers greater attack opportunity and Figure 6(c) shows consensus pruning during 10 minutes

attacker with higher granularity there is a better vantage pointto attack a group of nodes Focusing on a single day shownin Figure 6(b) we observed that some yellow and purple spikesare larger and wider than others The height of a spike denotesthe count of nodes that are behind the updated nodes whilethe width indicates the length of time for which they remainbehind the updated nodes

From Figure 6(b) with a closer look at the network wemade the following observations 1) Consensus pruning is notuniform across the network 2) The most frequent delay amongthe blocks is 1 block indicated by yellow region followed2-4 blocks indicated by the purple region 3) On variousoccasions yellow and purple spikes can reach up to 7000nodes approximately 90 of the network can be partitionedif an attacker isolates them

In Bitcoin on average a block is published after every 10minutes Once a block is published ideally the network isexpected to be synchronized within 10 minutes before thenext block is computed However network synchronizationis an artifact of time and fairness of the network In theprevious two experiments we observed that with fine grainedsampling on a given day the attacker can isolate a group ofnodes which are behind the main chain To further analyzethis behavior we performed another experiment that involvedper-minute sampling of network Our objective was to observethe distribution of consensus among peers immediately afterbroadcast of one block and before the broadcast of the nextone We plot the results obtained from the third experimentin Figure 6(c) It can be observed in the figure that thereare vulnerable spots in the network in which up to 90 ofthe network is 1-4 blocks behind As such the non-uniformconsensus pruning presented itself as an attack opportunitywhereby an attacker can find a time window to isolate agroup of targeted nodes In Figure 6(c) the width of nodesthat are behind show the attack time window while the heightrepresents the number of vulnerable nodes

This becomes an optimization problem to find the momentwhere a majority of nodes is behind for the longest attack

TABLE VTHE MAXIMUM NUMBER OF VULNERABLE NODES

T (minutes) ge 1 block ge 2 blocks ge 5 blocks

5 6280(6267) 3206(3199) 966(968)10 1761(2713) 1189(1187) 955(953)15 1141(1139) 1083(1081) 952(1200)20 1109(1397) 1023(1576) 947(1193)25 1070(1068) 1013(1561) 942(940)30 1042(1039) 984(982) 942(939)40 1040(1037) 984(982) 940(938)70 1036(1034) 976(974) 929(927)

200 908(908) 887(882) 821(816)

window The attackerrsquos timing constraints include the time tocalculate false blocks and establish connections to vulnerablenodes Hence to identify vulnerable nodes we formulate thetemporal attack as an optimization model Given a timestampt and a timing constraint T find the maximum number ofvulnerable nodes whose lagging time L(t) is at least TLagging time L(t) of a node is defined as minimum timing forthis node to catch up to the main blockchain if it lags behindat t The objectives of this formulation are as follows 1) Byidentifying maximum nodes that were lagging concurrentlyattacker could isolate them and mislead them with false blocks2) By investigating all possible timestamps an attacker couldfind an optimal time to attack those nodes

We identify nodes whose historical behaviors show theirvulnerability to temporal attacks and record their resultsin Table V Note that at any time the total number of nodesin Bitcoin fluctuates between 8kndash13k For any time windowwe are interested in finding the maximum percentage ofvulnerable nodes for that window As such the normalizationparameter represented by the total number of nodes at thattime may change which results in an increasing percentagefor a decreasing number of nodes in Table V For instancefor 6280 nodes the total number of nodes was 10020 whichis about 6267 On the other hand for 908 nodes the totalnumber of nodes was 10000 which approximates to 908We tested with a variety of timing constraints T and presentthe results that best suit the attacker The first column showsdifferent T values the secondthirdforth columns show the

maximum number of nodes that lag behind main chain for atleast 125 blocks respectively The decreasing of maximumnumber of nodes along with the increasing of timing con-straint shows the fact that the longer time it takes to implementan attack the fewer choice of vulnerable nodes is availableWe noticed that there were moments in which a majority ofnodes in the network (ge 50) was at least 1 block behind formore than 5 minutes and up to 20 nodes lagged behind themain chain for more than 15 minutes

With this information we perform a theoretical analysison the timing threshold T that is suitable for the attacker toisolate a targeted set of m nodes We assume the attackerwants to isolate m nodes which requires the attacker to createconnections to these nodes and feed them its own versionof block We model the required timing for this process asan exponential distribution by rate λ In 2015 the Bitcoincommunity switched from a traditional gossip-style protocolknown as trickle spreading to diffusion spreading in which theinformation propagates with independent exponential delaysThis method of modeling Bitcoin connections has been usedin prior work as well by Fanti et al [24] Using that thetiming of the attacker to connect to a node is

f(t) = λeminusλt F (t) = 1minus eminusλt (1)

where f(middot) F (middot) are probability density and cumulative dis-tribution functions Given timing assigned to isolate m nodesis T = (t1 tm) The probability that an attacker isolates mnodes under T derived from Cauchy inequality theorem is

ρ(T ) =mprodi=1

(1minus eminusλti) le(1minus

summi=1 e

minusλti

m

)m(2)

Theorem 1 (Cauchy Theorem) Let x1 x2 xn are n non-negative numbers then

nprodi=1

xi le(sumn

i=1 xin

)nlesumni=1 x

ni

n(3)

Both equalities occur if and only if x1 = x2 = = xnNow consider a timing constraint T in which the attacker

wants to isolate all m nodes This means that the timingassignment T should satisfy

summi=1 ti le T So

ρ(T ) le (1minus eminus λm T)m (4)

With timing constraint T the attacker will have at most(Tm

)choices for timing assignment T By union bound the

probability p to isolate m nodes within T is bounded by

p le b(m T) =

(T

m

)(1minus eminus λ

m T)m (5)

Given m b() is monotonically increasing by T Thereforegiven a successful probability p we can infer a lower boundof T by binary bisection We experiment with the relationshipamong values of m T and λ We set the targeted successfulrate of attacker p as 08 and test it with various values ofλ The results are recorded in table VI Column labels showdifferent values of m nodes that the attacker aims to isolateand row labels show values of λ Values in each cell denotethe bound of T such that within this bound the attacker canisolate m nodes under delay rate λ with probability of at least08 For example with λ = 08 and m = 500 it would takeonly 589 seconds (approximately 10 minutes) to isolate all m

TABLE VIMINIMUM TIMING CONSTRAINT T (SECONDS) TO ISOLATE m NODES

UNDER THE GIVEN RATE λ

λm

100 300 500 800 1000 1200 1500

04 142 424 705 1127 1610 2313 351705 133 397 661 1057 1320 1851 281406 127 379 630 1007 1258 1545 234507 122 365 607 970 1213 1455 201008 119 354 589 942 1177 1412 176509 116 346 575 920 1149 1379 1723

nodes with probability at least 08 500 is much smaller thannumber of vulnerable nodes in 10 minutes timing constraint(from table Table VI there can be 1761 vulnerable nodeswithin T = 10 minutes) Therefore we conclude that Bitcoinis highly vulnerable to temporal attacksSimulation and Attack Validation To validate the insightsobtained from our data and theoretical analysis we developeda simulation model in R to test temporal attacks The simulatorwas tested in base simulation scenarios such as zero and per-fect communication among nodes As an internal error checkand to make the simulation more realistic each simulated nodemaintains a 64-bit MD5 hash linked chain of values updated toits current fork By adjusting parameters the simulation wascapable of accurately representing the state of the network aswe observed in our dataset

The default number of Bitcoin peers is 8 which is used inour simulation Studies have shown that peers are distributedand can be associated with any AS [23] Our experimentaldata confirmed this distribution Following this the peerswere evenly distributed in terms of communication errors andlatency Peer communication failure rate is represented by amodel parameter typically around 10 percent failures Thelatency is represented by the number of communication timesteps per simulation block This is scaled according to thesimulation size Each time step represents one peer-to-peercommunication attempt for each node

The simulation was used to model information flow throughthe network under different attack scenarios A network of10000 nodes can be simulated using a square grid of size 100We ran simulations using the entire network For clarity a gridof size 25 (116 of the active nodes) is shown in the figuresThis grid ran faster is easier to read and well simulated exper-imental results Using different scaled network simulations wediscovered that the upper limit of Decker and Wattenhoferrsquosnode propagation delay Tdelay can be expressed as a ratio ofthe block interval divided by the network diameter Taking theinverse of this ratio we arrive at a non-dimensional parameterthe span ratio representing how many times information cantravel from one side of the Bitcoin network to the other duringthe block interval Assuming a square grid network diameter isproportional to the square root of the number of nodes A givenspan ratio Rspan with the Bitcoin block interval Tblock thusyields a maximum propagation delay to maintain the state of anetwork of N nodes Tdelay = Tblock(Rspan lowastN05) As theBitcoin network grows a smaller propagation delay is requiredto synchronize peers Specifically Tdelay is inversely related tothe square root of the number of nodes The maximum valueof Rspan in simulation was 20 corresponding to a 3 secondinterval per peer communication in the actual network of10000 nodes With reasonable values for the communicationfailure such a small time step resulted in a network that wasfully updated between blocks Therefore Rspan = 20 is agood target for blockchain synchronization

(a) Time Step 151 (b) Time Step 201 (c) Time Step 251

Fig 7 Simulation of temporal attack Figure 7(a) shows fork B emerging at node [77] Compare the color distribution to the peaks of Figure 6(c) aboveTwo blocks later in Figure 7(b) fork B has control of 16 of the nodes In Figure 7(c) the longer chain A overwhelms fork B but has lost synchronizationso cannot prevent emergence of a new fork C

Figure 7 shows a sample of results obtained from simula-tion where the attacker has 30 of the network hash rateOnce a portion of the network is isolated it can be sustainedwith successive forks since the isolated nodes naturally as-sume that block delays are due to network issues As suchthey do not know that new blocks are taking more time tocalculate due to the lower hash rate of the attacker Meanwhilethe main chain loses some of its hash rate and is thereforeless capable of responding Note that the cost of launching atemporal attack is much less than the spatial attack providedthat the attacker has the consistent view of the network asshown in Figure 6Implications Even a short term fork in the network wouldcause sufficient disruption to invalidate transactions Suchan attack is likely to result in significant loss to networkstakeholders Quantifying the impact of adverse events onBitcoin has been inconclusive [25][20] and is dependent uponuser perception [43] However once the targeted nodes areisolated as shown in Figure 5 the soft fork will create atemporary partition in the network The isolated nodes willbe following a counterfeit blockchain with different transac-tions from the main chain Therefore when nodes recoverfrom the fork the attackerrsquos blocks will be rejected and alltransactions belonging to legitimate users in those blocks willalso be reversed This will require a major update on the setof all UTXOrsquos at each node and a system-wide check onthe transactions being reversed Standing out in our analysisis the observation that Bitcoin has a level of asymmetricvulnerability With a market capitalization of o(1011) USD andnetwork configuration of o(104) nodes each full node is wortho(107) USD However the cost of disrupting the network isfar less than the value being impacted which makes Bitcoinan economically attractive target for temporal attacks

C Spatio-temporal PartitioningIn this section we analyze how an attacker can make use

of spatial and temporal distribution of nodes over time tofind vulnerable spots in the network through which he caneffectively isolate a group of nodes From our data analysiswe found the feasibility and cost of this attack compared tospatial and temporal partitioning Saptio-temporal analysis alsoprovides insights into the general behavior of nodes within anAS or an organization Therefore it is intuitive to investigatethe attributes of the overall topology of Bitcoin network inrelation to the ASes and organizationsAttack Objectives In this attack the aim of the adversaryis to split the network based on the networkrsquos vulnerability toboth the spatial and temporal partitioning As shown in Fig-ure 6(a) and Figure 6(b) the purple and yellow nodes are

vulnerable to temporal attacks However the attacker cannotlaunch the same attack on nodes lying in the green region(synced nodes) since they are up-to-date and will reject a falseblock These nodes can still be partitioned based on the BGPattack presented in spatial partitioning A combined effect ofboth attacks will be an optimized and targeted attack that willaffect the entire Bitcoin network

It is worth mentioning that for a BGP attack on nodes withinthe green region the attacker does not have to isolate all targetnodes Since these up-to-date nodes are connected with eachother therefore an attack on a subset of nodes can have acascade effect thereby compromising all other nodesAttack Procedure and Validation For a successful attackthe attacker will need information about the ASes and or-ganizations of the synced nodes as well as nodes that arebehind The feasibility of this attack depends on the adversarialcapabilities of the attacker To analyze that we elaborate thenetwork behavior from Figure 6(b) in Figure 8(a) The greenline indicates the number of nodes that are synced whileyellow and purple lines show nodes that are 1 block and 2ndash4blocks behind respectively

Per our threat model if the attacker is an AS it will preferto hijack BGP prefixes to damage Bitcoin As such it willprefer maximum nodes in the green region and minimumnodes in yellow and purple region to maximize the attackseverity If the attacker is a mining pool then it will launcha temporal attack and will prefer minimum nodes in greenregion and maximum nodes in other regions However ifthe attacker is a cloud service provider that has both routingand mining capabilities then it can launch both spatial andtemporal attacks Therefore the key aspect of spatio-temporalattack is that it is adjustable to the capabilities of an attacker

Although multiple attack scenarios and case studies canbe drawn for spatio-temporal partitioning but in the interestof space we illustrate one case study From our simulationswe observed that the temporal partitioning forks the networkat a faster rate than spatial attacks Therefore we assume acase in which cloud provider waits for minimum number ofsynced nodes and launches a spatio-temporal attack As seenin Figure 8(a) at two instances the number of synced nodesfalls as low as 3000 while the number of nodes that are 2ndash4 blocks behind go as high as 6000 nodes This can serveas an ideal attack opportunity to launch the spatio-temporalattack To isolate synced nodes the attacker needs to haveinformation about their ASes To analyze that we gatheredinformation about synced nodes and their corresponding ASesand organizations In Table VII we enlist the top 5 ASes andorganizations that hosted most synced nodes in Figure 8(a)

0

2000

4000

6000

8000

10000

12000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

Synced Nodes1 Block Behind

2-4 Block Behind

(a) One day snapshot

0

200

400

600

800

1000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS4134

AS24940

(b) Top 1-2 synced nodes ASes

0

100

200

300

400

500

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS16276

AS16509

AS14061

(c) Top 3-5 synced nodes ASesFig 8 Spatial and temporal distribution of nodes for the day defined in Figure 6(b) For the synced nodes in Figure 8(a) we outline their distribution acrosstop five ASes in Figure 8(b) and Figure 8(c) On average AS4134 hosts most of the nodes

TABLE VIITOP 5 ASES THAT HOSTED ALL THE SYNCHRONIZED NODES

IN FIGURE 6(B) FOR 24 HOURS

AS Organization Nodes PercentageAS4134 No31 Jin-rong 993 957AS24940 Hetzner Online 830 798AS16276 OVH SAS 530 522AS16509 Amazoncom 417 419AS14061 DigitalOcean 332 323

We observed that 28 of synced nodes are hosted withinthe top 5 ASes We plot their hosting pattern over a full dayin Figure 8(b) and Figure 8(c) The cloud provider can spatiallyattack synced nodes by hijacking five ASes and temporallyattack the remaining nodesImplications Spatio-temporal attack is an optimized andtargeted attack that provides multiple attack opportunities to astrong adversary to take down the network with minimal effortAs demonstrated by our results in Figure 8 at a given timemore than 50 of nodes can be behind the main blockchainand vulnerable to temporal attacks Moreover at the sametime the remaining synced nodes can be attacked by hijackingBGP prefixes of their hosting ASes and organizations Theattacker can select a suitable trade-off between the laggingnodes and synced nodes based on the attackerrsquos capabilitiesand disrupt the network For a successful attack on syncednodes the attacker may just have to isolate a small number ofnodes that relay blocks to each other and due to the cascadeeffect remaining nodes will eventually collapse As such ifthe number of full nodes is small in a cryptocurrency suchas Bitcoin Cash or Litecoin the attacker can compromise theentire cryptocurrency by affecting the flow of valuable dataincluding transactions and blocks

D Logical Partitioning

The Bitcoin network is actuated by communication amongpeers each of which is a full node running software thatconforms to a protocol The protocol is defined by an opensource software project Bitcoin Core initially published bySatoshi Nakamoto on January 9 2009 [12] Since 2009 therehave been over 40 updates to Bitcoin Core with the latestv0160 released in February 2018 New versions build uponprevious ones with improved security performance and func-tionality Since the Bitcoin network is open to any client thatsatisfies the network protocol peers can run modified softwareOptional features such as SegWit [1] are implemented in thisway compatible with Bitcoin Core

Table VIII shows the distribution of Bitcoin software at thetime of our data collection along with their release date andpercentage of users We observed that 288 Bitcoin softwarevariants are used by full nodes The latest version of Bitcoin

TABLE VIIITOP 5 SOFTWARE VERSIONS USED BY BITCOIN FULL NODES ALONG WITH

THEIR RELEASE DATE LAG FROM THE DATE OF COLLECTION IN DAYSAND PERCENTAGE OF USERS

Index Version Release Date Lag Users 1 B Core v0160 02-26-2018 59 36282 B Core v0151 11-11-2017 166 27523 B Core v01501 09-19-2017 219 5014 B Core v0142 06-17-2017 313 4675 B Core v0150 04-22-2017 369 205

Core 0160 is used by only 36 of the nodes while 27use version 0151 The remaining 37 of the network uses286 different software clientsAttack Objectives The objective of the attacker would be togain the confidence of full nodes Changes may be subtle andnot perceived as threats Diverse incentives may be employedfor adoption In our scenario the attackerrsquos influence overthe software would be sufficient to optimize and magnify theeffects of the attackAttack Procedure Peer ldquodemocracyrdquo in software selectionhas served well but is vulnerable to attacks Over time amodified software variant might gain popularity by offeringbetter performance and features One example is Falcona custom Bitcoin client run by 10 nodes Falcon providesfaster connectivity and minimum delay during transactionpropagation [55] Falcon is not malicious but it demonstratesthe independence of peers to run a client that is not part ofBitcoin Core A hypothetical client that economizes the costof running a full node might gain general acceptance whileat the same time reducing the cost of controlling a significantportion of the network

In a more subtle scenario a malicious entity with cooperat-ing peers could modify the Bitcoin Core software after down-load The modifications may be surreptitious or proclaimedto be enhancements Nodes influenced by the attacker wouldseem normal but would be used to facilitate an attack Asimple example of permissible client modification would beto increase the number of peer connections [11] and help thespread of malicious blocks

In either case the software would provide a platform toenhance the partitioning attack During the attack modifiedclients could steal bitcoins from connected wallets isolatepeers from the network propagate false information in thenetwork and cause DoS attacks on neighboring peers Tofurther analyze vulnerabilities associated with Bitcoin softwareclients we mapped known client versions to the NationalVulnerability Database (NVD) From NVD we obtained 36reported vulnerabilities along with the vulnerability ID thepublishing date and the CVSS severity For instance avulnerability with ID CVE-2018-17144 shows that Bitcoinclients are vulnerable to a remote denial-of-service attack via

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

maximum number of nodes that lag behind main chain for atleast 125 blocks respectively The decreasing of maximumnumber of nodes along with the increasing of timing con-straint shows the fact that the longer time it takes to implementan attack the fewer choice of vulnerable nodes is availableWe noticed that there were moments in which a majority ofnodes in the network (ge 50) was at least 1 block behind formore than 5 minutes and up to 20 nodes lagged behind themain chain for more than 15 minutes

With this information we perform a theoretical analysison the timing threshold T that is suitable for the attacker toisolate a targeted set of m nodes We assume the attackerwants to isolate m nodes which requires the attacker to createconnections to these nodes and feed them its own versionof block We model the required timing for this process asan exponential distribution by rate λ In 2015 the Bitcoincommunity switched from a traditional gossip-style protocolknown as trickle spreading to diffusion spreading in which theinformation propagates with independent exponential delaysThis method of modeling Bitcoin connections has been usedin prior work as well by Fanti et al [24] Using that thetiming of the attacker to connect to a node is

f(t) = λeminusλt F (t) = 1minus eminusλt (1)

where f(middot) F (middot) are probability density and cumulative dis-tribution functions Given timing assigned to isolate m nodesis T = (t1 tm) The probability that an attacker isolates mnodes under T derived from Cauchy inequality theorem is

ρ(T ) =mprodi=1

(1minus eminusλti) le(1minus

summi=1 e

minusλti

m

)m(2)

Theorem 1 (Cauchy Theorem) Let x1 x2 xn are n non-negative numbers then

nprodi=1

xi le(sumn

i=1 xin

)nlesumni=1 x

ni

n(3)

Both equalities occur if and only if x1 = x2 = = xnNow consider a timing constraint T in which the attacker

wants to isolate all m nodes This means that the timingassignment T should satisfy

summi=1 ti le T So

ρ(T ) le (1minus eminus λm T)m (4)

With timing constraint T the attacker will have at most(Tm

)choices for timing assignment T By union bound the

probability p to isolate m nodes within T is bounded by

p le b(m T) =

(T

m

)(1minus eminus λ

m T)m (5)

Given m b() is monotonically increasing by T Thereforegiven a successful probability p we can infer a lower boundof T by binary bisection We experiment with the relationshipamong values of m T and λ We set the targeted successfulrate of attacker p as 08 and test it with various values ofλ The results are recorded in table VI Column labels showdifferent values of m nodes that the attacker aims to isolateand row labels show values of λ Values in each cell denotethe bound of T such that within this bound the attacker canisolate m nodes under delay rate λ with probability of at least08 For example with λ = 08 and m = 500 it would takeonly 589 seconds (approximately 10 minutes) to isolate all m

TABLE VIMINIMUM TIMING CONSTRAINT T (SECONDS) TO ISOLATE m NODES

UNDER THE GIVEN RATE λ

λm

100 300 500 800 1000 1200 1500

04 142 424 705 1127 1610 2313 351705 133 397 661 1057 1320 1851 281406 127 379 630 1007 1258 1545 234507 122 365 607 970 1213 1455 201008 119 354 589 942 1177 1412 176509 116 346 575 920 1149 1379 1723

nodes with probability at least 08 500 is much smaller thannumber of vulnerable nodes in 10 minutes timing constraint(from table Table VI there can be 1761 vulnerable nodeswithin T = 10 minutes) Therefore we conclude that Bitcoinis highly vulnerable to temporal attacksSimulation and Attack Validation To validate the insightsobtained from our data and theoretical analysis we developeda simulation model in R to test temporal attacks The simulatorwas tested in base simulation scenarios such as zero and per-fect communication among nodes As an internal error checkand to make the simulation more realistic each simulated nodemaintains a 64-bit MD5 hash linked chain of values updated toits current fork By adjusting parameters the simulation wascapable of accurately representing the state of the network aswe observed in our dataset

The default number of Bitcoin peers is 8 which is used inour simulation Studies have shown that peers are distributedand can be associated with any AS [23] Our experimentaldata confirmed this distribution Following this the peerswere evenly distributed in terms of communication errors andlatency Peer communication failure rate is represented by amodel parameter typically around 10 percent failures Thelatency is represented by the number of communication timesteps per simulation block This is scaled according to thesimulation size Each time step represents one peer-to-peercommunication attempt for each node

The simulation was used to model information flow throughthe network under different attack scenarios A network of10000 nodes can be simulated using a square grid of size 100We ran simulations using the entire network For clarity a gridof size 25 (116 of the active nodes) is shown in the figuresThis grid ran faster is easier to read and well simulated exper-imental results Using different scaled network simulations wediscovered that the upper limit of Decker and Wattenhoferrsquosnode propagation delay Tdelay can be expressed as a ratio ofthe block interval divided by the network diameter Taking theinverse of this ratio we arrive at a non-dimensional parameterthe span ratio representing how many times information cantravel from one side of the Bitcoin network to the other duringthe block interval Assuming a square grid network diameter isproportional to the square root of the number of nodes A givenspan ratio Rspan with the Bitcoin block interval Tblock thusyields a maximum propagation delay to maintain the state of anetwork of N nodes Tdelay = Tblock(Rspan lowastN05) As theBitcoin network grows a smaller propagation delay is requiredto synchronize peers Specifically Tdelay is inversely related tothe square root of the number of nodes The maximum valueof Rspan in simulation was 20 corresponding to a 3 secondinterval per peer communication in the actual network of10000 nodes With reasonable values for the communicationfailure such a small time step resulted in a network that wasfully updated between blocks Therefore Rspan = 20 is agood target for blockchain synchronization

(a) Time Step 151 (b) Time Step 201 (c) Time Step 251

Fig 7 Simulation of temporal attack Figure 7(a) shows fork B emerging at node [77] Compare the color distribution to the peaks of Figure 6(c) aboveTwo blocks later in Figure 7(b) fork B has control of 16 of the nodes In Figure 7(c) the longer chain A overwhelms fork B but has lost synchronizationso cannot prevent emergence of a new fork C

Figure 7 shows a sample of results obtained from simula-tion where the attacker has 30 of the network hash rateOnce a portion of the network is isolated it can be sustainedwith successive forks since the isolated nodes naturally as-sume that block delays are due to network issues As suchthey do not know that new blocks are taking more time tocalculate due to the lower hash rate of the attacker Meanwhilethe main chain loses some of its hash rate and is thereforeless capable of responding Note that the cost of launching atemporal attack is much less than the spatial attack providedthat the attacker has the consistent view of the network asshown in Figure 6Implications Even a short term fork in the network wouldcause sufficient disruption to invalidate transactions Suchan attack is likely to result in significant loss to networkstakeholders Quantifying the impact of adverse events onBitcoin has been inconclusive [25][20] and is dependent uponuser perception [43] However once the targeted nodes areisolated as shown in Figure 5 the soft fork will create atemporary partition in the network The isolated nodes willbe following a counterfeit blockchain with different transac-tions from the main chain Therefore when nodes recoverfrom the fork the attackerrsquos blocks will be rejected and alltransactions belonging to legitimate users in those blocks willalso be reversed This will require a major update on the setof all UTXOrsquos at each node and a system-wide check onthe transactions being reversed Standing out in our analysisis the observation that Bitcoin has a level of asymmetricvulnerability With a market capitalization of o(1011) USD andnetwork configuration of o(104) nodes each full node is wortho(107) USD However the cost of disrupting the network isfar less than the value being impacted which makes Bitcoinan economically attractive target for temporal attacks

C Spatio-temporal PartitioningIn this section we analyze how an attacker can make use

of spatial and temporal distribution of nodes over time tofind vulnerable spots in the network through which he caneffectively isolate a group of nodes From our data analysiswe found the feasibility and cost of this attack compared tospatial and temporal partitioning Saptio-temporal analysis alsoprovides insights into the general behavior of nodes within anAS or an organization Therefore it is intuitive to investigatethe attributes of the overall topology of Bitcoin network inrelation to the ASes and organizationsAttack Objectives In this attack the aim of the adversaryis to split the network based on the networkrsquos vulnerability toboth the spatial and temporal partitioning As shown in Fig-ure 6(a) and Figure 6(b) the purple and yellow nodes are

vulnerable to temporal attacks However the attacker cannotlaunch the same attack on nodes lying in the green region(synced nodes) since they are up-to-date and will reject a falseblock These nodes can still be partitioned based on the BGPattack presented in spatial partitioning A combined effect ofboth attacks will be an optimized and targeted attack that willaffect the entire Bitcoin network

It is worth mentioning that for a BGP attack on nodes withinthe green region the attacker does not have to isolate all targetnodes Since these up-to-date nodes are connected with eachother therefore an attack on a subset of nodes can have acascade effect thereby compromising all other nodesAttack Procedure and Validation For a successful attackthe attacker will need information about the ASes and or-ganizations of the synced nodes as well as nodes that arebehind The feasibility of this attack depends on the adversarialcapabilities of the attacker To analyze that we elaborate thenetwork behavior from Figure 6(b) in Figure 8(a) The greenline indicates the number of nodes that are synced whileyellow and purple lines show nodes that are 1 block and 2ndash4blocks behind respectively

Per our threat model if the attacker is an AS it will preferto hijack BGP prefixes to damage Bitcoin As such it willprefer maximum nodes in the green region and minimumnodes in yellow and purple region to maximize the attackseverity If the attacker is a mining pool then it will launcha temporal attack and will prefer minimum nodes in greenregion and maximum nodes in other regions However ifthe attacker is a cloud service provider that has both routingand mining capabilities then it can launch both spatial andtemporal attacks Therefore the key aspect of spatio-temporalattack is that it is adjustable to the capabilities of an attacker

Although multiple attack scenarios and case studies canbe drawn for spatio-temporal partitioning but in the interestof space we illustrate one case study From our simulationswe observed that the temporal partitioning forks the networkat a faster rate than spatial attacks Therefore we assume acase in which cloud provider waits for minimum number ofsynced nodes and launches a spatio-temporal attack As seenin Figure 8(a) at two instances the number of synced nodesfalls as low as 3000 while the number of nodes that are 2ndash4 blocks behind go as high as 6000 nodes This can serveas an ideal attack opportunity to launch the spatio-temporalattack To isolate synced nodes the attacker needs to haveinformation about their ASes To analyze that we gatheredinformation about synced nodes and their corresponding ASesand organizations In Table VII we enlist the top 5 ASes andorganizations that hosted most synced nodes in Figure 8(a)

0

2000

4000

6000

8000

10000

12000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

Synced Nodes1 Block Behind

2-4 Block Behind

(a) One day snapshot

0

200

400

600

800

1000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS4134

AS24940

(b) Top 1-2 synced nodes ASes

0

100

200

300

400

500

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS16276

AS16509

AS14061

(c) Top 3-5 synced nodes ASesFig 8 Spatial and temporal distribution of nodes for the day defined in Figure 6(b) For the synced nodes in Figure 8(a) we outline their distribution acrosstop five ASes in Figure 8(b) and Figure 8(c) On average AS4134 hosts most of the nodes

TABLE VIITOP 5 ASES THAT HOSTED ALL THE SYNCHRONIZED NODES

IN FIGURE 6(B) FOR 24 HOURS

AS Organization Nodes PercentageAS4134 No31 Jin-rong 993 957AS24940 Hetzner Online 830 798AS16276 OVH SAS 530 522AS16509 Amazoncom 417 419AS14061 DigitalOcean 332 323

We observed that 28 of synced nodes are hosted withinthe top 5 ASes We plot their hosting pattern over a full dayin Figure 8(b) and Figure 8(c) The cloud provider can spatiallyattack synced nodes by hijacking five ASes and temporallyattack the remaining nodesImplications Spatio-temporal attack is an optimized andtargeted attack that provides multiple attack opportunities to astrong adversary to take down the network with minimal effortAs demonstrated by our results in Figure 8 at a given timemore than 50 of nodes can be behind the main blockchainand vulnerable to temporal attacks Moreover at the sametime the remaining synced nodes can be attacked by hijackingBGP prefixes of their hosting ASes and organizations Theattacker can select a suitable trade-off between the laggingnodes and synced nodes based on the attackerrsquos capabilitiesand disrupt the network For a successful attack on syncednodes the attacker may just have to isolate a small number ofnodes that relay blocks to each other and due to the cascadeeffect remaining nodes will eventually collapse As such ifthe number of full nodes is small in a cryptocurrency suchas Bitcoin Cash or Litecoin the attacker can compromise theentire cryptocurrency by affecting the flow of valuable dataincluding transactions and blocks

D Logical Partitioning

The Bitcoin network is actuated by communication amongpeers each of which is a full node running software thatconforms to a protocol The protocol is defined by an opensource software project Bitcoin Core initially published bySatoshi Nakamoto on January 9 2009 [12] Since 2009 therehave been over 40 updates to Bitcoin Core with the latestv0160 released in February 2018 New versions build uponprevious ones with improved security performance and func-tionality Since the Bitcoin network is open to any client thatsatisfies the network protocol peers can run modified softwareOptional features such as SegWit [1] are implemented in thisway compatible with Bitcoin Core

Table VIII shows the distribution of Bitcoin software at thetime of our data collection along with their release date andpercentage of users We observed that 288 Bitcoin softwarevariants are used by full nodes The latest version of Bitcoin

TABLE VIIITOP 5 SOFTWARE VERSIONS USED BY BITCOIN FULL NODES ALONG WITH

THEIR RELEASE DATE LAG FROM THE DATE OF COLLECTION IN DAYSAND PERCENTAGE OF USERS

Index Version Release Date Lag Users 1 B Core v0160 02-26-2018 59 36282 B Core v0151 11-11-2017 166 27523 B Core v01501 09-19-2017 219 5014 B Core v0142 06-17-2017 313 4675 B Core v0150 04-22-2017 369 205

Core 0160 is used by only 36 of the nodes while 27use version 0151 The remaining 37 of the network uses286 different software clientsAttack Objectives The objective of the attacker would be togain the confidence of full nodes Changes may be subtle andnot perceived as threats Diverse incentives may be employedfor adoption In our scenario the attackerrsquos influence overthe software would be sufficient to optimize and magnify theeffects of the attackAttack Procedure Peer ldquodemocracyrdquo in software selectionhas served well but is vulnerable to attacks Over time amodified software variant might gain popularity by offeringbetter performance and features One example is Falcona custom Bitcoin client run by 10 nodes Falcon providesfaster connectivity and minimum delay during transactionpropagation [55] Falcon is not malicious but it demonstratesthe independence of peers to run a client that is not part ofBitcoin Core A hypothetical client that economizes the costof running a full node might gain general acceptance whileat the same time reducing the cost of controlling a significantportion of the network

In a more subtle scenario a malicious entity with cooperat-ing peers could modify the Bitcoin Core software after down-load The modifications may be surreptitious or proclaimedto be enhancements Nodes influenced by the attacker wouldseem normal but would be used to facilitate an attack Asimple example of permissible client modification would beto increase the number of peer connections [11] and help thespread of malicious blocks

In either case the software would provide a platform toenhance the partitioning attack During the attack modifiedclients could steal bitcoins from connected wallets isolatepeers from the network propagate false information in thenetwork and cause DoS attacks on neighboring peers Tofurther analyze vulnerabilities associated with Bitcoin softwareclients we mapped known client versions to the NationalVulnerability Database (NVD) From NVD we obtained 36reported vulnerabilities along with the vulnerability ID thepublishing date and the CVSS severity For instance avulnerability with ID CVE-2018-17144 shows that Bitcoinclients are vulnerable to a remote denial-of-service attack via

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

(a) Time Step 151 (b) Time Step 201 (c) Time Step 251

Fig 7 Simulation of temporal attack Figure 7(a) shows fork B emerging at node [77] Compare the color distribution to the peaks of Figure 6(c) aboveTwo blocks later in Figure 7(b) fork B has control of 16 of the nodes In Figure 7(c) the longer chain A overwhelms fork B but has lost synchronizationso cannot prevent emergence of a new fork C

Figure 7 shows a sample of results obtained from simula-tion where the attacker has 30 of the network hash rateOnce a portion of the network is isolated it can be sustainedwith successive forks since the isolated nodes naturally as-sume that block delays are due to network issues As suchthey do not know that new blocks are taking more time tocalculate due to the lower hash rate of the attacker Meanwhilethe main chain loses some of its hash rate and is thereforeless capable of responding Note that the cost of launching atemporal attack is much less than the spatial attack providedthat the attacker has the consistent view of the network asshown in Figure 6Implications Even a short term fork in the network wouldcause sufficient disruption to invalidate transactions Suchan attack is likely to result in significant loss to networkstakeholders Quantifying the impact of adverse events onBitcoin has been inconclusive [25][20] and is dependent uponuser perception [43] However once the targeted nodes areisolated as shown in Figure 5 the soft fork will create atemporary partition in the network The isolated nodes willbe following a counterfeit blockchain with different transac-tions from the main chain Therefore when nodes recoverfrom the fork the attackerrsquos blocks will be rejected and alltransactions belonging to legitimate users in those blocks willalso be reversed This will require a major update on the setof all UTXOrsquos at each node and a system-wide check onthe transactions being reversed Standing out in our analysisis the observation that Bitcoin has a level of asymmetricvulnerability With a market capitalization of o(1011) USD andnetwork configuration of o(104) nodes each full node is wortho(107) USD However the cost of disrupting the network isfar less than the value being impacted which makes Bitcoinan economically attractive target for temporal attacks

C Spatio-temporal PartitioningIn this section we analyze how an attacker can make use

of spatial and temporal distribution of nodes over time tofind vulnerable spots in the network through which he caneffectively isolate a group of nodes From our data analysiswe found the feasibility and cost of this attack compared tospatial and temporal partitioning Saptio-temporal analysis alsoprovides insights into the general behavior of nodes within anAS or an organization Therefore it is intuitive to investigatethe attributes of the overall topology of Bitcoin network inrelation to the ASes and organizationsAttack Objectives In this attack the aim of the adversaryis to split the network based on the networkrsquos vulnerability toboth the spatial and temporal partitioning As shown in Fig-ure 6(a) and Figure 6(b) the purple and yellow nodes are

vulnerable to temporal attacks However the attacker cannotlaunch the same attack on nodes lying in the green region(synced nodes) since they are up-to-date and will reject a falseblock These nodes can still be partitioned based on the BGPattack presented in spatial partitioning A combined effect ofboth attacks will be an optimized and targeted attack that willaffect the entire Bitcoin network

It is worth mentioning that for a BGP attack on nodes withinthe green region the attacker does not have to isolate all targetnodes Since these up-to-date nodes are connected with eachother therefore an attack on a subset of nodes can have acascade effect thereby compromising all other nodesAttack Procedure and Validation For a successful attackthe attacker will need information about the ASes and or-ganizations of the synced nodes as well as nodes that arebehind The feasibility of this attack depends on the adversarialcapabilities of the attacker To analyze that we elaborate thenetwork behavior from Figure 6(b) in Figure 8(a) The greenline indicates the number of nodes that are synced whileyellow and purple lines show nodes that are 1 block and 2ndash4blocks behind respectively

Per our threat model if the attacker is an AS it will preferto hijack BGP prefixes to damage Bitcoin As such it willprefer maximum nodes in the green region and minimumnodes in yellow and purple region to maximize the attackseverity If the attacker is a mining pool then it will launcha temporal attack and will prefer minimum nodes in greenregion and maximum nodes in other regions However ifthe attacker is a cloud service provider that has both routingand mining capabilities then it can launch both spatial andtemporal attacks Therefore the key aspect of spatio-temporalattack is that it is adjustable to the capabilities of an attacker

Although multiple attack scenarios and case studies canbe drawn for spatio-temporal partitioning but in the interestof space we illustrate one case study From our simulationswe observed that the temporal partitioning forks the networkat a faster rate than spatial attacks Therefore we assume acase in which cloud provider waits for minimum number ofsynced nodes and launches a spatio-temporal attack As seenin Figure 8(a) at two instances the number of synced nodesfalls as low as 3000 while the number of nodes that are 2ndash4 blocks behind go as high as 6000 nodes This can serveas an ideal attack opportunity to launch the spatio-temporalattack To isolate synced nodes the attacker needs to haveinformation about their ASes To analyze that we gatheredinformation about synced nodes and their corresponding ASesand organizations In Table VII we enlist the top 5 ASes andorganizations that hosted most synced nodes in Figure 8(a)

0

2000

4000

6000

8000

10000

12000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

Synced Nodes1 Block Behind

2-4 Block Behind

(a) One day snapshot

0

200

400

600

800

1000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS4134

AS24940

(b) Top 1-2 synced nodes ASes

0

100

200

300

400

500

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS16276

AS16509

AS14061

(c) Top 3-5 synced nodes ASesFig 8 Spatial and temporal distribution of nodes for the day defined in Figure 6(b) For the synced nodes in Figure 8(a) we outline their distribution acrosstop five ASes in Figure 8(b) and Figure 8(c) On average AS4134 hosts most of the nodes

TABLE VIITOP 5 ASES THAT HOSTED ALL THE SYNCHRONIZED NODES

IN FIGURE 6(B) FOR 24 HOURS

AS Organization Nodes PercentageAS4134 No31 Jin-rong 993 957AS24940 Hetzner Online 830 798AS16276 OVH SAS 530 522AS16509 Amazoncom 417 419AS14061 DigitalOcean 332 323

We observed that 28 of synced nodes are hosted withinthe top 5 ASes We plot their hosting pattern over a full dayin Figure 8(b) and Figure 8(c) The cloud provider can spatiallyattack synced nodes by hijacking five ASes and temporallyattack the remaining nodesImplications Spatio-temporal attack is an optimized andtargeted attack that provides multiple attack opportunities to astrong adversary to take down the network with minimal effortAs demonstrated by our results in Figure 8 at a given timemore than 50 of nodes can be behind the main blockchainand vulnerable to temporal attacks Moreover at the sametime the remaining synced nodes can be attacked by hijackingBGP prefixes of their hosting ASes and organizations Theattacker can select a suitable trade-off between the laggingnodes and synced nodes based on the attackerrsquos capabilitiesand disrupt the network For a successful attack on syncednodes the attacker may just have to isolate a small number ofnodes that relay blocks to each other and due to the cascadeeffect remaining nodes will eventually collapse As such ifthe number of full nodes is small in a cryptocurrency suchas Bitcoin Cash or Litecoin the attacker can compromise theentire cryptocurrency by affecting the flow of valuable dataincluding transactions and blocks

D Logical Partitioning

The Bitcoin network is actuated by communication amongpeers each of which is a full node running software thatconforms to a protocol The protocol is defined by an opensource software project Bitcoin Core initially published bySatoshi Nakamoto on January 9 2009 [12] Since 2009 therehave been over 40 updates to Bitcoin Core with the latestv0160 released in February 2018 New versions build uponprevious ones with improved security performance and func-tionality Since the Bitcoin network is open to any client thatsatisfies the network protocol peers can run modified softwareOptional features such as SegWit [1] are implemented in thisway compatible with Bitcoin Core

Table VIII shows the distribution of Bitcoin software at thetime of our data collection along with their release date andpercentage of users We observed that 288 Bitcoin softwarevariants are used by full nodes The latest version of Bitcoin

TABLE VIIITOP 5 SOFTWARE VERSIONS USED BY BITCOIN FULL NODES ALONG WITH

THEIR RELEASE DATE LAG FROM THE DATE OF COLLECTION IN DAYSAND PERCENTAGE OF USERS

Index Version Release Date Lag Users 1 B Core v0160 02-26-2018 59 36282 B Core v0151 11-11-2017 166 27523 B Core v01501 09-19-2017 219 5014 B Core v0142 06-17-2017 313 4675 B Core v0150 04-22-2017 369 205

Core 0160 is used by only 36 of the nodes while 27use version 0151 The remaining 37 of the network uses286 different software clientsAttack Objectives The objective of the attacker would be togain the confidence of full nodes Changes may be subtle andnot perceived as threats Diverse incentives may be employedfor adoption In our scenario the attackerrsquos influence overthe software would be sufficient to optimize and magnify theeffects of the attackAttack Procedure Peer ldquodemocracyrdquo in software selectionhas served well but is vulnerable to attacks Over time amodified software variant might gain popularity by offeringbetter performance and features One example is Falcona custom Bitcoin client run by 10 nodes Falcon providesfaster connectivity and minimum delay during transactionpropagation [55] Falcon is not malicious but it demonstratesthe independence of peers to run a client that is not part ofBitcoin Core A hypothetical client that economizes the costof running a full node might gain general acceptance whileat the same time reducing the cost of controlling a significantportion of the network

In a more subtle scenario a malicious entity with cooperat-ing peers could modify the Bitcoin Core software after down-load The modifications may be surreptitious or proclaimedto be enhancements Nodes influenced by the attacker wouldseem normal but would be used to facilitate an attack Asimple example of permissible client modification would beto increase the number of peer connections [11] and help thespread of malicious blocks

In either case the software would provide a platform toenhance the partitioning attack During the attack modifiedclients could steal bitcoins from connected wallets isolatepeers from the network propagate false information in thenetwork and cause DoS attacks on neighboring peers Tofurther analyze vulnerabilities associated with Bitcoin softwareclients we mapped known client versions to the NationalVulnerability Database (NVD) From NVD we obtained 36reported vulnerabilities along with the vulnerability ID thepublishing date and the CVSS severity For instance avulnerability with ID CVE-2018-17144 shows that Bitcoinclients are vulnerable to a remote denial-of-service attack via

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

0

2000

4000

6000

8000

10000

12000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

Synced Nodes1 Block Behind

2-4 Block Behind

(a) One day snapshot

0

200

400

600

800

1000

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS4134

AS24940

(b) Top 1-2 synced nodes ASes

0

100

200

300

400

500

0 20 40 60 80 100 120 140

Nu

mb

er

of

No

de

s

Data Points

AS16276

AS16509

AS14061

(c) Top 3-5 synced nodes ASesFig 8 Spatial and temporal distribution of nodes for the day defined in Figure 6(b) For the synced nodes in Figure 8(a) we outline their distribution acrosstop five ASes in Figure 8(b) and Figure 8(c) On average AS4134 hosts most of the nodes

TABLE VIITOP 5 ASES THAT HOSTED ALL THE SYNCHRONIZED NODES

IN FIGURE 6(B) FOR 24 HOURS

AS Organization Nodes PercentageAS4134 No31 Jin-rong 993 957AS24940 Hetzner Online 830 798AS16276 OVH SAS 530 522AS16509 Amazoncom 417 419AS14061 DigitalOcean 332 323

We observed that 28 of synced nodes are hosted withinthe top 5 ASes We plot their hosting pattern over a full dayin Figure 8(b) and Figure 8(c) The cloud provider can spatiallyattack synced nodes by hijacking five ASes and temporallyattack the remaining nodesImplications Spatio-temporal attack is an optimized andtargeted attack that provides multiple attack opportunities to astrong adversary to take down the network with minimal effortAs demonstrated by our results in Figure 8 at a given timemore than 50 of nodes can be behind the main blockchainand vulnerable to temporal attacks Moreover at the sametime the remaining synced nodes can be attacked by hijackingBGP prefixes of their hosting ASes and organizations Theattacker can select a suitable trade-off between the laggingnodes and synced nodes based on the attackerrsquos capabilitiesand disrupt the network For a successful attack on syncednodes the attacker may just have to isolate a small number ofnodes that relay blocks to each other and due to the cascadeeffect remaining nodes will eventually collapse As such ifthe number of full nodes is small in a cryptocurrency suchas Bitcoin Cash or Litecoin the attacker can compromise theentire cryptocurrency by affecting the flow of valuable dataincluding transactions and blocks

D Logical Partitioning

The Bitcoin network is actuated by communication amongpeers each of which is a full node running software thatconforms to a protocol The protocol is defined by an opensource software project Bitcoin Core initially published bySatoshi Nakamoto on January 9 2009 [12] Since 2009 therehave been over 40 updates to Bitcoin Core with the latestv0160 released in February 2018 New versions build uponprevious ones with improved security performance and func-tionality Since the Bitcoin network is open to any client thatsatisfies the network protocol peers can run modified softwareOptional features such as SegWit [1] are implemented in thisway compatible with Bitcoin Core

Table VIII shows the distribution of Bitcoin software at thetime of our data collection along with their release date andpercentage of users We observed that 288 Bitcoin softwarevariants are used by full nodes The latest version of Bitcoin

TABLE VIIITOP 5 SOFTWARE VERSIONS USED BY BITCOIN FULL NODES ALONG WITH

THEIR RELEASE DATE LAG FROM THE DATE OF COLLECTION IN DAYSAND PERCENTAGE OF USERS

Index Version Release Date Lag Users 1 B Core v0160 02-26-2018 59 36282 B Core v0151 11-11-2017 166 27523 B Core v01501 09-19-2017 219 5014 B Core v0142 06-17-2017 313 4675 B Core v0150 04-22-2017 369 205

Core 0160 is used by only 36 of the nodes while 27use version 0151 The remaining 37 of the network uses286 different software clientsAttack Objectives The objective of the attacker would be togain the confidence of full nodes Changes may be subtle andnot perceived as threats Diverse incentives may be employedfor adoption In our scenario the attackerrsquos influence overthe software would be sufficient to optimize and magnify theeffects of the attackAttack Procedure Peer ldquodemocracyrdquo in software selectionhas served well but is vulnerable to attacks Over time amodified software variant might gain popularity by offeringbetter performance and features One example is Falcona custom Bitcoin client run by 10 nodes Falcon providesfaster connectivity and minimum delay during transactionpropagation [55] Falcon is not malicious but it demonstratesthe independence of peers to run a client that is not part ofBitcoin Core A hypothetical client that economizes the costof running a full node might gain general acceptance whileat the same time reducing the cost of controlling a significantportion of the network

In a more subtle scenario a malicious entity with cooperat-ing peers could modify the Bitcoin Core software after down-load The modifications may be surreptitious or proclaimedto be enhancements Nodes influenced by the attacker wouldseem normal but would be used to facilitate an attack Asimple example of permissible client modification would beto increase the number of peer connections [11] and help thespread of malicious blocks

In either case the software would provide a platform toenhance the partitioning attack During the attack modifiedclients could steal bitcoins from connected wallets isolatepeers from the network propagate false information in thenetwork and cause DoS attacks on neighboring peers Tofurther analyze vulnerabilities associated with Bitcoin softwareclients we mapped known client versions to the NationalVulnerability Database (NVD) From NVD we obtained 36reported vulnerabilities along with the vulnerability ID thepublishing date and the CVSS severity For instance avulnerability with ID CVE-2018-17144 shows that Bitcoinclients are vulnerable to a remote denial-of-service attack via

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

duplicate inputs This vulnerability can be found in all clientversions which puts the entire network at risk Some othernotable vulnerabilities reported in NVD are CVE-2017-9230CVE-2013-5700 and CVE-2013-4627 [18] For more detailswe refer the reader to [17]Implications Logical partitioning can be used to optimizeattacks and take advantage of nodes in the crippled networkWith each node valued at o(107) USD incentives exist todistribute and support software modifications especially ifnot obviously malicious Logical partitioning proceeds alongseveral tracks Bitcoin Core heterogenity and improvementproposals independent developer versions and publicly an-nounced hard forks such as Bitcoin Cash These collidewith spatial and temporal dimensions to create and optimizeopportunities for other network attacks

VI COUNTERMEASURES

To prevent spatial partitioning mining pools should spreadstratum servers across various ASes This can resist the cen-tralization of stratum servers and raise the attack cost since theattacker will have to hijack more BGP prefixes to isolate thetargeted pool Furthermore large Bitcoin exchanges such asCoinbase and Bitstamp should also host their full nodes acrossmultiple ASes to prevent spatial attacks In Bitcoin spatialpartitioning is an artifact of BGP hijacking and to counterthat Zhang et al [55] propose reactive and proactive defensestrategies that are based on the idea of ldquobogus route purgingand valid route promotionrdquo that can prevent BGP attacks onASes across the Internet

Temporal partitioning results from malicious peer behaviortowards nodes that are behind the main chain Although nodescan be behind due to various factors the absence of a trustedcentral authority makes them unaware of their condition Tocounter that we propose a simple yet effective scheme calledBlockAware which uses the expected block time to notify thenode about its blockchain view with respect to the network InBlockAware a node compares the timestamp of its latest blocktl and the current time tc Since the block time in Bitcoinis fixed at 600 seconds a difference between the two valuesexceeding 600 seconds (tcminustl gt 600) indicates a node has notreceived the latest block In such a situation the node can tryto connect to other nodes and query them for the latest blockAs part of our ongoing work we are prototyping BlockAwareover Bitcoin Core to defend against the temporal attacks

Vulnerability to logical partitioning is due to the opennetwork protocol A central authority to regulate client partici-pation would violate decentralization a fundamental principleof Bitcoin To remain the favored client Bitcoin Core mustcontinue to provide the best results for those who typicallywithout direct compensation accept the responsibility of run-ning a full node In Bitcoin ecosystem it would be reassuringfor more than 36 nodes to run the most up-to-date versionof Bitcoin Core However as diversity has long been knownto enhance network security [39] we do not advocate en-forcement mechanisms Therefore logical partitioning attacksremain a vulnerability to be considered

VII RELATED WORK

Spatial Partitioning The classic study on partitioning at-tacks was carried out by Apostolaki et al [3] based on thecentralization of Bitcoin network with respect to ASes and

highlighting the possibility of routing attacks with BGP pre-fixes Some notable work on the attack surface includes eclipseattacks [30] double-spending [34] Bitcoin transaction graphanalysis [47] anonymity in Bitcoin peer-to-peer model [36]and extracting intelligence from Bitcoin [51] [31]Blockchain Forks Temporal and spatio-temporal partitioningon the blockchain result in a fork that leads the affected nodesinto following a different blockchain As such forks havebeen widely studied in the community from the standpoint ofregular nodes and miners Decker and Wattenhofer [19] studiedthe occurrence of forks in the Bitcoin network They concludedthat propagation delay is the major factor that might result ina fork The results in our experiments have validated theirtheory since delay is the major factor that causes some blocksto stay behind the main chain Kwon et al [37] introduceda new form of blockchain fork known as the Fork AfterWithholding (FAW) attack which guarantees more rewardsthan block withholding attacks Eyal et al [21] proposed aByzantine fault tolerant blockchain protocol that addresses theproblems of forks Gervais demonstrated that double-spendingis possible due to block tampering [27]Consensus in Distributed Systems In a blockchain consen-sus about the state of the system is achieved with a consensusprotocol Bano et al [5] surveyed blockchain consensus pro-tocols along with their strengths and limitations In a similarvein Juri Mattila [40] analyzed blockchain consensus proto-cols and provided use cases for each scheme Sun et al [53]performed vulnerability analysis on distributed systems andproposed a trust evaluation framework to improve throughputand identify malicious peer behaviorRelated Attacks Other notable attacks on blockchain appli-cations include DDoS attacks DNS attacks selfish miningthe 51 attack and blockchain ingestion [50] [7] [6] Li etal [38] surveyed the security aspects of the blockchain bystudying attacks on popular blockchain applications includingBitcoin Ethereum and Monero Atzei et al [4] performedanalysis on vulnerabilities of smart contracts in Ethereum

VIII CONCLUSION

We examine various partitioning attacks on blockchain-based cryptocurrencies We demonstrate that the Bitcoin net-work is becoming increasingly centralized at the AS-levelmaking it more vulnerable to spatial partitioning Data col-lection and analysis demonstrate that consensus pruning ofthe Bitcoin network is non-uniform presenting optimizableopportunities for an attacker to fork the network by segregatingvulnerable nodes We study four forms of partitioning attackspatial temporal spatio-temporal and logical We validate ourattacks with simulations and discuss the implication of eachattack Finally we present possible countermeasures to thoseattacks To the best of our knowledge this is the first studyconducted to analyze the attack surface of Bitcoin coveringspatial temporal and logical dimensionsAcknowledgement This work is supported by Air ForceMaterial Command award FA8750-16-0301 Global ResearchLab program of the National Research Foundation NRF-2016K1A1A2912757 and NSF grant CNS-1814614

REFERENCES

[1] N Acheson ldquoWhat is segwitrdquo 2018 httpstinyurlcomy7d94hbu[2] Antpool ldquoAntpool stratum addressrdquo httpswwwantpoolcom 2018

[3] M Apostolaki A Zohar and L Vanbever ldquoHijacking bitcoin Routingattacks on cryptocurrenciesrdquo in IEEE Symposium on Security andPrivacy SP San Jose USA May 2017 pp 375ndash392 httpsdoiorg101109SP201729

[4] N Atzei M Bartoletti and T Cimoli ldquoA survey of attacks on ethereumsmart contracts sokrdquo in Proceedings of the 6th International Conferenceon Principles of Security and Trust - Volume 10204 2017 httpstinyurlcomyd832abs

[5] S Bano A Sonnino M Al-Bassam S Azouvi P McCorry S Meik-lejohn and G Danezis ldquoSoK Consensus in the Age of Blockchainsrdquo2017 httpsarxivorgabs171103936

[6] K Baqer D Y Huang D McCoy and N Weaver ldquoStressing out Bit-coin stress testingrdquo in International Conference on Financial Cryptog-raphy and Data Security Springer 2016 pp 3ndash18 httpdamonmccoycompapersbitcoin16-final22pdf

[7] M Bastiaan ldquoPreventing the 51-attack a stochastic analysis of twophase proof of work in bitcoinrdquo 2015 httpfmtcsutwentenlfilessprojects268pdf

[8] Blockchain ldquoHashrate distributionrdquo 2018 httpsblockchaininfopools[9] BTC ldquoBtccom stratum addressrdquo 2018 httpspoolbtccomhelpCenter

id=miner[10] CoinMarketCap ldquoCryptocurrency market capitalizations mdash coinmarket-

caprdquo 2018 httpscoinmarketcapcom[11] B Community ldquoModify number of bitcoin peersrdquo 2013 httpsgoogl

FggMtn[12] mdashmdash ldquoBitcoin core version historyrdquo 2018 httpsbitcoinorgen

version-history[13] mdashmdash ldquoBitcoin developer referencerdquo 2018 httpsbitcoinorgen

bitcoin-for-developersncom[14] mdashmdash ldquoStratum mining protocolrdquo 2018 httpsenbitcoinitwiki

Stratum mining protocol[15] mdashmdash ldquoBitnodes Global bitcoin nodes distributionrdquo 2018 https

bitnodesearncom[16] E Community ldquoEarn Earn money by answering messages and com-

pleting tasksrdquo 2018 httpsearncom[17] N Community ldquoNational vulnerability databaserdquo httpstinyurlcom

y9guktjx[18] CVE ldquoVulnerability details Cve-2017-9230rdquo 2018 httpswww

cvedetailscomcveCVE-2017-9230[19] C Decker and R Wattenhofer ldquoInformation propagation in the bitcoin

networkrdquo in Proceedings of 13th International Conference on Peer-to-Peer Computing IEEE P2P Trento Italy Sep 2013 pp 1ndash10 httpsdoiorg101109P2P20136688704

[20] J Donier and J-P Bouchaud ldquoWhy do markets crash bitcoin dataoffers unprecedented insightsrdquo vol 10 03 2015

[21] I Eyal A E Gencer E G Sirer and R van Renesse ldquoBitcoin-ng Ascalable blockchain protocolrdquo Mar 2016 httpstinyurlcomy7gxcdgr

[22] F2Pool ldquoF2pool stratum addressrdquo 2018 httpswwwf2poolcomhelp[23] M Fadhil G Owenson and M Adda ldquoLocality based approach to

improve propagation delay on the bitcoin peer-to-peer networkrdquo inSymposium on Integrated Network and Service Management (IM) May2017 httpsdoiorg1023919INM20177987328

[24] G C Fanti and P Viswanath ldquoDeanonymization in the bitcoin P2Pnetworkrdquo in Annual Conference on Neural Information ProcessingSystems 2017 Long Beach CA USA Dec 2017 pp 1364ndash1373httpstinyurlcomy72zgvtk

[25] A Feder N Gandal J T Hamrick and T Moore ldquoThe impact of DDoSand other security shocks on bitcoin currency exchanges evidence frommt goxrdquo J Cyber Secur vol 3 no 2 pp 137ndash144 Jun 2017

[26] A Gervais S Capkun G O Karame and D Gruber ldquoOnthe privacy provisions of bloom filters in lightweight bitcoinclientsrdquo in Computer Security Applications Conference ACSAC NewOrleans LA USA C N P Jr A Hahn K R B Butler andM Sherr Eds ACM Dec 2014 pp 326ndash335 [Online] Availablehttpsdoiorg10114526642432664267

[27] A Gervais H Ritzdorf G O Karame and S Capkun ldquoTampering withthe delivery of blocks and transactions in bitcoinrdquo in Proceedings ofthe 22nd ACM Conference on Computer and Communications Security(CCS) Denver Colorado Oct 2015 pp 692ndash705 httpsdoiorg10114528101032813655

[28] S Goldberg ldquoWhy is it taking so long to secure internet routingrdquoCommun ACM vol 57 no 10 pp 56ndash63 Sep 2014 httpdoiacmorg1011452659899

[29] A Greenberg ldquoHacker redirects traffic from 19 internet providersto steal bitcoinsrdquo Jun 2017 httpswwwwiredcom201408isp-bitcoin-theft

[30] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipseattacks on bitcoinrsquos peer-to-peer networkrdquo in Proceedings ofthe 24th USENIX Security Symposium (Security) WashingtonDC Aug 2015 httpswwwusenixorgconferenceusenixsecurity15technical-sessionspresentationheilman

[31] E Heilman L Alshenibr F Baldimtsi A Scafuro and S GoldbergldquoTumblebit An untrusted bitcoin-compatible anonymous payment hubrdquoin Network and Distributed System Security Symposium NDSS SanDiego USA Feb 2017 httpwpinternetsocietyorgndsswp-contentuploadssites25201709ndss201701-3HeilmanPaperpdf

[32] G Hileman and M Rauchs ldquoGlobal cryptocurrency benchmarkingstudyrdquo 2017 httpstinyurlcomlnx44cf

[33] B Info ldquoBitcoin block explorerrdquo 2018 httpsblockchaininfo[34] G Karame E Androulaki and S Capkun ldquoTwo bitcoins at the price

of one double-spending attacks on fast payments in bitcoinrdquo IACRCryptology ePrint Archive vol 2012 no 248 2012 httpeprintiacrorg2012248

[35] G O Karame E Androulaki M Roeschlin A Gervais and S CapkunldquoMisbehavior in bitcoin A study of double-spending and accountabil-ityrdquo ACM Trans Inf Syst Secur vol 18 no 1 pp 21ndash232 2015httpdoiacmorg1011452732196

[36] P Koshy D Koshy and P D McDaniel ldquoAn analysis of anonymity inbitcoin using P2P network trafficrdquo in International Conference on Fi-nancial Cryptography and Data Security FC Christ Church BarbadosMar 2014 pp 469ndash485 httpsdoiorg101007978-3-662-45472-5 30

[37] Y Kwon D Kim Y Son E Vasserman and Y Kim ldquoBe self-ish and avoid dilemmas Fork after withholding (faw) attacks onbitcoinrdquo in Proceedings of the 24th ACM Conference on Computerand Communications Security (CCS) Dallas TX OctndashNov 2017httpsdoiorg10114531339563134019

[38] X Li P Jiang T Chen X Luo and Q Wen ldquoA survey on the securityof blockchain systemsrdquo CoRR vol abs180206993 2018 httparxivorgabs180206993

[39] B Littlewood and L Strigini ldquoRedundancy and diversity in securityrdquo inProceedings of the 9th European Symposium on Research in ComputerSecurity (ESORICS) Sophia Antipolis France Sep 2004 httpsdoiorg101007978-3-540-30108-0 26

[40] J Mattila ldquoThe blockchain phenomenonndashthe disruptive potential ofdistributed consensus architecturesrdquo Tech Rep 2016

[41] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo 2008httpsbitcoinorgbitcoinpdf

[42] NetAcuity ldquoNetacuity and netacuity edge ip location technologyrdquo Feb2014 httpwwwdigitalelementcom

[43] M Polasik A I Piotrowska T P Wisniewski R Kotkowski andG Lightfoot ldquoPrice fluctuations and the use of bitcoin An empiricalinquiryrdquo International Journal of Electronic Commerce vol 20 no 1pp 9ndash49 Sep 2015 httpsdoiorg1010801086441520161061413

[44] B Reward ldquoBitcoin block reward halving countdownrdquo 2018 httpwwwbitcoinblockhalfcom

[45] RIR ldquoAutonomous systems in the worldrdquo 2018 httpstinyurlcomyaz73jnb

[46] A Robachevsky ldquo14000 incidents A 2017 routing security year inreviewrdquo Jan 2018 httpsgooglMtiVus

[47] D Ron and A Shamir ldquoQuantitative analysis of the full bitcoin trans-action graphrdquo in International Conference on Financial Cryptographyand Data Security FC Okinawa Japan Apr 2013 httpsdoiorg101007978-3-642-39884-1 2

[48] T Ruffing P Moreno-Sanchez and A Kate ldquoP2P mixing and unlink-able bitcoin transactionsrdquo in Proceedings of the 2017 Annual Networkand Distributed System Security Symposium (NDSS) San Diego CAFebndashMar 2017 httpstinyurlcomy99reaqs

[49] M F Sallal G Owenson and M Adda ldquoProximity awareness approachto enhance propagation delay on the bitcoin peer-to-peer networkrdquo inInternational Conference on Distributed Computing Systems ICDCSAtlanta USA Jun 2017 pp 2411ndash2416 httpsdoiorg101109ICDCS201753

[50] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data SecuritySpringer 2016 httpsdoiorg101007978-3-662-54970-4 30

[51] M Spagnuolo F Maggi and S Zanero ldquoBitiodine Extracting intelli-gence from the bitcoin networkrdquo in International Conference FinancialCryptography and Data Security Christ Church Barbados Mar 2014pp 457ndash468 httpsdoiorg101007978-3-662-45472-5 29

[52] Statista ldquoBitcoin blockchain size 2010-2017 mdash statisticrdquo 2018 httpstinyurlcomy8ys8evp

[53] Y L Sun Z Han W Yu and K J R Liu ldquoA trust evaluationframework in distributed networks Vulnerability analysis and defenseagainst attacksrdquo in 25th IEEE International Conference on ComputerCommunications INFOCOM Joint Conference of the IEEE Computerand Communications Societies Barcelona Spain Apr 2006 httpsdoiorg101109INFOCOM2006154

[54] S Williams ldquoBitcoin banned countriesrdquo 2017 httpstinyurlcomy8r5gdhl

[55] Z Zhang Y Zhang Y C Hu and Z M Mao ldquoPractical defensesagainst BGP prefix hijackingrdquo in Proceedings of the 2007 ACM Con-ference on Emerging Network Experimentand Technology CoNEXT New York USA Dec 2007 p 3 httpdoiacmorg10114513646541364658