BUIP038: Revert "sticky gate"
Proposer: Tom Harding
Submitted: 2016-11-27
Status: closed


Summary:

The implementation of BUIP001’s EB/AD emergent blocksize consensus has a
“sticky gate” behavior. While not widely understood, the sticky gate has
a significant effect on BU nodes’ ability to resist attacks from a
relatively small fraction of dedicated hashrate opposition.

This BUIP seeks to revert the “sticky gate” to resist this type of
attack.

Rationale:

The sticky gate is triggered by local observation of an accept-depth
(AD) override to an excessive block (EB). The “gate” opens when a count
of AD blocks are mined on top of an excessive block; it lets those
blocks through. The “sticky” part is that once opened, the gate sticks
open for 144 blocks. During that time, BU allows any size block for
144 more blocks – about one full day.

While the gate is fundamental to BU emergent consensus, it should not be
sticky. Risk is introduced by the combination of published AD values and
the daylong period devoid of blocksize checks, which present attacker a
way to disrupt the BU chain.

Attacker’s challenge is to create an excessive block, followed by AD
confirming blocks, before honest BU nodes can create a competing chain
of length AD+1. If an attacker can succeed in this, he has 144 blocks
which are permitted to be any size at all.

Attacker then submits as many enormous blocks as possible, to make them
a permanent part of the BU chain, straining all BU users, possibly
fragmenting the chain and/or pushing some users off the network.
Alternatively, he submits large blocks of various sizes, in an attempt
to maximize fragmentation when nodes come back online after 144
blocks.

Attacker’s likelihood of success during a single attempt to open the
sticky gate depends on the hashrate fraction q (of total BU hashrate)
that he dedicates to this purpose. The probability of success for AD=5
is as follows (review of this is very welcome):

q P[success]
0.05 0.00000580135
0.10 0.000295706
0.15 0.00265686
0.20 0.0116542
0.25 0.0343275
0.30 0.0782248
0.35 0.148684
0.40 0.246502
0.45 0.366877
0.50 0.5
0.55 0.633123
0.60 0.753498


Attacker is free to make another attempt, as soon as one attempt fails.
Such failure will take at most 11 blocks, so attacker can try
approximately 13 times per day. Therefore an attacker with 20% hashrate
has a worst-case success rate of approximately a 14% chance of
successfully overwhelming AD=5 within one day. The risk introduced by
the sticky gate is very high.

The goal of the sticky gate is to avoid nodes getting stuck when the
network moves to a larger block size. But the risk is unacceptable.
Instead of this automatic security reduction, regular nodes should
consider a higher EB value than they might otherwise use. Miners should
continue to immediately alert technical staff any time an invalid block
with valid PoW is seen for any reason, not just excessive block size.
Invalid blocks are very rare and always deserve close immediate
attention.

Specification:
Revert to the behavior that is documented in BUIP001 and that was
effective until March 8, 2016**.**

Implementation:

An implementation of the reversion is available in
PR#169.