From blockchain consensus back to Byzantine consensus
Introduction
The blockchain technology [1] promises to radically transform the way individuals and companies exchange digital assets and securely track ownership of these assets without the control of a central authority. At its heart lies a distributed ledger that is consistent with high probability when particular assumptions are fulfilled. In particular, the distributed set of participants guarantees its consistency despite potentially malicious participants that behave arbitrarily, a behaviour also called Byzantine failures [2].
The novelty of blockchain is a genuine combination of well-known research results taken from distributed computing, cryptography and game theory. Its distributed nature guarantees the persistence of the ledger data. Its public key crypto-system offers the capabilities for a user to sign transactions that transfer assets from her account to other accounts. Its incentive mechanisms guarantee that a subset of participants maintain the validity of the transactions. And finally, a Byzantine tolerant consensus protocol aims at guaranteeing the integrity of the ledgers by defining a total order on newly appended blocks of transactions.
Put into the blockchain context, the consensus problem is for the non-faulty, or correct, processes of a distributed system to agree on one block of transactions at a given index of a chain of blocks. This consensus problem can be stated along three properties: (i) agreement: no two correct processes decide different blocks; (ii) validity: the decided block is a block that was proposed by one process; (iii) termination: all correct processes eventually decide. A protocol solving the consensus problem is necessary to guarantee that blocks are totally ordered, hence preventing concurrently appended blocks from containing conflicting transactions.
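As an added illustration (not code from the paper), the three properties can be checked over a finite trace of proposals and decisions at one chain index. The Process record, the block names and the three traces are constructed for this example, and termination is approximated as "every correct process has decided by the end of the trace".

```python
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    correct: bool = True                          # False models a Byzantine process
    proposed: dict = field(default_factory=dict)  # chain index -> block it proposed
    decided: dict = field(default_factory=dict)   # chain index -> block it decided


def check_index(processes, index):
    """Evaluate the three properties at one chain index over a finite trace."""
    correct = [p for p in processes if p.correct]
    proposals = {p.proposed[index] for p in processes if index in p.proposed}
    decisions = {p.name: p.decided.get(index) for p in correct}
    decided = {b for b in decisions.values() if b is not None}
    return {
        "agreement": len(decided) <= 1,
        "validity": decided <= proposals,
        # "Eventually" cannot be observed; this only reports who has decided so far.
        "termination": all(b is not None for b in decisions.values()),
    }


def violated(processes, index):
    return sorted(k for k, ok in check_index(processes, index).items() if not ok)


# Constructed trace: p1 and p2 each mine a block at index 1 before hearing of the other's.
fork = [
    Process("p1", proposed={1: "B1a"}, decided={1: "B1a"}),
    Process("p2", proposed={1: "B1b"}, decided={1: "B1b"}),
    Process("p3", decided={1: "B1a"}),
]
# Constructed trace: only the Byzantine process p2 diverges, and p3 has not decided yet.
byzantine = [
    Process("p1", proposed={1: "B1a"}, decided={1: "B1a"}),
    Process("p2", correct=False, proposed={1: "B1b"}, decided={1: "B1b"}),
    Process("p3"),
]
# Constructed trace: p3 decides a block that no process proposed.
forged = [
    Process("p1", proposed={1: "B1a"}, decided={1: "B1a"}),
    Process("p3", decided={1: "Bx"}),
]

if __name__ == "__main__":
    for name, trace in [("fork", fork), ("byzantine", byzantine), ("forged", forged)]:
        print(name, violated(trace, 1))
```

Only decisions of correct processes count toward agreement, which is why the Byzantine trace does not violate it while the fork between two correct miners does.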
Today, with the recent advent of blockchains, various consensus implementations have been proposed to make replicas reach an agreement on the order of blocks of transactions updating the distributed ledger. However, consensus has been known to be unsolvable since 1985. While existing protocols were designed over the past three decades to solve consensus under various assumptions, it remains unclear what guarantees blockchain consensus algorithms offer and what conditions are necessary for these guarantees to be satisfied. While the source code of most blockchain protocols is publicly available, the theoretical ramifications of the blockchain abstraction are rather informal. As main blockchain systems, like Bitcoin [1] and Ethereum [3], are now used to trade millions of US$ every day, it has become crucial to precisely identify their theoretical ramifications to anticipate the situations where large volumes of assets could be lost.
In this paper, we illustrate the danger of using proof-of-work blockchains without understanding precisely their guarantees by listing vulnerabilities that affect the predominant proof-of-work blockchain systems, namely Bitcoin and Ethereum. To this end, we describe the consensus algorithms at the heart of these two blockchain systems. We also relate these consensus algorithms to decades of research on the topic of distributed computing. More precisely, we identify situations where proof-of-work blockchain consensus is violated by: (i) presenting a survey of existing attacks against the Bitcoin consensus protocol and (ii) showing how Ethereum, which copes with some of these attacks, may suffer from recent attacks, namely the blockchain anomaly [4] and the balance attack [5]. We elaborate on the risks for users of misconfiguring proof-of-work blockchain systems when deploying them as private and consortium blockchains, and on our own experience with the settings of the R3 Ethereum testbed. The fact that both main proof-of-work blockchains are vulnerable allows us to conclude that more research is necessary to design safe consensus algorithms suited for blockchains.
The rest of the paper is organized as follows. Section 2 presents the general blockchain model. Section 3 introduces the classic Byzantine consensus problem and the probabilistic variant of it. Section 4 specifies the differences of the consensus algorithms used in Bitcoin and Ethereum. Section 5 describes the attacks against Bitcoin and two recent attacks against the Ethereum consensus algorithm. Section 6 redefines the Byzantine consensus in the light of the blockchain context. Section 7 discusses the consortium model and recent reliable consensus proposals. Section 8 concludes.
Section snippets
The general proof-of-work blockchain model
In this section we model a simple distributed system as a communication graph that implements a blockchain abstraction as a directed acyclic graph. We propose a high-level pseudocode representation of proof-of-work blockchain protocols in this model.
The consensus problem for the general model
Blockchain systems resemble replicated state machines [10] and aim at solving the consensus problem, so that for a given index all correct processes agree on a unique block of transactions at this index. Note that nodes may propose different blocks at the same index because remote miners solve cryptopuzzles in the time it takes to exchange their new resulting block; this is generally observed as a fork, as we will explain in Section 4.2. The classic definition of consensus in the Byzantine
Main blockchain consensus algorithms
In this section we build upon Algorithm 1 to explore the differences and similarities of the consensus algorithms of Bitcoin and Ethereum, which are today’s predominant blockchain systems.
How proof-of-work blockchains can be unsafe
As a drawback of randomized consensus with deterministic termination, the safety properties of main blockchain systems can be violated. Research efforts were devoted to understanding the impact of network delays and mining power distribution on the probability of agreement violations in Bitcoin and Ethereum, leading potentially to double spending, a formalization of which can be found in [27], [28], respectively. Building upon the tradeoff between termination and agreement mentioned in Section 3.3,
Defining the Blockchain Byzantine consensus
Perhaps the main reason why large-scale blockchain systems suffer from such inconsistencies is that the existing consistent consensus solutions are inefficient due to the restrictive problem that they solve. In particular, safe blockchains typically use off-the-shelf algorithms (e.g., PBFT, BFTSmart) that solve the classic Byzantine consensus (Definition 1) as a blackbox. This typically prevents them from scaling to tens of nodes.
In the light of this limitation, we revisited the Byzantine
Refining the blockchain model for consortiums
As we discussed previously, the risk of safety violation of main blockchain systems stems from the impossibility of solving consensus deterministically in the general case, which also applies to the more general Blockchain Byzantine consensus (Definition 4). There are however solutions that consist of restricting the model by listing additional assumptions under which an alternative blockchain system could be made both safe and live. The consortium model is getting traction for allowing a
Conclusion
While the blockchain technology is reshaping ownership tracking through distributed ledgers, it remains difficult for blockchain users to understand the guarantees this technology has to offer. This paper describes the causes of this difficulty in mainstream proof-of-work blockchain systems, namely Bitcoin and Ethereum. One cause is the probabilistic nature of its consensus algorithms: although it appears that one should wait longer to increase the probability of agreement in case of network
Vincent Gramoli is an academic at the University of Sydney and a senior researcher at Data61-CSIRO, Australia. Prior to this, he was affiliated with INRIA, University of Connecticut, Cornell University, University of Neuchâtel and EPFL, and received his Ph.D. from Université de Rennes and his Habilitation from UPMC Sorbonne University.
References (47)
- S. Nakamoto, Bitcoin: A peer-to-peer electronic cash system, 2008. URL...
- et al., The Byzantine Generals Problem, ACM Trans. Program. Lang. Syst. (1982)
- G. Wood, ETHEREUM: A secure decentralised generalised transaction ledger, Yellow paper,...
- C. Natoli, V. Gramoli, The blockchain anomaly, in: Proceedings of the 15th IEEE International Symposium on Network...
- C. Natoli, V. Gramoli, The Balance Attack Against Proof-Of-Work Blockchains: The R3 Testbed as an Example, Tech. Rep....
- A. Black, Hashcash - A denial of service counter-measure, Tech. rep., Cypherspace, 2002. URL...
- et al., Practical byzantine fault tolerance and proactive recovery, ACM Trans. Comput. Syst. (2002)
- K. Croman, C. Decker, I. Eyal, A.E. Gencer, A. Juels, A. Kosba, A. Miller, P. Saxena, E. Shi, E.G. Sirer, D. Song, R....
- M. Vukolíc, The quest for scalable blockchain fabric: Proof-of-work vs. BFT replication, in: Proceedings of the IFIP WG...
- X. Xu, C. Pautasso, L. Zhu, V. Gramoli, A. Ponomarev, A.B. Tran, S. Chen, The blockchain as a software connector, in:...
- Impossibility of distributed consensus with one faulty process, J. ACM
- Randomized protocols for asynchronous consensus, Distrib. Comput.
- Another advantage of free choice (extended abstract): Completely asynchronous agreement protocols
- Signature-free asynchronous binary Byzantine consensus with , messages, and expected time, J. ACM
- On availability for blockchain-based systems