Source: coinrevolution.com

Attacks on consensus

Attacks on the consensus mechanisms are well explored in the literature and new attack-strategies are actively researched. On a general level, two types of attacks on consensus can be identified. The first type is attacks aimed at “rewriting” the blockchain by replacing transactions or blocks from the perceived consensus. The well-known double-spending attack falls into this category.

In a double-spending attack, a validator or group of validators controlling sufficient hash-power pays for an asset with cryptocurrency and receives delivery after the transaction is confirmed in the number of blocks required by the counterparty. In parallel, the attacker secretly mines a sufficient number of blocks (a fork) to replace the perceived consensus chain with a longer competing chain, which becomes the new consensus chain. A selfish-mining attack involves secretly validating parallel blocks (a fork) to replace the perceived consensus chain as the longest chain. A motive for such an attack is, inter alia, to maximize mining rewards and transaction fees. Attacks based on hash-power for rewriting the blockchain are costly to perform and prohibitively costly if the validators not participating in the attack control sufficient hash-power.
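As an added illustration (not code from the original post or the underlying paper), the sketch below uses the simplified attacker catch-up model from the Bitcoin white paper to show how the counterparty's required confirmation count depends on the hash-power share held outside the honest validators. The function names, the 0.1% risk threshold and the sample shares are assumptions chosen for the example.

```python
import math

def reorg_probability(q: float, z: int) -> float:
    """Chance that a miner with hash-power share q eventually replaces a chain
    in which the payment already has z confirmations (simplified model)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    if q == 0.0:
        return 0.0
    if q >= 0.5 or z == 0:
        return 1.0          # majority hash-power, or nothing to overtake
    p = 1.0 - q             # share held by validators outside the attack
    lam = z * q / p         # expected secret blocks while z honest ones appear
    prob = 1.0
    for k in range(z + 1):
        # Poisson weight computed in log space so large z does not overflow
        weight = math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))
        prob -= weight * (1.0 - (q / p) ** (z - k))
    return max(prob, 0.0)

def confirmations_needed(q: float, max_risk: float, limit: int = 2000):
    """Smallest confirmation count keeping reorg_probability below max_risk,
    or None when no count up to `limit` achieves it."""
    for z in range(limit + 1):
        if reorg_probability(q, z) < max_risk:
            return z
    return None

if __name__ == "__main__":
    for share in (0.10, 0.30, 0.45, 0.50):   # constructed sample shares
        print(f"share outside honest validators {share:.2f}: wait for "
              f"{confirmations_needed(share, 0.001)} confirmations")
```

The required depth grows sharply as the share approaches one half, and no depth suffices at or above it, which is the sense in which honest hash-power makes the attack prohibitively costly.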

There are also other attacks that can be used to rewrite the blockchain and that are less dependent on sufficient hash-power. An attacker who manages to crack the cryptography relied upon for validation can beat the hash-power of the network and alter the blocks. An attacker may also successfully convince the network to adopt a hard-fork with an altered transaction history.

The second main category of attacks is not directed at rewriting transactions, but at influencing the transactions adopted by consensus. Such influence can be directed at excluding certain transactions from being entered into the ledger at all, delaying such entry, or altering the ordering of the entry of certain transactions. A special case of the latter is a so-called front-running attack, known from mainstream finance, where an attacker seeks financial gains from executing an order before another order. Such attacks do not necessarily need to be costly.

Several attacks can be used to support the other attacks. Eclipse-attacks and DDoS-attacks can be used to interfere with a participant’s communication with the network. A bribery-attack involves bribing validators to perform certain actions. An innovation with multiple cryptocurrencies and associated smart-contracts is that a smart-contract on one cryptocurrency can be used to enforce an attack on another. Bribes and side-payments necessary to create sufficient incentives can be implemented in such a smart-contract.

The analysis of cryptocurrency consensus attacks is usually performed from the perspective of computer science and game theory. Some terms also used in legal contexts, such as “collusion” and “theft,” are often used, but this does not necessarily mean that the legal content of such terms applies. Still, the computer science and game theory literature can inform the analysis of attacks on consensus from a legal perspective.

With game theory models, one can deduce equilibrium outcomes according to various equilibrium concepts. One can investigate whether a successful attack is a possible equilibrium outcome. In some settings, several equilibria are possible, both where attacks are profitable and where they are not. Such analyses can be useful for legal purposes, but still, “good” and “bad” equilibria do not necessarily correspond with legal and illegal. For instance, if an attacker manages to provide validators with incentives to replace the current perceived consented ledger state with a secretly mined fork or to exclude or reorganize certain transactions, this does not necessarily mean that these rational miners do something illegal. Rather, it can be argued that they are playing by the rules by rationally adapting to the incentives provided by the protocol design. Such analyses may, however, inform legal analyses, because they can say something about the “goodness” of an outcome and the distribution of profits and losses, which may be relevant for liability analysis.

The computer science literature often uses a vulnerability, attack, and defense framework when analyzing attacks on consensus and other security issues. This framework can be useful for the analysis of legal liability, and the interrelation between these aspects can inform legal liability. Different agents may be liable for the vulnerabilities, attacks, and defenses. For instance, protocol developers may be liable for vulnerabilities, participants in attacks may be liable for attacks, and in some cases capable agents may be held liable for not executing defenses. The interrelation may also be important for liability in some contexts. The possibility of defending against attacks may in some cases constitute a legal defense against liability for an attack. Furthermore, protocol developers’ liability for vulnerabilities in a consensus mechanism may be mitigated by available defenses against attacks.

Generally, from a legal perspective, it is sometimes difficult to distinguish the attacks on consensus that should be considered compliant with the rules implied by the protocol from those that should not. The protocols provide rules on the consensus mechanism that applies to a cryptocurrency and how certain conflicts should be resolved, such as which block to build on in the case of forks. It is not obvious that all kinds of attacks can be considered to be in direct violation of the protocol even if such attacks are often presented as such in the literature. Assume, for instance, that an attack is executed by secretly mining blocks to replace the existing perceived consensus on the ledger state. If this is in violation of the protocol, such a chain should not have any chance of becoming the new perceived consensus. This might as well mean that the protocol is vulnerable by design. In other cases, the protocol rules seem less important in determining legal liability. For instance, if an agreement is made with respect to payment for delivery of goods and the payer reverses the payment by performing a double spending attack, this seems underhand regardless of the protocol.

Ultimately, it is the legal bases for liability and the harms covered by these bases that determine liability. Hence, the available legal bases and the harm covered by these legal bases are crucial. We first look at some legal bases that may cover the actions of the involved attackers. We then look into the extent to which protocol developers, trading platforms, and others can be held liable for vulnerabilities in the protocol that enable attacks.

Attackers’ liability

Some of the participants in an attack are participants in the cryptocurrency ecosystem, including protocol developers, validators, and oracles. A legal basis for responsibility could be to consider these stakeholders to be in some sort of implicit contractual relationship with the other users, implied by the protocols, which imposes some loyalty or fiduciary duties on these stakeholders. An attack could violate such duties.

Both civil fraud and criminal fraud are possible legal bases for establishing liability for an attack on consensus. A double-spending attack may be considered fraud against the victim. In this case, there is a victim who is deprived of promised payment. However, for other attacks, legal theories based on fraud theory are less clear. As described above, many attacks are directed at interfering with consensus not by directly defrauding specific victims but rather by maximizing profits from validation awards. In this case, fraud seems less applicable as a legal basis.

Tort law may also provide a liability basis separate from or together with other liability bases. Tort law gives victims the right to compensation for certain harm for civil wrongs. Tort law may cover intentionally created harm and harm caused by negligence. The question is, then, what kinds of attacks can be considered civil wrongs subject to tort liability? Unfortunately, there is no clear answer to this question. Pursuing legitimate objectives by legitimate means does not normally constitute a tort case. Hence, it would necessitate some special circumstances to require protocol developers to do something other than pursuing self-interests. As many attacks are driven by a profit motive entailed by the protocol, it is far from obvious that these are torts (e.g., maximizing profits by working on parallel chains to the perceived consensus chain has a clear business rationale).

In practice, courts often base tort decisions on a complex set of factors, where cost–benefit analyses and moral judgments may play a role. Tort liability may apply to fraud-like situations or breach of trust in fiduciary-like situations. There are, however, obstacles to applying tort law. In some jurisdictions, tort law does not protect against purely economic loss for negligence, which may exclude certain tort cases.

There are also more specialized legal bases that may cover attacks, such as antitrust laws, financial regulations, and cybercrime laws. Those bases are discussed in more detail in the paper referred to below.

Protocol developers’ liability for protocol vulnerabilities

In the last section, we saw that protocol developers may be liable in their capacity of being participants in an attack. It is also possible to explore a liability for protocol developers in their capacity of being responsible for the protocol security features, including their resistance to attacks. Such liability is dependent on protocol developers’ ability to prevent harm, which means that it must be within the protocol developers’ causal capacity to foresee and prevent an attack.

A basis for considering protocol developers liable is if they have violated fiduciary duties by not sufficiently protecting the users from attacks entailed by the protocols.

Tort law may also impose duties on protocol developers. A crucial question is when protocol developers can be liable for protocol failures due to negligence, for instance by failing to implement mechanisms to prevent attacks. Liability in this context may flow from insufficient testing and validation. Faults that likely would have been avoided with prudent testing could be considered negligent. Protocol developers could also be liable for not establishing good mechanisms to prevent harm from attacks if they occur. In computer science terms, this is fault tolerance. Given that not all vulnerabilities can be eliminated (fault-proofness), good arrangements for defenses might remedy the vulnerabilities. Cost–benefit and risk–utility assessments may also guide liability. Lack of protection of pure economic loss can constitute an obstacle for liability based on negligence.

While protocol developers, in some cases, may be held liable for an attack on consensus via liability for vulnerabilities in the protocol, this does not seem to be a very general case. Attacks are, in many cases, an inevitable risk of cryptocurrencies beyond the control of the developers. Enforcement issues are also an obstacle for liability. Still, one interesting observation is that protocol developers may be liable for vulnerabilities even if there are no bases for holding attackers liable.

Liability of cryptocurrency trading platforms and others for protocol vulnerabilities

Attackers and protocol developers might not be the easiest targets for enforcement. A common way to acquire cryptocurrencies is from exchanges and brokerage services, often in cooperation with wallet providers. Various legal bases might be used to make such trading platforms liable for harm due to vulnerabilities in the protocol of a cryptocurrency they sell or intermediate. They might be considered to have a fiduciary role on a contractual basis toward their customers. Such a claim is likely to be stronger if they claim to only provide cryptocurrencies satisfying certain quality requirements and standards, including sound attack-resistant protocols. Although the trading platforms are likely to fill their user agreements with liability waivers, courts may put them aside, especially for consumers.

In addition to the “official” documentation of cryptocurrency protocols (white papers), customers get a great deal of information on cryptocurrency protocols from various sources more or less connected to the cryptocurrency. While freedom of speech provides significant leeway for public discussions, commentators may be liable in certain cases. The question is if these commentators have some fiduciary duties making them susceptible to liability. One such case may arise if a trusted commentator vested in a particular cryptocurrency intentionally misinforms others on the features of a cryptocurrency protocol for personal gain. A trusted commentator negligently presenting the features of a protocol may be liable for harm to persons relying on the information, particularly if the commentator has provided “guarantees” or promises combined with an explicit or implicit urge to invest based on this information. Advisers providing advice and analyses in the capacity of commercial or regulated activities may be subject to stricter standards.

Conclusion

Legal liability seems to have a limited role in deterring attacks and holding attackers liable, both because the attacks are not always covered by legal norms and because of enforcement problems. Perhaps surprisingly, victims may in certain cases have a better case in holding protocol developers, trading platforms and advisers liable, because these may, in some cases, be held liable for vulnerabilities even if there is no basis for liability for the attackers themselves. They may also be easier targets for enforcement. Still, attacks on consensus seem to be an inevitable risk cryptocurrency users must live with, and the risk is, in most cases, assumed by the users, with no prospects of legal redress.

This blog is a short version of a paper by the author available here.

Peder Østbye is a lawyer and economist interested in the law and regulation of financial technology, such as legal responsibilities associated with cryptocurrency consensus. He is a special adviser at Norges Bank (the central bank of Norway) and has previous experience as a lawyer in private practice and in the competition authorities. This post is written in private capacity, and the views expressed do not necessarily reflect those of Norges Bank.