crypto

Report: How Bitmain Mines Coins in Secret

We often imagine blockchains as towers made of crystal. Bright, fascinating, landmarks looming above the fields of cryptography, data science and economics. Inspiring but also intimidating for those that approach them. The ledger of transactions is public, continuously validated by each participating full node. Every user can track funds as they jump from address to address or smart contracts as they get formed, used and expired.

Blockchains do not need arbiters or regulatory organisms, as the rules that govern them are enforced by every node. The process and the results are transparently visible to every participant.

Unlike the Proof of Work blockchains they serve, ASIC manufacturers usually fail to provide the same levels of transparency. Unknown amounts of hashrate owned for self-mining, undisclosed sizes of the batches they sell (so customers can’t estimate their profitability, which ends in saturated markets where no miner gets profit) or mining in secret before the release of the hardware are among their most criticized practices. The latter most case is especially concerning. Mining is a highly competitive process where all the miners share a fixed block reward according to their owned hashrate. When a next-generation ASIC is designed for a blockchain, its first owners will get most of the profits, as they quickly out-compete the previous generation of ASICs or the GPUs/CPUs they replace. By self-mining and not releasing the hardware to the public for a time, ASIC manufacturers can enjoy this privilege (and thus its profits) in exclusivity. In other words, they get a market advantage by out-competing their own customers.

Being that blockchains are a paradigm of transparency, unsurprisingly multiple cases of friction and confrontation have aroused between crypto communities and manufacturers over the last 2 years. The world’s manufacturer leader, Bitmain, has recently undergone a campaign of, in their own words, “radical transparency” and “dialogue with the cryptocurrency communities” (123 & 4). On its most recent blog entry , on July 25, 2018 we can read the following:

Zero tolerance policy against ‘secret mining’. (…) Bitmain itself has been unfairly accused of this practice. In the end, Bitmain values transparency and fair competition. We therefore remain opposed to this practice and maintain our long-held zero-tolerance policy regarding same

This assertion, however, goes drastically against the way Bitmain actually behaved on the Sia network at the end of last year. This article is aimed to provide evidence, abundantly explained, that shows how Bitmain mined in secret Siacoins during the two months previous to the presentation of their Sia miner back on January, among other dishonest practices. As readers might not be familiar with the context, I find important to narrate the events and the disruption caused on the Sia community and blockchain by Bitmain when they introduced their Sia miners.

Sia meets Bitmain:

Without any previous communication, on January 17th, Bitmain announced its Antminer A3 miner for the Sia network and opened the sale immediately. Batch 1 sold out after only a few minutes.

This should have not be an issue by itself for the community. However, six months before, the Sia core developers created an ASIC manufacturing subsidiary, Obelisk, opening pre-orders for what was believed it would be the first ASIC to hit the Sia network. Many contributors and community members in general participated on the pre-sale. The just-announced Bitmain A3 was going to hit the market first, many months ahead of Obelisk’s, ripping the expected profits of the latter. The last ingredient of the drama was the announcement that the Obelisk miner had on its design the backup capability of mining an alternative algorithm, and that a fork on the Sia network to embrace it would be enacted, invalidating Bitmain’s miners, if Bitmain showed damaging behavior against the Sia project. While reserved for a case of emergency, many community contributors, coders and moderators pushed for an unconditional fork. Among those who purchased the A3 on the Bitmain’s flash sale, there were contributors, coders and moderators to boot.

To fork or not to fork? Either choice would tear apart the community. Either choice the community would lose members and contributors. Some left it already even after the final decision. My anxiety, ATH. In the end it was decided not to fork. The echoes of the decision are still conditioning the life of the community and will haunt it for many years. For those interested on further details about this episode, I recommend this non-partisan timeline by the Sia contributor mtlynch and this recent talk from cofounder of Sia at the Zcon0 conference

crypto

The aggressive commercial arts of Bitmain did not help. While Bitmain claimed (and keeps claiming) they limited the sale to one miner per purchaser, the reality is that this policy was never enforced: during the days after the sale the A3-batch 1, it was easy to find pictures of basements with multiple A3 and even purchase receipts with multiple units. While Bitmain also claims they did not saturated the market, analyzing the steps on the hashrate chart of Sia (above) it is easy to calculate batch 1 consisted on around 13,000 units (0.81 TH/s per unit) and batch 2 on 20,000. Subsequent Bitmain batches overlap with the shipping of another manufacturer, Innosilicon, so it is not possible to calculate the size of these batches. There are, however, no reasons to believe they were any smaller. Anyway, the 33,000 units of the first two batches were enough to sink the ROI of the Bitmain A3 purchasers, that started to complain how their expected ROI was extending to more than six months or even beyond a year. In the end, Bitmain killed the profitability of their own customers by flooding the network with more miners than what the network macroeconomics could possibly sustain. And thus the hashrate kept scaling batch after batch of A3s and thanks also to the Innosilicon miners. Of course, this also ruined the possibilities of ROI of Obelisk backers.

Community consequences aside, releasing ASICs without warning could have had seriously devastating effects for the blockchain functionality. Without an appropriate Difficulty Adjustment Algorithm (DAA), the dramatic increase in hashrate that followed could have provoked the inclusion of thousands of blocks before the next difficulty adjustment. The file storage contracts of the Sia network measure time in blocks, what could have provoked multiple contracts to expire prematurely without the renters having time to renew them, driving to data loss. We were lucky that an optimized Difficulty Adjustment Algorithm was introduced just a few weeks before the Bitmain announcement. Nevertheless, this illustrates the dangers of unannounced ASIC introductions.

On the same release day of the A3, AntPool, the mining pool of Bitmain, opened a branch on the Sia network, becoming the sixth known pool of Sia. On the first days of the pool, their API showed a very small number of workers (<100) and hashrates around the five percent of the network. By March, the number of workers grew to several thousands and the hashrate to figures around twenty percent of the network, remaining in that level until the present date. All this info was recorded by SiaStats and can be accessed on https://siastats.info/pools/antpool  This apparent gradual grow of their hashrate, if true, would have been compatible with their vision against secret mining, as the pool only got organic grow after their batch 1 was delivered.

In any event, it has to be noted that the Sia community detected during November and December sudden spikes of the network’s hashrate accompanied by bursts of blocks mined by unknown pools, representing up to twenty five percent of the total blocks. Previously, the rate of these unknown pools remained under five percent. This data can be accessed at https://siastats.info/mining_pools in the chart “Mining pools evolution”. Some members suggested the possibility of Bitmain, others suggested alternatives, like the manufacturer Baikal (including myself). The time has proven those blocks were indeed Antpool’s, as we will analyze in a moment.

Despite the “radical transparency” messages from Bitmain, the fact is that Antpool is acting as the most opaque and dishonest mining pool on the Sia mining scene:

  • No signature on their mined blocks. Most of the pools in Sia use a single payout address for the block reward and a standard message on the arbitrary data field of the block. These two variables allow blockchain explorers to identify without doubt the pool that mined the block. Antpool instead has used so far more than 2600 different addresses and the arbitrary data of their blocks is an encrypted string, different each time. This prevents the independent validation of who mined the block.
  • Failure on reporting blocks. In absence of a signature, explorers must trust whatever Antpool claims on its site. To date, Antpool has only claimed 687 blocks. Their list of claimed blocks include multiple gaps of several thousands of blocks (see the image below). Considering their hashrate (around twenty percent of the network), these gaps are impossible statistically, meaning that they are refusing to report many of their blocks.

crypto

  • Fake claimed blocks. Their list of claimed blocks also include blocks owned without doubts by other pools. For instance, blocks 155407 and 152847 are actually blocks of F2pool, and we can be sure of this because the block reward is being paid to the publicly known mining address of F2pool `dc0cb4f6…`
  • Fake reported hashrates. SiaStats has records of the average reported hashrate of each pool in a daily fashion, by scoring what their websites/APIs indicate every thirty minutes. It also keeps records of the percentage of mined blocks by each pool. We don’t have reliable info about Antpool’s blocks but even if we assume that all the blocks mined by “Unknown” pools are Antpool’s too even the aggregated percent of blocks doesn’t match the hashrate reported by them (see the image below). While since the end of March they have reported roughly a 18% of the hashrate, the combined blocks of Antpool + Unknown represent roughly the 16%. That extreme bad luck is impossible considering we are analyzing four months of data. Instead, this means a misleading representation of their real hashrate, inflated more than a 36%. In PPLNS pools as them, higher hashrates drive to more stable payouts for miners. This means they are benefiting from this misrepresentation, deceiving miners making them believe they are more stable paying than what they really are.

… but you forget that the blockchain is transparent

However, even if Bitmain/Antpool tries to hide and obfuscate its activity, it doesn’t mean we can’t take a deep look at the blockchain to reveal the complete picture. We recently developed an open-source blockchain explorer with great analytical capabilities, as well as methodologies to find the blocks mined by Antpool even in absence of claiming. The need of this specific tracking came from the goal of SiaStats about providing transparency to the mining sphere of Sia: if Antpool grows their percentage of mined blocks, the Sia community needs to know it. If there is another secret pool emerging, we need to segregate the blocks of Antpool from the blocks of this secret pool to score its size. The Sia network can’t be safe if the community stays in the dark while a pool grows to a 51% of the hashrate in secret.

The methodology is not rocket science and it is simply based on following the movements of Siacoins on Antpool’s wallets. What follows is the explanation, explained in accessible terms.

Let’s start talking about transactions. In Sia, and many other blockchains, a wallet is composed by multiple addresses, and each address contains multiple “outputs” that need to be fully spent during a transaction. If Adam has a mining pool that mined seven blocks in different addresses, with a reward of 100 SC each, he will have a wallet with seven addresses and one output of 100 SC on each address. If Adam wants to send 650 SC to Bob, what the Sia wallet will do is collecting the seven outputs, send 650 coins to Bob, and create a new output with fifty coins that will be sent back to a new address of Adam’s wallet (different from the seven previous). In the real world, block rewards are never round and include many decimals (collected fees), while the amounts we send to people tend to be round. This makes the output that returns to the new address easy to identify, and addresses can be linked to a single wallet if one looks carefully to the blockchain.

Wallets have another feature: defragmentation. As Adam receives block payouts, once he has a lot of scattered outputs, the wallet will automatically consolidate them all into a single output in a new address of the wallet. This helps Adam to spend his coins in the future as the resulting transaction will be smaller in bytes. But it also means that all the input addresses, together with the resulting output address, become linked to the same wallet for an external observer.

Mining pool addresses are also easy to differentiate from the address of the miners that join the pool. The payouts that the pool sends to miners are sent in multi-output operations as in this example (sometimes with hundreds of payout outputs), so we can discriminate when coins abandon the wallet of the pool. These payouts also include one remaining amount that returns to the pool’s wallet. We can’t say initially which is that output… unless it is merged again in a defragmentation operation together with other already known addresses of the pool. It is also easy to say when the pool sends the coins to an exchange (so we do not assign incorrectly an exchange’s address to the pool): while pool addresses receive coins whose lineage connect to the coinbase of blocks (aka block rewards), exchanges addresses connect, after defragmentation operations, “upstream” with addresses of users, easily identifiable too (as they include small and rounded transactions, not connected in a few jumps with coinbases)

Left: From one claimed block, we can end up deducing many more

All the following links come from a blockchain explorer I own, SiaStats Navigator, but the transactions and addresses can be tracked as well using SiaHub’s explorer, of which I have no control. Let’s take a block mined by Antpool and claimed on their website (see image above) to perform a forward analysisblock #152134, mined on April 27th. Its payout was deposited on the address “9176b0…”. The coins were transferred on April 29th on the transaction “762cde…” to the address “b5078a…” in a wallet defragmentation operation. On May 17th this new address, together with more addresses being merged (more coinbases), sent 20 million SC to the address “2b87bb…” and immediately after that to the address “91d23b…”. This last address is what I consider a “master address” of Antpool, an address receiving round amounts of several millions, collecting block rewards and sending again millions that end up in payout addresses and cold wallets.

The most interesting thing about this address is that all the coinbases of their claimed blocks end up here, transiently. What if now we take the input transactions and trace back these coins up to their coinbases (a reverse analysis)? Will we be able to find new blocks not claimed by Antpool? The address “669029…” sent five million SC to the “master address” on January 1st. Some time before, on November 30th, this mentioned address received its balance from the defragmentation operation “cb3f5e…” that merged many coinbases with 35.88 SC from the address “c5a432…”. Those 35 SC came from another defragmentation on November 21st, that collected block payouts of multiple addresses as “065022…”This last address was the recipient of the block reward of Block #132592. Overall, in just four transaction “jumps”, we found the payout of an old and not claimed block by Antpool, that goes back to November 20th. The following schematic is a summary of the presented analysis:

From the direct analysis of claimed blocks, a reverse analysis can be performed to find secretly mined blocks

The oldest block we can track of Antpool is #132204, dated on November 17th, which means that Bitmain mined Siacoins in secret for exactly two months

Using an automated script, SiaStats found more than 2100 new blocks that Antpool rejects to claim. These blocks have been added to SiaStats databases, and more blocks are automatically being added as soon as their payouts are sent to known Antpool’s master addresses. The most interesting fact is that the oldest block we can track of Antpool is #132204, dated on November 17th, what means that Bitmain mined Siacoins in secret for exactly two months (as the Antminer A3 was presented on January 17th). Antpool collected 488 blocks in total thanks to their exclusivity using ASICs, using their brand new hardware in secret.

The secret mining activity of Bitmain

The apparent organic growth of the Antpool’s hashrate mentioned above was an illusion: in those two previous months, there was days they mined up to 25% of the blocks. Interestingly, there are two gaps in these months that correspond with spikes of “Unknown” pools (“Others” in the chart) of similar size as Antpool’s block rate (Dec 27- Jan 7 and Jan15 — Jan 17, see image above). The payouts of these blocks (sixty additional blocks in total) have not moved from their addresses on the last seven months. As that amount of hashrate can’t be created out of the thin air to vanish forever after a few days, this obviously means those blocks were mined by Antpool too.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.