
EIP-1559 51% Attacks: Should you live in fear?

Micah Zoltu
Published in Coinmonks, Aug 22, 2020


TL;DR: Answer

Yes, you should live in fear, but not because of EIP-1559. There exist today 51% mining attacks that are self-reinforcing, meaning it is profitable for people to join the attacker once they have started. EIP-1559 51% attacks are not self-reinforcing: it is always more profitable to defect from the attacker than it is to join them.

EIP-1559 Synopsis

Skip this section if you know what EIP-1559 is.

EIP-1559 is a proposed change to the way Ethereum handles gas pricing such that every block has a fixed block-wide ETH fee per gas (base fee) that automatically adjusts up/down based on current block space demand. If blocks are over-full, the base fee increases; if blocks are under-filled, the base fee decreases.

In order to prevent miners from faking full blocks (including garbage transactions of their own) to increase their future revenue by driving the base fee up, the base fee is burned rather than given to miners. Then, in order to incentivize miners to actually include transactions (which has opportunity cost to miners) rather than just mining empty blocks for the block reward, transactions include a separate per-gas miner bribe (AKA: gas premium, miner tip).

The expectation is that the base fee will account for *most* of the congestion-related fee, while the miner bribe will likely sit just above opportunity cost, which is around 1 nanoeth (gwei) per gas. The minor exception is that front runners and others participating in gas price auctions for within-block positioning are expected to bid through miner bribes, since it is the miner you are bribing to include your transaction in a certain position.

51% Attacks Against Proof of Work

This section has nothing to do with EIP-1559, but understanding 51% attacks against proof of work and the damage they can cause today is important when evaluating whether we need to be worried about 51% attacks against EIP-1559.

If you are a miner who has decision making control over 51% of hashing power for a proof of work coin, you can execute a double spend attack. This attack basically lets you rewrite history by mining a side chain and then revealing it at some point in the future, presumably after you have received some irreversible off-chain payment for your on-chain asset. This is the most commonly discussed 51% attack, but it is pretty hard to execute in reality because you need to have a sufficient amount of capital available to convert from on-chain asset to off-chain asset and you need one or more providers who are willing to make that trade. Given the cost of 51% attacking some of the larger blockchains, it ends up just not being worth the effort/cost because you simply cannot exit with enough money. Against smaller chains, however, we have seen this attack executed (multiple times) because you can move enough assets relative to the cost of attacking the chain to make the attack worth it.

Another, less discussed, 51% attack against proof of work is censorship (AKA: selfish mining attack). In this attack, you have your 51% of hashing power mine blocks, but you refuse to build on any block that wasn’t mined by your mining coalition. Since you have decision making power over 51% of the hashrate, this means that your chain will be the longest (eventually), and any blocks mined by anyone not part of your coalition will be ignored. The end result is that you will receive 100% of the block rewards instead of 51% of the block rewards, which means you double your income without doubling your work.

51% censorship attacks are possible right now against any chain where a coalition of miners can be formed that controls at least 51% of mining power. These attacks do not have any immediate negative impact on users aside from a period of difficulty adjustment which will eventually pass. The coalition doesn’t need to trust each other significantly, and any coalition member can see if another coalition member defects and kick them out of the coalition (or potentially disband the coalition if enough members defect).

The increased revenue from a 51% hashing power coalition executing a censorship attack against a PoW blockchain is about 2x, and all of that is pure profit (in theory it is even higher when you start to consider the macro-economic effects of censored hashing power being decommissioned over time and thus allowing the coalition to decrease the hashing power of the coalition over time).

It is worth noting that selfish mining attacks similar to the censorship attack described above start to become profitable at around 33% of hashing power, but that is a bit more complicated and out of scope for this article since all we care about here is comparing against 51% EIP-1559 attacks.

51% Attack Against EIP-1559

The most common version of the 51% attack against EIP-1559 goes something like this:

  1. Create a coalition of 51% of miners who all agree to mine empty blocks to drive the base fee down to 0.
  2. Once the base fee is at 0, there will be a permanent state of congestion, which means the miner bribe will be the determining factor for whether a transaction is included or not. This puts us right back into our current situation, where miner bribes (gas price) are the sole factor for inclusion.
  3. Profit from the high miner bribes.

It is worth noting up front that the worst case scenario here is that we end up right where we are now, with EIP-1559 effectively being a no-op compared to current gas pricing.

100% Attack

To better understand this attack, let's take a look at what happens if there is a single miner that controls 100% of hashing power and decides to do this.

First, they would need to mine empty blocks for a while in order to drive the base fee down from whatever it was at to something close to zero. During this time, they are receiving block rewards but they are not receiving any transaction fees. The base fee can only change by about 12.5% per block, which means that the base fee can halve just about every 5 blocks assuming all blocks are empty, and it will reduce 10-fold about every 17 blocks. It wouldn’t take particularly long to drive the base fee to epsilon; maybe an hour of empty blocks is enough for this attack.

Once the base fee is low enough, you want it to stay there. The easiest way to achieve this is to partition your hashing power in two and have half of it mine empty blocks and the other half mine double-full blocks (this means that the blocks are twice as big as the current gas target allows). In this situation, your empty blocks are still getting no transaction fees, but your double-full blocks are getting a bunch of transaction fees and without having to worry about the base fee eating into their transaction fee profits! Great, so we are now executing a profitable attack.

99% Attack

Let's imagine, though, that you only have 99% of hashing power, not 100%. The attack plays out mostly the same, except that during the initial part of the attack the 1% of defecting hashing power is earning fees while you are mining empty blocks with 99% of hashing power. The defectors will also slightly slow down the rate at which you drive the base fee down, so it will take you longer to hit your base fee target near 0.

Once you have reached your target, you still need 50% of all hashing power to be mining empty blocks, and the other 50% will be mining double-full blocks. Since 1% of hashing power is not part of your coalition, they will almost certainly be mining double-full blocks which means that only 49% of total hashing power (or 49.5% of your personal hash rate) will be getting those sweet double-full block transaction fees. This is probably still profitable for you overall, but it is even more profitable for that 1% miner who has 100% of their hashing power mining double-full blocks (compared to your 49.5%). The defector thinks your attack is great, because it is making them rich, but there is no way they would join you because the coalition is making less money per hash than the defector is.

51% Attack

Let's say that your coalition controls just 51% of the hashing power. Just as above, the 49% of defecting hashing power will almost certainly be mining double-full blocks, which will almost entirely counter your attack. Driving the base fee to 0 will take you a very long time because for every 51 blocks you mine that move the base fee down by 12.5%, there are 49 blocks that move it up by 12.5%. You’ll get there eventually, but it probably means days or weeks of mining empty blocks while those defectors are pulling in sweet sweet transaction fees.

Once the base fee has been driven down sufficiently, you’ll start doing the split mining strategy, and as before 50% of total hashing power is mining empty blocks while the other 50% of total hashing power is mining double-full blocks. Since you only control 51% of hashing power, this means that 98% of your hashing power is mining empty blocks (no transaction fees) while just 2% of your hashing power is mining double-full blocks. Meanwhile, 100% of the defectors are mining double-full blocks and making good money on transaction fees. As before, the defectors all thank you for your service, but they would never join your coalition because it would mean they would lose 98% of their transaction fees to do so.

??% Attack

There exists a percentage hashing power where the coalition goes from possible but unprofitable (>50%) to profitable (≤100%). Where that threshold is depends on the amount that users are willing to pay for gas on average (e.g., 1 nanoeth vs 100 nanoeth). The attacker coalition will make less money during an attack than any defector would make during the attack, so it is always more profitable to defect while simultaneously advocating that the coalition should continue the attack (in other words, pretend to participate but don’t really).
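The arithmetic from the 100%, 99% and 51% scenarios above, as an added sketch that is not part of the original article. It assumes every block is either empty or double-full, that each moves the base fee by exactly 12.5%, and that the coalition's blocks arrive in proportion to its hash share; the function names are made up for this illustration.

```python
import math

# Assumptions of this sketch (not taken from the EIP text): every block is
# either empty or double-full, and each moves the base fee by exactly 12.5%.
EMPTY = math.log(1 - 0.125)        # log-change after an empty block
DOUBLE_FULL = math.log(1 + 0.125)  # log-change after a double-full block


def blocks_to_shrink(factor, coalition_share=1.0):
    """Expected number of blocks for the base fee to fall by `factor` when
    `coalition_share` of blocks are empty and the rest are double-full."""
    drift = coalition_share * EMPTY + (1 - coalition_share) * DOUBLE_FULL
    if drift >= 0:
        return math.inf  # the base fee does not trend downward
    return math.log(factor) / -drift


def coalition_fee_fraction(coalition_share):
    """Fraction of the coalition's own hash power left to mine double-full
    (fee-earning) blocks while half of *total* hash power mines empty."""
    if coalition_share < 0.5:
        return 0.0  # cannot supply the required 50% of empty blocks
    return (coalition_share - 0.5) / coalition_share


def summarize(shares=(1.0, 0.99, 0.51)):
    """One row per coalition size; defectors always earn fees on 100%."""
    return [
        {
            "share": p,
            "blocks_per_10x": round(blocks_to_shrink(10, p), 1),
            "coalition_fee_fraction": round(coalition_fee_fraction(p), 4),
            "defector_fee_fraction": 1.0,
        }
        for p in shares
    ]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Under these assumptions the coalition's fee-earning fraction is below the defectors' 100% for every coalition size, which is the per-hash comparison the sections above make.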

That was a lot of words… should I worry?

51% attacks against Proof of Work cryptocurrencies are a serious problem. If a mining coalition starts censoring non-coalition miners they can turn a huge profit (2x). One of the big reasons that Proof of Stake is such a desirable feature is because it addresses this specific problem by creating an extra-protocol mechanism for severely punishing anyone who attempts an attack like this (worthy of its own blog post).

If EIP-1559 were in place, a 51% coalition could turn a nice profit for non-coalition members, but they would take a loss for themselves. A 99% coalition could turn a profit for themselves but a larger profit for any non-coalition miners.

If you have 51% of hashing power, you are much better off just doing a censorship attack. Your profits will be way higher, it’ll be simpler, and after you are done you can then execute an attack against EIP-1559, as well as double spend for days, and do a bunch of other bad things.

So yes, you should be scared of 51% attacks, but EIP-1559 shouldn’t meaningfully change your fear of them since it is unprofitable to 51% attack, and yields far fewer benefits, even in theory, than executing a censorship attack.
