Open in app

Sign in

Write

Sign in

New forensic analysis of metadata and activity from the January 2021 Firo 50%+1 attack

Mitchell P. Krawiec-Thayer, PhD
9 min readDec 29, 2021

By Mitchell “Isthmus” Krawiec-Thayer

Reddit: u/mitchellpkt | Twitter: @mitchellpkt0 | Github: mitchellpkt

This article examines the large reorganization of the Firo blockchain in Jan 2021. The relevant background for understanding this analysis is discussed in the original post-mortem. The TL;DR is that a >1-day long reorg achieved double spending against exchanges. There were several odd characteristics, so we’ll explore the following:

  • Block attribution by coinbase transaction metadata analysis, which identified attacker activity prior to the previously-known attack window
  • Cross-chain block metadata analysis to reveal whether the attack was carried out by existing miners or fresh equipment
  • Individual device hashrate estimation based on individual nonce and block discovery times (this is believed to be a novel statistical analysis)
  • Estimation of attacker device count

All of the data and code to generate these plots and statistics can be found in this notebook and the repository that contains it. Thanks to Reuben at Firo for bringing this to my attention and providing the alternate chain block metadata.

Please note that shortly after the attack, Firo activated the ChainLocks mechanism, which is designed to leverage the masternode network to limit reorganizations like the one described below.

Attack summary based on metadata fingerprinting

The attacker was known to be active during a 358 block window from 338403 to 338760. During that time, they mined 98.6 % of blocks (353 of 358). The only blocks they did not mine were 338720, 338750, 338753, 338756, and 338759.

Each block mined by the attacker had a coinbase transaction with the tag “616e6f6e” (highlighted in example below), which decodes to “anon”.

The attack began on 18-Jan (at height 338403), however there was a single block (337396) with the “616e6f6e” / “anon” tag three days prior on 15-January. Perhaps this was a trial run? The remainder of this article focuses on the main activity beginning at 338403.

Attack progress analysis by cross-chain timestamp comparison

The below plot compares the progress of the attacker’s chains (now active blocks, red) versus the blocks produced by honest miners (blue). Hashrate on the honest chain was relatively constant before/during/after the attack, suggesting that the blocks were mined with additional equipment that was brought online to Firo just for the attack (rather than an existing Firo mining pool or farm temporarily departing from the honest chain to behave maliciously). This indicates that the attacker had significant material resources (enough equipment to overtake the entire pool of honest miners) and technical ability (privately coordinating a large performant GPU mining pool is not a trivial task).

How did the race for longest chain play out? As shown in the plot below, in some cases the attacker fell behind by as many as 10 blocks but continued to persevere. Halfway through, the attacker had an impressive 44-block lead, but then block production slowed and they quickly lost ground (perhaps intentionally to let the other chain catch up).

The above analysis is predicated on the assumption of accurate block timestamps. While the miner-selected timestamps theoretically may have been spoofed by the attacker, at first glance it appears that the they are likely organic (the timestamps don’t exhibit uniform spacing or other characteristics that would suggest artificial values).

Estimating the hashrate of individual devices

To begin analyzing the characteristics of the attacker’s devices, let’s examine the nonce search strategy employed by the attacker. Like the majority of Firo miners, the attacker’s miner workers each incremented a nonce upwards from zero until the block was found (this results in the observed nonce distribution shown below). Appendix A below this article extensively explores the nonce distribution in both honest and attack blocks.

Conveniently, when miners increment the nonce upwards from 0, its value tells us exactly how many hashes it took *that* worker to find *that* block. Thus dividing the nonce by the observed discovery time (for that block) yields a statistical estimate of that individual device’s hashrate! The PoW miner nonce simulator notebook includes an explanation for why this is the case:

For example, consider miners employing the nonce search strategy of starting at 0 and iterating upwards, and imagine that it takes about 10,000 hashes to mine a block on average.

Scenario 1: If these 10,000 hashes are being carried out by a single worker, then we expect to see nonces scattered throughout that range (e.g. nonce values around 7,000, 10,000, and 20,000 would not be surprising)

Scenario 2: If these same 10,000 hashes are divided between 1,000 workers in parallel, then one of them is statistically likely to find a block by the time that they are all 10 or 20 hashes in. (so a nonce value of 7,000 would be extraordinarily unlikely, because that would mean that no block was found in the first 7,000*(1,000 workers) = 7,000,000 hashes!

In the below plot, we apply this analysis to estimate the hashrate of the attacker’s devices. Each scatter point represents the estimated hashrate for a single block, and the black trace is the rolling median hashrate estimate.

If we compare (below) the attacker’s median per-device hashrate (red markers & red rolling median) against that of the honest chain (blue markers & black rolling median), we see that their devices were fast, but only 2x-5x the chain average. This suggests that they were probably using mid- to high- end GPUs (pulling 2,500–5,000 kH/s), not FPGAs or ASICs.

During the reorganization window the attacker had (at least) the same net hashrate as the honest network, but it was distributed across fewer devices; consequently the attacker’s workers generally had to iterate higher into the nonce range to find a winning value. This is even visible to the naked eye from on-chain data (see the spike starting at roughly 338400, highlighted by blue vertical lines in the second plot).

The below plot shows general Monte Carlo simulation results quantifying how the number of mining workers impacts the nonce distribution, as seen above. As we would intuitively expect, for a given fixed pool hashrate, dividing it among fewer workers forces each to search higher into the nonce space to find winning values.

Appendix B below this article contains more detailed information and plots about individual device hashrate distribution for both the honest/control blocks and for the attacker.

Estimate of attacker device count

Looking at the beginning & end of the attack in the plots above, we notice that the rate of block production across the forks was matched when attacker’s devices were puling ~2,500 kH/s. Since the overall hashrate that day was ~10 GH/s, we can ballpark that they had ~4,000 devices (this is a very rough order-of-magnitude estimate).

Implications beyond Firo

All proof of work coins should take note of this event as a real-world point of reference for attacker resources and sophistication. The individual or party behind the attack had:

  • Access to a large amount of equipment. Even if the above estimates (4,000 devices each at 2,500 kH/s) are off by 50%, the amount of physical equipment required to carry out the attack is significant.
  • Significant financial resources to dedicate to the attack. While a 50%+1 attack typically pays for itself in the end (since the attacker receives coinbase payments to offset mining costs, just like an honest miner would), it would have taken significant funding up-front to procure the equipment in the first place (whether purchased or rented). That is in addition to the 865,000 FIRO (at the time worth about $5,000,000) that was used in the double spending transactions.
  • Technical ability to coordinate a private fleet of performant miners with custom software. In addition to self-managing a lot of equipment, the attacker had to write or modify their software to implement bespoke adversarial features like isolated mining and double spending.

A basic requirement of Nakamoto consensus is that ledgers secured by proof of work must ensure that their fees and emission sufficiently incentivize honest miners to some target security level. In many cases this is poorly formalized, and often not quantified. Most networks are likely secure against a single non-technical hobbyist, and probably not secure against a large dedicated nation-state. With several million dollars and significant technical savvy, this Firo attacker is somewhere between these extremes, and should serve as a case study and reference point for a medium-scale adversary.

Thanks for reading! Enjoy the appendices below if you really want to nerd out and learn more about observed nonce distributions and hashrate estimations.

Questions, comments, estimate validation, or corrections? Secure contact: firo-forensics@mitchellpkt.com

Donations: PM8TJcTF5qC71cfEKERZiRHLwKUoXPWGaqePfaEtmnX6cfPTGP4n6A9y4tWZAaLzYvmJH8uaGDqhdjRLTLtnQvDgckhNCHNt2QPmRm9qfj1AMVwbty4M

Appendix A: Baseline nonce distribution

Looking at nonces from all blocks (see histogram below), it appears that 4 nonce search strategies are in use:

  • Start at 0 and iterate upwards (evidenced by the peak at 0 sloping down to 1e9)
  • Start at the halfway point and iterate upwards (evidenced by the smaller sawtooth at 2.15e9, see blue line for visual guide)
  • Start at the upper range and iterate downwards (evidenced by the mirrored sawtooth at the upper limit)
  • Sample randomly over the entire range (the baseline signal throughout the range)

To make sure that we’re only taking into account relevant data we must ask whether the nonce search strategy changed over time?

Yes! A few observations from the below plot:

  • Between heights 7,500 (red line) and 21,000 (lime line) the dominant strategy appears to be a uniform search over only the bottom half of the nonce range. I don’t think I have observed this in any other cryptocurrency.
  • Between heights 21,000 (lime line) and 120,000 (yellow line) the search was extended to cover the entire nonce range (uniformly).
  • While the strategy of iterating upwards from low nonces has always been present to some extent, it really picked up as the dominant strategy around height 120,000 (yellow line) onwards. (You can also see the subtle trace of the middle-upwards strategy).

Here are the attacker blocks, showing what appears to be an iterate-upwards-from-zero nonce search strategy:

Overlaying the two, we see that the attacker’s blocks (which are presumably all search-upwards-from-zero) exhibit a nonce distribution that is naturally biased towards lower values relative to the general honest chain (which includes a mix of search strategies).

Appendix B: Hashrate distribution estimation

The median value for estimated hashrate of an individual worker is ~1000 kH/s for the control case blocks (honest) and ~2500 kH/s for the attacker’s blocks. The median reflects a ‘typical’ device and will be much less than high-performance devices for mixed pools. The individual device hashrate estimation distributions for honest blocks and the attacker are shown below.

Firo
Cryptocurrency
Blockchain
Data Science
Research

--

--

Mitchell P. Krawiec-Thayer, PhD
Mitchell P. Krawiec-Thayer, PhD

Written by Mitchell P. Krawiec-Thayer, PhD

109 Followers
38 Following

Chief Scientist & President of Geometry Labs // Data Science and Protocol PrivEng for Monero Research Lab // aka Isthmus

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams