Greetings Eligius miners,
Wow...
First, thank you, everyone, for your support. It is, as always, greatly appreciated. It is good to know that the community supports our response to the withholding attack.
Next, I'll just clarify some of the points brought up by the attacker and others. Also, I'll venture to guess that “Brucexie” is at least in some way tied to the addresses in question, since the signed messages from our support ticket system were valid and they have knowledge of info in that ticket.
For reference, here are the messages they signed:
$ bitcoind verifymessage 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc "H+7mfdovWmJYeyhaPufu6vtXNMCDgtKGmNb+CaLitPJntwxVXr18bPKgV3PzejjdQcmCbcfEPnvnNc1Qz+IK1Yc=" "2014-05-20, LiYi, located at GuangZhou, China, hereby approves discussion of the Eligius mining performed with address 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc on Eligius ticket #668982."
true
$ bitcoind verifymessage 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u "IHx7y0wOgih7E0ecnFw9N/u/voJQ75kN5m9Qy1fq3aiFU1Ho7cHt6tH4rB5bDqcGV6d0HTHZMXD5u6WBnpqgNpE=" "2014-05-20, LiYi, located at GuangZhou, China, hereby approves discussion of the Eligius mining performed with address 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u on Eligius ticket #668982."
true
Before I continue, I think I need to once again make one thing clear: under no circumstances will we knowingly pay even a single satoshi to a discovered block withholder.
That said, let me give some more detail on all of this.
The attacker seems to only want to focus on mining post-May 3... after they supposedly stopped attacking. However, according to the stats database, they have used Eligius with the first address since mid-March. The second address was auto-tied in with the first based on IP and other metadata (see below for details).
Here are graphs of the attacker's hashrate on both addresses, 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc and 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u respectively:
While I didn't really want to go into statistics here, because they are only part of the picture, some people have requested them, and I previously stated I would disclose more data, so here it is:
The attacker submitted two blocks prior to commencing their withholding attack, at the beginning of their use of Eligius, on 2014-03-21 and 2014-03-22 (blocks 291,748 and 291,782 respectively). This appeared to be before they had their full hash power online, also.
Prior to 2014-05-03 (when I added them to the payout queue filter) the 17JkL94 address was paid a total of 429.19371155 BTC by Eligius. They also had 65.04471047 BTC in shelved shares at that time, for a total of 494.23842202 BTC worth of shares submitted. This works out to a CDF of about 99.999998081747%, or around 18x difficulty worth of shares for their personal round… which has never happened on Eligius, or any other pool as far as I can tell, an impossibility. Theoretically, anything at all (your witness of someone committing murder, the cop's speed radar, etc etc) could just be "unlucky". But there comes a point where rational people (including courts and juries) start saying "certain". In this case, that line is far crossed here.
Afterwards, they started mining on the second address, which I also added to the filter due to the obvious relation. (While obvious, this relationship between the addresses was also confirmed by the attacker later, and here.)
After they supposedly stopped their withholding attack, starting around 2014-05-07 (after over 55 days of withholding) they started finding blocks (still at a below average pace for their hash rate) and mined five additional blocks for Eligius.
In total there were 654.71340416 BTC worth of shares awarded to the attacker’s addresses under CPPSRB. The attacker also accumulated 67.77237472 BTC worth of shelved shares, for a total of 722.48577888 BTC worth of shares submitted to Eligius.
The 225.51969261 BTC is from awarded shares held from payout (shares credited to the attacker under CPPSRB). Since the attacker was withholding blocks, the attacker did not legitimately mine any shares and is not due any reward. The best we can do is not allow them to gain any further benefit from their attack and pass this portion of the loss on to them.
As far as I’m concerned, the attacker owes Eligius miners all of the BTC they obtained falsely during their withholding attack, a total of 429.19371155 BTC (not including the ~200 BTC they are demanding).
Along with the statistics against the miner, the miner actually admitted to another pool that they were executing a withholding attack. While they claimed this was unintentional, it doesn’t actually make a difference since miners lost revenue from their attack. Recent posts by the attacker once again change that story. Either way, the attacker has admitted they were withholding blocks. Properly distributing the coins erroneously awarded as a result is just a consequence of their attack.
Heck, the poster admitted the issue on this very forum, today:
We have some issue with our mining infrastructure, which caused BTCGuild froze our account on the beginning of May.
After a fast fix and a test on various pool include Eligius, we saw block solved (totally 5) on Eligius block page and think that the issue was resolved, then we switch back to BTCguild under its administrator's checking on the log of our share we mine after this incident.
But we found that Eligius refused to pay for shares of our test.
Long story short, through some detective work, some cooperation, and a decent amount of effort this attack has been confirmed beyond any doubt.
That said, I will be working towards my goal of properly awarding affected miners using the held work credit. This is not a trivial process and will take a bit of time since there is a lot of security in place to prevent this in the first place. These security setups will basically have to be taught why this change is legitimate so that it can happen. I will document everything thoroughly to ensure there is no question later as to the disposition of the funds and the changes made to distribute them. I will also be taking additional security precautions to ensure that I do not leave any avenue open that makes Eligius-side data less secure as a result of this.
At this point I’m considering this issue resolved and closed.
-wk
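The round-length statistic quoted in the post (a CDF of about 99.999998081747%, or around 18x difficulty worth of shares), worked through as an added example that is not part of the original post or Eligius code. It assumes the standard model in which work worth x network difficulties yields a Poisson(x) number of blocks; the function names, the alert threshold and the second sample miner are constructed for illustration.

```python
import math

# Figure quoted in the post for the miner's "personal round".
PAGE_CDF_PERCENT = 99.999998081747

def round_cdf(rounds: float) -> float:
    """P(an honest miner has found a block within `rounds` difficulties of work)."""
    return -math.expm1(-rounds)          # 1 - e^(-x), computed stably

def rounds_from_cdf(cdf_percent: float) -> float:
    """Invert the CDF: how many difficulties of work a given CDF corresponds to."""
    return -math.log1p(-cdf_percent / 100.0)

def poisson_at_most(found: int, expected: float) -> float:
    """P(X <= found) for X ~ Poisson(expected): chance of this few blocks or fewer."""
    term = math.exp(-expected)           # P(X = 0)
    total = term
    for k in range(1, found + 1):
        term *= expected / k             # P(X = k) from P(X = k - 1)
        total += term
    return total

def assess(expected_blocks: float, found_blocks: int, alpha: float = 1e-6):
    """Return (p_value, flagged). `alpha` is an assumed threshold; a pool with
    many miners needs it small, or ordinary bad luck will be flagged."""
    p = poisson_at_most(found_blocks, expected_blocks)
    return p, p < alpha

if __name__ == "__main__":
    x = rounds_from_cdf(PAGE_CDF_PERCENT)
    print(f"round length implied by the quoted CDF: {x:.3f}x difficulty")
    # Constructed comparison: zero blocks over that work vs. a merely unlucky miner.
    for label, expected, found in [("quoted round", x, 0),
                                   ("constructed unlucky miner", 18.0, 15)]:
        p, flagged = assess(expected, found)
        print(f"{label}: expected={expected:.2f} found={found} "
              f"p={p:.3e} flagged={flagged}")
```

The lower-tail probability only measures luck, so it works as a trigger for investigation alongside the other evidence the post describes, such as address correlation and the miner's own statements.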