FAQs: July 2021 block withholding/re-organisation attack on the Bitcoin SV network

By Alex Speirs Published: July 15, 2021

Last updated: July 15 – 12pm (UKT)

In response to the block withholding/re-organisation attack on the Bitcoin SV network, Bitcoin Association has prepared answers to the most frequently asked questions that we and our representatives are receiving.

What has happened?

On June 24, 2021 and then again on July 1, 6 and 9, an unknown miner operating (as an apparent impersonator) under the ‘Zulupool’ moniker engaged in malicious block re-organisation attacks on the Bitcoin SV (BSV) network. This type of attack, known as a ‘block withholding’ attack, involves a malicious actor creating a chain of competing blocks – re-written to the benefit of the attacker, i.e., containing double spends – in parallel with the correct chain. These malicious blocks are created in secret then released all at once to orphan the correct blocks from honest nodes.

The malicious nature of the attack was not initially clear from the first sets of block reorganisations on June 24 and July 1. Block reorganisations are a feature of the Bitcoin system when they occur organically and are used to align participants and nodes on the network; therefore, not all block re-organisations should be treated as problematic and analysis must be done to assess the nature of each situation.

However, using block reorganisations for double-spend attacks is highly illegal. The Bitcoin SV Infrastructure Team began extensively investigating the block re-organisations after learning of them. Further investigation after the July 6 block re-organisation revealed the deliberate and malicious nature of the activity, and then prompted immediate action by the Bitcoin SV Infrastructure Team to mitigate and respond.

The last re-organisation attack by the impersonating ‘Zulupool’ miner occurred on Friday, July 9. Protective measures have been implemented for the BSV network and there have been no further attacks since then. However, at this stage Bitcoin Association and the Bitcoin SV Infrastructure Team continue to treat this as an active situation, and we have a global team closely monitoring the network at all hours.

At this stage, neither Bitcoin Association nor the Bitcoin SV Infrastructure Team can confirm the exact identity or identities of the attackers. The malicious party is carrying out their attacks under the ‘Zulupool’ moniker. We do not believe that the malicious actor is the same ‘Zulupool’ that has long been associated with the Hathor miner of the same name. Instead, we believe the attacker is impersonating ‘Zulupool’.

Just a few months ago, an actor also using the same ‘Zulupool’ moniker carried out a deep block reorganisation of the Bitcoin ABC (BCHA) chain. While we cannot independently confirm that it is the same party who is behind the recent attacks on BSV, the BCHA chain incident had similarities in methodologies and characteristics with the reorganization attacks on BSV, and also used the same Zulupool name; these factors strongly suggest it is the same actor.

There are several reasons why a malicious party may attempt to attack the BSV blockchain (or any blockchain for that matter) in such a fashion. At this stage, however, in the absence of further information, we cannot conclusively determine the motives of the attacker.

Possible motives are:

– The most obvious reason to attempt a block withholding or re-organisation attack would be as part of an effort to double-spend and defraud – that is, spend the same BSV tokens several times by manipulating the records of the blockchain. When these types of attacks occur, it is generally exchanges – which tend to hold significant token liquidity – that are targeted. However, it is important to note that to date, neither Bitcoin Association, nor the Bitcoin SV Infrastructure Team, nor any exchanges with whom we are in contact, have received any reports of anyone claiming to be a victim of a double spend.

– Given that the Bitcoin ABC (BCHA) chain experienced a reorganisation incident with similar characteristics just a few months ago, it is possible that this is a coordinated campaign against competing implementations and chains of Bitcoin. While no direct losses or thefts have yet been attributed to the attack on the BSV blockchain, the response by exchanges to restrict BSV deposit and withdrawals and/or trading activities and the attending reputational harm caused by the attacks could indicate that the detrimental intangible impact was the primary goal, not a secondary repercussion.

– Another possibility is that the malicious actor is undertaking these block re-organisations to move coins around in an effort to obfuscate the history of certain coins and make them harder to track. If this is what is motivating the attacks, however, it has been entirely unsuccessful, as the heightened awareness and forensic tools being used to track and document the attacks have only served to draw attention to these transactions, in addition to providing the impetus to collect comprehensive evidence for all connected transactions.

BSV transactions have been double spent, but at this stage, there is no evidence that these fraudulent activities have been carried out to the detriment of another (innocent) party. It is possible that the malicious ‘Zulupool’ has been double-spending their own transactions.

Bitcoin Association, together with its development arm, the Bitcoin SV Infrastructure Team, have undertaken certain technical measures to respond to the malicious actions of the ‘Zulupool’ impersonating-miner and to mitigate the impact of any potential future attacks. This includes coordinating with miners and transaction processors on the Bitcoin SV network to implement both reactive and preventative measures – including fork detection tools that enable ecosystem participants and partners to move expeditiously in the face of attacks. Since these measures have been initiated, there have so far been no further attacks on the network.

Since the malicious nature of the re-orgs on the Bitcoin SV network was identified following the July 6 attacks, the Bitcoin SV Infrastructure Team has taken action to both help protect the network and collect evidence of the illegal activity. This information is being collated and shared at regular intervals with Bitcoin Association’s legal team. Bitcoin Association’s representatives have already started to contact relevant law enforcement authorities. Bitcoin Association is also preparing to submit criminal complaints in one or more relevant jurisdictions; its affected constituents may also initiate proceedings independently.

Bitcoin Association representatives have been in contact with BSV-supporting exchanges since the malicious activity was first identified. The Association also released a public statement about the situation on July 8, 2021.

It has been – and continues to be – our view that the primary response from exchanges should be to freeze deposits of any coins associated with the double-spend addresses.

In addition, Bitcoin Association believes an exchange will be adequately insulated from any negative impact of attacks if it: 1) actively monitors the blockchain for block re-orgs; and 2) as an interim protective measure, maintains or extends to at least 20 the number of block confirmations required before BSV deposits are considered valid. We believe this provides sufficient protection against the block reorg attacks. We do not believe exchanges need to completely halt all deposit, withdrawal and trading activity associated with BSV coins. However, Bitcoin Association can only act in an advisory capacity in this instance, as exchanges are independent and will act according to their own procedures and tolerances in such events.
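The two measures above (watching for re-orgs and requiring 20 confirmations) can be sketched as follows. This is an added example, not code from Bitcoin Association or the Bitcoin SV Infrastructure Team; the block ids, the `parent_of` map and all function names are hypothetical, and the sample chain is constructed.

```python
MIN_CONFIRMATIONS = 20  # interim deposit threshold recommended in the text

def build_sample():
    """Constructed chain: honest h0..h30, withheld fork x28..x31 built on h27."""
    parent_of = {"h0": None}
    for i in range(1, 31):
        parent_of[f"h{i}"] = f"h{i - 1}"
    parent_of["x28"] = "h27"
    for i in range(29, 32):
        parent_of[f"x{i}"] = f"x{i - 1}"
    return parent_of

def ancestors(tip, parent_of):
    """Yield block ids from tip back to genesis."""
    while tip is not None:
        yield tip
        tip = parent_of[tip]

def reorg_depth(old_tip, new_tip, parent_of):
    """Blocks of the old chain orphaned by moving to new_tip (0 = plain extension)."""
    new_chain = set(ancestors(new_tip, parent_of))
    depth = 0
    for block in ancestors(old_tip, parent_of):
        if block in new_chain:
            break
        depth += 1
    return depth

def confirmations(tx_block, tip, parent_of):
    """Confirmations of tx_block on the chain ending at tip; 0 if it was orphaned."""
    for n, block in enumerate(ancestors(tip, parent_of), start=1):
        if block == tx_block:
            return n
    return 0

def deposit_is_final(tx_block, tip, parent_of):
    """Credit only if the deposit's block is still on the active chain and deep enough."""
    return confirmations(tx_block, tip, parent_of) >= MIN_CONFIRMATIONS

if __name__ == "__main__":
    chain = build_sample()
    print("reorg depth h30 -> x31:", reorg_depth("h30", "x31", chain))
    print("h29 deposit after reorg:", confirmations("h29", "x31", chain))
    print("h11 final on h30:", deposit_is_final("h11", "h30", chain))
```

Re-evaluating `confirmations` against the current tip on every new block is what catches a deposit whose block has been orphaned: its count drops back to 0 instead of continuing to grow.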

Bitcoin Association continues to actively communicate with exchanges throughout this process, and we are doing all that we can to support reinstatement of BSV deposit, withdrawal and trading services as soon as possible.

Each exchange will make its own decisions about when and how to re-enable BSV services. At this stage, we cannot provide exact timings for when BSV deposit, withdrawal or trading facilities will be active at your chosen exchange. Bitcoin Association and its representatives remain in contact with exchanges and will share any news and updates on this front, as and when they become available.

Any BSV kept at exchanges or that isn’t being actively transacted with an untrusted party remains unaffected by the attacks.

Yes. The Bitcoin SV network remains safe to use and is operating as it usually would. However, in the short term, Bitcoin Association recommends only sending and receiving BSV between identified parties where possible. When transacting with unknown or untrusted parties, for an interim period, we advise waiting for at least 20 block confirmations before considering the transaction safe and settled.

Yes. So long as the BSV app in question isn’t involved in illegal double-spending, the app will continue to operate unimpeded and unaffected.

Should you have any further inquiries, please direct them to:

Alex Speirs
Head of Communications
[email protected]