Bitcoin ‘spam attack’ stressed network for at least 18 months, claims software developer

There is evidence to indicate that Bitcoin’s network has been suffering a far greater workload than needed recently, according to the developer behind the bitcoin analytics platform OXT. The French developer, Laurent, told BraveNewCoin that he is “95% confident” that the 2015 “Stress Test” and “Flood Attack” events affected the number of bitcoin transactions as recently as January 2017.

The 20-year data analysis and visualization software development veteran says that Bitcoin has become his “main activity” since he first read Satoshi’s whitepaper in 2013. He built OXT using algorithms that “extract high level information from the raw data stored in the bitcoin blockchain,” and describes the free service as far more useful than a blockchain explorer, making it more like a blockchain forensics tool, such as Skry or Coinometrics.


The events in 2015 began with a series of blockchain stress tests conducted by the now defunct The company claimed that tens of thousands of transactions were sent across the bitcoin blockchain on multiple occasions. “By stress testing the system, we hope to make a clear case for the increased block size by demonstrating the simplicity of a large scale spam attack on the network,” stated a company representative.

The subsequent flood attack, in July 2015, saw 80,000 transactions simultaneously sent to Bitcoin’s mempool, the notoriously-overfull queue at the heart of bitcoin’s scaling debate. The mempool is a real-time list of unconfirmed transactions. These transactions exist in the form of Unspent Transaction Outputs, or UTXOs.

Unspent transaction outputs are important because fully validating nodes use them to figure out whether or not transactions are valid. All inputs to a transaction must be in the UTXO database for it to be valid. If an input is not in the UTXO database, then either the transaction is trying to double-spend some bitcoins that were already spent or the transaction is trying to spend bitcoins that don’t exist.

The initial flood attack transaction backlog was quickly cleared, with F2Pool mining a huge single block with most of the 80k transactions in it. The block was almost completely filled with 10-100 bit transactions. The Chinese mining pool was a dominant mining pool at the time, and is still one of the largest around.

However, OXT developer Laurent claims that two further waves of “fan out transactions” followed, one at the start of August and another at the start of September. As a result, around 13 million new UTXOs were added to the UTXO set.


The initial attack in 2015 was noisy, Laurent explained, but was not nearly as damaging to bitcoin as what would come next. “There was a lot of coverage in media and then we all forgot about this episode,” he recalled. “But here's the thing: this kind of attack has 2 stages and the second stage is the most damaging.”

Describing the 2015 events as a “temporary clog” of the network, he said it “basically consumes a lot of bandwidth, space in the blockchain and space in the utxo set.” The intensity makes it very visible, but the ramifications, which Laurent has identified as continuing as late as January 2017, are “the insidious part” of the attack. Nobody notices this on the surface because “the attacker can dilute its intensity in time but its nuisances are definitely amplified.”

The effect doesn’t leave much evidence behind, while it “consumes more bandwidth, more space in the blockchain, and more cpu (for the verification of signatures),” Laurent explains. It does this because of the natural imbalance of UTXOs. “There's a very simple truth in Bitcoin, the utxos which have been created will be spent and the input of a transaction usually consumes far more resources than the corresponding output (by a factor of 4 for a basic P2PKH script).”
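The two-stage imbalance Laurent describes, together with the UTXO validity rule explained earlier, as an added example that is not code from OXT or the original article: a toy UTXO set in Python, assuming standard legacy P2PKH sizes (34-byte output, 148-byte input) and hypothetical names (`UTXOSet`, `two_stage_footprint`). It collapses the spend stage into a single transaction, whereas the article describes that stage as spread out over time.

```python
# Added illustration: a toy UTXO-set model, not OXT's or Bitcoin Core's code.
# Legacy P2PKH sizes in bytes (compressed public key, 72-byte signature assumed).
P2PKH_OUTPUT = 8 + 1 + 25            # value + script length + scriptPubKey = 34
P2PKH_INPUT = 32 + 4 + 1 + 107 + 4   # outpoint + script length + scriptSig + sequence = 148
TX_OVERHEAD = 4 + 1 + 1 + 4          # version + in/out counts (<253 each) + locktime


class UTXOSet:
    def __init__(self):
        self.unspent = {}  # (txid, output index) -> value in satoshis

    def apply(self, txid, inputs, output_values):
        """Validate a transaction against the set, update it, return its size in bytes."""
        if len(set(inputs)) != len(inputs) or any(op not in self.unspent for op in inputs):
            raise ValueError(f"{txid}: input already spent or nonexistent")
        if sum(self.unspent[op] for op in inputs) < sum(output_values):
            raise ValueError(f"{txid}: outputs exceed inputs")
        for op in inputs:
            del self.unspent[op]
        for index, value in enumerate(output_values):
            self.unspent[(txid, index)] = value
        return TX_OVERHEAD + len(inputs) * P2PKH_INPUT + len(output_values) * P2PKH_OUTPUT


def two_stage_footprint(n_dust=200, dust_value=5_000):
    """Stage 1 fans one coin out into n_dust outputs of 50 bits each (1 bit = 100
    satoshis); stage 2 spends them all. Returns both sizes, peak set size, the set."""
    utxos = UTXOSet()
    utxos.unspent[("funding", 0)] = n_dust * dust_value + 100_000  # constructed coin
    stage1 = utxos.apply("fanout", [("funding", 0)], [dust_value] * n_dust)
    peak = len(utxos.unspent)
    spends = [("fanout", i) for i in range(n_dust)]
    stage2 = utxos.apply("sweep", spends, [n_dust * dust_value - 50_000])
    return stage1, stage2, peak, utxos


if __name__ == "__main__":
    s1, s2, peak, utxos = two_stage_footprint()
    print(f"fan-out: {s1} bytes, {peak} entries added to the UTXO set")
    print(f"spend:   {s2} bytes, {s2 / s1:.1f}x the fan-out")
    try:
        utxos.apply("replay", [("fanout", 0)], [1_000])
    except ValueError as err:
        print("rejected:", err)
```

The block-space cost of the second stage grows with the number of outputs created in the first, which is why the size of the UTXO set is a useful early indicator for node operators.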

By watching tiny amounts of bitcoin, between 10 and 100 bits each time, to see how long each sat at each particular address before being sent, Laurent stumbled onto a clear pattern between July 2015 and the start of this year, which he claims is too specific to be a natural occurrence.

Laurent believes that the attack he uncovered, which he refers to as “moby dick,” explains the more recent mempool backlogs throughout 2016. “When we check the chart we can observe that the backlog was caused by a small number of txs (around 11k) having a huge size.”

The developer states that people trying to simulate growing on-chain activity “in the context of the blocksize debate may be an explanation.” But it could be something totally different, he adds, “like people trying to hide some transactions in a flood of transactions justified by the excuse of a ‘political’ debate.”

Bitcoin core developer Peter Todd told BraveNewCoin that creating these transactions couldn’t have been done by just anyone. “The interesting thing about spam attacks is they cost a *lot* of money to do if you're not in control of or co-operating with a significant percentage of hashing power.”

Although the fees attached to the transactions were purposefully small, paying them would still be cost-prohibitive for anyone trying to cause some kind of disruption. “If the fees aren't high enough that the spam txs are being mined,” Todd explained, “the attack doesn't accomplish all that much.” Laurent, for his part, isn’t as sure.

“We'll need an in-depth analysis to estimate the cost of this attack but it's likely that it wasn't so expensive (all things being relative).”

- Laurent