Question on scalability and spam attacks

Hi,

Having seen what goes on on Bitcoin and Ethereum, it seems like NEM is also potentially quite vulnerable to spam attacks. This is because the fee fork makes it possible to fill up an entire 1 minute block of 120 transactions for just 6 XEM.

If users with high enough importance were just to automate transactions they could make the network unusable. Currently, there does not seem to be a strong risk of this, but there is always the ‘Some people just want to watch the world burn’ situation or a disgruntled ex-dev situation.

There are also Ethereum ICO style problems whereby a popular mosaic sale could bring the network to a halt, and we could also consider the situation that has occurred on the EOS ICO a few times. The amount donated in a specific period is used to work out token distribution. This has led to some users effectively spamming the Ethereum network to prevent new transactions and hence get the tokens at lower than market rates.

Another scenario to consider is that someone on the inside could clog up the network to bring the price of XEM down and then produce an update to stop it being a problem.

What is the NEM approach for effectively dealing with attack situations? A maximum number of transactions per hour? Speeding up block time? Increasing block size? Reducing importance when transactions exceed a certain rate?

I know that Catapult is continually given as the cure-all and will effectively be spam proof if it allows a vast number of transactions per minute, but until we have a timeline for that, it will be useful to know what the risk response plans are - anyone willing to share?

Thanks


The NEM devs did a really good job of making a proper spam system with many parts to the formula. So first of all, if you make different accounts and spam yourself, the harvesters (NEM miners) like that and they will collect the fees, but the problem is if you fill up all the blocks to try to censor other transactions. So you are allowed to spam as long as you want to pay for it; you just make our harvesters happy. But let’s say all the blocks are full and now you are interfering with other people’s transactions. The accounts making so many transactions will have their fees raised and the regular accounts like mine and yours won’t.
But quickly the hacker learns that sending XEM back and forth between a few accounts makes his fees go ever increasingly higher.
So let’s say the hacker is really serious and he makes 5,000 accounts and is using each one just a little bit, but overall, it makes up network spam, and it is hard to raise the fees as it isn’t just one or a few accounts that can be penalized for spamming. Then it switches over to POI (Proof-of-Importance, NEM’s consensus algorithm — in contrast to POW and POS of other Blockchains).
See, a regular account like yours or mine will probably have $100s or $1000s or maybe even $10,000s worth of vested XEM and good POI. If the network is having all these transactions come from different one-off accounts, then the accounts with the highest POI get through. This is logical as the bigger POI accounts have the most invested in the system and are less likely to be spammers.
So to successfully pull off a spam attack that disrupts both your and my transactions and tries to censor us, the attacker has to 1) buy a ton of XEM and spread it out over A LOT of accounts, then 2) age it in over a long time over lots of accounts so that the accounts have POI higher than my account and your account. Then he can start to spam the network and by doing so keep my transactions and yours from being included in a block. Or so it seems because NEM takes censorship resistance to the next level now because then we can just raise our fee and he would then have to raise his fee to match our raises over all those accounts too. So basically, if somebody wants to put 100,000 XEM over 1,000 accounts, that means he needs to buy 100,000,000 XEM (almost $2,000,000 worth of XEM), then he needs to age it in, then he needs to send additional higher transaction fees, so yeah, good luck with that. We are talking about spending more than a million dollars and waiting weeks patiently and then spending more in fees, to attack a network, which would then make the market cap drop, which then he would have to sell at a big loss when exiting.

taken from https://medium.com/nem-distributed-ledger-technology-blockchain/what-value-does-nem-blockchain-add-to-currently-available-technologies-e-g-bitcoin-ethereum-5d5671405a4d

Thanks, I appreciate the answer.

The approach does seem elegant, but I could not find the documentation which points to when fees may start to rise for a spammer. Having now checked the technical reference, I see that there is a fair share equation which limits the number of slots that a user can use in a block (technical reference document, p. 14), and it would mean the spammer could voluntarily raise their fees, which could get expensive. There also seems to be considerable attention paid to Sybil attacks and loop attacks in the technical reference document.

Overall, it does appear to be better thought out than most systems, but I still consider that NEM does not yet have an effective solution to general network clog. This would really only be an issue if it becomes very popular and something like a popular ICO was to be run on the NEM Blockchain (with a limited period of purchase or a small cap on the size of a single purchase). However, I suppose this could fall into the realm of ‘good problem to have’ as the chain would start to be heavily utilized.
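To make the block-inclusion reasoning in the quoted explanation above (per-account limits, then importance as a tie-breaker, then fee bumping) and the fair-share slot limit mentioned in the reply concrete, here is an added toy simulation. It is not NEM's code and does not use NEM's real fee formula or fair-share equation; the per-account cap of 4 slots per block, the importance scores, the account counts and the 0.05 XEM fee are illustrative assumptions chosen for the example.

```python
"""Toy model of block inclusion under spam.

Added example, not NEM code. Block capacity (120 tx/min) comes from the
question; MAX_SLOTS_PER_ACCOUNT, importance values and fees are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

BLOCK_CAPACITY = 120          # tx per block, as stated in the question
MAX_SLOTS_PER_ACCOUNT = 4     # ASSUMPTION: illustrative 'fair share' cap


@dataclass(frozen=True)
class Tx:
    sender: str
    importance: float   # stand-in for a POI score in [0, 1]; assumed values
    fee: float          # fee in XEM


def select_block(mempool, capacity=BLOCK_CAPACITY,
                 max_per_account=MAX_SLOTS_PER_ACCOUNT):
    """Pick the txs for the next block.

    Priority is fee descending, then sender importance descending, and no
    sender may take more than max_per_account slots. This models the two
    defences discussed: a single flooding account cannot fill a block, and
    among equally priced txs the higher-importance sender wins.
    """
    ordered = sorted(mempool, key=lambda t: (t.fee, t.importance), reverse=True)
    used = Counter()
    block = []
    for tx in ordered:
        if len(block) >= capacity:
            break
        if used[tx.sender] >= max_per_account:
            continue          # fair-share cap: skip this sender's extra txs
        used[tx.sender] += 1
        block.append(tx)
    return block


def spam_from(n_accounts, per_account, importance, fee, prefix="spam"):
    """Constructed spam: n_accounts senders, each submitting per_account txs."""
    return [Tx(f"{prefix}{i}", importance, fee)
            for i in range(n_accounts) for _ in range(per_account)]


def scenario_single_spammer():
    """One account floods 1,000 txs at the same fee as an honest user."""
    honest = Tx("alice", importance=0.6, fee=0.05)
    pool = [honest] + [Tx("spammer", importance=0.1, fee=0.05)] * 1000
    block = select_block(pool)
    return honest in block, sum(1 for t in block if t.sender == "spammer")


def scenario_sybil_low_importance():
    """5,000 one-off accounts, one cheap tx each, with near-zero importance."""
    honest = Tx("alice", importance=0.6, fee=0.05)
    pool = [honest] + spam_from(5000, 1, importance=0.01, fee=0.05)
    return honest in select_block(pool)


def scenario_sybil_high_importance(honest_fee):
    """Attacker has aged 1,000 accounts to importance above alice's.

    At equal fees alice is crowded out; once she bumps her fee above the
    attacker's she is first in line, and the attacker must re-price every
    account to follow her.
    """
    honest = Tx("alice", importance=0.6, fee=honest_fee)
    pool = [honest] + spam_from(1000, 1, importance=0.9, fee=0.05)
    return honest in select_block(pool)


def fee_war_cost(n_accounts, fee_per_tx, blocks):
    """XEM the attacker spends keeping one tx per account in every block."""
    return n_accounts * fee_per_tx * blocks


if __name__ == "__main__":
    print("single spammer:", scenario_single_spammer())          # (True, 4)
    print("sybil, low importance:", scenario_sybil_low_importance())
    print("sybil, high importance, equal fee:", scenario_sybil_high_importance(0.05))
    print("sybil, high importance, bumped fee:", scenario_sybil_high_importance(0.06))
    print("attacker fee for 1 hour at 0.06 XEM:", fee_war_cost(1000, 0.06, 60))
```

The model deliberately ignores how importance is actually computed and how NEM's real fee rules escalate; its point is only to show why each step of the attack in the quoted text (one account, many cheap accounts, many aged accounts) is answered by a different rule, and why the last step turns into a fee war the attacker has to fund across every account.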

You should also consider that the current limit is totally arbitrary. It’s set the way it is to make it possible to run very light nodes with low hardware requirements. It could be doubled tomorrow and all that would happen would be that nodes that are too weak to handle the processing would fail. Supernodes could probably take it with ease. It’s just not necessary right now.

Thanks - that is useful to know.