Hackers: let's hoard Zooz tokens!

La’Zooz is building a decentralized real-time ridesharing app mixed with cryptocurrency concepts. They are distributing Zooz tokens through proof-of-movement in order to bootstrap their app and get the necessary critical mass. While in theory this would provide a nice and fair token distribution, in practice it is not feasible to implement a “hacker proof” proof-of-movement algorithm.

La’Zooz developers are well aware that GPS data is easy to fake. Thus their Android app gathers a whole bunch of data, from phone contacts to nearby Wi-Fi networks and accelerometer data. They hope to use all this data in a “cocktail of algorithms” built to prevent proof spoofing. The truth is that such data gathering sounds more menacing than some NSA projects, while the cocktail of algorithms overcomplicates the system and adds little protection:

1. Proof-of-social-being algorithms — which […] looks at […] all users and the links between them, to filter out most faked users (bots).

Thus they send the entire contact list to their server, all that for a little reward, because, as they say:

it’s pretty easy to identify millions of bots, but it won’t reach easily a single or a few bots.

As a La’Zooz user I would be concerned about “a few bots” accumulating Zooz tokens with fake trips. That’s unfair for all other players.

2. Proof-of-location algorithms — which basically cross refer real-time-location data between different users, and between users and external data. […] we can ask the phone what is the temperature it sees.  If two people located at the same point report different answers, we may know one of them is cheating

First of all, that means we can only mine with an active internet connection. Thus La’Zooz may deplete our data plans.
Second, applying this in practice would get them a super high false negative rate. As Waldschrat2 pointed out:

other App users may be in a location with A/C (e.g. car, bus, office… – less than 25°C) – while the usual motorbike drivers will have temperatures of 35°C+…

Similar problems happen if you compare available Wi-Fi networks: my smartphone’s antenna may be worse than that of other users, a bus might be blocking the signal, the Wi-Fi network may be temporarily offline or have changed name, etc.

Lastly, what about routes crossed only by a single user? There will be no data to cross reference there. Will they discard those? … Not fair.
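The cross-check quoted in point 2, sketched as an added example (not La’Zooz code): reports are grouped by grid cell and time window, and anyone whose temperature deviates from the group median is flagged. The thresholds, field names and sample reports are assumptions constructed for illustration; every user in the sample is honest.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Hypothetical thresholds: ~100 m grid cells, 5-minute windows, 3 °C tolerance.
CELL_DEG, WINDOW_MIN, TOLERANCE_C = 0.001, 5, 3.0

@dataclass(frozen=True)
class Report:
    user: str
    lat: float
    lon: float
    minute: int    # minutes since the start of the observation period
    temp_c: float  # temperature reported by the phone

def bucket(r):
    """Same grid cell and same time window count as 'the same point'."""
    return (round(r.lat / CELL_DEG), round(r.lon / CELL_DEG), r.minute // WINDOW_MIN)

def cross_check(reports):
    """Return (flagged users, users nobody else can corroborate)."""
    groups = defaultdict(list)
    for r in reports:
        groups[bucket(r)].append(r)
    flagged, unverifiable = set(), set()
    for members in groups.values():
        if len({m.user for m in members}) < 2:
            unverifiable.update(m.user for m in members)  # lone route
            continue
        mid = median(m.temp_c for m in members)
        flagged.update(m.user for m in members if abs(m.temp_c - mid) > TOLERANCE_C)
    return flagged, unverifiable

# Constructed sample: every user below is honest.
SAMPLE_REPORTS = [
    Report("bus_passenger", 38.7370, -9.1390, 2, 23.0),    # air-conditioned bus
    Report("car_driver", 38.7370, -9.1390, 3, 24.5),       # air-conditioned car
    Report("motorbike_rider", 38.7370, -9.1390, 4, 36.0),  # open air, 35 °C+
    Report("lone_commuter", 38.8000, -9.2000, 3, 30.0),    # nobody else nearby
]

if __name__ == "__main__":
    flagged, unverifiable = cross_check(SAMPLE_REPORTS)
    print("flagged as cheating:", sorted(flagged))
    print("cannot be cross-checked:", sorted(unverifiable))
```

The honest motorbike rider is flagged and the lone commuter cannot be checked at all, which are the two failure modes described above.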

3. Proof-of-movement algorithms — analysing the signals of movement [from the accelerometer] in a way that differentiate an authentic movement from an artificially created one. Of course, one can “record” his movement data, but then we’ll see multiplication of such data all over the place (assuming it’s used for many faked users).

What prevents a hacker from making a few small permutations to the data (tilt to the right instead of tilt to the left or whatever) to fool them?
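To make the duplicate-detection argument concrete, here is an added example (not La’Zooz code) comparing a naive replay check with one that folds away the left/right flip mentioned above. The function names, account names and accelerometer samples are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def exact_fingerprint(trace):
    """Naive replay check: hash the raw (x, y, z) samples as recorded."""
    return hashlib.sha256(repr(trace).encode()).hexdigest()

def mirror_invariant_fingerprint(trace):
    """Fold away per-axis sign flips (left tilt vs right tilt) before hashing."""
    signs = []
    for axis in range(3):
        first = next((s[axis] for s in trace if s[axis] != 0), 1)
        signs.append(1 if first > 0 else -1)
    # Quantise to integer units of 0.1 m/s^2 so that -0.0 and 0.0 hash alike.
    folded = [tuple(round(s[a] * signs[a] * 10) for a in range(3)) for s in trace]
    return hashlib.sha256(repr(folded).encode()).hexdigest()

def find_replays(traces, fingerprint):
    """Group users whose traces share a fingerprint; return groups of 2+."""
    groups = defaultdict(list)
    for user, trace in traces.items():
        groups[fingerprint(trace)].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample traces (m/s^2); account names are hypothetical.
RECORDED = [(0.3, -0.1, 9.8), (0.5, 0.2, 9.7), (-0.2, 0.4, 9.9), (0.1, -0.3, 9.8)]
SAMPLE_TRACES = {
    "account_1": RECORDED,
    "account_2": list(RECORDED),                        # verbatim replay
    "account_3": [(-x, y, z) for x, y, z in RECORDED],  # same trip, x axis mirrored
    "account_4": [(0.1, 0.2, 9.8), (0.9, 0.3, 9.6), (1.4, 0.2, 9.9), (0.6, -0.1, 9.8)],
}

if __name__ == "__main__":
    print("exact hash:      ", find_replays(SAMPLE_TRACES, exact_fingerprint))
    print("mirror-invariant:", find_replays(SAMPLE_TRACES, mirror_invariant_fingerprint))
```

The exact hash groups only the verbatim replay, while the folded fingerprint also catches the mirrored copy; it recognises only the one transformation it was written for.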

These proof-of-movement heuristics are akin to Google’s PageRank cat-and-mouse game, but way harder. There will always be ways to fool them. Also, La’Zooz will never be able to release the full heuristics out in public… so much for transparency and getting community feedback. It’s doomed to security by obscurity.


Post scriptum

La’Zooz tried to mitigate this problem by giving non-tradeable tokens to road miners. These tokens can only be used inside their app to pay for rides. This brings little improvement: the system is still unfair to those who drive for miles in order to mine their tokens.

Furthermore, these tokens “become tradeable upon use”, which appears to mean that a driver receiving them can trade them for a currency (e.g. BTC). Thus, imagine John the Hacker who controls two bots, A and B. Bot A can take a fake ride with bot B (fakeable as explained above): voilà, B (aka John the Hacker) gets tokens which are exchangeable for BTC. In the end, if many hackers keep exploiting this vulnerability, Zooz tokens will devalue until they are worth nothing.

CPU-only coins vs supercomputers

It just crossed my mind how current CPU-only coins would handle a 51% attack coming from a supercomputer. I decided to make a quick calculation based on Monero (XMR), the current CPU coin with the biggest network hashrate. (Note: there are already GPU miners for Monero but their performance is the same as CPUs, check CPU Coin List).

At the time of writing, the network hashrate for Monero is 12.01 MH/s.
An Intel Xeon E5-2697v2 does 480 H/s.
The current biggest supercomputer, Tianhe-2, has 32,000 cores of Intel Xeon E5-2692 12C processors. Supposing a similar performance, this gives it 32000 × 480 = 15360000 H/s = 15.36 MH/s. Now let's take into account the 48,000 Xeon Phi 31S1P co-processors with 57 64-bit x86 cores each. Supposing a moderate performance of 20 H/s per core, we get 48000 × 57 × 20 = 54720000 H/s = 54.72 MH/s. That would be a total of 70.08 MH/s.

Therefore, Tianhe-2 would have no trouble doing a 51% attack on Monero. To avoid it, Monero's network hashrate would have to grow 12x. Like Tianhe-2, many other supercomputers from the TOP500 list could do the attack.

One of the arguments by those who support Proof of Work (PoW) algorithms with an advantage for GPUs is that these give cryptocurrencies better chances to withstand an attack coming from a big operation. The rationale is that it is much easier for a hobbyist to build a multi-GPU system than a multi-CPU one. With roughly $2000 you can now build an 8x R7 265 miner. Tianhe-2 has 48,000 Xeon Phi which could have been substituted for GPUs. Imagining that, it would have 48000 ÷ 8 = 6000 times more GPUs than the hobbyist. On the other hand, with the same $2000 the hobbyist could at most (really at most) build a 2x Xeon system. In comparison, the Tianhe-2 would have 32000 ÷ 2 = 16000 times more processors than the hobbyist.
If the same PoW algorithm with GPU advantage is ASIC-resistant it would also avoid the threat of big ASIC operations.

CPU PoW supporters would now argue that it is easier to get more people to mine with their PCs than to get more hobbyists to build small scale miners. I tend not to agree, especially if there is a good monetary incentive to mining.

Either way, what this ultimately shows is that a mix of PoW and Proof of Stake (PoS) continues to be the best solution found so far to secure a blockchain. You can read more about it on the Vitalik Buterin post On Stake.