Wilfrid Okorie

Bitcoin Dust Attacks: What They Are and How to Defend Against Them

In the context of blockchain, dust refers to tiny amounts of a cryptocurrency that are uneconomical to spend.
An amount is considered uneconomical to spend when the transaction cost it incurs is greater than its value.

An attack is an action taken with malicious intent, such as an attempt to steal funds, exploit loopholes in the rules, or disrupt the network. There are different types of attacks in Bitcoin. One of them is the dust attack.

How addresses/keys work in Bitcoin today:

Bitcoin uses Elliptic Curve Cryptography, a form of asymmetric cryptography that involves a keypair instead of a single key: a private key and a public key. Public keys are derived from private keys. They are secured by the discrete-log problem in math, which makes it extremely difficult to work your way back from a public key to a private key. There are different forms of spend, but the basic rule is simple: public keys are associated with bitcoins recorded on the blockchain, and the controller of the keys (the holder of the corresponding private key) can spend the bitcoins by addressing them to some other public key. Addresses are derived from public keys.
Now, the blockchain is a public network, which means transactions there are completely visible: when a transaction happens, you can see which addresses are involved and the amounts spent.
Bitcoiners love their privacy, however, so a natural solution is to control more than one keypair, so that you can give out different addresses for different transactions and make it more difficult for addresses to be traced to you.

Deterministic Key Generation: Tree of wallet keys generated from a single seed

Modern wallets have a clever way of doing this: from a seed, a private key can be derived, and from it a whole tree of child keys (private and public). The idea is that each user has a master key that gives birth to descriptors, which are used to deterministically derive new keypairs. These evolve into a whole tree of keys, in which any key can be parent to other keys, and there is no limit on the depth of the tree. More on this can be found in the Bitcoin Book.

What This Implies

This means that for every transaction you receive coins from, you could publish a different address, so that the coins could not be traced to you. There is also the concept of internal and external descriptors. Internal descriptors derive wallet addresses you never share; they are also called change descriptors, because you use them to make change for yourself in transactions. External descriptors derive addresses that are shared, for you to receive coins from other people.
The main point of descriptors and many addresses is privacy through non-reuse. Having many addresses breaks transaction links, helps hide which output of a transaction is your change (since to the unknowing eye, it is not addressed to your wallet), and limits the damage from a key leak: if a private key gets leaked, just that address and its UTXOs are in danger, not your entire wallet.

Note: As you continue down this article, know that Bitcoin doesn't use the arithmetic balance model for amounts, but the UTXO model: you hold units of cryptocurrency, instead of a single balance you just subtract from when you want to spend. It is like different units of money in a physical wallet. Each unit is called an Unspent Transaction Output (UTXO).

Enter Dust Attacks

In dust attacks, an attacker is not directly after your coins. Instead, they want to uncover your identity by plotting your identity graph - a map of which Bitcoin addresses belong to the same wallet. This can be used to deanonymize a person and find out their total holdings. In the past, knowledge of who holds how many bitcoins has led to threats, physical attacks, abuse, torture, etc., so you want to protect yourself.
The knowledge can also be used to link a pseudonymous identity (yours) to real-world activity.

How Dust Attacks Happen:

Step 1: Target Selection:
First of all, the attacker identifies the address(es) they want to deanonymize. This is done by looking at the blockchain directly, since transactions are public. They could get the address from anywhere at all.

Step 2: Dust Delivery:
Next, the attacker builds the dust delivery transaction. They can do this any way they like, but to be economical, it is usually a single transaction that sends tiny amounts (dust) to all target addresses simultaneously. The amount is chosen carefully: most likely very tiny, but not so tiny that it wouldn't make economic sense to spend, and above the relay floor, so that nodes will relay it even if the victims do not notice it.

Step 3: Waiting/Monitoring:
Next, the attacker waits for the wallet owner to spend the outputs they sent. This could be a gamble, depending on how long it takes for the user to spend the coins. If somehow, the victim's wallet's coin selection algorithm picks any of these UTXOs, alongside a real UTXO, it becomes part of the graph.

Step 4: Clustering:
When the user spends this UTXO, the inputs reveal co-ownership, since all inputs to a transaction usually belong to one controller. The attacker now knows that these addresses in the transaction input belong to the target.

Step 5: Graph Expansion:
The attacker can now expand their knowledge graph of you by tracing forward or backward, and get closer to whatever goal they have.

How To Combat Dust Attacks:

From the steps above, the way to avoid dust attacks is simple: do not spend the dust. More accurately, do not spend the dust in a canonical transaction. Instead, you can arrange transactions with no output to spend them, so that the entire dust goes into network fees and the trail ends there, or you could mix the dust through a coinjoin with other users' dust. There it gets mixed with hundreds of other dust UTXOs, and the link breaks.

I built a tool using Rust called Hoover that acts to identify dust attack UTXOs, and construct Partially Signed Bitcoin Transactions (PSBTs) that safely spend them to fees, and safely remove them from the users' wallets.

Hoover

Hoover: a tool that identifies dust attacks and sweeps

Hoover is one of many dust attack tools that have been created for this purpose, and they all share one general idea.
These dust attack tools take in your descriptors, internal and/or external, and register them. Then, on your command, the tool scans your wallet for dust UTXOs and shows them to you. It then constructs PSBTs for you to spend these UTXOs, with an OP_RETURN output, so that there is no UTXO output. These PSBTs can then be signed however you like and broadcast to the network as regular signed transactions.

One critical part of creating the PSBTs is that you do not create a PSBT that contains dust from multiple addresses. The consolidation must be per address, else it compromises the privacy it aims to protect.
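
Why the per-address rule matters, as an added example in Rust (not Hoover's code): it plans sweeps both ways and then applies the co-spend clustering from Step 4 to the planned transactions. The `Dust` and `Sweep` types, the addresses and the outpoints are constructed for illustration.

```rust
use std::collections::{BTreeMap, HashMap};

// Constructed models (hypothetical, not Hoover's types); a sweep's whole input value becomes fee.
struct Dust { address: &'static str, outpoint: &'static str, value: u64 }
struct Sweep { addresses: Vec<&'static str>, inputs: Vec<&'static str>, fee: u64 }

// per_address = true follows the rule above; false consolidates everything into one tx.
fn plan(dust: &[Dust], per_address: bool) -> Vec<Sweep> {
    let mut txs: BTreeMap<&str, Sweep> = BTreeMap::new();
    for d in dust {
        let key = if per_address { d.address } else { "single-tx" };
        let s = txs.entry(key).or_insert(Sweep { addresses: vec![], inputs: vec![], fee: 0 });
        if !s.addresses.contains(&d.address) { s.addresses.push(d.address); }
        s.inputs.push(d.outpoint);
        s.fee += d.value;
    }
    txs.into_values().collect()
}

// Union-find root lookup over address labels.
fn root(parent: &HashMap<&'static str, &'static str>, mut a: &'static str) -> &'static str {
    while parent[a] != a { a = parent[a]; }
    a
}
// Co-spend clustering (Step 4) applied to planned sweeps: addresses spent together merge.
fn observer_clusters(sweeps: &[Sweep]) -> Vec<Vec<&'static str>> {
    let mut parent: HashMap<&'static str, &'static str> = HashMap::new();
    for s in sweeps {
        for a in &s.addresses {
            parent.entry(*a).or_insert(*a);
            let (r, head) = (root(&parent, *a), root(&parent, s.addresses[0]));
            parent.insert(r, head);
        }
    }
    let mut groups: BTreeMap<&str, Vec<&'static str>> = BTreeMap::new();
    for a in parent.keys() { groups.entry(root(&parent, *a)).or_default().push(*a); }
    groups.into_values().map(|mut g| { g.sort(); g }).collect()
}

// Constructed staged dust across three wallet addresses.
fn sample() -> Vec<Dust> {
    let d = |address, outpoint, value| Dust { address, outpoint, value };
    vec![d("addr_a", "tx1:0", 546), d("addr_a", "tx2:3", 330),
         d("addr_b", "tx1:1", 546), d("addr_c", "tx3:7", 600)]
}

fn main() {
    for s in plan(&sample(), true) { println!("{:?} spends {:?}, fee {}", s.addresses, s.inputs, s.fee); }
    println!("single tx reveals {:?}", observer_clusters(&plan(&sample(), false)));
}
```

With per-address sweeps the observer is left with three unlinked addresses; the single consolidated transaction hands over all three as one cluster.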

Of course, these steps/processes differ from tool to tool, with different tools making innovations in different parts of the process, such as the nature of the PSBT.
In the same light, the part of the process Hoover does differently is the dust identification.

Usually, the tool would just check all the UTXOs to see which ones are below, or sometimes equal to, the relay floor for that script type. Optionally, a user may configure the minimum number of sats for a UTXO to be considered non-dust, so that for a relay floor of 546 sats, a user may choose to remove every UTXO under 600 sats.
However, a user may by coincidence have a lot of UTXOs that are not economically unspendable but might be dust attacks, and in this case, depending on how many of them they have, sweeping all of them from their wallet may be considered waste.
Another case is that, depending on how sophisticated the attacker is, the attacker could send as much as 700 sats, so that the user is much more likely to spend it and less likely to suspect a dust attack UTXO, which increases the attacker's chances of succeeding in that attack.
Here is what Hoover does differently: Hoover divides dust into different types. UTXOs under the relay floor for a particular script type are automatically counted as dust, and since they are economically unspendable, they are added to the "psbt staging area".
Hoover goes further and inspects UTXOs up to an amount configurable by the user, trying to detect dishonest patterns from the source, and marks each UTXO in the list with a suspicion level. This lets a user know that a UTXO may be from a dust attack, even if it is not canonical dust. Some of the flags used to detect these dishonest patterns are:

  1. Dust UTXOs received on a change address: this could be dust, or it could be a bit more than a dust UTXO, but your change addresses should not receive UTXOs from external parties in the first place. A person should only know your change address if they have been monitoring your transactions on the blockchain. This particular flag is highly suspicious.

  2. Multiple of your addresses receiving dust from the same txid: this is also almost certainly from a dust attack, and the attacker has actually done their research well and almost accurately, and at this point, doing anything might help them finally achieve their goal. The suspicion on this flag is also very high.

Red flags in a transaction that indicate dust attack patterns

  3. Number of outputs of sending tx: this is another fingerprint of a dust attack. The outputs of the sending transaction are inspected. If a high ratio of these outputs is dust, it is almost certainly a dust attack. The suspicion on this flag is also high, but not as high as the previous two.

  4. Suspicious round value: in case it wasn't caught as the first type of dust, a UTXO whose value is too close to, or exactly at, the relay floor has to be inspected as a possible dust attack UTXO. Other methods are used to check, but being too close to the relay floor adds suspicion weight to the UTXO as well.

  5. Same address sending dust in more than one tx: catching dust from the same address more than once, even when not in the same transaction, is also a bad flag.

There are more flags Hoover uses for detection (some still being implemented), but the idea is the same: In what context did my wallet receive this UTXO? That will tell whether or not the UTXO is a dust-attack UTXO, even for UTXOs above the canonical dust threshold.
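
One way to turn the flags above into a score, as an added example in Rust (not Hoover's code): the `Utxo` type, the weights, the 10-sat closeness window and the "more than half" output ratio are assumptions, and the sample wallet is constructed.

```rust
use std::collections::{HashMap, HashSet};
const RELAY_FLOOR: u64 = 546; // the floor used in the article's example

// Constructed, simplified view of a received UTXO (hypothetical type, not Hoover's).
struct Utxo {
    txid: &'static str,    // funding transaction
    address: &'static str, // our address that received the output
    sender: &'static str,  // address that funded the transaction
    value: u64,            // sats
    is_change: bool,       // address derived from the internal (change) descriptor
    tx_outputs: Vec<u64>,  // every output value of the funding transaction
}

// Scores each UTXO at or below `ceiling` sats; the weights are illustrative assumptions.
fn score(utxos: &[Utxo], ceiling: u64) -> Vec<(usize, u32)> {
    let mut addrs_per_tx: HashMap<&str, HashSet<&str>> = HashMap::new();
    let mut txs_per_sender: HashMap<&str, HashSet<&str>> = HashMap::new();
    for u in utxos.iter().filter(|u| u.value <= ceiling) {
        addrs_per_tx.entry(u.txid).or_default().insert(u.address);
        txs_per_sender.entry(u.sender).or_default().insert(u.txid);
    }
    let small = utxos.iter().enumerate().filter(|(_, u)| u.value <= ceiling);
    small.map(|(i, u)| {
        let mut s = 0u32;
        if u.is_change { s += 40; } // received on a change address
        if addrs_per_tx[u.txid].len() > 1 { s += 40; } // several of our addresses, one txid
        let dusty = u.tx_outputs.iter().filter(|v| **v <= ceiling).count();
        if dusty * 2 > u.tx_outputs.len() { s += 25; } // sending tx is mostly small outputs
        if u.value.abs_diff(RELAY_FLOOR) <= 10 { s += 10; } // value hugs the relay floor
        if txs_per_sender[u.sender].len() > 1 { s += 15; } // same sender in more than one tx
        (i, s)
    }).collect()
}

// Constructed wallet: one tx dusting two of our addresses, a repeat sender, a normal payment.
fn sample() -> Vec<Utxo> {
    let u = |txid, address, sender, value, is_change, tx_outputs|
        Utxo { txid, address, sender, value, is_change, tx_outputs };
    vec![
        u("tx_a", "ext_1", "s1", 600, false, vec![600, 600, 600, 50_000]),
        u("tx_a", "chg_1", "s1", 600, true, vec![600, 600, 600, 50_000]),
        u("tx_b", "ext_2", "s2", 550, false, vec![550, 900_000]),
        u("tx_d", "ext_4", "s2", 700, false, vec![700, 40_000]),
        u("tx_c", "ext_3", "s3", 250_000, false, vec![250_000, 10_000]),
    ]
}

fn main() {
    for (i, s) in score(&sample(), 1_000) { println!("utxo {}: suspicion {}", i, s); }
}
```

None of the four scored UTXOs is below the 546-sat floor, so a plain threshold check would pass all of them; the context flags are what separate the change-address output (105) from the lone repeat-sender output (15).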

Conclusion

When dust attacks succeed, an attacker successfully clusters your addresses. The attacker now knows you hold significant amounts in bitcoin, and you become a target for extortion; kidnapping and ransom have happened to known Bitcoin holders. For an individual, transaction history exposure could expose salary, spending habits, and political donations. Every transaction you ever made or will ever make becomes readable in the context of your identity. Social engineering is also possible with this information in the hands of bad actors. They know when you received large amounts and which services you use, and can do terrible things, such as timely impersonation of such services.

What are some other flags you think would mean UTXOs probably are part of a dust attack campaign?