Using a world clock external to the network is trusting an oracle (aka 3rd party).
Zcash could limit the maximum amount the clock can be advanced, and reset it to that limit when a block with an advanced timestamp comes in. I think bitcoin added a limit of 2 hours very early on, and itâs probably still used. By doing this, it will limit how many blocks can be stolen, and it will add a limit to how fast the difficulty can drop. That is the reason for not making a shorter limit: if the difficulty needs to drop, you need to let drop by allowing the miner assign the correct time if it took a long time to solve the block. As a first guess, Zcash should use 1/4 what bitcoin did, which would be 30 minutes. Then he would not have been able to add 3000 seconds each time.
But there is already a limit of the difficulty dropping in Zcash, 16%. I have advised them to remove these limits (especially the up limit) because they switched to a good averaging method, but theyâre keeping the limits, which will enable all types of attacks to go on longer. This attack doubles the number of blocks stolen by keeping the limit to 8% rise per block. The reason for the limits no longer exist, which I explained at the same time I explained why they needed to go to an average of the past difficulties instead of last block (to remove the oscillations). The limits are no longer reducing the oscillations because any current oscillation is a real oscillation. The limits are uniquely helping attackers.
However, the limit going down does not directly enable more blocks to be stolen like the limit going up. It prevents other miners from getting something closer to a fair share when the attack stops. A limit of 2 hours between blocks with the selected averaging period of 17 blocks enables a maximum forced drop in difficulty to be about 1 - (2.5 min x 17) / (120 min + 2.5 x 16)= 70%. But if a 16% drop per block is going to be the limit, then it can be used to limit a time warp attack like this in an unexpected way:
As a first try to show to show what is simple but not good enough, solve for a fixed MaxTimeStamp advance to force no newest block. âSimpleâ means it will assume past blocks were coming in at average time: 0.16 = 1- (2.5 x 17) / (x + 2.5 x 16) => x = 10.5 minute max allowed time to next blockâs timestamp. But if an attacker does several N blocks in a row with a timestamp advanced 10.5 minutes ahead of the last, the difficulty will drop by 0.84^N and the time will advance ahead further, at some point enabling retarding times again to get blocks. This is not good so the max time needs to be adjusted dynamically: back-calculate max allowed next-block-time (and re-assign timestamp if exceeded) with:
0.16 = 1 - (2.5 x 17) / ( maxTimeStampIncrease + avgPast16TimeStampIncreases x 16)
And if solve time since last block is negative, assign timestamp as if solve time was average of past 17 blocks. This does not stop users colluding to always assign the max timestamp and thereby constantly lowering difficulty by 0.84^N until itâs free to everyone as fast as latency allows and the network thinks it is the year 1,000,000. Even with this protection, Someone reaching 33% network hashrate could still get difficulty to drop 0.95 per block indefinitely, providing free blocks to everyone within 3 hours. Itâs not more profitable anymore than their hashrate unless they have the lowest latency, but it would put a coin on an issuing schedule I think that is 4x faster. With a 2 hour limit, issuing I think could be 120 / 2.5 = 50x faster, destroying the coin. Has this been employed?
I believe this also removes need for using the median of past solve times in calculating the difficulty and the average can be used, which will reduce the errors and swings in difficulty and times to solve under normal non-attack conditions.
Problem solved?
To help more, remove the 8% up limit, which will infrequently be exceeded unless thereâs an attack, in which case it needs to raise.