I'm working on my own blockchain (not specifically bitcoin) implementation just to wrap my head around everything. One thing I'm not getting that also wasn't answered by the source code is how you check timestamps.
I understand the whole network time = median offset + local time thing, however I'm a bit fuzzy on how you check timestamps on previous blocks when you're initially downloading the chain. How do you know that you need to check the timestamp if you can't know if you're on the latest block?
You need to check two things. First you need to check that this block had a timestamp higher than the median of the past 11 blocks (it's a consensus rule). Second you need to check that the timestamp is not unacceptably far in the future. For historic blocks, it definitely won't be because the timestamp will be far in the past (as the block was created far in the past).
Latest block or not, it just needs to follow those rules. That does mean it's possible for a block with an invalid timestamp to become valid after some time has passed. But if it is invalid, nobody will be mining on it, so it's unlikely to remain part of the longest chain.
Wouldn't you only need to verify proof-of-work on the largest chain? Largest meaning the highest cumulative difficulty rather than number of blocks.
If you include a timestamp in each block, just have each node simply reject times that are out of order or too far from the current time, which will prevent people from mining on an invalid chain. "Current time" meaning nothing more than a few minutes in the future of now. Yes, even when dealing with an old chain.
Here is how it works:
If an invalid or malicious person spends hashrate to mine a block with a bad date, all the nodes in the network will see it and reject the block.
Because the block is rejected, everyone else keeps attempting to mine the same block, but with the correct timestamp. The window is: greater than the last block, less than a couple minutes from now.
Because most miners are on non-malicious nodes, they eventually produce a longer chain than the chain with the bad timestamp.
Because this good chain is longer, new nodes that sync the blockchain from scratch would simply pick the longest of the available chains (which is the good one).
This could still go wrong if the attacker has a large amount of hashrate (or luck) for an extended period of time, but this gets very expensive very fast. This is why it is sometimes good to wait a few blocks before assuming consensus.
In my toy blockchain implementation, I just went with two constraints:
1) every timestamp must be strictly larger than the one of the previous block (this makes difficulty calculation easier)
2) timestamps may not be in the future (except for a little wiggle room for unsynchronized clocks)
My reasoning was roughly as follows:
Miners are incentivized to pick very large timestamps, because the longer it takes to mine X blocks, the easier becomes the proof of work they need to solve, giving them more block rewards and transaction fees in the long run. But if they want the network to accept their blocks, they can't pick timestamps in the future, so the best they can do is pick the current time as their timestamp.
Your method is easily exploited by a malicious miner. Clocks across the network are going to have some inherent amount of skew. By forcing blocks to have incrementing timestamps and also by refusing to accept blocks in the future, you have made it easy for me as a miner to commit abuse. Instead of picking the exact current time, I will pick a time that is as far in the future as the network allows (taking full advantage of the wiggle room).
Because other miners are required to use a higher timestamp for their block to be valid, they have no ability to correct my outlier time. You have essentially allowed me to put the blocktime permanently forward by the allotted wiggle room, and also you have allowed me to consume all that space you allocated for miners who have clock skew.
It's overall a small attack, but highlights that even tiny decisions can have consequences that impact security. Bitcoin accounts for this by requiring that timestamps be greater than the median of the past 11 blocks, and that's enough to prevent one evil miner from forcing the block times forward for all blocks.
Yes, if the next block by an honest miner is very quick it will pick a timestamp of (wrong_timestamp + 1) instead of the actual time, but after a few blocks they will certainly able to use the correct time again.
But even if all miners decide to do as you say and always pick a date slightly in the future but inside the wiggle room, all that they achieve is a one-time very slight difficulty decrease, but by the next difficulty adjustment that's already lost because by then both the start date and end date of the period are offset by the same amount into the future.
It significantly increases the risk of network forks for people who don't have completely correct clocks. If a merchant has a clock that is off by 1 hour (they didn't adjust properly for daylight savings perhaps, or maybe they just have a really crappy clock), then it's possible they will not even be seeing the most recent 6 blocks, as all of them are 2 hours in the future (3 hours as seen by the merchant).
There are consequences to having blocks that are permanently set forwards beyond a one-time difficulty decrease of 0.6%.
AFAIK you don't need to check historical timestamps (beyond sanity checks) during initial block download (IBD).
What you need to consider is whether an attacker can manipulate historical timestamps to get you to follow the wrong blockchain. The answer is, they can't.
The only thing manipulating historical timestamps would accomplish is allow the attacker to change the historical difficulty of their alternative blockchain. But that doesn't enable them to add additional proof of work. The amount of total proof of work they can add to an alternative blockchain is not dictated by difficulty, but merely by how much hashrate they have poured into the chain.
Since total proof of work for a chain is the metric by which the "correct" blockchain is established we can conclude that manipulating historical timestamps doesn't make it any easier for an attacker to get you to follow their chain.
That's for IBD. Obviously you need to verify timestamps after IBD, since timestamps are used to adjust difficulty and that's a consensus critical rule.
A block's timestamp is frozen in its hash, which is validated by any node receiving a block (whether during initial block download or otherwise). Bitcoin and tinychain don't accept blocks with a timestamp in the future beyond some threshold (in both cases 2 hours).
I'd assume the correct thing to do is a vector clock, where each blocks time stamp is nothing more than a offset from the previous blocks.
It's easy to get most machines in agreement with how long a second is, but it's very very hard to get all nodes in agreement to what the exact time is.
I understand the whole network time = median offset + local time thing, however I'm a bit fuzzy on how you check timestamps on previous blocks when you're initially downloading the chain. How do you know that you need to check the timestamp if you can't know if you're on the latest block?