What is Your Opinion on How HIVE-Engine Handled Attacks Against It?

in #cryptocurrency, 3 days ago

Evil exists in the world and it manifests in many different ways. Sometimes there are horrors and atrocities, and at other times there are roadblocks against good things. Decentralized projects are attacked repeatedly, in many places and in many ways. Through our fights against these attacks we can build resilience, like an immune system that gets stronger each time it survives a disease. Although it is not the end of the world, HIVE-Engine has been getting attacked for some time.

Free transactions made the attack easier: the attacker simply rented Resource Credits whenever they ran low. This is one of the few downsides of making a blockchain as cheap as possible to use. Overall I think the steps taken are necessary, and most users are not affected by them.


Response From @aggroed on Discord

Hive Engine users, for the past several months Hive Engine has been experiencing a consistent spam attack. Malicious users are deliberately putting multiple transactions per block and spamming them from multiple accounts frequently in an effort to delay block processing and disturb regular use of Hive Engine. This has at times knocked witnesses out of rotation, delayed processing times, gotten RPCs off track, and caused other similar problems.

Our first approach to squash this malicious spam was to simply limit the number of transactions that a user could put in a single block. That has been an effective measure to slow the attack, but it didn't fully solve the problem as we've noticed an increase in annoying spam meant to cause delays processing blocks even with this transaction limit per block. These asshats simply made more accounts.

As a second approach we're implementing a transaction fee into hive engine transactions. Human users will not be impacted. This fix is going live on Monday May 26th, 2025. From that day forward any time an account requests multiple transactions in the same block (which is something only bots do) it will carry a 0.001 BEED/tx fee. You need to simply have BEED in your account and the contract will burn the appropriate amount of BEED at the time the multi-tx transaction occurs. If the account does not have the appropriate amount of BEED then the transactions will be denied.

If you don't know what BEED is, it's an HBD equivalent for the hive engine platform. Users can burn a dollar's worth of $bee (currently near 10 BEE) and receive a $BEED coin designed to have a stable value near $1/BEED. It's similar to how users can convert a certain amount of hive (currently near 4) into 1 HBD. Impacted users can purchase BEED on the market or use the BEE Dollar contract to convert BEE to BEED.

In the near future we'll be increasing the fee per transaction, but also allowing accounts to join a multi-tx exception list on a monthly basis that enables an account to not have to pay this fee. The anticipated monthly cost is 10 BEED. The new multi-tx cost will increase to 0.1 BEED/TX/block (if you have 18 TX in a block you'll have to pay 1.8 BEED to process it, or 10 BEED/month to join the list and skip the requirement). This is admittedly meant to encourage all the bots to sign up for the monthly cost and help us track the activity of all the bots to make it easier to look for spam, abuse, and harm.

This monthly cost is not meant to be punitive to the current bot users. It's also not meant to impact human users, as humans do not perform multi-tx transactions. If your bot can't generate $10 worth of value every month it doesn't make sense for us to host the transactions anyway, or you can simply space your bot's transactions out over time via single-transaction blocks. While this is a minor financial inconvenience to someone with a handful of bots (and actually seems appropriate to charge high transaction volume users a small use fee; the fee goes to BEE holders and not @ hive-engine), it is in fact a major financial inconvenience to someone with a large botnet and bad intentions towards Hive Engine, as every bot spamming the platform will incur costs.

Further, we're introducing a "throttle list," which brings accounts down to 1 transaction per day. Accounts that are purposefully spamming Hive Engine with repetitive, random, or intentionally harmful transactions which appear to generate no value for Hive Engine or Hive Engine users will be put on the throttle list and may only do 1 transaction per day. Changing witness votes with 200 hundred accounts a thousand times a day per account is an example of repetitive transactions with no value to hive engine. Bots that have paid for the monthly access simply to spam will find that their access to the list is cut off and their account is instead placed on the throttle list. The goal is not to block or steal assets. The point is to make sure accounts intentionally causing harm are blocked from doing so. We may later include a complete blackout list which would disable all transactions for a fiercely malicious account or botnet of them, but for now our next step is to limit to 1 tx per day.

The throttle list is part of a contract, and contracts on Hive Engine are centralized. The @ hive-engine account and other accounts deputized by @ hive-engine can add and remove accounts from this list. It is however part of a contract and requires witnesses to allow hive-engine to add or remove names from the list. If I or the deputies abuse this, or for any reason the witnesses deem appropriate, they can block the @ hive-engine account, its deputies, or the contract specifically from being updated. This balance allows for fast reaction time via a centralized authority, but also a distributed authority to make sure the central authority isn't abusing this power to stop bots generally from contracting on the Hive Engine platform.

This still leaves the possibility that one bad actor may create a hundred thousand accounts and spam 1 transaction per account per day, but there are other costs associated with creating and enabling 100,000 accounts such that we think the risk is currently low for that kind of attack.

I'd like to thank the witnesses generally for their discussion on this topic as we designed a system with low impact on human users that could stop malicious bots from their network spam. I would like to thank endecs, bamlolx, and drewlongshot for coding this update, and eonwarped for reviewing and helping to implement it.

If you feel that you or your bot are going to be adversely affected:

  • You can move your bot to single transactions and not face any fees.
  • You can hold BEED in your account and pay the 0.001 BEED fee per transaction you log in a single block.
  • You can contact me directly to be added manually to the multi-tx exception list where if you're on it your account does not have to pay the 0.001 BEED fee per transaction in a block (we're adding the feature where you can pay 10 BEED per month or in advance and keep your spot on this list, but it's all manual as of the deployment in a week)
  • You can stop your bot if it's not producing 10 BEED worth of value in a month but doing tens of thousands of transactions
  • You can stop purposefully spamming us with worthless transactions simply to cause harm to the platform, or continue to do it for fun but with a new price for that enjoyment.

We've received some initial feedback on our plans and are adapting slightly. Many well-meaning community bots distribute rewards and are heavily reliant on tokens-stake, tokens-transfer, and tokens-issue. Upon initial release we're excluding those three transaction types from the multi-tx fee requirements. These specific transactions are all lightweight in terms of processing time and are not a suspected primary attack vector. We'll monitor after the initial rollout, and if we decide to ultimately include these 3 token contract actions we'll give 30 days or more notice at such time.
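To make the announced rules concrete, here is an added example (my own illustration, not Hive Engine's contract code) that evaluates one block of transactions against the policy described above: the 0.001 BEED fee per transaction whenever an account has more than one non-exempt transaction in a block, denial when the account holds too little BEED, the three exempt token actions, the multi-tx exception list, and the throttle list limit of 1 transaction per day. The block layout, account names, non-exempt action names such as `market-sell`, and the in-memory `state` object are assumptions for the example; BEED is tracked in integer thousandths so fee arithmetic stays exact.

```javascript
// Added example: evaluator for the Hive Engine anti-spam rules described above.
// Not Hive Engine's own code; data layout and action names other than the three
// exempt token actions are constructed for illustration.

const MULTI_TX_FEE_MILLI = 1;             // 0.001 BEED per tx, stored as integer milli-BEED
const THROTTLE_LIMIT_PER_DAY = 1;         // throttled accounts may do 1 tx per day
const FEE_EXEMPT_ACTIONS = new Set(['tokens-stake', 'tokens-transfer', 'tokens-issue']);

/**
 * Evaluate the transactions of one block against the policy.
 * txs:   [{ account, action }] in block order (constructed sample)
 * state: { balances: {account: milliBEED}, exceptionList: Set, throttleList: Set, dailyCount: {account: n} }
 * Returns accepted/denied lists, total BEED burned (milli), and the updated balances/counters.
 */
function evaluateBlock(txs, state) {
  const result = { accepted: [], denied: [], burnedMilli: 0 };
  const balances = { ...state.balances };
  const dailyCount = { ...state.dailyCount };

  // Count non-exempt txs per account; the fee only applies when that count exceeds one.
  const feeable = {};
  for (const tx of txs) {
    if (!FEE_EXEMPT_ACTIONS.has(tx.action)) feeable[tx.account] = (feeable[tx.account] || 0) + 1;
  }

  for (const tx of txs) {
    // Throttle list is checked first: 1 tx per day, regardless of fees or lists.
    const throttled = state.throttleList.has(tx.account);
    if (throttled && (dailyCount[tx.account] || 0) >= THROTTLE_LIMIT_PER_DAY) {
      result.denied.push({ ...tx, reason: 'throttled' });
      continue;
    }
    // Fee is due only for non-exempt actions, multi-tx accounts, and accounts not on the exception list.
    const feeDue = !FEE_EXEMPT_ACTIONS.has(tx.action)
      && (feeable[tx.account] || 0) > 1
      && !state.exceptionList.has(tx.account);
    if (feeDue && (balances[tx.account] || 0) < MULTI_TX_FEE_MILLI) {
      result.denied.push({ ...tx, reason: 'insufficient BEED' });
      continue;
    }
    // Accepted: apply side effects only now, so a denied tx never consumes quota or BEED.
    if (throttled) dailyCount[tx.account] = (dailyCount[tx.account] || 0) + 1;
    if (feeDue) {
      balances[tx.account] -= MULTI_TX_FEE_MILLI;   // burned, not transferred
      result.burnedMilli += MULTI_TX_FEE_MILLI;
    }
    result.accepted.push(tx);
  }
  return { ...result, balances, dailyCount };
}

// Constructed sample block covering each rule: a human, a bot that runs out of BEED,
// a reward bot using exempt actions, an exception-list account, and a throttled spammer.
function runSample() {
  const state = {
    balances: { bot1: 2 },                       // bot1 holds 0.002 BEED: enough for two fees
    exceptionList: new Set(['vip']),
    throttleList: new Set(['spammer']),
    dailyCount: { spammer: 1 },                  // spammer already used its one tx today
  };
  const block = [
    { account: 'alice', action: 'market-buy' },
    { account: 'bot1', action: 'market-sell' },
    { account: 'bot1', action: 'market-sell' },
    { account: 'bot1', action: 'market-sell' },  // third tx: no BEED left, denied
    { account: 'rewards', action: 'tokens-transfer' },
    { account: 'rewards', action: 'tokens-transfer' },
    { account: 'rewards', action: 'tokens-transfer' },
    { account: 'vip', action: 'market-buy' },
    { account: 'vip', action: 'market-buy' },
    { account: 'spammer', action: 'witness-vote' },
    { account: 'spammer', action: 'witness-vote' },
  ];
  return evaluateBlock(block, state);
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = runSample();
  console.log(`accepted=${r.accepted.length} denied=${r.denied.length} burned=${r.burnedMilli / 1000} BEED`);
  for (const d of r.denied) console.log(`denied ${d.account} ${d.action}: ${d.reason}`);
}
```

Running it shows 8 accepted transactions, 3 denied (bot1's third sell for lack of BEED and both spammer votes as throttled), and 0.002 BEED burned. Checking the throttle before the fee, and applying side effects only on acceptance, mirrors the message's point that a denied transaction should cost nothing and a throttled account cannot buy its way past the daily limit with BEED.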

Join Discord for More Information

I must warn you that Discord is one of the worst social media websites for your privacy. Make sure to use it sparingly and aimed at learning more about the projects and getting technical support when necessary.