When I say mine you say Coinhive ⚒

January, 4th 2018

A few weeks ago I started an experiment, a quick-and-dirty proof of concept around cryptocurrencies and web mining.
I chose Coinhive to see what it was possible to do with this tool.
Here I write up the results of my experiments and the tests I made of this API. Before that, let’s sum up the principles of blockchains and Monero ⛏

Note: Coinhive is closed.

⛏ About blockchains & cryptocurrencies

I won’t write too many lines about blockchains and cryptocurrencies, because it’s not really a new concept (brought out in 2008 by Satoshi Nakamoto with Bitcoin), and I would also have to talk about the concepts of crypto-anarchism, cypherpunk and cryptography. So, let’s keep it short. And if you understand French-written slide decks, go here ;-D

Blockchains can be seen as distributed, decentralized ledgers or databases. No one owns a unique instance of the database; instead, a number of nodes are linked to each other through a peer-to-peer network. This aspect is one of the biggest advantages of the technology; the other is the impossibility of corrupting the data stored inside it, within “pages” of the ledger called blocks. Thanks to hash operations, the content of a block is unfalsifiable and durable: each block embeds the hash of the previous one, so if a block has been altered the following one will be too, and so on.
Several Proof of Work algorithms are built on these hash operations: Equihash for Zcash, Ethash for Ethereum, Hashcash for Bitcoin or CryptoNight for Monero. Ethereum will also get Proof of Stake instead of Proof of Work, but not today. This mathematical competition takes place between the nodes in order to choose the one which will be able to build the new block. The successful node then earns tokens (e.g. Bitcoin, Ether, Zcash, Monero or Dogecoin) and can spend them (e.g. on exchanges like Kraken, Changelly or Coinbase). Blockchains are public, and some of them (e.g. Monero, Dash and Zcash) can hide their data, such as transactions, fees, amounts of tokens used or owners. With some blockchains, instead of just exchanging tokens, it is possible to store programs and define decentralized applications (ÐApps), using Ethereum or EOS. Cryptocurrencies can be referred to by their acronyms: BTC, BCH, BTG, ETH, ETC, ZEC, XMR respectively for Bitcoin, BitcoinCash, Bitcoin Gold, Ether, Ether Classic, Zcash and Monero. Some of these altcoins exist in limited quantity (at most 21,000,000 for BTC) and some do not (XMR, ETH). Finally, altcoins are volatile and mainly used for speculation. And sometimes, there are funny crashes (see below).

Graph of values of BTC, ETH and XMR with a crash

(╯°□°)╯︵ ┻━┻ Ok buddy, and Coinhive? Soon, but first let’s talk about its currency: Monero.

⛏️ About Monero

Drawing about Monero

Monero is an open-source cryptocurrency launched in 2014. It is based on the CryptoNote algorithm, which protects privacy, contents and transactions. CryptoNote and the network in use, Kovri, obfuscate the data so as to make it nearly impossible for an intruder to see what happens. Technologically Monero is quite awesome: Kovri is based on I2P’s specifications, encryption is everywhere, and several mechanisms like Ring Signatures (hiding senders), Ring Confidential Transactions (hiding amounts of XMR in transactions) and stealth addresses (protecting the receivers of the transactions) have been set up with the aim of protecting the blockchain. Yes, Monero is one of the most badass of cryptocurrencies. According to Bitinfocharts (on 01/03/2017) the USD value of 1 XMR was $379.65, the time to wait before a new block was mined was around 2 minutes, the blockchain size was around 38 GB and the reward for the successful miner was around 5.5 XMR. Nice :)

(ノ`Д´)ノ Please guy, don’t make another boring article about Monero, I want Coinhive! Ok, now that we have introduced blockchains and Monero, let’s talk about Coinhive.

⛏️ “Hello Coinhive!”

Logo of Coinhive

What’s that?

I won’t write too long a paragraph about the history of Coinhive.
I will just say that this tool is quite well known today because of its use on Pirate Bay portals, and the Showtime case.
The idea behind it is to provide a new way of earning revenue: because more and more people use ad-blockers, it can be quite tricky to use advertisements to monetize a web site or an app. So, what if we could mine Monero while the users are visiting our product? That’s why Coinhive is here.

Coinhive offers a JavaScript miner for the Monero blockchain, and it is really easy to integrate into a web project. The miner runs in the browser and uses the CPU power of the users to try to mine new blocks. Because Web standards lack an API for it, GPUs are not really used with this API. Coinhive uses Monero because CryptoNight is lightweight, and also because the computational power needed to mine Monero can be moderate.
The formula for the payouts is quite simple: Coinhive keeps around 30% of the benefits, and the remaining 70% goes to the developer:
(solved-hashes / global-difficulty) * block-reward * 0.7

So, what are the features?

First, proof of work captchas!

Coinhive is not just another miner for Monero, or a tool for pirates, or whatever the press may say. The project offers a new kind of captcha using… Proof of Work!
Instead of having to type a barely readable keyword, or click on ugly cars across several pictures, this captcha system makes users (in fact their browsers) compute a defined number of hashes in order to submit a form. Spam is prevented, it is far less boring than old-school captchas, and it might make developers earn a bit of Monero. Usage is quite simple: add a reference to a script in the HTML, add a div with the amount of hashes and the data key, and that’s all. The div will be replaced by additional content within an iframe.
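
What the server has to check when a form is gated by proof of work, as an added example that is not from the original article and not Coinhive's code: a hashcash-style scheme stands in for Coinhive's closed implementation, with the difficulty in bits playing the role of the amount of hashes. The secret, the challenge lifetime and all function names are assumptions made for the example.

```javascript
// Added example: hashcash-style proof-of-work captcha (not Coinhive's code).
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('crypto');

const SECRET = 'constructed-demo-secret'; // hypothetical server key, never sent out
const TTL_MS = 120000;                    // assumed challenge lifetime
const spent = new Set();                  // ids of challenges already redeemed

const sign = (body) => createHmac('sha256', SECRET).update(body).digest();

// Server: signed challenge "id.bits.expiry.mac"; bits sets the expected work.
function issueChallenge(bits, nowMs) {
  const body = `${randomBytes(8).toString('hex')}.${bits}.${nowMs + TTL_MS}`;
  return `${body}.${sign(body).toString('hex')}`;
}

// Leading zero bits of SHA-256(challenge:nonce).
function work(challenge, nonce) {
  let n = 0;
  for (const byte of createHash('sha256').update(`${challenge}:${nonce}`).digest()) {
    if (byte !== 0) return n + Math.clz32(byte) - 24;
    n += 8;
  }
  return n;
}

// Browser side: brute-force a nonce, about 2^bits hashes on average.
function solve(challenge) {
  const bits = Number(challenge.split('.')[1]);
  for (let nonce = 0; ; nonce++) if (work(challenge, nonce) >= bits) return nonce;
}

// Server: a single hash to verify, after signature, expiry and replay checks.
function verify(challenge, nonce, nowMs) {
  const [id, bits, expiry, mac] = challenge.split('.');
  const given = Buffer.from(mac || '', 'hex');
  const expected = sign(`${id}.${bits}.${expiry}`);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return 'bad-signature';
  }
  if (nowMs > Number(expiry)) return 'expired';
  if (spent.has(id)) return 'replayed';
  if (work(challenge, nonce) < Number(bits)) return 'insufficient-work';
  spent.add(id);
  return 'ok';
}
```

The signature lets the server trust the difficulty and expiry it reads back from the client, and the `spent` set is what stops one solved challenge from submitting the form many times.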

Second, proof of work shortlinks!

Coinhive provides a feature related to shortlinks. Instead of using GAFA’s or other well-known URL shorteners (please, consider using Frama.link), it is possible for the developer to define a short link with which users have to solve a number of hashes before being automatically forwarded to the target URL. This is quite interesting as a way to prevent spam, click-bots or overly curious spies.

Usage is very simple: add the short link to your text content, and when the user clicks on it, a new page opens in their browser showing the state of the process.

Third, Monero mining — the clean way

The last feature, and the best known, is mining.
After having defined public and private keys for the API, developers can integrate JavaScript glue and/or HTML components in a web page so as to set up the miner. In fact, it is a better idea to ask the user to allow the mining process, but on 01/03/2018 it remains possible to mine Monero silently. Using this feature is as simple as the captcha feature: add a div to your page, add a script and that’s all. The div will contain an iframe with the miner widget. The widget itself is customizable, especially the colors, the number of threads to use and the throttle. The higher the throttle is, the busier the CPU will be.

... and the clean-or-not way.

Coinhive allows developers to use pure JavaScript glue to mine Monero instead of using widgets. This is the kind of tool some websites used, in a dirty way I won’t show here. The cleaner way is to use the API which asks the user to allow the mining process. It is better to have resilient users choosing whether or not you can mine than to lose a lot of them because of ninja mining. The code to inject is as simple as the others:

However, the absence of a GUI does not mean that users cannot see the miner working. Indeed, if we look deeper with the task manager of the browser, we can see that something is keeping the web page quite busy. But no more details are available :-/
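
The miner can also be spotted without the task manager. As an added example (not code from the original article), this static check scans a page's HTML for a script loaded from a miner host or for an inline miner constructor call. The host names and constructor names are not taken from this page and are assumed here; the sample pages are constructed.

```javascript
// Added example: static scan of page HTML for browser-miner indicators.
// Assumed indicators, not taken from the article: script hosts and constructors.
const MINER_HOSTS = ['coinhive.com', 'authedmine.com'];
const MINER_CTOR = /\bCoinHive\.(Anonymous|User|Token)\s*\(/;

function findMinerIndicators(html) {
  const findings = [];
  // 1. External scripts served from a listed host or one of its subdomains.
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = scriptSrc.exec(html)) !== null) {
    let host;
    try {
      // Resolve relative and protocol-relative URLs against a dummy origin.
      host = new URL(m[1], 'https://page.invalid/').hostname.toLowerCase();
    } catch (err) {
      continue; // unparsable src attribute: nothing to compare
    }
    if (MINER_HOSTS.some((h) => host === h || host.endsWith('.' + h))) {
      findings.push({ type: 'script-src', value: m[1] });
    }
  }
  // 2. Inline code that instantiates a miner object.
  const ctor = MINER_CTOR.exec(html);
  if (ctor) findings.push({ type: 'constructor', value: ctor[0] });
  return findings;
}

// Constructed sample pages (placeholders, not real site keys).
const PAGE_WITH_MINER = `<html><body>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.User('SITE_KEY_PLACEHOLDER', 'user-1');</script>
</body></html>`;
const PAGE_CLEAN = `<html><body>
<script src="/js/app.js"></script>
<script src="https://notcoinhive.com/lib.js"></script>
</body></html>`;

console.log(findMinerIndicators(PAGE_WITH_MINER));
console.log(findMinerIndicators(PAGE_CLEAN));
```

Host matching is done on the parsed hostname rather than on a substring, so a look-alike domain such as the one in the clean sample is not reported.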

And a dashboard.

Finally, Coinhive has a clean dashboard which sums up the hashrate (hashes/s), the total number of hashes and the pending payments. It also lists the “sites” you have defined (here “dwarf”, defined for the demo on my web site). You can easily see that with this demo I’m not rich at all, and the XMR gain I may have will not refund the power supply costs. But who cares? It’s just for the beauty of proofs of concept :)

⛏️ Enter the noise of the hive

Thus, and this is the purpose of this article, I tried the mining feature of Coinhive. I made it in a quick-and-dirty way, hid it in a dedicated location on my web site, and here I am. I tried this feature with 2 smartphones and 2 laptops using Firefox as the web browser. I used the same configuration: 4 threads and 100% of speed (i.e. 1.0 for the throttle). The tests lasted around 1 hour. I chose this duration so as to be closer to a use case where someone watches a video on a streaming platform or uses their favorite web application (social network, tool in the cloud, etc.). Below are the specifications of the devices.

I put below the resulting hashes of each device. I can say I made these tests with only the miner and no other application open. The devices have not been rooted, jailbroken or overclocked. The miner in use was the UI miner.

⛏️ And so what?

I can say that if I want to make users of web projects mine Monero using Coinhive, I will make it possible if they are using computers and not smartphones. With computers there are higher hashrates, and maybe they can make me earn Monero tokens if the hashes are successful. But with all the latest flagships from OEMs, I think it might be interesting to mine with them. Look at the specifications of the iPhone X, the Samsung Galaxy S8 or the Huawei Mate 10, it could be worth it :)

I will make new tests with new parameters so as to have better outputs :) Moreover, I want to look deeper into the browser so as to find more traces and logs related to the miner. Coinhive is not open source, and I am the kind of person who wants to look deeper in order to trust the tools I use. I would like to make new tests with the pure JavaScript miner, using Chrome, Opera, Safari and Edge. It may be interesting to make tests with several durations and mining speeds so as to find the right combination, one which makes it possible to mine Monero units without impacting the users too much. In addition, I noticed that the fans of the laptops were noisy, and the smartphones were quite hot. So it has an impact on power consumption and on the temperature of the components. It may be interesting to keep an eye on these elements in future tests.

The API of Coinhive is both really interesting and easy to use, and to my mind it is not such a bad example of what we can do with blockchains. Preventing spam, earning money for side projects or news websites, monetizing a web site even if users block advertisements: these are interesting uses. We can also integrate Coinhive into open-source projects or associations so as to help them earn money and buy some supplies, for example.

Indeed, malicious people and malware can use the API to earn money silently, but I believe that is not a good reason at all to forbid this kind of tool.

Let’s see what will be the next cool features! ~=[,,_,,]:3