How to check if my mining pool is stealing my hashrate?

Identifying Hashrate Theft in Mining Pools

1. Compare your local hashrate monitor output with the pool dashboard. Run xmrig or lolMiner with verbose logging enabled and record the accepted shares per minute over a 30-minute window. Cross-check this against the pool’s reported hashrate for your worker ID during the same interval.

2. Inspect Stratum protocol traffic using wireshark filtered for port 3333 or 4444. Look for repeated mining.submit responses with status 'false' or 'duplicate' without corresponding mining.set_target updates — these indicate rejected shares not logged on your end but potentially counted elsewhere.

3. Verify share difficulty alignment. A legitimate pool assigns work with difficulty matching your declared hashrate. If your ASIC reports 120 TH/s but the pool consistently sends jobs at 0.5 G difficulty while peers at 100 TH/s receive 8 G jobs, the pool may be throttling your submissions.

4. Audit payout history against share count. Calculate expected BTC/ETH payout using the formula: (your shares / total pool shares) × block reward × (1 − pool fee). Discrepancies exceeding ±3% across three consecutive payouts warrant investigation.

5. Monitor connection persistence. Selfish mining pools sometimes drop low-performing workers mid-round. If your miner repeatedly reconnects within 90 seconds of submitting a valid share — especially when no network outage is observed — it may signal intentional disconnection to suppress your contribution.

Stratum Protocol Anomalies as Red Flags

1. Observe timestamp skew in Stratum messages. When mining.notify payloads arrive with server timestamps more than 5 seconds older than your system clock, it suggests the pool server is manipulating job issuance timing to misalign your nonce search space.

2. Detect cookie reuse across sessions. The mining cookie should change on every new mining.subscribe. Reuse of the same 8-byte cookie across multiple reconnections implies session impersonation or replay attacks targeting your worker identity.

3. Spot inconsistent job IDs. Valid Stratum requires monotonically increasing job_id values per worker. Jumping from job_id=7a3f to job_id=1c2b then back to job_id=7a40 signals job queue manipulation or parallel submission hijacking.

4. Check for missing mining.set_extranonce after subscription. This message must appear once per connection to initialize your extranonce space. Its absence forces your miner to use static nonces, drastically increasing duplicate share probability and enabling pool-side filtering.

Hardware-Level Verification Methods

1. Deploy an inline Stratum proxy like stratum-proxy between your miner and pool. Log all inbound and outbound JSON-RPC messages. Filter logs for 'id':null responses — these represent unsolicited pool-initiated commands that bypass your miner’s logic and may inject false difficulty adjustments.

2. Capture ASIC firmware telemetry via JTAG or UART debug pins. Compare raw chip-level hash attempts per second against pool-reported values. Discrepancies >7% suggest firmware-level interception or instruction injection by compromised pool firmware images.

3. Use power metering on the ASIC PSU. Correlate real-time wattage spikes with share submission timestamps. A consistent 120W spike every 2.3 seconds aligned with mining.submit confirms physical hashing activity; absence during claimed high-hash intervals indicates virtualized or throttled operation.

4. Validate nonce distribution entropy. Collect 10,000 accepted share nonces and run NIST SP 800-22 tests. Legitimate PoW yields uniform distribution. Skewed histograms — especially clustering near zero or max uint32 — indicate nonce truncation or pool-side forgery.

Common Misconfigurations Mistaken for Theft

1. Incorrect worker name formatting causing automatic rejection. Some pools require underscore-separated names like worker_01, while others reject anything containing dots or hyphens. A malformed name results in silent discard of all shares.

2. Stale share submission due to clock drift. If your miner’s system clock is off by more than 30 seconds from NTP-synchronized pool servers, submitted shares are marked stale and excluded from reward calculations without notification.

3. Firewall-induced packet fragmentation. Over-aggressive MSS clamping on home routers splits Stratum mining.submit payloads across multiple TCP packets. Pools rejecting fragmented submissions log them as invalid without exposing the root cause.

4. GPU memory overclock instability. Memory errors on AMD RX 6800 XT cards under sustained load produce corrupted share payloads. These fail SHA validation server-side but appear as “accepted” in local miner logs due to premature success flags.

Frequently Asked Questions

Q: Can a pool manipulate my hashrate without changing my worker statistics?Yes. Pools can assign lower-difficulty jobs selectively, inflate your displayed hashrate using smoothed averages while discarding high-value shares, or route your submissions through delayed relay nodes to artificially reduce effective participation in block-finding rounds.

Q: Does SSL/TLS encryption on Stratum prevent hashrate theft?No. TLS secures transport but does not validate job integrity. An attacker controlling the pool server can still issue malformed targets, reuse cookies, or drop submissions before encryption — all undetectable by TLS alone.

Q: Why do some pools show higher hashrate than my ASIC’s spec sheet?This occurs when pools apply rolling average smoothing over 10–15 minutes and include orphaned or stale shares in short-term calculations. It does not reflect actual computational contribution to block discovery.

Q: Is it possible to detect theft if the pool uses custom Stratum extensions?Yes. Custom extensions must still comply with JSON-RPC 2.0 framing. Analyze message frequency, payload size variance, and response latency outliers. Extensions lacking documented open specification often conceal nonce suppression or difficulty spoofing logic.