Alpesh Bhudia,Anna Cartwright,Edward Cartwright,Darren Hurley-Smith,Julio Hernandez-Castro

2023-08-01

Abstract:Consensus algorithms facilitate agreement on and resolution of blockchain functions, such as smart contracts and transactions. Ethereum uses a Proof-of-Stake (PoS) consensus mechanism, which depends on financial incentives to ensure that validators perform certain duties and do not act maliciously. Should a validator attempt to defraud the system, legitimate validators will identify this and then staked cryptocurrency is `burned' through a process of slashing. In this paper, we show that an attacker who has compromised a set of validators could threaten to perform malicious actions that would result in slashing and thus, hold those validators to ransom. We use game theory to study how an attacker can coerce payment from a victim, for example by deploying a smart contract to provide a root of trust shared between attacker and victim during the extortion process. Our game theoretic model finds that it is in the interests of the validators to fully pay the ransom due to a lack of systemic protections for validators. Financial risk is solely placed on the victim during such an attack, with no mitigations available to them aside from capitulation (payment of ransom) in many scenarios. Such attacks could be disruptive to Ethereum and, likely, to many other PoS networks, if public trust in the validator system is eroded. We also discuss and evaluate potential mitigation measures arising from our analysis of the game theoretic model.

Computer Science and Game Theory,Cryptography and Security

Caspar Schwarz-Schilling,Joachim Neu,Barnabé Monnot,Aditya Asgaonkar,Ertem Nusret Tas,David Tse

DOI: https://doi.org/10.48550/arXiv.2110.10086

2021-10-20

Abstract:Recently, two attacks were presented against Proof-of-Stake (PoS) Ethereum: one where short-range reorganizations of the underlying consensus chain are used to increase individual validators' profits and delay consensus decisions, and one where adversarial network delay is leveraged to stall consensus decisions indefinitely. We provide refined variants of these attacks, considerably relaxing the requirements on adversarial stake and network timing, and thus rendering the attacks more severe. Combining techniques from both refined attacks, we obtain a third attack which allows an adversary with vanishingly small fraction of stake and no control over network message propagation (assuming instead probabilistic message propagation) to cause even long-range consensus chain reorganizations. Honest-but-rational or ideologically motivated validators could use this attack to increase their profits or stall the protocol, threatening incentive alignment and security of PoS Ethereum. The attack can also lead to destabilization of consensus from congestion in vote processing.

Cryptography and Security

Z. Motaqy,G. Almashaqbeh,B. Bahrak,N.Yazdani

DOI: https://doi.org/10.1007/978-3-030-90370-1_16

2021-09-24

Abstract:Smart contract-enabled blockchains allow building decentralized applications in which mutually-distrusted parties can work together. Recently, oracle services emerged to provide these applications with real-world data feeds. Unfortunately, these capabilities have been used for malicious purposes under what is called criminal smart contracts. A few works explored this dark side and showed a variety of such attacks. However, none of them considered collaborative attacks against targets that reside outside the blockchain ecosystem. In this paper, we bridge this gap and introduce a smart contract-based framework that allows a sponsor to orchestrate a collaborative attack among (pseudo)anonymous attackers and reward them for that. While all previous works required a technique to quantify an attacker's individual contribution, which could be infeasible with respect to real-world targets, our framework avoids that. This is done by developing a novel scheme for trustless collaboration through betting. That is, attackers bet on an event (i.e., the attack takes place) and then work on making that event happen (i.e., perform the attack). By taking DDoS as a usecase, we formulate attackers' interaction as a game, and formally prove that these attackers will collaborate in proportion to the amount of their bets in the game's unique equilibrium. We also model our framework and its reward function as an incentive mechanism and prove that it is a strategy proof and budget-balanced one. Finally, we conduct numerical simulations to demonstrate the equilibrium behavior of our framework.

Computer Science and Game Theory,Cryptography and Security

Joachim Neu,Ertem Nusret Tas,David Tse

DOI: https://doi.org/10.48550/arXiv.2203.01315

2022-03-02

Cryptography and Security

Abstract:We present two attacks targeting the Proof-of-Stake (PoS) Ethereum consensus protocol. The first attack suggests a fundamental conceptual incompatibility between PoS and the Greedy Heaviest-Observed Sub-Tree (GHOST) fork choice paradigm employed by PoS Ethereum. In a nutshell, PoS allows an adversary with a vanishing amount of stake to produce an unlimited number of equivocating blocks. While most equivocating blocks will be orphaned, such orphaned `uncle blocks' still influence fork choice under the GHOST paradigm, bestowing upon the adversary devastating control over the canonical chain. While the Latest Message Driven (LMD) aspect of current PoS Ethereum prevents a straightforward application of this attack, our second attack shows how LMD specifically can be exploited to obtain a new variant of the balancing attack that overcomes a recent protocol addition that was intended to mitigate balancing-type attacks. Thus, in its current form, PoS Ethereum without and with LMD is vulnerable to our first and second attack, respectively.

Taro Tsuchiya,Liyi Zhou,Kaihua Qin,Arthur Gervais,Nicolas Christin

2024-09-20

Abstract:Strategies related to the blockchain concept of Extractable Value (MEV/BEV), such as arbitrage, front- or backrunning create an economic incentive for network nodes to reduce latency. A modified node, that minimizes transaction validation time and neglects to filter invalid transactions in the Ethereum P2P network, introduces a novel attack vector -- Blockchain Amplification Attack. An attacker exploits those modified nodes to amplify an invalid transaction thousands of times, posing a threat to the entire network. To illustrate attack feasibility and practicality in the current mainnet, we 1) identify thousands of similar attacks in the wild, 2) mathematically model propagation mechanism, 3) empirically measure model parameters from our two monitoring nodes, and 4) compare performance with existing Denial-of-Service attacks through local simulation. We show that an attacker can amplify network traffic at modified nodes by a factor of 3,600, and cause economic damages 13,800 times greater than the amount needed to carry out the attack. Despite these risks, aggressive latency reduction may still be profitable enough to justify the existence of modified nodes. To assess this tradeoff, we 1) simulate the transaction validation process in the local network and 2) empirically measure the latency reduction by deploying our modified node in the Ethereum testnet. We conclude with a cost-benefit analysis of skipping validation and provide mitigation strategies against this attack.

Cryptography and Security

Dimitris Karakostas,Aggelos Kiayias,Thomas Zacharias

2024-06-19

Abstract:We analyze bribing attacks in Proof-of-Stake distributed ledgers from a game theoretic perspective. In bribing attacks, an adversary offers participants a reward in exchange for instructing them how to behave, with the goal of attacking the protocol's properties. Specifically, our work focuses on adversaries that target blockchain safety. We consider two types of bribing, depending on how the bribes are awarded: i) guided bribing, where the bribe is given as long as the bribed party behaves as instructed; ii) effective bribing, where bribes are conditional on the attack's success, w.r.t. well-defined metrics. We analyze each type of attack in a game theoretic setting and identify relevant equilibria. In guided bribing, we show that the protocol is not an equilibrium and then describe good equilibria, where the attack is unsuccessful, and a negative one, where all parties are bribed such that the attack succeeds. In effective bribing, we show that both the protocol and the "all bribed" setting are equilibria. Using the identified equilibria, we then compute bounds on the Prices of Stability and Anarchy. Our results indicate that additional mitigations are needed for guided bribing, so our analysis concludes with incentive-based mitigation techniques, namely slashing and dilution. Here, we present two positive results, that both render the protocol an equilibrium and achieve maximal welfare for all parties, and a negative result, wherein an attack becomes more plausible if it severely affects the ledger's token's market price.

Computer Science and Game Theory,Cryptography and Security

Daji Landis,Nikolaj I. Schwartzbach

DOI: https://doi.org/10.48550/arXiv.2301.08523

2023-05-04

Abstract:We identify a subtle security issue that impacts the design of smart contracts, because agents may themselves deploy smart contracts (side contracts). Typically, equilibria of games are analyzed in vitro, under the assumption that players cannot arbitrarily commit to strategies. However, equilibria thus obtained do not hold in general in vivo, when games are deployed on a blockchain. Being able to deploy side contracts changes fundamental game-theoretic assumptions by inducing a meta-game wherein agents strategize to deploy the best contracts. Not taking side contracts into account thus fails to capture an important aspect of deploying smart contracts in practice. A game that remains secure when the players can deploy side contracts is said to be side contract resilient. We demonstrate the non-triviality of side contract resilience by analyzing two smart contracts for decentralized commerce. These contracts have the same intended functionality, but we show that only one is side contract resilient. We then demonstrate a side contract attack on first-price auctions, which are the transaction mechanisms used by most major blockchains. We show that an agent may deploy a contract ensuring their transaction is included in the next block at almost zero cost while forcing most other agents to enter into a lottery for the remaining block space. This benefits all the users, but is detrimental to the miners. This might be cause for re-evaluation of the use of auctions in transaction fee mechanisms. We show that the attack works under certain conditions that hold with high probability from natural distributions. The attack also works against the transaction mechanism EIP-1559. Our work highlights an issue that is necessary to address to ensure the secure deployment of smart contracts and suggests that other contracts already deployed on major blockchains may be susceptible to these attacks.

Computer Science and Game Theory,Cryptography and Security

Ulysse Pavloff,Yackolley Amoussou-Genou,Sara Tucci-Piergiovanni

2024-06-07

Abstract:In May 2023, the Ethereum blockchain experienced its first inactivity leak, a mechanism designed to reinstate chain finalization amid persistent network disruptions. This mechanism aims to reduce the voting power of validators who are unreachable within the network, reallocating this power to active validators. This paper investigates the implications of the inactivity leak on safety within the Ethereum blockchain. Our theoretical analysis reveals scenarios where actions by Byzantine validators expedite the finalization of two conflicting branches, and instances where Byzantine validators reach a voting power exceeding the critical safety threshold of one-third. Additionally, we revisit the probabilistic bouncing attack, illustrating how the inactivity leak can result in a probabilistic breach of safety, potentially allowing Byzantine validators to exceed the one-third safety threshold. Our findings uncover how penalizing inactive nodes can compromise blockchain properties, particularly in the presence of Byzantine validators capable of coordinating actions.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Xinrui Zhang,Rujia Li,Qin Wang,Qi Wang,Sisi Duan

DOI: https://doi.org/10.1145/3543507.3583252

2023-01-01

Abstract:As blockchain-based commercial projects and startups flourish, efficiency becomes one of the critical metrics in designing blockchain systems. Due to its high efficiency, Proof of Authority (PoA) Aura has become one of the most widely adopted consensus solutions for blockchains. Our research finds over 4,000 projects have used Aura and its variants. In this paper, we provide a rigorous analysis of Aura. We propose three types of time-manipulation attacks, where a malicious leader simply needs to modify the timestamp in its proposed block or delay it to extract extra benefits. These attacks can easily break the legal leader election, thus directly harming the fairness of the block proposal. We apply our attacks to a mature Aura project called OpenEthereum. By repeatedly conducting our attacks1 over 15 days, we find that an adversary can gain on average 200% mining rewards of their fair shares. Furthermore, such attacks can even indirectly break the finality of blocks and the safety of the system. Based on the deployment of Aura as of September 2022, the potentially affected market cap is up to 2.13 billion USD. As a by-product, we further discuss solutions to mitigate such issues and report our observations to official teams.

Nasser Alsalami,Bingsheng Zhang

DOI: https://doi.org/10.1109/iwqos49365.2020.9213064

2020-01-01

Abstract:Public blockchains can be abused to covertly store and disseminate potentially harmful digital content which poses a serious regulatory issue. In this work, we show the severity of the problem by demonstrating that blockchains can be exploited to surreptitiously distribute arbitrary content. More specifically, all major blockchain systems use randomized cryptographic primitives, such as digital signatures and non-interactive zero-knowledge proofs; we illustrate how the uncontrolled randomness in such primitives can be maliciously manipulated to enable covert communication and hidden persistent storage. To clarify the potential risk, we design, implement and evaluate our technique against the widely-used ECDSA signature scheme, the CryptoNote's ring signature scheme, and Monero's ring confidential transactions. Importantly, the significance of the demonstrated attacks stems from their undetectability, their adverse effect on the future of decentralized blockchains, and their serious repercussions on users' privacy and crypto funds. Finally, we present a generic framework to immunize blockchains against these attacks.

DOI: https://doi.org/10.1007/s10586-024-04579-0

2024-06-10

Cluster Computing

Abstract:Within the intricate dynamics of a blockchain system, participants with bounded rationality may engage in dishonest behavior, thereby disrupting the consensus of the system in the absence of incentive mechanisms. This vulnerability is particularly common in voting-based consensus mechanisms like Practical Byzantine Fault Tolerance (PBFT), yet existing analyses often overlook the rational perspectives of participants. In this paper, we introduce an evolutionary game-theoretic approach to extend the current incentive mechanisms, enhancing the system's stability and security. In permissioned blockchain environments, we developed a three-party evolutionary game model involving proposers, validators and auditors that dynamically assesses node strategies under various economic incentives and attack scenarios on an improved mechanism basis. Using replicator dynamic equations, we identified the conditions under which nodes converge to different evolutionarily stable strategies. Through simulation experiments, we validated the incentive mechanism's effectiveness in promoting honest participation and resisting bribery attacks. When dishonest nodes do not exceed 80%, the system can quickly evolve to the honest state and can cope with changes in the payoff for malfeasance, whereas the original mechanism could not reach the ideal state under any condition. This achievement is attributed to the design of the mechanism and the judicious adjustment of reward and punishment parameters. The research contributes valuable findings to the discourse on consensus security. It provides key insights for developing more robust and rational incentive mechanisms in future protocols.

computer science, information systems, theory & methods

Daji Landis,Nikolaj I. Schwartzbach

2024-10-17

Abstract:We propose a new, more potent attack on decentralized exchanges. This attack leverages absolute commitments, which are commitments that can condition on the strategies made by other agents. This attack allows an adversary to charge monopoly prices by committing to undercut those other miners that refuse to charge an even higher fee. This allows the miner to extract the maximum possible price from the user, potentially through side channels that evade the inefficiencies and fees usually incurred. This is considerably more efficient than the prevailing strategy of `sandwich attacks', wherein the adversary induces and profits from fluctuations in the market price to the detriment of users. The attack we propose can, in principle, be realized by the irrevocable and self-executing nature of smart contracts, which are readily available on many major blockchains. Thus, the attack could potentially be used against a decentralized exchange and could drastically reduce the utility of the affected exchange.

Computer Science and Game Theory

Haoqian Zhang,Mahsa Bastankhah,Louis-Henri Merino,Vero Estrada-Galiñanes,Bryan Ford

2023-05-01

Abstract:Blockchain systems often rely on rationality assumptions for their security, expecting that nodes are motivated to maximize their profits. These systems thus design their protocols to incentivize nodes to execute the honest protocol but fail to consider out-of-band collusion. Existing works analyzing rationality assumptions are limited in their scope, either by focusing on a specific protocol or relying on non-existing financial instruments. We propose a general rational attack on rationality by leveraging an external channel that incentivizes nodes to collude against the honest protocol. Our approach involves an attacker creating an out-of-band bribery smart contract to motivate nodes to double-spend their transactions in exchange for shares in the attacker's profits. We provide a game theory model to prove that any rational node is incentivized to follow the malicious protocol. We discuss our approach to attacking the Bitcoin and Ethereum blockchains, demonstrating that irrational behavior can be rational in real-world blockchain systems when analyzing rationality in a larger ecosystem. We conclude that rational assumptions only appear to make the system more secure and offer a false sense of security under the flawed analysis.

Computer Science and Game Theory,Cryptography and Security

Yifan Mao,Mengya Zhang,Shaileshh Bojja Venkatakrishnan,Zhiqiang Lin

2024-05-15

Abstract:Maximal extractable value (MEV) in which block proposers unethically gain profits by manipulating the order in which transactions are included within a block, is a key challenge facing blockchains such as Ethereum today. Left unchecked, MEV can lead to a centralization of stake distribution thereby ultimately compromising the security of blockchain consensus. To preserve proposer decentralization (and hence security) of the blockchain, Ethereum has advocated for a proposer-builder separation (PBS) in which the functionality of transaction ordering is separated from proposers and assigned to separate entities called builders. Builders accept transaction bundles from searchers, who compete to find the most profitable bundles. Builders then bid completed blocks to proposers, who accept the most profitable blocks for publication. The auction mechanisms used between searchers, builders and proposers are crucial to the overall health of the blockchain. In this paper, we consider PBS design in Ethereum as a game between searchers, builders and proposers. A key novelty in our design is the inclusion of future block proposers, as all proposers of an epoch are decided ahead of time in proof-of-stake (PoS) Ethereum within the game model. Our analysis shows the existence of alternative auction mechanisms that result in a better (more profitable) equilibrium to players compared to state-of-the-art. Experimental evaluations based on synthetic and real-world data traces corroborate the analysis. Our results highlight that a rethinking of auction mechanism designs is necessary in PoS Ethereum to prevent disruption.

Cryptography and Security

Yackolley Amoussou-Guenou,Bruno Biais,Maria Potop-Butucaru,Sara Tucci-Piergiovanni

DOI: https://doi.org/10.1093/rfs/hhad051

2023-06-16

Abstract:Abstract We study consensus in a protocol capturing in a simplified manner the major features of the majority of Proof of Stake blockchains. A committee is formed; one member proposes a block; and the others can check its validity and vote for it. Blocks with a majority of votes are produced. When an invalid block is produced, the stakes of the members who voted for it are “slashed.” Profit-maximizing members interact with adversaries seeking to disrupt consensus. When slashing is limited, free-riding and moral-hazard lead to invalid blocks in equilibrium. We propose a protocol modification producing only valid blocks in equilibrium. Authors have furnished an Internet Appendix, which is available on the Oxford University Press Web site next to the link to the final published paper online.

economics,business, finance

Junchao Chen,Suyash Gupta,Alberto Sonnino,Lefteris Kokoris-Kogias,Mohammad Sadoghi

2024-07-19

Abstract:Decentralized systems built around blockchain technology promise clients an immutable ledger. They add a transaction to the ledger after it undergoes consensus among the replicas that run a Proof-of-Stake (PoS) or Byzantine Fault-Tolerant (BFT) consensus protocol. Unfortunately, these protocols face a long-range attack where an adversary having access to the private keys of the replicas can rewrite the ledger. One solution is forcing each committed block from these protocols to undergo another consensus, Proof-of-Work(PoW) consensus; PoW protocol leads to wastage of computational resources as miners compete to solve complex puzzles. In this paper, we present the design of our Power-of-Collaboration (PoC) protocol, which guards existing PoS/BFT blockchains against long-range attacks and requires miners to collaborate rather than compete. PoC guarantees fairness and accountability and only marginally degrades the throughput of the underlying system.

Cryptography and Security,Databases,Distributed, Parallel, and Cluster Computing

Soubhik Deb,Robert Raynor,Sreeram Kannan

2024-01-11

Abstract:As of July 15, 2023, Ethererum, which is a Proof-of-Stake (PoS) blockchain [1] has around 410 Billion USD in total assets on chain (popularly referred to as total-value-locked, TVL) but has only 33 Billion USD worth of ETH staked in securing the underlying consensus of the chain [2]. A preliminary analysis might suggest that as the amount staked is far less (11x less) than the value secured, the Ethereum blockchain is insecure and "over-leveraged" in a purely cryptoeconomic sense. In this work, we investigate how Ethereum, or, more generally, any PoS blockchain can be made secure despite this apparent imbalance. Towards that end, we attempt to formalize a model for analyzing the cryptoeconomic safety of PoS blockchain, which separately analyzes the cost-of-corruption, the cost incurred by an attacker, and the profit-from-corruption, the profit gained by an attacker. We derive sharper bounds on profit-from-corruption, as well as new confirmation rules that significantly decrease this upper-bound. We evaluate cost-of-corruption and profit-from-corruption only from the perspective of attacking safety. Finally, we present a new "insurance" mechanism, STAKESURE, for allocating the slashed funds in a PoS system, that has several highly desirable properties: solving common information problem in existing blockchains, creating a mechanism for provably safe bridging, and providing the first sharp solution for automatically adjusting how much economic security is sufficient in a PoS system. Finally, we show that the system satisfies a notion of strong cryptoeconomic safety, which guarantees that no honest transactor ever loses money, and creates a closed system of Karma, which not only ensures that the attacker suffers a loss of funds but also that the harmed parties are sufficiently compensated.

Cryptography and Security,Networking and Internet Architecture

Martin Perešíni,Ivan Homoliak,Federico Matteo Benčić,Martin Hrubý,Kamil Malinka

DOI: https://doi.org/10.48550/arXiv.2305.16757

2023-05-26

Abstract:Several blockchain consensus protocols proposed to use of Directed Acyclic Graphs (DAGs) to solve the limited processing throughput of traditional single-chain Proof-of-Work (PoW) blockchains. Many such protocols utilize a random transaction selection (RTS) strategy (e.g., PHANTOM, GHOSTDAG, SPECTRE, Inclusive, and Prism) to avoid transaction duplicates across parallel blocks in DAG and thus maximize the network throughput. However, previous research has not rigorously examined incentive-oriented greedy behaviors when transaction selection deviates from the protocol. In this work, we first perform a generic game-theoretic analysis abstracting several DAG-based blockchain protocols that use the RTS strategy, and we prove that such a strategy does not constitute a Nash equilibrium, which is contradictory to the proof in the Inclusive paper. Next, we develop a blockchain simulator that extends existing open-source tools to support multiple chains and explore incentive-based deviations from the protocol. We perform simulations with ten miners to confirm our conclusion from the game-theoretic analysis. The simulations confirm that greedy actors who do not follow the RTS strategy can profit more than honest miners and harm the processing throughput of the protocol because duplicate transactions are included in more than one block of different chains. We show that this effect is indirectly proportional to the network propagation delay. Finally, we show that greedy miners are incentivized to form a shared mining pool to increase their profits. This undermines the decentralization and degrades the design of the protocols in question. To further support our claims, we execute more complex experiments on a realistic Bitcoin-like network with more than 7000 nodes.

Cryptography and Security

Michael Neuder,Daniel J. Moroz,Rithvik Rao,David C. Parkes

DOI: https://doi.org/10.48550/arXiv.1912.02954

2020-04-08

Abstract:Proof-of-Stake consensus protocols give rise to complex modeling challenges. We analyze the recently-updated Tezos Proof-of-Stake protocol and demonstrate that, under certain conditions, rational participants are incentivized to behave dishonestly. In doing so, we provide a theoretical analysis of the feasibility and profitability of a block stealing attack that we call selfish endorsing, a concrete instance of an attack previously only theoretically considered. We propose and analyze a simple change to the Tezos protocol which significantly reduces the (already small) profitability of this dishonest behavior, and introduce a new delay and reward scheme that is provably secure against length-1 and length-2 selfish endorsing attacks. Our framework provides a template for analyzing other Proof-of-Stake implementations for selfish behavior.

Cryptography and Security,Computer Science and Game Theory

Bulat Nasrulin,Georgy Ishmaev,Jérémie Decouchant,Johan Pouwelse

2023-07-05

Abstract:Possible manipulation of user transactions by miners in a permissionless blockchain systems is a growing concern. This problem is a pervasive and systemic issue, known as Miner Extractable Value (MEV), incurs highs costs on users of decentralised applications. Furthermore, transaction manipulations create other issues in blockchain systems such as congestion, higher fees, and system instability. Detecting transaction manipulations is difficult, even though it is known that they originate from the pre-consensus phase of transaction selection for a block building, at the base layer of blockchain protocols. In this paper we summarize known transaction manipulation attacks. We then present LØ, an accountable base layer protocol specifically designed to detect and mitigate transaction manipulations. LØ is built around accurate detection of transaction manipulations and assignment of blame at the granularity of a single mining node. LØ forces miners to log all the transactions they receive into a secure mempool data structure and to process them in a verifiable manner. Overall, LØ quickly and efficiently detects reordering, injection or censorship attempts. Our performance evaluation shows that LØ is also practical and only introduces a marginal performance overhead.

Cryptography and Security,Distributed, Parallel, and Cluster Computing