Security Threats to Blockchain Networks — 5 — Consensus Attacks
Where centralized systems operate on the basis of centralized permission, blockchain protocols proceed on the basis of decentralized consensus. While this is more secure in theory, the system is not flawless. All blockchains are susceptible to consensus hacking, thanks to the ability to simulate, force, or circumvent majority consent for a nefarious aim. Solutions can be found for some of these attacks, but ultimately, the only solution to the consensus problem may be scale.
The democratic nature of blockchain technology relies on the fact that it is permissionless. This refers to the fact that anyone can take part in the process of sending, receiving, and confirming transactions.
However, in order for transactions to take place, users still require the ‘permission’ of the decentralized network to ensure that the transactions are recorded properly and are valid. This is the Consensus process, and is foundational to the security of a blockchain, owing to the absence of a centralized entity or police force.
Since, therefore, everything in a blockchain happens by consensus, consensus hacking represents the most fundamental form of attack on a blockchain network. It theoretically allows a single user or group to re-write the history of the chain for their own financial benefit.
Just as different protocols (or “L1s”) are competing for users, different consensus mechanisms are competing for adoption by the various protocols. The two most common consensus mechanisms are Proof of Work (PoW) and Proof of Stake (PoS). ‘Proof’ refers to the evidence the consensus-giving group requires in order to approve the addition of a new block.
Proof of Work requires a block miner to solve a mathematical puzzle in order to reveal the cryptographic has value of the last recorded block. This provides proof to the other nodes in the network that sufficient ‘work’ has been done, and the miner is rewarded with the native token.
Proof of Stake awards the right to ‘forge’ a new block by lottery to a group of validators, each of whom has staked (committed for a given period) a certain number of native tokens. The more tokens a validator has, the more likely they are to be selected ‘slot leader’.
There are various consensus mechanisms in use, including modifications of the above, such as Delegated Proof of Stake (DPoS) and Proof of Authority (PoA). In this article, we are focussing on vulnerabilities in PoW and PoS, as they are the mechanisms of choice for the two main protocols, Bitcoin and Ethereum, respectively.
Some financial hacks on the blockchain target specific nodes or groups of nodes, with a view to blocking transactions or planting fake data. These attacks (which we call Network attacks ) can be thought of as similar to bank heists or train robberies.
Consensus attacks, by contrast, are more like an armed revolution culminating in a military coup, in that they aim for total control of all nodes. They are the mega-budget blockbusters of blockchain cybercrime.
The most basic form of consensus-based attack, logically, is to amass 51% or more of the total voting power. With this majority, it is possible to approve any transaction, including nefarious activities such as double-spending.
51% attacks are more than theoretical, and have been successfully carried out on several occasions. In 2018, a hacker managed to secure the majority of the voting power (hash power) of Bitcoin Gold, a PoW protocol. This made it possible to steal $18m over the course of a few days thanks to double-spending.
In theory, chains are helpless to prevent such activity (Bitcoin Gold suffered another 51% attack in 2020), as the attackers are — in a sense — staying within the rules of the consensus mechanism. That said, Bitcoin itself, the largest cryptocurrency by value, has never fallen victim to a 51% attack. This is in part due to the increasingly demanding nature of the Proof of Work challenges miners must solve in order to acquire hash power.
In general, the larger a chain becomes, the greater the difficulty involved in securing a majority stake, regardless of the consensus mechanism. In PoS systems, for example, acquiring 51% of the voting power would require a single hacker to stake a prohibitively large number of tokens.
Furthermore, a successful 51% attack has the potential to damage the reputation of the protocol, negatively impacting the value of the funds an attacker is able to mint, steal, or double-spend. The larger the network, the greater the potential for loss of value, and the more self-defeating the attack will be.
It is typically the mid-sized chains, or those with falling usage that become vulnerable as the volume of work or tokens needed to secure a majority sits in an achievable range for malicious actors. Ethereum Classic (Ethereum’s estranged older brother) was 51% attacked in 2020 three times in a single month, largely because it was cheap to do so.
Ultimately scale is the best defense.
The Sybil attack is a classic strategy from the world of traditional IT that can theoretically be applied in a blockchain setting to generate a fake majority.
It is named after a character in a novel who suffered from multiple personality disorder. The real-life person on whom the novel was based later revealed that the condition was faked.
Similarly, the Sybil attack rests upon the idea that one can create several fake identities (=multiple personalities) within a blockchain network. By drumming up an army of fake nodes, for instance, one can swamp the consensus algorithm by creating a synthetic 51% majority.
The best way to protect against any strategy that relies on fake identity is to increase the cost of creating these identities. In the case of PoW and PoS, it is costly to create vote-wielding entities, making Sybil attacks largely impractical.
However, as attempts to ‘democratize’ blockchain systems by making participation easier are proposed, it is important to keep the Sybil attack in mind as a potential threat.
While the above represent technically “legitimate” ways to hack the consensus mechanism, there are other methods that circumvent the requirements by outright deception.
An organized crime syndicate is probably the best analogy, as carrying these attacks out requires collusion between a number of actors responsible for creating new blocks (known as “mining pools”).
Typically, blocks are created, broadcast, and added to the chain one by one. In a classic short-range attack known as ‘Selfish Mining’, a group of miners or validators create a number of new blocks, but deliberately delay broadcasting the fact to the network.
When they have created a sufficient number of blocks to constitute a rival portion of chain, they broadcast these new blocks to the network simultaneously, as an alternative chain. This has the effect of pushing aside the other blocks that have been added by the other miners in the meantime. Thus, a new fork, or alternative recent history, is created, and any transactions that existed in the removed blocks will disappear along with them.
Another more straightforward short-range attack involves the payment of a bribe to a sufficiently large group of miners/validators, in return for their approval of dishonest transactions (e.g. double-spending).
It’s worth noting that PoS protocols are more susceptible to bribery, given that the energy required to create blocks is far less than in the case of PoW. This is the reason for the existence of Long-range attacks, a vulnerability that is a uniquely PoS-related problem, which we will cover next.
In the case of PoS systems, once a validator has acquired a large number of tokens, whether by earning or purchasing them, the actual process of creating new blocks does not require a huge amount of computational energy as in the case of PoW.
This creates a fundamental problem known as costless simulation or ‘ nothing-at-stake ‘. A malicious actor is able not only to create a short section of chain to supplant a given set of transactions, but to write a complete alternative history of the main chain going back as far as the genesis block (hence ‘long range’), if desired, without incurring any actual cost.
The second pillar of long-range attacks on PoS systems is the issue of ‘ weak subjectivity ‘. This refers to the fact that a new node, or a node that has been offline for an extended period, will not be able to discern the true main branch of a chain if two alternatives exist.
The third weapon the PoS system affords a potential long-range hacker is ‘precomputation ‘. The ability to publish or validate a new block is intended to be random, with validators holding higher amounts of tokens more likely to be selected. If a validator is able to deconstruct the selection methodology, he or she can increase the probability of being chosen without the need to acquire more tokens. More frequent opportunities to publish blocks mean a greater ability to create a new chain, which is instrumental to achieving a long-range hack.
Given these facts, there are various ways in which a long-range hack can be accomplished. In the so-called ‘simple’ version of the attack, the attacker creates a rival chain in secret, ensuring that the timestamps match those of the real chain so that nodes will be unable to distinguish between them.
If the timestamp approach is not possible, the attacker can attempt to obtain by theft or consent the private keys of a retired validator, to create ostensibly valid blocks in the rival chain (an approach known as Posterior Corruption). A third approach, known as Stake Bleeding involves a validator slowing down the growth of the main chain by deliberately skipping their turn to validate blocks there, while building their own chain in parallel.
Given that threat of long-range attacks is based on problems that are fundamental to PoS as a system, there is no way to fully prevent them from occurring. That said, a growing number of partial solutions are being tested to address specific types of attack (for example, Posterior Corruption can be addressed by adjusting key cryptography to preclude signing blocks in the past).
Denial of service
Not all consensus-related hacking is about seizing control with an aim of stealing or double-spending currency. The aim can also be to slow down or paralyze the network so that it cannot function as intended — i.e. prevent consensus rather than divert it to a specific end.
The most relevant concept from the world of traditional IT is Distributed Denial of Service (DDoS). DDoS is a blanket term for a sprawling variety of attacks that have dogged IT departments for years.
Broadly speaking, the aim of a DDoS attack is to confuse a system by generating an intense amount of activity (such as spurious requests) that creates an artificial bottleneck, overwhelming system resources and paralyzing some or all of the operations (hence ‘Denial of Service’).
The word ‘distributed’ refers to the method used by the attacker to create the activity overload, which is often achieved with a distributed army of bots, making it hard to anticipate. While the target of a traditional DDoS is typically a single point of failure, such as a web server, a blockchain network is itself distributed, making this mode of attack harder.
Nonetheless, the power of any network to process transactions is limited. By flooding the mempool with spam transactions, attackers can cause network congestions, software crashes, and node failures, as well as bloat the ledger with blocks that are full of fake events, while legitimate transactions are stalled.
There is a history of successful DDoS attacks on blockchains, with two of the most recent (Solana and Arbitrum) taking place on September 14, 2021. In the case of Solana, the backlog of transactions generated was so large that the network had to be hard forked (i.e. a reboot from an earlier point in history) in order to address the issue.
The counter-strategies for DDoS in blockchain settings are similar to those in traditional computing environments. It is in theory possible to prevent the attack by filtering suspect transactions out before they can cause overload issues.
This has its limits, as being overly stringent can lead to too many false negatives. The other strategy is to ensure enough redundant storage, processing power, and network bandwidth to ensure that failure is less likely, or at least less acute when it occurs.
In the case of PoS, because validators have the power to confirm or deny transactions, it is in their power to ‘blacklist’ certain addresses, leading to delays or ‘time-outs’. It is therefore possible to achieve the effect of a DDoS attack if enough validators decide to stop publishing blocks altogether.
The technical term for this collective inaction is ‘Liveness denial’ or BDoS (Blockchain Denial of Service). It differs from a traditional DDoS attack in that it is a collusion-based approach, as opposed to an external attempt to disrupt the system, and relies on inactivity rather than excess of activity. It is more difficult to solve than a standard DDoS attack as it is difficult to ‘force’ people to work. However, the financial repercussions of a persistent strike are likely to make these attacks temporary in nature.
Because consensus attacks strike at the heart of a blockchain’s integrity, they are likely to remain the most important challenge for protocols to solve.
The smaller scale exploits (short-range attacks) do not threaten the system as a whole, and are likely to have solutions through modifying parameters, as with bugs in any software. The issue of collusion between large players is unlikely to ever disappear, as long as power laws continue to govern the distribution of wealth.
The most secure system is one in which every actor has a shared interest in its survival. As chains grow in stature and adoption, therefore it is possible that the consensus problem may eventually solve itself.
For an overview of blockchain threats see Security Threats to Blockchain Networks — A Holistic Overview
Originally published at https://crypto.security on July 2, 2022.