TY - GEN
T1 - Short Paper
T2 - 23rd International Conference on Financial Cryptography and Data Security, FC 2019
AU - Kanjalkar, Sanket
AU - Kuo, Joseph
AU - Li, Yunqi
AU - Miller, Andrew
N1 - Publisher Copyright:
© 2019, International Financial Cryptography Association.
PY - 2019
Y1 - 2019
N2 - We present a new resource exhaustion attack affecting several chain-based proof-of-stake cryptocurrencies, and in particular Qtum, a top 30 cryptocurrency by market capitalization ($300M as of Sep ’18). In brief, these cryptocurrencies do not adequately validate the proof-of-stake before allocating resources to data received from peers. An attacker can exploit this vulnerability, even without any stake at all, simply by connecting to a victim and sending malformed blocks, which the victim stores on disk or in RAM, eventually leading to a crash. We demonstrate and benchmark the attack through experiments attacking our own node on the Qtum main network; in our experiment we are able to fill the victim’s RAM at a rate of 2MB per second, or the disk at a rate of 6MB per second. We have begun a responsible disclosure of this vulnerability to appropriate development teams. Our disclosure includes a Docker-based reproducibility kit using the Python-based test framework. This problem has gone unnoticed for several years. Although the attack can be mitigated, this appears to require giving up optimizations enjoyed by proof-of-work cryptocurrencies, underscoring the difficulty in implementing and deploying chain-based proof-of-stake.
AB - We present a new resource exhaustion attack affecting several chain-based proof-of-stake cryptocurrencies, and in particular Qtum, a top 30 cryptocurrency by market capitalization ($300M as of Sep ’18). In brief, these cryptocurrencies do not adequately validate the proof-of-stake before allocating resources to data received from peers. An attacker can exploit this vulnerability, even without any stake at all, simply by connecting to a victim and sending malformed blocks, which the victim stores on disk or in RAM, eventually leading to a crash. We demonstrate and benchmark the attack through experiments attacking our own node on the Qtum main network; in our experiment we are able to fill the victim’s RAM at a rate of 2MB per second, or the disk at a rate of 6MB per second. We have begun a responsible disclosure of this vulnerability to appropriate development teams. Our disclosure includes a Docker-based reproducibility kit using the Python-based test framework. This problem has gone unnoticed for several years. Although the attack can be mitigated, this appears to require giving up optimizations enjoyed by proof-of-work cryptocurrencies, underscoring the difficulty in implementing and deploying chain-based proof-of-stake.
UR - http://www.scopus.com/inward/record.url?scp=85075548280&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85075548280&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-32101-7_4
DO - 10.1007/978-3-030-32101-7_4
M3 - Conference contribution
AN - SCOPUS:85075548280
SN - 9783030321000
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 62
EP - 69
BT - Financial Cryptography and Data Security - 23rd International Conference, FC 2019, Revised Selected Papers
A2 - Goldberg, Ian
A2 - Moore, Tyler
PB - Springer
Y2 - 18 February 2019 through 22 February 2019
ER -