Short Paper: I Can’t Believe It’s Not Stake! Resource Exhaustion Attacks on PoS

Sanket Kanjalkar, Joseph Kuo, Yunqi Li, Andrew Miller

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We present a new resource exhaustion attack affecting several chain-based proof-of-stake cryptocurrencies, and in particular Qtum, a top 30 cryptocurrency by market capitalization ($300M as of Sep ’18). In brief, these cryptocurrencies do not adequately validate the proof-of-stake before allocating resources to data received from peers. An attacker can exploit this vulnerability, even without any stake at all, simply by connecting to a victim and sending malformed blocks, which the victim stores on disk or in RAM, eventually leading to a crash. We demonstrate and benchmark the attack through experiments attacking our own node on the Qtum main network; in our experiment we are able to fill the victim’s RAM at a rate of 2MB per second, or the disk at a rate of 6MB per second. We have begun a responsible disclosure of this vulnerability to appropriate development teams. Our disclosure includes a Docker-based reproducibility kit using the Python-based test framework. This problem has gone unnoticed for several years. Although the attack can be mitigated, this appears to require giving up optimizations enjoyed by proof-of-work cryptocurrencies, underscoring the difficulty in implementing and deploying chain-based proof-of-stake.

Original languageEnglish (US)
Title of host publicationFinancial Cryptography and Data Security - 23rd International Conference, FC 2019, Revised Selected Papers
EditorsIan Goldberg, Tyler Moore
PublisherSpringer
Pages62-69
Number of pages8
ISBN (Print)9783030321000
DOIs
StatePublished - 2019
Event23rd International Conference on Financial Cryptography and Data Security, FC 2019 - St. Kitts, Saint Kitts and Nevis
Duration: Feb 18 2019Feb 22 2019

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume11598 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference23rd International Conference on Financial Cryptography and Data Security, FC 2019
Country/TerritorySaint Kitts and Nevis
CitySt. Kitts
Period2/18/192/22/19

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'Short Paper: I Can’t Believe It’s Not Stake! Resource Exhaustion Attacks on PoS'. Together they form a unique fingerprint.

Cite this