DETER: Denial of Ethereum Txpool sERvices

Kai Li, Yibo Wang, Yuzhe Tang

Introduction: Denial of Ethereum Txpool sERvice

  • Ethereum is the largest smart contract blockchain.
    • Second highest market cap ($428 billion), only after Bitcoin.

Typical* transaction workflow in Ethereum

  • Clients send txs to Ethereum nodes.
  • A node buffers unconfirmed txs in its txpool (a.k.a. mempool).
  • The miner gets txs from the mempool and includes them in the next block.

* Simplified workflow by discarding block/tx propagation.


Figures are made with flaticon.com icons.

Txpool is a critical component in an Ethereum node

RQ: Whether and how secure is Ethereum under Denial of Txpool Service (DETER)?

Importance: Consequences

  • Miners cannot read unconfirmed txs: empty blocks, low miner revenue
    • loss of miners, 51% attacks
  • Clients cannot get their txs included in blockchain.
    • Frontrunning, loss of clients


Related Works: Blockchain DoS

Target blockchain component to attack:

  • P2P networks [SP’17, USENIX’15, SP’20], mining-based consensus [CCS’20], transaction processing [FC’16, ICBC’19], smart contracts [EIP-150, NDSS’20] and DApp (decentralized application) services [NDSS’21].
  • This work targets the txpool.

Assumption on attacker capability:

  • Institutional attacker: [CCS’20, SP’17, SP’20, USENIX’15, FC’16]
  • This work considers a low-cost attacker.
  • Few other works consider a low-cost attacker via MEV and bribing miners [SP’20], [USENIX’21], [FC’21], [SP’21], [EuroS&P’19].
  • But they assume rational miners, which this work does not.


Threat Model: Denial of Txpool Service (DETER)

  • Critical nodes:
    • Few nodes operating popular Ethereum services, such as transaction relay (a.k.a. RPC services) and mining pools.


Attack Design: Flawed Admission Control in Txpool

  • The txpool admits high-priced txs by evicting low-priced txs.
    • Intended as a defense against tx spamming [BITCOIN@FC’16].
    • Assumes that all txs, high- or low-priced, are profitable… Not true!

  • Key idea: Misguide admission & occupy the txpool with unprofitable txs.


Design: DETER Attack Template

  • Template:
    • In DETER, the attacker sends high-priced yet unprofitable txs to evict & victimize medium-priced profitable txs.
  • Why it works
    • The txpool is filled up with unprofitable txs, which are not included in the blockchain.
      • Leads to empty blocks and unhappy miners/clients
      • Incurs no/low cost to attackers
  • We propose two attack variants following the template
    • DETER-X and DETER-Z ...


Design: Evicting Pending Tx by Future Tx (DETER-X)

  • DETER-X exploits future (a.k.a. orphan) transactions.
  • What are future txs?
    • Tx nonce
    • A tx of nonce 1 sent to an empty txpool is a pending tx.
    • A tx of nonce 2 sent to an empty txpool is a future/orphan tx.
  • The working of DETER-X
    • Sending high-priced future txs to evict low-priced pending txs
    • Zero Ether cost to the attacker, as a future tx is not charged.

Admitting tx3 leads to:

  • evicting tx1
  • turning tx2 into a future tx


Design: Evicting Pending Tx by Invalid Tx (DETER-Z)

  • DETER-Z exploits latent invalid transactions.
  • What are latent invalid txs?
    • Alice has 10 Ether.
    • In tx1, Alice sends 9 Ether; in tx2, Alice sends 8 Ether.
    • The txpool would admit both tx1 and tx2, but at least one is invalid.
  • The working of DETER-Z
    • Sending high-priced latent invalid txs to evict low-priced pending txs
    • Low Ether cost.


Evaluation: Attack Success Rates/Costs on Local Nodes

  • Metric 1: Attack success rate (# of txs included)
    • The rate is lower than 100% due to spurious block production.
  • Metric 2: Attacker’s Ether cost
    • DETER-X is zero-cost by design
    • DETER-Z incurs low cost (one tx fee).


Evaluation: Attack Success Rates by Probabilistic Model

  • Model the time until the next block as a random variable following an exponential distribution.
  • Estimate attack success rate:


Evaluation: Real Networks Exploitable under DETER?

Network exploitability can be affected by

  • Critical nodes are hidden from the attacker (node discoverability).
  • Individual nodes may be configured to weaken DETER (node exploitability).

We conduct DETER attacks on the testnet.

We run very lightweight probes on the mainnet.


Evaluation: Methods for Discovering Nodes

  • Goal: discover the critical node serving the backend of the service.
  • Leverage the client version “codename” disclosed through the service’s RPC interfaces.
  • Launch “supernodes” to log all the messages they receive and send.
  • Find the critical node whose peer-discovery message matches the “codenames”.


Evaluation: Measure Testnet Exploitability

  • Launching two supernodes that join the Ropsten testnet.
  • Using the node discoverability method to discover top miners.
  • We mount DETER-X and DETER-Z, respectively, to attack the top 4 miners.
  • During the attack, each block includes at most 1 transaction.


Evaluation: Estimate Mainnet Exploitability: Method

  • Sending a pending transaction to be evicted by the future transaction
  • Exploiting the transaction replacement capability in the standard Ethereum protocol
  • For ethical concern, the test affects only the low-priced txs.


Evaluation: Estimate Mainnet Exploitability: Results

  • Send web3_clientVersion RPC queries to 8 well-known RPC services to find the unique codenames.
  • Launch 8 “supernodes” to join the mainnet to discover the nodes serving the services in the backend.
  • Test by probing the nodes as described.


Mitigation: Proposed Schemes

Baseline mitigation scheme (M0)

  • Decline any incoming future/invalid transaction.
  • Overkill: there are benign future txs; decreased miner revenue

More practical mitigation scheme (M1)

  • Decline future/invalid txs that would have evicted pending txs.
  • No eviction of a valid tx if that would transform other pending txs into future or invalid ones.
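
A toy model of the admission decision, comparing price-only eviction with the two M1 rules above. This is an added example, not code from the paper or from any Ethereum client: the `Tx`, `TxPool` and `flood` names, the 4-slot capacity, the prices and the assumption that every account's next on-chain nonce is 1 are all constructed for illustration, and balance-based invalidity (DETER-Z) is not modelled.

```python
from collections import namedtuple

Tx = namedtuple("Tx", "sender nonce price")

class TxPool:
    """Toy txpool (constructed model): every account's next on-chain nonce is 1."""
    def __init__(self, capacity, m1=False):
        self.capacity, self.m1, self.txs = capacity, m1, []

    def is_pending(self, tx, txs=None):
        # Pending: nonces 1..tx.nonce of this sender are all in the pool.
        txs = self.txs if txs is None else txs
        have = {t.nonce for t in txs if t.sender == tx.sender} | {tx.nonce}
        return all(n in have for n in range(1, tx.nonce + 1))

    def pending(self):
        return [t for t in self.txs if self.is_pending(t)]

    def _m1_allows(self, tx, victim, rest):
        # M1, first rule: a future tx may not evict a pending tx.
        if self.is_pending(victim) and not self.is_pending(tx, rest):
            return False
        # M1, second rule: the eviction may not turn a pending tx into a future tx.
        return not any(self.is_pending(t) and not self.is_pending(t, rest)
                       for t in rest)

    def add(self, tx):
        if len(self.txs) < self.capacity:
            self.txs.append(tx)
            return True
        for victim in sorted(self.txs, key=lambda t: t.price):
            if tx.price <= victim.price:
                break  # nothing cheaper than the newcomer is left to evict
            rest = [t for t in self.txs if t is not victim]
            if self.m1 and not self._m1_allows(tx, victim, rest):
                continue  # try the next-cheapest victim instead
            self.txs = rest + [tx]
            return True
        return False

def flood(m1):
    """Fill a 4-slot pool with benign pending txs, then offer 4 high-priced future txs."""
    pool = TxPool(4, m1)
    for t in [Tx("alice", 1, 5), Tx("alice", 2, 6), Tx("bob", 1, 7), Tx("carol", 1, 8)]:
        pool.add(t)
    admitted = [pool.add(Tx("mallory", n, 100)) for n in range(2, 6)]
    return admitted, len(pool.pending())
```

With price-only admission the pool ends with no pending txs left for a miner to include; with the M1 checks all four future txs are declined, while a benign high-priced pending tx is still admitted by evicting a tx whose removal orphans nothing.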


Mitigation: Evaluation

Implemented both schemes as middleware on Geth clients

Evaluated DETER success rates & miner revenue under normal tx workload.


Ethical Consideration

Ethical measurement on mainnet

  • On mainnet, the test evicts at most 10% of the txs in the txpool.
  • As a remedy, we resent 10% of the txs after each test to “refill” the txpool.
  • No impact on txs already included in a block.


Bug Reporting

  • Disclosed the vulnerabilities to Ethereum client developers, RPC services & mining pools.

  • Bugs confirmed by all clients: Geth/OpenEthereum (Parity)/Besu/Nethermind, and major services
    • Acknowledgements: Ethereum Foundation and OpenEthereum for their generous bug bounty programs.

  • Quick fixes deployed and more fixes are in progress.


References

  • [BITCOIN@FC’16] Khaled Baqer, Danny Yuxing Huang, Damon McCoy, and Nicholas Weaver. Stressing out: Bitcoin "stress testing". The BITCOIN workshop 2016.
  • [USENIX’15] Ethan Heilman, Alison Kendler, Aviv Zohar, and Sharon Goldberg. Eclipse attacks on bitcoin’s peer-to-peer network.
  • [FC’16] Khaled Baqer, Danny Yuxing Huang, Damon McCoy, and Nicholas Weaver. Stressing out: Bitcoin "stress testing".
  • [SP’17] Maria Apostolaki, Aviv Zohar, and Laurent Vanbever. Hijacking bitcoin: Routing attacks on cryptocurrencies.
  • [EuroS&P’19] Fredrik Winzer, Benjamin Herd, and Sebastian Faust. Temporary censorship attacks in the presence of rational miners.
  • [ICBC’19] Muhammad Saad, Laurent Njilla, Charles A. Kamhoua, Joongheon Kim, DaeHun Nyang, and Aziz Mohaisen. Mempool optimization for defending against ddos attacks in pow-based blockchain systems.
  • [SP’20] Muoi Tran, Inho Choi, Gi Jun Moon, Anh V. Vu, and Min Suk Kang. A Stealthier Partitioning Attack against Bitcoin Peer-to-Peer Network.
  • [SP’20] Philip Daian, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, Iddo Bentov, Lorenz Breidenbach, and Ari Juels. Flash boys 2.0: Frontrunning, transaction reordering, and consensus instability in decentralized exchanges.
  • [CCS’20] Michael Mirkin, Yan Ji, Jonathan Pang, Ariah Klages-Mundt, Ittay Eyal, and Ari Juels. Bdos: Blockchain denial of service.
  • [NDSS’20] Daniel Pérez and Benjamin Livshits. Broken metre: Attacking resource metering in EVM.
  • [NDSS’21] Kai Li, Jiaqi Chen, Xianghong Liu, Yuzhe Richard Tang, XiaoFeng Wang, and Xiapu Luo. As strong as its weakest link: How to break blockchain dapps at RPC service.
  • [USENIX’21] Christof Ferreira Torres, Ramiro Camino, and Radu State. Frontrunner jones and the raiders of the dark forest: An empirical study of frontrunning on the ethereum blockchain.
  • [FC’21] Majid Khabbazian, Tejaswi Nadahalli, and Roger Wattenhofer. Time Locked bribes.
  • [SP’21] Itay Tsabary, Matan Yechieli, and Ittay Eyal. MAD-HTLC: because HTLC is crazy-cheap to attack.


Q/A

Dr. Yuzhe Tang

ytang100@syr.edu