Researchers have found a previously unknown way to execute a denial-of-service attack on a proof-of-work blockchain system.
The researchers, from Cornell Tech and the Technion Israel Institute of Technology, described the attack, which they call blockchain denial of service (BDoS), in a new academic paper they presented on October 20 at the 2020 ACM SIGSAC Conference on Computer and Communications Security.
They say that a BDoS is the first type of blockchain attack that “exploits the reward mechanism to discourage miner participation.”
Traditional DoS attacks tend to target the web servers of organizations like banks, media companies, or internet infrastructure providers. The attacker bombards the servers with spam traffic, overloading them and making them unable to serve legitimate requests.
But a DoS attack is more difficult against a decentralized network. According to the authors, a DoS attack has never been successfully executed against a prominent cryptocurrency system.
Before the new research, it was thought this would require that the attacker obtain at least 51% of the network’s mining capacity. According to the researchers, the BDoS attack they’ve discovered would theoretically be able to “grind (Bitcoin’s) blockchain to a halt with significantly fewer resources” — as little as 21% of the network’s mining power (as of March 2020).
The attack works by targeting the system’s reward mechanism in a way that discourages miner participation. Specifically, the attacker publishes a proof to the blockchain that signals to other miners that the attacker holds a mining advantage.
The researchers found that what they define as “rational” miners will stop mining if they detect that they are at a disadvantage. “If the profitability decrease is significant enough so that all miners stop mining, the attacker can stop mining too,” they write. “The blockchain thus grinds to a complete halt.”
The study authors add: “We find that Bitcoin’s vulnerability to BDoS increases rapidly as the mining industry matures and profitability drops.”
According to Ittay Eyal, a senior lecturer at Technion who co-authored the study, BDoS attacks are different from a type of attack called selfish mining, in which the attacker manipulates the system to get more than their fair share of rewards. In a BDoS attack, the attacker’s aim is to take down a proof-of-work cryptocurrency rather than reap rewards.
Eyal said the findings of the study pertain specifically to Bitcoin, but that it’s likely there are similar attacks against Ethereum. The researchers have not gathered any concrete results on this yet, he said.
They are also trying to continue characterizing the BDoS attack. “We still have many open questions,” said Eyal. “What’s the minimum possible cost for an attack? What kind of mitigations are there?”