Replay Attack

Chapter 0 Introduction

After the Ethereum hard fork, a large number of "replay attacks" occurred. Some exchanges claimed that they lost coins, and there were even more cases of users losing coins. So what exactly is a replay attack?

Chapter 1 "Replay Attack" in Computer Terms

The "replay attack" that occurred after the Ethereum hard fork is not the same thing as the traditional computing term.

The traditional term "replay attack" refers to identity fraud. The definition on Wikipedia is very clear, as follows:

Assume that Alice authenticates herself to Bob. Bob asks her to provide a password as her identity information. Meanwhile, Eve eavesdrops on their communication and records the password. After Alice and Bob finish communicating, Eve contacts Bob, pretending to be Alice. When Bob asks for the password, Eve sends Alice's password, and Bob recognizes that the person communicating with him is Alice.

The "replay attack" caused by the Ethereum hard fork is not identity fraud. Transactions on one chain are often legal on another chain, and transactions can be re-broadcast on another chain, so it is called a "replay attack", but this is not an "attack" in essence.

Chapter 2 Ethereum Hard Fork: A Serious “Replay Attack”

Ethereum had a hard fork at block height 1.92 million, resulting in two chains, called ETH chain and ETH Classic chain, with tokens called ETH and ETHc. The address and private key generation algorithms on these two chains are the same, and the transaction formats are exactly the same, so a transaction on one chain is completely legal on the other chain. Therefore, a transaction you initiate on one chain can be rebroadcast on the other chain and may also be confirmed there. This is a "replay attack."

Let's use an example. The "replay attack" that occurred after the Ethereum hard fork was as follows:

1. Ethereum hard forked into two chains at block height 1920000, called ETH chain and ETH Classic chain, and the tokens on them are called ETH and ETHc respectively.

2. All ETH held before the hard fork height is valid on both chains after the fork, that is, anyone holding ETH before the fork is automatically given an equal amount of ETHc.

3. A user holds ETH from before the hard fork height. Using a local wallet whose private key he controls (this works the same way for both ETH chain and ETH Classic chain wallets), the user sends a transaction to deposit the ETH into his account at an exchange. However, both the ETH chain and the ETH Classic chain recognize this transaction; it is legal on both and will be included in a block. In other words, the user originally broadcast the transaction on one chain, but it can be "replayed" and broadcast on the other chain. (You can broadcast it yourself with your wallet, or some person or program may find your transaction information and broadcast it for you.)

4. Because the exchange deposit account is, from the user's point of view, an off-chain wallet, if the exchange does not give the ETHc to you, you will lose the ETHc that should belong to you.

5. If the user stored ETH in an exchange before the hard fork height, in principle the exchange should provide the user with two currencies. When the user withdraws ETH from the exchange to the local wallet, the currency withdrawn happens to be the currency before the hard fork height. And you have installed two wallets on your own computer, namely the ETH chain wallet and the ETH Classic chain wallet, and the withdrawal address is generated on the ETH chain wallet, and then imported into the ETH Classic chain wallet by importing the private key. Then when you withdraw the currency, you can broadcast your withdrawal transaction on both chains, so that your two local wallets can receive the same amount of currency.

6. In step 5, if the user has only one wallet installed, such as the ETH chain wallet, then the other ETHc will not be received, but it will not be lost, because your private key for receiving coins is the same as your ETH chain. You just need to extract this private key and import it into the ETH Classic chain wallet.

7. In step 5, suppose the user withdraws ETH in order to deposit it at another exchange, such as withdrawing ETH from Yunbi to P.com. In that case P.com credits the user with only one currency, namely ETH, so the user loses the ETHc. Who has the lost ETHc? P.com has it. If the user goes back to ask Yunbi Exchange for a copy of the ETHc, and Yunbi is very kind and responsible and really gives it to him, then Yunbi has in effect lost a copy of ETHc.

8. For any coin held after the 1.92 million block height, the situation is more complicated. For example, a coin from before the hard fork is sent to an address 1 after the hard fork, and this address 1 is valid on both ETH and ETHc. Then the coin you received on the ETH chain is sent again, from address 1 to address 2. We record this transaction as transaction 2. This transaction is also valid on the ETH Classic chain and can be replayed. We record the replayed transaction as transaction 2′. But suppose there is a way to make transaction 2 succeed while transaction 2′ fails, that is, the coin on the ETH chain is successfully sent from address 1 to address 2, but the transfer from address 1 to address 2 on the ETH Classic chain fails. In this case, the coin at address 2 on the ETH chain cannot be replayed on the ETH Classic chain when it is spent again.

9. In step 8, under what circumstances can transaction 2′ fail? In other words, how can we solve the replay attack? One way is to launch a double-spending attack on transaction 2′ after it is sent but while it still has 0 confirmations. That is, use the same private key to sign again, replacing transaction 2′ with one that sends the coins to another address 3. If transaction 2 succeeds and transaction 2′ fails, the coins in address 2 on the ETH chain and address 3 on the ETH Classic chain cannot be replayed.

Can you simply not broadcast transaction 2′ on the ETH Classic chain? No. If you don’t broadcast it, someone will broadcast it for you. The transaction information is not encrypted. Who knows which bad guy will find your transaction information and broadcast it for you, and then your coins on this branch will be sent to address 2 on this chain.

But doing this for all ETH addresses and ETHc addresses (the two are exactly the same; an ETH address is also an ETHc address), so that each address holds coins on one chain but not on the other, is almost impossible, because there are too many addresses. In other words, it is impossible to completely solve the replay problem with this method.

But as a user, you can use this method to separate your ETH and ETHc, so that the two sit at different addresses and you no longer need to think about whether a transaction on one chain will be replayed on the other. But the question is, who is able to launch a double-spending attack on a 0-confirmation transaction? It seems difficult, so I think ordinary users basically can't do it. Exchanges should be able to do it.

10. Another way is to launch a 51% attack on one of the chains and directly destroy one of the chains, so that its computing power drops to zero and its height no longer rises, that is, the chain is dead. In this way, the problem is completely solved.

Or the price of one of the chains could drop to a very low level, so that no one cares about it anymore and no one bothers to replay the transaction.
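The replay in step 3 and the split in steps 8 and 9, as an added example (not code from the original article): a simplified Python model in which an HMAC stands in for the real signature and each account carries a transaction counter (nonce), as Ethereum accounts do. The addresses, key and amounts are constructed.

```python
import hashlib, hmac

# Constructed toy model, not real Ethereum code: an HMAC under a per-address
# secret stands in for the ECDSA signature, and KEYS lets a chain "verify" it.
KEYS = {"addr1": b"constructed-demo-key"}

def _mac(sender, to, value, nonce):
    # The signed fields name no chain, so the signature is chain-agnostic.
    body = f"{sender}|{to}|{value}|{nonce}".encode()
    return hmac.new(KEYS[sender], body, hashlib.sha256).hexdigest()

def sign_tx(sender, to, value, nonce):
    return {"from": sender, "to": to, "value": value, "nonce": nonce,
            "sig": _mac(sender, to, value, nonce)}

class Chain:
    def __init__(self, balances, nonces=None):
        self.balances, self.nonces = dict(balances), dict(nonces or {})

    def fork(self):
        # Each side of the fork inherits the same balances and nonces.
        return Chain(self.balances, self.nonces)

    def apply(self, tx):
        """Confirm tx only if signature, nonce and balance all check out."""
        s, to, v, n = tx["from"], tx["to"], tx["value"], tx["nonce"]
        if not hmac.compare_digest(_mac(s, to, v, n), tx["sig"]):
            return False
        if n != self.nonces.get(s, 0) or self.balances.get(s, 0) < v:
            return False
        self.balances[s] = self.balances.get(s, 0) - v
        self.balances[to] = self.balances.get(to, 0) + v
        self.nonces[s] = n + 1
        return True

def replay_demo():
    pre = Chain({"addr1": 10})
    eth, classic = pre.fork(), pre.fork()
    tx2 = sign_tx("addr1", "addr2", 10, 0)
    # Transaction 2 confirms on ETH; the same bytes (2') confirm on Classic.
    return eth.apply(tx2), classic.apply(tx2)

def split_demo():
    pre = Chain({"addr1": 10})
    eth, classic = pre.fork(), pre.fork()
    tx2 = sign_tx("addr1", "addr2", 10, 0)
    conflict = sign_tx("addr1", "addr3", 10, 0)  # same nonce, other recipient
    # Classic confirms the conflicting spend first, so 2' is rejected there.
    return (eth.apply(tx2), classic.apply(conflict), classic.apply(tx2),
            eth.balances, classic.balances)
```

After `split_demo()`, the coins sit at address 2 on one chain and address 3 on the other, so a later spend from either address has no balance to move on the opposite chain.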

Chapter 3 The impact of replay attacks on nodes in the Ethereum economic ecosystem

Ethereum is currently a big problem for users, because both ETH and ETHc have good economic volume, and if users cannot solve the possibility of their coins being replayed, it will be difficult for them to sell one coin while keeping the other. Otherwise, it can only be done with the assistance of conscientious exchanges. If the two coins exist for a long time, users will be confused, and any normal person will ask: "Why the hell is this happening!" Users are the ones who ultimately give Ethereum value. If users leave, what's the point of playing?

If a user can ignore one of the coins and only love the other, for example, only use ETH and not ETHc, then for the user, the replay attack is as if it does not exist. But how many people can do this? Knowing that they can get more money by replaying the transaction, who can not care!

If it is a new user, there is nothing to be confused about. If the new user buys one of the coins, it is difficult for him to have the opportunity to get another coin by replaying the transaction, unless the exchange is stupid.

Originally, users received a free copy of ETHc, but now they have to be careful with their coins to avoid losing them due to replay. This is the best of times, this is the worst of times.

At present, the economic activities of ETH and ETHc are basically still retained in the exchange. According to news reports, the exchange is now basically capable of resolving replay transactions. The previous losses have also been compensated and the responsibility has been divided with the users. Any ETH and ETHc, once it has passed through the exchange, is just one currency for the user. But the question is how the exchange resolves replay transactions. There are two solutions: not doing evil and doing evil. The scary thing is that doing evil is also legal (in accordance with the law of the Ethereum blockchain).

A good exchange will try to replay the transaction to the other chain when receiving the user's ETH or ETHc. If the replay is successful, the user will be credited with two coins. If it fails, the user will be credited with one coin. Then the coins will be completely separated within the exchange so that each exists on only one chain. A bad exchange will only record the coin that the user deposited, and will replay the transaction. If it succeeds, the exchange will keep the money for itself.

There are smart exchanges and dumb exchanges. Smart exchanges will completely separate the two currencies that users deposit. When a user buys one of the currencies and withdraws the currency, the transaction cannot be replayed to another chain. Stupid exchanges will not separate the two currencies. When a user withdraws one currency, the transaction will be replayed to another chain. If successful, the user will get a sum of money for free.

What about miners and mining pools? It doesn’t matter. If they mine ETH, they can’t mine ETHc. Replay attacks are not a big problem for them, and newly mined coins cannot be replayed. After calculating the difficulty and price, they will mine whichever one is more profitable. It doesn’t matter.

There are still developers in the Ethereum economic ecosystem, and the Ethereum Foundation is currently embracing ETH Classic. How generous! I don’t understand.

Based on the above analysis, in the Ethereum economic ecosystem, users suffer the most trouble due to the existence of replay attacks; exchanges are subject to the test of conscience and technology; while miners and developers do not seem to be greatly affected.

I think everyone's confidence will be hit in this chaotic situation. If everyone wants to continue to make money on this chain, they have to find a way to kill one of them.

Chapter 4 Conclusion

At first everyone thought they were getting a free ETHc, but now they have to be careful with their coins to avoid losing them due to replay. This is the best of times, this is the worst of times.

(Thanks to Qiu Liang, CEO of Yunbi.com, for answering questions)

