Detailed explanation of Ethereum soft fork DoS attack vectors, three types of people may launch such attacks

Nearly 10 days have passed since the DAO hack on June 17, when nearly $53 million worth of ether was transferred to a contract object nicknamed "Dark DAO". The mechanism of this attack has been widely discussed. Since then, white hat hackers have used the same vulnerability to transfer the remaining funds of the DAO to "White Hat DAO", with the value of this part of ether reaching about $100 million.

For 17 days, the hacker cannot use the funds in the Dark DAO contract, so for now, these funds will not go anywhere. During this period, the Ethereum community issued a statement that it would support freezing the funds in the Dark DAO by means of a soft fork. If all goes well, the soft fork will be activated on June 30, 2016, and buy more time for the community. However, what we are going to discuss today is an attack vulnerability caused by this soft fork.

In this post, we argue that the soft fork itself introduces a new attack vector for Denial of Service (DoS) attacks on Ethereum. We describe how these DoS attacks work, what effects they have on the Ethereum network, and what alternatives we might have. Interestingly, if the community understands such attacks, the actual effect of any DoS attack may be greatly reduced.

With that in mind, let's first look at this DoS scenario.

Soft fork DoS attack

The soft fork implementation currently incorporated into the latest version of Ethereum's mining software, dubbed "DAO Wars," would deem transactions from the Dark DAO contract invalid and reject any blocks that include such transactions.

The intended effect is to freeze the attacker's funds: if a majority of miners accept the soft fork, they will ignore any blocks that contain transactions that helped the attacker move the Dark DAO funds. Then, the Dark DAO funds will be permanently disabled, the ether will be quarantined, and the White Hat DAO funds will be returned to The DAO investors, who will receive 70% of their original investment.

However, this soft fork creates a denial of service attack vector that, if exploited by a hacker, could prevent the network from processing valid transactions at a small cost. Specifically, an attacker could flood the network with transactions that perform difficult computations and execute a kill operation on the DAO contract.

Miners running the soft fork will have to execute these transactions and then discard them, without collecting any fees for the work.

An example of this type of malicious transaction is as follows:

    for (uint32 i = 0; i < 1000000; i++) {
        sha3('some data'); // costly computation
    }
    DarkDAO.splitDAO(...); // render the transaction invalid

Root cause

Currently, Ethereum miners are able to resist denial of service attacks because of gas limits: the more computations they perform, the more gas they collect, and the more money the attacker has to spend. But when the soft fork is implemented, miners will be in a new position where they end up having to perform a lot of work without collecting any compensation, and there is no penalty for the attacker.

This soft fork will create a new kind of transaction, different from the transactions in the current protocol. Currently, the execution of a transaction is either successful and causes a state transition, or encounters an exception, in which case the state is restored. But after the soft fork is implemented, transactions that interact with the DAO will no longer fit into either category: they will not be executed, yet no gas fees will be charged for them. It is inevitable that any soft fork that attempts to freeze stolen funds will cause this situation. Trying to include a transaction without the state transition it should cause will result in invalid blocks, and other nodes will not propagate these blocks. This gives attackers an easy opening.

Worst-case scenario: miners will prioritize transactions with high gas prices. Since malicious transactions don't actually pay for gas, an attacker can set a very high gas price to trick miners into wasting their computing power. This could result in a block that does not process any valid transactions.

Attack Results

This DoS attack is not the end of the world: it does not cause further thefts, nor does it bring substantial benefits to the DAO hacker. The main result is that the Ethereum blockchain will contain a large number of empty blocks, as miners who support the soft fork (which is the majority) will waste their time processing invalid transactions generated by the soft fork rules. Miners who do not support the soft fork will mine more valid blocks, but these blocks will be discarded by the majority of miners who support the soft fork. Therefore, as long as the attack is taking place, Ethereum contracts will not be able to execute, or will proceed more slowly.

DoS attack defense is ineffective

Someone might try to prevent a soft fork DoS attack by examining contract code for the Dark DAO address. This is called static analysis, but it is a naive attempt.

IP blacklisting is even worse

Someone has also proposed an approach in which the network nodes that receive transactions execute them to decide whether they conform to the soft fork rules (i.e., do not call the Dark DAO), and forward them to miners only if they are safe.

This is a terrible idea for three reasons: http://hackingdistributed.com/2016/06/28/ethereum-soft-fork-dos-vector/

A creative solution that is also harmful

Almost any protocol can be deployed as a soft fork, especially a general-purpose platform like Ethereum. In this specific case, we can modify all software that supports the soft fork, including all nodes, wallets, and exchanges, to use a different transfer format but continue to accept old transactions. This creates a backwards-compatible blockchain that maintains forward progress while eliminating the DoS vector.

But this would introduce unnecessary complications to a system that is clean, elegant, and freshly designed. This would be a big mistake for Ethereum, which would repeat Bitcoin’s Segwit soft fork mistake. This clever trick is not a technical debt, but a community debt.

Fortunately, code deployment takes time, and there is no such solution developed, tested, and implemented yet, which is good.

Some measures

Gas Limits: One possible way to reduce the effectiveness of the attack is to simply lower the transaction gas limit. This will freeze complex contracts, but it also limits the attacker. It is only a partial fix: it may reduce the effectiveness of the attack, but it does not fundamentally solve it.

Ban spam addresses: Another possible solution is to ban any address that calls Dark DAO transactions. This means that the attacker cannot reuse the same address to spam the network, which in turn forces him to spend more time creating more wallet addresses. This can effectively reduce the effect of the attack, but it cannot completely eliminate the attack, and this solution needs to be implemented carefully to avoid causing more trouble.
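
The root cause described above and the "ban spam addresses" measure can be seen in a small miner model. This is an added example, not code from the original article or from any Ethereum client; the Tx fields, the work_budget parameter and the sample mempool are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    sender: str
    gas_price: int          # price offered per unit of gas
    gas_used: int           # execution work the miner performs
    touches_dark_dao: bool  # only learned by executing the transaction

def build_block(mempool, work_budget, ban_senders=False):
    """Toy soft-fork miner. work_budget (an assumption of this model) is the
    execution work a miner can afford before the next block is due."""
    included, fees, wasted, spent, banned = [], 0, 0, 0, set()
    # Miners prioritise by gas price, highest first.
    for tx in sorted(mempool, key=lambda t: -t.gas_price):
        if ban_senders and tx.sender in banned:
            continue                      # rejected without executing
        if spent + tx.gas_used > work_budget:
            continue                      # no time left for this one
        spent += tx.gas_used              # the work is done either way
        if tx.touches_dark_dao:
            wasted += tx.gas_used         # soft-fork rule: discard, no fee
            banned.add(tx.sender)
        else:
            included.append(tx)
            fees += tx.gas_price * tx.gas_used
    return included, fees, wasted

# Constructed sample mempool: five ordinary transfers plus ten high-priced
# transactions that end by calling the Dark DAO.
HONEST = [Tx(f"user{i}", 20, 21_000, False) for i in range(5)]
FLOOD_ONE_ADDR = [Tx("spam0", 1_000, 1_000_000, True) for _ in range(10)]
FLOOD_MANY_ADDR = [Tx(f"spam{i}", 1_000, 1_000_000, True) for i in range(10)]
BUDGET = 4_000_000

def summary(mempool, **kw):
    """Return (transactions included, fees collected, unpaid work)."""
    included, fees, wasted = build_block(mempool, BUDGET, **kw)
    return len(included), fees, wasted

if __name__ == "__main__":
    print("no flood          ", summary(HONEST))
    print("flood, no ban     ", summary(HONEST + FLOOD_ONE_ADDR))
    print("flood, ban senders", summary(HONEST + FLOOD_ONE_ADDR, ban_senders=True))
    print("many addrs, ban   ", summary(HONEST + FLOOD_MANY_ADDR, ban_senders=True))
```

In this model the flood produces an empty, fee-less block; banning the sender restores the ordinary transactions at the cost of one unpaid execution, and the last case shows why the article calls the ban only a partial measure.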

Who would perform this kind of DoS attack?

It is common for network protocols to have openings for attacks that no one in the real world will carry out, because there is no incentive to exploit them. Sadly, we are concerned that someone could launch such an attack against Ethereum.

There are three types of people who might perform this soft fork DoS attack, two of which are unlikely, and the third is quite dangerous.

  1. Miners who do not support the soft fork may take this approach to attack miners who support the soft fork. Although we have seen this kind of malicious behavior in the Bitcoin world, it is still rare.

  2. The DAO hacker may use this method to attack the miners who pay for the soft fork and make them abandon their support for the soft fork. We may see the hacker continue this attack until he is able to transfer his funds from the Dark DAO contract, which is sometime in July. However, Alex van de Sande also stated that the hacker is not the administrator of the Dark DAO, so even if the hacker is able to disrupt the miners to implement the soft fork, he will not be able to take the funds.

  3. The most dangerous group is the "griefers", who may launch a DoS attack in order to short Ethereum and make its price fall in the short term. Similarly, extremists who believe that cryptocurrency is a zero-sum game may also participate in sabotage. Of course, those who want to attack Ethereum miners may also participate. Because there is no cost for such an attack at present, these groups are likely to launch an attack.

Alternatives

No fork: One option is to avoid a fork, which could result in The DAO investors losing 30%-100% of their investment.

Stay committed to the soft fork: We can proceed with the soft fork as planned, fully aware of the potential for DoS attacks.

Hard Fork: From a technical perspective, a hard fork is the cleanest, simplest, and safest option, but the debate surrounding this option is not just technical, and we will avoid this option, although it is an interesting and valuable topic.

In conclusion

The soft fork currently deployed on Ethereum introduces a DoS attack vector. If the soft fork is activated as scheduled, the Ethereum community should be prepared for possible DoS attacks, which may degrade the performance of the Ethereum network. We urge the Ethereum community to reach a consensus as soon as possible and resolve The DAO incident.

