EOS “Transaction Congestion Attack”: Attackers Could Paralyze EOS Network with Minimal Cost


Transaction congestion attack details

Figure 1 shows the execution procedure of a typical EOS transaction. A user sends a transaction request to an API node using the cleos client or some other means; the API node processes the request, and the request eventually reaches a BP and is included in a block.

Attack cost estimation

If the attacker's large number of deferred transactions all went onto the EOS chain, they would cost the attacker a huge amount of CPU time. But transactions that time out on a BP do not go onto the EOS Mainnet; instead they are rolled back, so they cost the attacker no CPU time. In reality, however, the CPU time is used up and normal transactions cannot be executed. At the current price of 50ms/EOS token, staking one EOS can block the EOS Mainnet for several seconds, and the owner may get that EOS back after 24 hours. Therefore, with a small amount of EOS tokens, an attacker can attack the EOS Mainnet repeatedly and get those tokens back later, so her cost is close to zero.

Attack reproduction test

Based on the above analysis, we ran a short confirmation test. Our test transactions included 100 and 300 deferred transactions, and every deferred transaction executed an infinite loop until it timed out. Figure 3 shows the effect caused by the 300 deferred transactions:

Potential risk and effect

Unlike security issues in the contract layer, loopholes in the blockchain layer could affect every participant in the ecosystem, including BPs, DApp developers, and every user.
Recently, PeckShield introduced a blockchain security product, DAppShield, which can analyze hackers' attack signatures, warn DApp developers, and provide repair suggestions. EOS.Win was the first victim of this type of attack, but the attacker could try the attack on all other DApps and inflict much more damage.

Mitigations

We reported the issue to block.one soon after we identified it. They finished the patch in one day, which was efficient and impressive. The patch fixes the denial-of-service loophole by limiting the CPU time spent processing pending deferred transactions in each block, which reserves some CPU time for user-signed transactions. Most of the BPs of the EOS Mainnet have now been patched. We would like to point out that DApp developers should keep in mind that they cannot rely on TXs being delivered, and that the timing of delivery is not absolutely predictable.
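The effect of that per-block limit can be seen in a small scheduling model. This is an added example, not PeckShield's or block.one's code: the CPU budgets, the deferred-first ordering and all names (`simulate`, `Summary`, `deferred_cap_ms`) are assumptions chosen for illustration, not nodeos parameters.

```python
from dataclasses import dataclass

# Constructed parameters for illustration; these are not nodeos defaults.
BLOCK_CPU_MS = 200    # CPU time a BP can spend per block
TX_TIMEOUT_MS = 25    # a looping deferred tx runs this long, then is rolled back
USER_TX_MS = 5        # CPU cost of one ordinary user-signed transaction

@dataclass
class Summary:
    user_included: int       # user-signed txs that made it into blocks
    starved_blocks: int      # blocks with no room for any user-signed tx
    deferred_remaining: int  # deferred backlog still pending at the end
    cpu_burned_ms: int       # BP CPU time consumed by timed-out deferred txs
    cpu_billed_ms: int       # CPU billed to the sender for those txs

def simulate(pending_deferred, user_per_block, blocks, deferred_cap_ms=None):
    """Model `blocks` consecutive blocks of a single BP.

    deferred_cap_ms=None models the unpatched scheduler, where pending
    deferred txs may use the whole block. A number models the patch: deferred
    processing stops at the cap and the rest is reserved for user-signed txs.
    """
    cap = BLOCK_CPU_MS if deferred_cap_ms is None else deferred_cap_ms
    s = Summary(0, 0, pending_deferred, 0, 0)
    for _ in range(blocks):
        used = 0
        # Phase 1 (model assumption): pending deferred txs are drained first.
        while s.deferred_remaining and used + TX_TIMEOUT_MS <= cap:
            used += TX_TIMEOUT_MS      # CPU time is really spent by the BP...
            s.deferred_remaining -= 1  # ...but the tx times out, is rolled
            s.cpu_burned_ms += TX_TIMEOUT_MS  # back, and nothing is billed
        # Phase 2: user-signed txs get whatever block CPU time is left.
        room = (BLOCK_CPU_MS - used) // USER_TX_MS
        included = min(user_per_block, room)
        s.user_included += included
        if included == 0 and user_per_block > 0:
            s.starved_blocks += 1
    return s

if __name__ == "__main__":
    # 300 deferred txs as in the test above; 20 user txs offered per block.
    print("unpatched:", simulate(300, 20, 10))
    print("patched:  ", simulate(300, 20, 10, deferred_cap_ms=50))
```

With the cap in place the deferred backlog drains more slowly, but every block still carries user-signed transactions; the trade-off is slower, less predictable delivery of deferred transactions, which is the caveat for DApp developers noted above.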

Timeline

About us

PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us via Telegram, Twitter, or email.
