Broken Metre: Attacking Resource Metering in EVM

Blockchain systems, such as Ethereum, use an approach called "metering" to assign a cost to smart contract execution, an approach which is designed to incentivise miners to operate the network and protect it against DoS attacks. In the past, the imperfections of Ethereum metering allowed several DoS attacks which were countered through modification of the metering mechanism. This paper presents a new DoS attack on Ethereum which systematically exploits its metering mechanism. We first replay and analyse several months of transactions, during which we discover a number of discrepancies in the metering model, such as significant inconsistencies in the pricing of the instructions. We further demonstrate that there is very little correlation between the execution cost and the utilised resources, such as CPU and memory. Based on these observations, we present a new type of DoS attack we call Resource Exhaustion Attack, which uses these imperfections to generate low-throughput contracts. To do this, we design a genetic algorithm that generates contracts with a throughput on average 200 times slower than typical contracts. We then show that all major Ethereum client implementations are vulnerable and, if running on commodity hardware, would be unable to stay in sync with the network when under attack. We argue that such an attack could be financially attractive not only for Ethereum competitors and speculators, but also for Ethereum miners. Finally, we discuss short-term and potential long-term fixes against such attacks. Our attack has been responsibly disclosed to the Ethereum Foundation and awarded a bug bounty reward of 5,000 USD.

[1]  C. Cordell Green,et al.  What Is Program Synthesis? , 1985, J. Autom. Reason..

[2]  Darrell Whitley,et al.  A genetic algorithm tutorial , 1994, Statistics and Computing.

[3]  Michael Mitzenmacher,et al.  Compressed bloom filters , 2001, PODC '01.

[4]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[5]  Paul A. Watters,et al.  Statistics in a nutshell - a desktop quick reference , 2008 .

[6]  Elvira Albert,et al.  Automatic Inference of Upper Bounds for Recurrence Relations in Cost Analysis , 2008, SAS.

[7]  Heng Tao Shen,et al.  Principal Component Analysis , 2009, Encyclopedia of Biometrics.

[8]  Emin Gün Sirer,et al.  Majority Is Not Enough: Bitcoin Mining Is Vulnerable , 2013, Financial Cryptography.

[9]  Vitalik Buterin A NEXT GENERATION SMART CONTRACT & DECENTRALIZED APPLICATION PLATFORM , 2015 .

[10]  A. Murawski Foundations and Trends R © in Programming Languages , 2016 .

[11]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[12]  Xiapu Luo,et al.  Under-optimized smart contracts devour your money , 2017, 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER).

[13]  Zibin Zheng,et al.  A Detailed and Real-Time Performance Monitoring Framework for Blockchain Systems , 2017, 2018 IEEE/ACM 40th International Conference on Software Engineering: Software Engineering in Practice Track (ICSE-SEIP).

[14]  Massimo Bartoletti,et al.  A Survey of Attacks on Ethereum Smart Contracts (SoK) , 2017, POST.

[15]  Ying Wang,et al.  An Adaptive Gas Cost Mechanism for Ethereum to Defend Against Under-Priced DoS Attacks , 2017, ISPEC.

[16]  Sumit Gulwani,et al.  Program Synthesis , 2014, Software Systems Safety.

[17]  Chris Dannen,et al.  Introducing Ethereum and Solidity: Foundations of Cryptocurrency and Blockchain Programming for Beginners , 2017 .

[18]  George Danezis,et al.  Chainspace: A Sharded Smart Contracts Platform , 2017, NDSS.

[19]  William J. Knottenbelt,et al.  Towards Safer Smart Contracts: A Survey of Languages and Verification Methods , 2018, ArXiv.

[20]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[21]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[22]  Yannis Smaragdakis,et al.  MadMax: surviving out-of-gas conditions in Ethereum smart contracts , 2018, Proc. ACM Program. Lang..

[23]  Vincent Gramoli,et al.  Vandal: A Scalable Security Analysis Framework for Smart Contracts , 2018, ArXiv.

[24]  Natasha Sharygina,et al.  Computing Exact Worst-Case Gas Consumption for Smart Contracts , 2018, ISoLA.

[25]  Yi Zhou,et al.  Erays: Reverse Engineering Ethereum's Opaque Smart Contracts , 2018, USENIX Security Symposium.

[26]  Albert Rubio,et al.  GASTAP: A Gas Analyzer for Smart Contracts , 2018, ArXiv.

[27]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[28]  Toby Murray,et al.  Empirically Analyzing Ethereum's Gas Mechanism , 2019, 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW).

[29]  Henry M. Kim,et al.  Understanding a Revolutionary and Flawed Grand Experiment in Blockchain: The DAO Attack , 2017, J. Cases Inf. Technol..