Ethereum is a blockchain designed to act as a decentralized computing platform where every node of the Ethereum network executes upon request the codes written in the blockchain. Those codes are usually referred to as smart-contracts and written in specific domain languages like Solidity before being compiled in opcodes for the Ethereum Virtual Machine (EVM).
On June 17th 2016 a code vulnerability was exploited in a highly-publicized smart-contract called The DAO (Decentralized Autonomous Organization). The DAO was a blockchain based venture capital fund that held 11.5 million ETH valued 50 millions USD at the time of the hack. The blockchain protocol itself didn’t misbehave but the event shed light on security issues of smart-contract programming languages. Since then many improvements have been made on best practices and smart-contract security by advocating for unitary testing, formal verification and better design. Ethereum Devcon2, held in Shanghai from September 19th to 21st, showcased many security discussions. The event could have been ruined by a large attack that started a few hours before but it failed to shut down the network. Ethereum remained afloat proving both its resilience and the haste of the developers to provide fixes. Let’s dive into the events of the last three months.
Part 1: recalibrating to handle denial of service
Part 2: introducing new features
Resisting denial of service : fluctuat nec mergitur
J.M.W. Turner — Snow Storm – Steam-Boat off a Harbour’s Mouth (1842)
At block 2,283,249, that is to say September 18th around 4am Shanghai time, a malicious contract was deployed on the Ethereum blockchain by the transaction 0x21090b64(…). The machine language (opcode) of the contract contains the operation PUSH20 that puts on the stack of the EVM a 20 bytes string “fromshanghaiwithlove”… The operation EXTCODESIZE was also present in the contract and used as an attack vector. This operation demands to read the size of the code in another Ethereum account and proved itself underpriced in the initial calibration specified by Ethereum yellow paper (cf. Gextcode appendix G).
Each opcode in the EVM is priced in gas which acts as an internal currency and a practical solution to the halting problem. When a user send a transaction to a smartcontract a set of opcodes is triggered with a gas count. The user can estimate the amount of gas the operation will require as opcodes are publicly readable on the blockchain. The user then choses its acceptable price for the gas in ether, the cryptocurrency of the Ethereum blockchain. This somewhat curious scheme of having a cryptocurrency (ether) and a subcurrency (gas) is actually a clever way to guaranty that the cost of executing a smart-contract won’t vary much with the price of the ether. Indeed the miners of the network can individually tweak the gas price they demand to include a transaction in the blockchain. Competition among miners puts pressure on the gas price as the price of ether in fiat currency rise. In the end the price of gas multiplied by the number of gas consumed is the fee for a transaction. If the provided fee turns out not to be enough for the request, the computation stops therefore handling the halting problem as the transaction runs “out of gas”.
A basic transaction can illustrate this balancing mechanism, transferring value between two addresses has a fixed cost of 21 000 gas. The average price of gas is 0.0000000231 ether nowadays and was 0.0000000600 ether a year ago. The valuation of ether against euro was multiplied by a factor 10 over that period. You can note that the gas didn’t follow the exact opposite pricing against ether.
If opcodes are properly calibrated there should be no opportunity for someone to carry a denial of service attack without paying a considerable price. The DoS attack consisted in flooding the network with transactions calling multiple underpriced operations resulting in overloading nodes. The attack mainly affected the node running Geth, the most popular implementation of Ethereum written in Go but had little on Parity (written in Rust) the second most popular Ethereum client. Contrary to Bitcoin where 96% of the clients derive from the Core implementation written in C++, Ethereum has several implementations handling operations with different constraints:
Name of the client (langage) – developpers
- Go-ethereum (Go) – Ethereum Foundation
- Parity (Rust) – Ethcore
- cpp-ethereum (C++)- Ethereum Foundation
- pyethapp (Python) – Ethereum Foundation
- Ethereum(J) (Java) –
- ruby-ethereum (Ruby) – Jan Xie
- ethereumH (Haskell) – BlockApps
Nightly rush in Shanghai
The attack happened the night before the start of Devcon2 gathering the vast majority of the Ethereum developers. The reaction was quick and adequate. The Go-Ethereum team were working on a fix while the mining pools adjusted the gas price.
From Shanghai with Love — 5am, the Go-Ethereum team counter-attacks in an improvised war-room at Hyatt on the Bund.
Credit: Alex van de Sande
Releasing the update 1.4.12 « From Shanghai, with love » of Geth wasn’t a breeze as the upload had to cross China’s Great Firewall. Consequently the start of Devcon2 was only delayed by 30 minutes. People were also tracking and analyzing suspicious activity in the blockchain to provide more intelligence regarding the attack. For example, the transation 0x5c19695f(…) with a message in German ‘‘Go home’’ (Fahrt nach Hause) was spotted and its author rapidly explained himself.
The attack didn’t stop there as more vulnerabilities were exploited leading to successive Geth versions over the next 30 days:
- From Shanghai, with love (1.4.12)
- Into the Woods (1.4.13)
- What else should we rewrite? (1.4.14)
- Come at me Bro (1.4.15) (Rust)
- Dear Diary (v1.4.16)
- Poolaid (v1.4.17)
- Note 7 (v1.4.18)
From September to October, the network slowed down but didn’t halt
J.M.W. Turner — Ulysses deriding Polyphemus (1829)
The attack was partially contained by a rise in gas price:
The average Gas Limit (i.e the maximum gas in a single block) was also reduced down to 500 000 gas by the miners:
Disparity among mining strategies and reactions led to more uncles being mined. Uncles are valid blocks but didn’t spread fast enough in the network. The average blocktime (i.e. the time between two blocks) remained at its constant rate of 14 seconds.
This turmoil delayed the deployment of some large smart-contracts while some were deployed in collaboration with mining pools. The attack was stopped by a hard fork on October 17th at block 2 457 000 implementing the recalibration of opcode gas.
J.M.W. Turner — Rain, Steam and Speed – The Great Western Railway (1844)
- End of Part 1 – Lessons learned
The denial of service attack itself costed around 150 ETH (1 650 USD) per day to the assailant without a clear financial upside to profit from on trading platforms as the price of ether remained relatively steady during the period. Some even argued that this attack was a philanthropic large scale stress test notably because the Ethereum Foundation has a bug bounty program. The attack also led to new ideas like setting up a gas market.
Non-obfuscating blockchains like Bitcoin and Ethereum hold assets that are non-fungible and allow tracking transactions to their origins. Investigations on the provenance of the attacker’s funds led to an old pooled mining activity. While solo miners can remain relatively anonymous, the miners that join a pool often let the pool know their IP address. The pool involved has been in communication with the Ethereum Foundation but no action has been taken yet.
The Ethereum’s blockchain ambition comes with a large surface of attack. Failure in the code of a smart-contract as well as lack of reactivity in network attacks have considerable consequences. This is a factor to take into account when designing a private of permissioned blockchain scheme. Ethereum public blockchain can rely on a reactive community of developers and miners, along with the security of publicly auditable codes. Part 2 of this post will make a review of mid-November to mid-December activity, let’s conclude this part with an answer to the question title of Genesis Mining’s article about the consequences of The DAO hack, Quo Vadis Ethereum ?
– Curro de furca in furcam et melior factus sum (I run from fork to fork and I improve myself)
J.M.W. Turner — Sun Setting over a Lake (vers 1840 — unfinished)