A group of researchers in the Decentralized Systems Lab at UIUC found “a series of resource exhaustion vulnerabilities” that affect a number of proof-of-stake networks, including Qtum.
To be clear, no funds were ever at risk. The attack illustrated by the team is a type of denial-of-service (DoS) attack that can only be run against a single node at a time.
Nevertheless, we have been in touch with these researchers for several months through the team’s responsible disclosure of the bug. We appreciate the Decentralized Systems Lab’s research and the way they went about making us aware so we could fix the issue before it was made public over the past week.
The researchers presented two types of attacks:
- “No Stake” — header spam attack
- “Spent stake” — full blocks spam (not possible on Qtum)
As stated in the original article, only the “No Stake” vulnerability affected Qtum; however, we have already mitigated the risks of an attack from this vector in our 0.16.2 release.
The “No Stake” attack consisted of two similar but distinct attack vectors that could allow an attacker to cause a peer to run out of memory in the case of the first attack vector, or disk space in the case of the second attack vector.
The first of these attack vectors was caused by insufficient validation before storing headers in memory. A potential attacker could, therefore, cause peers to run out of memory by flooding them with invalid headers. The reason this was possible is that Qtum inherits Bitcoin’s headers-first feature, which was introduced in version 0.10.0 of Bitcoin. In Bitcoin, the header’s proof-of-work (PoW) is validated before the header is stored in memory. However, there is no PoW in Qtum’s proof-of-stake (PoS) protocol, and the PoS in Qtum can only be fully validated once the full block is received, since the coinstake transaction is located in the block. Therefore a potential attacker could have been able to create numerous invalid headers and send them to peers to cause them to run out of memory.
The second of these attack vectors was related to how and when Qtum does full-block validation. In Qtum, full block validation and coinstake validation are performed when a new block is received that has more total chainwork than the previous tip’s chainwork. In effect, this means that full checking of the PoS is done only when a new block is appended to the current tip, or when a fork’s tip is received that has more total chainwork than the current tip and therefore triggers a block reorganization. However, in earlier versions of Qtum, new blocks were committed to disk if a node received a block with chainwork equal to or greater than the current tip’s chainwork. An attacker could, therefore, make peers commit blocks to disk without the peers fully validating the PoS and cause them to run out of disk space.
Qtum’s v0.16.2, which was a recommended update, included improved network security and bug fixes in the form of:
- Implement network spam protection
- Only request blocks from peers when their chainwork is strictly greater than the current tip
- Add additional header checks for PoS timestamp, block indexes, signature type (LowS), synchronized and rolling checkpoints.
- Add recent checkpoints
- Update nMinimumChainWork, defaultAssumeValid and chainTxData
- Update BLOCK_CHAIN_SIZE
- Fix failing Qt tests in make test on OSX Mojave
- Fix getblocktemplate RPC for PoS blocks
- Fix help messages for walletpassphrase and getnetworkhashps RPCs
The block/disk attack required only a slight adjustment to when Qtum commits blocks to disk. Blocks are now committed to disk only if the block is part of a chain whose tip’s chainwork is greater than the active tip’s chainwork.
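The difference between the two storage rules can be seen in a small model. This is an added example, not Qtum's code: `Node`, `Entry`, `ReceiveBlock` and `DiskAfterFlood` are hypothetical names, every block carries the same work and size, and a block that fails full validation is simply treated as not stored.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Simplified block index entry: cumulative chainwork and whether the body is on disk.
struct Entry { uint64_t chainWork; bool onDisk; };

struct Node {
    bool strictlyGreater;                 // true = rule described for v0.16.2
    std::map<std::string, Entry> index;   // block id -> entry
    std::string tip;
    uint64_t diskBytes;

    explicit Node(bool strict) : strictlyGreater(strict), tip("genesis"), diskBytes(0) {
        index["genesis"] = {1, true};
    }
    // Returns true if the block body was written to disk.
    bool ReceiveBlock(const std::string& id, const std::string& parent,
                      uint64_t work, uint64_t size, bool stakeValid) {
        auto p = index.find(parent);
        if (p == index.end() || index.count(id)) return false;
        uint64_t total = p->second.chainWork + work;
        uint64_t tipWork = index[tip].chainWork;
        bool store = strictlyGreater ? total > tipWork : total >= tipWork;
        if (!store) return false;
        // Full PoS (coinstake) validation only runs for a chain that beats the tip.
        if (total > tipWork && !stakeValid) return false;
        index[id] = {total, true};
        diskBytes += size;
        if (total > tipWork) tip = id;
        return true;
    }
};

// Constructed scenario: n siblings of the tip, none carrying a valid stake.
uint64_t DiskAfterFlood(bool strict, int n) {
    Node node(strict);
    node.ReceiveBlock("a1", "genesis", 1, 1000, true);   // honest tip, total work 2
    for (int i = 0; i < n; ++i)
        node.ReceiveBlock("spam" + std::to_string(i), "genesis", 1, 1000, false);
    return node.diskBytes;
}
```

A sibling of the current tip has exactly the tip's chainwork, so under the "equal to or greater" rule it is written without ever reaching coinstake validation; under the strict rule it is dropped.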
The header/memory attack was mitigated by implementing detection of potential header spam and disconnecting and banning any offending peer. Several checks that were previously only done when the full blocks were received were added to standalone header checking as well, such as making sure that the signature contained in the header was in the correct format before committing the header to memory, since large invalid signatures could be used to amplify header spam.
The network spam protection implemented in v0.16.2 detects peers who are trying to run such “No Stake” attacks and bans them. Now, nodes only request blocks from peers when their chainwork is strictly greater than the current tip. In addition to these countermeasures, we added additional header checks for PoS timestamps, block indexes, signature type (LowS), and synchronized and rolling checkpoints.
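A standalone signature-format gate combined with per-peer penalties might look like the following. This is an added example, not Qtum's implementation: it assumes the header signature is a DER-encoded secp256k1 ECDSA signature, and `HeaderSigFormatOk`, `SpamGuard`, the 72-byte cap, the penalty of 20 and the ban threshold are hypothetical.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <vector>
using Bytes = std::vector<uint8_t>;

// Half of the secp256k1 group order, big-endian. LowS means S <= this value.
static const uint8_t HALF_ORDER[32] = {
    0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0x5D,0x57,0x6E,0x73,0x57,0xA4,0x50,0x1D,0xDF,0xE9,0x2F,0x46,0x68,0x1B,0x20,0xA0};

// Read one minimally encoded, non-negative DER INTEGER into out (right-aligned).
static bool ReadInt(const Bytes& b, size_t& pos, uint8_t out[32]) {
    if (pos + 2 > b.size() || b[pos] != 0x02) return false;
    size_t len = b[pos + 1];
    pos += 2;
    if (len == 0 || len > 33 || pos + len > b.size()) return false;
    if (b[pos] & 0x80) return false;                                   // negative
    if (len > 1 && b[pos] == 0 && !(b[pos + 1] & 0x80)) return false;  // padded
    size_t skip = (len > 1 && b[pos] == 0) ? 1 : 0;
    if (len - skip > 32) return false;
    std::memset(out, 0, 32);
    std::memcpy(out + 32 - (len - skip), &b[pos + skip], len - skip);
    pos += len;
    return true;
}

// Cheap standalone check: bounded size, strict DER shape, low S.
bool HeaderSigFormatOk(const Bytes& sig) {
    if (sig.size() < 8 || sig.size() > 72) return false;  // oversized = amplification
    if (sig[0] != 0x30 || size_t(sig[1]) + 2 != sig.size()) return false;
    uint8_t r[32], s[32];
    size_t pos = 2;
    if (!ReadInt(sig, pos, r) || !ReadInt(sig, pos, s) || pos != sig.size()) return false;
    return std::memcmp(s, HALF_ORDER, 32) <= 0;
}

struct SpamGuard {                 // hypothetical per-node tracker
    int banScore;                  // assumed ban threshold
    std::map<int, int> score;      // peer id -> accumulated penalty
    bool Banned(int peer) const { return score.count(peer) && score.at(peer) >= banScore; }
    // True only if the header may be kept in memory.
    bool Accept(int peer, const Bytes& sig) {
        if (Banned(peer)) return false;
        if (HeaderSigFormatOk(sig)) return true;
        score[peer] += 20;         // assumed penalty per malformed header
        return false;
    }
};
```

The format check runs before anything is stored, so a malformed header costs the node a few comparisons rather than memory, and repeated offenders stop being served at all.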
We believe that these patches should render any attacks near impossible to execute because of the added complexity and security measures implemented. Despite this, we are working on a more comprehensive fix that has passed our preliminary tests, but since it is a comparatively more substantial change to the protocol, we require more tests.