1 Exploring the Attack Surface of : A Systematic Overview Muhammad Saad, Jeffrey Spaulding, Laurent Njilla, Charles Kamhoua, Sachin Shetty, DaeHun Nyang, and Aziz Mohaisen

Abstract—In this paper, we systematically explore the attack a decentralized autonomous organization that operates on surface of the Blockchain technology, with an emphasis on public Blockchain-based smart contracts, or pre-programmed rules . Towards this goal, we attribute attack viability in that govern the organization [48]. In August 2016, the attack surface to 1) the Blockchain cryptographic constructs, 2) the distributed architecture of the systems using Blockchain, worth $72 million USD were stolen from the exchange plat- and 3) the Blockchain application context. To each of those form Bitfinex in Hong Kong [49]. In June 2017, Bitfinex also contributing factors, we outline several attacks, including selfish experienced a distributed denial-of-service (DDoS) attack that mining, the 51% attack, Domain Name System (DNS) attacks, led to its temporary suspension. Several exchanges of distributed denial-of-service (DDoS) attacks, consensus delay and (a Blockchain-based distributed computing plat- (due to selfish behavior or distributed denial-of-service attacks), Blockchain forks, orphaned and stale blocks, block ingestion, form) have also suffered from DDoS attacks and DNS attacks wallet thefts, attacks, and privacy attacks. We frequently, hampering the service availability to the users. also explore the causal relationships between these attacks to Often times these attacks are launched on blockchain- demonstrate how various attack vectors are connected to one applications due to their popularity or the capital involved in another. A secondary contribution of this work is outlining their system. For instance, with Bitcoin, such attacks can cause effective defense measures taken by the Blockchain technology or proposed by researchers to mitigate the effects of these attacks devaluation of the , loss of mining rewards, and patch associated vulnerabilities. or even closure of cryptocurrency exchanges [29]. Bitcoin’s Blockchain is also targeted with dust or spam transactions Index Terms—Blockchain; Security; Attack Surface; Applica- tions; Peer-to-Peer Systems to delay the processing of legitimate transactions. In May, August, and November 2017, memory pools of Bitcoin were flooded with dust transactions to create stalls and delays in I.INTRODUCTION transaction verification, and to increase Bitcoin mining fee Blockchain technology is being explored in many inno- [33]. The transaction stall in November 2017, for example, vative applications, such as [1]–[3], smart resulted in a payment delay of $700 million USD worth contracts [4], [5], communication systems [6], [7], health care bitcoins [50]. Often the intent of such attacks is to motivate [8], [9], Internet of Things [10], [11], financial systems [12], the Bitcoin users to move to other cryptocurrencies with faster [13], censorship resistance [14], electronic voting [15], [16], transaction processing time. and distributed provenance [17]–[19], among others. Using Due to a publicly verifiable nature, Blockchain-based cryp- Blockchain’s transparent and fully distributed peer-to-peer tocurrencies are vulnerable to several fraudulent activities. Mt. architecture, these applications benefit from an append-only Gox, a Bitcoin currency exchange in Japan, was attacked by model in which “transactions” accepted in the Blockchain two malicious users who stole $460 million USD worth of cannot be modified [18], [20], [21]. The transparency of bitcoins [51]. The attackers gathered useful information from the Blockchain enables storing publicly verifiable and unde- Bitcoin’s Blockchain and engineered a fake transaction ripple niable records [22]. Furthermore, the Blockchain’s peer-to- to increase the market price. Due to such activities, Mt. Gox arXiv:1904.03487v1 [cs.CR] 6 Apr 2019 peer system provides verifiable maintenance without suffered a heavy loss and eventually became bankrupt. a centralized authority, thus addressing the single point-of- In May and June 2018, five Blockchain-based cryptocurren- failure and single point-of-trust [23]. For instance, Bitcoin (a cies; namely, Monacoin, , Zencash, , and popular cryptocurrency using Blockchain technology) takes Cash, were targeted by a 51% attack [52], leading to advantage of the aforementioned properties, making it easy a loss of $5 million USD. The attackers in each cryptocurrency to verify the history of financial transactions [24], [25]. were able to gain more than 51% of the networks’ hash rate Despite the functional features that Blockchain brings to which was used to rearrange transactions and prevent other the design space of these applications [43], recent reports miners from computing blocks. As a result, they were able to have highlighted the security risks associated with this tech- gain control over the Blockchain and perform double-spending nology [10], [44]–[47]. For instance, in June 2016 an unknown on valuable transactions [53], [54]. attacker managed to drain $50 million USD from “The DAO”, The security of Blockchain systems is important for their acceptability by potential users [55]. For example, investors M. Saad, J. Spaulding, and A. Mohaisen are with the Department of Computer Science at the University of Central Florida, Florida 32816, USA. take the security of Bitcoin into account when studying the L. Njilla is with the Air Force Research Laboratory, Rome, NY, USA. C. risks associated with their investments and use of this tech- Kamhoua is with the Army Research Laboratory, MD, USA. S. Shetty is with nology. Understanding the threats associated with Blockchain the Old Dominion University, VA, USA. D. Nyang is with INHA University, Incheon, South Korea. The work of D. Nyang was done while visiting the systems in general is a first step towards realizing the potential University of Central Florida. of applications built on it. To this end, this work is dedicated 2

TABLE I ATTACK VECTORS RELATED TO THE ATTACK CLASS IN BLOCKCHAINSYSTEMS.WEALSOSHOW, BYREFERENCINGTOTHEPRIORWORK, HOWEACH ATTACK AFFECTS THE ENTITIES INVOLVED WITH BLOCKCHAINSYSTEMS.FOR INSTANCE,ORPHANED BLOCKS AFFECT THE BLOCKCHAIN, THEMINERS, ANDTHEMININGPOOLS.

Attacks Blockchain Miners Mining Pools Exchanges Application Users Forks [26] Blockchain Structure X Orphaned blocks [27] X X X DNS hijacks [28] X X X X BGP hijacks [29] X X X Eclipse attack [30] X X Majority attack [31] X X X Peer-to-Peer System Selfish mining [32] X X X DDoS attacks [33] X X X Consensus Delay [34] X X X Block Withholding [34] X X Timejacking attacks [35] X X X Finney attacks [36] X X X Blockchain Ingestion [37] X Wallet theft [38] X X X Double-spending [39] X X Cryptojacking [40] X X Smart contract DoS [41] Blockchain Application X X X ≈ Reentracy attacks [42] X X ≈ Overflow attacks [42] X X ≈ Replay attacks [41] X X X X ≈ Short address attacks [42] X ≈ Balance attacks [41] X X to an in-depth look at the attack surface of Blockchain. compromise the system [57]. Therefore, while the public Blockchains are useful for an open access system, they are not We envision that Blockchain will be used in many appli- suitable for closed environments where the weak trust model cations, and we report on the attacks that could compromise creates attack opportunities. those applications. Namely, the taxonomy of Blockchain at- tacks in this paper is classified into three broad categories: 1) To address the shortcomings of public Blockchains and attacks associated with the mathematical techniques used for reduce the attack opportunities, private and permissioned creating the ledger (e.g., Blockchain forks, stale blocks, or- Blockchains are now used for various applications [58]. In pri- phaned blocks, etc.), 2) attacks associated with the peer-to-peer vate Blockchains, the access to system resources is restricted to architecture used in the Blockchain system, (e.g., selfish min- a chosen set of peers [59], [60]. These peers are screened prior ing, the 51% attack, consensus delay, DDoS attack, Domain to their induction in the application. Since the information Name System (DNS) attacks, After Withholding (FAW) about peers is known, their identities can be tied (or attributed) Attacks, etc.), and 3) attacks associated with the application to their behavior in order to prevent attacks. Although private context that uses the Blockchain technology (e.g., Blockchain Blockchains still act as agents of trust in permissioned settings, ingestion, double-spending, wallet theft [56], etc.). In this they are not significantly exposed to adversarial attacks due to paper, we mainly focus on the attack surface of public and a stronger trust model. Since the aim of this work is to explore permissionless Blockchains. Public Blockchains are suitable and understand the attack surface of Blockchains, it is natural for applications that provide open access to system resources to focus more on the public Blockchains. However, wherever while preserving user anonymity. These attributes are well necessary, we will also discuss the security and performance suited for a system that has a weak trust model and high of private Blockchains as well. provenance assurance requirements. The weak trust model Contributions. In summary, we make the following contribu- results from an application’s tolerance for adversaries who can tions int this paper. (1) We survey the possible attacks related game the system while staying anonymous. On the other hand, to the design constructs of Blockchains, the peer-to-peer high provenance means that anyone can access the publicly architecture, and the application-oriented use of Blockchains. available resources to transparently audit data. For instance, (2) We explore the origins of these attacks and the ways in in Bitcoin and Ethereum, any user can join the network by which they affect Blockchain applications and their users. running an Ethereum software client on their machine and (3) We also show the relationship between a sequence of participating in transaction processing. Since the Blockchain is attacks to outline how one attack can facilitate the possibility public, anyone outside the system can validate the authenticity of other attacks. Understanding these links can help devise a of transactions and blocks. Therefore, public Blockchains common cure that can fix multiple problems at the same time. remain a dominant component among Blockchain applications (4) Building on top of the prior work [45], [57], [61], for each as shown by the popularity of Bitcoin and Ethereum. On the attack class, we also explore the possible defense strategies other hand, the weak trust model exposes public Blockchains that have been proposed to harden the security of Blockchains. to a wide variety of attacks, allowing adversaries to easily Since many attacks related to a specific class have a common 3

TABLE II IMPLICATIONS OF EACH ATTACK ON THE BLOCKCHAINSYSTEMINTHELIGHTOFTHEPRIORWORK.FOR INSTANCE, FORKSCANLEADTOCHAIN SPLITTINGANDREVENUELOSS.AS A RESULT OF A FORK, ONEAMONGTHECANDIDATECHAINSISSELECTEDBYTHENETWORKWHILETHEOTHERS ARE INVALIDATED.THISLEADSTOINVALIDATIONOFTRANSACTIONANDREVENUELOSSTOMINERS.

Attacks Chain Splitting Revenue Loss Partitioning Malicious Mining Delay Info Loss Theft Blockchain Forks [26] X X Splitting Orphaned Blocks [27] X DNS hijacks [28] X X X BGP hijacks [29] X X X Eclipse attacks [30] X Majority attacks [31] P2P X X X System Selfish mining [32] X X DDoS attacks [33] X X Consensus Delay [34] X X Block Withholding [34] X X Timejacking attacks [35] X X X X Finney attacks [36] X Blockchain Ingestion [37] X Wallet theft [38] X X Double-spending [39] Cryptojacking [40] X X X Blockchain Smart contract DoS [41] X X X Application ≈ Reentracy attacks [42] X X ≈ Overflow attacks [42] X ≈ Replay attacks [41] X X ≈ Short address attacks [42] X X ≈ Balance attacks [41] X X defense or remedy, while others remain as open problems, we particularly related to security, as evident by the large security discuss combined countermeasures for each class. Moreover, surface. To that end, our work is an effort to highlight potential by highlighting the lessons learned, we also provide future vulnerabilities in Blockchains, with an emphasis on popular research directions towards a more systematic treatment of public Blockchain applications. We systematically analyze the Blockchain attack surface. (5) In Table I and Table II, various attack vectors and study their relationships. Alongside, we provide an overview of the Blockchain attack surface. We we also survey countermeasures and defenses to the various ascribe various attacks to attack classes with their implications. attack surface elements, and provide future research directions. Organization. The rest of the paper is organized as follows. Since various research and technology sections are in- In section II, we provide the motivation of this work. In sec- terested in using Blockchains, it is intuitive to explore a tion III, we give an overview of Blockchain its operations. deeper understanding of Blockchains’ attack surface to estab- In section IV, we review the design constructs of Blockchain lish foundations for their security. For instance, using public that enable various attacks, such as Blockchain forks, stale Blockchains in the financial sector may prevent fraud and and orphaned blocks. In section V, we look into the features data tampering, by the simply utilizing Blockains’ proper- of distributed networks that create possibilities for the 51% ties, although that also may expose sensitive information of attack, DNS attacks, DDoS attacks, consensus delays, etc. We financial transactions to adversaries. Similarly, organizations further describe the aspects of peer-to-peer architecture that that are exploring Blockchain-based smart systems [34], [67], enable the possibility of their potential misuse in Blockchain while might benefit immensely in addressing functional re- applications. In section VI, we outline the application-specific quirements, need to be aware of the programming languages’ vulnerabilities found in Blockchain and assess the threats that constraints and shortcomings, as well as compilation bugs they face. That is followed by discussion and open directions that may lead to data breach and critical assets loss. For this in section VIII, and the concluding remarks in section IX. research-driven efforts, we believe our work has the potential to offer future directions toward designing more secure and robust Blockchain solutions that may overcome some of those II.MOTIVATION AND TARGET AUDIENCE challenges as outlined in the rest of this survey. Some of these The motivation of this work is to derive attention to- challenges include constructing new consensus algorithms that wards the security vulnerabilities of Blockchain systems via are secure, scalable, and energy efficient [68]. Additionally, a systematic and comprehensive study. Recently, Blockchain they must also have the capability to prevent race conditions technology has gained significant attention and its applications that lead to attacks such as selfish mining, double-spending, are being explored in various domains [62], [63]. Blockchains majority attacks, and orphaned blocks [69], [70]. To facilitate are capable of augmenting trust and provide provenance in dis- the process of addressing those challenges, we supplement our tributed systems. While acknowledging their merits [64]–[66], work by surveying the existing countermeasures proposed in we argue that it is important to understand their shortcomings, the literature. These countermeasures can be used as building 4

Memory Pool Miner Validates Selected Transactions Block Hash Memory Pool 3. Computes Block. (Transaction 2 Not Selected) Previous Block Hash Transaction 1 Merkel Root Transaction 2 Transaction 2 Number of Transactions Transaction 3 4. Block Added Transaction 4 Transaction 4 2. Reward State of Memory Added to the 5. Transaction 1 Pool After Block 5 Memory Pool Transaction 3 Miner Transaction 4 Transaction 4 1. B1 B2 B3 B4 B5 Generated User A User B Blockchain Block 5 (B5)

Fig. 1. Transaction life-cycle in a PoW-based cryptocurrency. User A generates a transaction for user B. The transaction is stored in the memory pool along with other unconfirmed transactions. Miner validates transactions from memory pool, and computes a block. A valid block is added to the Blockchain. blocks for more secure and robust solutions. Byzantine fault tolerance (PBFT) [71]–[75]. The most popular In summary, the target audience of this work include both consensus algorithm widely used in Blockchains is PoW, academics, who are interested in understanding the attack followed by PoS and PBFT. We discuss them in the following. landscape of Blockchains, as well as practitioners, who might Proof-of-Work. In PoW Blockchains, peers in the network try be interested in understanding the existing solutions to those to solve a computationally expensive mathematical challenge. attacks, to utilize as building blocks, and both benefiting from For instance, the challenge in Bitcoin is to come up with a systematic analysis of the Blockchain attack surface. a nonce that when hashed with block data produces a hash value that is less than a target threshold set by the system. III.OVERVIEW OF BLOCKCHAINANDITS OPERATIONS All peers in the system use their computational power to Conceptually, Blockchain can be viewed as a repository of solve the mathematical challenge. The peer who comes up data that is tamper-evident due to its replication over all nodes with the solution wins the block race and mines a new block. in a peer-to-peer system. Transactions represent the events Once a block is broadcast to the network, each peer verifies that drive the Blockchain application (e.g., in cryptocurren- the solution and appends the block to his Blockchain. The cies, tokens are the transactions exchanged among the users). probability of winning a block race is proportional to the Blockchain applications use various consensus algorithms for computational power of participants. At the same time, there trust among peers over the state of the ledger. Moreover, the is a time restriction on the block mining [76], [77]. In Bitcoin, consensus algorithms ensure a consistent and transparent view the block time is set to 10 minutes. In other words, the network of the Blockchain, thereby resolving conflicts and forks. This expects a new solution to the block puzzle after every 10 is, no block is added to the Blockchain, until it fulfills the con- minutes. However, as the computational power increases, the ditions outlined by the consensus algorithm. Moreover, each chance of discovering a new block under 10 minutes increases. algorithm has unique functional and operational properties that To address that, the network dynamically adjusts the difficulty drive the consensus over the Blockchain. of the challenge according to the change in the computational While the consensus algorithms in Blockchains may vary, power of the miners. Oftentimes, more than one miner can however, the Blockchain data structure and its network archi- come up with a valid solution leading to Blockchain forks and tecture remain consistent across all applications. For instance, stale and orphaned blocks, which we discuss in section IV. in the two popular Blockchain applications, namely Bitcoin In Figure 1, we illustrate the transaction life-cycle in a and , the consensus algorithms are proof-of-work and proof-of-work (PoW)-based Blockchain application. User A proof-of-stake, respectively. Although they different in the way (sender) generates a transaction for user B (receiver). The the consensus is conducted, the two applications have the transaction is broadcast to the entire peer-to-peer network same Blockchain data structure in which the chain progresses where it is temporarily stored in a transaction repository in an append-only model and each block is linked to the known as the memory pool (mempool). In a peer-to-peer previous block through a one-way hash function. In both network, the mempool is a space allocated in the RAM of cryptocurrencies, the system replicas are connected in a peer- a full node that stores and relays transactions to other peers. to-peer model, maintaining a single copy of the ledger. In the To maintain the state of the Blockchain, there are special nodes following, we briefly discuss the popular consensus algorithms in the network known as the miners or verifiers, responsible along with the fundamental cryptographic primitives that are for verifying transactions and computing a block. The miners used in Blockchains. query the mempool and select the transactions of their choice to put into blocks. Usually transactions pay a mining fee which A. Consensus Algorithms can be viewed as an incentive given to the miners to mine the Some of the notable consensus algorithms used in transaction. Naturally, miners give priority to the transactions Blockchains include proof-of-work (PoW), proof-of-stake that pay higher mining fee. Transactions that are not selected (PoS), proof-of-activity (PoA), proof-of-capacity (PoC), proof- by the miners, stay in the mempool until some other miner of-burn (PoB), proof-of-knowledge (PoK), and the practical selects them for a new block. Transactions that do not get 5

Request Pre-Prepare Prepare Commit Reply Client H( )

prev: H( ) prev: H( ) prev: H( ) Primary

Transactions Transactions Transactions Replica

Replica Fig. 3. Cryptographic constructs of blocks in a Blockchain. Notice that the Replica entire hash of the previous block goes into the header of the next block. Therefore, if an attacker makes changes in the data of a block, he will be Fig. 2. Overview of PBFT protocol. The client issues a transaction to the required to change data in all subsequent blocks and correctly execute the primary replica. The primary replica then forwards it to other replicas who consensus protocol for each block. Since this is infeasible in practice, therefore jointly execute a four-phased protocol and approve the transaction. Assuming Blockchains are considered tamper-proof. f faulty replicas, the primary would require confirmation from at least 3f +1 replicas. PBFT is employed in permissioned and private blockchains. throughput and and low confirmation time. In terms of security, PBFT has low fault tolerance (≈ 33%) compared to PoW and mined for a long time, eventually get discarded. PoS (≈ 50%). However, since permissioned Blockchains have Proof-of-Stake. The second most popular consensus algorithm a stronger trust model, therefore, they are less vulnerable to in public Blockchains is proof-of-stake (PoS) [78], [79]. PoS adversarial attacks. It can also be observed in Table III, public was introduced to address the energy inefficiency of PoW. In Blockchains are more scalable than private Blockchains [83], PoS, the mining power of a user is determined by the total [84]. This can be attributed to the message complexity in- number of coins he owns. For each new block, an auction is volved in the transaction verification and the tolerance for carried out to select the candidate miner. Users place a bid Byzantine nodes. Since PBFT has high message complexity on the block and the one with the highest bid is selected as and low Byzantine fault tolerance, therefore, it cannot scale a miner. Therefore, in contrast to PoW, the hashing power well beyond few hundred nodes. Therefore, each consensus is replaced by the volume of assets owned by the user. The scheme has its own benefits and limitations. Therefore, de- more coins a users owns, the higher his chances of winning the pending upon the application model, a consensus scheme can block race. The replace of energy intensive mining with stake- be selected to meet the requirements. based mining, makes PoS energy efficient and secure against the majority attacks (section V-B). Unlike PoW, in PoS, all B. Blockchain Structure the cryptocurrency tokens are released prior to creation of the While the consensus schemes in Blockchains may vary, genesis block [80]. Therefore, when a new block is mined, it the cryptographic constructs of Blockchain are fundamentally does not introduce new coins in the system. However, miners the same across all applications [85], [86]. Each block in a are rewarded with transaction fee for their contributions. Blockchain consists of a header and a payload. The header PBFT. The third most popular Blockchain consensus protocol includes the primary information, such as the hash of the is called the practical byzantine fault tolerance (PBFT) [81], previous block, the merkle root, and the block timestamp. The [82] protocol. PBFT is widely used in private and permis- hash pointer connects each block to the previous block, thereby sioned Blockchains, where the network has a stronger trust forming a chain. Since hash functions are one-way and are model compared to PoS and PoW. In PBFT Blockchains, the collision resistant, Blockchain benefits from their properties to system is transposed into a group of active and passive repli- become immutable and tamper-proof [87], [88]. In Figure 3, cas. Among the active replicas, a primary replica is selected we illustrate this model of Blockchain, where blocks are linked who receives transactions from a client and sends them to through hash functions. the active replicas for execution. The process of execution In a Blockchain application, all nodes are connected in a is carried out in four stages, namely, pre-prepare, prepare, peer-to-peer architecture. This means that they use the gossip commit, and reply stage. In the pre-prepare phase, primary protocol to communicate information, including transactions sends transactions to all the active replicas. In the prepare and and blocks. Ideally, each peer is expected to maintain a copy commit phase, each active replica signs the transaction and of Blockchain. However, due to the append-only model, the exchange it with all the other replicas. In the reply stage, all growing size of Blockchain can put space constraint at the the active replicas send their response to the primary replica. node. To address that, various Blockchain applications allow The primary collects all the signed transactions and puts them the segmentation of nodes into full nodes and lightweight in a block. In Figure 2, we show the transaction verification nodes. The full nodes maintain a complete copy of Blockchain process in a PBFT Blockchain. Notice that compared to PoW and participate in transaction and block propagation. On the and PoS, PBFT has a higher message complexity. other hand, the lightweight nodes only keep the block header In Table III, we compare the popular consensus algorithms for the verification of a newly published block. used in the Blockchain applications. Notice that permissionless As stated earlier, several attacks on Blockchain technology Blockchains have low throughput and high confirmation time. are related to the constructs of the Blockchain itself, the Bitcoin has transaction throughput of 3–7 transactions per behavior of certain miners, and the peer-to-peer architecture second. In contrast, permissioned Blockchains have a high it is built upon. In the subsequent sections, we explore the 6

TABLE III ANOVERVIEWOFPOPULARCONSENSUSALGORITHMSUSEDIN BLOCKCHAINS.NOTICETHATPUBLICANDPERMISSIONED BLOCKCHAINSUSING POW, POS, AND DPOS HAVE HIGH SCALABILITY, LOWTHROUGHPUT, AND HIGH CONFIRMATION TIMES.INCONTRAST, PERMISSIONED BLOCKCHAINSUSING PBFT AND RAFT HAVE LOW SCALABILITY, LOW CONFIRMATION TIME, ANDHIGHTHROUGHPUT.

Properties PoW PoS DPoS PBFT RAFT Blockchain Type Permisssionless Permissionless Permissionless Permissioned Permissioned Participation Cost Yes Yes Yes No No Trust Model Untrusted Untrusted Untrusted Semi-trusted Semi-trusted Scalability High High High Low Low Throughput <10 <1,000 <1,000 <10,000 >10,000 Byzantine Fault Tolerance 50% 50% 50% 33% – Crash Fault Tolerance 50% 50% 50% 33% 50% Confirmation Time >100s <100s <100s <10s <10s

Old Old Old Old Old parent Bitcoin, with new rules and regulations. Therefore, Version Rules Rules ForkRules Rules forks can also be created to launch a new application.

New New New New New Version Rules Rules Rules Rules TIMELINE 1: Major Bitcoin Forks

Fig. 4. Hard Fork resulting from set of peers following conflicting rules due Jan 3, 2009 Bitcoin genesis block established to different client software versions. Hard forks can be irreversible at times and may lead to a permanent split in the Blockchain application. Dec 27, 2014 Bitcoin XT forked on Bitcoin Core

Jan 15, 2016 launched possible attacks associated with the Blockchain structure, attacks associated with the peer-to-peer architecture used in Feb 10, 2016 Bitcoin Classic forked on Bitcoin the Blockchain system, and attacks associated with the appli- Core cation services that use Blockchain technology (i.e., Bitcoin Aug 1, 2017 launched or Ethereum). We also supplement each section with possible Aug 23, 2017 Segregated Witness (Segwit) fork countermeasures that have been proposed by researchers to address those attacks. Nov 1, 2017 Bitcoin Gold launched

Nov 15, 2017 Segwit2x fork IV. BLOCKCHAIN STRUCTURE ATTACKS In this section, we look at the attacks related to the design Nov 28, 2017 Protest fork constructs of the Blockchain. These attacks emerge from the potential vulnerabilities of the Blockchain structures and as Intentional forks can either be soft or hard, the latter of such, they can compromise any Blockchain-based application. which occurs when new blocks that the network accepts appear invalid to pre-fork nodes. Soft forks, however, occur when some blocks appear invalid to post-fork nodes. In either case, A. Blockchain Forks a Blockchain fork represents an inconsistent state that can A fork represents a condition in which nodes in the network be exploited by adversaries to cause confusion, fraudulent have diverging views about that state of the Blockchain persist- transactions, and distrust within network [89]. ing over long periods of time or even indefinitely. These forks Figure 4 demonstrates a hard fork example that results from can be created unintentionally through protocol malfunctions peers following conflicting rules about the state of Blockchain. or incompatibilities in client software upgrades. Forks can Such hard forks may lead to a split in cryptocurrency. A also be caused by malicious intents such as implanting “Sybil major hard fork on Bitcoin occurred during August 2017, nodes” that follow conflicting validation rules or by carrying which led to the creation of Bitcoin Cash [90]. Another hard out “selfish mining” in race conditions as discussed further fork on Bitcoin occurred during October 2017, when Bitcoin in section V-A. Another form of fork occurs when users of Gold [91] was created. Some other notable forks in Bitcoin a Blockchain application create a child application from the include Bitcoin Classic, Bitcoin XT, and Bitcoin Unlimited. parent application. For example, in 2017, a group of Bitcoin However, due to insufficient user-base and miners, they could developers decided to increase the block size limit from 1MB not succeed as a separate cryptocurrency. to 8MB by developing a new Bitcoin client that was capable When hackers stole more than one third of the total digital of accepting 8MB blocks. However, their proposal was not cash owned by “The DAO” [48], Ethereum used a hard fork accepted by the majority of users, therefore, they created a to roll back transactions and retrieve millions of dollars’ worth hard fork on Bitcoin and released a new cryptocurrency called of ether (the “fuel” for the Ethereum network). However, this Bitcoin Cash. Bitcoin Cash was the child application of the required consensus by the majority of nodes in the network. 7

In such a scenario, if a consensus delay happens due to a Block 4 Block 5 majority attack or a DDoS event, fraudulent activities become somewhat difficult to deal with and prolonged delays can ultimately cause devaluation of cryptocurrency. In November Block 1 Block 2 Block 3 2017, the second version of Segregated Witness (SegWit2x) hard fork was proposed in Bitcoin, which aimed to increase the block size to 2MB. However, due to lack of consensus by Block 2 the majority, the planned hard fork was canceled. In Timeline 1, we provide a list of major forks on Bitcoin. These forks Fig. 5. Stale vs. orphaned blocks. Note that the stale block (block 2, bottom, resulted from a group of miners introducing new rules and and block 4) are valid but they are not part of the Blockchain. Orphaned a faction of peers switching to those rules. All these forks block (block 5) does not have its parent block (block 4) in the Blockchain. introduced a new version of Bitcoin. This is, we note that a fork may diminish if peers discontinue to follow the new rules and switch back to the old ones. For instance, this has been In cryptocurrencies such as Ethereum and Bitcoin, the witnessed in SegWit fork. Initially, a faction of network peers difficulty is a measure of how long it takes to compute a block, switched to SegWit version of Bitcoin, however, when they which is defined by a target value set by the network [94]. moved back to the old version in a protest, the fork ended. Based on the hashing power, the target is adjusted to keep block time under a predefined range (10 minutes for Bitcoin B. Stale Blocks and Orphaned Blocks and 12 seconds for Ethereum). The difficulty is recomputed based on the hashing power and the time taken by a series of Two forms of inconsistencies can occur with the consensus previous blocks: if hashing power increases, the probability of process that can leave valid blocks out of the Blockchain. finding a block under the expected time increases. The first form is a “stale block”, which is a block that was To adjust the probability, the difficulty is raised by increas- successfully mined but is not accepted in the current best ing the target value. In (1), we show how the expected time to Blockchain (i.e., the most-difficult-to-recreate chain). Stale compute a block E(T ) varies with the difficulty D and hash blocks occur mostly in the public Blockchains due to race rate of the network H . Here, E(T ) is measured in seconds, conditions. In race conditions, the miners actively try to find r D is the number of hashes required to solve the current target, the next block, and it is possible that two or more miners can and H is measured in hashes/second, that a target device can come up with a valid solution. The network eventually accepts r produce over a given string. H is the aggregate hashing power one of the winning blocks and discards the rest. As a result, r of all the miners H for i = 1, 2, . . . , n. In (2), we calculate the all other valid blocks unaccepted become stale blocks as i the time T (seconds), it takes for a single miner in H to they do not get attached to the main Blockchain. We will see b i compute a block, given a fixed block time set by the network in section V-A that a form of Blockchain attack known as T . For Bitcoin and Ethereum, the average block computation “selfish mining” can also lead to the creation of stale blocks n time T is 600 seconds and 12 seconds, respectively. in the network, which deprives an honest miner of its reward. n The other form of inconsistency is an “orphaned block”: a n block whose parent block’s hash field points to an unauthen- X D H = H ,E(T ) = (1) tic block that is detached from the Blockchain [92]. These r i H i=1 r inconsistencies can be introduced by an attacker or caused by Pn Tn × Hr Tn × i=1 Hi race conditions in the work of the miners. Stale blocks may Tb = Tb = (2) be initially accepted by the majority of the network, but they Hi Hi can be rejected later when proof of a longer Blockchain (i.e., From (1), it can be observed that when Hr remains constant the current best) is received that does not include that block. and the difficulty D is reduced, the expected block time E(T ) Figure 5 demonstrates a chain where stale and orphaned decreases. Intuitively, lower E(T ) means that in a defined blocks can be found. The first orphaned block in Bitcoin was network time Tn, more blocks will be produced. However, found on March 18, 2015, and that was the beginning of a in the Blockchain, only one block can be accepted. Such a period in which most orphaned blocks were created. The trend situation will lead to more orphaned blocks in the system. reduced in 2016, and from June 2017 to the date of this paper, In Figure 7, we plot difficulty, hash rate, block time and no orphaned block has been added to the list [93]. Orphaned orphaned blocks (also called uncle blocks) in Ethereum. It blocks are more frequently found in cryptocurrencies where can be noted in 7(f) that as the expected block time (from (2)) average block computation time is small. In Figure 6, we decreases, the number of orphaned and uncle blocks increases. plot the number of orphaned blocks that occurred in Bitcoin In Ethereum, this trend is high due to short block intervals and Ethereum from July 2016 to May 2018. In Ethereum, the which increase the possibility of block collision. Orphaned orphaned blocks are called Uncle blocks. The data in the figure blocks may also occur due to unpredictable delays in block has been normalized using min-max normalization to scale the propagation. A valid block may not reach majority of the data in the range [0, 1]. The min-max scaling is conducted as network peers due to network churns and propagation delays. xi−min(x) z = max(x)−min(x) . It can be observed from the figure that as In contrast, a competing block is able to easily propagate of June 2017, no orphaned block has been found in Bitcoin. through the network and get accepted by the majority. There- On the other hand, in Ethereum, Uncle blocks have increased fore, network behavior and delay distribution may also affect since November 2017. the number of orphaned blocks in a Blockchain system [92]. 8

and Ethereum use 71.12 Terawatt-hours and 4.2 Terawatt- 1 Orphaned Blocks hours (TWh) of electricity per-year, respectively, to find hashes 0.8 Expected Time required for valid PoW [97]–[99]. In Figure 8, we show the electricity consumption of Bitcoin compared to several 0.6 countries. Other than the excessive consumption of electricity, centralization of hashing rate among a few mining pools makes 0.4 the Blockchain application vulnerable to attacks including the majority attacks and double-spending (discussed in sec- 0.2 tion V-B and section VI-B), whereby if a miner acquires the Normalized Value 0 majority of a network’s hash rate, the miner will be able to gain control over the system. 2) PoS: (PoS) was introduced by King and Nadal in 2012 07/01/1609/01/1611/01/1601/01/1703/01/1705/01/17 [100] to make Blockchain applications more energy-efficient and raise the cost of a majority attack. Unlike PoW, which is Dates (mm/dd/yy) lottery-based, PoS uses a stake-based deterministic approach to select a validator and to publish a new block [101]. In Fig. 6. Orphaned Blocks in Bitcoin and Uncle blocks in Ethereum over the last two years. Notice that in Bitcoin, the rate of orphaned blocks has reduced. this approach, the validator is chosen by a bidding process, whereby candidate validators make a bid of their stake. The stake is the balance owned by the candidate validator and is TABLE IV used to deter cheating in the system. The candidate with the EVOLUTIONOFMININGHARDWARE.SINCE 2014, ONLY ASIC CHIPS, highest bid is chosen to mine the next block and if he tries WITHUPGRADEDVERSIONS, AREBEINGUSEDFORMINING. to trick the system with bogus transactions he risks losing his Hash Rate committed stake (balance). The process is deterministic since Type Model Year (MH/s) a validator is chosen prior to each bidding process. Therefore, CPU Xeon E5530 7.14 2009 blocks are published on their expected time without time GPU Radeon 5890 245 2010 deviations or delays. Moreover, to launch a majority attack on a PoS-based cryptocurrency, the attacker is required to acquire GPU Radeon 6990 800 2011 more than 50% of the cryptocurrency tokens [102]. While it is FPGA Xilinx Spartan 245 2012 relatively easier to acquire 50% hash rate in PoW, it is difficult FPGA Xilinx Spartan 850 2012 to obtain 50% coin. Therefore, compared to PoW, the cost for ASIC ASIC 130nm 12K 2013 launching a majority attack in PoS application is relatively ASIC ASIC 28nm 500k 2014 high, which makes the attack less feasible. ASIC ASIC 20nm 750k 2014 Although PoS serves as a “green” mining alternative of PoW and raises the attack cost for the majority attacks, it has some major caveats that have prevented its widespread adoption by C. Vulnerabilities in Consensus Mechanism the Blockchain community. In PoS, a rich validator may keep 1) Proof-of-Work: The most widely used consensus proto- on winning the bid for the next block to be validated, and col in cryptocurrencies is proof-of-work (PoW) which serves accumulate the block reward. As such, the rich validators in as an evidence for the effort put behind the computation of a the system gets richer for block confirmation, which makes valid block. As outlined in (1), the effort for computation of a PoS applications centralized around those validators. This block can be characterized as the number of hashes required challenges the fundamental premise of Blockchain technology to meet the difficulty parameter D set by the network. As as a decentralized system [103]. Moreover, unlike PoW, in which miners with limited resources may still have a chance the aggregate hash power of the network Hr increases, the of winning the lottery, small bidders in PoS are certain to lose difficulty is raised to keep the standard block time Tn within a defined range (10 minutes for Bitcoin). the bid for each coming block. In 7(a) and 7(d), we show the increase in difficulty and 3) PBFT: As pointed out in section III-B, in PBFT-based the aggregate hash rate of Bitcoin and Ethereum, respectively. private Blockchains, the system is grouped into a set of Since mining in PoW is a lottery-based system, miners use replicas that process transactions and contribute towards the sophisticated hardware with high hash rate to increase their block formation [71], [104]. The primary replica is responsible chances of winning the lottery. Among all PoW-based cryp- for ordering transactions and obtaining approvals from other tocurrencies, Bitcoin has the maximum hash rate. In particular, replicas. Once sufficient approvals are received, the primary and since 2010, miners in Bitcoin have switched from Central computes a block and broadcasts it to the network. PBFT Processing Unit (CPU), to graphics processing unit (GPUs) in is considered to be energy efficient with high transaction 2011, to Field Programmable Gate Array (FPGA) in 2012–13, throughput. However, it works under the assumption that the and finally to Application Specific Integrated Circuit (ASIC) primary replica faithfully executes the protocol and does not chips since 2014 to date [95]. We show this evolution of tamper with the ordering of transactions and blocks. This Bitcoin hardware, along with the hash rate, in Table IV. assumption may lead to a vulnerabilities in the permissioned One of the major problems with PoW is the excessive waste Blockchains. If the primary replica is compromised it may: of energy to find a valid solution [96]. At present, Bitcoin 1) discard the approvals obtained from other replicas and 9

1 1 1 Hash Rate Actual Time Bitcoin 0.8 Difficulty 0.8 Expected Time 0.8 Ethereum 0.6 0.6 0.6 0.4 0.4 0.4 0.2 0.2 0.2 Normalized Value Normalized Value Normalized Value 0 0 0

07/01/1609/01/1611/01/1601/01/1703/01/1705/01/17 07/01/1609/01/1611/01/1601/01/1703/01/1705/01/17 07/01/1609/01/1611/01/1601/01/1703/01/1705/01/1707/01/1709/01/1711/01/1701/01/1803/01/1805/01/18 Dates (mm/dd/yy) Dates (mm/dd/yy) Dates (mm/dd/yy) (a) Change in difficulty and hash rate of Bitcoin (b) Expected time E(T ) calculated from (2) (c) Orphaned Blocks per day plotted against the network during 2016-17 plotted against the actual time expected block time.

1 1 1 Difficulty Actual Time Block Time 0.8 Hash Rate 0.8 Expected Time 0.8 Uncle Blocks 0.6 0.6 0.6 0.4 0.4 0.4 0.2 0.2 0.2 Normalized Value Normalized Value Normalized Value 0 0 0

10/01/1501/01/1604/01/1607/01/1610/01/1601/01/1704/01/1707/01/1710/01/1701/01/18 10/01/1501/01/1604/01/1607/01/1610/01/1601/01/1704/01/1707/01/1710/01/1701/01/18 10/01/1501/01/1604/01/1607/01/1610/01/1601/01/1704/01/1707/01/1710/01/1701/01/18 Dates (mm/dd/yy) Dates (mm/dd/yy) Dates (mm/dd/yy) (d) Change in difficulty and hash rate of (e) Expected time E(T ) calculated from (2) (f) Uncle Blocks per day plotted against the Ethereum network during 2015-18. plotted against the actual time expected block time.

Fig. 7. Effect of hash rate and difficulty on the rate of orphaned blocks in Bitcoin and uncle blocks in Ethereum. For Ethereum, notice that when the difficulty sharply decreases with constant hash rate around October 2017, the expected and the actual time of block computation decreases sharply. As a result, the number of Uncle blocks increases. The sharp decrease in the difficulty is associated to a byzantium fork that reduced block rewards per block.

80 Another key challenge in PBFT-based private Blockchains is 71.2 71.7 72 their limited scalability and low tolerance to Byzantine nodes. 70 67.3 2 62.1 Low scalability results from the O(n ) message complexity 60 59.4 associated with the processing of a single transaction, as shown 50 in Figure 2. In PBFT, transaction execution is carried out in

40 four phases, namely pre-prepare, prepare, commit, and reply. In the prepare and commit phase, each peer is required to send 30 message to every other peer in the network. In aggregate, this

TWh per year 20 leads to enormous communication overhead which cannot be

10 expected to work efficiently at a large scale. Therefore, when the network size grows, the performance of PBFT is degraded 0 significantly. This is the key reason why PBFT-based private Chile Blockchains suffer from low scalability. Bitcoin Austria Colombia Switzerland C-Republic Finally, another limitation of PBFT-based private Blockchains is their low fault tolerance. Each transaction Fig. 8. Energy Profile of Bitcoin and other countries. C-Republic refers to requires approval from 3f +1 replicas, where f is the number Czech Republic. Note that Bitcoin’s consumption is compare able to countries. of faulty replicas or Byzantine nodes. In comparison with PoW and PoS, where the network can withstand up to 50% malicious entities, PBFT can only tolerate 33% malicious prematurely abort the execution, replicas. Provided that PBFT already suffers from low 2) rearrange the sequence of transactions to delay the veri- scalability, a lower fault tolerance increases the opportunity fication process and block generation, for an adversary to place malicious replicas in the network. 3) withhold transactions or blocks from other replicas, Currently, Bitcoin has over 10,000 active full nodes [105]. and/or This means that it can tolerate up to 5,000 faulty nodes. The 4) invalidate transactions even after obtaining approvals. cost of compromising 5,000 nodes is high, and the attack As such, private Blockchains always are subjected to the risk is therefore infeasible. However, in a PBFT-based private of a malicious primary who may compromise the system. Blockchain that consists of a 100 nodes, an attacker can However, since the identity of the primary is usually known succeed only by controlling 33 nodes. Low fault tolerance is to everyone, malicious activities of a primary can be tracked a major challenge in PBFT-based Blockchain applications. back, eventually. Considering the features and shortcomings of existing con- 10 sensus algorithms, there is a need for new consensus mecha- bn+1 nisms that are secure, scalable, and energy efficient. Currently, Mh this remains an active research area, with some notable recent progress made in this direction [106]–[108]. b1 b2 bn Ms

D. Countering Blockchain Structure Attacks bn+1 bn+2 bn+3 Resolving soft forks in a Blockchain network is a relatively easy process. All peers in the network can come to a consensus Fig. 9. Illustration of Selfish Mining. Selfish behavior of Ms forks the chain about the true state of the Blockchain and resume activities at bn+1 and discards Mh’s block. Mh’s block becomes a stale block. from there. Resolving hard forks can be challenging because conflicting chains can be lengthy with transaction activities dating back to the time of the conflict. Although the stakes of releasing them to the public upon discovery, these selfish rolling back from a hard fork are high, they can be resolved miners continue to mine their own private blocks to obtain a by the same principle of consensus as discussed earlier. As longer chain than the public Blockchain. These activities lead was the case with Ethereum, a hard fork was used to retrieve to a block race between the public chain of honest miners and money for the investors after “The DAO” was attacked [48]. the private chain of selfish miners. Once the public Blockchain Ultimately, the process of solving a fork depends upon the starts approaching the length of their private chain, selfish agreement of peers in the network and their stake in the fork. miners release their blocks to claim block rewards. Having In Ethereum, uncle blocks are also rewarded and made exceptional mining power may further help selfish miners win part of the Blockchain. Recently, the number of orphaned the block race. In Figure 9, we demonstrate how a selfish blocks in Bitcoin has decreased due to the shift towards mining attack is carried out. highly centralized mining networks and thus reducing the Consider a Blockchain with blocks (b1, b2, . . . , bn). Suppose probability of orphaned blocks prevalent in decentralized min- an honest miner Mh has successfully mined the next block ing networks. However centralized mining has other issues bn+1 and he publishes it. All the peers in the network validate such as unfairness in the network and the 51% attack. The and accept his block. At the same time, a selfish miner Ms other solution to avoid stale or orphaned blocks involves also computes the block bn+1. Instead of publishing his block, dynamic adjustment of network’s difficulty [109]. In Bitcoin, Ms chooses to withhold it and successfully mines two more the difficulty is adjusted every two weeks (2016 blocks). In blocks bn+2 and bn+3. Despite Mh ’s block being added to the meantime, if there is a sharp increase in the hash rate the Blockchain, we show that Mh can still be cheated while of the network or more miners join in, then the expected having a majority of network’s confidence in his block. Let the time of finding new block decreases (2). As a result, there hash value of Mh’s block bn+1 be lower than both the target is a higher likelihood of producing stale blocks. Therefore, a threshold and Ms’s block bn+1. If only these two blocks were dynamic difficulty adjustment helps in reducing the number of presented to the network, Mh’s block would be chosen (due stale and orphaned blocks. While there are effective techniques to its greater computational complexity) over Ms’s block and to counter forks and orphaned blocks, the area of consensus appended to the public Blockchain. remains open. Research efforts need to be dedicated to make However, after some time, Ms releases all of his blocks PoW more energy efficient, and PoS, more decentralized. bn+1 , bn+2, and bn+3 and forks the Blockchain at bn+1 In PBFT-based private blockchains, the key issue is limited . Due to the design protocols of Blockchain, the network scalability due to high message complexity. Moreover, PBFT will invariably shift to the longer chain belonging to Ms and has low fault tolerance which makes it vulnerable to attacks. discard the block bn+1 of Mh. The effort put forth by Mh In section V-H, we provide more details about making PBFT in computing his block will be wasted due to selfish behavior more scalable and secure. of Ms. The incentive in adopting this selfish mining strategy is maximizing block rewards by publishing a longer chain. V. BLOCKCHAIN’S PEER-TO-PEER SYSTEM It should be noted that excluding the Mh’s block bn+1 from the Blockchain does not destroy the block, rather it leads to The underlying peer-to-peer architecture is the primary another significant problem in the network known as “stale reason why certain guarantees are provided by a Blockchain, blocks” as shown in section IV-B. including security and accessibility. Counter intuitively, this Selfish mining attacks can produce undesirable results for peer-to-peer architecture that the Blockchain resides on ac- the rest of the network by invalidating the blocks of honest tually contributes to several attacks including selfish mining, miners who contribute to the Blockchain. Furthermore, all the the 51% attack, DNS attacks, distributed denial-of-service transactions in the honest miner’s block also get rejected. In attacks, eclipse attacks, fork after withholding attacks, and a situation where two selfish miners compete to add their consensus delay. In this section, we explore how these attacks chains to the network, the chances of a “Blockchain fork” can compromise the Blockchain applications. arise section IV-A. These forks can cause a delay of consensus in the network, which can further lead to other potential attacks A. Selfish Mining such as “double-spending” and “fork after withholding”, as The selfish mining attack [110] is a strategy opted by certain discussed in section VI-B. One selfish activity in the network miners who attempt to increase their rewards by deliberately has the potential to disrupt the overall network, and therefore keeping their blocks private [32], [111], [112]. Rather than it is imperative to study their relationship with one another. 11

B. The Majority Attack 1 x = 0.49 The majority attack also known as the 51% attack is well x = 0.45 known vulnerability in Blockchain-based applications that can 0.8 x = 0.40 be exploited when a single attacker, a group of Sybil nodes, x = 0.35 or a in the network attains the majority of 0.6 the network’s hash rate to manipulate the Blockchain. With majority of network’s hash rate, the attackers are able to 0.4 1) prevent transactions or blocks from being verified (thus making them invalid), 2) reverse transactions during the time 0.2 they are in control to allow double-spending, 4) fork the main Blockchain and split the network, and 3) prevent other Success Probability P(s) 0 miners (verifiers) from finding any blocks for a short period 0 2 4 6 8 10 12 14 of time. Under race conditions, the attackers with over 50% Number of blocks (k) hash rate are guaranteed to over take other miners and append their blocks in the Blockchain with high probability [52]. Fig. 10. Change in the success probability P (s) of majority attack with Also, these blocks can possibly have fraudulent or double- varying hashing power x and number of confirmations k. Notice that with spent transactions. For example, if an attacker performs a 0 confirmations, an attacker can always double-spend with any magnitude of hash power. In that case we describe the user to be optimistic. transaction in exchange for any product with Alice, it can replicate the same transaction with Bob and put it on the block. Transactions on Blockchains are not reversible, and TABLE V only one transaction can be considered valid. In the following, ATTACKCOSTREQUIREDTOLAUNCHTHE 51% ATTACK ON THE TOP SIX we elaborate the prospects of double-spending with majority BLOCKCHAIN-BASED CRYPTOCURRENCIES.HERE CAPDENOTESTHE MARKETCAPIN USD,ALGODENOTESTHEALGORITHMUSEDFOR attacks along with the mathematical primitives. BLOCKCONSENSUS, AND COST DENOTES THE ATTACK COST IN USD FOR 1) Caveats and realities: Mining pools do not always need LAUNCHINGTHE 51% ATTACK FOR ONE HOUR. 51% of the network’s hashing power to carry out the fraudulent SYSTEM CAP ALGO HASH RATE COST activities. As such, even with less hashing power, similar BITCOIN 112.7B SHA-256 35,604 PH/s 486K objectives can be achieved with a significant probability of ETHEREUM 49.5B Ethash 222 TH/s 347K success. To understand this issue, consider the scenario in B.CASH 14.9B SHA-256 5,023 PH/s 68K which a malicious mining pool with significant hash rate LITECOIN 5.7B 327 TH/s 60K carries out a transaction T x with a receiver. At the same 2.1B X11 2 PH/s 15K time, it generates a fraudulent double-spent transaction T y 2.3B CryptoNight 365 MH/s 17K from the same parent transaction to trick the receiver. The receiver, on the other hand, waits for k confirmations before releasing the product to the miner. The k confirmations mean cheating the receiver. that k subsequent blocks have been mined by the network after mining the transaction T x. During this process, the malicious 3) Applications and implications: A Blockchain-based ap- miner keeps mining blocks on his end with the double-spent plication for Internet of Things (IoT), known as “The Tangle” transaction T y and hopes to fork the Blockchain after he [113] can be theoretically compromised with one-third of the receives the product from the recipient. By forking the chain, hash power. Bahack et al. [114] show that the majority attacks the malicious miner will be able to invalidate the chain with are highly feasible with one quarter of the network’s hashing transaction T x, and will replace it with his own chain with power. There are online services such as Nicehash, that rent double-spent transaction T y. hashing power to miners on hourly basis [115]. A malicious mining pool can rent the computation power To launch a successful attack, the malicious miner needs for a few hours and launch the majority attack on the targeted to publish a longer chain with valid PoW so that the network cryptocurrency. Since major blockchain systems have a high switches to his forked version. Miner’s success depends on his aggregate hash rate, the renting cost to launch the 51% attack hash rate x as a fraction of the network’s hash rate and the on them is (naturally) high. In Table V, we outline the top number of confirmations k. To find the probability of success six Blockchain-based cryptocurrencies, and the cost required P (s) for the attacker, let x be the fraction of miner’s hashing to successfully launch the 51% attack, based on data obtained power and y be the fraction of remaining hashing power, where from “51crypto” [116]. We notice that Dash with a market x + y = 1 [110]. The success probability is: cap of 2.3 Billion USD can be compromised for one hour by ( 1 , if x > y spending only 17,000 USD (8 × 10−4% of the market cap). P (s) = x k 4) Case studies: A 51% attack is not beyond the realm of ( y ) , if x < y possibilities. In July 2014, a Bitcoin mining pool “GHash.IO” 2) Numerical results: In Figure 10, we show how P (s) acquired over 51% of the hash rate for one day [31], which changes with varying hash rate. Note that if the miner acquires raised many concerns in the press and media about Bitcoin half of the network’s hash rate, he can trick the recipient with and its vulnerabilities, and shed light on the general problem 100% success rate. Moreover, an attacker with hash rate less in Bitcoin-based systems. Although no malicious activity was than 50% can still succeed in forking the main chain and carried out, “GHash.IO” later shrunk in size when miners left 12

TABLE VI LOCATIONOFFULLNODESINTHREEMAJORCRYPTOCURRENCIES.– IN BITCOINREFERSTOTHENODESTHATUSE TOR SERVICES AND THEIR LOCATION CANNOT BE IDENTIFIED.

Bitcoin Ethereum Litecoin Rank Country Nodes Country Nodes Country Nodes 1 Unite States 2445 (24.98%) United States 6549 (37.99%) United States 79 (24.38%) 2 Germany 2445 (24.98%) China 2202 (12.77%) Russia 36 (11.12%) 3 China 675 (6.90%) Canada 1118 (6.49%) Germany 19 (6.49%) 4 France 663 (6.77%) Russia 846 (4.91%) China 17 (5.21%) 5 Netherlands 475 (4.85%) Germany 783 (4.54%) Netherlands 17 (5.21%) 6 Canada 369 (3.77%) United Kingdom 559 (3.24%) United Kingdom 16 (4.91%) 7 — 368 (3.76%) Netherlands 470 (2.73%) France 11 (3.42%) 8 United Kingdom 307 (3.14%) South Korea 429 (2.49%) Brazil 11 (3.42%) 9 Russia 296 (3.02%) France 399 (2.31%) Canada 11 (3.42%) 10 Japan 219 (2.24%) Japan 279 (1.62%) Hong Kong 11 (3.42%) its pool and eventually closed in October 2016. In August 2016, a group of attackers, known as “51 crew”, hijacked Attacker User two Ethereum Blockchains, namely Krypton and Shift, and managed to hijack 21,465 Kryptons worth of by double-spending. In May 2018, a group of malicious miners 2 3 2.2 4. acquired 51% hash rate in Bitcoin Gold and stole $18 million 1. . 2.2 2. USD worth of cryptocurrency [117]. In June 2018, four other Attacker poisons 2 User routed DNS cache to Attacker's notable Blockchain-based cryptocurrencies were also attacked; dig . se Network 2. sip ed namely Monacoin, Zencash, Verge, and Litecoin Cash. a.b.bi e. tc oin C. Network Attacks Bitcoin Attacker's Blockchain applications are decentralized and use peer-to- Network Network 22.22.22.2 peer network architecture as the medium of communication 33.33.33.3 between the network entities. In this section, we will look into the attacks associated with the peer-to-peer network and we will use as our example to provide details of Fig. 11. DNS resolution attack on Bitcoin. The attacker poisons DNS cache these attacks. The attacks associated to the Blockchain network and modifies the data. When a user queries the server to obtain IP addresses of peers who are accepting connections, he is routed to attacker’s network. include among others, the DNS attacks, spatial partitioning, The attacker can game the user by feeding him fake blocks and transactions. and Eclipse attacks. For each of these attacks, the goal of the attacker is to isolate users and miners from the real network, limit their access to the network resources, or create partition in the network and enforce conflicting rules among the peers. software client has a list of seeders that allow the network 1) DNS Attacks: When a node joins the Bitcoin network for discovery. If the attacker injects a fake list of seeders, the user the first time, it is not aware of the active peers in the network. will be compromised. As a result, the adversary can poten- To discover the active peers (identified by their IP addresses) tially isolate Blockchain peers and lead them to a counterfeit in the network, a bootstrapping mechanism is required. The network. In Figure 11, we illustrate how a DNS attack can be Domain Name System (DNS) can be used as a bootstrapping carried out by poisoning DNS cache. A node in Bitcoin net- mechanism, and DNS seeds are queried by nodes upon joining work has an IP address of 33.33.33.3 (for illustration purpose the network to obtain further information about other active only) while the attacker’s node in a counterfeit network has an peers. The initial DNS query returns one or more DNS A IP address 22.22.22.2. The attacker poisons the DNS cache to records along with their corresponding IP addresses of peers lure the user into the counterfeit network. The user makes the that are accepting incoming connections. Once the new node DNS query dig seed.bitcoin.sipa.be. and instead of responding establishes connections to the peers, it can send addr command with 33.33.33.3, the DNS resolver returns 22.22.22.2. As a with port numbers to establish connections with other peers. result, the user connects to malicious nodes in the counterfeit It has been mentioned in the developer’s guide of Bitcoin network and malicious nodes may feed false blocks to the user. systems [28] that the DNS opens a wide attack surface to For more on DNS security, we refer to the work in [118]. the Bitcoin networks in general. Namely, the DNS resolution 2) BGP hijacks and spatial partitioning: There are two is vulnerable to man-in-the-middle attacks (at the resolver types of nodes in most Blockchain applications, namely full side), cache poisoning, and stale records, among many others. nodes and lightweight nodes. Full nodes are the actual partici- For this attack, an adversary can either inject an invalid list pants in the network responsible for relaying blocks and trans- of seeder nodes in the open source Blockchain software, or actions and maintaining an updated copy of the Blockchain. poison DNS cache at the resolver. By default, the Blockchain Lightweight nodes do not maintain a Blockchain and only 13

TABLE VII 1 TOP 5 MININGPOOLSPERHASHRATE,ASES, AND ORGANIZATIONS. 65.7% OF MINING DATA GOES THROUGH ONLY THREE ORGANIZATIONS. ALIBABAALONEHASAVIEWOFATLEAST 60% OF THE MINING DATA. 0.8 WEEXCLUDETHEREMAINING 12 MININGPOOLSFROMTHESTUDYAS THEIR TOTAL CONTRIBUTION TO HASH RATE IS MINIMAL. 0.6 Organizations Mining Pool H. Rate % ASes ISP ASes AS37963 Alibaba BTC.com 25% 0.4 AS45102 AliBaba Antpool 12.4% AS45102 AliBaba CDF of Full Nodes 0.2 ViaBTC 11.7% AS45102 AliBaba BTC.TOP 10.3% AS45102 AliBaba 0 AS45102 AliBaba F2Pool 6.3% 0 2 4 6 8 10 12 14 16 AS58563 Chinanet ASes and Organizations (x100) 12 others 34.3% — —

Fig. 12. Distribution of full nodes in Bitcoin across ASes and ISPs (orga- nizations). Notice that less than 50 ASes and ISPs host more than 50% of nodes showing that the network is centralized and vulnerable to BGP attacks. To verify their results and further analyze the spatial vulnerability of Bitcoin network, we replicated their study and noticed that Bitcoin network has further centralized with use the services of full nodes to get access to the network. respect to ASes and ISPs. We crawled data from “Bitnodes”, Since lightweight nodes draw their view of the Blockchain an online service that maintains information related to full from the full nodes, when a full node is compromised all of nodes in Bitcoin [105]. In Figure 12, we plot the CDF of its associated lightweight nodes are also compromised. Full the spatial distribution of full nodes across ASes and ISPs in nodes in a Blockchain network are spatially distributed across the world. In Table VII, we show the distribution of mining the Internet. In Table VI, we show the spatial spread of full pools across ASes and ISPs in Bitcoin. Notice that 60% of the nodes in three major Bitcoin systems (cryptocurrency). In each hash rate is solely intercepted by AliBaba. Our results show system, a majority of the nodes is located in United States, that compared to the prior work by Apostolaki et al. [29], Germany, China, and Russia. The flow of traffic on the Internet the Bitcoin network has further centralized and become more is controlled by Internet Service Providers (ISPs), which own vulnerable to routing attacks. one or more Autonomous Systems (ASes), responsible for Case studies. Over the last few years, a number of BGP handling traffic routing. [119], [120]. attacks have been launched against ASes that host mining Spatial concentration of nodes within an AS or an ISP pools or cryptocurrency exchanges. In 2014, a malicious makes them vulnerable to routing attacks such as BGP hi- ISP in Canada announced BGP prefixes belonging to major jacking. An adversarial AS can hijack the traffic for a target ISPs including Amazon, OVH, Digital Ocean, LeaseWeb, and AS that hosts a majority of the Blockchain application nodes. Alibaba, and intercepted the traffic routed to mining pools. As This can disrupt the flow of valuable information, including a result, the attacker made a fortune of 83,000 USD. In April transactions and blocks, to the nodes being hosted by the 2018, BGP attacks were launched against MyEtherWallet.com, target AS. When the victim nodes are miners or mining pools, an open source web application used for exchanging Ethereum the attacker can substantially reduce the hash rate of the tokens online. Attackers managed to steal 152,000 USD from Blockchain application, thereby affecting the system activities. the web application [121]. In a mining pool, the miners communicate using stratum 3) Eclipse Attacks: Blockchain’s peer-to-peer system is overlay protocol. The stratum servers act as a dropzone where also vulnerable to a form of attack known as the eclipse attack miners submit their PoW. Stratum servers have a public IP [30], [112], [122], in which a group of malicious nodes isolates address that makes them vulnerable to routing attacks and its neighboring nodes using IP addresses, thereby compro- flood attacks. Apostolaki et al. [29] studied that by hijacking mising their incoming and outgoing traffic. For example in fewer than 100 border gateway protocol (BGP) prefixes in Bitcoin, a node can actively connect to all the other nodes Bitcoin, an attacker can isolate up to 50% of the network’s in the network, forming a node cluster. In the node cluster, hash rate. They further explored that 60% of all Bitcoin every peer is aware of the IP address of all other peers. With traffic traverses only three internet service providers (ISPs). sufficient compromised nodes in a cluster, the attacker can Every month, over a 100 Bitcoin nodes suffer from routing isolate honest nodes and change their Blockchain view. He attacks and BGP hijacks. Furthermore, they estimated that can control their incoming and outgoing traffic and feed them the routing attacks can delay block propagation by up to 20 with fake information regarding Blockchain and transactions. minutes. As mentioned in section IV-B, the average block In Figure 13, we illustrate this attack procedure. As long computation time in Bitcoin is 10 minutes. Therefore, the as the honest node maintains a connection with one other routing attacks can delay the propagation of two or more honest node, it is likely to receive the correct information blocks to a group of nodes. Such delays increase the likelihood to maintain the true state of the Blockchain. However, when of other attacks including Blockchain fork, consensus delay, the connection between the honest nodes is compromised, and double-spending. they will get surrounded by malicious nodes and become 14

Fig. 13. Eclipse attack on a cryptocurrency network. Here, blue nodes represent the honest nodes following the true state of Blockchain while the red nodes represent the malicious nodes that form a cluster around the blue nodes. If the connection between the honest nodes is compromised, the malicious nodes may feed fake blocks to the honest nodes and partition them from the network. As a result, the honest nodes end up having the wrong view of the Blockchain. vulnerable to the eclipse attack. When such nodes are fed 1 with fake transactions and blocks, they eventually develop the Mempool Size wrong view of the state of Blockchain and become part of the 0.8 Fee malicious node cluster. Furthermore, if another honest node establishes a connection with the malicious node cluster, it 0.6 is also exposed to the same vulnerability which leads to the cascade effect of propagation of fake transactions and blocks. 0.4 0.2

D. Distributed Denial of Service Attacks Normalized Value 0 One of the most common attacks on online services is the distributed denial-of-service (DDoS) attack [123]. Blockchain technology, and despite being a peer-to-peer system, is still 07/01/1609/01/1611/01/1601/01/1703/01/1705/01/1707/01/1709/01/1711/01/1701/01/1803/01/1805/01/18 prone to DDoS attacks. Blockchain-based applications, such as Bitcoin and Ethereum, have repeatedly suffered from these Dates (mm/dd/yy) attacks [124]–[128]. DDoS attacks manifest themselves in a number of ways, depending upon the application nature, Fig. 14. Bitcoin mempool size and average fee paid to the miner. It can be observed from the figure that as the mempool size is increases, the fee paid network architecture, and peers behavior. For example, in the to the miners also increases. Bitcoin network, the 51% attack can lead to denial-of-service. Specifically, if a group of miners acquire a significant hashing power, they can prevent other miners from adding their mined blocks to the Blockchain, invalidate ongoing transactions, and Bitcoin is 3-7 transactions per second. Throughput of Bitcoin cause service failure in the network. Intentional forks; forks is low compared to mainstream payment processors such as that are the result of malicious behavior; can turn into hard Visa Credit that can verify up to 2,000 transactions per second. forks, resulting in similar outcomes of denial-of-service. An adversary may exploit the aforementioned operational 1) Stress testing: Another possibility for the attack is due reality of the Bitcoin system by introducing Sybil identities; to the limited number of transactions per block a Blockchain the same adversary also may control multiple wallets. Further- application can process in a given time. For example, on more, using those identities, the adversary may issue several average, it takes the Bitcoin network 10 minutes to mine a dust transactions (e.g., 0.001 BTC per transaction) between block, which has a maximum size of 1MB. Although the the various Sybil identities under his control. By introducing a size of transactions in Bitcoin varies, the average size of a large number of transactions of small value over a short period transaction in Bitcoin is approximately 500 bytes, allowing of time, the network will be congested by creating blocks approximately 2,000 transactions per block on average—the containing those transactions, and service to legitimate users maximum number of transactions added to a block in Bitcoin in the network will be denied. As a result of this congestion is reported to be 2,210 [93]. Furthermore, the average time the adversary may as well launch other attacks; e.g., double- needed to mine a block, based on the predefined difficulty, is spending of tokens not mined due to the congestion. approximately 10 minutes. As such, for all current transactions One may argue that miners may choose which transactions in the network to be successfully included in the Blockchain, to include in a block. However, this is discouraged by design their number may not exceed 200 transactions per minute. in Bitcoin, as outlined by Satoshi. Blocks today even include Taking that into account, and the fact that each transaction transactions of value as low as 0.0001 BTC, which makes requires a minimum of two peers (identified by two different flooding the network with low-value transactions possible. public identifiers) to be involved in a transaction, the total 2) Mempool flooding: Another form of DDoS attack is active peers served by the network per minute (i.e. where carried out at the memory pools (mempools) of the cryp- a block containing their transaction will be mined) will not tocurrencies to increase the mining fee. As outlined in Fig- exceed 200 peers. Given these constraints, the throughput of ure 1, mempools act as a cache of unconfirmed transactions. 15

Although the block size is limited in the cryptocurrencies, the 1) The Finney attack: The Finney attack is a variant of mempool size has no size limit. However, users estimate the the double-spending attack in which a miner delays block size of mempools to prioritize their transactions. If there are propagation to double-spend his transaction [132], [133]. The more transactions in the mempool, then the competition for miner generates a transaction, computes a block, and chooses mining becomes high. To prioritize their transactions, users not to relay the block. In the meantime, he generates a start paying more mining fees as an incentive for miners. Saad duplicate of his previous transaction and sends it to a recipient. et al. [33], identified a low cost DDoS attack on Blockchain After the recipient accepts the transaction and delivers the applications in which the adversary along with Sybil nodes product, the miner publishes his previous block with the orig- may flood the mempools with unconfirmed transactions. Such inal transaction in it. Therefore, the previous transaction sent an attack creates panic among the legitimate users who are to the recipient becomes invalid and the miner successfully tempted to pay higher mining fee to prioritize their transactions double-spends transaction. while the attacker’s transactions do not get mined. As a result, The Finney attack has low success probability due to short the attacker launches a DDoS attack. block intervals and time sensitive attack procedure. The block 3) Case Studies: In Bitcoin, malicious users have been time in Bitcoin and Ethereum are 10 minutes and 15 seconds. flooding the mempool with dust transactions to make legit- If an attacker attempts to launch this attack on Ethereum, it imate users pay higher mining fees. On November 11, 2017, is unlikely that he will be able to 1) generate a double spent the Bitcoin mempool size exceeded 115k unconfirmed transac- transaction, 2) trick an optimistic receiver, 3) receive product tions, resulting in $700 million USD worth of transaction stall before confirmation, and 4) publish a block before any other [50]. In June 2018, again the mempool was attacked with 4,500 miner, within 15 seconds. Since the attack procedure is more unconfirmed spam transactions which increased the mempool time consuming than the block interval time, Finney attack is size by 45MB. The increased size led to a spike in the mining highly infeasible and as such, no case of Finney attack has yet fee and legitimate users were propelled to pay higher fee to been reported on any cryptocurrency. get their transactions mined [129]. In Figure 14, we plot the 2) Classical block withholding attack: The block withhold- mempool size and the mining fee of Bitcoin over the last two ing attack is launched against decentralized mining pools with years. We use min-max normalization to scale the data points. intent to harm the pool operator by withholding a valid PoW. 4) DDoS Attacks in Private Blockchains: In PBFT-based [134], [135]. In decentralized mining pools, all participants private Blockchains, a DDoS attack can be launched if consume electricity and CPU power to find a nonce whose the adversary controls ≈33% replicas [130]. In the private value of a hash with the block is less than the target threshold. Blockchains, the size of the network is known to the par- Once the valid solution is found, all participants are rewarded ticipating nodes, which allows the adversary to calculate the based on their aggregate effort put towards the computation number of sybil nodes he needs to introduce in the network of the solution. Since nonce finding is a lottery-based system, for an attack. Assuming that the adversary controls f sybil therefore, miners with less hash power may come up with a nodes such that the total network size is n < 3f + 1, then valid solution before other miners with a higher hash rate. In the attacker will be able to launch a DDoS attack to stop the the block withholding attack, a compromised miner in the pool verification process. For each transaction sent by the primary, finds the proof-of-work and chooses not to disclose it to the the sybil replicas will not reply with their approvals. Since the pool operator. Unaware of the compromised miner, the rest of primary will need approvals from at least 3f + 1 replicas, it the miners in the pool waste their resources to find the nonce will not be able to process any transaction, and the system and eventually lose the race. The malicious miner then can activities will be halted leading to a DDoS attack. collude with other mining pools and share the PoW with them In public Blockchains, launching such an attack can be for a higher reward, or even publish the block independently costly. The adversary needs to have either the majority of the with a different identity. Due to this unfair behavior of one total hash rate, the majority of stake, or control over 50% net- miner in the pool, the entire pool is deprived of block rewards. work peers. Considering that public Blockchain applications Another form of withholding attack is possible when two such as Bitcoin have more than 10,000 active full nodes [105], mining pools intentionally try to fork the Blockchain to create it is infeasible for the adversary to launch a successful attack. a network partition [89]. For instance let there be two mining On the other hand, in private Blockchains, the network size pools in a cryptocurrency, namely MpA and MpB, and MpA does not grow beyond a few hundred nodes, whereby the computes a valid block but decides not to publish it. MpA adversary needs to control only 33% replicas or just the waits for MpB to compute and publish the block. As soon primary replica, making the attack on private Blockchains as MpB releases its block, MpA also releases its block and more feasible. resulting in two valid blocks in the network. This will fork the Blockchain and nodes in the network will have a consensus disagreement upon receiving two valid blocks. Although this E. Block Withholding Attacks attack may partition the network, it may also cause loss to both The peer-to-peer network of cryptocurrencies can be ex- mining pools. Therefore, no such attack has been reported in ploited to create conflicting views about the Blockchain. any Blockchain application so far. Malicious nodes can intentionally mask, forge, or withhold 3) Fork after withholding attack: Another form of with- important information that needs to be relayed across the holding attack is known as the fork after withholding (FAW) network. Some of the known attacks of this nature are “The attack. Introduced by Kwon et al. [89], FAW is always more Finney Attack” and “Block Withholding Attack” [131]. rewarding than block withholding attacks. In the following, 16

block block, it sends getdata message back to A. Upon receiving the getdada message from B, A sends the block to B. Once B Verification has the block, it also authenticates the block and sends an inv inv Time v1(t) message to its neighbors. As Figure 15 shows, the maximum delay is incurred during authenticity check (v1(t) and v2(t)). getdata The other delays include transmission delays and propagation k bloc delays of messages and block. Transmission delays are subject to the size of block and messages while the propagation delays Verification Time v2(t) depend upon the bandwidth of the link between the nodes. In such conditions, intentional delays can be introduced inv in the network by propagating stale blocks or double-spent Node A Node B Node C transactions. The nodes which are not aware of stale blocks Fig. 15. Block propagation between nodes A, B, and C. Notice that the will respond with getdata messages and upon receiving the maximum time is consumed in block verification, v1(t) and v2(t). Consensus block, they will waste time in its verification. If an attacker delay can be caused by propagating false or stale blocks in the network. controls a set of sybil nodes in the node cluster section V-C, it can add significant delays among legitimate nodes in that cluster. The problem is further exacerbated for time-critical we outline the attack procedure of FAW. applications such as Blockchain-based peer-to-peer gaming, 1) A malicious miner joins two mining pools MpA and where resolution needs to be achieved within short time. MpB respectively. 2) The miner computes a valid PoW in In PBFT-based private Blockchains, an adversary can also mining pool MpA. 3) He withholds the solution and only cause consensus delay by using sybil nodes. As shown in publishes the block once MpB also publishes the block. 4) The Figure 2, a major component of transaction processing is network selects one block among the two. 5) The malicious the exchange of messages and signatures among participating miner gets rewarded either way. replicas. Especially, in the prepare and commit phase, each Kwon et al. [89] also show that if the FAW attack is replica sends its signatures to every other replica. As outlined launched by two or more mining pools against each other, then in section V-D, if the adversary controls more than 33% of the bigger mining pool will always win in the race condition. replicas, he can launch a DoS attack. On the other hand, if Therefore, the FAW attack is always more profitable than the adversary controls fewer replicas, he may still be able to selfish mining and block withholding. cause consensus delay in transaction processing [137], [138]. 4) Block Withholding in Private Blockchains: In private The sybil nodes can also send bogus signatures to the other Blockchains, the primary replica can launch a block with- replicas during the prepare phase and the commit phase. Since holding attack after receiving a confirmations from other each replica is then required to verify signatures, therefore, replicas. Private Blockchains work under the assumption that bogus signatures will cause additional verification overhead. the primary will faithfully execute the protocol. Moreover, the If the sybils continue to send such signatures, they can stall adversarial model assumes that the attacker controls a subset the completion of the commit phase and eventually cause a of faulty replicas among all the other replicas. However, if the delay in the reply phase. As a result, the primary will not adversary also controls the primary replica, he can withhold receive the required number of approvals for the transaction blocks and transactions from all other replicas. As shown in verification. This will cause consensus delay and reduce the Figure 2, the primary receives a transaction request from the throughput of the application. client and sends the transaction to other replicas to obtain their signatures. Finally, it computes the block when a sufficient G. Timejacking Attacks number of transactions are processed. However, if the primary In Bitcoin systems, such as Bitcoin, full nodes maintain an gets compromised, he may: 1) withhold a transaction issued by internal counter that denotes the network time. The network the client and abort the verification process, 2) delay the ver- time is obtained by receiving a version message ver from ification process by sending the transaction to fewer replicas, neighboring peers and calculating its median during the boot- 3) receive the signatures and discard them, 4) compute a block straping phase. If the median time of all the neighboring peers and withhold it from the rest of the network. In each case, the exceeds 70 minutes, the network time counter is automatically primary can launch a withholding attack to compromise the reverted to the system time of the node. This creates an attack system and delay the transaction processing. opportunity for malicious nodes which may connect to the target node as shown in Figure 13. In such case, the attacker F. Consensus Delay can feed varying timestamps with median value exceeding 70 Another attack associated with the peer-to-peer nature archi- minutes. Furthermore, in Bitcoin, for example, a node rejects tecture is the consensus delay, noticed by Geravis et al. [136]. a block if its timestamp exceeds the network time by 120 In this attack, an attacker may inject false blocks to add latency minutes. An attacker can compute a new block and set its or prevent peers from reaching consensus about the state of timestamp ahead of network’s timestamp by 50 minutes. The the Blockchain. In Figure 15, we illustrate the delays incurred attacker then, along with Sybil nodes, can slow the network during block propagation in Bitcoin. When node A receives a time of a target node by launching a timejacking attack against block, it authenticates the block and sends an inv message to it. As a result, the difference between the block time and the its neighbors including node B. If node B does not have the target node’s counter will exceed 120 minutes. As a result, if 17 the target node is presented with the block, it will reject it fee-based and age-based countermeasures to prevent DDoS and all the subsequent blocks. The target node eventually gets attack on Blockchain mempools. In their work, they shifted isolated from the activities of the main network. the transaction filtering process from the mining pools to the mempools. Their proposed countermeasures optimize the H. Countering Peer-to-Peer Attacks mempool size and raise the attack cost for the attacker while favoring legitimate users in the system. Prior research has been conducted to address the problem of selfish mining, and researchers have suggested several possible To prevent DNS-based attacks, extensive research has been solutions [110], [139]–[141]. Solat and Potop-Butucaru [142] carried out to equip the Blockchain systems with DNS attack proposed a “lifetime” for blocks that prevents block with- defenses [147]–[149]. Apostolaki et al. [29] proposed long- holding by selfish miners. If the expected lifetime of a block and short-term solutions for routing attacks. They propose expires (calculated by the honest miners), it is rejected by the routing-aware peer selections to maximize diversity of internet network. Heilman [140] impedes the profitability of selfish paths and limit the vantage points for attacks. They also pro- miners by introducing a defense scheme called “Freshness posed peer behavior monitoring to check abrupt disconnections Preferred.” Heilman [140] builds on top of the previous work and unusual latency in block delivery. by Eyal and Sirer [110] by adding unforgeable timestamps Other solutions to prevent delay attacks include end-to- to blocks and prefers blocks with more recent timestamps end encryption for message propagation. Another possible compared to older ones. His work reduces the incentive for approach to prevent spatial partitioning is the decentralized selfish miners to withhold their blocks for long periods of time. hosting of mining pools and full nodes over the Internet. As Eyal [26] modeled a game between two mining pools carrying shown in Table VI. 50% of Ethereum nodes are located within out block withholding and discovered miner’s dilemma, where two countries, which makes them vulnerable to a nation-state both mining pools suffer a loss in equilibrium. adversary. In order to prevent that, new nodes must be hosted Majority attacks have also been widely discussed with coun- on cloud services that have a higher geographical spread and termeasures proposed to overcome a monopoly in Blockchain network diversity. The dimensions we explored in this paper networks. Miller et al. [143] proposed changes to the PoW encourage additional research on Blockchain technology in the puzzle in Bitcoin in order to restrict coalitions of mining areas regarding DNS and DDoS attacks. pools for majority attacks. Their proposed design incorpo- To counter block withholding attacks [131], [141], [150], rates nonoutsourceable puzzles in PoW, in which mining [151], Schrijve et al. [152] introduced an incentive-compatible pools that outsource their mining work risk losing mining reward scheme that discourages a malicious miner from carry- rewards. Saad et al. [144] leveraged the expected transaction ing out withholding attacks against the targeted mining pool. confirmation height and the block publishing height to detect Rosenfeld [153] introduced a Honeypot technique to lure selfish mining behavior in PoW-based Blockchains. Using the rogue miners into a “trap”, thereby catching the miner who relationship between the two features, they created a “truth withholds valid solutions. Bag and Sakurai [151] proposed state” for each published block in order to distinguish between additional incentives for finding a valid solution for a block a legitimate block and a selfishly mined block. Also addressing in order to prevent mining collusion. Concurrent to their prior the 51% attack, Bastiaan [31] introduced the concept of “two work, Bag et al. [150] introduced a new scheme that blinds phase proof-of-work” (2P-PoW). 2P-PoW is a continuous-time the miners in the pool from the current target to obfuscate Markov chain (CTMC) model that incorporates two challenges their ability to distinguish between a partial and full PoW. for miners to solve instead of one. The states of the CTMCs Their proposed solution also binds the pool operator to fairly prevent the pool from increasing beyond an alarming size by distribute the reward to the winning miner. shrinking incentive for miners in the pool. 2P-PoW prevents The FAW attack can be countered by introducing times- large pools from creating a hegemony by either outsourcing a tampped beacons in the assignment given to the miners by major chunk of their hash rate or exposing the private keys of the pool operators [89]. As a response to each assignment, the pool operator. the miners calculate the partial proof-of-work and send the Johnson et al. [145] proposed a game-theoretic approach response to the pool operator embedded with the beacon value. to address DDoS attacks against mining pools. Other counter- The beacon value is updated after a few seconds to catch a measures include putting a cap on the minimum amount in the malicious miner if he withhold the valid solution and later transaction that a sender can have or increasing the block size propagates it in the network. However, the authors also noticed to accommodate more transactions. Yet another approach is to that this solution may not be practical in some situations reduce the difficulty in mining blocks so that more blocks can and conclude that FAW attacks remain an open problem for be mined with no transactions going to waste. Each of these the research community to address. To address the security propositions have their own caveats. issues in private Blockchains, several variants of PBFT protcol Increasing the block size might not be sufficient, since a have been proposed. Those protocols try to increase the powerful adversary can still stress the network by generat- fault tolerance beyond 33% [154], [155] and use hardware ing dust transactions. On the other hand, reducing difficulty assistance to detect the behavior of faulty replicas [156]. The will reduce the block time but it will increase the number key challenge in private Blockchains is the high message of orphaned blocks in the system and the overall size of complexity that restricts the scalability. As a result, in a small the Blockchain. At the time of writing this paper, Bitcoin network, the adversary can easily compromise 33% replicas. and Ethereum Blockchain size was recorded to be 162 GB To address this issue, Liu et al. [156] proposed a scalable and 450 GB, respectively [146]. Saad et al. [33] proposed Byzantine consensus with hardware assisted secret sharing, 18 which reduces the message complexity of PBFT to O(n). B. Double-Spending This can be leveraged to construct large private Blockchain In cryptocurrencies, double-spending refers to the use of networks that can withstand various forms of attacks. a one-time transaction twice or multiple times. To illustrate double-spending with an example, consider the following scenario. In cryptocurrency operations, a transaction transfers VI.APPLICATION ORIENTED ATTACKS the ownership of asset from a sender’s address to the receiver’s The Blockchain and associated peer-to-peer system are public address, and the value of the transaction is signed by separate from the application services using them. Based on the signer with a private key. Once the transaction is signed, it the nature of the Blockchain applications, they have their is broadcast to the network upon which the receiver validates own vulnerabilities and attack surface. Therefore, we expect a the transaction. The validation at the recipient’s end happens significant number of attacks related to various applications, when the receiver looks up the unspent transaction output of which we address in this section. Our analysis is primarily on the sender, verifies the sender’s signature, and waits for the applications such as cryptocurrencies and smart contracts. transaction to be mined into a valid block. The process takes a few minutes depending upon the size of the mempool, the throughput of the network, priority factor of the transaction, A. Blockchain Ingestion and Anonymity and the block computation time of the cryptocurrency. In Bitcoin, the average time of block mining is 10 minutes. Public Blockchains have a weak notion of anonymity, and In an environment of fast transactions [54], [160] or if a they provide open data accessibility to the public. As such, the receiver is optimistic, he may release the product to the sender analysis of the public Blockchain can reveal useful information before the transaction gets mined into the Blockchain. As to an adversary. This process is known as Blockchain ingestion such, this gives the sender an opportunity to sign the same and it might not be desirable to the Blockchain application or transaction and send it to another recipient. This behavior of its users. For example, a credit card company in the open mar- signing the same transaction with a private key and sending ket can use data analytics to delve into public information on it to two different receivers is known as double-spending. In the Blockchain and optimize its own schemes to compete with double-spending there are two transactions derived from the the digital currency. To demonstrate the potential exploitation same unspent transaction output of the sender, and only one of of the public data, Fleder et al. [37] used graph analysis to them gets incorporated into the Blockchain. In Figure 16, we create directed links between Blockchain data of Bitcoin and illustrate how a double-spending attack can be carried out in a associated identities of the wallet users. cryptocurrency. Consensus delay in the network section V-F, Mt. Gox incident. In 2013, two attackers exploited the BGP attacks, flood attack on mempools, or the 51% attack sec- public nature of Bitcoin Blockchain to carry out fraudulent tion V-B can cause additional latency in the verification transactions and create a fake demand of bitcoins at multiple and propagation process, which increase the chances of an exchanges. The main target of attack was Mt. Gox; the biggest adversary to perform double-spending. In March 2013, due Bitcoin exchange in Japan in 2013. The attackers frequently to a soft fork, a successful double-spending transaction worth carried out a sequence of fraudulent transactions at Mt. Gox. $10,000 USD was carried out in Bitcoin. Since the Blockchain is public, the rate of transactions was noted by other exchanges too and it was assumed as if the overall demand of the coins had increased. As a result, the C. Cryptojacking price of Bitcoin increased from $150 USD to $1,000 USD Cryptojacking is a form of an attack that is launched towards the end of 2013. The trade carried out at Mt. Gox on web and cloud-based services to illegally perform PoW by the attackers was not backed by the real coins, which for Blockchain-based cryptocurrencies without consent [161], eventually led to the bankruptcy of the exchange. [162]. The most recent as well as the most prevalent form Illegal Activities. Anonymity in Blockchain-based cryptocur- of cryptojacking is the in-browser cryptojacking, which turns rencies provides lucrative opportunities for miscreants to carry websites into mining pools [163]. PoW requires processor out fraudulent activities. As such, cryptocurrencies have be- intensive mathematical calculations which usually involves come a popular source of funds transfer for illicit activities finding a target hash value. As the aggregate hash rate of associated with the Deep Web [157], [158]. Since the use of fiat the cryptocurrency network increases, the associated difficulty currency leaves traces on Blockchains that can be tracked by to compute a block also increases. To meet the difficulty law enforcement, cryptocurrencies on the other hand, preserve requirements, sophisticated hardware such as GPUs and ASIC the anonymity of the user. This is a key reason why various chips [91] are used by miners. Mining pools expand their countries have banned the use of cryptocurrencies [159]. hashing capability by inviting more miners to join their pool Blockchains are tamper-proof, append-only, and decentral- and purchasing expensive hardware with better computation ized; once a transaction is committed, it cannot be reversed. capabilities. As a result, the mining process in major Bitcoin This has led to various irreversible scam activities online, systems becomes an expensive and competitive game that where users are tricked into sending money through Bitcoin prevents small miners from mining blocks independently. ATMs. Furthermore, the absence of a central authority makes 1) Cloud-based Cryptojacking: To compensate for that, it harder to claim fraud and expect reimbursement. Therefore, malicious miners have found a way of to expand their hash design constructs of Blockchain applications can be exploited power by hijacking processors of remote devices for mining. to facilitate cyber crimes and online frauds. This attack is known as the covert mining, or cryptojacking 19

Balance User A Memory Pool Transaction 1 3 Miner Validates Selected Transactions on 3. Block Hash ti Computes Block. (Transaction 3 Rejected) ac Transaction 2 Previous Block Hash . ns 2 ra Transaction 3 Merkel Root T Number of Transactions Transaction 4 Block Added Transaction 5 4. T Coinbase Reward ra Transaction 2 1 ns . ac Transaction 4 ti Miner on 2 Transaction 5

B1 B2 B3 B4 B5

User B User C Blockchain Block 5 (B5)

Fig. 16. Double-spending attack carried out by User A. User A has Transaction 1 in his balance. Using that as an input, he generates Transaction 2 and sends it to user B. Then he generates Transaction 3 from the an already spent Transaction 1. When miner queries the mempool, he can either select Transaction 2 or Transaction 3. If Transaction 3 gets rejected, user C suffers the loss.

100 100 100 Cryptojacking browar.bz browar.bz Coinhive seriesfree.to seriesfree.to 80 Monero megapastes.com megapastes.com 80 legendaoficial.net 80 legendaoficial.net 60 60 60 40 40 40

Popularity Index 20 % CPU Usage % CPU Usage 20 20 0 0 0 0 5 10 15 20 25 30 0 5 10 15 20 25 30 06/01/1707/01/1708/01/1709/01/1710/01/1711/01/1712/01/1701/01/1802/01/1803/01/1804/01/1805/01/1806/01/1807/01/18 Dates (yy/mm/dd) Time (Seconds) Time (Seconds) (a) Google popularity index (b) Percentage CPU usage by four cryptojacking (c) Percentage CPU usage by four cryptojacking websites when JavaScript is enabled websites when JavaScript is disabled

Fig. 17. (a) shows the Google search index for the terms “Cryptojacking”, “Coinhive”, and “Monero.” Notice that towards the end of 2017, there has been a rise in the Google search for the three terms which coincides with timing of large scale cryptojacking attack. In (b) and (c) we show the effect of four cryptojacking websites with an without JavaScript enabled. Cryptojacking consumes high CPU power upto 100% which can affect critical CPU operations. attack, and it involves hijacking a target device to perform cryptojacking on the website’s visitors machines. PoW calculations for the attacker. Initially, these attacks were Coinhive is the most popular platform for cryptojacking launched against cloud service providers, where malicious attacks on websites, and it is linked to the cryptocurrency users performed covert mining operations on virtual machines called Monero [166]. In Figure 19, we provide the JavaScript and exhausted cloud resources. This behavior was first noticed cryptojacking code used by attackers to bind victim website to by Tahir et al. [40], where they also proposed countermeasures their account at Coinhive. The code listing shows that when a in the form of a software tool called “MineGuard” to effec- browser loads coinhive.min.js file, it establishes a WebSocket tively detect and stop covert mining operations in cloud. connection with coinhive server and passes the attacker’s key 2) Web Cryptojacking: Cryptojacking was brought to the to bind with the dropzone server. It then receives a target and web in 2017, and has been soaring in popularity as shown submits the corresponding hashes to the server over the same in Figure 17(a). Web-based cryptojacking is used by attack- socket connection [167]. The throttling parameter controls ers who inject malicious JavaScript code into websites that the hash rate of the victim device and is adjustable to the secretly mine tokens without the consent of their visitors. In requirement of the attacker. browser-based cryptojacking, the web browser on the client In Figure 17(b) and Figure 17(c), we plot the processor device executes JavaScript code that establishes a WebSocket usage of four cryptojacking websites with JavaScript enabled connection with a remote dropzone server. The server then and disabled. It can be noticed that each website uses different sends the target to the client, which computes hashes for PoW CPU power when JavaScript is enabled, indicating varying and transmits them back to the server. During this process, the thresholds of throttling parameters. Figure 17 also shows that device owner remains unknown of this background activity when the JavaScript is disabled, the browser cannot execute and seamlessly continues to browse the website. In-browser the malicious script and is unable to perform cryptojacking. cryptojacking not only poses a major privacy threat, it also In-browser cryptojacking is a relatively new attack related harms the performance of the visiting device, since PoW- to the PoW-based Blockchain applications, therefore no prior based hash computations are processor-intensive and may lead research is available that looks into the operations and effects to excessive CPU usage and battery drainage. To further of this attack. However, owing to the incidents reported in the facilitate these attacks, online platforms such as coinhive and news, it can be inferred that cryptojacking is becoming popular crypto-loot [164], [165] emerged in 2017, to provide simple over time. In 17(a), we show the popularity index of the terms code snippets for the attackers and website owners. Those “Cryptojacking”, “Coinhive”, and “Monero”, as recorded by services bind websites with their platform service and perform Google analytics based on the search count [168]. The results 20

(a) Cryptojacking (b) Coinhive (c) Monero

Fig. 18. Heatmap of the global distribution of Google searches for each term. Notice that US is the most prevalent country in all three search results. Moreover there is more similarity in the search for Coinhive and Monero.

TOP 5 SOFTWAREVERSIONSUSEDBY BITCOINFULLNODESALONGWITH 1 B. Core v0.16.0 02-26-2018 59 36.28% Fig. 19. Malicious JavaScript code that links a website to Coinhive. 2 B. Core v0.15.1 11-11-2017 166 27.52% 3 B. Core v0.15.0.1 09-19-2017 219 5.01% 4 B. Core v0.14.2 06-17-2017 313 4.67% in 17(a), show that since October 2017, there has been a rise in 5 B. Core v0.15.0 04-22-2017 369 2.05% the search for each term, indicating the interest shown by the users in cryptojacking. Additionally, in Figure 18, we show the global distribution of these searches. digital currency was stolen from 260 accounts. In January 3) Case studies: Cryptojacking is considered as an emerg- 2015, ’s Bitcoin wallet was hacked, resulting in a ing threat to the security and privacy of Bitcoin systems, by loss of $5.1 million USD worth bitcoins [172]. the research community. Symantec’s latest Internet Security Threat Report (ISTR) reveals that cryptojacking attacks on Key Exposure and Theft. A well-known problem in websites have increased by 8500% during 2017 [169]. In Blockchain-based cryptocurrencies is private key exposure and February 2018, a large scale cryptojacking attack was launched theft. If the attacker acquires the private key belonging to a that compromised more than 4000 websites worldwide includ- user, he can sign and generate a new transaction on behalf ing the websites of UK National Health Service (NHS) and US of the user, and possibly spend his balance to unauthorized Federal Judiciary [167]. UK’s National Cyber Security Centre recipients. Brengel et al. [173] studied the key leakage in (NCSC) has declared cryptojacking a “significant threat” in its Bitcoin by studying the Bitcoin Blockchain for ECDSA nonce yearly cyber security report [170]. reuse. Their results show that ECDSA nonce reuse is misused in Bitcoin to generate transactions on behalf of users. Sim- ilarly, Breitner et al. [174] performed cryptanalytics attacks D. Wallet Theft on Bitcoin, Ethereum, and Ripple to expose their private Where credentials, such as keys, associated with peers in keys. They used a lattice-based algorithm to compute private the system are stored in a digital wallet, the “wallet theft” ECDSA keys that were used in biased signatures. attack arises with certain implications on the application. Software Client Vulnerabilities. Public Blockchain applica- For example, in Bitcoin, the wallet is stored un-encrypted tions such as Bitcoin and Ethereum have open-source software by default, allowing an adversary to learn the credentials clients that enable users to connect with the network. Over associated with it and the nature of transactions issued by it. time, new software versions are released, implementing new Even when a wallet is safely guarded on the host, launching rules and upgrades. An upgrade is also released to patch a malware attack on the host will allow the adversary to steal vulnerability in an old version. In Bitcoin, the Bitcoin Core the wallet. Finally, with many third-party services enabling v0.15 and below are vulnerable to denial-of-service attacks. storage of wallets, those services can also be compromised This vulnerability was patched in the newly released v0.16. and the wallets can be leaked to an adversary [48]. However, not all nodes download the newly released version. Case studies. In December 2017, $63 million USD worth They continue with the old software client and remain exposed bitcoins were stolen from the wallet of a cryptocurrency to its vulnerabilities. In Table VIII, we show the diversity in company, NiceHash [171]. During the hack, the entire contents adoption of a Bitcoin software client. Notice that only 36.28% in NiceHash’s Bitcoin wallet were stolen. In November 2017, of the nodes are using the most updated software version that Treasury wallet was hacked and $31 million USD is immune to the denial-of-service attack. worth bitcoins were stolen from it. Also in November 2017, Moreover, the open-source code can be exploited by an $280 million USD worth of ether was locked up after a user adversary to release a new update with a malicious code and deleted the code in the digital wallet hosted by a company bugs. If a user installs the software, it can provide access to named Parity Technologies. In July 2016, the social media the attacker who can launch various attacks including DDoS, Blockchain “” was attacked and $85,000 USD worth balance theft, etc.. It is therefore necessary to download the 21 software client from a trusted platform. // Vulnerable Smart Contract mapping (address -> uint) private userBalance; function withdraw() public{ E. Attacks in Smart Contracts uint WithdrawAmount = userBalance[msg.sender]; if (!(msg.sender.call.value(WithdrawAmount)())) { As new applications are built on top of Blockchain, their throw; }// Caller's code executed and it can own limitations along with Blockchain vulnerabilities, create a make recursive call to withdraw() again. userBalance[msg.sender] = 0; new attack surface. Smart contracts belong to the generation of } Blockchain 2.0 and in this section, we will explore the attack possibilities in smart contracts. The most well known smart Fig. 20. Reentrancy attack on smart contract code [41]. A major problem contract application in digital world is Ethereum, which uses with calling external contracts is that they alter the control flow of the code that the running contract does not anticipate. In this contract, an external call programming language for coding contracts. Solidity is made before the user’s balance is set to 0. [175] is a contract oriented language, influenced by Javascript, Python and C++. Deficiencies in programming language, ex- // DoS attack ecution environment, and coding style can lead to a series contract Malicious_Auction { address presentLeader; of attacks. In Figure 20, we demonstrate a vulnerable smart uint maxBid; contract code that steals a sender’s balance. “The DAO” had a function bid() payable { similar vulnerability in their smart contract which resulted in require(msg.value > maxBid); require(presentLeader.send(maxBid));// a loss of $50 million USD. Some of the well known attacks Refund the old leader, if it fails then on Ethereum smart contracts include reentrancy attack, over revert and under flow attacks, replay attacks, short address attacks presentLeader = msg.sender; and reordering attacks [42], [176]. maxBid = msg.value;}} 1) Reentrancy attacks: In reentrancy attack, if the user does Fig. 21. DoS attack on a vulnerable smart contract in which the malicious not update the balance before sending ether, an attacker can bidder may revert funds to the old leader and prevent other bidders from steal all the ether stored in the contract by recursively making calling the bid() function. As such the malicious bidder remains the leader of calls to the call.value() method in a ERC20 token. As such, a the auction for as long as he wants. careless user may lose his entire balance in the contract if he forgets to update his balance. 5) Forcible balance transfer: In vulnerable smart contract 2) DoS attacks: DoS attack in smart contract enables codes, forcible balance transfer to the contract can occur a malicious actor to keep funds and authority to himself. without a fallback function. This can be used to exhaust the Consider an example of a smart contract auction in which gas limit and disallow the final transaction. a malicious bidder tries to become the leader of an auction illustrated in Figure 22. The vulnerable contract prevents refunds to the old leader of the contract and makes the attacker F. Replay attacks the new leader. Moreover, it cancels all the bid() requests The replay attack involves making one transactions on two sent by other bidders and keeps the attacker as the leader different Blockchains. For instance, when a cryptocurrency of the auction. Another form of DoS attack in Ethereum forks into two separate currencies, users hold equal assets on smart contract involves exploiting the gas limit set by the both ledgers. A user has an option of carrying out a transaction contract Figure 21. In Ethereum, if the overall gas consumed on any one of the two chains. In replay attacks, the attacker by the smart contract upon execution exceeds the gas limit, sniffs the transaction data on one ledger and replays it on the the contract transaction fails. An attacker can exploit this by other ledger. As such, the user loses assets on both chains. A adding multiple addresses with refund needs. Upon execution, simple case can be drawn from Ethereum. the gas required to refund those addresses may exceed the total In Ethereum, a transaction signed on one Blockchain is valid gas limit, thereby cancelling the final transaction. on all Blockchains. Therefore, a transactions made on a test 3) Overflow attacks: An overflow in a smart contract hap- network can be replicated on the public network to steal funds. 256 pens when the value of the type variable (2 ) is exceeded. Although Ethereum has taken countermeasures to prevent For instance, in a smart contact of online betting, if someone replay attacks by incorporating chainID in transactions, users 256 sends large amount of ether, exceeding (2 ), the value of the who do not enable this wallet feature remain vulnerable. bet would be set to 0. Although exchange of an ether value greater than (2256) is unrealistic, but it remains a programming vulnerability in smart contracts written in Solidity. G. Countering Application Oriented Attacks 4) Short address attacks: The short address attack exploits Attacks on Blockchain applications have various possible a bug in Ethereum’s virtual machine to make extra tokens countermeasures. For example, to secure blocks, it is advised on limited purchases. The short address attack is mostly to keep backups of the wallet and secure the keys used for applicable on ERC20 tokens. For this attack, the attacker signing transactions. Passwords are easy to compromise, and creates an Ethereum wallet ending with 0 digit. Then he makes using a strong password is required as a defence against brute- a purchase on the address by removing the last 0. If the force attack. However, changing passwords does not change contract has a sufficient balance, then the buy function does the keys secured by them, making those keys vulnerable due not check the sender’s address and Ethereum’s virtual machine to a previous compromised password. Wallet encryption, a appends missing 0 to complete the address. As a result, for standard practice in the original Bitcoin design, is highly rec- each 1000 tokens bought, the machine returns 256000 tokens. ommended to cope with vulnerable keys. Other mechanisms to 22

// DoS attack on Gas Limit contract Vulnerable { struct Payee { function () payable { address addr; revert(); } uint256 value;} function somethingBad() { Payee[] payees; require(this.balance > 0); uint256 nextPayeeIndex; // Do something bad function payOut() { }} uint256 i = nextPayeeIndex; while (i < payees.length && msg.gas > 200000) { Fig. 24. Vulnerable contract code that allows forcible balance transfer to the payees[i].addr.send(payees[i].value); contract without a fallback function. i++;} nextPayeeIndex = i;} access to the blacklist can easily circumvent detection by using Fig. 22. DoS attack exploiting the gas limit in a vulnerable smart contract. The attacker initiates a list of addresses that demonstrate the need for the a relay server between the host and the dropzone server. As of refund. Once all the addresses are refunded, the overall gas used by the smart now, cryptojacking and its defences are open challenges and contract exceeds its gas limit. require more attention from the community. mapping (address => uint256) public userBalance; VII.RELATED WORK // Vulnerable code function transfer(address _to, uint256 _value) { The work surveyed for paper includes the prior research // Check if the sender has sufficient balance efforts towards the study of Blockchain applications and require userBalance[msg.sender] >= _value); their security vulnerabilities. In doing so, we also con- // Compute new balance userBalance[msg.sender] -= _value; sulted the Comprehensive Academic Bitcoin Research Archive userBalance[_to] += _value; } (CABRA) [181], a comprehensive list of over 900 research papers that keep track of ongoing research in Blockchain Fig. 23. Overflow attack. When the sender’s balance is being checked, the contract code does not take into the account if the balance exceeds the value systems. CABRA is influenced by a chronological list of 2256. In such a case, the balance will be set to 0 by default and overflow Blockchain papers maintained by Brett Scott [182]. From these attack can be launched. useful repositories, we curated a list of relevant papers for this study, as starting pointers. There have been several attempts at understanding the attack cope with wallet security include insurance, which technically surface of Blockchains by various surveys, which we contrast does not address the problem by remedying its consequences. to our work in the following. Towards analyzing the attack A backup of the keys and wallet is essential because if the surface of Blockchains, Li et al. [183] surveyed various se- keys are lost, then access to wallet is not possible, and if curity aspects of Blockchains by studying popular Blockchain some attacker deletes the wallet, all the coins are lost. applications including Bitcoin, Ethereum, and Monero. They New models of cryptocurrency, such as “”, provide evaluated the robustness of Blockchain applications against chain anonymity to the transactions, the users, and the amount popular attacks and the risk factor associated with each attack. exchanged. As such, the shielded architecture of “Zcash” Although comprehensive in the survey of attacks, their work, Blockchain prevents block ingestion attacks. The double- however, does not look into countermeasures. Conti et al. [57] spending attack is easily addressed in fast networks, but not surveyed security and privacy of Bitcoin. Although Bitcoin when the network is characterized by high latency and longer is a motivating example to analyze the attack surface of block mining times. One possible approach to deal with the Blockchains in general, however, Blockchains have evolved problem is utilizing one-time (or a few time) signatures, such beyond Bitcoin and their attack surface has increased accord- as XMSS [177], which reveal the private key of the user if he ingly. Furthermore, their work does not cover new attacks tries to double-spend. However, this requires the change in the related to Blockchain applications such as cryptojacking, current signature algorithms that Blockchain applications have among others. Tara et al. [184], explored the utilization of used. Other proposals include reducing the difficulty parameter the Blockchain technology in providing distributed security of a Blockchain to enable swift block mining, which is a services. They mainly focused on the use of Blockchains reasonable approach, except that it would further facilitate to provide services including authentication, confidentiality, selfish mining and the rate of stale blocks. provenance, and integrity assurance. In contrast, our work is All major attacks on smart contracts in Ethereum are either dedicated to the abuse of Blockchains and their applications. related to the vulnerabilities in programming platforms or care- Anderson et al. [185], looked into the use of new consen- less programming practices. These attacks can be prevented by sus schemes in emerging Blockchain applications such as patching vulnerabilities in Ethereum virtual machine (EVM) and Peercoin. They also surveyed various security and avoiding programming mistakes in smart contracts. [42]. features of these applications with an emphasis on smart To counter covert mining in cloud, [40] et al. proposed contracts. In a similar context, Atzei et al. [61] also explored “MineGuard” that detects anomalous use of processor in Vir- various attacks limited to Ethereum smart contracts. Compared tual Machines. To mitiage in-browser cryptojacking, reputable to the existing literature, our work goes beyond the state- web browsers, including Chrome and Firefox have, launched of-the-art in outlining new attacks, their implications, their web extensions that actively detect WebSocket connections defenses, and relevant case studies. that trasnmit PoW [178]–[180]. However, as of now, the Kiran and Stanett [187] perform risk analysis on Bit- extensions use a blacklisting approach to spot the WebSocket coin, spanning its vulnerabilities and attack surface. They traffic which has its limitations. For example, an attacker with also explore the risk factors associated with the economics 23

TABLE IX COUNTERMEASURES AND THEIR EFFECTIVENESS RELATED TO THE ATTACKS SURFACE OF BLOCKCHAINS.HERE, , , DENOTEOPENPROBLEM, FEASIBLESOLUTIONS, ANDINFEASIBLESOLUTIONS. # H#

ATTACKS COUNTERMEASURES EFFECTIVE? Forks Joint consensus [48] Blockchain Structure Orphans Increase block time [109] # DNS hijacks Routing-awareness [29], [147] BGP hijacks Routing-awareness [29], [147] # Eclipse attacks Peer monitoring [112] # Majority attacks Two-phased proof-of-work [31] # Peer-to-Peer System Selfish mining Time-stamping blocks [139]–[142] H# DDoS attacks Increase block size [33] # Consensus Delay Peer monitoring [112] # Block Withholding Enforce PoW submission [142] # Timejacking attacks Synchronized clocking H# Finney attacks Increase block reward [36] # Blockchain Ingestion Encrypted Blockchains [186] H# Wallet theft Backups, wallet insurance [38] H# Double-spending OTS schemes [177] Cryptojacking Mineguard [40] H# Smart contract DoS Patch EVM [41] Blockchain Application ≈ reentracy attacks Patch EVM [42] # ≈ replay attacks Secure programming [42] # ≈ overflow attacks Patch EVM [41] ≈ short address attacks Patch EVM [42] # ≈ balance attacks Secure programming [41] # of Bitcoin and cryptocurrency market in general, including add a penalty to the transaction verification time. Therefore, deflation, volatility, and complicity. Becker et al. [96], out- this solution partially addresses the problem. Additionally, in lined challenges and security risks associated with PoW-based Figure 25, we provide an illustration of various attacks and Blockchain applications. Moubarak et al. [188] explored the their countermeasures. Note that some countermeasures may security challanges of three major Blockchain applications, address more than one attack, thereby indicating a common namely Bitcoin, Ethereum, and . However, their cure. This can be used to motivate future research directions work was more directed towards the application attacks and in prioritizing defenses. did not consider the attacks related to the Blockchain’s cryp- tographic constructs and P2P fabric. A. Blockchain Structure Attacks Carlsten et al. [189], analyzed the security features of Analyzing the problems associated to Blockchain’s math- Bitcoin in the absence of Block rewards. Since the number ematical constructs, Eyal et al. [34], proposed a Byzantine of coins in Bitcoin are deterministic and the coinbase rewards fault tolerant Blockchain protocol that addresses the problems will eventually end when all the coins are mined, the stake of of Blockchain fork. Decker and Wattenhofer [171] observed miners in the system will take a paradigm shift which might information propagation in Bitcoin network and introduced a influence the security properties of Bitcoin. As such, there is an model that explains the formation of Blockchain forks. From implicit belief that this might not change the attack surface of their results, they concluded that delays in block propagation Bitcoin. However, in [189], the authors outline the limitations are the primary cause of Blockchain forks. Kiffer et al. of this belief and present new attack avenues and their effects. [190] analyzed the design space of Ethereum and studied a As Blockchain applications are evolving, they are being large-scale fork that partitioned Ethereum into two separate targeted with new and more sophisticated attacks every day. networks (Ethereum and ). They further In this paper, we look into the prior work and also cover the analyzed the impact of the fork on users, mining pools, and emerging vulnerabilities and attacks on Blockchain applica- the two networks, by exploring the possible gains and security tions. We also report the major incidents and case studies vulnerabilities from the outcome. related to each attack and provide future directions for research and analysis. In Table IX, we outline the possible counter- measures and their effectiveness for each attack discussed in B. Peer-to-Peer System our work. The criterion of determining the effectiveness of Towards routing attacks and spatial partitioning of Bitcoin, a countermeasure is how fully or partially it addresses the Apostolaki et al. [29] noticed that by hijacking fewer than problem. For instance, one way to reduce orphaned blocks is 100 border gateway protocol (BGP) prefixes in Bitcoin, an to increase the block time in Ethereum. However, this may also attacker can isolate up to 50% of the network’s hash rate. 24

selfish mining and block withholding. Heilman used unforge- Attacks able timestamps to raise the threshold of mining power to carry Fork out selfish mining. Bastiaan [31] proposed a defense against Orphans the 51% attack by a stochastic analysis of two phased proof-of- DNS Countermeasures work (2P-PoW), initially proposed by by Eyal and Sirer [192]. BGP Joint Consensus 2P-PoW prevents the hash rate of a mining pool from growing Eclipse Increase Block Time beyond a limit. It does so by forcing the pool owners to either Majority Routing Awareness reduce their hash power or give up their private keys. Selfish Mining Peer Monitoring The domain of DDoS attacks on Blockchains and mempools DDoS remain an open problem and as such, countermeasures are 2P-PoW Delay being proposed which include: increasing throughput, increas- Time-Stamp Blocks Withholding ing block size, and limiting the size of the transactions. Since Enforce Submission Timejacking Increase Block Size DDoS attacks manifest themselves in a different way in a peer- Finney to-peer architecture, as opposed to a centralized system, their Synchronized Clocks Injestion prevention also requires non-conventional approaches [33]. Increase Reward Wallet Theft Encrypted Blockchain Double-Spending Backup, Insurance C. Blockchain Application Attacks Cryptojacking OTS Signatures DoS (SC) Prior work has been done to look in to the attack av- MineGuard Reentracy enues related to the Blockchain applications including, double- Replay Patch EVM spending, smart contracts, wallet thefts etc.. However, as Secure Programming Overflow new applications are emerging, and Blockchains are evolving

Short Address into Blockchain 3.0, their attack surface is broadening and posing new challenges for security and privacy. Rosenfeld Balance [193] performed quantitative analysis on successful double- spending scheme under varying hash rate and number of Fig. 25. Relationship among various attacks on blockchains along with confirmations. Solà et al. [53] use a modified signature scheme their countermeasures. Some attacks have common countermeasures which provides future directions towards a common cure. that exposes the private key of the double-spender in fast transactions. Their proposed method protects an optimistic user in Bitcoin who might be willing to deliever the product before the confirmation of the received transaction. Atzei et They further analyzed that Bitcoin hosting is highly centralized al. [46] analyzed possible attacks on Ethereum smart contracts and 13 ISP’s have a view of more than 30% total mining with emphasis on the DAO attacks. They categorize the traffic. High centralization makes Bitcoin vulnerable to routing attacks based on the vulnerabilities associated with Ethereum attacks, delay attacks, and DNS attacks. They also show that programming language “Solidity”, Ethereum Virtual Machine over a 100 Bitcoin nodes become victims to BGP hijacks, (EVM), and the Ethereum Blockchain. Chen et al. [194] every month. In this paper (section V-C), we verify the findings introduced an adaptive gas cost mechanism for Ethereum to of Apostolaki et al. [29] and show that over time, Bitcoin defend against under-priced denial-of-service attacks. Luu et network has further centralized with respect to ASes and ISPs al. [195], investigated various possibilities through which an offering greater vulnerability to partitioning attacks. adversary can compromise smart contracts in Ethereum. They Bradbury [191] reviewed various attacks on Bitcoin, namely, also developed a symbolic execution tool OYENTE, which the 51% attack, code-based attacks, double-spending, and dust actively finds and patches bugs in Ethereum smart contracts. transactions. Inspired from the Block Withholding (BWH) To observe Blockchain ingestion attacks and privacy leakage attack, Kwon et al. [89] presented the Fork After Withholding on Bitcoin, Fanti and Viswanath [196] studied the anonymity (FAW) attack which guarantees more rewards to the mining properties of Bitcoin’s peer-to-peer and concluded that the pools. In nash equilibrium, when two mining pools carry network has weak security properties. To enhance privacy and out BWH attack against each other, they both suffer a loss. anonymization in Bitcoin, Ziegeldorf et al. [197] proposed However in current Bitcoin system, the rewards for FAW decentralized mixing services and shuffle protocols that reduce attacks are at least 56% more than BWH attacks. the chances of transaction tractability. Although conventional Eyal and Sirer [110] modeled the mining process of attacks on Blockchains have been addressed by the commu- Blockchains and concluded that Bitcoin mining protocol is not nity, new attacks such as cryptojacking and mempool flooding incentive compatible. They also postulated that higher rewards have not been explored in depth. By drawing attention to them can lead to new miners joining the selfish mining pool and as in this paper, we hope that active research will be carried our such, can lead to the possibility of a majority attack. Optimal to build countermeasures for these attacks. selfish mining strategies have been studied by Sapirshtein et al. [139]. In their work, they analyzed the fraction of resources required to carry out a successful selfish mining attack. They VIII.DISCUSSIONAND OPEN DIRECTIONS also provide bounds under which a Blockchain system can be Blockchains have become popular in recent years owing to considered secure against such an attack. Heilman [140] and the increasing use of decentralized systems and the growing Solat and Potop-Butucaru [142] proposed countermeasures for need for tamper-proof data management. As such, they are 25 being used in several domains such as IoT, health care, compete for block rewards [206]. The race condition eventu- electronic voting, e-government solutions, and supply chain ally facilitates attacks such as selfish mining, the 51% attack, [198]–[205]. However, prior to the integration of such legacy double-spending, forks, and stale blocks. To address the energy systems with Blockchains, it is pertinent to fully understand inefficiency and avoid race conditions, PoS has been proposed their security properties and the attack surface. It might be that uses an auction process for block mining. However, we possible that a conventional application, hoping to improve its have shown that PoS can create network centralization and security model, may further be exposed to a higher risk by unfairness in system. Although PBFT has served well as an using Blockchains. For example, delay-sensitive applications alternative to PoS and PoW in private Blockchains, however, it in supply chains cannot afford unusual latency in transaction suffers from high message complexity and low scalability. This propagation and data-sensitive applications such as electronic stands as a major challenge for its usage in public Blockchains. voting cannot afford a double-spent transaction. While these We have also shown that the increasing programming flex- attacks might be infeasible in conventional client-server model, ibility of smart contracts have made conventional Blockchain using Blockchains might create new attack avenues for them. applications more vulnerable. In Ethereum, for example, the An adversary can launch consensus delay attacks to stall reentrancy attack and the overflow attack can be launched to information propagation in the supply chain or create a double- steal the user’s balance. Such attacks cannot be launched on spent transaction to invalidate the vote of a legitimate user. Bitcoin, Ripple, and Zcash which do not offer programming Moreover, as mentioned in section IV, once a fraudulent flexibility to users. Additionally, we have reported that the activity is part of the Blockchain, the system will require a use of a Blockchains at the application layer also creates major hard fork to reverse the transaction. Therefore, the use new attack avenues. For example, by exploiting the open- of Blockchains may bring new attack avenues on an otherwise source client software, an attacker can get access to his private secure application. In the light of these changes, we believe keys and balance. Therefore, the application-oriented use of it is important and timely to perform a systematic treatment Blockchains needs to be carefully addressed to avoid attacks. of Blockchain attack surface to expose its vulnerabilities and In summary, the key takeaways of our work point towards: outline new threat models for emerging applications. As an 1) more secure deployment of Blockchains in distributed outcome of our research, in the following, we discuss the key environment, 2) development of fair and efficient consensus lessons learned as well as the open directions that can navigate algorithms, and 3) careful interaction of Blockchain layer with the future research. the application layer to avoid vulnerabilities and attacks.

A. Key Lessons B. Open Challenges From our analysis, we noticed that the peer-to-peer ar- Some of the open challenges in the Blockchains attack chitecture of Blockchains is the most dominant class of the surface are shown in Table IX. It can be observed that routing Blockchain attack surface. In public Blockchains particularly, attacks do not have effective countermeasures and current the topological asymmetry of the network can be easily Blockchain applications have not taken initiatives to address exploited to compromise the system. Moreover, and since the them. For example, as shown in Table VII, if a malicious public Blockchains are permissionless, the network remains ISP hijacks ASes owned by Alibaba, it can hijack more than impartial towards legitimate users as well as the adversary. 50% of the Bitcoin hash rate. As a result, block generation in This property further weakens the security model since the Bitcoin will stall, leading to delays in transaction confirmation. adversary has an open access to all the resources. If we analyze the spatial behavior of Bitcoin [105], we Moreover, the network layer allows external entities to observe an increase in the centralization of nodes over time, influence the internal operations of the Blockchain application. indicating that the network is not responding to the threats of a For example, an ISP, external to the Blockchain network, can hijack. Also shown in Table IX, certain policies of Blockchain hijack BGP prefixes to isolate peers. If such an attack is applications have created attack avenues that remain an open launched against a mining pool, the hash rate of the network problem. In Bitcoin and Ethereum, the block size limit and will be affected leading to transaction stall. Other external the block generation time have led to flooding attacks and adversaries include competing Blockchain applications, nation delays [33]. These applications should revise their policies to states, cloud service providers, and DNS servers, that can prevent such attacks. Furthermore, a developing problem that disrupt the flow of traffic to affect the activities of the target most Blockchain applications are likely to encounter in future Blockchain application. While the effect of external entities is their high storage footprint. Due to the append-only model, can be reduced by using private Blockchains, however, this Blockchains linearly grow in size leading to a high storage may only partially solve the problem. Private Blockchains can cost. While this problem appears trivial in cryptocurrencies, it strengthen the network conditions by limiting the exposure of will become significant when Blockchains will be introduced system information, however, they also limit the scope of the in data intensive applications such as supply chains. A naïve application by allowing selective peers to participate. solution is the use of payment channel networks to offload the Another takeaway from our work is the need to develop transaction activity from the main Blockchain [207], [208]. energy efficient and secure consensus protocols that may However, the use of payment channels obscures the data substitute PoW and PoS. Through Bitcoin, we have learned transparency on the main Blockchain and may also suffer from that PoW is highly energy inefficiency. Moreover, PoW also privacy issues. Therefore, more research is required to come leads to the race conditions in Blockchains in which miners up with effective solutions. 26

IX.CONCLUSION [13] F. Holotiuk, F. Pisani, and J. Moormann, “The impact of blockchain technology on business models in the payments industry,” in Towards In this paper, we explore the attack surface of Blockchain Thought Leadership in Digital Transformation: 13. Internationale technology. We attribute attacks to the cryptographic con- Tagung Wirtschaftsinformatik, St.Gallen, Switzerland, Feb, 2017. structs of the blockchain, the underlying communication ar- [Online]. Available: http://aisel.aisnet.org/wi2017/track09/paper/6 [14] E. Heilman, F. Baldimtsi, and S. Goldberg, “Blindly signed chitecture, and the context in which they are applied. In contracts: Anonymous on-blockchain and off-blockchain bitcoin doing so, we highlight major threats and ongoing defense transactions,” in Financial Cryptography and Data Security - research activities. We believe that various attacks against International Workshops, BITCOIN, VOTING, and WAHC, Christ Church, Barbados, Feb 2016,, pp. 43–60. [Online]. Available: Blockchain can be still launched, not withstanding the current https://doi.org/10.1007/978-3-662-53357-4_4 and existing defenses, and that some of those attacks can be [15] G. G. Dagher, P. B. Marella, M. Milojkovic, and J. Mohler, used to facilitate several others. By outlining these attacks and “Broncovote: Secure voting system using ethereum’s blockchain,” in Proceedings of the 4th International Conference on Information surveying their countermeasures, we highlight new research Systems Security and Privacy, ICISSP, Funchal, Madeira - Portugal, directions that need to be pursued towards more secure and Jan 2018, pp. 96–107. [Online]. Available: https://doi.org/10.5220/ effective use of Blockchains. 0006609700960107 [16] F. S. Hardwick, R. N. Akram, and K. Markantonakis, “E-voting Acknowledgement. This work is supported by Air Force with blockchain: An e-voting protocol with decentralisation and Material Command award FA8750-16-0301. voter privacy,” CoRR, vol. abs/1805.10258, 2018. [Online]. Available: http://arxiv.org/abs/1805.10258 REFERENCES [17] M. M. Eljazzar, M. A. Amr, S. S. Kassem, and M. Ezzat, “Merging supply chain and blockchain technologies,” Computing Research [1] L. Mauri, S. Cimato, and E. Damiani, “A comparative analysis Repository (CoRR), vol. abs/1804.04149, 2018. [Online]. Available: of current cryptocurrencies,” Proceedings of the 4th International https://goo.gl/5wMVJS Conference on Information Systems Security and Privacy, ICISSP [18] G. Baruffaldi and H. Sternberg, “Chains in chains - logic and , Funchal, Madeira - Portugal, Jan. 2018, pp. 127–138. [Online]. challenges of blockchains in supply chains,” in 51st Hawaii Available: https://doi.org/10.5220/0006648801270138 International Conference on System Sciences (HICSS), Hilton [2] G. Danezis and S. Meiklejohn, “Centrally banked cryptocurrencies,” Waikoloa Village, Hawaii, USA, Jan 2018. [Online]. Available: in Proceedings of the 2016 Annual Network and Distributed System http://aisel.aisnet.org/hicss-51/in/digital_supply_chain/3 Security Symposium (NDSS), San Diego, CA, Feb. 2016. [Online]. [19] N. Fotiou and G. C. Polyzos, “Decentralized name-based security Available: http://wp.internetsociety.org/ndss/wp-content/uploads/sites/ for content distribution using blockchains,” in IEEE Conference on 25/2017/09/centrally-banked-cryptocurrencies.pdf Computer Communications Workshops, INFOCOM, San Francisco, [3] J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and CA, USA, Apr 2016, pp. 415–420. [Online]. Available: https: E. W. Felten, “Research perspectives and challenges for bitcoin and //doi.org/10.1109/INFCOMW.2016.7562112 cryptocurrencies,” IACR Cryptology ePrint Archive, vol. 2015, p. 261, [20] M. Zhang and Y. Ji, “Blockchain for healthcare records: A data 2015. [Online]. Available: http://eprint.iacr.org/2015/261 perspective,” PeerJ PrePrints, vol. 6, p. e26942, 2018. [Online]. [4] A. E. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou, “Hawk: Available: https://doi.org/10.7287/peerj.preprints.26942v1 The blockchain model of cryptography and privacy-preserving smart [21] M. Mettler, “Blockchain technology in healthcare: The revolution starts contracts,” in Proceedings of the 37th IEEE Symposium on Security here,” in 18th IEEE International Conference on e-Health Networking, and Privacy (Oakland), San Jose, CA, May 2016, pp. 839–858. Applications and Services, Munich, Germany, Sep 2016, pp. 1–3. [Online]. Available: https://doi.org/10.1109/SP.2016.55 [Online]. Available: https://doi.org/10.1109/HealthCom.2016.7749510 [5] K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Gollamudi, [22] G. Zyskind, O. Nathan, and A. Pentland, “Decentralizing privacy: G. Gonthier, N. Kobeissi, N. Kulatova, A. Rastogi, T. Sibut- Using blockchain to protect personal data,” in 2015 IEEE Symposium Pinote, N. Swamy, and S. Z. Béguelin, “Formal verification on Security and Privacy Workshops, SPW, San Jose, CA, USA, May of smart contracts: Short paper,” in Proceedings of the 23rd 2015, pp. 180–184. [Online]. Available: https://goo.gl/kTNim3 ACM Conference on Computer and Communications Security [23] A. Back, M. Corallo, L. Dashjr, M. Friedenbach, G. Maxwell, (CCS), Vienna, Austria, Oct. 2016, pp. 91–96. [Online]. Available: A. Miller, A. Poelstra, J. Timón, and P. Wuille, “Enabling blockchain http://doi.acm.org/10.1145/2993600.2993611 innovations with pegged sidechains,” 2014. [6] P. K. Sharma, S. Rathore, and J. H. Park, “Distarch-scnet: [24] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” Online, Blockchain-based distributed architecture with li-fi communication https://bitcoin.org/bitcoin.pdf, 2008. for a scalable smart city network,” IEEE Consumer Electronics [25] T. Ruffing, P. Moreno-Sanchez, and A. Kate, “P2P mixing and Magazine, vol. 7, no. 4, pp. 55–64, 2018. [Online]. Available: unlinkable bitcoin transactions,” in Proceedings of the 2017 https://doi.org/10.1109/MCE.2018.2816745 Annual Network and Distributed System Security Symposium [7] K. Fan, Y. Ren, Y. Wang, H. Li, and Y. Yang, “Blockchain-based (NDSS), San Diego, CA, Feb.–Mar. 2017. [Online]. Available: efficient privacy preserving and data sharing scheme of content-centric https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/ network in 5g,” IET Communications, vol. 12, no. 5, pp. 527–532, p2p-mixing-and-unlinkable-bitcoin-transactions/ 2018. [Online]. Available: https://doi.org/10.1049/iet-com.2017.0619 [26] I. Eyal, “The miner’s dilemma,” in Proceedings of the 36th [8] R. Guo, H. Shi, Q. Zhao, and D. Zheng, “Secure attribute-based IEEE Symposium on Security and Privacy (Oakland). San Jose, signature scheme with multiple authorities for blockchain in electronic CA: IEEE, May 2015, pp. 89–103. [Online]. Available: https: health records systems,” IEEE Access, vol. 6, pp. 11 676–11 686, 2018. //doi.org/10.1109/SP.2015.13 [Online]. Available: https://doi.org/10.1109/ACCESS.2018.2801266 [27] C. Decker and R. Wattenhofer, “Information propagation in the bitcoin [9] D. Rakic, “Blockchain technology in healthcare,” in Proceedings of network,” in 13th IEEE International Conference on Peer-to-Peer the 4th International Conference on Information and Communication Computing, IEEE P2P , Trento, Italy, Sep 2013, pp. 1–10. [Online]. Technologies for Ageing Well and e-Health, Funchal, Madeira, Available: https://doi.org/10.1109/P2P.2013.6688704 Portugal, March 2018., pp. 13–20. [Online]. Available: https: [28] —, “Bitcoin developer guide.” [Online]. Available: https://bitcoin.org/ //doi.org/10.5220/0006531600130020 en/developer-guidepeer-discovery [10] E. F. Jesus, V. R. L. Chicarino, C. V. N. de Albuquerque, and A. A. [29] M. Apostolaki, A. Zohar, and L. Vanbever, “Hijacking bitcoin: de A. Rocha, “A survey of how to use blockchain to secure internet of Routing attacks on cryptocurrencies,” in Proceedings of the 38th things and the stalker attack,” Security and Communication Networks, IEEE Symposium on Security and Privacy (Oakland). San Jose, vol. 2018, pp. 9 675 050:1–9 675 050:27, 2018. [Online]. Available: CA: IEEE, May 2017, pp. 375–392. [Online]. Available: https: https://doi.org/10.1155/2018/9675050 //doi.org/10.1109/SP.2017.29 [11] P. K. Sharma, S. Singh, Y. Jeong, and J. H. Park, “Distblocknet: [30] Y. Marcus, E. Heilman, and S. Goldberg, “Low-resource eclipse A distributed blockchains-based secure SDN architecture for iot attacks on ethereum’s peer-to-peer network,” IACR Cryptology networks,” IEEE Communications Magazine, vol. 55, no. 9, pp. ePrint Archive, vol. 2018, p. 236, 2018. [Online]. Available: 78–85, 2017. [Online]. Available: https://goo.gl/UBv1Sf [12] H. Hyvärinen, M. Risius, and G. Friis, “A blockchain-based approach http://eprint.iacr.org/2018/236 towards overcoming financial fraud in public sector services,” Business & Information Systems Engineering, vol. 59, no. 6, pp. 441–456, 2017. [Online]. Available: https://doi.org/10.1007/s12599-017-0502-4 27

[31] M. Bastiaan, “Preventing the 51%-attack: a stochastic analysis of [55] M. Pilkington, “Blockchain technology: principles and applications,” two phase in bitcoin,” 2015. [Online]. Available: Research handbook on digital transformations, p. 225, 2016. https://goo.gl/nJsMzV [56] A. Dmitrienko, D. Noack, and M. Yung, “Secure wallet-assisted offline [32] T. Leelavimolsilp, L. Tran-Thanh, and S. Stein, “On the preliminary bitcoin payments with double-spender revocation,” in Proceedings investigation of selfish mining strategy with multiple selfish of Asia Conference on Computer and Communications Security miners,” CoRR, vol. abs/1802.02218, 2018. [Online]. Available: (ASIACCS), Abu Dhabi, United Arab Emirates, Apr 2017, pp. 520– http://arxiv.org/abs/1802.02218 531. [Online]. Available: http://doi.acm.org/10.1145/3052973.3052980 [33] M. Saad, M. T. Thai, and A. Mohaisen, “POSTER: deterring [57] M. Conti, S. K. E, C. Lal, and S. Ruj, “A survey on security and ddos attacks on blockchain-based cryptocurrencies through mempool privacy issues of bitcoin,” CoRR, vol. abs/1706.00916, 2017. [Online]. optimization,” in Proceedings of Asia Conference on Computer and Available: http://arxiv.org/abs/1706.00916 Communications Security, ASIACCS, Incheon, Republic of Korea, Jun [58] T. T. A. Dinh, J. Wang, G. Chen, R. Liu, B. C. Ooi, and K. Tan, 2018, pp. 809–811. [Online]. Available: https://goo.gl/4kgiCM “BLOCKBENCH: A framework for analyzing private blockchains,” [34] I. Eyal, A. E. Gencer, E. G. Sirer, and R. van Renesse, “Bitcoin-ng: in International Conference on Management of Data, SIGMOD A scalable blockchain protocol,” in Proceedings of the 13th USENIX Conference, Chicago, IL, USA, May 2017, pp. 1085–1100. [Online]. Symposium on Networked Systems Design and Implementation Available: https://doi.org/10.1145/3035918.3064033 (NSDI), Santa Clara, CA, Mar. 2016, pp. 45–59. [Online]. Available: [59] G. Baralla, S. Ibba, M. Marchesi, R. Tonelli, and S. Missineo, https://goo.gl/VGN4yw “A blockchain based system to ensure transparency and reliability [35] C. A. Vyas and M. Lunagaria, “Security concerns and issues for in food supply chain,” in International Workshops on Parallel bitcoin,” in the proceedings of National Conference cum Workshop on Processing, Turin, Italy, Aug 2018, pp. 379–391. [Online]. Available: Bioinformatics and Computational Biology, NCWBCB, 2014. https://doi.org/10.1007/978-3-030-10549-5_30 [36] H. Finney, “The finney attack(the bitcoin talk forum).” [60] A. Ahmad, M. Saad, M. Bassiouni, and A. Mohaisen, [37] M. Fleder, M. S. Kester, and S. Pillai, “Bitcoin transaction graph “Towards blockchain-driven, secure and transparent audit logs,” analysis,” CoRR, vol. abs/1502.01657, 2015. [Online]. Available: in International Conference on Mobile and Ubiquitous Systems: http://arxiv.org/abs/1502.01657 Computing, Networking and Services, MobiQuitous, New York [38] T. Bamert, C. Decker, R. Wattenhofer, and S. Welten, “Bluewallet: The City,USA, Nov 2018, pp. 443–448. [Online]. Available: secure bitcoin wallet,” in International Workshop on Security and Trust https://doi.org/10.1145/3286978.3286985 Management. Springer, 2014, pp. 65–80. [61] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on [39] S. Dilhani, Elli, “Transaction verification model over double spending ethereum smart contracts sok,” in Proceedings of the 6th International for peer-to-peer digital currency transactions based on Blockchain Conference on Principles of Security and Trust - Volume 10204. New architecture,” 2012, pp. 24–31. York, NY, USA: Springer-Verlag New York, Inc., 2017, pp. 164–186. [40] R. Tahir, M. Huzaifa, A. Das, M. Ahmad, C. A. Gunter, [Online]. Available: https://doi.org/10.1007/978-3-662-54455-6_8 F. Zaffar, M. Caesar, and N. Borisov, “Mining on someone [62] A. Ouaddah, A. A. E. Kalam, and A. A. Ouahman, “Fairaccess: a new else’s dime: Mitigating covert mining operations in clouds and blockchain-based access control framework for the internet of things,” enterprises,” in Proceedings of the 20th International Symposium Security and Communication Networks, vol. 9, no. 18, pp. 5943–5964, on Research in Attacks, Intrusions and Defenses (RAID), Atlanta, 2016. [Online]. Available: https://doi.org/10.1002/sec.1748 GA, USA, Sep. 2017, pp. 287–310. [Online]. Available: https: [63] K. Christidis and M. Devetsikiotis, “Blockchains and smart contracts //doi.org/10.1007/978-3-319-66332-6_13 for the internet of things,” IEEE Access, vol. 4, pp. 2292–2303, 2016. [41] Ethereum, “Ethereum contract security techniques and tips.” [Online]. [Online]. Available: https://doi.org/10.1109/ACCESS.2016.2566339 Available: https://github.com/ethereum/wiki/wiki/Safety [64] A. Miller, I. Bentov, R. Kumaresan, and P. McCorry, “Sprites: Payment [42] M. Grincalaitis, “The ultimate guide to audit a smart contract,” Sep channels that go faster than lightning,” CoRR, vol. abs/1702.05812, 2017. [Online]. Available: https://goo.gl/TD7suo 2017. [Online]. Available: http://arxiv.org/abs/1702.05812 [43] S. Underwood, “Blockchain beyond bitcoin,” Commun. ACM, [65] J. Lind, O. Naor, I. Eyal, F. Kelbert, P. R. Pietzuch, and E. G. Sirer, vol. 59, no. 11, pp. 15–17, 2016. [Online]. Available: http: “Teechain: Reducing storage costs on the blockchain with offline //doi.acm.org/10.1145/2994581 payment channels,” in Proceedings of the 11th ACM International [44] X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, “A survey on the Systems and Storage Conference, (SYSTOR) HAIFA, Israel, Jun 2018, p. security of blockchain systems,” CoRR, vol. abs/1802.06993, 2018. 125. [Online]. Available: http://doi.acm.org/10.1145/3211890.3211904 [Online]. Available: http://arxiv.org/abs/1802.06993 [66] L. Lundbaek, A. C. D’Iddio, and M. Huth, “Optimizing governed [45] I.-C. Lin and T.-C. Liao, “A survey of blockchain security issues and blockchains for financial process authentications,” CoRR, vol. challenges.” IJ Network Security, vol. 19, no. 5, pp. 653–659, 2017. abs/1612.00407, 2016. [Online]. Available: https://goo.gl/DwDEkW [46] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks [67] M. Minaei, P. Moreno-Sanchez, and A. Kate, “R3C3: cryptographically on ethereum smart contracts sok,” in Proceedings of the 6th secure censorship resistant rendezvous using cryptocurrencies,” IACR International Conference on Principles of Security and Trust - Cryptology ePrint Archive, vol. 2018, p. 454, 2018. [Online]. Volume 10204, 2017, pp. 164–186. [Online]. Available: https: Available: https://eprint.iacr.org/2018/454 //doi.org/10.1007/978-3-662-54455-6_8 [68] G. Bissias, B. N. Levine, A. P. Ozisik, G. Andresen, and [47] M. C. K. Khalilov and A. Levi, “A survey on anonymity and A. Houmansadr, “An analysis of attacks on blockchain consensus,” privacy in bitcoin-like digital cash systems,” IEEE Communications CoRR, vol. abs/1610.07985, 2016. [Online]. Available: http://arxiv. Surveys and Tutorials, vol. 20, no. 3, pp. 2543–2585, 2018. [Online]. org/abs/1610.07985 Available: https://doi.org/10.1109/COMST.2018.2818623 [69] S. Goldberg and E. Heilman, “Technical perspective: The rewards of [48] D. Siegel, “Understanding The DAO Attack,” https://www.coindesk. selfish mining,” Commun. ACM, vol. 61, no. 7, p. 94, 2018. [Online]. com/understanding-dao-hack-journalists/. Available: https://doi.org/10.1145/3213006 [49] C. Baldwin, “Bitcoin worth 72 million stolen from bitfinex exchange [70] F. Ritz and A. Zugenmaier, “The impact of uncle rewards in Hong Kong,” http://reut.rs/2gc7iQ9, Aug 2016. on selfish mining in ethereum,” in IEEE European Symposium [50] F. Memoria, “700 million stuck in 115,000 unconfirmed bitcoin trans- on Security and Privacy Workshops,EuroS&P W, London, United actions,” Nov 2017. [Online]. Available: https://www.cryptocoinsnews. Kingdom. IEEE, Apr 2018, pp. 50–57. [Online]. Available: com/700-million-stuck-115000-unconfirmed-bitcoin-transactions/ https://doi.org/10.1109/EuroSPW.2018.00013 [51] R. McMillan, “The inside story of mt. gox, bitcoin’s 460 million usd [71] S. Bano, A. Sonnino, M. Al-Bassam, S. Azouvi, P. McCorry, disaster,” 2014. [Online]. Available: https://www.wired.com/2014/03/ S. Meiklejohn, and G. Danezis, “Consensus in the age of bitcoin-exchange/ blockchains,” CoRR, vol. abs/1711.03936, 2017. [Online]. Available: [52] B. Community, “The 51% attack,” October 2017. [Online]. Available: http://arxiv.org/abs/1711.03936 https://learncryptography.com/cryptocurrency/51-attack [72] M. Bellare and P. Rogaway, “Random oracles are practical: A [53] C. Pérez-Solà, S. Delgado-Segura, G. Navarro-Arribas, and paradigm for designing efficient protocols,” in Proceedings of the J. Herrera-Joancomartí, “Double-spending prevention for bitcoin 1st ACM Conference on Computer and Communications Security, zero-confirmation transactions,” IACR Cryptology ePrint Archive, vol. Fairfax, Virginia, USA, Nov 1993, pp. 62–73. [Online]. Available: 2017, p. 394, 2017. [Online]. Available: http://eprint.iacr.org/2017/394 http://doi.acm.org/10.1145/168588.168596 [54] G. O. Karame, E. Androulaki, and S. Capkun, “Double-spending [73] A. Juels and J. G. Brainard, “Client puzzles: A cryptographic fast payments in bitcoin,” in Proceedings of the 19th ACM countermeasure against connection depletion attacks,” in Proceedings Conference on Computer and Communications Security (CCS), of the Network and Distributed System Security Symposium, (NDSS), Raleigh, NC, Oct. 2012, pp. 906–917. [Online]. Available: http: San Diego, California, USA, 1999. [Online]. Available: http: //doi.acm.org/10.1145/2382196.2382292 //www.isoc.org/isoc/conferences/ndss/99/proceedings/papers/juels.pdf 28

[74] A. Castor, “A short guide to Blockchain consensus protocols,” May on Cryptocurrencies and Blockchains for Distributed Systems, 2017. [Online]. Available: https://goo.gl/kdR2r4 CRYBLOCK@MobiSys, Munich, Germany, Jun 2018, pp. 77–81. [75] M. Saad and A. Mohaisen, “Towards characterizing blockchain-based [Online]. Available: https://goo.gl/AYJ68C cryptocurrencies for highly-accurate predictions,” in IEEE Conference [91] T. Hanke, “Asicboost - A speedup for bitcoin mining,” CoRR, vol. on Computer Communications Workshops, INFOCOM Workshops, abs/1604.00575, 2016. [Online]. Available: https://goo.gl/izrW1m Honolulu, HI, USA. IEEE, April 2018, pp. 704–709. [Online]. [92] L. A. de la Porte, “The bitcoin transaction system,” Utrecht. Nether- Available: https://doi.org/10.1109/INFCOMW.2018.8406859 lands, 2012. [76] D. Fullmer and A. S. Morse, “Analysis of difficulty control in bitcoin [93] “Bitcoin block explorer - Blockchain,” http://bit.ly/1srPhPs. and proof-of-work blockchains,” CoRR, vol. abs/1812.10792, 2018. [94] B. Community, “Difficulty in Bitcoin.” [Online]. Available: https: [Online]. Available: http://arxiv.org/abs/1812.10792 //en.bitcoin.it/wiki/Difficulty [77] M. Bartoletti, S. Lande, and A. S. Podda, “A proof-of-stake protocol [95] Greene, “A brief mining hardware,” Feb for consensus on bitcoin subchains,” in In Financial Cryptography and 2018. [Online]. Available: https://thenextweb.com/hardfork/2018/02/ Data Security - FC Workshops, Sliema, Malta, Apr 2017, pp. 568–584. 02/a-brief-history-of-bitcoin-mining-hardware/ [Online]. Available: https://doi.org/10.1007/978-3-319-70278-0_36 [96] J. Becker, D. Breuker, T. Heide, J. Holler, H. P. Rauer, and [78] W. Y. M. M. Thin, N. Dong, G. Bai, and J. S. Dong, “Formal analysis R. Böhme, “Can we afford integrity by proof-of-work? scenarios of a proof-of-stake blockchain,” in 23rd International Conference on inspired by the bitcoin currency,” in The Economics of Information Engineering of Complex Computer Systems, ICECCS 2018, Melbourne, Security and Privacy, 2013, pp. 135–156. [Online]. Available: Australia, December 12-14, 2018. IEEE, 2018, pp. 197–200. [Online]. https://doi.org/10.1007/978-3-642-39498-0_7 Available: https://doi.org/10.1109/ICECCS2018.2018.00031 [97] A. de Vries, “Bitcoin’s growing energy problem,” Joule, vol. 2, no. 5, [79] G. Gui, A. Hortaçsu, and J. Tudon, “A memo on the proof-of-stake pp. 801–805, 2018. mechanism,” CoRR, vol. abs/1807.09626, 2018. [Online]. Available: [98] A. Kang, “Bitcoin’s growing pains: Intermediation and the need for an http://arxiv.org/abs/1807.09626 effective loss allocation mechanism,” Mich. Bus. & Entrepreneurial L. [80] T. Duong, A. Chepurnoy, L. Fan, and H. Zhou, “Twinscoin: A Rev., vol. 6, p. 263, 2016. cryptocurrency via proof-of-work and proof-of-stake,” in Proceedings [99] Digiconomist, “Bitcoin energy consumption index,” 2018. [Online]. of the 2nd ACM Workshop on Blockchains, Cryptocurrencies, and Available: https://digiconomist.net/bitcoin-energy-consumption Contracts, BCC@AsiaCCS 2018, Incheon, Republic of Korea, June 4, [100] S. King and S. Nadal, “Ppcoin: Peer-to-peer crypto-currency with 2018, S. V. Lokam, S. Ruj, and K. Sakurai, Eds. ACM, 2018, pp. proof-of-stake,” self-published paper, August, vol. 19, 2012. 1–13. [Online]. Available: https://doi.org/10.1145/3205230.3205233 [101] P. Gazi, A. Kiayias, and A. Russell, “Stake-bleeding attacks on [81] S. D. Angelis, L. Aniello, R. Baldoni, F. Lombardi, A. Margheri, proof-of-stake blockchains,” IACR Cryptology ePrint Archive, vol. 5, and V. Sassone, “PBFT vs proof-of-authority: Applying the CAP p. 248, 2018. [Online]. Available: http://eprint.iacr.org/2018/248 theorem to permissioned blockchain,” in Proceedings of the Second [102] A. Kiayias, I. Konstantinou, A. Russell, B. David, and R. Oliynykov, Italian Conference on Cyber Security, Milan, Italy, February 6th - to “A provably secure proof-of-stake blockchain protocol,” IACR - 9th, 2018., ser. CEUR Workshop Proceedings, E. Ferrari, M. Baldi, Cryptology ePrint Archive, vol. 2016, p. 889, 2016. [Online]. and R. Baldoni, Eds., vol. 2058. CEUR-WS.org, 2018. [Online]. Available: http://eprint.iacr.org/2016/889 Available: http://ceur-ws.org/Vol-2058/paper-06.pdf [103] P.-Y. Chang, M.-S. Hwang, and C.-C. Yang, “A blockchain-based [82] H. Sukhwani, J. M. Martínez, X. Chang, K. S. Trivedi, and A. Rindos, traceable certification system,” in International Conference on Security “Performance modeling of PBFT consensus process for permissioned with Intelligent Computing and Big-data. Springer, 2017, p. 363. blockchain network (hyperledger fabric),” in 36th IEEE Symposium on [104] Y. Yang, “Linbft: Linear-communication byzantine fault tolerance Reliable Distributed Systems, SRDS 2017, Hong Kong, Hong Kong, for public blockchains,” CoRR, vol. abs/1807.01829, 2018. [Online]. September 26-29, 2017. IEEE Computer Society, 2017, pp. 253–255. Available: http://arxiv.org/abs/1807.01829 [Online]. Available: https://doi.org/10.1109/SRDS.2017.36 [105] Bitnodes, “Global bitcoin nodes distribution.” [Online]. Available: [83] S. Kim, Y. Kwon, and S. Cho, “A survey of scalability solutions https://bitnodes.earn.com/ on blockchain,” in International Conference on Information and [106] R. Pass and E. Shi, “Thunderella: Blockchains with optimistic Communication Technology Convergence, ICTC 2018, Jeju Island, instant confirmation,” in International Conference on the Theory Korea (South). IEEE, Oct 2018, pp. 1204–1207. [Online]. Available: and Applications of Cryptographic Techniques, Tel Aviv, Israel, ser. https://doi.org/10.1109/ICTC.2018.8539529 Lecture Notes in Computer Science, J. B. Nielsen and V. Rijmen, [84] A. Chauhan, O. P. Malviya, M. Verma, and T. S. Mor, “Blockchain Eds., vol. 10821. Springer, April 2018, pp. 3–33. [Online]. Available: and scalability,” in International Conference on Software Quality, https://doi.org/10.1007/978-3-319-78375-8_1 Reliability and Security Companion, QRS Companion, Lisbon, [107] T. Rocket, “Snowflake to avalanche: A novel metastable consensus Portugal. IEEE, July 2018, pp. 122–128. [Online]. Available: protocol family for cryptocurrencies,” 2018. https://doi.org/10.1109/QRS-C.2018.00034 [108] C. Berger and H. P. Reiser, “Scaling byzantine consensus: A broad [85] J. A. Garay and A. Kiayias, “Sok: A consensus taxonomy in the analysis,” in Workshop on Scalable and Resilient Infrastructures for blockchain era,” IACR Cryptology ePrint Archive, vol. 2018, p. 754, Distributed Ledgers, Rennes, France. ACM, Dec 2018, pp. 13–18. 2018. [Online]. Available: https://eprint.iacr.org/2018/754 [Online]. Available: https://doi.org/10.1145/3284764.3284767 [86] C. Cachin and M. Vukolic, “Blockchain consensus protocols in [109] Y. Velner, J. Teutsch, and L. Luu, “Smart contracts make bitcoin the wild (keynote talk),” in International Symposium on Distributed mining pools vulnerable,” in Financial Cryptography and Data Computing, DISC, Vienna, Austria, Oct 2017, pp. 1:1–1:16. [Online]. Security Sliema, Malta, April 2017, pp. 298–316. [Online]. Available: Available: https://doi.org/10.4230/LIPIcs.DISC.2017.1 https://doi.org/10.1007/978-3-319-70278-0_19 [87] O. Konashevych and M. Poblet, “Is blockchain hashing an effective [110] I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining is method for electronic governance?” in Annual Conference on vulnerable,” in Financial Cryptography and Data Security. Springer, Legal Knowledge and Information Systems Annual Conference, 2014, pp. 436–454. Groningen, The Netherlands, ser. Frontiers in Artificial Intelligence [111] C. Grunspan and R. Pérez-Marco, “On profitability of selfish and Applications, M. Palmirani, Ed., vol. 313. IOS Press, Dec mining,” CoRR, vol. abs/1805.08281, 2018. [Online]. Available: 2018, pp. 195–199. [Online]. Available: https://doi.org/10.3233/ http://arxiv.org/abs/1805.08281 978-1-61499-935-5-195 [112] K. Nayak, S. Kumar, A. Miller, and E. Shi, “Stubborn mining: [88] F. Chen, Z. Liu, Y. Long, Z. Liu, and N. Ding, “Secure scheme against Generalizing selfish mining and combining with an eclipse attack,” compromised hash in proof-of-work blockchain,” in International in IEEE European Symposium on Security and Privacy, EuroS&P Conference on Network and System Security, Hong Kong, China, 2016, Saarbrücken, Germany, March 21-24, 2016, 2016, pp. 305–320. ser. Lecture Notes in Computer Science, M. H. Au, S. Yiu, [Online]. Available: https://doi.org/10.1109/EuroSP.2016.32 J. Li, X. Luo, C. Wang, A. Castiglione, and K. Kluczniak, Eds., [113] “Thetangle.org - tangle explorer and statistics.” [Online]. vol. 11058. Springer, Aug 2018, pp. 1–15. [Online]. Available: Available: https://thetangle.org/ https://doi.org/10.1007/978-3-030-02744-5_1 [114] L. Bahack, “Theoretical bitcoin attacks with less than half of the [89] Y. Kwon, D. Kim, Y. Son, E. Vasserman, and Y. Kim, “Be selfish and computational power (draft),” arXiv preprint arXiv:1312.7013, 2013. avoid dilemmas: Fork after withholding (faw) attacks on bitcoin,” in [115] Nicehash, “Largest crypto-mining marketplace.” [Online]. Available: Proceeding of ACM CCS, Dallas, TX, Oct.–Nov. 2017, pp. 195–209. https://www.nicehash.com/ [Online]. Available: http://doi.acm.org/10.1145/3133956.3134019 [116] B. Community, “Pow 51% attack cost.” [Online]. Available: [90] M. A. Javarone and C. S. Wright, “From bitcoin to bitcoin https://www.crypto51.app/ cash: a network analysis,” in Proceedings of the 1st Workshop [117] J. Roberts, “Bitcoin spinoff hacked in rare ’51% attack’.” [Online]. Available: http://fortune.com/2018/05/29/bitcoin-gold-hack/ 29

[118] A. R. Kang, J. Spaulding, and A. Mohaisen, “Domain name system [142] S. Solat and M. Potop-Butucaru, “Zeroblock: Preventing selfish mining security and privacy: Old problems and new challenges,” CoRR, 2016. in bitcoin.” arXiv preprint arXiv:1605.02435, 2016. [Online]. Available: http://arxiv.org/abs/1606.07080 [143] A. Miller, A. E. Kosba, J. Katz, and E. Shi, “Nonoutsourceable [119] L. Gao, “On inferring autonomous system relationships in the scratch-off puzzles to discourage bitcoin mining coalitions,” in ACM internet,” IEEE/ACM Trans. Netw., vol. 9, no. 6, pp. 733–745, 2001. SIGSAC Conference on Computer and Communications Security, [Online]. Available: https://doi.org/10.1109/90.974527 Denver, CO, USA, Oct 2015, pp. 680–691. [Online]. Available: [120] M. Kumar and S. Kumar, “Improving routing in large networks inside http://doi.acm.org/10.1145/2810103.2813621 autonomous system,” Int. J. Systems Assurance Engineering and [144] M. Saad, L. Njilla, C. Kamhoua, and A. Mohaisen, “Countering Management, vol. 5, no. 3, pp. 383–390, 2014. [Online]. Available: selfish mining in blockchains,” CoRR, 2018. [Online]. Available: https://doi.org/10.1007/s13198-013-0179-0 https://www.cs.ucf.edu/~mohaisen/doc/cnc19bc.pdf [121] A. Greenberg, “Hacker redirects traffic from 19 internet providers to [145] B. Johnson, A. Laszka, J. Grossklags, M. Vasek, and T. Moore, “Game- steal bitcoins,” Jun 2017. [Online]. Available: https://www.wired.com/ theoretic analysis of DDoS attacks against bitcoin mining pools,” in 2014/08/isp-bitcoin-theft/ Financial Cryptography and Data Security. Springer, 2014, p. 72. [122] E. Heilman, A. Kendler, A. Zohar, and S. Goldberg, [146] J. Göbel and A. E. Krzesinski, “Increased block size and bitcoin “Eclipse attacks on bitcoin’s peer-to-peer network,” in USENIX blockchain dynamics,” in 27th International Telecommunication Security Symposium, Washington, D.C., USA, Aug 2015, pp. Networks and Applications Conference, ITNAC Melbourne, Australia, 129–144. [Online]. Available: https://www.usenix.org/conference/ Nov 2017, pp. 1–6. [Online]. Available: https://goo.gl/rz4zoB usenixsecurity15/technical-sessions/presentation/heilman [147] P. Silva, “Dnssec: The antidote to DNS cache poisoning and other dns [123] A. Wang, A. Mohaisen, and S. Chen, “An adversary-centric attacks,” A F5 Networks, Inc. Technical Brief, 2009. behavior modeling of ddos attacks,” in 37th IEEE International [148] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based Conference on Distributed Computing Systems, (ICDCS), Atlanta, defense mechanisms countering the DoS and DDoS problems,” ACM GA, USA, Jun 2017, pp. 1126–1136. [Online]. Available: https: Computing Surveys (CSUR), vol. 39, no. 1, p. 3, 2007. //doi.org/10.1109/ICDCS.2017.213 [149] J. Etheridge and R. Anton, “System and method for detecting and coun- [124] M. Vasek, M. Thornton, and T. Moore, “Empirical analysis of denial- tering a network attack,” Sep. 13, 2002, US Patent App. 10/243,631. of-service attacks in the bitcoin ecosystem,” in Financial Cryptography [150] S. Bag, S. Ruj, and K. Sakurai, “Bitcoin block withholding attack: and Data Security. Springer, 2014, pp. 57–71. Analysis and mitigation,” IEEE Trans. Information Forensics and [125] P. Muncaster, “World’s largest bitcoin exchange bitfinex crippled by Security, vol. 12, no. 8, pp. 1967–1978, 2017. [Online]. Available: DDoS,” http://bit.ly/2kqo6HU, Jun 2017. https://doi.org/10.1109/TIFS.2016.2623588 [126] C. Cimpanu, “Bitcoin trader hit by "severe DDoS attack" as bitcoin [151] S. Bag and K. Sakurai, “Yet another note on block withholding price nears all-time high,” http://bit.ly/2lA5iT6, Feb 2017. attack on bitcoin mining pools,” in 19th International Conference on [127] Jeffrey Wilcke, “The ethereum network is currently undergoing a DoS Information Security ISC, Honolulu, HI, USA, Sep 2016, pp. 167–180. attack,” http://bit.ly/2cwlB0D, Oct 2016. [Online]. Available: https://doi.org/10.1007/978-3-319-45871-7_11 [128] Vitalik Buterin, “Ethereum responds to recent DDoS attack,” http://bit. [152] O. Schrijvers, J. Bonneau, D. Boneh, and T. Roughgarden, “Incentive ly/2gcrn9d, Sep 2016. compatibility of bitcoin mining pool reward functions,” in 20th [129] C. Mempool, “Report: Bitcoin (btc) mempool shows backlogged International Conference on Financial Cryptography and Data transactions, increased fees if so?” Jun 2018. [Online]. Available: Security FC, Christ Church, Barbados, Feb 2016, pp. 477–498. https://goo.gl/LsU6Hq [Online]. Available: https://doi.org/10.1007/978-3-662-54970-4_28 [130] M. Castro and B. Liskov, “Practical byzantine fault tolerance and [153] M. Rosenfeld, “Analysis of bitcoin pooled mining reward systems,” proactive recovery,” ACM Trans. Comput. Syst., vol. 20, no. 4, pp. 398– CoRR, 2011. [Online]. Available: http://arxiv.org/abs/1112.4980 461, 2002. [Online]. Available: https://doi.org/10.1145/571637.571640 [154] G. S. Veronese, M. Correia, A. N. Bessani, L. C. Lung, and [131] D. K. Tosh, S. Shetty, X. Liang, C. A. Kamhoua, K. A. Kwiat, and P. Veríssimo, “Efficient byzantine fault-tolerance,” IEEE Trans. L. Njilla, “Security implications of Blockchain cloud with analysis Computers, vol. 62, no. 1, pp. 16–30, 2013. [Online]. Available: of block withholding attack,” in Proceedings of the 17th IEEE/ACM https://doi.org/10.1109/TC.2011.221 International Symposium on Cluster, Cloud and Grid Computing. [155] T. Distler, C. Cachin, and R. Kapitza, “Resource-efficient byzantine IEEE Press, 2017, pp. 458–467. fault tolerance,” IEEE Trans. Computers, vol. 65, no. 9, pp. 2807–2819, [132] Mark, “The finney attack,” Oct 2017. [Online]. Available: https: 2016. [Online]. Available: https://doi.org/10.1109/TC.2015.2495213 //bitcoincoreacademy.com/the-finney-attack/ [156] J. Liu, W. Li, G. O. Karame, and N. Asokan, “Scalable [133] S. Exchange, “What is a finney attack?” [Online]. Available: https: byzantine consensus via hardware-assisted secret sharing,” IEEE //bitcoin.stackexchange.com/questions/4942/what-is-a-finney-attack Trans. Computers, vol. 68, no. 1, pp. 139–151, 2019. [Online]. [134] L. Luu, R. Saha, I. Parameshwaran, P. Saxena, and A. Hobor, Available: https://doi.org/10.1109/TC.2018.2860009 “On power splitting games in distributed computation: The case of [157] C. Janze, “Are cryptocurrencies criminals best friends? examining bitcoin pooled mining,” in IEEE 28th Computer Security Foundations the co-evolution of bitcoin and darknet markets,” in Americas Symposium, CSF 2015, Verona, Italy, 13-17 July, 2015, 2015, pp. Conference on Information Systems, AMCIS, Boston, USA, 397–411. [Online]. Available: https://doi.org/10.1109/CSF.2015.34 August 2017. [Online]. Available: http://aisel.aisnet.org/amcis2017/ [135] S. Exchange, “What is a block withholding attack?” [Online]. InformationSystems/Presentations/2 Available: https://goo.gl/ccAsAi [158] R. Stokes, “Virtual money laundering: the case of bitcoin and [136] A. Gervais, H. Ritzdorf, G. O. Karame, and S. Capkun, “Tampering the linden dollar,” Information & Communications Technology with the delivery of blocks and transactions in bitcoin,” in ACM Law, vol. 21, no. 3, pp. 221–236, 2012. [Online]. Available: SIGSAC Conference on Computer and Communications Security, https://doi.org/10.1080/13600834.2012.744225 Denver, CO, USA, Oct 2015, pp. 692–705. [Online]. Available: [159] S. Williams, “Bitcoin banned countries,” 2017, https://tinyurl.com/ http://doi.acm.org/10.1145/2810103.2813655 y8r5gdhl. [137] M. Castro and B. Liskov, “Practical byzantine fault tolerance,” in [160] G. O. Karame, E. Androulaki, M. Roeschlin, A. Gervais, and USENIX Symposium on Operating Systems Design and Implementation S. Capkun, “Misbehavior in bitcoin: A study of double-spending and (OSDI), New Orleans, Louisiana, USA, M. I. Seltzer and P. J. Leach, accountability,” ACM Trans. Inf. Syst. Secur., vol. 18, no. 1, pp. 2:1– Eds. USENIX Association, Feb 1999, pp. 173–186. [Online]. 2:32, 2015. [Online]. Available: http://doi.acm.org/10.1145/2732196 Available: https://dl.acm.org/citation.cfm?id=296824 [161] M. Nadeau, “What is cryptojacking? how to prevent, detect, and [138] H. Xu, Y. Long, Z. Liu, Z. Liu, and D. Gu, “Dynamic practical recover from it,” May 2018. [Online]. Available: https://goo.gl/DdGq1i byzantine fault tolerance,” in IEEE Conference on Communications [162] R. Li and C. Kyle, “What is cryptojacking?” Jan 2018. [Online]. and Network Security, CNS, Beijing, China. IEEE, May 2018, pp. Available: https://hackerbits.com/programming/what-is-cryptojacking/ 1–8. [Online]. Available: https://doi.org/10.1109/CNS.2018.8433150 [163] M. Saad, A. Khormali, and A. Mohaisen, “End-to-end analysis of [139] A. Sapirshtein, Y. Sompolinsky, and A. Zohar, “Optimal selfish mining in-browser cryptojacking,” CoRR, vol. abs/1809.02152, 2018. [Online]. strategies in bitcoin,” in Financial Cryptography and Data Security. Available: http://arxiv.org/abs/1809.02152 Springer, 2016, pp. 515–532. [164] Coinhive, 2018. [Online]. Available: https://coinhive.com/ [140] E. Heilman, “One weird trick to stop selfish miners: Fresh bitcoins, a [165] CryptoLoot, “Earn more from your visitors,” 2018. [Online]. Available: solution for the honest miner,” in Financial Cryptography and Data https://crypto-loot.com/ Security. Springer, 2014, pp. 161–162. [166] M. Community, “Monero: Home,” 2018. [Online]. Available: [141] N. T. Courtois and L. Bahack, “On subversive miner strategies and https://getmonero.org/ block withholding attack in bitcoin digital currency,” arXiv preprint arXiv:1402.1718, 2014. 30

[167] J. Condliffe, “A cryptojacking attack hit thousands of websites, [190] L. Kiffer, D. Levin, and A. Mislove, “Stick a fork in it: including government ones,” 2018. [Online]. Available: https: Analyzing the ethereum network partition,” in Proceedings of //goo.gl/FPgTo9 the 16th ACM Workshop on Hot Topics in Networks HotNets, [168] Google, “Google analytics and trends,” 2018. [Online]. Available: Palo Alto, CA, USA, Nov 2017, pp. 94–100. [Online]. Available: https://goo.gl/9sSpGL http://doi.acm.org/10.1145/3152434.3152449 [169] D. Singh, “Cryptojacking attacks rose by 8,500% globally in 2017: [191] D. Bradbury, “The problem with bitcoin,” Computer Fraud & Security, report,” 2018. [Online]. Available: https://goo.gl/qpGcZy vol. 2013, no. 11, pp. 5–8, 2013. [170] NCSC, “The cyber threat to uk business 2017-2018 report,” Apr 2018. [192] I. Eyal and E. G. Sirer, “How to disincentivize large bitcoin mining [Online]. Available: https://www.ncsc.gov.uk/cyberthreat pools,” http://bit.ly/1srPhPs, June 2014. [171] B. Peterson, “Thieves stole potentially millions of dollars in bitcoin in [193] M. Rosenfeld, “Analysis of hashrate-based double spending,” CoRR, a hacking attack on a cryptocurrency company,” Dec 2017. [Online]. vol. abs/1402.2009, 2014. [Online]. Available: https://goo.gl/MREcpK Available: https://goo.gl/znceAF [194] T. Chen, X. Li, Y. Wang, J. Chen, Z. Li, X. Luo, M. H. Au, [172] W. Duggan, “The 12 biggest cryptocurrency hacks in and X. Zhang, “An adaptive gas cost mechanism for ethereum history.” [Online]. Available: https://www.benzinga.com/fintech/17/ to defend against under-priced dos attacks,” in 13th International 11/10824764/12-biggest-cryptocurrency-hacks-in-history Conference on Information Security Practice and Experience ISPEC, [173] M. Brengel and C. Rossow, “Identifying key leakage of bitcoin Melbourne, VIC, Australia, Dec 2017, pp. 3–24. [Online]. Available: users,” in International Symposium on Research in Attacks, Intrusions, https://doi.org/10.1007/978-3-319-72359-4_1 and Defenses RAID, Heraklion, Crete, Greece, ser. Lecture Notes in [195] L. Luu, D. Chu, H. Olickel, P. Saxena, and A. Hobor, “Making Computer Science, M. Bailey, T. Holz, M. Stamatogiannakis, and smart contracts smarter,” in ACM SIGSAC Conference on Computer S. Ioannidis, Eds., vol. 11050. Springer, Sept 2018, pp. 623–643. and Communications Security, Vienna, Austria, E. R. Weippl, [Online]. Available: https://doi.org/10.1007/978-3-030-00470-5_29 S. Katzenbeisser, C. Kruegel, A. C. Myers, and S. Halevi, [174] J. Breitner and N. Heninger, “Biased nonce sense: Lattice attacks Eds. ACM, Oct 2016, pp. 254–269. [Online]. Available: https: against weak ecdsa signatures in cryptocurrencies,” Cryptology ePrint //doi.org/10.1145/2976749.2978309 Archive, Report 2019/023, 2019, https://eprint.iacr.org/2019/023. [196] G. C. Fanti and P. Viswanath, “Anonymity properties of the bitcoin [175] M. Wohrer and U. Zdun, “Smart contracts: security patterns in the P2P network,” CoRR, vol. abs/1703.08761, 2017. [Online]. Available: ethereum ecosystem and solidity,” in 2018 International Workshop http://arxiv.org/abs/1703.08761 on Blockchain Oriented Software Engineering, IWBOSE@SANER, [197] J. H. Ziegeldorf, R. Matzutt, M. Henze, F. Grossmann, and Campobasso, Italy, Mar 2018, pp. 2–8. [Online]. Available: K. Wehrle, “Secure and anonymous decentralized bitcoin mixing,” https://doi.org/10.1109/IWBOSE.2018.8327565 Future Generation Comp. Syst., vol. 80, pp. 448–466, 2018. [Online]. [176] ConsenSys, “Consensys/smart-contract-best-practices.” [Online]. Available: https://doi.org/10.1016/j.future.2016.05.018 Available: https://github.com/ConsenSys/smart-contract-best-practices/ [198] T. M. Fernández-Caramés and P. Fraga-Lamas, “A review on the blob/master/docs/known_attacks.md use of blockchain for the internet of things,” IEEE Access, vol. 6, [177] A. Hülsing, D. Butin, S. Gazdag, and A. Mohaisen, “Xmss: pp. 32 979–33 001, 2018. [Online]. Available: https://doi.org/10.1109/ extended hash-based signatures,” 2015. [Online]. Available: https: ACCESS.2018.2842685 //www.ietf.org/id/draft-irtf-cfrg-xmss-hash-based-signatures-10.txt [199] G. Perboli, S. Musso, and M. Rosano, “Blockchain in logistics and [178] AntiMiner, “Anti miner - no 1 coin minerblock,” 2018. [Online]. supply chain: A lean approach for designing real-world use cases,” Available: https://goo.gl/BiwzUU IEEE Access, vol. 6, pp. 62 018–62 028, 2018. [Online]. Available: [179] CoinMiner, “Coin miner block,” 2018. [Online]. Available: https: https://doi.org/10.1109/ACCESS.2018.2875782 //goo.gl/MWPNv4 [200] G. Wood, “Ethereum: A secure decentralised generalised transaction [180] AdGuard, “Adguard adblocker,” 2018. [Online]. Available: https: ledger,” Ethereum Project Yellow Paper, vol. 151, 2014. //goo.gl/AXg186 [201] K. Lee, J. I. James, T. G. Ejeta, and H. Kim, “Electronic voting service [181] C. Decker, “cdecker/btcresearch,” Jan 2018. [Online]. Available: using Blockchain,” The Journal of Digital Forensics, Security and Law: https://github.com/cdecker/btcresearch JDFSL, vol. 11, no. 2, p. 123, 2016. [182] B. Scott, “Bitcoin academic research.” [On- [202] P. Noizat, “Blockchain electronic vote,” Handbook of Digital Currency: line]. Available: https://docs.google.com/spreadsheets/d/ Bitcoin, Innovation, Financial Instruments, and Big Data, p. 453, 2015. 1VaWhbAj7hWNdiE73P-W-wrl5a0WNgzjofmZXe0Rh5sg/edit#gid=0 [203] T. I. Ron and S. Attias, “The effect of Blockchain technology in the [183] X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, “A survey on the gaming regulatory environment.” Gaming Law Review, vol. 21, no. 6, security of blockchain systems,” CoRR, vol. abs/1802.06993, 2018. pp. 459–460, 2017. [Online]. Available: http://arxiv.org/abs/1802.06993 [204] G. Karame, “On the security and scalability of bitcoin’s blockchain,” [184] T. Salman, M. Zolanvari, A. Erbad, R. Jain, and M. Samaka, “Security in ACM SIGSAC Conference on Computer and Communications services using blockchains: A state of the art survey,” CoRR, vol. Security, Vienna, Austria, Oct 2016, pp. 1861–1862. [Online]. abs/1810.08735, 2018. [Online]. Available: http://arxiv.org/abs/1810. Available: https://doi.org/10.1145/2976749.2976756 08735 [205] F. Tschorsch and B. Scheuermann, “Bitcoin and beyond: A technical [185] L. Anderson, R. Holz, A. Ponomarev, P. Rimba, and I. Weber, “New survey on decentralized digital currencies,” IEEE Communications kids on the block: an analysis of modern blockchains,” CoRR, vol. Surveys and Tutorials, vol. 18, no. 3, pp. 2084–2123, 2016. [Online]. abs/1606.06530, 2016. [Online]. Available: http://arxiv.org/abs/1606. Available: https://doi.org/10.1109/COMST.2016.2535718 06530 [206] A. Gervais, G. O. Karame, K. Wüst, V. Glykantzis, H. Ritzdorf, [186] G. Kappos, H. Yousaf, M. Maller, and S. Meiklejohn, “An empirical and S. Capkun, “On the security and performance of proof of analysis of anonymity in zcash,” CoRR, vol. abs/1805.03180, 2018. work blockchains,” in ACM SIGSAC Conference on Computer and [Online]. Available: http://arxiv.org/abs/1805.03180 Communications Security, Vienna, Austria, Oct 2016, pp. 3–16. [187] M. Kiran and M. Stanett, “Bitcoin risk analysis,” NEMODE Policy [Online]. Available: https://doi.org/10.1145/2976749.2978341 Paper, 2015. [Online]. Available: http://hdl.handle.net/10454/10717 [207] S. Werman and A. Zohar, “Avoiding deadlocks in payment [188] J. Moubarak, E. Filiol, and M. Chamoun, “On blockchain security channel networks,” in International Workshop on Data Privacy and relevant attacks,” in IEEE Middle East and North Africa Management, Cryptocurrencies and Blockchain Technology DPM and Communications Conference, MENACOMM, 2018, pp. 1–6. [Online]. CBT, Barcelona, Spain, Sept 2018, pp. 175–187. [Online]. Available: Available: https://doi.org/10.1109/MENACOMM.2018.8371010 https://doi.org/10.1007/978-3-030-00305-0_13 [189] M. Carlsten, H. A. Kalodner, S. M. Weinberg, and A. Narayanan, “On [208] R. Yu, G. Xue, V. T. Kilari, D. Yang, and J. Tang, “Coinexpress: A the instability of bitcoin without the block reward,” in Proceedings fast payment routing mechanism in blockchain-based payment channel of the ACM Conference on Computer and Communications Security networks,” in International Conference on Computer Communication SIGSAC, Vienna, Austria, Oct 2016, pp. 154–167. [Online]. Available: and Networks ICCCN, Hangzhou, China, Aug 2018, pp. 1–9. [Online]. http://doi.acm.org/10.1145/2976749.2978408 Available: https://doi.org/10.1109/ICCCN.2018.8487351