
Dismantling the Ethereum State Problem: A Serious Little-Known Threat



The purpose of this blog post is to formally disclose a serious threat to the Ethereum platform. Before the Ethereum Berlin hard fork, this threat was real.

Let's start with some background on Ethereum and state. The Ethereum state consists of a Patricia-Merkle trie (a prefix tree). This article will not go into too much detail; suffice it to say that as the state grows, the branches of this tree become denser and denser. Each account added is a leaf. Between the root of the tree and the leaf itself there are many "intermediate" nodes. To find a given account, or "leaf", in this huge tree, somewhere around 6-9 hashes have to be resolved, from the root through the intermediate nodes, before the last hash is resolved, which points to the data we are looking for.

In short: for every trie lookup performed to find an account, 8-9 resolve operations are performed. Each resolve operation is a database lookup, and each database lookup can be any number of real disk operations. The number of disk operations is hard to estimate, but since the trie key is a cryptographic hash (collision resistant), the key is "random", which is the worst-case scenario for any database.

As Ethereum grows, it becomes necessary to increase the gas price of operations that access the trie. This was done in Tangerine Whistle at block height 2,463,000 in October 2016, which included EIP150. EIP150 drastically increased the gas cost of certain operations after the so-called "Shanghai attack" and made a series of changes to prevent DoS attacks.

Another gas increase was implemented in the Istanbul upgrade, at block height 9,069,000 in December 2019. In this upgrade, EIP 1884 was activated. EIP 1884 introduced the following operational cost changes: SLOAD was increased from 200 to 800 gas, BALANCE was increased from 400 to 700 gas (with a cheaper SELFBALANCE), and EXTCODEHASH was increased from 400 to 700 gas.

In March 2019, Martin Swende made some measurements of EVM opcode performance. This investigation led to the creation of EIP-1884. A few months before EIP-1884 went online, the "Broken Meter" paper was officially published (September 2019). Two Ethereum security researchers (Hubert Ritzdorf and Matthias Egli) collaborated with one of the paper's authors, Daniel Perez, to "weaponize" a vulnerability, which they submitted to the Ethereum bounty program. This was on October 4, 2019.

We recommend that you read that submission in its entirety; it is a well-written report. On a channel dedicated to discussing cross-client security, developers from Geth, Parity, and Aleth were informed about the submission that same day. The essence of the vulnerability is to trigger random trie queries.
A very simple variant is:

In their report, the researchers executed this payload via eth_call against a node synced to mainnet. These are the execution times when using 10M gas:

10M gas attack using EXTCODEHASH (400 gas):
- Parity: ~90s
- Geth: ~70s

10M gas attack using EXTCODESIZE (700 gas):
- Parity: ~50s
- Geth: ~38s

It is obvious that the changes introduced by EIP 1884 did have an impact in reducing the attack, but not enough. This was just ahead of Devcon Osaka. During Devcon, knowledge of the issue was shared among mainnet client developers. We also had a meeting with Hubert and Matthias and Greg Markou (ETC staff from Chainsafe). ETC developers also received the report.

As 2019 drew to a close, we knew we had bigger problems than we had previously expected, with malicious transactions potentially causing block intervals to increase to minutes.
To make matters worse, developers were already dissatisfied with EIP-1884, which had broken some contract flows, and users and miners were anxious to increase the gas limit. Furthermore, just two months later, in December 2019, Parity Ethereum announced that it was quitting work on Ethereum, while OpenEthereum took over the maintenance of the codebase.

Afterwards a new client coordination channel was created where Geth, Nethermind, OpenEthereum and Besu developers continued to coordinate.

We realized that we had to take two approaches to address these issues. One approach is to work on the Ethereum protocol and somehow solve the problem at the protocol level, preferably without breaking contracts and without punishing "good" behavior, while still preventing attacks. The second approach is through software engineering, by changing the data model and structures in the client.

The first iteration of how to handle these types of attacks can be viewed here. In February 2020, the solution was officially released in the form of EIP 2583. The idea behind it is simply to add a penalty whenever a trie lookup results in a miss. However, Peter found a workaround for this idea, a "shielding relay" attack, which puts an upper limit (about 800 gas) on how large this penalty can effectively be.

The problem with penalties for misses is that the lookup has to be done first in order to determine that a penalty must be imposed. However, if there is not enough gas left to pay the penalty, the lookup has already been performed without being paid for.
Even if that results in an exception being thrown, these state reads can be wrapped in nested calls, which allows the outer caller to keep repeating the attack without paying the (full) penalty. Therefore, this EIP was deprecated while we looked for better alternatives.

Alexey Akhunov explored the concept of Oil, a second source of "gas" that is fundamentally different from gas because it is invisible to the execution layer and can cause transaction-global reverts. Martin made a similar proposal in May 2020, called Karma. While these plans were being iterated on, Vitalik Buterin recommended only increasing the gas cost and maintaining access lists. In August 2020, Martin and Vitalik started to iterate on what later became EIP-2929 and EIP-2930.

EIP-2929 effectively solves many of the previous problems. In contrast to EIP-1884, which increased costs unconditionally, it only increases the cost of accessing things that have not yet been accessed. This resulted in a net cost increase of less than one percent. Also, like EIP-2930, it doesn't break any contract flow, and it can be tuned further by increasing the gas cost (without breaking things). On April 15, 2021, they went live with the Berlin upgrade.

In October 2019, Peter's attempt to solve this problem was dynamic state snapshots. A snapshot is a secondary data structure that stores the Ethereum state in a flat format, and it can be constructed completely online during the live operation of a Geth node. The benefit of a snapshot is that it acts as an acceleration structure for state access: instead of O(log N) disk reads (x LevelDB overhead) to access an account or storage slot, the snapshot provides direct O(1) access time (x LevelDB overhead). Snapshots support O(1) per-entry iteration of accounts and storage, which enables remote nodes to retrieve sequential state data much more cheaply than before.
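The difference between trie lookups and flat snapshot reads described above, as an added example (not code from Geth or from the original post). It is a toy 16-ary trie without node hashing or extension nodes; sha256 stands in for keccak256, the addresses are constructed, a Python dict stands in for the flat snapshot, and `key_path`, `HexTrie` and `average_reads` are hypothetical names.

```python
import hashlib

def key_path(address: bytes) -> str:
    # Ethereum hashes trie keys with keccak256; sha256 is a stand-in here
    # that gives the same uniformly "random" key distribution.
    return hashlib.sha256(address).hexdigest()

class HexTrie:
    """Toy 16-ary trie: branch = dict nibble -> child, leaf = (path, value)."""
    def __init__(self):
        self.root = {}

    def insert(self, path: str, value) -> None:
        node, depth = self.root, 0
        while True:
            child = node.get(path[depth])
            if child is None or (isinstance(child, tuple) and child[0] == path):
                node[path[depth]] = (path, value)
                return
            if isinstance(child, tuple):
                # Two keys share this prefix: push the old leaf one level down.
                branch = {child[0][depth + 1]: child}
                node[path[depth]] = branch
                child = branch
            node, depth = child, depth + 1

    def lookup(self, path: str):
        """Return (value, node_reads); each node resolved is one database read."""
        node, reads = self.root, 1  # reading the root node
        for nibble in path:
            child = node.get(nibble)
            if child is None:
                return None, reads
            reads += 1
            if isinstance(child, tuple):
                return (child[1] if child[0] == path else None), reads
            node = child
        return None, reads

def average_reads(n_accounts: int):
    """Average reads per account lookup as (trie, flat snapshot)."""
    trie, snapshot = HexTrie(), {}
    paths = [key_path(i.to_bytes(20, "big")) for i in range(n_accounts)]  # constructed
    for i, path in enumerate(paths):
        trie.insert(path, i)
        snapshot[path] = i  # flat layout: one keyed read per account
    return sum(trie.lookup(p)[1] for p in paths) / n_accounts, 1.0

if __name__ == "__main__":
    for n in (256, 4096, 65536):
        print(n, average_reads(n))
```

The trie figure grows with the logarithm of the number of accounts while the flat read stays at one, which is the O(log N) versus O(1) contrast the text describes.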
The presence of snapshots also enables more exotic use cases, such as offline pruning of the state trie or migration to other data formats. The downside of snapshots is that the original account and storage data are effectively duplicated. For mainnet, this means using an additional 25GB of SSD space.

The idea of dynamic snapshots was started in the middle of 2019, with the main purpose of being the enabler of snap sync. At the time, the Geth team was working on a number of "big projects":

- Offline state pruning
- Dynamic snapshot + snap sync
- LES state distribution via shard state

However, in the end it was decided to prioritize snapshots entirely, deferring the other projects for the time being. This laid the foundation for what would become the snap/1 synchronization algorithm. It was merged into mainnet in March 2020.

With the release of the dynamic snapshot feature, we had some breathing room. It would have been painful if the Ethereum network had been attacked, yes, but at least it would have been possible to notify users about enabling snapshots. The entire snapshot generation would take a significant amount of time, and snapshots could not yet be synced, but the network would at least continue to function.

In March-April 2021, the snap/1 protocol was rolled out in geth, making it possible to synchronize using a new snapshot-based algorithm. While still not the default sync mode, this is a major step towards making snapshots useful not only as attack protection, but also for users.

On the protocol side, the Berlin upgrade was officially implemented in April 2021.
Here are some benchmarks made in our AWS monitoring environment:

- Before the Berlin upgrade, no snapshot, 25M gas: 14.3s
- Before the Berlin upgrade, with snapshot, 25M gas: 1.5s
- After the Berlin upgrade, no snapshot, 25M gas: ~3.1s
- After the Berlin upgrade, with snapshot, 25M gas: ~0.3s

These (rough) figures mean that the Berlin upgrade reduces the efficiency of the attack by 5 times, snapshots reduce it by 10 times, and together they reduce the attack impact by 50 times.

We estimate that currently on the main network (15M gas), a block can be created that takes 2.5-3s to execute on a geth node without a snapshot. As state grows, this number will continue to deteriorate (for non-snapshot nodes).
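The EIP-2929 pricing rule behind the Berlin figures above, as an added example that is not from the original post or from any client. The cold and warm costs (2600 and 100 gas) are the constants defined in EIP-2929, and 700 gas is the post-EIP-1884 EXTCODEHASH price quoted in the article; the trace format and function names are hypothetical, and only the cost of the account-access opcode itself is counted.

```python
COLD_ACCOUNT_ACCESS_COST = 2600  # EIP-2929: first touch of an address in a tx
WARM_STORAGE_READ_COST = 100     # EIP-2929: address already in the access set
ISTANBUL_FLAT_COST = 700         # EXTCODEHASH price after EIP-1884 (from the article)

def istanbul_gas(trace):
    """Flat pricing: every account access costs the same, repeated or not."""
    return ISTANBUL_FLAT_COST * sum(1 for op, _ in trace if op == "access")

def berlin_gas(trace, prewarmed=()):
    """Return (gas, cold_lookups) under EIP-2929 cold/warm pricing."""
    accessed = set(prewarmed)   # per-transaction accessed_addresses set
    frames = []                 # copy of the set saved at each call entry
    gas = cold = 0
    for op, addr in trace:
        if op == "call":
            frames.append(set(accessed))
        elif op == "return":
            frames.pop()                 # callee's additions are kept
        elif op == "revert":
            accessed = frames.pop()      # callee's additions are rolled back
        elif addr in accessed:
            gas += WARM_STORAGE_READ_COST
        else:
            accessed.add(addr)
            gas += COLD_ACCOUNT_ACCESS_COST
            cold += 1                    # only cold accesses need a state lookup
    return gas, cold

# Constructed traces: (op, address) tuples, op in access/call/return/revert.
REUSE = [("access", a) for _ in range(50) for a in ("A", "B", "C")]
DISTINCT = [("access", f"addr{i}") for i in range(150)]
REVERTED = [("call", None), ("access", "X"), ("revert", None), ("access", "X")]

if __name__ == "__main__":
    for name, trace in (("reuse", REUSE), ("distinct", DISTINCT), ("reverted", REVERTED)):
        print(name, istanbul_gas(trace), berlin_gas(trace))
```

A contract that keeps touching the same few accounts gets cheaper than under flat pricing, while a transaction that touches a new account on every access pays the cold price each time, including after a reverted inner call.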

