EOS Weakness Allows Two DoS Attacks, Aelf Confirms it Doesn’t Have the Same Weakness
Blockchain networks are regularly targeted by hackers, and one of the most common types of attack on blockchain systems is the Denial-of-Service (DoS) attack. Denial-of-Service attacks are generally carried out by flooding the targeted network with unnecessary requests, overloading the system so that legitimate requests on the network cannot be executed.
A more advanced form of DoS is the Distributed Denial-of-Service (DDoS) attack, which uses many machines to attack a single server or network. In this article we discuss a specific EOS weakness that resulted in two transaction congestion attacks, the first of which occurred on January 10th, 2019. We also analyze how the Aelf platform is designed so that it is not vulnerable to this specific type of attack.
The EOS network allows user-signed transactions to schedule deferred transactions that execute at a later time. The problem is that deferred transactions are prioritized over user-signed transactions, which in turn denies future user-signed transactions access to the chain. If an attacker creates a large number of deferred transactions containing dead loops, the resulting congestion can cause timeouts and exhaust the available CPU, with the end result of paralyzing the EOS blockchain.
EOS.Win Gambling dApp and EIDOS Token Airdrop Transaction Congestion Attack Examples
In this specific attack the hackers targeted a gambling decentralized application (dApp) called EOS.Win. The attack differed from most DoS attacks in that it targeted the blockchain layer rather than the usual contract layer. The attackers exploited a DoS loophole by creating many deferred junk transactions that prevented block producers from including valid transactions in blocks. This was probably the most critical denial-of-service loophole ever found on the EOS network.
If this type of attack were carried out on a mass scale it could leave every dApp on the network unable to function correctly. Gambling applications that hold large amounts of digital assets would be particularly affected, potentially resulting in massive asset losses and severely hampering the further development of the EOS ecosystem. This is not the only time the weakness has caused an issue; the latest attack occurred in October of this year.
The EOS protocol's weakness towards different types of DoS and transaction congestion attacks has so far not been addressed and has actually been labelled 'expected behaviour', since the blockchain functions normally. On October 31st, 2019 another attack made headlines, involving an airdrop on the EOS blockchain created by a company called EIDOS. The purpose of the airdrop was to give users free EIDOS tokens for sending EOS tokens back and forth on the network: each round trip generates a small amount of EIDOS tokens in a process resembling mining.
The major problem began when this process was repeated by many users, drastically reducing the capacity and speed of the EOS blockchain. The airdrop was probably created deliberately to broaden understanding of the EOS network and of the issues the platform faces with different types of DoS attacks.
Solutions to Prevent Similar Attacks from Occurring on the Aelf Blockchain Network
Aelf built its protocol without the ability to defer transactions, that is, to schedule a transaction to execute in the future. This design decision is the main reason why most of the Denial-of-Service and Distributed Denial-of-Service attacks seen on the EOS mainnet are simply not possible on the Aelf platform.
If a congestion attack occurs on the Aelf network it is always isolated to an individual side chain and cannot affect any other contract, because each side chain hosts only one contract. This point is explained in more detail in section 4.1.1 of the Aelf Whitepaper. It is a built-in security measure that prevents the main chain from being affected by congestion attacks. The Aelf blockchain also incorporates a dedicated random number generation tool, the Aelf random number contract standard (ACS6), which strengthens the security of the network overall.
The inability of the EOS blockchain and EOS dApps to make use of effective random number generation has been criticized at length. In essence, the random number generator developed for the dApp above relies on the transactions in a future block, so simply sending deferred transactions gives a user the potential to influence the number generated. Aelf has designed a more secure, built-in random number generator that any developer building a dApp on the platform can use.
A random number is calculated from the block hashes of all the block producers involved in a particular round. This makes it much harder to control the random number generated and thereby attack a smart contract that relies on it, resulting in a more secure and reliable random number generator that also spares dApp developers excess and unnecessary work.
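The following added example is an illustrative construction of the round-based scheme just described, not Aelf's ACS6 contract code: the value is derived from every producer's block hash in canonical order and cannot be computed until the round is complete. The producer names and block hashes are constructed sample data.

```python
import hashlib


class RandomRound:
    """Collects one block hash per producer for a round and derives a random
    value from all of them (assumed construction, not the ACS6 implementation)."""

    def __init__(self, expected_producers):
        self.expected = set(expected_producers)
        self.block_hashes = {}          # producer -> block hash (hex string)

    def submit_block_hash(self, producer, block_hash_hex):
        if producer not in self.expected:
            raise ValueError(f"{producer} is not a producer in this round")
        self.block_hashes[producer] = block_hash_hex

    def derive(self, upper_bound):
        """Random integer in [0, upper_bound). Refuses to run until every
        producer has contributed, so nobody can learn the value mid-round."""
        missing = self.expected - self.block_hashes.keys()
        if missing:
            raise RuntimeError(f"round incomplete, missing {sorted(missing)}")
        # canonical ordering makes the result independent of arrival order
        material = b"".join(bytes.fromhex(self.block_hashes[p])
                            for p in sorted(self.block_hashes))
        digest = hashlib.sha256(material).digest()
        return int.from_bytes(digest, "big") % upper_bound


def derive_or_none(rnd, upper_bound):
    """Helper for callers that treat an incomplete round as 'no value yet'."""
    try:
        return rnd.derive(upper_bound)
    except RuntimeError:
        return None


def constructed_round(round_tag=b"round-1", alter_producer=None):
    """Build a sample round of four producers with constructed block hashes;
    optionally change one producer's hash to show the whole result changes."""
    producers = ["bp1", "bp2", "bp3", "bp4"]
    rnd = RandomRound(producers)
    for p in reversed(producers):           # submitted out of order on purpose
        tag = round_tag + (b"-alt" if p == alter_producer else b"")
        rnd.submit_block_hash(p, hashlib.sha256(tag + p.encode()).hexdigest())
    return rnd
```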
It is important to learn from each other by utilizing a diverse range of approaches in any technological industry. As Distributed Ledger Technology (DLT) continues to advance, we must continue to work together to solve security challenges and to understand the different approaches to these complex problems. Aelf continues to design its protocol in a secure way that could potentially help prevent similar DoS attacks from occurring on other blockchain networks in the future.