
Nurgle: Exacerbating Resource Consumption in Blockchain State Storage via MPT Manipulation

Zheyuan He, Zihao Li, Ao Qiao, Xiapu Luo, Xiaosong Zhang, Ting Chen, Shuwei Song, Dijun Liu, Weina Niu

TL;DR

This paper unveils a novel attack surface in blockchains, the state storage, and designs Nurgle, the first Denial-of-Service attack targeting it.

Abstract

Blockchains, with intricate architectures, encompass various components, e.g., consensus network, smart contracts, decentralized applications, and auxiliary services. While offering numerous advantages, these components expose various attack surfaces, leading to severe threats to blockchains. In this study, we unveil a novel attack surface in blockchains: the state storage. The state storage, based on the Merkle Patricia Trie (MPT), plays a crucial role in maintaining blockchain state. We also design Nurgle, the first Denial-of-Service attack targeting the state storage. By proliferating intermediate nodes within the state storage, Nurgle forces blockchains to expend additional resources on state maintenance and verification, impairing their performance. We conduct a comprehensive and systematic evaluation of Nurgle, covering the factors affecting it, its impact on blockchains, its financial cost, and a practical demonstration of the resulting damage to blockchains. The implications of Nurgle extend beyond the performance degradation of blockchains, potentially reducing trust in them and the value of their cryptocurrencies. We further discuss three feasible mitigations against Nurgle. At the time of writing, the vulnerability exploited by Nurgle has been confirmed by six mainstream blockchains, and we received thousands of USD in bounties from them.

Paper Structure (37 sections, 2 theorems, 5 equations, 10 figures, 5 tables, 1 algorithm)

Key Result

Lemma 1

Given a leaf node node$_{v}$ whose indexing has a unique part of length greater than 2, if Nurgle can collide out nodes nodes$_{insert}$ whose common prefix length with node$_{v}$ is at most $x$, then node…

Figures (10)

  • Figure 1: The workflow of Nurgle. The attacker first submits the crafted payload by transactions to the P2P network. Once the transactions are included in the blockchain, they can manipulate the state storage of the MPT structure, and finally impair the performance of the blockchain.
  • Figure 2: The left part shows state storage in the MPT structure. We display the flat layout of corresponding information at the right part to facilitate intuitive understanding.
  • Figure 3: A simplified MPT, constructed from two leaf nodes with indexing 111234d and 111d12f. The extension node (111) handles the common prefix (111) of the two leaf nodes' indexing. The branch node forks to the two leaf nodes via two pointers (i.e., 2 and d). Finally, the two leaf nodes keep the unique parts of their indexing, 34d and 12f.
  • Figure 4: After inserting a leaf node 111d1f3 into the MPT, the leaf node 12f splits into an extension node, a branch node, and two leaf nodes. Finally, the MPT is proliferated with new nodes, and its depth is deepened into two layers. Newly generated nodes are marked with red dotted lines.
  • Figure 5: There are two transactions $tx_1$ and $tx_2$ transferring Ether, and each of them consumes 21,000 units of gas. However, when executing $tx_1$ and $tx_2$, the number of nodes in the MPT to be updated is different (marked as red and purple boxes in the figure). After finalizing the two transactions, although the two transactions cost the same amount of gas, they consume different resources for updating the MPT.
  • ...and 5 more figures
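
The node split described in Figures 3 and 4, and the per-key update cost that Figure 5 contrasts with gas, can be reproduced with a simplified trie. This is an added example, not code from the paper: it omits hashing and RLP encoding, assumes fixed-length hex keys, and the function names are hypothetical.

```python
# Simplified MPT (assumption: fixed-length hex keys, no hashing or RLP).
# Nodes: ("leaf", path, value) | ("ext", path, child) | ("branch", {nibble: child})
def common_prefix(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

def insert(node, key, value):
    if node is None:
        return ("leaf", key, value)
    if node[0] == "branch":
        children = dict(node[1])
        children[key[0]] = insert(children.get(key[0]), key[1:], value)
        return ("branch", children)
    kind, path, payload = node
    n = common_prefix(path, key)
    if kind == "leaf" and n == len(path) == len(key):
        return ("leaf", path, value)  # same key: overwrite in place
    if kind == "ext" and n == len(path):
        return ("ext", path, insert(payload, key[n:], value))
    # Paths diverge after n shared nibbles: the old node splits around a new branch.
    rest = path[n:]
    if kind == "leaf":
        old = ("leaf", rest[1:], payload)
    else:
        old = payload if len(rest) == 1 else ("ext", rest[1:], payload)
    branch = ("branch", {rest[0]: old, key[n]: ("leaf", key[n + 1:], value)})
    return ("ext", path[:n], branch) if n else branch

def count_nodes(node):
    if node[0] == "leaf":
        return 1
    if node[0] == "ext":
        return 1 + count_nodes(node[2])
    return 1 + sum(count_nodes(c) for c in node[1].values())

def path_nodes(node, key):
    """Nodes on the root-to-leaf path of key, i.e. nodes rewritten when its value changes."""
    hops = 0
    while node is not None:
        hops += 1
        if node[0] == "leaf":
            return hops if node[1] == key else 0
        if node[0] == "ext":
            if not key.startswith(node[1]):
                return 0
            node, key = node[2], key[len(node[1]):]
        else:
            node, key = node[1].get(key[0]), key[1:]
    return 0

def build(keys):
    root = None
    for k in keys:
        root = insert(root, k, "v")
    return root
```

Building the trie from the Figure 3 keys and then adding the Figure 4 key shows the update path of 111d12f growing while that of 111234d stays the same, which is the per-account cost difference that a flat gas charge does not capture.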

Theorems & Definitions (4)

  • Lemma 1
  • Proof of Lemma 1
  • Lemma 2
  • Proof of Lemma 2