A group of researchers from the University of Sydney published a paper detailing a new blockchain vulnerability called the “Balance attack.” The paper uses theoretical and practical analysis to describe the trade-off between network delay and the mining power an attacker needs to successfully execute a double spend. According to the paper:
“One can exploit the Balance attack to violate the persistence of the main branch, hence rewriting previously committed transactions, and allowing the attacker to double spend.”
The paper uses statistical data derived from the R3 consortium to prove that a single miner needs only 20 minutes to successfully execute the attack. The authors then demonstrated the attack across an Ethereum private chain alongside a distributed system with settings similar to those of the R3 consortium.
The Balance attack disrupts the blockchain’s main branch by delaying communication between clusters of nodes that hold balanced mining power. Only five percent of mining power is needed to perform the attack. The whitepaper describes mining power as the number of hashes the miner can test per second. Once the proper mining power is recovered, an attacker would broadcast his or her transactions to two different subgroups of nodes, the “Transaction subgroup” and the “Block subgroup.” This action is repeated until the Block subgroup offsets the tree created by the Transaction subgroup and subsequently contributes to a double transaction.
The attack is made possible by exploiting the logic of the GHOST (Greedy Heaviest-Observed Sub-Tree) protocol, a procedure that takes all stale blocks (e.g., uncle and/or sibling blocks) into account. The GHOST protocol allows a blockchain branch to be mined in isolation from the rest of the nodes on the network. This allows two blocks to be discovered simultaneously before finally altering the process. Although the GHOST protocol is specific to Ethereum, Christopher Natoli and Vincent Gramoli demonstrate that all proof-of-work (PoW) cryptocurrency protocols (e.g., Bitcoin) are susceptible to the Balance attack by presenting a model for PoW blockchains, which outlines the algorithmic differences between the Nakamoto and GHOST procedures.
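The difference between the Nakamoto and GHOST procedures mentioned above can be seen on a small block tree. The following is an added illustration, not code from the paper or from any Ethereum client; the block names, the tree and the simplification that every block carries equal weight are assumptions made for the example.

```python
from collections import defaultdict

# Constructed block tree (child -> parent); "G" is the genesis block.
PARENT = {
    "A1": "G", "A2": "A1", "A3": "A2", "A4": "A3",  # long chain, no stale blocks
    "B1": "G", "B2": "B1", "B3": "B2",              # shorter chain ...
    "U1": "B1", "U2": "B1", "U3": "B2",             # ... plus stale siblings
}

def children_of(parent_map):
    kids = defaultdict(list)
    for child, parent in parent_map.items():
        kids[parent].append(child)
    return kids

def depth(kids, block):
    """Nakamoto weight: length of the longest chain starting at block."""
    return 1 + max((depth(kids, c) for c in kids[block]), default=0)

def subtree_size(kids, block):
    """GHOST weight: every block in the subtree counts, stale ones included."""
    return 1 + sum(subtree_size(kids, c) for c in kids[block])

def select_branch(parent_map, weight, root="G"):
    """Walk down from root, always entering the child with the largest weight."""
    kids = children_of(parent_map)
    chain = [root]
    while kids[chain[-1]]:
        # sorted() makes ties deterministic (lowest name wins)
        chain.append(max(sorted(kids[chain[-1]]), key=lambda c: weight(kids, c)))
    return chain

def ghost_margin(parent_map, root="G"):
    """Weight gap between the two heaviest subtrees under root (assumes a fork)."""
    kids = children_of(parent_map)
    sizes = sorted((subtree_size(kids, c) for c in kids[root]), reverse=True)
    return sizes[0] - sizes[1]

if __name__ == "__main__":
    print("Nakamoto:", select_branch(PARENT, depth))
    print("GHOST:   ", select_branch(PARENT, subtree_size))
    print("margin:  ", ghost_margin(PARENT))
    # Three more blocks anywhere under A1 outweigh the B1 subtree.
    extended = dict(PARENT, X1="A1", X2="A1", X3="A1")
    print("GHOST after 3 extra blocks:", select_branch(extended, subtree_size))
```

The two rules pick different main branches from the same tree, and the GHOST choice depends only on the weight gap between sibling subtrees, which is small when mining power is balanced.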
Ever since the June 2016 DAO hack, blockchain industry experts have become more security-conscious. The attack left the DAO’s decentralized investment fund short around $50 million and dropped the price of Ether significantly. Since then, the Ethereum community has patched the wound and moved forward by improving the ecosystem. The discovery of the Balance attack vulnerability, however, shows that there is still room for improvement in securing the blockchain infrastructure for Ethereum and other blockchain-based platforms. Given that governments and financial organizations are unlikely to adopt a potentially vulnerable system, a resolution to this problem is a top priority for the blockchain community.