Ethereum Denial Of Service

Denial of Service (DoS) attacks are a significant threat to the stability and security of decentralized applications (DApps) on the Ethereum blockchain. This comprehensive blog post explores the nature of DoS attacks in Ethereum, their various forms, real-world examples, and best practices for mitigation. The goal is to provide an in-depth understanding suitable for a doctoral thesis.

Introduction to Denial of Service (DoS) Attacks

Denial of Service (DoS) attacks aim to disrupt the normal functioning of a service, making it unavailable to its intended users. In the context of Ethereum, DoS attacks can target smart contracts and decentralized applications (DApps), causing them to become unresponsive or fail to execute their intended logic.

Importance of Understanding DoS Attacks

DoS attacks can have severe consequences, including:

  • Disruption of critical services.
  • Financial losses due to unavailability or erroneous execution of smart contracts.
  • Reduced trust in the security and reliability of the Ethereum network.

 

Denial of Service (DoS) in Ethereum: A Comprehensive Study

Denial of Service (DoS) in Ethereum: A Comprehensive Study

Types of DoS Attacks in Ethereum

DoS attacks in Ethereum can take various forms, including:

  1. Block Gas Limit Attacks
  2. Unexpected Reverts
  3. Griefing Attacks
  4. Underpriced Operations

Block Gas Limit Attacks

Ethereum transactions require gas, a unit of computational effort. The block gas limit is the maximum amount of gas that can be spent in a single block. Attackers can exploit this limit to perform DoS attacks by submitting transactions that consume an excessive amount of gas.

Example of Block Gas Limit Attack

An attacker can create a contract with a function that consumes a large amount of gas, filling up a block’s gas limit and preventing other transactions from being included.

contract GasGuzzler {
function consumeGas() public {
while (true) {
// Infinite loop consuming gas
}
}
}

Unexpected Reverts

Unexpected reverts occur when a smart contract function fails due to a revert statement, causing the entire transaction to fail. Attackers can exploit this by crafting transactions that trigger reverts in targeted contracts.

Example of Unexpected Revert

contract Vulnerable {
function withdraw(uint256 amount) public {
require(balances[msg.sender] >= amount, “Insufficient balance”);
// Potential for unexpected revert if the condition fails
msg.sender.call{value: amount}(“”);
}
}

If msg.sender reverts the call, it can disrupt the contract’s intended functionality.

Griefing Attacks

Griefing attacks are a form of DoS where the attacker incurs a cost to cause disproportionate inconvenience or loss to the victim. These attacks are designed to make the target’s operations more expensive or less efficient.

Example of Griefing Attack

In a decentralized exchange, an attacker can submit numerous small orders, filling the order book and making it expensive for legitimate users to place orders.

contract Exchange {
function placeOrder(uint256 amount) public {
// Adding small orders to fill the order book
orders.push(Order(msg.sender, amount));
}
}

Underpriced Operations

Some operations in Ethereum may be underpriced in terms of gas cost relative to the computational resources they consume. Attackers can exploit these operations to launch DoS attacks by executing them repeatedly at a low cost.

Example of Underpriced Operation

Prior to EIP-1884, certain opcodes were underpriced, allowing attackers to perform DoS attacks by executing these opcodes repeatedly.

contract UnderpricedOp {
function performUnderpricedOp() public {
for (uint256 i = 0; i < 1000; i++) {
// Perform underpriced operation
}
}
}

Real-World Examples of DoS Attacks in Ethereum

The Shanghai Attacks

In September 2016, Ethereum experienced a series of DoS attacks known as the Shanghai attacks. The attacker exploited underpriced operations and created contracts that consumed a significant amount of gas, disrupting the network.

Analysis of the Shanghai Attacks

  • Underpriced Operations: The attacker used operations that were computationally expensive but required low gas fees.
  • High Gas Consumption: Contracts were designed to consume excessive gas, filling blocks and delaying other transactions.

The Parity Wallet DoS

In November 2017, a vulnerability in the Parity multisig wallet contract was exploited, causing a DoS condition that locked up millions of dollars worth of Ether.

Analysis of the Parity Wallet DoS

  • Self-Destruct Function: The attacker exploited the wallet’s selfdestruct function to permanently disable the wallet.
  • Loss of Funds: Users were unable to access their funds, causing significant financial losses.

Best Practices for Mitigating DoS Attacks

Use Gas-Efficient Code

Writing gas-efficient code is crucial to prevent block gas limit attacks. Optimize smart contracts to minimize gas consumption.

Example of Gas Optimization

contract Optimized {
uint256[] public data;

function addData(uint256[] memory newData) public {
for (uint256 i = 0; i < newData.length; i++) {
data.push(newData[i]);
}
}
}

Implement Proper Error Handling

Proper error handling ensures that unexpected reverts do not disrupt contract functionality. Use the try/catch syntax to handle errors gracefully.

Example of Error Handling

try externalContract.someFunction() {
// Success logic
} catch {
// Failure handling
}

Avoid Underpriced Operations

Stay informed about EIPs (Ethereum Improvement Proposals) and avoid using underpriced operations. Regularly update contracts to reflect changes in gas pricing.

Example of Avoiding Underpriced Operations

Monitor the gas costs of opcodes and adjust contract logic accordingly to avoid exploitation.

Rate Limiting and Throttling

Implement rate limiting and throttling mechanisms to prevent abuse of contract functions by malicious actors.

Example of Rate Limiting

contract RateLimited {
mapping(address => uint256) public lastCallTime;
uint256 public constant cooldown = 1 minutes;

function limitedFunction() public {
require(block.timestamp >= lastCallTime[msg.sender] + cooldown, “Rate limit exceeded”);
lastCallTime[msg.sender] = block.timestamp;
// Function logic
}
}

Regular Security Audits

Conduct regular security audits with professional auditors to identify and mitigate potential vulnerabilities, including those that could lead to DoS attacks.

Conclusion

Denial of Service (DoS) attacks in Ethereum pose significant risks to the stability and security of decentralized applications. By understanding the various forms of DoS attacks, analyzing real-world examples, and implementing best practices for mitigation, developers can create more resilient and secure smart contracts.

Source

  1. EtherClue: Digital investigation of attacks on Ethereum smart contracts: This study explores various attack vectors, including DoS vulnerabilities related to gas limits and call-stack depth. It provides insights into how these vulnerabilities are exploited and how to detect them. Read more here.
  2. SmartScan: An approach to detect Denial of Service Vulnerability in Ethereum Smart Contracts: This paper discusses methods for detecting DoS vulnerabilities using both static and dynamic analysis techniques, offering a comprehensive framework for identifying and mitigating these threats. Read more here.
  3. Speculative Denial-of-Service Attacks in Ethereum: This research highlights effective attacks against Ethereum’s defenses, including conditional gas exhaustion and resource clogging, providing practical examples of how these attacks are executed. Read more here.