Dodging a bullet: Ethereum state issues


This blog post discloses a grave threat to the security of the Ethereum platform, which was a clear danger up until the Berlin hard fork.

State

Let's start with some background on Ethereum and state.

The Ethereum state consists of a Patricia-Merkle trie, a prefix tree. This post won't go into too much detail; suffice it to say that the branches of this tree get denser with each passing year. Each account is another leaf. Between the root of the tree and a leaf there are a number of "intermediate" nodes.

To look up a given account, or "leaf", in this enormous tree, 6-9 hashes must be resolved: from the root, via the intermediate nodes, to the final node that leads to the data we searched for.

In simple terms: whenever a trie lookup is performed to find an account, 8-9 resolve operations are performed. Each resolve operation is a database lookup, and each database lookup can involve any number of actual disk operations. The number of disk operations is hard to estimate, but because the trie keys are cryptographic hashes, the keys are effectively "random", which is the worst-case scenario for any database.

As Ethereum has grown, it has been necessary to increase the gas prices for operations that access the trie. This was done in Tangerine Whistle, at block 2,463,000 in October 2016, which included EIP 150. EIP 150 raised certain gas prices and made other changes to protect against DoS attacks, following the so-called "Shanghai attacks".

Another such increase came in the Istanbul upgrade, at block 9,069,000 in December 2019. In this upgrade, EIP 1884 was activated.

EIP-1884 introduced the following changes:

  • SLOAD went from 200 to 800 gas,
  • BALANCE went from 400 to 700 gas (and a cheaper SELFBALANCE was added),
  • EXTCODEHASH went from 400 to 700 gas.

The problem(s)

In March 2019, Martin Swende was doing some measurements of EVM opcode performance. That research later led to EIP-1884. A few months before EIP-1884 went live, the paper Broken Metre was published (September 2019).

Two Ethereum security experts, Hubert Ritzdorf and Matthias Egli, partnered with one of the paper's co-authors, Daniel Perez, and 'weaponized' an exploit, which they submitted to the Ethereum bug bounty. This was on October 4, 2019.

We recommend that you read the submission in full, as it is a comprehensive, well-written report.

On a channel dedicated to cross-client security, developers from Geth, Parity and Aleth were informed about the submission that same day.

The essence of the exploit is to trigger random trie lookups. A very simple variant would be:

	jumpdest     ; jump label, start of the loop
	gas          ; get a 'random' value on the stack
	extcodesize  ; trigger trie lookup
	pop          ; ignore the extcodesize result
	push1 0x00   ; jump label dest
	jump         ; jump back to the start

In their report, the researchers ran this payload via eth_call against nodes synced to mainnet. These were their numbers when run with 10M gas:

  • 10M gas exploit using EXTCODEHASH (at 400 gas)
  • 10M gas exploit using EXTCODESIZE (at 700 gas)

As is clear, the changes in EIP-1884 did reduce the effects of the attack, but it was not enough.

This was right before Devcon in Osaka. During Devcon, knowledge of the problem was shared among the mainnet client developers. We also met with Hubert and Matthias, as well as Greg Markou (from Chainsafe, who were working on ETC). The report was also sent to ETC developers.

As 2019 drew to a close, we knew we faced bigger problems than we had anticipated. Malicious transactions could result in block times of up to 30 minutes. Further complicating matters, EIP-1884 had broken certain contract flows, which caused a lot of anger in the developer community, and users and miners wanted the block gas limit increased.

Also, two months later, in December 2019, Parity Ethereum announced its exit from the scene, and OpenEthereum took over maintenance of the code base.

A new channel was established for client coordination, where Geth, Nethermind, OpenEthereum and Besu developers continued to cooperate.

The solution(s)

We realized that this would require a two-pronged approach. One approach would be to work on the Ethereum protocol and solve the problem at the protocol layer, preferably without breaking contracts and without penalizing 'good' behavior, while still managing to prevent attacks.

The second approach would be software engineering: changing the data models and structures within the clients.

Protocol work

The first attempt at handling these attacks is here. In February 2020, it was officially launched as EIP 2583. The idea behind it is to impose a penalty for every trie lookup that misses.

However, Peter found a workaround, the "protected relay" attack, which places a limit of 800 on the maximum penalty that can effectively be applied.

The problem with penalties for misses is that the lookup has to happen first, in order to determine whether a penalty should be applied. But if there is not enough gas left to pay the penalty, an unpaid consumption has taken place. Although this results in a throw, these state reads can be wrapped in nested calls, allowing the outer caller to continue the attack without paying the full penalty.

Therefore, we searched for an alternative, and the EIP was eventually dropped.

  • Alexey Akhunov explored the idea of Oil, a secondary source of "gas" that was inherently different from gas: it would be invisible to the execution layer and could cause transaction-global reverts.
  • Martin prepared a similar proposal, Karma, in May 2020.

While these schemes were being worked on, Vitalik Buterin suggested that gas prices should simply be raised and that access lists be maintained. In August 2020, Martin and Vitalik began working on what would become EIP-2929 and its companion EIP, EIP-2930.

EIP-2929 effectively resolved many of these issues.

  • Unlike EIP-1884, which raised costs unconditionally, it raised costs only for things that had not yet been accessed. This leads to a mere sub-percentage increase in net costs.
  • Also, when used together with EIP-2930, it does not break any contract flows.
  • And it can be tuned further with higher gas prices, without breaking anything.

On April 15, 2021, both went live with the Berlin upgrade.
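To illustrate the difference between flat pricing and the cold/warm pricing of EIP-2929, here is an added example (not code from this post or from any client). The gas constants are those of EIP-2929 and EIP-2930; the two workloads and the helper names are constructed for illustration, and the pre-warming of sender, recipient and precompiles is ignored.

```python
# Added example: simplified EIP-2929 warm/cold account-access pricing,
# with optional EIP-2930 access lists. Workloads below are constructed.
FLAT_ACCESS = 700           # EXTCODESIZE / BALANCE / EXTCODEHASH before Berlin
COLD_ACCOUNT_ACCESS = 2600  # EIP-2929: first touch of an address in a transaction
WARM_ACCESS = 100           # EIP-2929: every later touch of the same address
ACCESS_LIST_ADDRESS = 2400  # EIP-2930: price of pre-declaring one address
# Gas for the rest of the loop shown earlier: jumpdest, gas, pop, push1, jump
LOOP_OVERHEAD = 1 + 2 + 2 + 3 + 8


def pre_berlin_gas(touched):
    """Flat pricing: every account access costs the same."""
    return len(touched) * FLAT_ACCESS


def berlin_gas(touched, access_list=()):
    """EIP-2929 pricing; addresses in the EIP-2930 access list start out warm."""
    warm = set(access_list)
    gas = len(warm) * ACCESS_LIST_ADDRESS
    for address in touched:
        gas += WARM_ACCESS if address in warm else COLD_ACCOUNT_ACCESS
        warm.add(address)
    return gas


def worst_case_cold_lookups(gas_budget, access_cost):
    """Upper bound on never-before-seen accounts one gas budget can touch."""
    return gas_budget // (access_cost + LOOP_OVERHEAD)


# Constructed workload: a contract that queries the same 3 accounts 200 times each.
ordinary = ["0xA", "0xB", "0xC"] * 200
# Constructed workload: 600 accesses that never repeat an address.
all_cold = [f"0x{i:040x}" for i in range(600)]

if __name__ == "__main__":
    for name, work in (("ordinary", ordinary), ("all cold", all_cold)):
        print(name, pre_berlin_gas(work), berlin_gas(work))
    print("ordinary + access list", berlin_gas(ordinary, ["0xA", "0xB", "0xC"]))
    for cost in (FLAT_ACCESS, COLD_ACCOUNT_ACCESS):
        print(cost, worst_case_cold_lookups(10_000_000, cost))
```

Repeated accesses to the same accounts stay cheap, while a workload that never repeats an address pays the cold price every time, so the same gas budget buys far fewer uncached trie lookups.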

Development work

Peter's attempt to resolve this issue was dynamic state snapshots, in October 2019.

A snapshot is a secondary data structure that stores the Ethereum state in a flat format, which can be built fully online, during the live operation of a Geth node. The benefit of the snapshot is that it acts as an acceleration structure for state accesses:

  • Instead of doing O(log N) disk reads (x LevelDB overhead) to access an account / storage slot, the snapshot provides direct O(1) access time (x LevelDB overhead).
  • The snapshot supports iteration over accounts and storage at O(1) complexity per entry, which allows remote nodes to retrieve sequential state data at a lower cost than ever before.
  • The snapshot can also be used to prune the state offline and to migrate to other data formats.
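The following added example (not geth code) ties together the trie lookups described under "State" and the flat snapshot described above: it counts node reads in a simplified hexary trie and compares them with a single flat lookup. SHA-256 stands in for Keccak-256, extension nodes are omitted, and the accounts are constructed.

```python
# Added example: node reads per account lookup, simplified trie vs flat snapshot.
import hashlib


def path_of(address: bytes) -> str:
    # SHA-256 stands in for Keccak-256; each hex digit is one nibble of the path.
    return hashlib.sha256(address).hexdigest()


def insert(root: dict, path: str, value) -> None:
    node, depth = root, 0
    while True:
        child = node.get(path[depth])
        if child is None or (isinstance(child, tuple) and child[0] == path):
            node[path[depth]] = (path, value)      # new or updated leaf
            return
        if isinstance(child, tuple):               # collision: push old leaf down
            child = {child[0][depth + 1]: child}
            node[path[depth]] = child
        node, depth = child, depth + 1


def trie_lookup(root: dict, path: str):
    """Return (value, reads); every node visited is one database read."""
    node, reads = root, 1                          # the root node itself
    for nibble in path:
        child = node.get(nibble)
        if child is None:
            return None, reads
        reads += 1
        if isinstance(child, tuple):
            return (child[1] if child[0] == path else None), reads
        node = child
    return None, reads


def average_reads(n_accounts: int):
    """Average reads per lookup as (trie, flat) for n constructed accounts."""
    root, flat = {}, {}
    paths = [path_of(i.to_bytes(20, "big")) for i in range(n_accounts)]
    for i, p in enumerate(paths):
        insert(root, p, i)
        flat[p] = i                                # snapshot: hashed key -> value
    total = 0
    for i, p in enumerate(paths):
        value, reads = trie_lookup(root, p)
        assert value == i == flat[p]               # both views agree
        total += reads
    return total / n_accounts, 1.0                 # a flat lookup is one read
```

Calling `average_reads` with growing account counts shows the trie figure rising with the size of the state, while the flat figure stays at one read per lookup.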

The drawback of the snapshot is that the raw account and storage data is effectively duplicated. In the case of mainnet, this means an extra 25GB of SSD space used.

The idea of the dynamic snapshot had already been started in mid-2019, with the main goal of being an enabler for snap sync. At the time, there were several "big projects" that the geth team was working on:

  • Offline state pruning
  • Dynamic snapshots + snap sync
  • LES state distribution via sharded state

However, it was decided to give snapshots top priority, and the other projects were placed on hold. This laid the foundation for what would become the snap/1 sync algorithm. It was merged in March 2020.

With the "dynamic snapshot" functionality released into the wild, we had some breathing space. In case the Ethereum network were attacked, it would be painful, but it would at least be possible to tell users how to enable the snapshot. The whole snapshot generation is slow, and the network did not yet have a way to sync snapshots.

Tying the strings

In March-April 2021, the snap/1 protocol was rolled out in geth. This makes it possible to sync using the new snapshot-based algorithm. While it is not the default sync mode at this time, it is an important step towards making snapshots useful both as protection and as a significant improvement to the user experience.

On the protocol side, the Berlin upgrade took place in April 2021.

Below are some benchmarks taken from the AWS monitoring environment:

  • Pre-Berlin, no snapshots, 25M gas: 14.3s
  • Pre-Berlin, with snapshots, 25M gas: 1.5s
  • Post-Berlin, no snapshots, 25M gas: ~3.1s
  • Post-Berlin, with snapshots, 25M gas: ~0.3s

The (approximate) numbers indicate that Berlin reduced the effectiveness of the attack by 5x, and the snapshot reduces it by 10x, for a total 50x reduction in impact.

We estimate that currently, on Mainnet (15M gas), it would be possible to create blocks that take 2.5-3s to execute on a Geth node without snapshots. This number will continue to get worse (for nodes without snapshots) as the state grows.

If refunds are used to increase gas consumption within a single block, this may be made worse by an additional factor of (max) 2x. With EIP 1559, the block gas limit is more elastic, allowing a further 2x (the ELASTICITY_MULTIPLIER) in temporary bursts.

Regarding the feasibility of carrying out this attack: the attacker would need to pay for a full block (15M gas at 100 Gwei is 1.5 ether).

Why reveal now

This threat has been an "open secret" for some time. It was publicly disclosed in error only recently, and it has been referenced in ACD calls multiple times without specific details.

Since the Berlin upgrade is now behind us, and since geth nodes use snapshots by default, we believe the threat is low enough that transparency wins out, and that it is time for an open and honest disclosure of what happened behind the scenes.

It is important that the community knows the reasons behind any changes that could adversely impact the user experience.

This post was written by Martin Holst Swende and Peter Szilagyi on April 23, 2021. It was shared with other Ethereum-based projects on April 26, 2021, and publicly announced on May 18, 2021.
