As Strong As Its Weakest Link: How to Break Blockchain DApps at RPC Service

Li, Kai; Chen, Jiaqi; Liu, Xianghong; Tang, Yuzhe; Wang, Liu

doi:10.14722/ndss.2021.23108

Cited by 23 publications

(13 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Marketplace selection. In line with the previous work [70], we use DAPPRADAR [11], a popular tracker of dApps, to choose marketplaces for analysis. We initially selected 7 out of a total of 35 marketplaces (Table 1) listed in DAPPRADAR.…”

Section: Data Collectionmentioning

confidence: 99%

Understanding Security Issues in the NFT Ecosystem

Das¹,

Bose²,

Ruaro³

et al. 2021

Preprint

View full text Add to dashboard Cite

Non-Fungible Tokens (NFTs) have emerged as a way to collect digital art as well as an investment vehicle. Despite having been popularized only recently, over the last year, NFT markets have witnessed several high-profile (and high-value) asset sales and a tremendous growth in trading volumes. However, these marketplaces have not yet received much scrutiny. Most academic researchers have analyzed decentralized finance (DeFi) protocols, studied attacks on those protocols, and developed automated techniques to detect smart contract vulnerabilities. To the best of our knowledge, we are the first to study the market dynamics and security issues of the multi-billion dollar NFT ecosystem.In this paper, we first present a systematic overview of how the NFT ecosystem works, and we identify three major actors: marketplaces, external entities, and users. We study the design of the underlying protocols of the top 8 marketplaces (ranked by transaction volume) and discover security, privacy, and usability issues. Many of these issues can lead to substantial financial losses. During our analysis, we reported 5 security bugs in 3 top marketplaces; all of them have been confirmed by the affected parties. Moreover, we provide insights on how the entities external to the blockchain are able to interfere with NFT markets, leading to serious consequences. We also collect a large amount of asset and event data pertaining to the NFTs being traded in the examined marketplaces, and we quantify malicious trading behaviors carried out by users under the cloak of anonymity. Finally, we studied the 15 most expensive NFT sales to date, and discovered discrepancies in at least half of these transactions.

show abstract

Section: Data Collectionmentioning

confidence: 99%

Understanding Security Issues in the NFT Ecosystem

Das¹,

Bose²,

Ruaro³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Specifically, there may be supernodes that connect to all other nodes, "bridge" nodes that control the connection to the backend of critical services, and topology-critical nodes removing which may lead to partitioned networks. Directing denial-of-service attacks onto these critical nodes, using attack vectors recently discovered [34,35], can lead to consequences such as crippled blockchain services and the censorship of individual transactions.…”

Section: Implication To Blockchain Securitymentioning

confidence: 99%

“…A blockchain system relies on an underlying peer-to-peer (P2P) network to propagate information including recent transactions and blocks. The topology of the P2P network is foundational to the blockchain's availability under network partitions, its security against a variety of attacks (e.g., eclipsing targeted nodes [29], denial of specific node service [34,35], and deanonymization of transaction senders [20,33]), and its performance (e.g., mining power utilization [27] and the quality of RPC services [4,7,14]). Details are in § 3.…”

Section: Introductionmentioning

confidence: 99%

TopoShot: Uncovering Ethereum's Network Topology Leveraging Replacement Transactions

Li,

Tang,

Chen

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Ethereum relies on a peer-to-peer overlay network to propagate information. The knowledge of Ethereum network topology holds the key to understanding Ethereum's security, availability, and user anonymity. However, an Ethereum network's topology is stored in individual nodes' internal routing tables, measuring which poses challenges and remains an open research problem in the existing literature.This paper presents T S , a new method uniquely repurposing Ethereum's transaction replacement/eviction policies for topology measurement. T S can be configured to support Geth, Parity and other major Ethereum clients. As validated on local nodes, T S achieves 100% measurement precision and high recall (88% ∼ 97%). To efficiently measure the large Ethereum networks in the wild, we propose a non-trivial schedule to run pair-wise measurements in parallel. To enable ethical measurement on Ethereum mainnet, we propose workload-adaptive configurations of T S to minimize the service interruption to target nodes/network.We systematically measure a variety of Ethereum networks and obtain new knowledge including the full-network topology in major testnets (Ropsten, Rinkeby and Goerli) and critical sub-network topology in the mainnet. The results on testnets show interesting graph-theoretic properties, such as all testnets exhibit graph modularity significantly lower than random graphs, implying resilience to network partitions. The mainnet results show biased neighbor selection strategies adopted by critical Ethereum services such as mining pools and transaction relays, implying a degree of centralization in real Ethereum networks.

show abstract

“…Our proof-of-concept patch is based on MetaMask in version 10.0.3 and consists of approximately 100 lines of JavaScript code. 13 Limitations: Note that we do not prevent DeFi sites from making an active effort to learn the user's real Ethereum address. The user's real address can easily be determined by taking the wallet balance and searching the blockchain for an address that has that exact balance.…”

Section: Design and Implementation Detailsmentioning

confidence: 99%

“…12 The derived address is essentially a fresh Ethereum address and therefore contains no Ether. 13 The code is available at https://github.com/brave-experiments/defi-privacy-measurements. Fig.…”

Section: Design and Implementation Detailsmentioning

confidence: 99%

Security, Privacy, and Decentralization in Web3

Winter¹,

Lorimer²,

Snyder³

et al. 2021

Preprint

View full text Add to dashboard Cite

Much of the recent excitement around decentralized finance (DeFi) comes from hopes that DeFi can be a secure, private, less centralized alternative to traditional finance systems but the accuracy of these hopes has to date been understudied; people moving to DeFi sites to improve their privacy and security may actually end up with less of both.In this work, we improve the state of DeFi by conducting the first measurement of the privacy and security properties of popular DeFi applications. We find that DeFi applications suffer from the same kinds of privacy and security risks that frequent other parts of the Web. For example, we find that one common tracker has the ability to record Ethereum addresses on over 56% of websites analyzed. Further, we find that many trackers on DeFi sites can trivially link a user's Ethereum address with pii (e.g., name or demographic information) or phish users. This work also proposes remedies to the vulnerabilities we identify, in the form of improvements to the most common cryptocurrency wallet. Our wallet modification replaces the user's real Ethereum address with site-specific addresses, making it harder for DeFi sites and third parties to (i) learn the user's real address and (ii) track them across sites.

show abstract

As Strong As Its Weakest Link: How to Break Blockchain DApps at RPC Service

Cited by 23 publications

References 15 publications

Understanding Security Issues in the NFT Ecosystem

Understanding Security Issues in the NFT Ecosystem

TopoShot: Uncovering Ethereum's Network Topology Leveraging Replacement Transactions

Security, Privacy, and Decentralization in Web3

Contact Info

Product

Resources

About