VeriBlock Foundation Discloses MESS Vulnerability In Ethereum Classic Blockchain
The Vulnerability Would Render Ethereum Classic Perpetually Unable To Confirm Transactions
The team behind the VeriBlock® Blockchain project, which extends Bitcoin’s Proof-of-Work (“PoW”) security to the world’s blockchains in an entirely Decentralized, Trustless, Transparent, and Permissionless (“DTTP®”) manner, published details on a critical security vulnerability in Ethereum Classic’s MESS protocol that they disclosed to ETC developers last October, prior to the activation of the consensus technology on the mainnet.
The VeriBlock team intentionally omitted one detail from the disclosure to give ETC devs and their community additional time to deactivate the vulnerable technology before it is exploited in the real world. The viability of the attack can be demonstrated without this detail, and the team will provide a version of the disclosure including the omitted detail to any Ethereum Classic developers who want to investigate the vulnerability further.
Following a successful 51% attack against Ethereum Classic in January of 2019 and three consecutive attacks in August of 2020, which resulted in the theft of over $5M worth of cryptocurrency, the Ethereum Classic community adopted the MESS (“Modified Exponential Subjective Scoring”) consensus technology on Oct. 11, 2020, in an attempt to prevent future 51% attacks on the network.
MESS builds on a subjective scoring solution originally proposed in 2014 and expanded upon in 2016 by Ethereum Founder Vitalik Buterin.
However, the subjective nature of MESS introduced a much more damaging vulnerability, VeriBlock Co-Founder and CTO Maxwell Sanchez explains. “Subjective scoring means two different nodes can permanently disagree on the correct state of the blockchain. Our disclosure explains how an attacker could exploit this subjectivity to permanently fracture the network into disjoint partitions, rendering the blockchain unable to achieve global consensus and perpetually preventing the confirmation of transactions.”
As the VeriBlock team’s security disclosure demonstrates, an attacker can not only fracture the network but also stabilize the attack over a period of several hours to fabricate a state where Ethereum Classic can no longer converge on a single global blockchain state.
The team also notes that the vulnerability is not due to an implementation mistake or incorrect parameterization of the protocol, but rather the fundamental nature of technologies like MESS.
“At the time of discovery last October, the exploit would have cost somewhere around $10K to execute using hashing power readily available on hashrate marketplaces like NiceHash. We estimate the attack could still be executed for less than $50K, and sufficient hashrate is currently available for rental to successfully pull off the attack,” notes Sanchez.
In addition to publishing the vulnerability disclosure, the VeriBlock team has also open-sourced their simulation environment, allowing anyone to run a demonstration of the attack themselves to understand how the exploit works.
“While the economic motivation of a bifurcation attack is much more nuanced than a 51% attack, the existence of derivative markets where attackers could short ETC certainly provides sufficient financial incentive for this type of attack,” explains Sanchez.