A recent study by a research team from University of Illinois at Urbana has revealed that 25 proof-of-Stake coins are at risk of attacks after their source code was examined by the researchers.
Proof-of-Stake coins are those that replace mining with coin staking. The new coins are minted by the staked coins which makes holders of most coins able to mint more cryptocurrencies on the network.
Although it has been praised for its energy-saving feature unlike proof-of-work, there are concerns that the system is not as secure as proof-of-work. By using existing coins to mint new ones it was shown by the study that a malicious actor could exploit some networks.
The False Stake Attack
According to the Decentralized Lab of the University which conducted the study, the attack involves a node staking small volume of coins using false data to overwhelm regular nodes staking larger volume of coins.
Over time, the attackers could gain control of other nodes and displace them to the point that they could carry out a 51 percent attack on the network. The approach of this “false stake” attack is to crash legitimate nodes and take control of them.
A successful false stake attack could make the attacker the dominant node that invariably receives most of the staking rewards on the network. The attacker may at a benign level contain the stake of other nodes and reap the most profit.
Concerns Over Proof of Stake Coins
It has been argued in the past that the security of the proof-of-stake rests in the assurance that the dominant nodes staking the most coins would not destabilize the network with 51 percent attack on the network since they are the highest beneficiaries and have everything to lose from such attacks.
The new vulnerability shows that a low staking node can actually take over the network using false stake attack.
Bitcoin Copycat Coins Mostly Vulnerable
According to the researchers although the crypto industry is yet to witness these attacks as the vulnerability is hitherto unknown. The report also stated that coins that modified their code base from Bitcoin are mostly at risk.
The analysts said that the vulnerable coins are those that started with the Bitcoin code but moved over to proof-of-work due to the high energy demand of proof-of-work which has made mining bitcoins expensive.
Peercoin was the first cryptocurrency to adopt this transition. The coin has since had several forks and coins that adopted similar modification strategy. In the report the researchers wrote:
“We call the vulnerabilities we found ‘Fake Stake’ attacks. Essentially, they work because PoSv3 implementations do not adequately validate network data before committing precious resources (disk and RAM). The consequence is that an attacker without much stake (in some cases none at all) can cause a victim node to crash by filling up its disk or RAM with bogus data. We believe that all currencies based on the UTXO and longest chain Proof-of-Stake model are vulnerable to these ‘Fake Stake’ attacks.”
Networks Contacted By Researchers in October
The researchers said they contacted most of the affected coins even though they couldn’t reach some. In response the networks added codes that would make the attack difficult but the researchers are saying that this is not a permanent solution. According to the team, adding codes should not be an alternative to full data validation by the networks.
The researchers said that proof of work is underrated because most networks overlook its important role in network security. The reason is that they view the issue mainly from economic perspective. It pointed out that Bitcoin’s security is based mainly on this,
“Proof-of-Work also plays a second, somewhat less appreciated role, which is guarding access to a node’s limited resources, such as disk, bandwidth, memory, and CPU. In a permission-less cryptocurrency network, peers must not be trusted. So, to prevent against resource exhaustion attacks, Bitcoin nodes first check the PoW for any received blocks before committing more resources, such as storing the block in RAM or on disk. However, it turns out that checking a Proof-of-Stake is a lot more complicated and context-sensitive than validating a Proof-of-Work.”
From the report, proof-of-stake networks must always be up-to-date in keeping track of all chains in the network. It stated that other networks that are vulnerable to the attack includes NAVcoin, Qtum, Emercoin and Particl also stated:
“Validating these off-the-main-chain blocks is difficult. To fully validate the block, you need the set of unspent coins (UTXOs) at the time of the previous block. Bitcoin keeps the UTXO set for the current tip of the best chain, but not for all the other past blocks a fork could start from.”
