网络与信息安全学报 (Apr 2022)
Defense scheme for the world state based attack in Ethereum
Abstract
Ethereum is taken as the representative platform of the second generation of blockchain systems. Ethereum can support the development of different distributed applications by running smart contracts. A local database is used to store the account state (named the world state) for efficient validation of transactions, and the state root is stored in the block header to guarantee the integrity of the state. However, some research has revealed that the local database can easily be tampered with, and attackers can issue illegal transactions based on the modified account state to obtain illegitimate benefits. This world-state based security problem was introduced, and the preconditions for the attack were analyzed. Compared with the two common security threats under PoW (proof of work) consensus, it was found that when the attacker controls the same mining computing power, the world-state based attack brings higher risk, and its success rate approaches 100%. To deal with this threat, a practical scheme for attack detection and defense was proposed. A secondary verification and a data recovery process were added to the Ethereum source code. The feasibility and complexity of the proposed scheme were evaluated with single-machine multi-threading experiments. The proposed scheme improves Ethereum's tolerance to malicious tampering of the account state, and is applicable to other blockchain platforms that use a local database for transaction validation, such as Hyperledger Fabric. In addition, the time and computational overhead introduced by the proposed scheme are not prominent, so it has good applicability and an acceptable impact on the performance of the original system.
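The following is an added illustration, not code from the paper or from Ethereum: it shows why validating a transaction against a local database alone lets a tampered balance through, and how a secondary verification that recomputes the state root and compares it with the header root detects the tampering and falls back to a trusted snapshot. It assumes a simplified binary Merkle root over SHA-256 leaves as a stand-in for Ethereum's Merkle Patricia Trie, and all account data is constructed sample input.

```python
import copy
import hashlib
import json

def leaf_hash(address: str, account: dict) -> str:
    # Leaf = SHA-256 of a canonical encoding of (address, nonce, balance).
    payload = json.dumps([address, account["nonce"], account["balance"]], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def state_root(world_state: dict) -> str:
    # Binary Merkle root over leaves sorted by address; a toy stand-in (assumption)
    # for the Merkle Patricia Trie root Ethereum commits in the block header.
    level = [leaf_hash(addr, world_state[addr]) for addr in sorted(world_state)]
    if not level:
        return hashlib.sha256(b"").hexdigest()
    while len(level) > 1:
        if len(level) % 2:          # duplicate the last node on odd-sized levels
            level.append(level[-1])
        level = [hashlib.sha256((level[i] + level[i + 1]).encode()).hexdigest()
                 for i in range(0, len(level), 2)]
    return level[0]

def naive_validate(local_state: dict, sender: str, amount: int) -> bool:
    # Validation that trusts the local database as-is: an inflated balance passes.
    return local_state[sender]["balance"] >= amount

def verify_and_recover(local_state, header_root, trusted_snapshot):
    # Secondary verification: recompute the root from the local DB and compare it with
    # the header root; on mismatch, recover from a snapshot that does match the header.
    if state_root(local_state) == header_root:
        return "ok", local_state
    if state_root(trusted_snapshot) != header_root:
        return "unrecoverable", None
    return "recovered", copy.deepcopy(trusted_snapshot)

def validate_transfer(local_state, header_root, trusted_snapshot, sender, amount):
    # Returns (accepted, verification_status) for a transfer of `amount` from `sender`.
    status, state = verify_and_recover(local_state, header_root, trusted_snapshot)
    if state is None:
        return False, status
    return state[sender]["balance"] >= amount, status

# Constructed sample: the honest world state committed in a block header, and a copy of
# the local database in which the balance of 0xA has been inflated by tampering.
HONEST_STATE = {"0xA": {"nonce": 1, "balance": 100}, "0xB": {"nonce": 0, "balance": 50}}
HEADER_ROOT = state_root(HONEST_STATE)
SNAPSHOT = copy.deepcopy(HONEST_STATE)
TAMPERED_STATE = copy.deepcopy(HONEST_STATE)
TAMPERED_STATE["0xA"]["balance"] = 1_000_000
```

With the tampered database, `naive_validate(TAMPERED_STATE, "0xA", 5000)` accepts the transfer, while `validate_transfer(TAMPERED_STATE, HEADER_ROOT, SNAPSHOT, "0xA", 5000)` detects the root mismatch, restores the snapshot and rejects it.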
Keywords