68 comments

[ 1.2 ms ] story [ 89.8 ms ] thread
the image in the article is really appropriated, the Turing complete VM of ethereum is a black hole of bugs, on the Genesis, some really bad engineering decisions were made and probably now is too late to change it.
Well... As it is Turing complete you could just as well say that it is a black hole of awesome stuff. Which, of course, is true of any Turing complete language.
> black hole of awesome stuff

that loses your funds, that is the bad part.

Awesome stuff does not lose your funds. That would negate the awesomeness of the stuff.
The image is an eclipse, not a black hole.
visually an eclipse is just a 'Black Hole in the Sky' :)
the eclipse and the "event horizon" images are somewhat similar.
IIUC it's not a bug in the VM that is Turing complete and run the "smart contracts". The bug is in the surrounding code that tries to connect to the real network of the other Ethereum users and decides if the connection is trustworthy. So a similar attack could be run against other coins. [The article says that Bitcoin is safer, but the article doesn't explain why. Can someone give more details?]
>The article says that Bitcoin is safer, but the article doesn't explain why. Can someone give more details?

We wrote a paper [0] in 2015 performing eclipse attacks against Bitcoin. You can watch me talk about it here [1]. At the time it required an attacker with 400 IP addresses. Many of our countermeasures were adopted by Bitcoin-core raising the difficulty of the attack even further. In fact at this very moment I am still working on adding some of our countermeasures to Bitcoin-core [2].

In our attack on Ethereum, only 2 IP addreses were required. We discuss this in our paper:

>"We present new eclipse attacks showing that, prior to the disclosure of this work in January 2018, Ethereum’s peer-to-peer network was significantly less secure than that of Bitcoin. Our eclipse attackers need only control two machines, each with only a single IP address. [..] By contrast, the best known off-path eclipse attacks on Bitcoin [23] require the attacker to control hundreds of host machines, each with a distinct IP address. For most Internet users, it is far from trivial to obtain hundreds (or thousands) of IP addresses. This is why the Bitcoin eclipse attacker envisioned by [23] was a full-fledged botnet or Internet Service Provider, while the BGP-hijacker Bitcoin eclipse attacker envisioned by [17] needed access to a BGP-speaking core Internet router. By contrast, our attacks can be run by any kid with a machine and a script."

-Low-Resource Eclipse Attacks on Ethereum's Peer-to-Peer Network [3]

[0]: https://eprint.iacr.org/2015/263.pdf

[1]: https://www.usenix.org/node/190891

[2]: https://github.com/bitcoin/bitcoin/pull/9037

[3]: http://www.cs.bu.edu/~goldbe/projects/eclipseEth

Out of curiosity, what "really bad engineering decisions" are those?
My view, of course, every decision as a trade-off, everything i say is controversial

- The main ledger and smart contracts should be separated, everyone smart contract is public, why??

the smart contracts should be run on several specific sidechains. Why if I buy a crypto kittie everyone as to know and store the transaction for all eternity.

Wait sharding is coming, yes but will reduce the security guarantees.

There are different solutions for that in the works, from sharding to plasma, etc.. and those have their own challenges & tradeoffs (namely in terms of security, etc..)

However engineering decisions 'on genesis' was over 3-4 years ago and at that time doing a blockchain with smart contracts was already challenge on itself. It's not really fair to take the knowledge and lessons from the present day and claim those in the past without that knowledge made horrible decisions. It's a bit like blaming google for not starting angular 1 with the functionality of angular 4, or saying that John Resig should have created Babel and ES7 features instead of creating jQuery.

> However engineering decisions 'on genesis' was over 3-4 years ago and at that time doing a blockchain with smart contracts was already challenge on itself. It's not really fair

Sorry when I heard about Ethereum plans 4 years ago, I tough it as a terribly bad idea then (I didn't invest because of this, I should have invested stupid me) in 2013 the increase size of blockchain was already an ongoing problem, I simply tought if a decentelized ledger is already problematic to store, let's put a lot of more information on it, it's madness..

> The main ledger and smart contracts should be separated, everyone smart contract is public, why??

You might find Blockstack interesting.

(I don’t have a connection. I’ve just started to explore this space, and have some of those same questions.)

[1] https://blockstack.org/

[2] Jude, “What is the difference between blockstack and Ethereum?”, Blockstack forum, March ‘17. https://forum.blockstack.org/t/what-is-the-difference-betwee...

[3] Alid Castano, “What is the difference between Blockstack and Ethereum?”, Sept. 13 ‘17. https://www.quora.com/What-is-the-difference-between-Blockst...

[4] Alid Castano, “Why I’m betting on Blockstack to save the decentralized internet”, Sept. 12 ‘17. https://medium.com/@alidcastano/why-im-betting-on-blockstack...

> You might find Blockstack interesting.

I didn't know this project I normally hate ICO's (including the original Ethereum ICO) from what I have read on the information you so kindly shared it looks like a much more sensible approach to the distributed permissionless application problem, let's see how it goes.

The whole point of a blockchain is publicly accessible records of the transactions. Why not run your cryptokitties on a private server then? The performance and efficiency would destroy your blockchain version but no one can see what is happening so it can be verified by everyone as true.
Imperative programming languages in a global machine state
This wasn't a flaw with Ethereum itself or its protocol, but rather an issue with one of the its client implementations (go-ethereum), other clients like Parity, Harmony, etc.. are unaffected.
The article states it's only been discovered and mitigated in geth, allegedly the most popular ethereum client; whether other clients are vulnerable is unknown.

This statement from ethereum/geth developer Felix Lange even hedges on how completely the vulnerability has been mitigated, which may not bode well for ethereum in general:

>We have done our best to mitigate the attacks within the limits of the protocol. The paper is concerned with 'low-resource' eclipse attacks. As far as we know, the bar has been raised high enough that eclipse attacks are not feasible without more substantial resources...

He did go on to mention his belief alternative ethereum client Parity isn't vulnerable, so there's that at least.

Is there any other field of computer security where this argument is acceptable? Usable security matters. Ecosystems matter. You cannot put a boundary somewhere in the middle of what the end user sees and call your security job done.

When people majorly botch x509 cert validation because the spec is so monstrously complex that's still a problem with x509.

Ethereum specifically chose to develop around multiple clients to mitigate the risks of implementation errors such as this. It would be ideal if all were perfect from the start, but no software is, security or otherwise.
One can't claim the Web is broken just because a bug was found in one of the many browsers.
A thing I've noticed about cryptocurrency news. The people that are pro cryptocurrency are often far too optimistic and sometimes are not the most academic people. However I've also noticed that those that constantly critique cryptocurrency are often so wrong about their assumptions it's just pointless reading on. It's so hard to actually get a reasonable discussion about cryptocurrency.
Maybe we should create some discussion system where in order to post you need proof of expertise (PoE)
Well it’s hard to be negatively exposed to crypto so the discussion will be biased.
You can short crypto on Cboe and CME. A few minutes on the internet will reveal other means for shorting crypto.
Excellent, and we need to release the token that you will get based on PoE.
Maybe you could count number of Ph.D contributors? I bet Bitcoin has as many or more than every other project combined.
Why do you believe that?
IOTA has a lot of PhD contributors, allegedly
Citation needed. Appeal to authority, with no evidence of competency.
Like Math CAPTCHA, only deeper and with more subject matter versions? One of the math forums (Cut the Knot?) had something like this, that actually required (I think) calculus.

Reputation systems such as HN itself are another approach. These might not scale; or they might require an eigentrust-like system to scale; or scaling via eigentrust might create and reinforce the same kind of filter bubbles we see on social media. Who decides who’s a climate expert?

Steemit is an attempt at a blockchain-based reputation system. Whenever I’ve looked, it’s been dominated by low-quality content, mostly about crypto itself. Maybe this is growing pains, or maybe a reputation system needs a different go-to-market (that bootstraps from an existing platform or community), or maybe wedding reputation to crypto — or at least to crypto that pays out — just isn’t a good idea. (You didn’t exactly suggest that, either; I just riffed my way over to it.)

This idea was what lead to the split up of Jimmy Wales and Larry Sanger on Wikipedia. Sanger went and created Citizendium which was supposed to be wikipedia with only credentialed authors and a panel of peer review.

By all accounts Citizendium failed pretty spectacularly.

I’ve noticed this with Tesla, too.

I imagine that if people could take short or long positions* in programming languages and technologies, it would be difficult to find the current quality of reviews and discussion around those topics.

I’ve been a fan of futarchy and prediction markets, but this phenomenon gives me pause.

* I’m aware that investing time, effort or credibility in a technology is taking a long position in it, but direct financial positions seem to incentivize a different class of behavior (EDIT: probably because they require an investment only of money, rather than of these other resources that produce commitment or knowledge).

Reasonable discussion doesn’t happen on the internet (serious).
I'd say reasonable discussion doesn't happen between strangers.
My experience is that reasonable discussion is a higher percentage of internet discussion than it is of in person discussion. But maybe I hang out in different places to you on the internet, or perhaps the people I spend time with in real life are insufficiently interested in 'reasonable discussion'.
Actually, that's a reasonable statement.

Uh oh. This reasoning is unreasonably self-contradictory.

Maybe not on Reddit, which has an average age and IQ lower than here (in my very strong opinion).

But on the Internet, which is really to say in written form, there's more room for attention span and dissection of arguments. In person, in conversation, you have attention span issues, you have failure to break down definitions and thus people arguing sideways against one another, etc.

It's harder to cheat in the written word.

Even hacker news has a rediculously low signal to noise compared with, say, well moderated community debate or other in person discussion.
There are more than 1500 coins and tokens on the market, I’d wager that you could find a cryptocurrency project that fit almost everything that’s said in those discussions.
That's how you can tell that cryptocurrency really is a from of money... only money could lead to this many strawman arguments and online mudslinging :-)
Don't lump all cryptocurrency together. There are plenty of people who are strong believers in Bitcoin's more simple value proposition of electric cash and more simple scripting language than the complicated ethereum system.
> those that constantly critique cryptocurrency are often so wrong about their assumptions it's just pointless reading on

People often criticize 'crypto' on the basis of technology, but are wrong about the market because the market is driven by psychology, and often disregards the tech.

Like, people might say "oh, so-and-so is vaporware because it's literally just a whitepaper and an empty github repo", and then people go "pfft, whatever you don't understand their vision" - and the value goes up 50x over two weeks.

A thing I've noticed about cryptocurrency news. The people that are pro cryptocurrency are often far too optimistic and sometimes are not the most academic people. However I've also noticed that those that constantly critique cryptocurrency are often so wrong about their assumptions it's just pointless reading on. It's so hard to actually get a reasonable discussion about cryptocurrency.

It might be because of the intersection of different disciplines. For example, a math genius won't necessarily understand law, politics and/or economic policy.

The others probably won't understand math.

A marketing / CEO type might understand the business angle.

Don't even get me started with 'journalists' who have to report on any of these areas. It's hard.

There's some sort of Peter Principle effect where people from the various fields present themselves (perhaps sometimes accidentally) as experts in the other areas. Sorry, but knowing advanced cryptographic algorithms doesn't give you the authority such that I'm going to believe your predictions about law or politics. If you're an MBA/marketing type, hearing you talk about asymmetric encryption sometimes leads me to cringe.

Meanwhile, the people who actually COMMENT on cryptocurrency news are the worst. They range from "there's nobody home in the head" types that type in all-caps comments that look more like wishes about 'the moon', or perhaps some attack against the FED and money-printing that they repeat; to baby boomers who scream about tulips and that you can't touch the digital assets.

It's a disaster of information overload. The best you can do is observe, place your bets (if you're the betting type) and watch passively.

I'm not sure if you are just following these lambo-moon kids on the internet. There are many many smart people working in the cryptocurrency. Just start following Naval Ravikanth, Adam Back, Balaji Srinivasan, Meltem Demirors et al.
I once had a very expensive chat with Naval and I told him that I was fairly confident that Mt Gox was insolvent. He was quite confident that it wasn't. Lesson: Don't trust anybody in crypto. I'm glad I didn't.
Discussion are commonly emotional, rather then rational - it's freedom, it's getting rid of banks, it's a scam, it's a secret project by the NSA, etc... and it's also politically charged topic, and everyone has an opinion, because a lot of people own crypto currency/mine or at least know someone who has. Its rare to see so many people interested in a given topic.

There are great resources, although the are commonly rather vertical, then horizontal by topic. E.g. there is a lot of great technical information out around Bitcoin, how it works, wiki pages that discuss the code and algorithms in details - really useful stuff, e.g: https://bitcoin.org/en/developer-guide

Its rare though to find a more "cross-disciple" assessment/analysis of crypto currencies (political, economic impcat, society changes,...). If anyone has good resources, please share.

Most of the worthwhile discussion happens on email lists and old clunky forums. There used to be subreddits that were decent, but that time has passed.
For those interested, here's the paper: https://www.cs.bu.edu/~goldbe/projects/eclipseEth.pdf

Here's the partial-implementation of Countermeasure 2 in geth: https://github.com/ethereum/go-ethereum/pull/16069

Of note, this fix is still susceptible to attacks, though still an improvement:

> Since geth v1.8.0 still allows the attacker to freely craft node IDs that land in specific buckets, the partial implementation of Countermeasure 2 in geth v1.8.0 means that for a given victim’s table, there can be at most 10 attacker node IDs associated with each attacker IP address. While this improves on the situation prior to geth v1.8.0 (where we could eclipse our victim using just one or two IP addresses), it does not raise the bar for attackers quite as high as we had hoped.

Still making my way through the paper and the PR to identify other things fixed. Here's the entire 1.8 release: https://github.com/ethereum/go-ethereum/releases/tag/v1.8.0

> The fix for the second attack involved limiting the number of outgoing connections a target can make to the same /24 chunk of IP address to 10. The changes are designed to make it significantly harder to completely isolate a user from other legitimate users.

Maybe it is the way the article is written, or how I've read it, but the original flaw involved just 2 nodes w/ 2 IP address. This fix sounds like you need 2 nodes w/ 2 IP addresses that don't have the same /24 octal? Is it that much more difficult?

> When even a single node presents users with a different version of the blockchain, they will be warned of an error that effectively defeats the attack.

Doesn't this just mean the attacker has to make sure to control all 13 connections before starting the attack?

This is an attack on the Kademlia DHT.

Why exactly does Ethereum use Kademlia anyway?

Kademlia's main purpose is to find content distributed among a small percentage of nodes.

Ethereum doesn't need this, since the entire blockchain is stored on every node.

And does the attack also work against other applications that use Kademlia, such as IPFS and I2P?

There are some fun systemic probabilistic attacks based on peer discovery.

One such principle which doesn't need many attacking nodes, rely on peers self-clustering themselves over time is the following :

You divide the peer network in 2 groups. Using a few number of attacking nodes, when a peer from one group ask you for a node you know, you answer with a peer from the same group. Then each peer from each group is more likely to recommend a peer from the same group. Over time bias accumulate, and cluster forms, with very few bridges between the two groups which you control.

Obviously it can be mitigated easily by adding some hard-coded "central" nodes or monitoring the network.

Afaik robust peer discovery in p2p network is still not solved.

After CryptoKitties, it's difficult to take Ethereum seriously.
That's like saying "after the fart app, it's hard to take iOS seriously".
I don't really take iOS all that seriously, either.

Of all the things anyone would trade for money Cryptokitties is really riding the line between smart and so dumb it devalues the concept of Ethereum, which might have been the point.

So...because we got hamsterdance.com at one point I guess that means the internet is hard to take seriously?
Hamsterdance.com was a masterpiece of early Internet adoption. Try to get anything that viral.

Ethereum is a weak attempt at money laundering.

Isn't relying on IP diversity as a measure of attack difficulty a bad assumption in the first place? If an attacker has access to the cable outside my home, then they can pretend to control as many IPs as they want.

It seems to me that the most reliable defense against eclipse attacks is to just compare the block rate of the longest chain we know about to the historical average. If the block rate is roughly normal, then either we're seeing the real longest chain, or an attacker has acquired nearly 50% of hash power, which is unlikely.

The same idea works with proof of stake -- if the participation rate drops substantially below the historical average, we're probably not seeing the main chain, and we shouldn't consider anything final until the participation rate return to normal.

> Isn't relying on IP diversity as a measure of attack difficulty a bad assumption in the first place? If an attacker has access to the cable outside my home, then they can pretend to control as many IPs as they want.

If an attacker has access to the cable outside your home they have already won, it's game over.

>It seems to me that the most reliable defense against eclipse attacks is to just compare the block rate of the longest chain we know about to the historical average. If the block rate is roughly normal, then either we're seeing the real longest chain, or an attacker has acquired nearly 50% of hash power, which is unlikely.

Block creation have high variance. Over short periods of time, say a few hours no blocks being announced is fairly common. Over long periods of time how do you know the mining power has not decreased or increased at a slow rate than your person prediction.

>The same idea works with proof of stake -- if the participation rate drops substantially below the historical average, we're probably not seeing the main chain, and we shouldn't consider anything final until the participation rate return to normal.

Interesting you can design PoS systems such that if not a quorum of stake is online, no new blocks are created. Algorand has some very neat properties in this regard.

> If an attacker has access to the cable outside your home they have already won, it's game over.

Not if I'm looking at the block times or PoS participation rates. The attacker can feed me their own fork while preventing me from seeing the actual highest-difficulty chain, but their fork will be suspiciously weak, so I'll know not to trust it.

> Block creation have high variance. Over short periods of time, say a few hours no blocks being announced is fairly common. Over long periods of time how do you know the mining power has not decreased or increased at a slow rate than your person prediction.

Yeah; with Bitcoin you would need to wait several hours to get a good estimate of hash power. With more granular blockchains like Ethereum you could get a good estimate more quickly.

>Not if I'm looking at the block times or PoS participation rates. The attacker can feed me their own fork while preventing me from seeing the actual highest-difficulty chain, but their fork will be suspiciously weak, so I'll know not to trust it.

Would be really interested to read a paper that invents a confirmation sureness metric based on distances between block times which takes into account eclipse attacks.