TY - GEN
T1 - NURGLE: Exacerbating Resource Consumption in Blockchain State Storage via MPT Manipulation
AU - He, Zheyuan
AU - Li, Zihao
AU - Qiao, Ao
AU - Luo, Xiapu
AU - Zhang, Xiaosong
AU - Chen, Ting
AU - Song, Shuwei
AU - Liu, Dijun
AU - Niu, Weina
PY - 2024/5
Y1 - 2024/5
N2 - Blockchains, with intricate architectures, encompass various components, e.g., consensus network, smart contracts, decentralized applications, and auxiliary services. While offering numerous advantages, these components expose various attack surfaces, leading to severe threats to blockchains. In this study, we unveil a novel attack surface, i.e., the state storage, in blockchains. The state storage, based on the Merkle Patricia Trie, plays a crucial role in maintaining blockchain state. Besides, we design NURGLE, the first Denial-of-Service attack targeting the state storage. By proliferating intermediate nodes within the state storage, NURGLE forces blockchains to expend additional resources on state maintenance and verification, impairing their performance. We conduct a comprehensive and systematic evaluation of NURGLE, including the factors affecting it, its impact on blockchains, its financial cost, and practically demonstrating the resulting damage to blockchains. The implications of NURGLE extend beyond the performance degradation of blockchains, potentially reducing trust in them and the value of their cryptocurrencies. Additionally, we further discuss three feasible mitigations against NURGLE. At the time of writing, the vulnerability exploited by NURGLE has been confirmed by six mainstream blockchains, and we received thousands of USD bounty from them.
AB - Blockchains, with intricate architectures, encompass various components, e.g., consensus network, smart contracts, decentralized applications, and auxiliary services. While offering numerous advantages, these components expose various attack surfaces, leading to severe threats to blockchains. In this study, we unveil a novel attack surface, i.e., the state storage, in blockchains. The state storage, based on the Merkle Patricia Trie, plays a crucial role in maintaining blockchain state. Besides, we design NURGLE, the first Denial-of-Service attack targeting the state storage. By proliferating intermediate nodes within the state storage, NURGLE forces blockchains to expend additional resources on state maintenance and verification, impairing their performance. We conduct a comprehensive and systematic evaluation of NURGLE, including the factors affecting it, its impact on blockchains, its financial cost, and practically demonstrating the resulting damage to blockchains. The implications of NURGLE extend beyond the performance degradation of blockchains, potentially reducing trust in them and the value of their cryptocurrencies. Additionally, we further discuss three feasible mitigations against NURGLE. At the time of writing, the vulnerability exploited by NURGLE has been confirmed by six mainstream blockchains, and we received thousands of USD bounty from them.
M3 - Conference article published in proceeding or book
SP - 128
EP - 128
BT - 2024 IEEE Symposium on Security and Privacy
ER -