Decentralized Systems Lab at University of Illinois Asks, “Are Your Funds Safe From Fake Stake Attack?”
Over 25 Proof-of-Stake (PoS) networks have been deemed vulnerable to a “fake stake” attack. In a new report by the University of Illinois at Urbana Champaign’s Decentralized Systems Lab, several attack vectors against many proof-of-stake coins were discovered.
What is Proof Of Fake Stake Attack?
Proof-of-Stake (PoS) cryptocurrencies, particularly those based on chain-based PoSv3 (Proof-of-Stake version 3), are comparable to Bitcoin in that they use the UTXO model and longest chain consensus rules. The fundamental difference is that they substitute the Proof-of-Work with proof-of-ownership of coins. Potential benefits of the PoS approach range from reducing environmental impact to better security against 51% attacks. Many cryptocurrencies are in fact forks (or at least descendants) of Bitcoin’s codebase, with the PoS functionality grafted in. However, some design ideas are copied over insecurely, leading to new vulnerabilities that did not exist in the parent codebase.
These vulnerabilities have been called “Fake Stake” attacks. Basically, they work because PoSv3 implementations do not appropriately validate network data before allocating valuable resources. The consequence is that an attacker without much stake can cause a victim node to crash by filling up its disk or RAM with counterfeit data. The University’s team believes that all currencies based on the UTXO and longest chain Proof-of-Stake model are vulnerable to these “Fake Stake” attacks.
While the “fake stake” attacks are simple in principle, they underscore a difficult design challenge: some ideas that make sense in Proof-of-Work do not translate over securely to Proof-of-Stake. Given the high degree of code sharing from Bitcoin Core as “upstream” among PoSv3 cryptocurrencies, it is essential for the top technical minds of blockchain should look at it closely.
Staking nodes in conflict with an attacking node might have no indication as to why their software is failing. Some of the blockchains that have implemented fixes for this vulnerability are Qtum, Emercoin, Particl and Nav Coin.