Scavenging Attacks in "Post-Smuggling Era"

Author：Knownsec 404 Blockchain Security Research Team
Date：2018/8/20
Chinese version：https://paper.seebug.org/673/

0x00 Introduction

August 01, 2018, the Knownsec 404 Blockchain Security Research Team has published a paper(Exhilarating Coin, Maverick Thief – Various Coin Stolen Tricks of Ethereum JSON-RPC Interface) which has introduced “Smuggling Vulnerability” and “ether and tokens stealing in ‘Post-Smuggling Era'”. It has revealed three ways of stealing: Offline Attack, Replay Attack, Blast Attack.

We also found a supplementary to these attacks in further research: Scavenging Attacks. The attackers resort to the miner or have the computing power to get the right to package the transaction into the block. They construct a transaction with a gasPrice of 0 on an attacked node in the “Smuggling Vulnerability”, waiting for the users to unlock the signature account broadcast. The attackers also set a malicious node to receive the transaction and pack the qualified transactions to implement 0 gas transfer. Through this kind of attack, they can obtain all the ether which are not enough or barely enough to pay the fee on the node. And to a certain extent, it can prevent the race of other attackers. It’s a paragon like “gathering wool”.

In addition, after gathering enough residues of ether, the attackers stared at the tokens in the accounts which had been stolen. Until now, some tokens in the stolen accounts are still being attacked by “Scavenging Attacks” for gathering small amount tokens.

This article will start with a 0 gas transaction, simulate and recurrent the actual process of stolen currency and analyze the key points of the success of scavenging attack.

0x01 Starting with a 0 gas Transaction

In the blockchain system, each transaction should come with a portion of gas and the corresponding gasPrice as a fee. This fee will be rewarded to the miners who completed the package when the transaction is packaged into the block.

In the “Exhilarating Coin, Maverick Thief – Various Coin Stolen Tricks of Ethereum JSON-RPC Interface” we have mentioned an attacker account that uses the Ethereum JSON-RPC interface 0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464.(https://etherscan.io/address/0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464) The attackers scan the open RPC port on the public network and construct a high-fee transaction request. Once the user unlocks his account, the balance is transferred to the attackers’ account or the contract account created by the attackers.

When analyzing the transaction information of the account, we found a transaction that wasn’t in common sense. We can start with it.

The transaction address:

0xb1050b324f02e9a0112e0ec052b57013c16156301fa7c894ebf2f80ac351ac22
(https://https://etherscan.io/tx/0xb1050b324f02e9a0112e0ec052b57013c16156301fa7c894ebf2f80ac351ac22)

Function: transfer(address _to, uint256 _value)

MethodID: 0xa9059cbb
[0]:  000000000000000000000000957cd4ff9b3894fc78b5134a8dc72b032ffbc464
[1]:  000000000000000000000000000000000000000000000000000000000abe7d00

Although the transaction from 0x00a329c0648769a73afac7f9381e08fb43dbea72
(https://etherscan.io/address/0x00a329c0648769a73afac7f9381e08fb43dbea72) to Minereum Token(the attacker’s contract) has a few user balance, the transaction uses all the balance of the account as the value of interacting with the contract. It uses a normal amount of gas, but the gasPrice is set to 0.

As mentioned above, the attackers will use a higher fee to ensure the success of their transaction. The miners will sort the gasPrices of each transaction in the txpool of this node in reverse order, and preferentially package the high gasPrice transaction into the subsequent blocks. There are countless transactions happening all the time in this world. The lowest gasPrice for a transaction was 3Gwei on the last 7 days. How did this 0 gas transaction happen and how it was packaged into the block?

0X02 Ideas Analysis

In the blockchain system, anyone can join the blockchain network and become one of the nodes, participating in keeping accounts, mining and other operations. The core of the credibility and decentralization of the blockchain is the consensus mechanism.

Consensus Mechanism

In Ethereum, the miner packs the hash value of the previous block, the transaction with a high cost in txpool, the timestamp, etc., and continuously calculates the nonce to mine. The miner who first obtains the qualified nonce value will have the right to book, gets the fee and mining reward. The miner will broadcast the obtained block and it will be verified by the other nodes. If there is no error, the new block is considered to be generated and the blockchain height is increased. This is the process of each node generates a new block to maintain consensus.

There are two issues need to be confirmed to complete 0 gasPrice transactions.

• Whether the miner will accept the transaction and package it.
• Whether the remaining nodes reach a consensus on the block containing this transaction when it is received.

Next, we will test the operations related to the 0 gasPrice transactions. Finding out how 0 gas transactions are generated, how they accepted by txpool, whether the block that was packaged with the 0 gas transaction could be recognized, and answer to the above question was confirmed.

0x03 0 gas Transaction Test

a.Single Node Test

First, let’s confirm whether the transaction can enter the node’s txpool and enable a test chain. Its default RPC port is 8545 and uses a python web3 package to initiate a 0 gasPrice transfer.

geth --networkid 233 --nodiscover --verbosity 6 --ipcdisable --datadir data0 --rpc --rpcaddr 0.0.0.0 console

The first node initiates the transfer script and unlocks the accounts before transferring the account.

from web3 import Web3, HTTPProvider
web3 = Web3(HTTPProvider("http://localhost:8545/"))

print(web3.eth.accounts)
# Unlock your account before transferring money
web3.eth.sendTransaction({
    "from":web3.eth.accounts[0],
    "to":web3.eth.accounts[1],
    "value": 10,
    "gas":21000,
    "gasPrice":0,
})

Interaction result

> txpool.content
{
  pending: {},
  queued: {}
}
> eth.getBalance(eth.accounts[0])
800000000
> personal.unlockAccount(eth.accounts[0],'sissel')
true
> INFO [08-14|11:20:14.972] Submitted transaction                    fullhash=0x72e81751d2517807cabad24102d3cc2f0f4f2e8b92f1f106f1ee0bf6be734fe4 recipient=0x92636b228148e2824cB8d472Ef2F4e76f2F5059C
> txpool.content
{
  pending: {
    0x092fda221a114FA702e2f59C217C92cfEB63f5AC: {
      3: {
        blockHash: "0x0000000000000000000000000000000000000000000000000000000000000000",
        blockNumber: null,
        from: "0x092fda221a114fa702e2f59c217c92cfeb63f5ac",
        gas: "0x5208",
        gasPrice: "0x0",
        hash: "0x72e81751d2517807cabad24102d3cc2f0f4f2e8b92f1f106f1ee0bf6be734fe4",
        input: "0x",
        nonce: "0x3",
        r: "0x1eca20e3f371ed387b35ca7d3220789399a3f64c449a825e0fa7423b96ce235c",
        s: "0x35a58e5cb5027c7903c1f1cc061ae846fb5150186ebbabb2b0766e4cbfc4aee6",
        to: "0x92636b228148e2824cb8d472ef2f4e76f2f5059c",
        transactionIndex: "0x0",
        v: "0x42",
        value: "0xa"
      }
    }
  },
  queued: {}
}
> miner.start(1)
INFO [08-14|11:20:35.715] Updated mining threads                   threads=1
INFO [08-14|11:20:35.716] Transaction pool price threshold updated price=18000000000
null
INFO [08-14|11:20:35.717] Starting mining operation
> INFO [08-14|11:20:35.719] Commit new mining work                   number=115 txs=1 uncles=0 elapsed=223µs
> mINFO [08-14|11:20:36.883] Successfully sealed new block            number=115 hash=ce2f34…210039
INFO [08-14|11:20:36.885] ? block reached canonical chain          number=110 hash=2b9417…850c25
INFO [08-14|11:20:36.886] ? mined potential block                  number=115 hash=ce2f34…210039
INFO [08-14|11:20:36.885] Commit new mining work                   number=116 txs=0 uncles=0 elapsed=202µs
> miner.stop()
true
> eth.getBalance(eth.accounts[0])
799999990

The 0 gas transaction initiated by the first node is successful, and the transaction is successfully packaged into the block after mining.

b.Multi-node Consensus test

Now let’s join another node.

geth  --datadir "./" --networkid 233 --rpc  --rpcaddr "localhost" --port 30304 --rpcport "8546" --rpcapi "db,eth,net,web3" --verbosity 6 --nodiscover console
> admin.nodeInfo
> admin.addPeer()
> admin.peers

The first node still uses the script to initiate a 0 gas transaction, and its txpool was successfully appended. But the second node illegally rejected the transaction because of gasPrice.

TRACE[08-15|10:09:24.682] Discarding invalid transaction           hash=3902af…49da03 err="transaction underpriced"

> txpool.content
 []

We found the parameters related to this in the configuration of the geth.

--txpool.pricelimit value    Minimum gas price limit to enforce for acceptance into the pool (default: 1)

Change it to 0 when it starts, but the transaction still does not appear in the txpool of the second node.

转载请注明：IAMCOOL » Scavenging Attacks in "Post-Smuggling Era"