The vulnerability would render Ethereum Classic perpetually unable to confirm transactions.
GEORGE TOWN, Cayman Islands, July 8, 2021 (Newswire.com) - Today, the team behind the VeriBlock® Blockchain project, which extends Bitcoin's Proof-of-Work ("PoW") security to the world's blockchains in an entirely Decentralized, Trustless, Transparent, and Permissionless ("DTTP®") manner, published details on a critical security vulnerability in Ethereum Classic's MESS protocol they disclosed to ETC developers last October, prior to the activation of the consensus technology on the mainnet.
The VeriBlock team intentionally omitted one detail from the disclosure to give ETC devs and their community additional time to deactivate the vulnerable technology before it is exploited in the real world. The viability of the attack can be demonstrated without this detail, and the team will provide a version of the disclosure including the omitted detail to any Ethereum Classic developers who want to investigate the vulnerability further.
Following a successful 51% attack against Ethereum Classic in January of 2019 and three consecutive attacks in August of 2020, which resulted in the theft of over $5M worth of cryptocurrency, the Ethereum Classic community adopted the MESS ("Modified Exponential Subjective Scoring") consensus technology on Oct. 11, 2020, in an attempt to prevent future 51% attacks on the network.
MESS builds on a subjective scoring solution originally proposed in 2014 and expanded upon in 2016 by Ethereum Founder Vitalik Buterin.
However, the subjective nature of MESS introduced a much more damaging vulnerability, VeriBlock Co-Founder and CTO Maxwell Sanchez explains. "Subjective scoring means two different nodes can permanently disagree on the correct state of the blockchain. Our disclosure explains how an attacker could exploit this subjectivity to permanently fracture the network into disjoint partitions, rendering the blockchain unable to achieve global consensus and perpetually preventing the confirmation of transactions."
As the VeriBlock team's security disclosure demonstrates, an attacker can not only fracture the network but also stabilize the attack over a period of several hours to fabricate a state where Ethereum Classic can no longer converge on a single global blockchain state.
The team also notes that the vulnerability is not due to an implementation mistake or incorrect parameterization of the protocol, but rather the fundamental nature of technologies like MESS.
"At the time of discovery last October, the exploit would have cost somewhere around $10K to execute using hashing power readily available on hashrate marketplaces like NiceHash. Today, we estimate the attack could still be executed for less than $50K, and sufficient hashrate is currently available for rental to successfully pull off the attack," notes Sanchez.
In addition to publishing the vulnerability disclosure, the VeriBlock team has also open-sourced their simulation environment, allowing anyone to run a demonstration of the attack themselves to understand how the exploit works.
"While the economic motivation of a bifurcation attack is much more nuanced than a 51% attack, the existence of derivative markets where attackers could short ETC certainly provide sufficient financial incentive for this type of attack," explains Sanchez.
The VeriBlock team also proposed VeriBlock PoP as a 51% attack protection mechanism for ETC approximately six weeks prior to the activation of MESS on ETC Mainnet, and are internally testing a testnet of Ethereum Classic using their own Bitcoin-based Proof-of-Proof security technology (in lieu of MESS) for the ETC community to test, and invites any Ethereum Classic developers interested in further understanding the exploit or anyone interested in helping test VeriBlock-Secured Ethereum Classic to reach out to email@example.com.
About the VeriBlock Foundation
The VeriBlock Foundation is a Cayman Islands nonprofit committed to increasing awareness and adoption of the VeriBlock Blockchain and its Proof-of-Proof security protocol. VeriBlock inherits security from Bitcoin in a completely Decentralized, Trustless, Transparent, and Permissionless ("DTTP®") manner, following the same attributes that made Bitcoin great, and allows any other blockchain to reinforce their existing security with the full Proof-of-Work power of Bitcoin in the same manner.
Source: Veriblock, Inc.