Following the "Thread": Toward Finding Manipulatable Bottlenecks In Blockchain Clients
This program is tentative and subject to change.
Blockchain clients are the fundamental element of blockchain network, each keeping a copy of the blockchain’s ledger. They play a crucial role in ensuring the network’s decentralization, integrity, and stability. As complex software systems, blockchain clients are not exempt from bottlenecks. Some bottlenecks create new attack surfaces, where attackers deliberately overload these weak points to congest client’s execution, thereby causing denial of service (DoS). We call them manipulatable bottlenecks. Existing research primarily focuses on a few such bottlenecks, and heavily relies on manual analysis. To the best of our knowledge, there has not been any study proposing a systematic approach to identify manipulatable bottlenecks in blockchain clients.
To bridge the gap, this paper delves into the primary causes of bottlenecks in software, and develops a novel tool named ThreadNeck to monitor the symptoms that signal these issues during client runtime. ThreadNeck models the clients as a number of threads, delineating their inter-relationship to accurately characterize client’s behavior. Building on this, we can identify the suspicious bottlenecks and determine if they could be exploited by external attackers. After applying ThreadNeck to four mainstream clients developed in different programming languages, we totally discover 13 manipulatable bottlenecks, six of which are previously unknown. At the time of writing, three CVEs have been assigned.
This program is tentative and subject to change.
Thu 19 SepDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
10:30 - 11:50 | |||
10:30 20mTalk | DAppFL: Just-in-Time Fault Localization for Decentralized Applications in Web3 Technical Papers Zhiying Wu Sun Yat-sen University, Jiajing Wu Sun Yat-sen University, Hui Zhang Sun Yat-sen University, Ziwei Li Sun Yat-sen University, Jiachi Chen Sun Yat-sen University, Zibin Zheng Sun Yat-sen University, Qing Xia Institute of Software at Chinese Academy of Sciences, Gang Fan n, n, Yi Zhen n.n. DOI | ||
10:50 20mTalk | LENT-SSE: Leveraging Executed and Near Transactions for Speculative Symbolic Execution of Smart Contracts Technical Papers Peilin Zheng Sun Yat-sen University, Bowei Su Sun Yat-sen University, Xiapu Luo The Hong Kong Polytechnic University, Ting Chen University of Electronic Science and Technology of China, Neng Zhang Sun Yat-sen University, Zibin Zheng Sun Yat-sen University | ||
11:10 20mTalk | Following the "Thread": Toward Finding Manipulatable Bottlenecks In Blockchain Clients Technical Papers Shuohan Wu Hong Kong Polytechnic University, zihao li The Hong Kong Polytechnic Universituy, Hao Zhou Hong Kong Polytechnic University, Xiapu Luo The Hong Kong Polytechnic University, Jianfeng Li Xi'an Jiaotong University, Haoyu Wang Huazhong University of Science and Technology | ||
11:30 20mTalk | DeFort: Automatic Detection and Analysis of Price Manipulation Attacks in DeFi Applications Technical Papers Maoyi Xie Nanyang Technological University, Ming Hu Singapore Management University, Ziqiao Kong Nanyang Technological University, Cen Zhang Nanyang Technological University, Yebo Feng Nanyang Technological University, Haijun Wang Xi'an Jiaotong University, YUE XUE MetaTrust Labs, Hao Zhang MetaTrust Labs, Ye Liu Nanyang Technological University, Yang Liu Nanyang Technological University DOI |