Following the “Thread”: Toward Finding Manipulatable Bottlenecks in Blockchain Clients
Blockchain clients are the fundamental element of the blockchain network, each keeping a copy of the blockchain’s ledger. They play a crucial role in ensuring the network’s decentralization, integrity, and stability. As complex software systems, blockchain clients are not exempt from bottlenecks. Some bottlenecks create new attack surfaces, where attackers deliberately overload these weak points to congest client’s execution, thereby causing denial of service (DoS). We call them manipulatable bottlenecks. Existing research primarily focuses on a few such bottlenecks, and heavily relies on manual analysis. To the best of our knowledge, there has not been any study proposing a systematic approach to identify manipulatable bottlenecks in blockchain clients.
To bridge the gap, this paper delves into the primary causes of bottlenecks in software, and develops a novel tool named ThreadNeck to monitor the symptoms that signal these issues during client runtime. ThreadNeck models the clients as a number of threads, delineating their inter-relationship to accurately characterize the client’s behavior. Building on this, we can identify the suspicious bottlenecks and determine if they could be exploited by external attackers. After applying ThreadNeck to four mainstream clients developed in different programming languages, we totally discover 13 manipulatable bottlenecks, six of which are previously unknown.
Thu 19 SepDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
10:30 - 11:50 | BlockchainTechnical Papers at EI 3 Sahulka Chair(s): Konstantinos (Kostis) Sagonas Uppsala University and Nat. Tech. Univ. of Athens | ||
10:30 20mTalk | DAppFL: Just-in-Time Fault Localization for Decentralized Applications in Web3 Technical Papers Zhiying Wu Sun Yat-sen University, Jiajing Wu Sun Yat-sen University, Hui Zhang Sun Yat-sen University, Ziwei Li Sun Yat-sen University, Jiachi Chen Sun Yat-sen University, Zibin Zheng Sun Yat-sen University, Qing Xia Institute of Software at Chinese Academy of Sciences, Gang Fan Ant Group, Yi Zhen Independent DOI | ||
10:50 20mTalk | LENT-SSE: Leveraging Executed and Near Transactions for Speculative Symbolic Execution of Smart Contracts Technical Papers Peilin Zheng Sun Yat-sen University, Bowei Su Sun Yat-sen University, Xiapu Luo Hong Kong Polytechnic University, Ting Chen University of Electronic Science and Technology of China, Neng Zhang Sun Yat-sen University, Zibin Zheng Sun Yat-sen University DOI File Attached | ||
11:10 20mTalk | Following the “Thread”: Toward Finding Manipulatable Bottlenecks in Blockchain Clients Technical Papers Shuohan Wu Hong Kong Polytechnic University, Zihao Li Hong Kong Polytechnic University, Hao Zhou Hong Kong Polytechnic University, Xiapu Luo Hong Kong Polytechnic University, Jianfeng Li Xi’an Jiaotong University, Haoyu Wang Huazhong University of Science and Technology DOI | ||
11:30 20mTalk | DeFort: Automatic Detection and Analysis of Price Manipulation Attacks in DeFi Applications Technical Papers Maoyi Xie Nanyang Technological University, Ming Hu Nanyang Technological University, Ziqiao Kong Nanyang Technological University, Cen Zhang Nanyang Technological University, Yebo Feng Nanyang Technological University, Haijun Wang Xi’an Jiaotong University, Yue Xue MetaTrust Labs, Hao Zhang MetaTrust Labs, Ye Liu Nanyang Technological University, Yang Liu Nanyang Technological University DOI | ||