research-article

Exploring Unfairness on Proof of Authority: Order Manipulation Attacks and Remedies

Authors:

Yang XiangAuthors Info & Claims

ASIA CCS '22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

Pages 123 - 137

https://doi.org/10.1145/3488932.3517394

Published: 30 May 2022 Publication History

Abstract

Proof of Authority (PoA) is a type of permissioned consensus algorithm with a fixed committee. PoA has been widely adopted by communities and industries due to its better performance and faster finality. In this paper, we explore the unfairness issue existing in the current PoA implementations. We have investigated 2,500+ in the wild projects and selected 10+ as our main focus (covering Ethereum, Binance smart chain, etc.). We have identified two types of order manipulation attacks to separately break the transaction-level (a.k.a. transaction ordering) and the block-level (sealer position ordering) fairness. Both of them merely rely on honest-but-profitable sealer assumption without modifying original settings. We launch these attacks on the forked branches under an isolated environment and carefully evaluate the attacking scope towards different implementations. To date (as of Nov 2021), the potentially affected PoA market cap can reach up to 681,087 million USD. Besides, we further dive into the source code of selected projects, and accordingly, propose our recommendation for the fix. To the best of knowledge, this work provides the first exploration of the unfairness issue in PoA algorithms.

Supplementary Material

MP4 File (ASIA-CCS22-fp319.mp4)

Presentation video: This video presents the work on exploring the unfairness issue existing in the proof of authority (PoA) algorithm. It first studies the notion of fairness in the context of blockchain and proposes two types of attacks on transaction/block order manipulation. Then, it shows how to apply these attacks to two PoA implementations, namely, Clique and Aura. Furthermore, it provides corresponding simulations, evaluations, and countermeasures.

Download
132.50 MB

References

[1]

Proof-of-authority chains. https://openethereum.github.io/Proof-of-Authority-Chains, 2016.

[2]

Stefano De Angelis, Leonardo Aniello, Roberto Baldoni, Federico Lombardi, Andrea Margheri, and Vladimiro Sassone. Pbft vs proof-of-authority: Applying the cap theorem to permissioned blockchain. 2018.

[3]

Gavin Wood et al. Ethereum: A secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper, 151(2014):1-32, 2014.

[4]

Ethereum parity. https://www.parity.io/, 2021.

[5]

Ethereum geth. https://geth.ethereum.org/, 2021.

[6]

Kovan testnet. https://kovan-testnet.github.io/website/, 2021.

[7]

Ingo Weber, Qinghua Lu, An Binh Tran, et al. A platform architecture for multi-tenant blockchain-based systems. In 2019 IEEE International Conference on Software Architecture (ICSA), pages 101--110. IEEE, 2019.

[8]

Vechain blockchain. https://www.vechain.org/, 2021.

[9]

Deploy ethereum proof-of-authority consortium solution template on azure. https://docs.microsoft.com/en-us/azure/blockchain/templates/ethereum-poa-deployment, 2021.

[10]

Igor Barinov, Vadim Arasev, Andreas Fackler, Vladimir Komendantskiy, Andrew Gross, Alexander Kolotov, and Daria Isakova. Proof of stake decentralized autonomous organization. 2019.

[11]

Clique. https://github.com/ethereum/EIPs/issues/225, 2021.

[12]

Binance smart chain. https://github.com/binance-chain/whitepaper/blob/master/WHITEPAPER.md, 2021.

[13]

Launch enterprise-ready blockchain networks on aws in minutes with kaleido-a consensys solution. https://aws.amazon.com/blogs/apn/launch-enterprise-ready-blockchain-networks-on-aws-in-minutes-with-kaleido-a-consensys-solution/, 2021.

[14]

Poa. https://www.poa.network/, 2021.

[15]

Rinkeby: Ethereum testnet. https://www.rinkeby.io//#stats, 2021.

[16]

Quorum github repository. https://github.com/ConsenSys/quorum, 2021.

[17]

G.oerli network. https://goerli.net/, 2022.

[18]

Apla blockchain. https://apla.readthedocs.io/en/latest/concepts/consensus.html, 2021.

[19]

High performance blockchain (hpb) -- consensus. https://github.com/hpb-project/go-hpb/tree/master/consensus, 2021.

[20]

Yonatan Sompolinsky and Aviv Zohar. Secure high-rate transaction processing in bitcoin. In International Conference on Financial Cryptography and Data Security (FC), pages 507--527. Springer, 2015.

[21]

Yonatan Sompolinsky and Aviv Zohar. Accelerating bitcoin's transaction processing, fast money grows on trees, not chains. Cryptology ePrint Archive, 2013.

[22]

Mahimna Kelkar, Fan Zhang, Steven Goldfeder, and Ari Juels. Order-fairness for byzantine consensus. In Annual International Cryptology Conference (CRYPTO), pages 451--480. Springer, 2020.

Digital Library

[23]

Mahimna Kelkar, Soubhik Deb, and Sreeram Kannan. Order-fair consensus in the permissionless setting. IACR Cryptol. ePrint Arch., 2021:139, 2021.

[24]

Philip Daian, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, Iddo Bentov, Lorenz Breidenbach, and Ari Juels. Flash boys 2.0: Frontrunning in decentralized exchanges, miner extractable value, and consensus instability. In 2020 IEEE Symposium on Security and Privacy (SP), pages 910--927. IEEE, 2020.

[25]

Liyi Zhou, Kaihua Qin, Christof Ferreira Torres, Duc V Le, and Arthur Gervais. High-frequency trading on decentralized on-chain exchanges. In 2021 IEEE Symposium on Security and Privacy (SP), pages 428--445. IEEE, 2021.

[26]

Robinson Dan and Konstantopoulos Georgios. Ethereum is a dark forest. 2021.

[27]

Clique in go-ethereum. https://github.com/ethereum/go-ethereum/blob/master/consensus/clique/clique.go, 2021.

[28]

HPB. Pr report (hpb). https://github.com/hpb-project/go-hpb/pull/82/, 2022.

[29]

Consensus in ethereum classic (etc). https://github.com/etclabscore/core-geth/blob/master/consensus/clique/clique.go, 2021.

[30]

Consensus in olecoin. https://github.com/Olecoin/olechain/blob/master/consensus/clique/clique.go, 2021.

[31]

Parinya Ekparinya, Vincent Gramoli, and Guillaume Jourjon. The attack of the clones against proof-of-authority. In 27th Annual Network and Distributed System Security Symposium (NDSS), 2020.

[32]

Qin Wang, Jiangshan Yu, Shiping Chen, and Yang Xiang. Sok: Diving into dag-based blockchain systems. arXiv preprint arXiv:2012.06128, 2020.

[33]

Christof Ferreira Torres, Ramiro Camino, et al. Frontrunner jones and the raiders of the dark forest: An empirical study of frontrunning on the ethereum blockchain. In 30th USENIX Security Symposium (USENIX Security), pages 1343--1359, 2021.

[34]

Christopher Natoli and Vincent Gramoli. The balance attack against proof-of-work blockchains: The r3 testbed as an example. arXiv preprint arXiv:1612.09426, 2016.

[35]

Clique in consensys. https://github.com/ConsenSys/quorum/blob/master/consensus/clique/clique.go, 2021.

[36]

Posa in binance smart chain. https://github.com/binance-chain/whitepaper/blob/master/WHITEPAPER.md#proof-of-staked-authority, 2021.

[37]

Poa in polygon(matic) chain. https://github.com/maticnetwork/bor/tree/master/consensus/clique, 2021.

[38]

Clique in openethereum. https://github.com/openethereum/openethereum/blob/main/crates/ethcore/src/engines/clique/mod.rs, 2021.

[39]

Poa network. https://github.com/poanetwork/openethereum/blob/main/ethcore/src/engines/clique/mod.rs, 2021.

[40]

Clique in gochain. https://github.com/gochain-io/go-ethereum/blob/master/consensus/clique/clique.go, 2021.

[41]

Consensus in daisy. https://github.com/ivoras/daisy/blob/18f27b8469b8684f19dff59dc39c5457e45e4fd2/blockchain.go#L206, 2021.

[42]

Proposals in exx. https://cex.ethereum-express.com/files/whitepaper.pdf, 2021.

[43]

Clique in hpb. https://github.com/hpb-project/go-hpb/blob/master/consensus/prometheus/chain_verification.go, 2021.

[44]

Confirmation procedures in aplaproject. https://github.com/AplaProject/go-apla/blob/8e17a21423289ea4aeb0d9021cfb46e283acf217/packages/block/block.go, 2021.

[45]

Consensus in tomochain. https://github.com/tomochain/tomochain/blob/722d85a8318ba4fcfaffd91d9855acb29217ecaa/consensus/posv/posv.go#L746, 2021.

[46]

Validation procedures in vechain. https://github.com/vechain/thor/blob/master/consensus/validator.go, 2021.

[47]

Proposals in kovan. https://github.com/kovan-testnet/proposal, 2021.

[48]

Kaihua Qin, Liyi Zhou, Benjamin Livshits, and Arthur Gervais. Attacking the defi ecosystem with flash loans for fun and profit. In International Conference on Financial Cryptography and Data Security (FC), pages 3--32. Springer, 2021.

Digital Library

[49]

Qin Wang, Rujia Li, Qi Wang, and Shiping Chen. Non-fungible token (nft): Overview, evaluation, opportunities and challenges. arXiv preprint arXiv:2105.07447, 2021.

[50]

Pancakeswap. https://pancakeswap.finance/, 2021.

[51]

Lewis Gudgeon, Sam Werner, Daniel Perez, and William J Knottenbelt. Defi protocols for loanable funds: Interest rates, liquidity and market efficiency. In Proceedings of the 2nd ACM Conference on Advances in Financial Technologies (AFT), pages 92--112, 2020.

Digital Library

[52]

Copeland Tim. Mistake sees $69,000 cryptopunk sold for less than a cent. https://www.theblockcrypto.com/post/113546/mistake-sees-69000-cryptopunk-sold-for-less-than-a-cent, 2022.

[53]

Chain generation process in hpb. https://github.com/hpb-project/go-hpb/blob/master/consensus/prometheus/chain_generation.go, 2021.

[54]

High performance blockchain (hpb) -- hardware generated random number. https://github.com/hpb-project/hardware-random-number-case, 2021.

[55]

Sisi Duan, Michael K Reiter, and Haibin Zhang. Beat: Asynchronous bft made practical. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (AsiaCCS), pages 2028--2041, 2018.

Digital Library

[56]

Sisi Duan, Michael K Reiter, and Haibin Zhang. Secure causal atomic broadcast, revisited. In 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 61--72. IEEE, 2017.

[57]

Chrysoula Stathakopoulou, Signe Rüsch, Marcus Brandenburger, and Marko Vukolić. Adding fairness to order: Preventing front-running attacks in bft protocols using tees. In 2021 40th International Symposium on Reliable Distributed Systems (SRDS), pages 34--45. IEEE, 2021.

[58]

Silvio Micali, Michael Rabin, and Salil Vadhan. Verifiable random functions. In 40th Annual Symposium on Foundations of Computer Science (FOCS), pages 120--130. IEEE, 1999.

Digital Library

[59]

Castro Miguel and Liskov Barbara. Practical byzantine fault tolerance. In Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation (OSDI), pages 173--186, 1999.

[60]

Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. Decentralized Business Review, page 21260, 2008.

[61]

Viswanath Pramod. Lecture 16: Bridging bft protocols with the longest chain protocol. https://courses.grainger.illinois.edu/ece598pv/sp2021/lectureslides2021/ECE_598_PV_course_notes16_v2.pdf, 2021.

[62]

Qin Wang, Jiangshan Yu, Zhiniang Peng, Van Cuong Bui, Shiping Chen, Yong Ding, and Yang Xiang. Security analysis on dbft protocol of neo. In International Conference on Financial Cryptography and Data Security (FC), pages 20--31. Springer, 2020.

Digital Library

[63]

Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles (SOSP), pages 51--68. ACM, 2017.

Digital Library

[64]

Rafael Pass and Elaine Shi. Thunderella: Blockchains with optimistic instant confirmation. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), pages 3--33. Springer, 2018.

[65]

Yackolley Amoussou-Guenou, Antonella Del Pozzo, Maria Potop-Butucaru, and Sara Tucci-Piergiovanni. Correctness and fairness of tendermint-core blockchains. arXiv preprint arXiv:1805.08429, 2018.

[66]

Elaine Shi. Analysis of deterministic longest-chain protocols. In 2019 IEEE 32nd Computer Security Foundations Symposium (CSF), pages 122--12213. IEEE, 2019.

[67]

Xuefeng Liu, Gansen Zhao, Xinming Wang, Yixing Lin, Ziheng Zhou, Hua Tang, and Bingchuan Chen. Mdp-based quantitative analysis framework for proof of authority. In 2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pages 227--236. IEEE, 2019.

[68]

Cyril Naves Samuel, Severine Glock, Francc ois Verdier, and Patricia Guitton-Ouhamou. Choice of ethereum clients for private blockchain: Assessment from proof of authority perspective. In 2021 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), pages 1--5. IEEE, 2021.

[69]

Kentaroh Toyoda, Koji Machi, Yutaka Ohtake, and Allan N Zhang. Function-level bottleneck analysis of private proof-of-authority ethereum blockchain. IEEE Access, 8:141611--141621, 2020.

[70]

Tien Tuan Anh Dinh, Ji Wang, Gang Chen, Rui Liu, Beng Chin Ooi, and Kian-Lee Tan. Blockbench: A framework for analyzing private blockchains. In Proceedings of the 2017 ACM International Conference on Management of Data (SIGMOD), pages 1085--1100, 2017.

Digital Library

[71]

Sara Rouhani and Ralph Deters. Performance analysis of ethereum transactions in private blockchain. In 2017 8th IEEE International Conference on Software Engineering and Service Science (ICSESS), pages 70--74. IEEE, 2017.

[72]

Ittay Eyal and Emin Gün Sirer. Majority is not enough: Bitcoin mining is vulnerable. In International conference on Financial Cryptography and Data Security (FC), pages 436--454. Springer, 2014.

[73]

Rafael Pass and Elaine Shi. Fruitchains: A fair blockchain. In Proceedings of the ACM Symposium on Principles of Distributed Computing (PODC), pages 315--324, 2017.

Digital Library

[74]

Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena. Smartpool: Practical decentralized pooled mining. In 26th USENIX Security Symposium (USENIX Security), pages 1409--1426, 2017.

[75]

Andrew Miller, Ahmed Kosba, Jonathan Katz, and Elaine Shi. Nonoutsourceable scratch-off puzzles to discourage bitcoin mining coalitions. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 680--691, 2015.

Digital Library

[76]

Avi Asayag, Gad Cohen, Ido Grayevsky, et al. A fair consensus protocol for transaction ordering. In 2018 IEEE 26th International Conference on Network Protocols (ICNP), pages 55--65. IEEE, 2018.

[77]

Leemon Baird. The swirlds hashgraph consensus algorithm: Fair, fast, byzantine fault tolerance. Swirlds Tech Reports SWIRLDS-TR-2016-01, Tech. Rep, 2016.

[78]

Vivek Bagaria et al. Prism: Deconstructing the blockchain to approach physical limits. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 585--602, 2019.

[79]

Serguei Popov. The tangle. White paper, 1(3), 2018.

[80]

Qin Wang and Rujia Li. A weak consensus algorithm and its application to high-performance blockchain. In IEEE INFOCOM 2021-IEEE Conference on Computer Communications, pages 1--10. IEEE, 2021.

Digital Library

[81]

Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles (SOSP), pages 51--68, 2017.

Digital Library

Cited By

Alnajjar MKiraz MAl-Bayatti AKardas S(2024)Mitigating MEV attacks with a two-tiered architecture utilizing verifiable decryptionEURASIP Journal on Wireless Communications and Networking10.1186/s13638-024-02390-42024:1Online publication date: 13-Aug-2024
https://doi.org/10.1186/s13638-024-02390-4
de Morais ALins FRosa N(2024)Selecting Blockchain Consensus Algorithms Integrations for IoT-based EnviromentsProceedings of the 13th Latin-American Symposium on Dependable and Secure Computing10.1145/3697090.3697100(116-125)Online publication date: 26-Nov-2024
https://dl.acm.org/doi/10.1145/3697090.3697100
Miglani AKumar N(2024)A Blockchain Based Matching Game for Content Sharing in Content-Centric Vehicle-to-Grid Network ScenariosIEEE Transactions on Intelligent Transportation Systems10.1109/TITS.2023.332282625:5(4032-4048)Online publication date: May-2024
https://doi.org/10.1109/TITS.2023.3322826
Show More Cited By

Index Terms

Exploring Unfairness on Proof of Authority: Order Manipulation Attacks and Remedies
1. Information systems
  1. Information systems applications
    1. Decision support systems
2. Security and privacy
  1. Systems security
    1. Distributed systems security

Recommendations

Time-manipulation Attack: Breaking Fairness against Proof of Authority Aura
WWW '23: Proceedings of the ACM Web Conference 2023

As blockchain-based commercial projects and startups flourish, efficiency becomes one of the critical metrics in designing blockchain systems. Due to its high efficiency, Proof of Authority (PoA) Aura has become one of the most widely adopted consensus ...
Relay-volunteered multi-rate cooperative MAC protocol for IEEE 802.11 WLANs

In IEEE 802.11, the rate of a station (STA) is dynamically determined by link adaptation. Low-rate STAs tend to hog more channel time than high-rate STAs due to fair characteristics of carrier sense multiple access/collision avoidance, leading to ...
Airtime Fairness for IEEE 802.11 Multirate Networks

Under a multi rate network scenario, the IEEE 802.11 DCF MAC fails to provide air-time fairness for all competing stations since the protocol is designed for ensuring max-min throughput fairness and the maximum achievable throughput by any station gets ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ASIA CCS '22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

May 2022

1291 pages

ISBN:9781450391405

DOI:10.1145/3488932

General Chairs:
Yuji Suga
Internet Initiative Japan Inc., Japan
,
Kouichi Sakurai
Kyushu University, Japan
,
Program Chairs:
Xuhua Ding
Singapore Management University, Singapore
,
Kazue Sako
Waseda University, Japan

Copyright © 2022 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 May 2022

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ASIA CCS '22

Sponsor:

SIGSAC

ASIA CCS '22: ACM Asia Conference on Computer and Communications Security

May 30 - June 3, 2022

Nagasaki, Japan

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
309
Total Downloads

Downloads (Last 12 months)80
Downloads (Last 6 weeks)13

Reflects downloads up to 16 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Alnajjar MKiraz MAl-Bayatti AKardas S(2024)Mitigating MEV attacks with a two-tiered architecture utilizing verifiable decryptionEURASIP Journal on Wireless Communications and Networking10.1186/s13638-024-02390-42024:1Online publication date: 13-Aug-2024
https://doi.org/10.1186/s13638-024-02390-4
de Morais ALins FRosa N(2024)Selecting Blockchain Consensus Algorithms Integrations for IoT-based EnviromentsProceedings of the 13th Latin-American Symposium on Dependable and Secure Computing10.1145/3697090.3697100(116-125)Online publication date: 26-Nov-2024
https://dl.acm.org/doi/10.1145/3697090.3697100
Miglani AKumar N(2024)A Blockchain Based Matching Game for Content Sharing in Content-Centric Vehicle-to-Grid Network ScenariosIEEE Transactions on Intelligent Transportation Systems10.1109/TITS.2023.332282625:5(4032-4048)Online publication date: May-2024
https://doi.org/10.1109/TITS.2023.3322826
Wang QYu GChen S(2024)Cryptocurrency in the Aftermath: Unveiling the Impact of the SVB CollapseIEEE Transactions on Computational Social Systems10.1109/TCSS.2024.338849511:5(5839-5857)Online publication date: Oct-2024
https://doi.org/10.1109/TCSS.2024.3388495
Jo YPark C(2024)Enhancing Ethereum PoA Clique Network with DAG-based BFT Consensus2024 IEEE International Conference on Blockchain and Cryptocurrency (ICBC)10.1109/ICBC59979.2024.10634410(655-659)Online publication date: 27-May-2024
https://doi.org/10.1109/ICBC59979.2024.10634410
Benkou SAsimi AMbarek L(2024)E-Health Blockchain: Conception of a New Smart Healthcare Architecture Based on Deep Reinforcement LearningArtificial Intelligence, Data Science and Applications10.1007/978-3-031-48573-2_14(91-99)Online publication date: 30-Jan-2024
https://doi.org/10.1007/978-3-031-48573-2_14
Tan JGoyal SSingh Rajawat AJan TAzizi NPrasad M(2023)Anti-Counterfeiting and Traceability Consensus Algorithm Based on Weightage to Contributors in a Food Supply Chain of Industry 4.0Sustainability10.3390/su1510785515:10(7855)Online publication date: 11-May-2023
https://doi.org/10.3390/su15107855
Guidi BMichienzi A(2023)From NFT 1.0 to NFT 2.0: A Review of the Evolution of Non-Fungible TokensFuture Internet10.3390/fi1506018915:6(189)Online publication date: 24-May-2023
https://doi.org/10.3390/fi15060189
Zhang XLi RWang QWang QDuan S(2023)Time-manipulation Attack: Breaking Fairness against Proof of Authority AuraProceedings of the ACM Web Conference 202310.1145/3543507.3583252(2076-2086)Online publication date: 30-Apr-2023
https://dl.acm.org/doi/10.1145/3543507.3583252
Zhao HPacheco AStrobel VReina ALiu XDudek GDorigo M(2023)A Generic Framework for Byzantine-Tolerant Consensus Achievement in Robot Swarms2023 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS)10.1109/IROS55552.2023.10341423(8839-8846)Online publication date: 1-Oct-2023
https://doi.org/10.1109/IROS55552.2023.10341423
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents