Research Pulse Issue #2 02/26/21

  1. Security Threats from Bitcoin Wallet Smartphone Applications: Vulnerabilities, Attacks, and Countermeasures
    Authors: Yiwen Hu, Sihan Wang, Guan-Hua Tu, Li Xiao, Tian Xie, Xinyu Lei, and Chi-Yu Li

Nowadays, Bitcoin is the most popular cryptocurrency. With the proliferation of smartphones and the high-speed mobile Internet, more and more users have started accessing their Bitcoin wallets on their smartphones. Users can download and install a variety of Bitcoin wallet applications (e.g., Coinbase, Luno, Bitcoin Wallet) on their smartphones and access their Bitcoin wallets anytime and anywhere. However, it is still unknown whether these Bitcoin wallet smartphone applications are secure or if they are new attack surfaces for adversaries to attack these application users. In this work, we explored the insecurity of the 10 most popular Bitcoin wallet smartphone applications and discovered three security vulnerabilities. By exploiting them, adversaries can launch various attacks including Bitcoin deanonymization, reflection and amplification spamming, and wallet fraud attacks. To address the identified security vulnerabilities, we developed a phone-side Bitcoin Security Rectifier to secure Bitcoin wallet smartphone application users. The developed rectifier does not require any modifications to current wallet applications and is compliant with Bitcoin standards.


  2. Revisiting the Fairness and Randomness of Delegated Proof of Stake Consensus Algorithm
    Authors: Qi Wang, Ming Xu, Xiangxue Li, and Haifeng Qian

There are many disparate conceptualizations to secure a cryptocurrency network. Bitcoin relies on the proof-of-work mechanism and heterogeneous altcoins use proof-of-stake. Delegated Proof-of-Stake (DPoS), known to be a fast, efficient, decentralized, and highly flexible blockchain design, further offers some interesting reshapings that are well worth deliberating. In DPoS consensus, a panel of trusted parties (called the committee of producers in the paper) has to be established, with all of its members eligible to create blocks and prevent non-trusted parties from participating. Deterministic selection of block producers allows transactions to be confirmed in an expected average of 1 second. The paper revisits the security properties of DPoS and reinforces the fairness and randomness of the algorithm without sacrificing its performance. We first scrutinize the limitations of the DPoS consensus, including predictability of producers, bribing of producers, and lack of task incentivizing. We then introduce a cascade progressive-like ranking to judge the behaviour of the producers, and the producer who does not contribute to the network at the current interaction will be given a lower chance of being qualified for the coming involvement. More specifically, we conceptualize the tweaking parameters and the weights for the producers and bring in the weighted committee to measure the contributions of the producers. The weighted committee is a multiset derived from the committee, and the weights specify the multiplicities of the elements (the producers). A pseudo-random process is also formulated to squeeze out the producer probabilistically from the weighted committee for creating the blocks. This unpredictability of the producers amplifies the randomness of the network and gives rise to a more secure and reliable cryptocurrency system. The proposal aspires to be beneficial for practical applications, and practitioners are also encouraged to customize the tweaking parameters and the pseudo-random process case by case.
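The following Python sketch is an added illustration of the weighted-committee idea described in the abstract; it is not code from the paper or its authors. The committee is a mapping from producer to weight, the weighted committee is the multiset in which each producer appears as many times as its weight, and a producer is drawn by hashing an unpredictable seed (modelled here as the previous block hash plus the round number) and reducing it modulo the multiset size. The concrete weight-update rule, the MIN_WEIGHT/MAX_WEIGHT bounds, the producer names and the use of SHA-256 are all assumptions made for this example, not the paper's parameters.

```python
import hashlib
from collections import Counter

# Constructed committee: producer -> weight (multiplicity in the weighted committee).
# These names and values are illustrative assumptions, not from the paper.
INITIAL_WEIGHTS = {"alice": 3, "bob": 2, "carol": 1, "dave": 1}
MAX_WEIGHT = 5   # assumed cap so one producer cannot dominate forever
MIN_WEIGHT = 1   # assumed floor: a producer is demoted, never fully excluded


def weighted_committee(weights):
    """Expand the committee into a multiset: each producer appears `weight` times."""
    multiset = []
    for producer in sorted(weights):        # canonical order so every node agrees
        multiset.extend([producer] * weights[producer])
    return multiset


def select_producer(weights, seed_material):
    """Pseudo-random draw from the weighted committee.

    seed_material stands in for input that is unpredictable before the round
    (e.g. previous block hash + round number). A producer with weight w has
    probability w / sum(weights) of being chosen; a predictable seed would
    reintroduce the producer-predictability problem the paper criticises.
    """
    multiset = weighted_committee(weights)
    digest = hashlib.sha256(seed_material).digest()
    index = int.from_bytes(digest, "big") % len(multiset)
    return multiset[index]


def update_weights(weights, selected, produced):
    """Simplified ranking step: reward contribution, demote a no-show (assumed rule)."""
    updated = dict(weights)
    if produced:
        updated[selected] = min(MAX_WEIGHT, updated[selected] + 1)
    else:
        updated[selected] = max(MIN_WEIGHT, updated[selected] - 1)
    return updated


def simulate(rounds, weights, offline, prev_hash=b"genesis"):
    """Run `rounds` selections; producers listed in `offline` never produce.

    Returns the final weights and a (chosen, produced) history. The next
    seed is derived from the current seed and the chosen producer, which is
    a constructed stand-in for the real block hash.
    """
    history = []
    for r in range(rounds):
        seed = prev_hash + r.to_bytes(4, "big")
        chosen = select_producer(weights, seed)
        produced = chosen not in offline
        weights = update_weights(weights, chosen, produced)
        history.append((chosen, produced))
        prev_hash = hashlib.sha256(seed + chosen.encode()).digest()
    return weights, history


if __name__ == "__main__":
    final, hist = simulate(50, INITIAL_WEIGHTS, offline={"bob"})
    print("final weights:", final)
    print("draws per producer:", Counter(c for c, _ in hist))
```

Running the module prints how the weights drift over fifty rounds: the offline producer is demoted towards MIN_WEIGHT and therefore drawn less often, while contributing producers gain share up to MAX_WEIGHT. The simulation is deterministic given the starting seed, which is the point of the design: every node can replay the draw, but no one can predict it before the seed material exists.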


  3. Monero Bulletproofs+ Security Audit
    Authors: Suyash Bagad, Omer Shlomovits, and Claudio Orlandi

The Monero Research Lab announced [11] the implementation of Bulletproofs+ [5], a zero-knowledge proving system set to be used for range proofs in Monero. The Bulletproofs+ framework is planned to replace the existing Bulletproofs zero-knowledge proving system for range proofs. The Bulletproofs+ protocol ensures smaller proof sizes, faster proof generation, and faster verification with aggregation of multiple proofs. This would result in lighter transactions on the Monero blockchain, faster generation in wallets, and faster verification on the side of the network participants. This report describes the results of the security assessment of Monero’s implementation of Bulletproofs+ by ZenGo X. The review of Monero’s Bulletproofs+ was conducted between January 17 and February 13, 2021 for a total of 40 man-days of study.


  4. Establishing Bounds for Miner Revenue in EIP-1559
    Authors: Hasu and Georgios Konstantopoulos

We believe that the impact of EIP-1559 on both miner revenue and ETH holders has not been well explored. The main reason this analysis has been difficult before is that miner-extractable value has started to make up a large share of miner revenue due to constant arbitrage opportunities in Defi.

Link: Establishing Bounds for Miner Revenue in EIP-1559 - Deribit Insights

  5. Interdependencies between Mining Costs, Mining Rewards and Blockchain
    Authors: Pavel Ciaian, d’Artis Kancs, and Miroslava Rajcaniova

This paper studies to what extent the cost of operating a proof-of-work blockchain is intrinsically linked to the cost of preventing attacks, and to what extent the underlying digital ledger’s security budgets are correlated with the cryptocurrency market outcomes. We theoretically derive an equilibrium relationship between the cryptocurrency price, mining rewards and mining costs, and blockchain security outcomes. Using daily crypto market data for 2014–2021 and employing the autoregressive distributed lag approach – that allows treating all the relevant moments of the blockchain series as potentially endogenous – we provide empirical evidence of cryptocurrency price and mining rewards indeed being intrinsically linked to blockchain security outcomes.


  6. On the Impact of Attachment Strategies for Payment Channel Networks
    Authors: Kimberly Lange, Elias Rohrer, and Florian Tschorsch

Payment channel networks, such as Bitcoin’s Lightning Network, promise to improve the scalability of blockchain systems by processing the majority of transactions off-chain. Due to the design, the positioning of nodes in the network topology is a highly influential factor regarding the experienced performance, costs, and fee revenue of network participants. As a consequence, today’s Lightning Network is built around a small number of highly-connected hubs. Recent literature shows the centralizing tendencies to be incentive-compatible and at the same time detrimental to security and privacy. The choice of attachment strategies therefore becomes a crucial factor for the future of such systems. In this paper, we provide an empirical study on the (local and global) impact of various attachment strategies for payment channel networks. To this end, we introduce candidate strategies from the field of graph theory and analyze them with respect to their computational complexity as well as their repercussions for end users and service providers. Moreover, we evaluate their long-term impact on the network topology.


  7. The effect of propagation delay on the dynamic evolution of the Bitcoin blockchain
    Authors: Moustapha BA

This paper analyzes the selfish-mine strategy in the Bitcoin blockchain introduced in 2013 by I. Eyal and E. G. Sirer. This strategy could be used by a colluding pool of miners to earn more than their fair share of the mining revenue and, in consequence, to force other honest miners to join them to decrease the variance of their revenues and make their monthly revenues more predictable. It is a very dangerous dynamic that could allow the rogue pool of miners to move toward a majority by accumulating the power of new adherents and control the entire network. Considering that the propagation delay of information between any two miners in the network is not negligible and follows a normal distribution with mean proportional to the physical distance between the two miners and a constant variance independent of others’ delays, we prove that no guarantee can be given about the success or failure of the selfish-mine attack because of the variability of information propagation in the network.


  8. Risk Framework for Bitcoin Custody Operation with the Revault Protocol
    Authors: Jacob Swambo and Antoine Poinsot

Our contributions with this paper are twofold. First, we elucidate the methodological requirements for a risk framework of custodial operations and argue for the value of this type of risk model as complementary with cryptographic and blockchain security models. Second, we present a risk model in the form of a library of attack-trees for Revault – an open-source custody protocol. The model can be used by organisations as a risk quantification framework for a thorough security analysis in their specific deployment context. Our work exemplifies an approach that can be used independent of which custody protocol is being considered, including complex protocols with multiple stakeholders and active defence infrastructure.


  9. CustodyBlock: A Distributed Chain of Custody Evidence Framework
    Authors: Fahad F. Alruwaili

With the increasing number of cybercrimes, the digital forensics team has no choice but to implement more robust and resilient evidence-handling mechanisms. The capturing of digital evidence, which is a tangible and probative piece of information that can be presented in court and used in trial, is very challenging due to its volatility and improper handling procedures. When computer systems get compromised, digital forensics comes into play to analyze, discover, extract, and preserve all relevant evidence. Therefore, it is imperative to maintain efficient evidence management to guarantee the credibility and admissibility of digital evidence in a court of law. A critical component of this process is to utilize an adequate chain of custody (CoC) approach to preserve the evidence in its original state from compromise and/or contamination. In this paper, a practical and secure CustodyBlock (CB) model using private blockchain protocol and smart contracts to support the control, transfer, analysis, and preservation monitoring is proposed. The smart contracts in CB are utilized to enhance the model automation process for better and more secure evidence preservation and handling. A further research direction in terms of implementing blockchain-based evidence management ecosystems, and the implications on other different areas, are discussed.