1. I Can’t Believe It’s Not Stake! Resource Exhaustion Attacks on PoS 2019 Blockchains FinancialCryptography ProofOfStake
    Sanket Kanjalkar, Joseph Kuo, Yunqi Li, and Andrew Miller
    [View PDF on ifca.ai]
    [Show BibTex Citation]

    author = {Kanjalkar, Sanket and Kuo, Joseph and Li, Yunqi and Miller, Andrew},
    year = {2019},
    month = {09},
    pages = {62-69},
    title = {Short Paper: I Can’t Believe It’s Not Stake! Resource Exhaustion Attacks on PoS},
    isbn = {978-3-030-32100-0},
    doi = {10.1007/978-3-030-32101-7_4}

We present a new resource exhaustion attack affecting several chain-based proof-of-stake cryptocurrencies, and in particular Qtum, a top 30 cryptocurrency by market capitalization ($300M as of Sep ’18). In brief, these cryptocurrencies do not adequately validate the proof-of-stake before allocating resources to data received from peers. An attacker can exploit this vulnerability, even without any stake at all, simply by connecting to a victim and sending malformed blocks, which the victim stores on disk or in RAM, eventually leading to a crash. We demonstrate and benchmark the attack through experiments attacking our own node on the Qtum main network; in our experiment we are able to fill the victim’s RAM at a rate of 2MB per second, or the disk at a rate of 6MB per second. We have begun a responsible disclosure of this vulnerability to appropriate development teams. Our disclosure includes a Docker-based reproducibility kit using the Python-based test framework. This problem has gone unnoticed for several years. Although the attack can be mitigated, this appears to require giving up optimizations enjoyed by proof-of-work cryptocurrencies, underscoring the difficulty in implementing and deploying chain-based proof-of-stake.