by Surya Bakshi (UIUC, IC3, Offchain Labs), Sarah Allen (IC3, Flashbots), Lorenz Breidenbach (IC3, Chainlink Labs), Jim Ballingall (IC3), Haaroon Yousaf (IC3), Patrick McCorry (IC3, Arbitrum Foundation), Giannis Kaklamanis (Yale University), Vivian Jeng (Ethereum Foundation), Jayamine Alupotha (IC3, University of Bern), Mariarosaria Barbaraci (IC3, University of Bern), Abhimanyu Rawat (UPF Barcelona) on June 20, 2024
The team behind Boquila, a proof of concept to obscure identifiable information from third-party websites, took the top spot at this year’s hackathon. We sat down with Mariarosaria Barbaraci and Jayamine Alupotha, two members of the winning team, to talk about what they built and their experience at this year’s IC3 Blockchain Camp.
by Philipp Schneider (University of Bern, IC3) with contributions by Ignacio Amores-Sesar (University of Bern, IC3), and Christian Cachin (University of Bern, IC3) on May 17, 2024
In a three-part series, we look at the “Snow” protocols that address the fundamental consensus problem and were introduced in a whitepaper by a group associated with AvaLabs that pioneered the Avalanche blockchain infrastructure. Part 1 appears here; part 2 and part 3 appear on the Crypto@Bern blog. This first part gives an overview of these Snow protocols and a summary of our findings.
by Orestis Alpos (University of Bern), Ignacio Amores-Sesar (University of Bern, IC3), Christian Cachin (University of Bern, IC3), Michelle Yeo (National University of Singapore) on May 10, 2024
The problems of maximal-extractable value (MEV) and front-running attacks have plagued decentralized finance (DeFi) in recent years. We tackle the problem of sandwich attacks in general and introduce a protocol to transform any blockchain consensus algorithm into a new one that has the same security, but in which sandwich attacks are no longer profitable. Our protocol is fully decentralized with no trusted third parties or heavy cryptographic primitives. It makes existing blockchains resilient to such attacks in exchange for increased latency until consensus becomes final and a small computational overhead.
by James Austgen, Andrés Fábrega, Sarah Allen, Kushal Babel, Mahimna Kelkar, and Ari Juels on January 16, 2024
Decentralized Autonomous Organizations (DAOs) are increasingly popular, and already managing many billions of dollars in treasuries. Their decentralized governance is a transformative new way of organizing communities. But as they grow, DAOs will face a new and potent threat to their decentralization - Dark DAOs. A Dark DAO is a private smart contract that targets a legitimate DAO, attacking its voting integrity by enabling vote-buying among its users. First considered in 2018, Dark DAOs haven’t yet appeared in the wild — but only because DAOs are not very decentralized today. As DAOs continue on a path to higher decentralization, Dark DAOs will inevitably surface. Vote-buying may be illegal in political elections, but in DAOs it’s probably legal. It’s legal in shareholder voting and there’s even a marketplace to facilitate it. Vote-buying in DAOs would follow the trend in Web3 of monetizing everything from people’s friends to maximal-extractable value (MEV).
by James Austgen, Andrés Fábrega, Sarah Allen, Kushal Babel, Mahimna Kelkar, and Ari Juels on December 04, 2023
Decentralized Autonomous Organizations, or DAOs, promise to revolutionize the ways that communities collaborate. The ‘D’ in DAO — the decentralization — is the critical ingredient. But the way most people in the Web3 community reason about DAO decentralization today is flawed. It fails to point the way toward sound DAO governance. Today, people commonly view decentralization in DAOs — and other Web3 projects — entirely in terms of how tokens are distributed among addresses. The Gini coefficient and similar measures of wealth inequality — such as entropy of token holdings — are popular metrics for this purpose. A high Gini coefficient over addresses in a DAO is “bad” - it means high concentration — dominant control by whales and other large holders. A low Gini coefficient, on the other hand, is “good,” indicating even distribution of tokens. Our new research shows that there are gaping blind spots in this view of DAO decentralization. Happily, we also show that it’s possible to do better.
by Haoqian Zhang on October 03, 2023
The name “front-running” dates from when a broker had to physically deliver clients’ orders to the trading desk. The term vividly describes how it works: an attacker who knows of a large order could run ahead to execute a trade before the client’s order goes through. What is the incentive for someone to do that? Here is an example that explains why. Suppose a broker receives a large order from a client, say, buy 500,000 shares of a company’s stock. The order is big enough to drive up the share price. Knowing this information, an attacker can place his own small order, say 10,000 shares of the same stock, before the large order. The attacker can then sell his shares at a higher price after the large order goes through and the price rises. The formal definition of front-running is the practice of benefiting from advance knowledge of pending transactions. Although it benefits some of the entities involved, this practice puts others at a significant financial disadvantage, which is why the behavior is illegal in traditional markets with established securities regulations.
by Andrew Miller, Nerla Jean-Louis, Yunqi Li, and James Austgen on August 25, 2023
Enhancing smart contract privacy is a critical stride towards the development of more useful blockchain applications. Trusted execution environments (TEEs) or secure enclaves are being used in multiple networks (Secret Network, Oasis Network, Obscuro, etc.) to enable privacy without significantly increasing computational costs. However, the use of TEEs also brings challenges, specifically in designing secure network architectures that fully capitalize on the strengths of TEEs while mitigating potential risks. Our recent paper details several attacks on these TEE-based blockchain networks that broke user privacy guarantees without doing the hard work of breaking into the TEE hardware.
by Kushal Babel, Nerla Jean-Louis, Mahimna Kelkar, Yunqi Li, Carolina Ortega Perez, Aditya Asgoankar, Sylvain Bellemare, Ari Juels, and Andrew Miller on June 12, 2023
TLDR - The Sting Framework (SF) is a new idea for bolstering the security of systems at risk of information leakage. SF addresses the case where a corrupt service (called a Subversion Service) arises that enables adversaries to exploit such leakage. SF presumes a player, called an informer, that wishes to alert the community to the presence of the corrupt service — either as a public service or to claim a bounty. SF enables the informer to generate a publicly verifiable proof that the corrupt service exists.
by Kushal Babel, Yan Ji, Ari Juels, and Mahimna Kelkar on April 17, 2023
In today’s blockchain landscape, the life of a transaction is nasty, brutish, and short. Or, as some put it, a blockchain like Ethereum is a “dark forest” — a reference to a popular sci-fi novel in which the universe is filled with predatory civilizations.
by Patrick McCorry on March 15, 2023
A very interesting talk by Kelvin Fichter argues that zk rollups do not exist and explains how rollups actually work. Let’s take a fun snippet from it.
by Ariah Klages-Mundt on March 14, 2023
7 of the largest 10 stablecoins depegged as a massive bank-run effect rippled across crypto. Here is what happened and what the lessons are for the space. Starting Friday, March 11, and persisting through the weekend, most major stablecoins lost their peg and stablecoin liquidity virtually evaporated.
by Phil Daian on March 07, 2023
In this post, we take a look at trends in MEV that we believe have the potential to centralize and weaken the core mission and value proposition of cryptocurrency. We argue that the most important, and possibly the only, exit from a future where power dynamics in cryptocurrency become centralized and predatory is through geographic decentralization. We then explore the relationship between geographic decentralization and privacy, which in our opinion will be a dominant economic phenomenon in the next decade of MEV evolution.
by Ari Juels on January 26, 2023
Independence from centralized institutions is among the most important of the revolutionary ideas at the heart of crypto. If you keep your crypto assets in a centralized exchange, the exchange holds them on your behalf. That means complete dependence on the integrity of the exchange. If it’s hacked or collapses, your funds can disappear.
by James Austgen, Kushal Babel, Vitalik Buterin, Phil Daian, Ari Juels, and Mahimna Kelkar on January 16, 2023
In a paper we've released today, we introduce a new cryptographic notion that we call proofs of complete knowledge (CK). We also report on a prototype that offers a path to making CK practical for use with smartphones.
by Andrew Miller on December 13, 2022
Last week the rest of the team and I posted a research preprint that included a vulnerability disclosure affecting Secret Network. Secret Network is the first smart contract system based on Trusted Execution Environments (TEEs) to go live in production. However, there are several rival projects with closely related tech that have launched public testnets, namely Oasis, Phala, and Obscuro. Our disclosure kicked off a broader discussion, with all these projects reaching out and/or making public statements (Phala’s), (Oasis’s), (Secret’s) explaining to what degree they would have been affected and about the mitigations they have in development. The four projects have been building mostly independently of each other, but TEE/SGX compromise presents a common threat to all of them, suggesting an opportunity to work together.
by James Austgen, Kushal Babel, Phil Daian, Ari Juels, and Mahimna Kelkar on September 30, 2022
Atomic NFTs introduce new cryptographic techniques in order to enable NFT creators to prevent fractionalization of their NFTs. Our work promises to give creators stronger control over how their NFTs are bought and sold. We stress that Atomic NFTs are a preliminary research concept. More research needs to be done to make them truly practical. We believe, however, that practicality is on the horizon and that Atomic NFTs could someday become a standard option in NFT creation.
by Ari Juels on September 26, 2022
Museums exist not just to house original works of art, but as shrines to be visited by art lovers. Physical works of art — oil paintings, for instance — look very different in person than in posters or digital images. I've spent twenty minutes staring at this Vermeer in person. I can assure you that the sacred hush magically rendered by the artist in the original painting is all but obliterated in reproduction. There’s another facet to appreciation of art, though, one that’s not just about brushstrokes or esthetic nuance. Why, after all, do people flock to see the Mona Lisa when they can barely make it out through the ten-foot-thick protective barrier of tourists?
by Florian Suri-Payer and Natacha Crooks on August 27, 2022
Applications want to retain database functionality when decentralizing their systems. Unfortunately, straightforward designs atop today's blockchain systems fall short of this task. The current separation between the ordering layer and the application materialization layer in blockchain-based designs precludes the design of expressive, high-performance transactional systems. In our recent work Basil - Breaking up BFT with ACID (transactions) we explore how to merge these layers for improved scalability and usability.
by Ari Juels on July 20, 2022
Bitcoin and blockchains - the technology that makes cryptocurrencies such as Bitcoin possible - have become inescapable phenomena in finance and even popular culture. Despite their rise in popularity, though, there is considerable bewilderment around blockchains and their capabilities. In this talk, Ari Juels, the Weill Family Foundation and Joan and Stanford I. Weill Professor at Cornell Tech and Co-Director of the Initiative for CryptoCurrencies and Contracts (IC3), will aim to demystify this intriguing technology. He will explain how blockchains mean much more than Bitcoin and indeed how blockchain-based digital apes may be harbingers of our future in leisure and the arts. We hope to see you at this virtual event.
by Youer Pu, Lorenzo Alvisi and Ittay Eyal on June 21, 2022
The Nakamoto consensus protocol works in a permissionless model, where nodes can join and leave without notice. However, it guarantees agreement only probabilistically. Is this weaker guarantee a necessary concession to the severe demands of supporting a permissionless model? We show that, at least in a benign failure model, it is not. We present Sandglass, the first permissionless consensus algorithm that guarantees deterministic agreement and termination with probability 1 under general omission failures. Like Nakamoto, Sandglass adopts a hybrid synchronous communication model, where, at all times, a majority of nodes (though their number is unknown) are correct and synchronously connected, and allows nodes to join and leave at any time.
by Weizhao Tang, Lucianna Kiffer, Giulia Fanti and Ari Juels on May 25, 2022
In traditional financial systems, time equals money and network latency - i.e., the time for messages to travel in a network - has an outsized impact. Recently, network latency has become critical in blockchain peer-to-peer (P2P) networks as well. Among other impacts, low-latency connections in P2P networks can advantage arbitrageurs by giving them the ability to exploit the trades of other users for financial gain. In this blog post, we summarize a recent paper of ours that explores P2P network latency. We present Peri, a practical strategy that selects peers with low latencies from a local view of the P2P network. We demonstrate how strategic agents, i.e., self-interested P2P network actors, can use Peri to manipulate network latency to their advantage.
by Sarah Allen, Ari Juels, Mukti Khaire, Tyler Kell and Siddhant Shrivastava on April 25, 2022
Fine artists exercising unprecedented control of their own markets, high-tech art, cartoon images of rocks selling for millions of dollars, scams, cult-like followings - the NFT market has it all! In this post, we will briefly survey the traditional art market and the NFT fine art market. The convergence of these things - NFT technology and the traditional art market - leads us to make predictions for the future of the market and the technology.
by James Grimmelmann, Yan Ji and Tyler Kell on March 21, 2022
Many NFTs and DAOs are designed to provide new or more convenient ways to own and sell creative works. Beeple's EVERYDAYS - The First 5000 Days sold at auction for $69 million. Some observers think that the Bored Ape Yacht Club's spectacular rise is due to its permissive copyright approach. Some artists and developers are diving in head-first.
by Ittay Eyal and Ittai Abraham on March 07, 2022
The Selfish mining attack against blockchain protocols was discovered and formalized in 2013 by Eyal and Sirer (also see our blog post). The Bitcoin community has mentioned similar types of attacks in 2010. This attack remains a vulnerability of all operational blockchains we are aware of. For Bitcoin's blockchain algorithm (under reasonable network assumptions), a coalition controlling over 1/4 of the mining power can improve its revenue using this attack.
by Itay Tsabary, Alex Manuskin, and Ittay Eyal on February 03, 2022
Prominent smart contracts, e.g., roll-ups, critically rely on timely confirmations of their transactions. Sadly, that's not how blockchains work, as confirmation times depend on transaction fees, where the required fee is determined by the volatile fee market. We present LedgerHedger, the first smart contract that facilitates a reservation for a future transaction confirmation. LedgerHedger is secure, incentive-compatible, and has low overhead for practical future-transaction parameters.
by Mahimna Kelkar on November 16, 2021
In current blockchain consensus protocols, a single miner or validator unilaterally controls the inclusion and ordering of transactions in a block. This form of temporary centralization is entirely at odds with the goals of decentralization. It also poses an acute problem for decentralized finance (DeFi). Arbitrageurs today are engaged in rampant collusion with miners to reorder transactions and extract profit at the expense of ordinary DeFi users. In the process of doing so, arbitrageurs are also participating in systemic bribery and even threatening the consensus stability of blockchains. So far in 2021, the impact of opportunistic transaction reordering - often called MEV or miner/maximal extractable value - has exceeded $550 million by one conservative estimate.
by Ittay Eyal on November 16, 2021
Securing digital assets like cryptocurrencies and NFTs is a tricky business, as demonstrated by numerous losses and heists. The challenge of storing digital assets applies equally to individuals and to larger actors - from companies to cryptocurrency exchanges to the largest financial services corporates. Digital assets are secured (almost exclusively) with cryptographic signing keys. But from the early days of Bitcoin it was clear that our mechanisms, which worked perfectly well in the olden days, are inadequate. Our mobile devices are (maybe) secure enough for our emails, but not for cash. Plastic cards work for authorizing transactions if we can cancel them with a phone call, but that's not the case with digital cash that has no 'undo'. Indeed, for securing digital assets it is not uncommon to use multiple keys.
by Tyler Kell, Haaroon Yousaf, Sarah Allen, Sarah Meiklejohn, and Ari Juels on September 22, 2021
Have you been offered the chance to earn unlimited passive income in cryptocurrency for life with no risks using a new technology called a smart contract? Congratulations! You may have just encountered a smart contract pyramid scheme.
by Yunqi Li, Sylvain Bellemare, Mikerah Quintyne-Collins, and Andrew Miller on April 21, 2021
In this post, we show how to provide privacy for smart contracts in a general-purpose way by using "Multiparty Computation (MPC) as a Sidechain". In this model, smart contract developers can label any of their member fields as "secret".
by Ari Juels, Ittay Eyal, and Mahimna Kelkar on March 07, 2021
There's a simple word for projects that seek to advantage miners while systematically exploiting blockchain users, say three researchers.
by Jun-You Liu, Surya Bakshi, Shreyas Gandlur, Ankush Das, and Andrew Miller on February 15, 2021
Payment channels are one of the fundamental approaches for scaling cryptocurrency networks. In the academic cryptography literature on payment channels, the universal composability (UC) framework has proven effective as a way of rigorously modeling them and giving security definitions. However, there has been a big gap between the UC model and the actual software implementations of payment channels designed and maintained by cryptocurrency developers, so those implementations do not get as much benefit from UC as they could. SaUCy is a project that aims to bridge the world of cryptocurrency developers with the UC framework.
by Deepak Maram and Harjasleen Malvai on January 12, 2021
Decentralized identity systems allow users to gather and manage their own credentials under the banner of self-created decentralized identifiers (DIDs). The key focus of DIDs is on shifting control of a credential into users' hands. Existing decentralized identity proposals, however, suffer from several problems. First and foremost, how do you bootstrap an ecosystem of credential issuers? It is unlikely that most existing legacy providers will suddenly switch and issue such credentials. Second, as with cryptocurrencies, DID systems burden users with managing their own keys, creating a significant risk of key loss. They also omit essential functionality, like resistance to Sybil attacks and the ability to detect misbehaving or sanctioned users. We address these problems by introducing CanDID in our new paper.
by Patrick McCorry on December 08, 2020
We have focused on building a non-custodial relayer, Infura Transaction Service (ITX), that takes a pre-signed message (e.g. meta-transaction), packs it into an Ethereum transaction and then gradually bumps the fee until it is mined in the blockchain.
by Scott Bigelow, Phil Daian, Stephane Gosselin, Alex Obadia, and Tina Zhen on November 23, 2020
Flashbots is a research and development organization formed to mitigate the negative externalities and existential risks posed by miner-extractable value (MEV) to smart-contract blockchains. We propose a permissionless, transparent, and fair ecosystem for MEV extraction to reinforce the Ethereum ideals.
by Sarah Allen, Srdjan Capkun, Ittay Eyal, Giulia Fanti, Bryan Ford, James Grimmelmann, Ari Juels, Kari Kostiainen, Sarah Meiklejohn, Andrew Miller, Eswar Prasad, Karl Wust, and Fan Zhang on September 04, 2020
Many central banks are considering, and some are even piloting, central bank digital currency. This column provides an overview of important considerations for central bank digital currency design. While central banks already provide wholesale digital currency to financial institutions, a retail central bank digital currency would expand access to more users and provide opportunities for innovative central banking. The design must balance these benefits with the potential risks created by retail central bank currency deployment.
by Sarah Allen, Srdjan Capkun, Ittay Eyal, Giulia Fanti, Bryan Ford, James Grimmelmann, Ari Juels, Kari Kostiainen, Sarah Meiklejohn, Andrew Miller, Eswar Prasad, Karl Wust, and Fan Zhang on July 23, 2020
In this paper, we enumerate the fundamental technical design challenges facing CBDC designers, with a particular focus on performance, privacy, and security. Through a survey of relevant academic and industry research and deployed systems, we discuss the state of the art in technologies that can address the challenges involved in successful CBDC deployment. We also present a vision of the rich range of functionalities and use cases that a well-designed CBDC platform could ultimately offer users.
by Itay Tsabary, Matan Yechieli, and Ittay Eyal on June 22, 2020
In this post, we outline the attack and its analysis, and the MAD-HTLC solution.
by Benjamin Chan and Elaine Shi on May 14, 2020
In this post, we describe an extraordinarily simple blockchain protocol called Streamlet. Consensus is a complex problem and has been studied since the 1980s. More recently, blockchain research has spawned many new works aiming for performance and ease of implementation. However, simple, understandable protocols remain elusive, and that's where Streamlet comes in.
by Ittay Eyal on February 26, 2020
Proof of Work (PoW) blockchains implement a form of State Machine Replication (SMR). Unlike classical SMR protocols, they are open, i.e., anyone can join the system, and the system incentivizes participants, called miners, to follow the protocol. Therefore, unlike classical SMR protocols, reasoning about blockchain security relies not only on bounding the number of malicious participants. One should crucially ask whether miners are indeed incentivized to follow the prescribed protocol. This is the topic of this post.
by Tiancheng Xie, Jiaheng Zhang, Yupeng Zhang, Charalampos Papamanthou, and Dawn Song on February 12, 2020 at 10:00 AM
Libra is a zero-knowledge proof protocol that achieves extremely fast prover time and succinct proof size and verification time. Not only does it have good complexity in terms of asymptotics, but also its actual running time is well within the bounds of enabling realistic applications. It can be applied in areas such as blockchain technology and privacy-preserving smart contracts. It is currently being implemented by Oasis Labs. This blog post is based on a paper authored by Tiancheng Xie, Jiaheng Zhang, Yupeng Zhang, Charalampos Papamanthou and Dawn Song.
by Michael Mirkin, Yan Ji, Jonathan Pang, Ariah Klages-Mundt, Ittay Eyal, and Ari Juels on December 17, 2019
We have discovered a denial-of-service attack on Bitcoin-like blockchains that is much cheaper than previously described attacks. Such blockchains rely on incentives to provide security. We show how an attacker can disrupt those incentives to cause rational miners to stop mining.
by Itay Tsabary, Alexander Spiegelman, and Ittay Eyal on December 04, 2019
Proof-of-work (PoW) mechanisms secure about 80% of the $250B cryptocurrency market. PoW requires system participants to expend computational resources, and protects the system from attackers who cannot expend resources at an equivalent rate. These systems operate in the permissionless setting and compensate their users with cryptocurrency, which has monetary value. As cryptocurrency prices soar, so do the invested resources, and Bitcoin expenditures alone are 0.24% of global electricity consumption. Arguably, this is superfluous, and lowering the ecological footprint justifies settling for a lower attack threshold.
by Yujin Kwon, Jian Liu, Minjeong Kim, Dawn Song, and Yongdae Kim on September 30, 2019
Decentralization is an essential factor that should be inherently considered in the design of blockchain systems. Even though people design systems for good decentralization, in practice, we often observe that blockchain systems are highly centralized. Bitcoin and Ethereum, as representative examples, are already well known to be highly centralized in terms of network and mining. In fact, poor decentralization appears not only in PoW-based coins but also in coins adopting other mechanisms such as proof-of-stake (PoS) and delegated proof-of-stake (DPoS).
by Bryan Ford and Rainer Böhme on September 23, 2019
If you think you have designed a permissionless decentralized system that is cleverly secured based on rationality assumptions, you haven't. This blog post, based partly on ideas from Rainer Böhme's talk at the recent BDLT Summer School in Vienna, sketches an argument that rationality assumptions are self-defeating in open permissionless systems with weak identities.
by Fan Zhang, Steven Goldfeder, and Ari Juels on September 03, 2019 at 02:00 PM
An oracle is a service that provides data to smart contracts or other systems. Oracles obtain their data from trusted websites. But even those that relay data correctly cannot safely access users' web-session data, because they can't enforce privacy. DECO is a privacy-preserving oracle protocol. Using cryptographic techniques, it lets users prove facts about their web (TLS) sessions to oracles while hiding privacy-sensitive data. DECO can make private and public web data accessible to a rich spectrum of applications, for blockchains and traditional (non-blockchain) systems.
by Aman Ladia and Andrew Miller on July 17, 2019
ZeroWallet is a new protocol that uses zero knowledge proofs to secure private keys with low-entropy passwords. It provides the convenience of brain wallets with a security guarantee comparable to third party multi-sig setups.
by Amani Moin and Kevin Sekniqi on May 07, 2019 at 09:30 AM
Some algorithmic stablecoins have proposed incorporating price feeds by asking their token holders. In this post, we point out that this mechanism is broken because of a fundamental incentive misalignment.
by Deepak Maram, Fan Zhang, and Ari Juels on April 05, 2019 at 09:00 AM
Achieving true decentralization requires decentralized cryptography. CHURP is a cryptographic protocol for secret sharing in decentralized settings. In such a setting where nodes may come and go, traditional secret sharing (e.g., Shamir's) is no longer secure. Featuring several fundamental innovations, CHURP accomplishes the mission while being 2300x more efficient than previous schemes!
by Soumya Basu, David Easley, Maureen O'Hara, and Emin Gün Sirer on January 22, 2019 at 11:31 AM
We describe why the fee market is fundamentally broken and propose an alternative fee mechanism that fixes the issues with the current fee market.
by Ethan Cecchetti, Ian Miers, and Ari Juels on August 06, 2018 at 06:00 PM
Ever raise a quarter billion dollars and need to solve a really hard problem? Well, neither did we, but we've been talking to Filecoin about helping solve one of theirs.
by Philip Daian, Tyler Kell, Ian Miers, and Ari Juels on July 02, 2018 at 03:22 PM
We explore the space of trust-minimizing coordination mechanisms for on-chain vote buying and exploitation in the permissionless model.
by Fan Zhang, Phil Daian, Iddo Bentov, and Ari Juels on January 18, 2018 at 09:30 AM
Suppose that N players share cryptocurrency using an M-of-N multisig scheme. If N-M+1 players disappear, the remaining ones have a problem: they've permanently lost their funds. In this blog post, we propose a solution to this critical problem using the power of trusted hardware.
by Karen Levy on January 17, 2018 at 01:00 PM
Guest blogger Prof. Karen Levy describes how contracts often include terms that are unenforceable, purposefully vague, or never meant to be enforced, how this helps set expectations, and what this means for smart contracts.
by Adem Efe Gencer, Soumya Basu, Ittay Eyal, Robbert van Renesse, and Emin Gün Sirer on January 15, 2018 at 07:37 AM
We have been examining the state of the Bitcoin and Ethereum networks over time. In a recent study, we examine the level of decentralization in these two networks, with some interesting takeaways for the future.
by Emin Gün Sirer on December 25, 2017 at 08:05 AM
Devising a lottery based off of a blockchain is a lot harder than it seems. Also, this is a parable for the Bitcoin blockchain debate.
by Phil Daian and Lorenz Breidenbach on December 13, 2017 at 08:00 AM
This post argues that the recently proposed EIPs to rescue the frozen ethers are dangerous.
by Lorenz Breidenbach, Phil Daian, Ari Juels, and Florian Tramèr on August 28, 2017 at 05:01 AM
We discuss a novel scheme for preventing (miner) frontrunning in Ethereum.
by Emin Gün Sirer on August 26, 2017 at 01:55 PM
Between miners, businesses and developers, people think that the developers have their best interests at heart. I discuss why this is a fallacy.
by Iddo Bentov, Lorenz Breidenbach, Phil Daian, Ari Juels, Yunqi Li, and Xueyuan Zhao on August 13, 2017 at 01:45 PM
This post examines decentralized exchanges.
by Emin Gün Sirer on July 31, 2017 at 04:20 AM
Shenanigans at Bitfinex are poised to mess up their accounting, confuse the price of BCC, and potentially bankrupt the already-bankrupt exchange.
by Lorenz Breidenbach, Phil Daian, Ari Juels, and Emin Gün Sirer on July 22, 2017 at 09:47 AM
We do a deep-dive into Parity's multisig bug.
by Emin Gün Sirer on July 20, 2017 at 05:18 AM
The bug in the Parity multisig wallet that caused the loss of $30M has the same root cause as a bug in the BitGo multisig wallet that I found a year ago.
by Patrick McCorry, Ethan Heilman, and Andrew Miller on July 11, 2017 at 07:20 PM
A new atomic trade protocol to allow two parties to publicly pledge support for different forks in the event a blockchain splits into two.
by Emin Gün Sirer and Phil Daian on June 19, 2017 at 10:18 AM
Bancor just raised $144M through the biggest ICO in history. We describe why their approach is flawed.
by Yan Ji, Ari Juels, and Fan Zhang on May 15, 2017 at 10:01 AM
Town Crier is an oracle service for smart contracts.
by Maria Apostolaki, Aviv Zohar, and Laurent Vanbever on May 01, 2017 at 10:48 AM
Cryptocurrencies are vulnerable to attacks targeting the network routing layer. In this guest post, Apostolaki, Zohar and Vanbever show that BGP attacks are back, and this time, they have a high value target.
by Emin Gün Sirer on April 05, 2017 at 08:48 PM
My quick reaction to the latest salvo of shots fired in the war between Core developers and miners.
by Emin Gün Sirer on February 27, 2017 at 10:33 AM
BitFury has been mining smallest-transactions-first. We argue why this is bad for Bitcoin.
by Phil Daian and Ari Juels on February 23, 2017 at 12:23 PM
Blockchains are beginning to turn green. This post describes some of the IC3 research in this direction.
by Adem Efe Gencer and Emin Gün Sirer on February 15, 2017 at 10:18 AM
We characterize the state of the Bitcoin network as of this year, and discover that it has improved by 70% in terms of bandwidth compared to last year alone.
by Adem Efe Gencer and Emin Gün Sirer on February 10, 2017 at 10:10 AM
Miniature world is an evaluation platform which provides a principled way of evaluating different blockchain proposals.
by Jim Ballingall on January 09, 2017 at 08:42 AM
As regulators take a closer interest in cryptocurrencies, IC3 faculty weigh in on if and how they should be regulated.
by Joshua Lind, Ittay Eyal, Peter Pietzuch, and Emin Gün Sirer on December 22, 2016 at 09:10 AM
We unveil a new technology for secure, high throughput, low latency Bitcoin transactions using secure hardware, on the current Bitcoin network.
by Adem Efe Gencer and Emin Gün Sirer on December 06, 2016 at 02:35 PM
We introduce the first workable sharding solution for blockchains.
by Philipp Jovanovic on August 04, 2016 at 12:57 PM
We introduce a novel consensus mechanism that greatly improves security, throughput, and transaction confirmation latency of blockchain-based cryptocurrencies.
by Emin Gün Sirer on August 03, 2016 at 07:20 AM
The Bitfinex attack, and similar heists from Bitcoin exchanges, are preventable with a small extension to Bitcoin.
by Emin Gün Sirer on July 19, 2016 at 06:15 PM
The Ethereum hard fork is in a few days. Having looked at the proposed hard fork code, I discuss what I believe is the weakest part of the HF code.
by Emin Gün Sirer on July 17, 2016 at 12:07 PM
Following a hard fork, there will be two chains. In cross-chain replay attacks, one can attack a smart contract by moving transactions from one chain to the other. Post describes a potential attack.
by Emin Gün Sirer on July 13, 2016 at 10:45 AM
Reentrancy bugs are difficult to catch. This distilled, illustrative example shows how even a diligently-written contract with invariant checks can go wrong.
by Ittay Eyal and Emin Gün Sirer on July 11, 2016 at 02:42 PM
We describe a general Decentralized Escape Hatch mechanism, suitable for DAOs and other smart contracts.
by Tjaden Hess, River Keefer, and Emin Gün Sirer on July 05, 2016 at 01:14 PM
Our discovery of a DoS vulnerability in Ethereum turns out to be a point of strength and censorship resistance for the currency.
by Tjaden Hess, River Keefer, and Emin Gün Sirer on June 28, 2016 at 09:22 AM
We identify a DoS vulnerability with Ethereum's proposed soft-fork for The DAO, and urge the community to be prepared for attacks, and to speed up the timetable for resolving the hard fork decision.
by Bill Marino on June 23, 2016 at 10:11 AM
IC3's resident lawyer-techie discusses why smart contracts need escape hatches and how to implement them.
by Phil Daian on June 18, 2016 at 01:11 AM
This post describes how the hacker who took $50+M from The DAO did it.
by Emin Gün Sirer on June 17, 2016 at 09:45 AM
The DAO was just hacked and a few million ether is missing. Here are my quick thoughts on what this means and where we go from here.
by Zikai Alex Wen and Andrew Miller on June 16, 2016 at 01:15 PM
In this post, we examine just how prevalent the recently discovered "unchecked-send" bug is in real, live, deployed Ethereum contracts, with the aid of an automated analysis tool we have developed.
by Emin Gün Sirer on June 13, 2016 at 09:15 AM
The DAO is under pressure to turn itself into a Ponzi. I explain the "natural-born Ponzi" mechanisms, and call for the community to be on guard for such proposals.
by Dino Mark, Vlad Zamfir, and Emin Gün Sirer on May 27, 2016 at 01:35 PM
We just published a draft article, urging a moratorium on The DAO until some security patches can be applied.
by Emin Gün Sirer on May 04, 2016 at 09:40 AM
I point out some of the pitfalls I see my colleagues fall into as Craig Wright's Satoshi saga unfolds.
by Emin Gün Sirer on May 02, 2016 at 04:00 PM
Craig Wright has made yet another claim to be Satoshi Nakamoto. This post describes what it takes to make a credible claim.
by Christian Decker and Emin Gün Sirer on April 29, 2016 at 08:48 AM
There was a Bitcoin transaction carrying a $137K fee. This post examines why transactions might carry such large fees, and rules out some explanations.
by Emin Gün Sirer on April 25, 2016 at 08:48 AM
There was a series of heists at ShapeShift, followed by an offered explanation. That offered explanation has more holes in it than Swiss cheese.
by Emin Gün Sirer on April 05, 2016 at 10:55 AM
My take on how software gets bloated, using a cautionary tale from the telephony world, with applications to Bitcoin.
by Emin Gün Sirer on March 01, 2016 at 12:15 PM
Some people claim that Bitcoin is eventually consistent. They are wrong. This post tries to dispel the myth and explain the right way to evaluate the consistency guarantees of distributed systems.
by Malte Möser, Ittay Eyal, and Emin Gün Sirer on February 29, 2016 at 01:15 PM
Bitcoin vaults have the potential to stop Bitcoin thefts from Bitcoin clients. This post answers some frequently asked questions about them.
by Malte Möser, Ittay Eyal, and Emin Gün Sirer on February 26, 2016 at 09:00 AM
We have come up with a simple and elegant technique for implementing hack-proof Bitcoin vaults, to deter Bitcoin thefts.
by Emin Gün Sirer on January 05, 2016 at 10:40 AM
Evidently, a requirement for becoming a CEO at a Bitcoin exchange or payments company is to believe that your company has no power and works entirely at the discretion of the miners. I try once again to correct this myth.
by Emin Gün Sirer on January 01, 2016 at 03:40 PM
I make the case that Bitcoin users have just as much of a say, or more, than all the miners combined. They wield this power through exchanges, and the exchanges need to live up to their responsibilities.
by Emin Gün Sirer and Ittay Eyal on December 30, 2015 at 09:30 AM
In an effort to bring the fruitless Bitcoin block size debate to a close, this post outlines Bitcoin-Unified, an approach to accommodate both small and large blocks.
by Emin Gün Sirer on December 23, 2015 at 11:00 AM
The phrase "developing the fee market" gets used a lot in Bitcoin circles. This post makes the case that this is a thinly veiled euphemism for jacking up the fees.
by Emin Gün Sirer on December 22, 2015 at 01:30 PM
Some people say that "if Bitcoin relies on altruism, then it has already failed." Bitcoin relies heavily on altruism, and it has not failed.
by Emin Gün Sirer on December 16, 2015 at 03:30 PM
I try to lay to rest a bad way to account for Bitcoin network costs and a flawed argument for exorbitantly high fees.
by Emin Gün Sirer on December 10, 2015 at 11:43 AM
The press is doing a fresh manhunt for Satoshi again. This post focuses on one of the effective techniques to recognize Satoshi if he were to walk among us.
by Emin Gün Sirer on December 02, 2015 at 02:13 PM
Peter Tschipper has been looking into compressing the Bitcoin messages on the wire using generic compressors. In this post, I discuss why generic compressors will not work well with Bitcoin, make the case for a custom compressor, and suggest that we run a community challenge to develop the best compressor.
by Emin Gün Sirer on November 13, 2015 at 12:08 PM
A modest suggestion on how to proceed with the block size debate, wherein we suggest explicitly defining the criteria for evaluating block size increase proposals.
by Ittay Eyal and Emin Gün Sirer on November 09, 2015 at 12:08 PM
We review some of the feedback we received on Bitcoin-NG and discuss why every new permission-less ledger would be better off with NG compared to the alternatives.
by Ittay Eyal and Emin Gün Sirer on October 14, 2015 at 01:05 PM
We introduce a new technique for increasing the throughput and reducing the latency, at the same time, of blockchain-based protocols.
by Ittay Eyal on August 17, 2015 at 02:35 PM
The recent Bitcoin blocksize debate demonstrates the need for a robust governance structure.
by Emin Gün Sirer on December 17, 2014 at 10:40 AM
There is a new craze in the Bitcoin world, and it's not good for Bitcoin.
by Ittay Eyal on December 03, 2014 at 12:15 PM
In a new analysis of Bitcoin mining, Ittay Eyal shows that the equilibrium between miners is unstable, and identifies a stable equilibrium that might, as a side effect, reduce the size of open, public mining pools.
by Emin Gün Sirer on November 30, 2014 at 09:17 AM
The state of computer security remains dismal, as evidenced by the lengths Bitcoin users must go to in order to secure their digital assets.
by Emin Gün Sirer on June 19, 2014 at 05:56 PM
This is a quick blog post to dispel a common Bitcoin misconception/myth involving voting power.
by Ittay Eyal and Emin Gün Sirer on June 18, 2014 at 02:03 PM
We outline a small change to the Bitcoin mining protocol that rules out big, public mining pools. It preserves the current investment in Bitcoin by both existing users and by existing miners. It presents a fix to GHash's recent 51% excursion.
by Ittay Eyal and Emin Gün Sirer on June 16, 2014 at 02:35 PM
There seems to be a lot of confusion over the kinds of attacks that a Bitcoin mining monopoly can engage in. We clarify the space of attacks available to a Bitcoin mining monopoly.
by Ittay Eyal and Emin Gün Sirer on June 13, 2014 at 02:05 PM
A Bitcoin mining pool, called GHash and operated by an anonymous entity called, just reached 51% of total network mining power today. Bitcoin is no longer decentralized. This note describes what we should do about it.
by Emin Gün Sirer on May 27, 2014 at 12:10 PM
Recent leaks of Mt. Gox trading history has caused people to claim that massive market manipulation was taking place. I argue that there is no evidence for this.
by Emin Gün Sirer on April 06, 2014 at 12:15 PM
The real story of how weak NoSQL systems allowed users to make money out of thin air and brought down two Bitcoin exchanges, one permanently.
by Emin Gün Sirer on April 05, 2014 at 05:00 PM
A quick summary of the red flags that preceded the demise of Neo & Bee, the latest Bitcoin startup from Cyprus.
by Emin Gün Sirer on March 22, 2014 at 09:08 AM
A story that explains every public utterance by a man who wrote his own SSH server in PHP.
by Emin Gün Sirer on March 01, 2014 at 09:35 AM
There are lots of theories about what may have happened at Mt. Gox. This post examines what may not have happened, and how to avoid that which did happen.
by Ittay Eyal and Emin Gün Sirer on January 15, 2014 at 12:25 PM
How to detect when someone in the network is engaged in selfish mining.
by Ittay Eyal and Emin Gün Sirer on January 01, 2014 at 11:13 PM
BTC Guild released a number of blocks in quick succession, making some people worry that they are selfish mining. We discuss the evidence.
by Robert Escriva on November 27, 2013 at 04:53 PM
Bitcoin was having problems with LevelDB. We identified and fixed the bug. In this article, we'll talk a little about LevelDB, Bitcoin, and our fix.
by Ittay Eyal and Emin Gün Sirer on November 25, 2013 at 03:15 PM
New measurements show that successful selfish mining attacks are quite feasible.
by Giray Pultar, Selcuk Pultar, and Emin Gün Sirer on November 21, 2013 at 07:53 AM
Bitcoin's unique features allow it to be used for social causes. A cash boycott is one such way to effect social change.
by Emin Gün Sirer on November 19, 2013 at 08:41 AM
The Feds testified exuberantly in favor of Bitcoins yesterday, driving the BTC price through the roof to $900 USD. This is my quick reaction to what happened and what we should do about it.
by Ittay Eyal and Emin Gün Sirer on November 17, 2013 at 02:40 PM
There is now a visual simulator for our selfish mining attack.
by Ittay Eyal and Emin Gün Sirer on November 14, 2013 at 09:45 AM
There have been some early, and often misplaced, responses to the vulnerabilities we discovered in the Bitcoin system. This post addresses them.
by Ittay Eyal and Emin Gün Sirer on November 10, 2013 at 10:36 AM
Came across a video describing how Bitcoin works for a non-techie audience.
by Ittay Eyal and Emin Gün Sirer on November 09, 2013 at 11:55 AM
The claim that our results were previously known to the Bitcoin community is specious.
by Ittay Eyal and Emin Gün Sirer on November 08, 2013 at 11:21 AM
Fairweather mining has been suggested to argue that selfish mining would be a short-lived strategy, but fairweather mining analysis is flawed because it does not take proofs of work into account.
by Emin Gün Sirer on November 06, 2013 at 10:30 AM
Policy regarding comments.
by Ittay Eyal and Emin Gün Sirer on November 05, 2013 at 10:30 AM
Some clarifications and answers to frequently asked questions about the selfish mining attack on Bitcoin.
by Ittay Eyal and Emin Gün Sirer on November 05, 2013 at 10:30 AM
If the health of your cryptocurrency requires Gordon Gekko to make sacrifices, it is doomed.
by Ittay Eyal and Emin Gün Sirer on November 04, 2013 at 10:30 AM
We discovered an attack against the Bitcoin mining protocol that can have a significant impact on the Bitcoin community.
by Emin Gün Sirer on June 20, 2013 at 09:05 AM
Introducing Virtual Notary, a free, novel service for attesting to online facts.