Blogs

The following blog post was originally published on 2 July 2018, in Hacking, Distributed (HD) — the site (run by Gün Sirer) where IC3 blog posts were originally published. When HD went offline, the post disappeared. We’re reviving it now, seven years later, because its ideas have proven to be so prescient. Its focus was on how trusted execution environments (TEEs) could be used to attack voting systems through private smart-contracts for bribery. For this idea, we coined the term Dark DAOs.

Risk-Aware Restaking took first place at this year’s IC3 Blockchain Camp hackathon. We sat down with project lead Roi Bar-Zur (Technion, IC3) to find out what they built, the technical hurdles they overcame during the hackathon, and what’s next for their project.

The authors examine interactive authentication mechanisms that could enhance wallet security, helping crypto users transact more safely.

Public key cryptography (PKC) is a fundamental technology that is a key enabler to the Internet and the whole client-server paradigm. Without public key cryptography there would be no cryptocurrencies, no online bank accounts, no online retail, etc.

The team behind Boquila, a proof of concept to obscure identifiable information from third-party websites, took the top spot at this year’s hackathon. We sat down with Mariarosaria Barbaraci and Jayamine Alupotha, two members of the winning team, to talk about what they built and their experience at this year’s IC3 Blockchain Camp.

In a three part series, we look at the “Snow” protocols that address the fundamental consensus problem and were introduced in a whitepaper by a group associated with AvaLabs that pioneered the Avalanche blockchain infrastructure. This is a post that consists of three parts. Part 1 appears here, part 2 and part 3 appear on the Crypto@Bern blog. This first part gives an overview of these Snow protocols and a summary of our findings.

The problems of maximal-extractable value (MEV) and front-running attacks have plagued decentralized finance (DeFi) in the recent years. We tackle the problem of sandwich attacks in general and introduce a protocol to transform any blockchain consensus algorithm into a new one that has the same security, but in which sandwich attacks are no longer profitable. Our protocol is fully decentralized with no trusted third parties or heavy cryptographic primitives. It makes existing blockchains resilient to such attacks in exchange for increased latency until consensus becomes final and by adding a small computational overhead.

Decentralized Autonomous Organizations (DAOs) are increasingly popular, and already managing many billions of dollars in treasuries. Their decentralized governance is a transformative new way of organizing communities. But as they grow, DAOs will face a new and potent threat to their decentralization - Dark DAOs. A Dark DAO is a private smart contract that targets a legitimate DAO, attacking its voting integrity by enabling vote-buying among its users. First considered in 2018, Dark DAOs haven’t yet appeared in the wild — but only because DAOs are not very decentralized today. As DAOs continue on a path to higher decentralization, Dark DAOs will inevitably surface. Vote-buying may be illegal in political elections, but in DAOs it’s probably legal. It’s legal in shareholder voting and there’s even a marketplace to facilitate it. Vote-buying in DAOs would follow the trend in Web3 of monetizing everything from people’s friends to maximal-extractable value (MEV).

Decentralized Autonomous Organizations, or DAOs, promise to revolutionize the ways that communities collaborate. The ‘D’ in DAO — the decentralization — is the critical ingredient. But the way most people in the Web3 community reason about DAO decentralization today is flawed. It fails to point the way toward sound DAO governance. Today, people commonly view decentralization in DAOs — and other Web3 projects — entirely in terms of how tokens are distributed among addresses. The Gini coefficient and similar measures of wealth inequality — such as entropy of token holdings — are popular metrics for this purpose. A high Gini coefficient over addresses in a DAO is “bad” - it means high concentration — dominant control by whales and other large holders. A low Gini coefficient, on the other hand, is “good,” indicating even distribution of tokens. Our new research shows that there are gaping blind spots in this view of DAO decentralization. Happily, we also show that it’s possible to do better.

The name “front-running” came from when a broker needs to deliver the clients’ orders to the trading desk physically. The term vividly describes how it works - an attacker who knows a large order could run ahead to execute a trade before the client’s order goes through. What is the incentive for someone to do that? Here is an example that explains why. Suppose a broker receives a large order from a client, say, buy 500,000 shares of a company’s stock. The order is big enough to drive up the share’s price. Knowing this information, an attacker can place his small order, say 10,000 shares of the same stock, before the large order. The attacker can sell his shares at a higher price when the price goes up after the large order went through. The formal definition of front-running is a practice of benefiting from the advanced knowledge of pending transactions. Although benefiting some entities involved, this practice puts others at a significant financial disadvantage, making this behavior illegal in traditional markets with established securities regulations.

Enhancing smart contract privacy is a critical stride towards the development of more useful blockchain applications. Trusted execution environments (TEEs) or secure enclaves are being used in multiple networks (Secret Network, Oasis Network, Obscuro, etc) to enable privacy without significantly increasing computational costs. However, the utilization of TEEs also brings forth challenges, specifically in designing secure network architectures that fully capitalize on the strengths of TEEs while mitigating potential risks. Our recent paper detailing several attacks on these TEE based blockchain networks that broke user privacy guarantees without doing the hard work of breaking into the TEE hardware.

TLDR - The Sting Framework (SF) is a new idea for bolstering the security of systems at risk of information leakage. SF addresses the case where a corrupt service (called a Subversion Service) arises that enables adversaries to exploit such leakage. SF presumes a player, called an informer, that wishes to alert the community to the presence of the corrupt service — either as a public service or to claim a bounty. SF enables the informer to generate a publicly verifiable proof that the corrupt service exists.

In today’s blockchain landscape, the life of a transaction is nasty, brutish, and short. Or, as some put it, a blockchain like Ethereum is a “dark forest” — a reference to a popular sci-fi novel in which the universe is filled with predatory civilizations.

A very interesting talk by Kelvin Fichter argues that zk rollups do not exist and how rollups actually work. Let’s take a fun snippet from it.

7 of the largest 10 stablecoins depegged as a massive bank run effect rippled across crypto. What happened and what the lessons are for the space. Starting Friday, March 11, and persisting through the weekend, most major stablecoins lost their peg and stablecoin liquidity virtually evaporated.

In this post, we take a look at trends in MEV that we believe have the opportunity to centralize and weaken the core mission and value proposition of cryptocurrency. We argue that the most important only exit from a future where power dynamics in cryptocurrency become centralized and predatory is through geographic decentralization. We then explore the relationship between geographic decentralization and privacy, which in our opinion will be a dominant economic phenomenon in the next decade of MEV evolution.

Independence from centralized institutions is among the most important of the revolutionary ideas at the heart of crypto. If you keep your crypto assets in a centralized exchange, the exchange holds them on your behalf. That means complete dependence on the integrity of the exchange. If it’s hacked or collapses, your funds can disappear.

In a paper we've released today, we introduce a new cryptographic notion that we call proofs of complete knowledge (CK). We also report on a prototype that offers a path to making CK practical for use with smartphones.

Last week the rest of the sgx.fail team and I posted a research preprint that included a vulnerability disclosure affecting Secret Network. Secret Network is the first smart contract system based on Trusted Execution Environments (TEEs) to go live in production. However, there are several rival projects with closely related tech that have launched public testnets, namely Oasis, Phala, and Obscuro. Our disclosure kicked off a broader discussion, with all these projects reaching out and/or making public statements (Phala’s), (Oasis’s), (Secret’s) explaining to what degree they would have been affected and about the mitigations they have in development. The four projects have been building most independently of each other, but TEE/SGX compromise presents a common threat to all of them, suggesting an opportunity to work together.

Atomic NFTs introduce new cryptographic techniques in order to enable NFT creators to prevent fractionalization of their NFTs. Our work promises to give creators stronger control over how their NFTs are bought and sold. We stress that Atomic NFTs are a preliminary research concept. More research needs to be done to make them truly practical. We believe, however, that practicality is on the horizon and that Atomic NFTs could someday become a standard option in NFT creation.

The Roosevelt Island Cornell Tech Tata Innovation Center is hosting The Initiative for CryptoCurrencies and Contracts an NFT Gallery Opening on Monday 3. You're invited to learn all about NFT Art.

Museums exist not just to house original works of art, but as shrines to be visited by art lovers. Physical works of art — oil paintings, for instance — look very different in person than in posters or digital images. I've spent twenty minutes staring at this Vermeer in person. I can assure you that the sacred hush magically rendered by the artist in the original painting is all but obliterated in reproduction. There’s another facet to appreciation of art, though, one that’s not just about brushstrokes or esthetic nuance. Why, after all, do people flock to see the Mona Lisa when they can barely make it out through the ten-foot thick protective barrier of tourists?

Applications want to retain database functionality when decentralizing their systems. Unfortunately, straightforward designs atop today's blockchain system fall short of this task. The current separation between the ordering layer and the application materialization layer in blockchain based designs precludes the design of expressive, and high performance transactional systems. In our recent work Basil - Breaking up BFT with ACID (transactions) we explore how to merge these layers for improved scalability and usability.

Bitcoin and blockchains - the technology that makes cryptocurrencies such as Bitcoin possible - have become inescapable phenomena in finance and even popular culture. Despite their rise in popularity, though, there is considerable bewilderment around blockchains and their capabilities. In this talk, Ari Juels, the Weill Family Foundation and Joan and Stanford I. Weill Professor at Cornell Tech and Co-Director of the Initiative for CryptoCurrencies and Contracts (IC3), will aim to demistify this intriguing technology. He will explain how blockchains mean much more than Bitcoin and indeed how blockchain-based digital apes may be harbingers of our future in leisure and the arts. We hope to see you at this virtual event.

The Nakamoto consensus protocol works in a permissionless model, where nodes can join and leave without notice. However, it guarantees agreement only probabilistically. Is this weaker guarantee a necessary concession to the severe demands of supporting a permissionless model? We show that, at least in a benign failure model, it is not. We present Sandglass, the first permissionless consensus algorithm that guarantees deterministic agreement and termination with probability 1 under general omission failures. Like Nakamoto, Sandglass adopts a hybrid synchronous communication model, where, at all times, a majority of nodes (though their number is unknown) are correct and synchronously connected, and allows nodes to join and leave at any time.

In traditional financial systems, time equals money and network latency - i.e., the time for messages to travel in a network - has an outsized impact. Recently, network latency has become critical in blockchain peer-to-peer (P2P) networks as well. Among other impacts, low-latency connections in P2P networks can advantage arbitrageurs by giving them the ability to exploit the trades of other users for financial gain. In this blog post, we summarize a recent paper of ours that explores P2P network latency. We present Peri, a practical strategy that selects peers with low latencies from a local view of the P2P network. we demonstrate how startegic agents, i.e., self-interested P2P network actors, can use Peri to manipulate network latency to their advantage.

Fine artists exercising unprecedented control of their own markets, high tech art, cartoon images of rocks selling for millions of dollars, scams, cult-like followings - the NFT market has it all! In this post, we will briefly survey the traditional art market abd the NFT fine art market. The convergence of these things - NFT technology and the traditional art market - leads us to make predictions for the future of the market and technology.

Many NFT and DAOs are designed to provide new or more convenient ways to own and sell creative works. Beeple's EVERYDAYS - The First 5000 Days sold at auction for $69 million. Some observers think that the Bored Ape Yacht Club's spectacular rise is due to its permissive copyright approach. Some artists and developers are diving in head-first.

The Selfish mining attack against blockchain protocols was discovered and formalized in 2013 by Eyal and Sirer (also see our blog post). The Bitcoin community has mentioned similar types of attacks in 2010. This attack remains a vulnerability of all operational blockchains we are aware of. For Bitcoin's blockchain algorithm (under reasonable network assumptions), a coalition controlling over 1/4 of the mining power can improve its revenue using this attack.

Prominent smart contracts, e.g., roll-ups, critically rely on timely confirmations of their transactions. Sadly, that's not how blockchain works, as confirmation times depend on transactions fees, where the required fee is determined by the volatile fee market. We present LedgerHedger, the first smart contract that facilitates a reservation for a future transaction confirmation. LedgerHedger is secure, incentive-compatible, and has low overhead for practical future-transaction parameters.

In current blockchain consensus protocols, a single miner or validator unilaterally controls the inclusion and ordering of transactions in a block. This form of temporary centralization is entirely at odds with the goals of decentralization. It also poses an acute problem for decentralized finance (DeFi). Arbitrageurs today are engaged in rampant collusion with miners to reorder transactions and extract profit at the expense of ordinary DeFi users. In the process of doing so, arbitrageurs are also participating in systemic bribery and even threatening the consensus stability of blockchains. So far in 2021, the impact of opportunistic transaction recording - often called MEV or miner/maximum extractable value - has exceeded $550 million by one conservative estimate.

Securing digital assets like cryptocurrencies and NFTs is a tricky business, as demonstrated by numerous losses and heists. The challenge of storing digital assets applies equally to individuals and to larger actors - from companies to cryptocurrency exchanges to the largest financial services corporates. Digital assets are secured (almost exclusively) with cryptographic signing keys. But from the early days of Bitcoin it was clear that our mechanisms, which worked perfectly well in the olden days, are inadequate. Our mobile devices are (maybe) secure enough for our emails, but not for cash. Plastic cards work for authorizing transactions if we can cancel them with a phone call, but that's not the case with digital cash that has no 'undo'. Indeed, for securing digital assets it is not uncommon to use multiple keys.

Have you been offered the chance to earn unlimited passive income in cryptocurrency for life with no risks using a new technology called a smart contract? Congradulations! You may have just encountered a smart contract pyramid scheme.

In this post, we show how to provide pivacy for smart contracts in a general purpose way by using "Multiparty Computation (MPC) as a Sidechain". In this model, smart contract developers can label any of their member fields as "secret".

There's a simple word for projects that seek to advantage miners while systematically exploiting blockchain users, say three researchers.

Payment channels are one of the fundamental approaches for scaling cryptocurrency networks. In the academic cryptography literature on payment channels, it has been effective to use universal composability (UC) framework as a way of rigorously modeling and giving security definitions. However, there's been a big gap between the UC model and the actual software implementations of payment channels that have been designed and maintained by cryptocurrency developers, not getting as much benefit from the UC as we could. SaUCy is a project that aims to bridge the world of cryptocurrency developers with the UC framework.

Decentralized identity systems allow users to gather and amnage their own credentials under the banner of self-created decentralized identifiers (DIDs). The key focus of DIDs is on shifting the control of a credential into users' hands. Existing decentralized identity proposals, however, suffer from several problems. First and foremost, how do you bootstrap an ecosystem of credential issuers? It is unlikely that most existing legacy providers suddenly switch and issue such credentials. Second, like with cryptocurrencies, DID systems burden users with managing their own keys creating a significant risk of key loss. They also omit essential functionality, like resistance to Sybil attacks and the ability to detect misbehaving or sanctioned users. We address these problems by introducing CanDID in our new paper.

We have focused on building a non-custodial relayer, Infura Transaction Service (ITX), that takes a pre-signed message (e.g. meta-transaction), packs it into an Ethereum transaction and then gradually bumps the fee until it is mined in the blockchain.

Flashbots is a research and development organization formed to mitigate the negative externalities and existential risks posed by miner-extractable value (MEV) to smart-contract blockchains. We propose a permissionless, transparent, and fair ecosystem for MEV extraction to reinforce the Ethereum ideals.

Flashbots is a research and development organization formed to mitigate the negative externalities and existential risks posed by miner-extractable value (MEV) to smart-contract blockchains. We propose a permissionless, transparent, and fair ecosystem for MEV extraction to reinforce the Ethereum ideals.

Many central banks are considering, and some are even piloting, central bank digital currency. This column provides an overview of important considerations for central bank digital currency design. While central banks already provide wholesale digital currency to financial institutions, a retail central bank digital currency would expand access to more users and provide opportunities for innovative central banking. The design must balance these benefits with the potential risks created by retail central bank currency deployment.

In this paper, we enumerate the fundamental technical design challenges facing CBDC designers, with a particular focus on performance, privacy, and security. Through a survey of relevant academic and industry research and deployed systems, we discuss the state of the art in technologies that can address the challenges involved in successful CBDC deployment. We also present a vision of the rich range of functionalities and use cases that a well-designed CBDC platform could ultimately offer users.

In this post, we outline the attack and its analysis, and the MAD-HTLC solution.

In this post, we described an extraordinarily simple blockchain protocol called Streamlet. Consensus is a complex problem and has been studied since the 1980s. More recently, blockchain research has spawned many new works aiming for performance and ease-of-implementation. However, simple, understandable protocols remain elusive, and that's where Streamlet comes in.

Proof of Work (PoW) Blockchains implement a form of State Machine Replication (SMR). Unlike classical SMR protocols, they are open, i.e., anyone can join the system, and the system incentivizes participants, called miners, to follow the protocol. Therefore, unlike classical SMR protocols, reasoning about blockchain security relies not only on bounding the number of malicious participants. One should crucially ask whether miners are indeed incentivized to follow the prescribed protocol. This is the topic of this post.

We have discovered a denial-of-service attack on Bitcoin-like blockchains that is much cheaper than previously described attacks. Such blockchains rely on incentives to provide security. We show how an attacker can disrupt those incentives to cause rational miners to stop mining.

Proof-of-work (PoW) mechanisms secure about 80% of the $250B cryptocurrency market. PoW requires system participants to expend computational resources, and protects the system from attackers who cannot expend resources at an equivalent rate. These systems operate in the permissionless setting and compensate their users with cryptocurrency, having a monetary value. As cryptocurrency prices sore so do the invested resources, and Bitcoin expenditures alone are 0.24% of the global electricity consumption. Arguably, this is superfluous, and lowering the ecological footprint justifies settling for a lower attack threshold.

Decentralization is an essential factor the should be inherently considered in the design of blockchain systems. Even though people design systems for good decentralization, in practice, we often observe that blockchain systems are highly centralized. Bitcoin and Ethereum, as representative examples, are already well known to be highly centralized in terms of network and mining. In fact, poor decentralization appears not only in PoW-based coins but also in coins adopting other mechanisms such as proof-of-stake (PoS) and delegated proof-of-stake (DPoS).

If you think you have designed a permissionless decentralized system that is cleverly secured based on rationality assumptions, you haven't. This blog post, based partly on ideas from Rainer Böhme's talk at the recent BDLT Summer School in Vienna, sketches an argument that rationality assumptions are self-defeating in open permissionless systems with weak identities.

ZeroWallet is a new protocol that uses zero knowledge proofs to secure private keys with low-entropy passwords. It provides the convenience of brain wallets with a security guarantee comparable to third party multi-sig setups.