Security flaws found in 26 low-end cryptocurrencies

A group of four academics from the University of Illinois at Urbana-Champaign in the US has discovered two security flaws that impact 26 (Proof-of-Stake, PoS) cryptocurrencies.

The two security flaws, researchers said, "allow a network attacker with a very small amount of stake to crash any of the network nodes running the corresponding software."

The vulnerabilities are extremely dangerous because they can allow an attacker to crash rival network nodes to gain a 51 percent majority for his own malicious servers and be in a position to control a currency's entire blockchain transactions, a state that could favor fraudulent operations and the theft of user funds.

Researchers explained their findings in a Medium blog post published yesterday, January 22. The first of the two vulnerabilities has been explained in finer detail in a research paper that the University of Illinois team plans to present at the Financial Cryptography 2019 conference next month.

"Many cryptocurrencies are in fact forks (or at least descendants) of Bitcoin's codebase, with the PoS functionality grafted in," the researchers wrote on Medium. "However, some design ideas are copied over insecurely, leading to new vulnerabilities that did not exist in the parent codebase."

"We call the vulnerabilities we found 'Fake Stake' attacks," researchers said. "Essentially, they work because PoSv3 implementations do not adequately validate network data before committing precious resources (disk and RAM)."

"The consequence is that an attacker without much stake (in some cases none at all) can cause a victim node to crash by filling up its disk or RAM with bogus data."

The researcher team says it discovered the two issues last August and began contacting affected cryptocurrencies in October. Some cryptocurrency dev teams weren't informed because their GitHub account appeared to have become inactive.

A list of impacted cryptocurrencies is available below, also available online, here.

StratisX is listed in the table, but by the time researchers published their work, the cryptocurrency switched from the vulnerable C++ codebase to a new C# port that wasn't vulnerable to the Fake Stake attacks.

Most of the vulnerable cryptocurrencies are low-end virtual currencies, with Qtum being the highest-ranked on the CoinMarketCap index, on position #30.

Some cryptocurrencies deployed mitigations, but the research team doesn't appear to be satisfied with the way some dev teams patched the reported bugs.

"All these mitigations make the attack difficult to carry out but are still no substitute for full validation," they said.

Demo code for reproducing the two vulnerabilities is available on GitHub, in case the developers of other PoS-based cryptocurrencies want to test their code for Fake Stake attacks as well.

2018's worst cryptocurrency scams, cyberattacks (in pictures)

More security coverage:

• DHS issues security alert about recent DNS hijacking attacks
• Temporary fix available for one of the two Windows zero-days released in December
• Mystery still surrounds hack of PHP PEAR website
• Websites can steal browser data via extensions APIs
  
• Security researchers take down 100,000 malware sites over the last ten months
• Popular WordPress plugin hacked by angry former employee
• Apple to host 2,000 free coding lessons at European stores CNET
  
• 62% of all Internet sites will run an unsupported PHP version in 10 weeks TechRepublic