Over 25 Proof-of-Stake (PoS) cryptocurrency networks are identified vulnerable to ‘fake stake’ attack. If experts are to be believed, this vulnerability can enable a node with a very small stake to overwhelm competing nodes with false data and crash them. And when the competing nodes are gone, the attacking nodes will have a majority of stake on the crypto network. This can allow it to conduct a 51% attack as the only validating node.
The ‘fake stake’ attack was brought to limelight by Decentralized Systems Lab at the University of Illinois at Urbana Champaign. Researchers there when analyzing cryptocurrency codebases noted that when all the coins affected had begun with a Bitcoin codebase and dropped in PoS as an alternative to Bitcoin’s Proof-of-Work. In their analysis researchers wrote:
We call the vulnerabilities we found ‘Fake Stake’ attacks. Essentially, they work because PoSv3 implementations do not adequately validate network data before committing precious resources (disk and RAM). The consequence is that an attacker without much stake (in some cases none at all) can cause a victim node to crash by filling up its disk or RAM with bogus data. We believe that all currencies based on the UTXO and longest chain Proof-of-Stake model are vulnerable to these ‘Fake Stake’ attacks.
What makes the cryptocurrency networks vulnerable is that affected coins (including Peercoin and Qtum) “do not adequately validate network data before committing precious resources (disk and RAM).”
The researchers began contacting affected cryptocurrencies in October last year, but they failed to reach to all of them. They observed that many affected crypto projects had introduced code that made them much harder to perform. The researchers went on to conclude that the increase in difficulty of the attack is not an adequate substitute for requiring full validation of data.
The Proof-of-Work (PoW) is considered to be more than just a means for competitive mining and increased security in Bitcoin. It is said that PoW acts as a guard to access to a node’s limited resources, namely disk, bandwidth, memory, and of course CPU. One means to avert resource exhaustion attacks is that Bitcoin nodes must first check the PoW for any received blocks and only then commit additional resources, like storing the block in RAM or on disk. One major drawback is that checking a Proof-of-Stake is a more complicated and context-sensitive method than validating a Proof-of-Work.
In conclusion, Proof-of-Stake systems must keep track of all chains in progress. Any existing chain in the network can become the longest, and the node must follow the longest. Closely tracking competing chains is difficult. Researchers explain:
Validating these off-the-main-chain blocks is difficult. To fully validate the block, you need the set of unspent coins (UTXOs) at the time of the previous block. Bitcoin keeps the UTXO set for the current tip of the best chain, but not for all the other past blocks a fork could start from.
Adopting this design can help boost the resources required to participate in the network as a staking node. All the staking nodes with an attacking node might have no notion as to why their software is failing. The blockchains that have implemented fixes to overcome the vulnerability are Qtum, Emercoin, Particl, and NavCoin.