Short Paper: I Can’t Believe It’s Not Stake! Resource Exhaustion Attacks on PoS

  • Sanket KanjalkarEmail author
  • Joseph KuoEmail author
  • Yunqi LiEmail author
  • Andrew MillerEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11598)


We present a new resource exhaustion attack affecting several chain-based proof-of-stake cryptocurrencies, and in particular Qtum, a top 30 cryptocurrency by market capitalization ($300M as of Sep ’18). In brief, these cryptocurrencies do not adequately validate the proof-of-stake before allocating resources to data received from peers. An attacker can exploit this vulnerability, even without any stake at all, simply by connecting to a victim and sending malformed blocks, which the victim stores on disk or in RAM, eventually leading to a crash. We demonstrate and benchmark the attack through experiments attacking our own node on the Qtum main network; in our experiment we are able to fill the victim’s RAM at a rate of 2MB per second, or the disk at a rate of 6MB per second. We have begun a responsible disclosure of this vulnerability to appropriate development teams. Our disclosure includes a Docker-based reproducibility kit using the Python-based test framework. This problem has gone unnoticed for several years. Although the attack can be mitigated, this appears to require giving up optimizations enjoyed by proof-of-work cryptocurrencies, underscoring the difficulty in implementing and deploying chain-based proof-of-stake.


  1. 1.
    Azouvi, S., Maller, M., Meiklejohn, S.: Egalitarian society or benevolent dictatorship: the state of cryptocurrency governance. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 127–143. Springer, Heidelberg (2019). Scholar
  2. 2.
    Bentov, I., Gabizon, A., Mizrahi, A.: Cryptocurrencies without proof of work. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 142–157. Springer, Heidelberg (2016). Scholar
  3. 3.
    Böhme, R., Christin, N., Edelman, B., Moore, T.: Bitcoin: economics, technology, and governance. J. Econ. Perspect. 29(2), 213–38 (2015)CrossRefGoogle Scholar
  4. 4.
    Brown-Cohen, J., Narayanan, A., Psomas, C.A., Weinberg, S.M.: Formal barriers to longest-chain proof-of-stake protocols. arXiv preprint arXiv:1809.06528 (2018)
  5. 5.
    Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). Scholar
  6. 6.
    Fan, L., Zhou, H.S.: A scalable proof-of-stake blockchain in the open setting (or, how to mimic nakamoto’s design via proof-of-stake). Cryptology ePrint Archive, Report 2017/656 (2017).
  7. 7.
    Juels, A., Brainard, J.G.: Client puzzles: a cryptographic countermeasure against connection depletion attacks. In: NDSS, vol. 99, pp. 151–165 (1999)Google Scholar
  8. 8.
    Narayanan, A., Bonneau, J., Felten, E., Miller, A., Goldfeder, S.: Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction. Princeton University Press, Princeton (2016)zbMATHGoogle Scholar
  9. 9.
    O’Dwyer, K., Malone, D.: Bitcoin mining and its energy footprint. In: IET Conference Proceedings. The Institution of Engineering & Technology (2014)Google Scholar
  10. 10.
    Parno, B., Wendlandt, D., Shi, E., Perrig, A., Maggs, B., Hu, Y.C.: Portcullis: protecting connection setup from denial-of-capability attacks. ACM SIGCOMM Comput. Commun. Rev. 37(4), 289–300 (2007)CrossRefGoogle Scholar
  11. 11.
    Pass, R., Shi, E.: Fruitchains: a fair blockchain. In: Proceedings of the ACM Symposium on Principles of Distributed Computing, pp. 315–324. ACM (2017)Google Scholar

Copyright information

© International Financial Cryptography Association 2019

Authors and Affiliations

  1. 1.University of Illinois Urbana Champaign (UIUC)UrbanaUSA

Personalised recommendations