Disclosure letter: Liveness Attacks against the Vechain Thor Consensus

Report date: May 25, 2024

Attacking target: Vechain Thor consensus protocols

The whitepaper claims its liveness as

In a practical synchronous model, new blocks could always be finalized.

Key deliveries
Our attack undermines VeChain’s finalization mechanism (in particular, FOB VIPs/assets/vip220.pdf at master · vechain/VIPs · GitHub). By coordinating N/3 malicious block proposers (N represents the total number of nodes) —to vote ‘0’ on the blocks they generate, and leveraging the chain’s fork-choice protocol (similar to the method used in Attack II), we strategically cause the next N/3 blocks produced by honest nodes to be discarded. Consequently, the proportion of proposers voting ‘1’ fails to reach the necessary two-thirds majority, rendering the blocks unable to achieve finalization. This effectively disrupts the Vechain’s finalization mechanism.

Attacking strategy
In particular, by employing tactics such as refusing to vote and delaying the broadcasting of blocks, our attack creates forks and reduces the count of honest voters to below two-thirds. This prevents the latest block on the chain from being finalized, effectively undermining the chain’s finalization mechanism and liveness property.

To clearly explain our strategy, we consider the current time as T, and label the time for the n-th block in the future as T+N. We refer to the n-th malicious actor as M(n) and the n-th honest node as H(n). Here’s how the attack unfolds:

1. Every malicious actor votes 0 on the blocks they produce.
2. These malicious actors then create blocks and share them only with each other.
3. After a period, specifically at time T+2N, all malicious actors release their blocks to the entire network.

pasted image 0 (2)1600×527 94.9 KB

The above tactic creates two separate chains of blocks, each n blocks long. Based on how the network decides between competing chains, the blocks from the malicious actors, M(n), end up being chosen as the best blocks. This occurs between T+N+1 and T+2N. Consequently, the blocks from the n honest nodes are discarded, or “rolled back”. Since less than two-thirds of the total voters cast a positive vote, the network fails to finalize these blocks. This disrupts the chain’s ability to reach a consensus on the most recent valid block.

We put more details as follows: Vulnerability Report: Adaptive Attacks against the Vechain Thor Consensus | by Vulnerabilities and Exposures | Jun, 2024 | Medium

The original post of a potential liveness attack on the VeChainThor blockchain is a correct and true statement. The described attack vector suggests that if one-third of the nodes collude, they can prevent the finalization of the network. However, this vulnerability is not unique to the VeChainThor blockchain but applicable to many blockchains.

The attack involves a single or group of malicious actors controlling one-third of the validator nodes. By voting ‘0’ on blocks they generate and coordinate their actions, they can disrupt the consensus mechanism. This prevents the necessary two-thirds majority required for block finalization, effectively stalling finalization of the network. It is worth noting that blocks will continue to be produced, transactions will continue to be processed and the gain will continue to grow.

It’s crucial to understand that this type of attack is not confined to the VeChainThor blockchain. For example; if a group of miners controls 51% of the Bitcoin mining power, they could disrupt the network by generating empty blocks or creating competing forks, preventing transaction confirmations. On Ethereum similar vulnerabilities exist where collusion among a significant number of validators can impede finalization.

While the attack is theoretically possible, several factors mitigate its feasibility;
Economically speaking it would cost approximately $29 million, at the current market value, for a single or group of entities to control and operate one-third of the validator nodes in the network. This high entry barrier significantly reduces the risk of such an attack.

The Know Your Customer (KYC) procedures that are part of the VeChainThor blockchain Proof of Authority (PoA) mechanism ensures that validators are verified, reducing the likelihood of a single entity gaining control over a significant portion of the network.

VeChain aims for a diverse set of validators on the VeChainThor blockchain which are geographically and organizationally diverse. This diversity is critical in preventing collusion and ensuring that no single entity can easily control one-third of the validators.

VeChain’s governance structure promotes decentralization, making it difficult for a single entity to gain undue influence.

Continuous monitoring and auditing of validator activities help detect and mitigate any coordinated malicious actions early.

In conclusion while the theoretical possibility of a liveness attack exists, VeChainThor’s robust economic barriers, stringent PoA mechanism, strive for validator diversity and decentralized governance significantly mitigate the risks. It is important to continue enhancing these measures and remaining vigilant against potential threats to ensure the ongoing security and stability of the VeChainThor blockchain.

A Theoretical Look at Finality in VeChain’s PoA Model

Recently, I came across this blog post which outlines how VeChain achieves fast finality under a PoA-based design. The mechanism is quite interesting and reflects a common practice in the industry, including Ethereum—namely, adding finality guarantees to accelerate transaction confirmation.

VeChain claims:

“In a practical synchronous model, new blocks could always be finalized.”

This claim suggests that, under synchrony assumptions, every new block can be finalized promptly and reliably. However, from a theoretical security perspective—particularly under the standard assumption that up to 1/3 of participants can be Byzantine—this statement unfortunately does not hold.

A Theoretical Analysis

As stated in the referenced post, in each round, VeChain assigns 86 slots to proposers, chosen independently and uniformly at random from a set of 101 sealers.

Assuming 1/3 of the sealers are malicious (i.e., about 34 out of 101), we want to know the probability that at least 67 honest sealers are selected at least once during the 86 slots. This threshold is necessary to reach a 2/3 supermajority and finalize a block.

The probability that a particular sealer is not selected in a given round is:

(100 / 101)^86 ≈ 0.4250

So the probability that a sealer is selected at least once is:

1 - (100 / 101)^86 ≈ 0.5750

Letting this be the success probability p, the number of sealers selected at least once follows a binomial distribution B(101, p). We then compute the probability that at least 67 honest sealers are selected in a round:

P[at least 67 honest sealers selected] ≈ 0.0438

Since finalization typically requires two consecutive rounds with ≥2/3 honest participation, the overall finalization probability for a block becomes:

0.0438^2 ≈ 0.0019

This is extremely low, meaning that—even in a synchronous network—it is highly unlikely for blocks to be finalized under this setup when 1/3 of the sealers are Byzantine.

Final Thoughts

Admittedly, assuming a 1/3 malicious stake that remains active and adversarial is a strong and pessimistic assumption. In practice, this might not always be the case. However, from a theoretical standpoint, it shows that VeChain’s design cannot guarantee finality under standard adversarial models.

This highlights a broader issue: when protocols claim “always-final” guarantees, it’s important to ask under what assumptions those guarantees truly hold.