Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Manipulating deposit contract to gain an early majority #1446

paulhauner opened this issue Oct 24, 2019 · 2 comments


Copy link

@paulhauner paulhauner commented Oct 24, 2019

This issue describes a feasible way to gain a dishonest majority in the first two epochs.


  • The shuffling of the first two epochs is determined only by the number of active validators (v).
  • v can only vary by at most n, where n = eth1_gas_limit / gas_for_deposit (I think this is ~100).

Gaining an early dishonest majority

If an attacker can control their index in the deposit tree (this seems feasible), then it would take n * (SLOTS_PER_EPOCH / 2) validators to ensure they control 50% of the validators in either the first or second epochs.


Influencing future shuffling

An attacker with a block-producer majority gains the standard 1-bit of control by submitting/withholding a block.

Additionally, an attacker can also choose thier randao reveal (to some degree) by choosing their private key. Note that the attacker has a long time (now until genesis) to compute these private keys.

Some rough calculations show that gaining full control of future shufflings is infeasible, but some degree of control is possible.

Breaking eth1 linking

If used with above attack (influencing future shuffling), it may be feasible for the attacker to produce a majority of the blocks the ETH1_VOTING_PERIOD and break the eth1-linking.

We have not looked into the feasibility of this attack.

Additional Comments

Setting v seems to be an instance of "eth1 transaction ordering attack" on smart contracts. Here are some ways to set v:

  • Be an eth1 miner and supress transactions.
  • Use known gas-war techniques to manipulate the ordering of deposits.
    • 1 ether deposits can be used to cheapen this attack.

This comment has been minimized.

Copy link

@djrtwo djrtwo commented Oct 25, 2019

As discussed, Paul and I agreed that the simplest way to avoid this attack is to use the eth1_block_hash as the initial randao_mix for the genesis state. Even if an attacker can control the sort of v, the attacker is not likely to have more than a few bits of influence on the given eth1 genesis block hash. Thus even if they can bias this initial shuffling, it won't be in such a magnitude that would be beneficial to carrying out the above attacks.

protolambda added a commit that referenced this issue Oct 25, 2019
…eth1 hash
protolambda added a commit that referenced this issue Oct 25, 2019
…eth1 hash
djrtwo added a commit that referenced this issue Oct 28, 2019
Implement solution for #1446, based on suggested use of eth1 hash

This comment has been minimized.

Copy link

@djrtwo djrtwo commented Oct 28, 2019

closed via #1447

@djrtwo djrtwo closed this Oct 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.