Unrealized manipulating attack

Security
1

Unrealized manipulation attack

Building on the 3 kinds of one-epoch inactivation attack in [1] and collusive Byzantine strategies, we propose six new Unrealized manipulation attack strategies. These attacks exploit collusion among adversaries to keep the honest chain inactive, and then use a single adversarial block with sufficient votes to connect to an unrealized block and reorganize the honest blocks on the chain, causing losses to honest validators. The specific strategy below illustrates the idea:

Strategy 1

un-1-exante+sandwich.png
un-1-exante+sandwich.png1986Ă—552 46.8 KB

  1. During epochs e and e\!+\!1, except for slot t and slot t\!+\!32, all Byzantine votes are collusively sent only to the final Byzantine proposer v_k in epoch e\!+\!1. This proposer does not continue to extend the current honest chain; instead, it sets the parent to be the first block in epoch e that contains 1/3 voting weight (the block proposed at slot t\!+\!18), and withholds releasing b_k.
  2. Launch a sly-ex-ante attack against the honest validators in epoch e, and perform a single sly-sandwich attack against the honest validators in epoch e\!+\!1.
  3. In epoch e\!+\!2, the Byzantine proposer at slot t\!+\!64 proposes b_{k2} with parent b_k, and releases b_k and b_{k2} simultaneously within the first 4 seconds so as to justify cp_e and roll back the honest branch.

Strategy 2

un-2-exante+4s.png
un-2-exante+4s.png1980Ă—570 55.6 KB

  1. During epochs e and e+1, except for slot t, all Byzantine votes are collusively sent only to the final Byzantine proposer v_k in epoch e+1. This proposer does not continue to extend the current honest chain; instead, it sets the parent to be the first block in epoch e that contains 1/3 voting weight (the block proposed at slot t+18), and withholds releasing b_k.
  2. Launch a sly-ex-ante attack against the honest validators in epoch e, and perform one sly-1/3-slot-withhold attack against the honest validators in epoch e+1.
  3. In epoch e+2, the Byzantine proposer at slot t+64 proposes b_{k2} with parent b_k, and releases b_k and b_{k2} simultaneously within the first 4 seconds so as to justify cp_e and roll back the honest branch.

Strategy 3

un-3-sandwich+sandwich.png
un-3-sandwich+sandwich.png1896Ă—477 48.9 KB

  1. During epochs e and e+1, except for slot t+32, all Byzantine votes are collusively sent only to the final Byzantine proposer v_k in epoch e+1. This proposer does not continue to extend the current honest chain; instead, it sets the parent to be the first block in epoch e that contains 1/3 voting weight (the block proposed at slot t+18), and withholds releasing b_k.
  2. Launch a sly-sandwich attack against the honest validators in epoch e, and also launch a sly-sandwich attack against the honest validators in epoch e+1.
  3. In epoch e+2, the Byzantine proposer at slot t+64 proposes b_{k2} with parent b_k, and releases b_k and b_{k2} simultaneously within the first 4 seconds so as to justify cp_e and roll back the honest branch.

Strategy 4

un-4-sandwich+4s.png
un-4-sandwich+4s.png2016Ă—484 51.9 KB

  1. During epochs e and e+1, all Byzantine votes are collusively sent only to the final Byzantine proposer v_k in epoch e+1. This proposer does not continue to extend the current honest chain; instead, it sets the parent to be the first block in epoch e that contains 1/3 voting weight (the block proposed at slot t+18), and withholds releasing b_k.
  2. Launch a sly-sandwich attack against the honest validators in epoch e, and launch a sly-1/3-slot-withhold attack against the honest validators in epoch e+1.
  3. In epoch e+2, the Byzantine proposer at slot t+64 proposes b_{k2} with parent b_k, and releases b_k and b_{k2} simultaneously within the first 4 seconds so as to justify cp_e and roll back the honest branch.

Strategy 5

un-5-4s+sandwich.png
un-5-4s+sandwich.png1560Ă—497 39.8 KB

  1. During epochs e and e+1, except for slot t+32, all Byzantine votes are collusively sent only to the Byzantine proposer v_k in the last slot of epoch e+1. This proposer does not continue to extend the current honest chain; instead, it sets the parent to be the first block in epoch e that contains 1/3 voting weight (the block proposed at slot t+18), and withholds releasing b_k.
  2. Launch a sly-1/3-slot-withhold attack against the honest validators in epoch e, and launch a sly-sandwich attack against the honest validators in epoch e+1.
  3. In epoch e+2, the Byzantine proposer at slot t+64 proposes b_{k2} with parent b_k, and releases b_k and b_{k2} simultaneously within the first 4 seconds so as to justify cp_e and roll back the honest branch.

Strategy 6

un-6-4s+4s.png
un-6-4s+4s.png1496Ă—392 35 KB

  1. During epochs e and e+1, all Byzantine votes are collusively sent only to the Byzantine proposer v_k in the last slot of epoch e+1. This proposer does not continue to extend the current honest chain; instead, it sets the parent to be the first block in epoch e that contains 1/3 voting weight (the block proposed at slot t+18), and withholds releasing b_k.
  2. Launch a sly-1/3-slot-withhold attack against the honest validators in epoch e, and also launch a sly-1/3-slot-withhold attack against the honest validators in epoch e+1.
  3. In epoch e+2, the Byzantine proposer at slot t+64 proposes b_{k2} with parent b_k, and releases b_k and b_{k2} simultaneously within the first 4 seconds so as to justify cp_e and roll back the honest branch.

Attack Extension Strategies

In fact, the six attack strategies we described above are only the most basic “take-what-you-get” strategies. In real attack scenarios, we can further leverage the three kinds of one-epoch inactivation attack in [1] to keep additional epochs inactive, thereby amplifying the attack. For example, for the six strategies above, if the proposer at slot t+64 is Byzantine; or if the proposer at slot t+64 is honest while the proposers at slots t+63 and t+62 are both Byzantine; or if the proposer at slot t+64 is honest while the proposers at slots t+63 and t+65 are Byzantine, then the adversaries can proceed to launch a third-stage one-epoch inactivation attack that causes epoch e+2 to become inactive. Immediately afterwards, the Byzantine proposer in the last slot of epoch e+2 can set as parent the first block in epoch e that contains \frac{1}{3} of the voting weight, thereby rolling back an additional epoch of honest blocks and attestations…

By the way, for all the attack strategies above, if b_{k2} is the block of the first slot then it is unnecessary to launch a one-epoch inactivation attack against epoch e+1. If b_{k2} is a later block, then that one-epoch inactivation attack must be carried out.

References

[1]Fang, Y. (2025, October 27). One-Epoch Inactivation and Pistol Attacks. Ethresear.Ch. https://ethresear.ch/t/one-epoch-inactivation-and-pistol-attacks/23351

1 Like
2

Hello, thank you for your efforts. I would like to ask the following questions:

  1. Why should the byzantine votes be sent to the last Byzantine proposer in epoch e+1?
  2. I think once b_k is released, it can already justify the checkpoint of epoch e. Why is b_{k2} still needed?
3

Thank you very much for your questions. First, b_k can be sent to any Byzantine proposer in epoch e+1 that is not involved in the one-epoch inactivation attack, and it can be released before the unrealized justified slot of the next epoch.
Second, if b_k is released with a delay, then b_{k2} is not necessary to justify cp_e. Thanks again.