Humans are a critical link in the security of any complex system, and blockchains are no exception. Sometimes, even basic assumptions are not met in practice; we observed that some service providers or users do not properly check transactions, whether purposefully (for latency benefits) or inadvertently (due to operational mistakes). These unexpected behaviors pose new challenges to blockchain security. The first part of this talk will examine a network-layer vulnerability—a “blockchain amplification attack.” Some Ethereum nodes appear to sidestep transaction validation to achieve lower latency, making them vulnerable to a flood of invalid transactions. We quantify the damage of this attack through mathematical modeling, network monitoring, and local simulation, and compare it with the potential economic gains of latency reduction. The second part focuses on a wallet-level attack—“blockchain address poisoning.” Attackers generate addresses resembling the address of the victim’s intended recipient to fool the victim into sending their assets to the attacker by mistake. We develop a detection algorithm to scan two years of Ethereum and Binance Smart Chain (BSC) data, characterize attack patterns, extrapolate large attack groups, and bound the attacker’s computational capability through measurement and simulation. We will also discuss our initiatives to make our research accessible to end users.