Updates:

Originally posted on Oct 22 2016 as “The Ongoing Ethereum Attacks (Work In Progress)”, but renamed after finding the links to the mining pools.

05:55 Oct 23 2016 UTC – First estimate of the number of accounts created by the SUICIDE opcode is 19,041,840 by retrieving the information from Parity. The original estimate was manually computed by viewing the transactions in etherscan.io, which did not pick up most of the empty accounts. Compare to 777,647 real accounts. That’s why your syncing has been taking such a long time.

13:48 Oct 25 2016 UTC – added further analysis by /r/Jey_s_TeArS to the bottom of the Summary section.

21:47 Oct 25 2016 UTC – added comment by /r/DwarfPool to the bottom of the Summary section.

Summary

The Ethereum network has been undergoing a series of attacks since the Devcon2 Ethereum Developers Conference on Sep 18 2016. The Ethereum network activated a hard fork on Oct 19 2016 that successfully stopped the spam transaction attack. Less than a day after the hard fork, a new wave of attacks was executed by the attacker, but these attacks have had less impact on the Ethereum network.

The attacks have , for the moment at least. The attacker may have given up as the second wave of attacks have had little impact on the network.

The attacker’s transactions have been anonymous until now. The tracing of the transactions below eventually led to the transactions showing that the attacker has used the services of the and mining pools. These mining pool transactions could reveal the attacker’s IP address, assuming none of the accounts involved have had their private keys stolen.

Whether anyone will pursue the attacker is unknown at this point in time. The attacker could be the same , or someone who wants us to think that. Some of the attacking accounts donated a few Classic ethers (ETC) to the , the same account . And both attackers made the same measly order of donation to the Ethereum Classic development fund.

One positive aspect of these attacks is the improvement of the security of the Ethereum network while it is still in its early phase.

Overall, the Ethereum network kept on chugging along despite the repeated attacks. Many nodes crashed in the first attack, but due to the diversity in node clients, the network continued running. With the spam transaction attacks, node clients were slowed down, especially nodes with limited RAM and non-solid-state storage. With the many-millions-of-empty-accounts attack, node clients were slowed down further. Users had trouble syncing their full node wallets. Transactions could not be submitted with normal fees – some transaction fees were raised to up to 45x the normal fee, since a higher fee prioritises the transaction. Large smart contracts could not be deployed as the miners were advised to lower the gasLimit to reduce the effects of the spam transactions. Some miners started mining blocks with zero transactions for fear of slowing down their nodes. But the network kept on chugging along and hopefully will . A very nice resilient network decentralised over nodes.

Update 13:48 Oct 25 2016 UTC – User /r/Jey_s_TeArS on the reddit post writes:

Following the quick I made on the way back from Shanghai I was pointing to an address that is almost empty now and was initially funded by a tx from shapeshift, among other tx from shapeshift: I have been harassing the customer service of shapeshift and obtained these two BTC tx used to fund some of the attackers' addresses

If you care to carry on investigating let me know if I can be of any help.

Click here for /r/Jey_s_TeArS's "quick analysis".

Hope it helps, I had great fun in Shanghai with you guys… The contract involved :

edit bis: looks like the attack is now (2315287) slowing down, the last tx to the contract involved was made 1 hour ago. Some of the addresses listed below also interacted with what looks like a copy of the attacking contract.

edit bis bis: Tx to the contract are now (2318227) going fast and with low fees (0.006) but multiple attacking transactions get included in blocks, see . The current fee for the DoS tx seems to be settled now at 0.027 eth. If a tx is included in a block every 15 sec, this attack is costing 6.48 eth per hour or 155.52 eth per day. At 2312624, the sum of the balances of the addresses calling the contract (see below) is 150 eth, so expect at least 24 hours of trouble.

edit: I guess due to the pools and miners adapting their gaslimit and gasprice the tx fee of the attacker is now up to 0.03465 (+28%)

The Contract creator: Note that this address has created a lot of similar contracts 6 days ago between block 2271721 and block 2272038 and resumed creating contracts 4 days ago at 2282288 to 2283381. This address is almost empty now and was initially funded by a tx from shapeshift:

There are 15 addresses related to the contract so far (analysis done at 2312453) and 1 address (a contract) that received a transaction from it. You can watch it on :

There are 10 addresses calling the contract that have the same pattern of creation; those addresses were all loaded from Poloniex between 2300996 and 2301016:

This address was funded multiple times (all initially from shapeshift) and is also calling the contract:

There is only one address that received something from the contract: Note that this is a contract created by the same person (0x0c35a2… ) 5 days ago at 2282288

Furthermore those 3 addresses are also related to the contract and probably used for testing, receiving funds 6 days ago around block 2278648:

These “testing addresses” lead to this contract address : the address that created the currently used contract (0x0c35a2e…) interacted with it.

Update 21:47 Oct 25 2016 UTC – User /r/DwarfPool on the reddit post writes:

IP addresses were known a long time ago; I also wrote to ethcore-team ISP of attackers. But how can it help?

Update 01:18 Oct 22 2016 UTC – A Perl script and the raw data for the 6 known offensive contracts are available in .

Posted on and .

The First Wave Of Attacks

The first attack started on block at Sep-18-2016 06:04:56 PM +UTC (01:04:56 Sep 19 Shanghai time) and targeted the go-ethereum geth clients, causing a across the network. Part of the design of the Ethereum network is the diversity of node clients. While geth (implemented in Go) crashed, Parity (implemented in Rust) and EthereumJ (implemented in Java) kept the network running.

was released on Sep 19 with the code change.

The Offensive Transactions

The offensive transactions were both:

geth memory crash transaction – in @ Sep-18-2016 06:04:56 PM +UTC from to contract

Spam DoS transaction – in at Sep-18-2016 06:04:56 PM +UTC from to contract

The geth Memory Crash Contract

The geth memory crash contract :

Was created in in at Sep-18-2016 05:56:48 PM +UTC from

Sent :
First in at Sep-18-2016 05:59:17 PM +UTC
geth memory crash trigger in at Sep-18-2016 06:04:56 PM +UTC
Last in at Sep-21-2016 05:08:37 PM +UTC
The list of accounts sending the transaction is:

The Spam DoS Transaction Contract

The spam DoS transaction contract :

Was created in in at Sep-18-2016 05:18:59 PM +UTC from

Sent :
First in at Sep-18-2016 06:04:56 PM +UTC
Last in at Oct-04-2016 04:46:37 PM +UTC
The list of MANY accounts sending the transaction includes:
This was funded from ShapeShift2 in at Sep-08-2016 02:08:32 PM +UTC
This was funded from Poloniex in at Sep-21-2016 03:51:18 PM +UTC
This was funded from at Oct-01-2016 01:58:01 AM +UTC, which was funded from Poloniex in at Sep-21-2016 09:54:26 PM +UTC
This was funded from ShapeShift in at Sep-17-2016 11:00:54 PM +UTC
This was funded from Poloniex in at Sep-21-2016 03:49:32 PM +UTC
This was funded from at Oct-01-2016 02:11:03 AM +UTC, which was funded from Poloniex in at Sep-21-2016 09:54:26 PM +UTC
This was funded from Poloniex in at Sep-21-2016 03:49:04 PM +UTC
This was funded from Poloniex in at Sep-21-2016 03:48:12 PM +UTC
This was funded from ShapeShift in at Sep-17-2016 10:45:54 PM +UTC
This was funded from ShapeShift in at Sep-17-2016 10:42:28 PM +UTC
This was funded from at Oct-01-2016 02:11:03 AM +UTC, which was funded from Poloniex in at Sep-21-2016 09:54:26 PM +UTC
This was funded from at Oct-01-2016 02:11:03 AM +UTC, which was funded from Poloniex in at Sep-21-2016 09:54:26 PM +UTC
This was funded from Poloniex in at Sep-21-2016 03:48:29 PM +UTC
This was funded from Poloniex in at Sep-21-2016 03:51:04 PM +UTC

Has the following opcodes (only the beginning shown), showing the offensive EXTCODECOPY opcode:

PUSH2 0x2800
PUSH1 0x00
DUP1
PUSH20 0x4ce312538aa0b69740cbabfbfd8a2a8e628f660d
EXTCODECOPY
PUSH1 0x00
JUMPDEST
DUP1
MLOAD
PUSH13 0x01000000000000000000000000
SWAP1
DIV
PUSH20 0x66726f6d7368616e67686169776974686c6f7665
SWAP1
XOR
EXTCODESIZE
POP
PUSH1 0x14
ADD
DUP1
PUSH2 0x2800
EQ
ISZERO
PUSH2 0x001e
JUMPI
POP
PUSH2 0x2800
PUSH1 0x00
DUP1
PUSH20 0x89ad4426e629368ecb9d63ab01e5ca538fbdc1a4
EXTCODECOPY
...
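To see what the listing above actually does, here is a small EVM assembler/disassembler written as an added example for this post (it is not the post's own tooling or any client's code). It re-assembles the mnemonics shown above into bytecode, disassembles them back, checks that the loop's PUSH2 0x001e / JUMPI pair lands on the JUMPDEST at offset 0x1e, annotates the two account-touching opcodes with their base gas before and after EIP-150 (the Gas Reprice hard fork covered further down), and decodes the PUSH20 immediate that the loop XORs against. Reading the loop: the first EXTCODECOPY copies 0x2800 (10,240) bytes of another contract's code into memory, then each iteration loads a word, shifts it down to its top 20 bytes, XORs it with the key and calls EXTCODESIZE on the resulting address, so one copied block drives 512 trie lookups. The opcode bytes are from the Yellow Paper and the gas figures (20 before, 700 after) are from EIP-150; the listing text is copied from this post.

```python
"""Tiny EVM assembler/disassembler for the spam DoS contract listing above.
Added example for this post, not the post's own tooling. Opcode bytes follow
the Yellow Paper; the EIP-150 gas figures are from that EIP; the listing is
the post's own text."""

MNEMONICS = {
    0x01: "ADD", 0x04: "DIV", 0x14: "EQ", 0x15: "ISZERO", 0x18: "XOR",
    0x3b: "EXTCODESIZE", 0x3c: "EXTCODECOPY", 0x50: "POP", 0x51: "MLOAD",
    0x56: "JUMP", 0x57: "JUMPI", 0x5b: "JUMPDEST", 0xff: "SUICIDE",
}
MNEMONICS.update({0x60 + n: f"PUSH{n + 1}" for n in range(32)})
MNEMONICS.update({0x80 + n: f"DUP{n + 1}" for n in range(16)})
MNEMONICS.update({0x90 + n: f"SWAP{n + 1}" for n in range(16)})
OPCODES = {name: op for op, name in MNEMONICS.items()}

# Base gas of the two account-touching opcodes in the loop: before -> after EIP-150.
GAS_BEFORE_AFTER = {"EXTCODESIZE": (20, 700), "EXTCODECOPY": (20, 700)}

# Input: the 31 instructions of the listing above (taken from the post's text).
SPAM_CONTRACT_LISTING = """
PUSH2 0x2800 PUSH1 0x00 DUP1 PUSH20 0x4ce312538aa0b69740cbabfbfd8a2a8e628f660d EXTCODECOPY
PUSH1 0x00 JUMPDEST DUP1 MLOAD PUSH13 0x01000000000000000000000000 SWAP1 DIV
PUSH20 0x66726f6d7368616e67686169776974686c6f7665 SWAP1 XOR EXTCODESIZE POP
PUSH1 0x14 ADD DUP1 PUSH2 0x2800 EQ ISZERO PUSH2 0x001e JUMPI POP
PUSH2 0x2800 PUSH1 0x00 DUP1 PUSH20 0x89ad4426e629368ecb9d63ab01e5ca538fbdc1a4 EXTCODECOPY
"""


def assemble(listing):
    """Turn 'MNEMONIC [0xIMMEDIATE]' tokens into EVM bytecode."""
    code, tokens, i = bytearray(), listing.split(), 0
    while i < len(tokens):
        name = tokens[i]
        code.append(OPCODES[name])
        i += 1
        if name.startswith("PUSH"):                # PUSHn is followed by n immediate bytes
            width = int(name[4:])
            code += int(tokens[i], 16).to_bytes(width, "big")
            i += 1
    return bytes(code)


def disassemble(code):
    """Return a list of (offset, mnemonic, immediate bytes or None)."""
    instrs, pc = [], 0
    while pc < len(code):
        op, start, imm = code[pc], pc, None
        name = MNEMONICS.get(op, f"INVALID_0x{op:02x}")
        pc += 1
        if 0x60 <= op <= 0x7f:                     # PUSH1..PUSH32
            width = op - 0x5f
            imm, pc = code[pc:pc + width], pc + width
        instrs.append((start, name, imm))
    return instrs


def jumpi_targets_are_jumpdests(instrs):
    """Every 'PUSHn target; JUMPI' pair must point at a JUMPDEST, or the jump faults."""
    dests = {off for off, name, _ in instrs if name == "JUMPDEST"}
    targets = [int.from_bytes(imm, "big")
               for (_, n1, imm), (_, n2, _) in zip(instrs, instrs[1:])
               if n1.startswith("PUSH") and n2 == "JUMPI"]
    return bool(targets) and all(t in dests for t in targets)


def xor_key_as_ascii(instrs):
    """The PUSH20 feeding 'SWAP1 XOR' is the key that unmasks each 20-byte slice."""
    for (_, n0, imm), (_, n1, _), (_, n2, _) in zip(instrs, instrs[1:], instrs[2:]):
        if n0 == "PUSH20" and n1 == "SWAP1" and n2 == "XOR":
            return imm.decode("ascii")
    return None


def loop_gas(copy_size=0x2800, step=0x14):
    """EXTCODESIZE calls per copied block, and their base gas before/after the reprice."""
    calls = copy_size // step
    before, after = GAS_BEFORE_AFTER["EXTCODESIZE"]
    return calls, calls * before, calls * after


def annotate(instrs):
    """Readable listing with the EIP-150 note on the opcodes the reprice targeted."""
    lines = []
    for off, name, imm in instrs:
        line = f"{off:04x}  {name}" + (f" 0x{imm.hex()}" if imm is not None else "")
        if name in GAS_BEFORE_AFTER:
            before, after = GAS_BEFORE_AFTER[name]
            line += f"    ; base gas {before} -> {after} after EIP-150"
        lines.append(line)
    return lines


if __name__ == "__main__":
    instrs = disassemble(assemble(SPAM_CONTRACT_LISTING))
    print("\n".join(annotate(instrs)))
    print("JUMPI target is a JUMPDEST:", jumpi_targets_are_jumpdests(instrs))
    print("EXTCODESIZE calls per block, gas before/after:", loop_gas())
    print("XOR key as ASCII:", xor_key_as_ascii(instrs))
```

The XOR key decodes to the ASCII string the attacker left in the bytecode, and `loop_gas()` makes the economics of the reprice concrete: the 512 EXTCODESIZE calls driven by one 10 KB copy cost 10,240 gas before the fork and 358,400 after it, which is why the same transactions became uneconomic once the Gas Reprice hard fork activated.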

The Account Bloat Attack

The attacker sent low cost transactions to create many millions of empty accounts on the Ethereum blockchain, slowing down the processing of the Ethereum node clients.

Update 05:55 Oct 23 2016 UTC – First estimate of the number of accounts created by the SUICIDE opcode is 19,041,840 by retrieving the information from Parity. The original estimate was manually computed by viewing the transactions in etherscan.io, which did not pick up most of the empty accounts. Compare to 777,647 real accounts. That’s why your syncing has been taking such a long time.

User on the reddit post provided two addresses involved in the creation of the many millions of empty accounts:

SUICIDE empty account creator contract – . This contract was created in from , which was funded from Poloniex and is traced above. This contract:
First in at Oct-11-2016 03:55:16 PM +UTC
Last in at Oct-13-2016 10:36:09 PM +UTC
Has transactions executed against it, 1 for the creation and 4750 to execute the offensive code. Of the 4750 transactions, 4,746 generated 500 empty accounts each and the last 4 ran out of gas and generated only 121 empty accounts each. In total ~(4 x 121) + (4,746 x 500) = 2,373,484 empty accounts were created. Here's one of the 500-empty-account creation transaction listings:

And here’s one of the empty accounts created:

CREATE empty account creator contract – . This contract was created in in at Oct-12-2016 12:16:02 AM +UTC from , which was mined 434 days ago and is traced below. This contract:
First in at Oct-12-2016 12:20:16 AM +UTC
Last in at Oct-18-2016 01:50:28 PM +UTC
Has transactions executed against it, 1 for the creation and 34,148 to execute the offensive code. Each of the 34,148 transactions created an empty account. Here's one of the creation transactions:

And here’s one of the empty accounts created:

A total of ~2,373,484 + 34,148 = 2,407,632 empty accounts were created. This is what the next state bloat hard fork intends to clean up.
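The mechanism behind these numbers is easier to see in a toy state model, added here as an example for this post (it is not the post's own code, nor any Ethereum client's). It reproduces the pre-fork rule that a SUICIDE to a never-seen address materialises that address in the state even when zero value is transferred, so each attacker transaction leaves behind a batch of nonce-0, balance-0, code-less accounts; it then applies the EIP-161 "empty account" test in two ways: as the one-off pruning pass the state-clearing hard fork mentioned above performs, and as the per-transaction rule that deletes touched-but-empty accounts so the same transactions create nothing after the fork. Addresses are constructed with SHA-256 for determinism, which is not how CREATE derives real addresses; the transaction counts passed to `estimated_bloat()` are the post's own figures.

```python
"""Toy account-state model for the empty-account bloat described above.
Added example for this post; not the post's or any client's code. Address
derivation is a constructed stand-in, not the real CREATE scheme."""
import hashlib
from dataclasses import dataclass


@dataclass
class Account:
    nonce: int = 0
    balance: int = 0
    code: bytes = b""

    def is_empty(self):
        """EIP-161 'empty' test: no code, zero nonce, zero balance."""
        return self.nonce == 0 and self.balance == 0 and self.code == b""


def fresh_address(seed, i):
    """Constructed deterministic 20-byte address (not how CREATE derives real ones)."""
    return "0x" + hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()[:40]


class State:
    def __init__(self, state_clearing=False):
        self.accounts = {}
        self.state_clearing = state_clearing   # EIP-161 behaviour on or off
        self.touched = set()

    def touch(self, addr):
        """Pre-EIP-161 semantics: merely touching an address materialises it."""
        self.touched.add(addr)
        return self.accounts.setdefault(addr, Account())

    def suicide(self, contract, beneficiary):
        """SUICIDE: move the contract's balance to the beneficiary and delete the
        contract. The beneficiary is touched even when the value is 0, which is
        what left empty accounts behind before EIP-161."""
        balance = self.accounts.pop(contract, Account()).balance
        self.touch(beneficiary).balance += balance

    def end_transaction(self):
        """After EIP-161 every account touched in the tx that is still empty is
        removed; before it nothing happens and the empties persist in the trie."""
        if self.state_clearing:
            for addr in self.touched:
                if addr in self.accounts and self.accounts[addr].is_empty():
                    del self.accounts[addr]
        self.touched.clear()


def bloat_transaction(state, seed, count):
    """One attacker transaction: spawn `count` throwaway contracts that each
    SUICIDE to a never-seen address while holding zero balance."""
    for i in range(count):
        child = fresh_address(f"child-{seed}", i)
        state.touch(child).code = b"\xff"       # stand-in for a contract that just SUICIDEs
        state.suicide(child, fresh_address(f"victim-{seed}", i))
    state.end_transaction()


def count_empty(state):
    return sum(1 for a in state.accounts.values() if a.is_empty())


def prune_empty(state):
    """The one-off cleanup the state-clearing hard fork performs: drop every empty account."""
    empties = [addr for addr, a in state.accounts.items() if a.is_empty()]
    for addr in empties:
        del state.accounts[addr]
    return len(empties)


def estimated_bloat(full_txs=4746, per_tx=500, oog_txs=4, per_oog_tx=121, create_txs=34148):
    """Reproduces the post's total from its own transaction counts."""
    return full_txs * per_tx + oog_txs * per_oog_tx + create_txs


if __name__ == "__main__":
    before = State(state_clearing=False)
    before.touch("0x" + "11" * 20).balance = 10 ** 18   # one constructed real account
    bloat_transaction(before, "tx1", 500)
    print("empties after one pre-fork tx:", count_empty(before))
    print("pruned by cleanup pass:", prune_empty(before), "remaining:", len(before.accounts))
    after = State(state_clearing=True)
    bloat_transaction(after, "tx1", 500)
    print("accounts left by the same tx post-EIP-161:", len(after.accounts))
    print("post's estimate of empty accounts:", estimated_bloat())
```

Run pre-fork, one 500-SUICIDE transaction leaves 500 empty accounts beside the single real one and the cleanup pass removes exactly those 500; run with state clearing on, the identical transaction leaves nothing behind, which is the property the next hard fork relies on.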

The Gas Reprice Hard Fork

, activated a Gas Reprice hard fork on at Oct-18-2016 01:19:31 PM +UTC rendering the spam DoS transactions above obsolete.

The Second Wave Of Attacks

As reported in , a new wave of attacks commenced less than a day after the Gas Reprice hard fork involving the two following contracts:

The Second Wave – The First Contract

The contract :

Was created in in at Oct-19-2016 09:38:25 AM +UTC from . The ethers from this account were over 434 days ago.

Sent :
First in at Oct-19-2016 09:42:42 AM +UTC
Last in at Oct-19-2016 12:22:11 PM +UTC

The Second Wave – The Second Contract

The contract :

Was created in in at Oct-19-2016 11:36:21 AM +UTC from . The ethers from this account were over 434 days ago.

Sent :
First in at Oct-19-2016 11:41:53 AM +UTC
Last in at Oct-20-2016 12:27:05 PM +UTC
The reason why this stopped (temporarily?) is that all the accounts, including , , and , ran out of ethers, and the attacker must be asleep.

Bingo!

The account was funded in at Oct-12-2016 11:07:27 PM +UTC from :

Account was funded in at Oct-12-2016 07:26:30 PM +UTC from :

Account was funded from Ethpool in at Aug-09-2015 12:17:46 AM +UTC and DwarfPool1 in at Mar-08-2016 03:36:49 AM +UTC many times until at May-26-2016 06:06:47 PM +UTC:

Some of these pools require the IP address the miner is mining from to confirm the miner's credentials.

requires IP address confirmation for changes in account settings, and stores the miner's IP address, and would therefore have an association between the miner's account and IP address:

And here is the attacker’s :

The attacker earned around 26 ETH mining at DwarfPool in April 2016. This is the equivalent of about 125 MH/s, or 4 x R9 390X GPUs (my 125 MH/s solo miner earned 5 blocks or ~25 ETH in the same period):

User asked on “How could the ip be used? Couldn’t be using a proxy or vpn?”.

The attacker could use a proxy, VPN or Tor to hide their IP address, but it is highly unlikely they would have done so. It is far easier to hide the association between your IP address and your Ethereum mining rewards account just by solo mining. And this pool mining was conducted before the idea of The DAO was floated, with the juicy USD 50 million bug in the code. The attacker could have planned these attacks well in advance, but why would they bother pool mining if they could just solo mine anonymously with higher profitability, compared to pool mining via a proxy/VPN/Tor that adds some latency to the pool mining process?

I think it was a slip up using a traceable account to mount the attacks.

So my guess would be – a C, C++, Java, Assembly Language developer, mid 30s to mid 40s, male, small time miner with the rig small enough to fit in the unit or house, basement or garage, 5 foot 8 inches, long hair :-). And the IP address will point directly to the attacker’s home, but someone will have to get the IP address from DwarfPool and then find out the physical address or owner from the ISP. I don’t know whether the three-letter-acronym agencies would bother. We could set up a prediction event on or and place our bets.

The Ethereum Classic And The DAO Hacker Connection

User on the reddit post wrote:

It hasn’t come up yet in the thread, but 15 hrs after the attacks finished they dumped into account . This is our public etc dev account, and is not involved with the attack. The funds received will be frozen, same as the dao funds received as far as I’m concerned.

As traced on , The DAO hacker donated 1,000 ETC out of their 3,642,408.5276 ETC (~USD 3.7 million) The DAO hack booty to the same in at Sep-05-2016 22:34:13 UTC. This same account was sent ETC from some of the spam DoS transaction accounts listed above, including 1.7754 ETC from the account in at Oct-20-2016 12:28:31 UTC.

Coordinated Spam Or Lone Operative

A lone operative could easily have been behind the attack, as sending out the spam transactions is easy to automate.

Meanwhile, multiple people were banned for a day from the Polo TrollBox while overexcitedly discussing whether the attacks were the work of “coordinated spam or lone operative”.