This work has been accepted at the 19th IEEE International Conference on Trust, Security and Privacy in Computing and
Communications (IEEE TrustCom 2020)
Modelling Attacks in Blockchain Systems using
Petri Nets
Md. Atik Shahriar, Faisal Haque Bappy, A. K. M. Fakhrul Hossain, Dayamoy Datta Saikat,
Md Sadek Ferdous, Mohammad Jabed M. Chowdhury and Md Zakirul Alam Bhuiyan§
Department of Computer Science & Engineering, Shahjalal University of Science & Technology, Sylhet, Bangladesh
Imperial College Business School, Imperial College London, London, UK
Department of Computer Science & Information Technology, La Trobe University, Melbourne, Australia
§Department of Computer & Information Sciences, Fordham University, NY, USA
Email: {md.atikshahriar728, hbfaisal66, a.k.m.fakhrul.hossain, dayamoydatta96}@gmail.com,
sadek-cse@sust.edu, m.chowdhury@latrobe.edu.au, mbhuiyan3@fordham.edu
Abstract—Blockchain technology has evolved through many
changes and modifications, such as smart-contracts since its
inception in 2008. The popularity of a blockchain system is due to
the fact that it offers a significant security advantage over other
traditional systems. However, there have been many attacks in
various blockchain systems, exploiting different vulnerabilities
and bugs, which caused a significant financial loss. Therefore,
it is essential to understand how these attacks in blockchain
occur, which vulnerabilities they exploit, and what threats they
expose. Another concerning issue in this domain is the recent
advancement in the quantum computing field, which imposes
a significant threat to the security aspects of many existing
secure systems, including blockchain, as they would invalidate
many widely-used cryptographic algorithms. Thus, it is important
to examine how quantum computing will affect these or other
new attacks in the future. In this paper, we explore different
vulnerabilities in current blockchain systems and analyse the
threats that various theoretical and practical attacks in the
blockchain expose. We then model those attacks using Petri nets
concerning current systems and future quantum computers.
Index Terms—Blockchain, Security, Quantum Computing,
Petri Net, STRIDE, Attack Modelling, Threat Modelling
I. INTRODUCTION
Blockchain technology (or blockchain in short) has emerged
as a fundamental technology that offers security through
cryptography and consensus mechanisms and addresses single
point-of-failure and single point-of-trust issues. The trans-
parency and immutability of the blockchain enable storing
publicly provable and indisputable records [1]. Moreover, the
introduction of smart-contracts in blockchain has expanded its
utility horizon beyond crypto-currency [2]. Indeed, blockchain
is being applied in many application domains: from cryptocur-
rencies to Internet of Things (IoT), healthcare, & financial
systems, supply chain management, and so on.
Although blockchain is considered more secure than many
traditional systems, recent reports have shown the security
risks correlated with this technology. For example, in the first
half of January 2019, Coinbase, a digital currency exchange,
observed repeated deep reorganisations of the Ethereum Clas-
sic blockchain, most of which contained double-spending
worth $1.1 million [3]. As of February 2018, it has been
estimated that hackers have stolen nearly $2 billion worth
of crypto-currency in total since the beginning of 2017 [4].
The most (in)famous attack in the history of the blockchain
may be the DAO attack on Ethereum stealing more than $60
million [5]. Attackers stole $450 million from MtGox by
exploiting transaction mutability in Bitcoin in March 2014,
which caused the Bitcoin trading platform to go bankrupt
[6]. $72 million worth of Bitcoins were stolen from Bitfinex,
another currency exchange platform, in 2016 [7]. All those
attacks were performed using classical computers. On the other
hand, the quantum computing paradigm is advancing quite
fast. Soon, we may get quantum computers more powerful
than current supercomputers. Advancements in the quantum
computing field will pose a significant threat to the security
aspects of many existing secure systems, including blockchain,
as they would invalidate many widely-used cryptographic
algorithms, creating a new avenue for attackers. To ensure
a wide-range adoption of blockchain systems, it is crucial
to understand how these attacks in blockchain occur, which
vulnerabilities they exploit, and what threats they expose. This
paper aims to explore this avenue.
Contributions. In this paper, we explore various vulnerabil-
ities that current blockchain systems have and the vulnera-
bilities that are only exploitable by quantum computers. We
also model the associated threats in blockchain by STRIDE,
a threat modelling framework, to find out which threats they
expose. Lastly, we explore a wide range of attacks, which
can be performed both with classical computers and quantum
computers, and model them using Petri nets.
Structure. In Section II, we discuss the background on threat
and attack modelling, blockchain, and quantum computing.
In Section III, we review some related works. In Section IV,
we present various vulnerabilities within blockchain systems.
In Section V, we explore a wide-range of blockchain attacks
along with their Petri net models and present the associated
threat model using STRIDE. This is followed by a conclusion
in Section VI.
II. BACKGROUND
In this section, we present a brief background on vulnerabilities,
threats and attacks (Section II-A), threat modelling
using STRIDE (Section II-B), attack modelling using Petri net
(Section II-C), different aspects of blockchain (Section II-D)
and quantum computing (Section II-E).
arXiv:2011.07262v1 [cs.CR] 14 Nov 2020
A. Vulnerabilities, Threats and Attacks
Vulnerabilities are simply weaknesses in a computer system
or network that can be exploited to force the system to act in
ways it is not intended to. A threat to a computer system or network is a set of
circumstances that can cause a loss or harm by interrupting the
operation, functioning, integrity, or availability of the network
or system. It can be malicious, accidental, or natural. Humans
usually cause malicious and accidental threats. Attacks are
specific techniques or actions deliberately used to harm a
system or interrupt the regular services of a computer system
or network by exploiting various vulnerabilities. Although
threats and attacks both can exploit a system’s vulnerabilities,
attacks are always intentional, whereas threats may not.
B. Threat modelling
Threat modelling is a technique to help identify and priori-
tise potential threats, attacks, vulnerabilities, or the absence of
appropriate safeguards and countermeasures that can affect a
system or network. There are many threat modelling methods.
Some well-known threat modelling methods are STRIDE,
VAST, PASTA, Trike, Attack tree, and Octave [8]. In this
paper, we will only focus on the STRIDE methodology as
it has been claimed to be more complete than other models
[9], [10]. STRIDE, proposed by Loren Kohnfelder and Praerit
Garg in 1999 while at Microsoft [11], is an acronym consisting
of first letters from Spoofing, Tampering, Repudiation, Infor-
mation disclosure, Denial of service, and Elevation of privilege
threats. STRIDE helps to identify potential threats in a system
that must be mitigated to ensure the system’s security.
C. Petri net
A Petri net is a formal mathematical model for studying
asynchronous and concurrent processes in distributed systems.
It is also known as a place/transition (PT) net. Carl Adam Petri
first introduced it in 1962 [12]. It is a directed bipartite graph
with two types of nodes: places and transitions.
Directed arcs connect the places and the transitions and show
which places are preconditions (input) and which places are
postconditions (output) after transitions occur. Arcs can only
connect places to transitions or transitions to places. Places can
hold tokens. Places can store an infinite amount of tokens, but
transitions cannot store tokens at all. The state or marking of
a Petri net is its distribution of tokens among places. A simple
net containing all the elements of a Petri net is shown in Figure
1, where the circles denote places, and the rectangle denotes
a transition.
Formally, a Petri net can be defined as a tuple $N = (P, T, F, M_0)$,
where $P$ and $T$ are disjoint finite sets of places
and transitions respectively with $P \cap T = \phi$, $F$ is a set of arcs
(or incidence function) where $F \subseteq (P \times T) \cup (T \times P)$, and
$M_0$ is the initial marking where $M_0 : P \rightarrow \{1, 2, 3, ...\}$.
The application of Petri nets for attack modelling was first
shown by J.P. McDermott as an alternative to attack trees [13].
He observed that Petri nets are better at capturing concurrent
operations in the successions of an attack. From then on, Petri
nets have been used for modelling both physical and cyber
attacks in various systems and networks.
Fig. 1. A simple Petri Net
D. Blockchain
Since the early stage of computer technology, computer
scientists were trying to create a fully digital and decen-
tralised currency that no central authority can control. Satoshi
Nakamoto was the first to solve this classic problem by
merging some already existing technologies, such as cryptog-
raphy, peer-to-peer (P2P) network, and distributed consensus
using Proof of Work, to pioneer the idea behind Bitcoin
[14], the very first successful digital (crypto-)currency. Satoshi
Nakamoto first introduced blockchain as the underlying tech-
nology of Bitcoin [14]. Blockchain is a distributed, immutable,
cryptographically linked, and growing list of a public repos-
itory of records where consensus can be established among
trustless parties without the interaction of any intermediary.
Another revolutionary concept in blockchain is called Smart-
contract, first proposed by Nick Szabo in the 1990s [15] and
was introduced in Ethereum by Vitalik Buterin in 2013 [16].
Smart-contracts, equipped with a blockchain system, enable
immutable, trustless, and transparent distributed computing
and autonomous code execution, which has a wide range
of applications in different domains. There are two types
of blockchains, permissionless or public, where anyone can
participate and permissioned or private where only authorised
entities can participate. In this research, we will focus on
public blockchain systems only. Next, we explore different
aspects of a blockchain.
Transaction and Block: In a blockchain, a transaction is a
signed data structure representing a transfer of a value/data.
Transactions are broadcast over a blockchain network and
added into the memory pool (called mempool). Various special
nodes called miners collect and include those transactions into
blocks. Blocks are a collection of transactions, tagged with a
timestamp, and a hash of the previous block.
Mining: Mining is the method in which transactions are ver-
ified and added into a block of the blockchain ledger. Mining
also produces new crypto-currencies. The special nodes that
mine are called miners. Mining pools are formed when miners
start mining collectively.
Consensus Mechanism: Consensus mechanism, a crucial
component in any blockchain system, is a mechanism to
achieve necessary consensus or agreement on a single value
of a data or a particular network state among trustless par-
ties in distributed or multi-agent systems. There are mainly
three types of consensus mechanisms used by various public
blockchains. They are Proof of Work (PoW), Proof of Stake
(PoS), and Delegated Proof of Stake (DPoS) [17].
E. Quantum Computing
Unlike classical computers, quantum computers are made of
particles (such as superconducting ions, trapped ions) acting as
qubits. Because of having a completely different architecture,
these particles can use some quantum mechanical phenomena
such as superposition and entanglement. A quantum system
containing $N$ qubits can generate up to $2^N$ quantum states
using superposition and perform operations on all of these
$2^N$ states [18] at a time. However, the classical counterpart
can only operate on a single state at a single moment. Hence,
the quantum machine can be up to exponentially faster than
classical ones in some ways. A crucial quantum algorithm
is Shor’s algorithm [19]. It can factorise any number expo-
nentially faster than the best known classical algorithm and
also can solve discrete logarithm problems. Another popular
quantum algorithm is Grover’s search algorithm, which can
search any intended item from $N$ unsorted items with up to
only $\sqrt{N}$ queries and give a quadratic speedup [20].
III. RELATED WORK
Although there have been some recent studies on blockchain
security, very few of them systematically examined the vul-
nerabilities and threats to blockchain systems and the cor-
responding real attacks. Saad et al. surveyed for papers on
blockchain applications and their security vulnerabilities after
consulting over 900 research papers in blockchain systems
[21]. Li et al. conducted a systematic exploration of the
security risks and real attacks to popular blockchain systems
between 2009 and May 2017 and analysed their corresponding
vulnerabilities [22]. Lee et al. analysed the security and
vulnerabilities of blockchain systems through a systematic
approach [23]. Kabashkin developed a model of risk influence
on the effectiveness of blockchain operation [24].
Howard Poston mapped blockchain security threats to
STRIDE [25]. Sadek et al. also argued the resilience of an
architecture of a blockchain-based system against frequent
security attacks using STRIDE [26]. Anna et al. described
the main attack vectors of blockchain technology in [27].
Chen et al. described how Petri nets can be used to model
coordinated cyber-physical attacks [28]. Pinna et al. introduced
a novel approach, based on a Petri net model to analyse
the blockchain [29]. However, there is no research that has
modelled blockchain attacks using Petri nets.
IV. VULNERABILITIES AND ATTACKS
Various changes, fixes, and reformations have been done
over the core concept of blockchain given by Satoshi
Nakamoto [14]. The more the field expanded, the more vul-
nerabilities were introduced. Some vulnerabilities are specific
to particular blockchain systems, while others are common to
every blockchain system. There are mainly six categories of
vulnerabilities found in various blockchain systems.
A. Cryptographic algorithm vulnerabilities
Most blockchain systems use Elliptic Curve Digital Sig-
nature Algorithm (ECDSA) for generating the public-private
key pair that ensures the ownership of digital assets. A
vulnerability in ECDSA was discovered through which an
attacker can recover a user’s private key [30]. All elliptic
curve cryptography algorithms are based on the assumption
that the discrete logarithm problem on an elliptic curve is
difficult to solve. Unfortunately, this assumption only holds
against classical computers. An attacker with a
mature quantum computer may solve this discrete
logarithm problem in a short time using Shor’s algorithm [19].
Breaking ECDSA can be used to perform an Impersonation
attack.
SHA256 is another cryptographic (hashing) algorithm
widely used in most blockchain systems for generating the
hash of transactions and blocks. Other popular hash algorithms
are Ethash, SCrypt, X11, Equihash, RIPEMD160 [17]. Al-
though these hash functions are secure for classical computers,
quantum computers will be able to break many security
features of those algorithms. For example, Grover’s search
algorithm can find collisions of hashes in a feasible time to
take down the security of a blockchain [31]. An attacker with
a quantum computer will be able to hash faster than any other
classical computers and generate blocks much faster than the
whole blockchain network. It can lead to a 51% attack, Double
Spending attack, or Selfish-Mining attack.
B. Consensus mechanism vulnerabilities
Various consensus mechanisms are used in various
blockchain systems. Depending on the consensus mechanism,
the verification of transactions and the selection of blocks
can be different. The longest chain rule can be exploited for
various attacks, such as 51% attack, Selfish Mining attack,
Double Spending attack, and Finney attack, and the GHOST
protocol can be exploited for the Balance attack [32].
C. Mining pool vulnerabilities
Mining pools can bring various degrees of centralisation in
a decentralised system like blockchain. Large mining pools
control a significant amount of computational power. If large
mining pools collude and start mining together, they can
perform a 51% attack and Double Spending attack. Also,
mining pools can be a big target for attackers. A miner inside
a mining pool can perform a Block Withholding attack.
D. Smart-contract vulnerabilities
Smart-contracts are one of the most vulnerable parts of the
blockchain. Nicola et al. systematically investigated twelve
types of vulnerabilities in smart-contracts [33]. Loi et al. found
four kinds of potential security bugs in smart-contracts by a
symbolic execution tool called Oyente [34]. Those bugs are
timestamp dependence, transaction ordering dependence, reen-
trancy vulnerability, and mishandled exceptions. The recursive
call bug, a reentrancy vulnerability, was exploited to perform
the famous DAO attack [35], causing Ethereum to be forked
and leading to another attack called the Replay attack.
E. Design/Architectural vulnerabilities
Various design faults and architectural vulnerabilities can
help attackers to perform an attack. For example, Eclipse at-
tacks can take advantage of various design flaws in Ethereum,
such as peer’s identity, peer selection strategy, inbound vs.
outbound connections, and reboot and erase [36]. DDOS attack
can also be performed by exploiting the block size limit and
mempool flooding.
F. Network vulnerabilities
Being a P2P network, blockchain is highly vulnerable to
Sybil attack, Eclipse attack, and Block Discarding attack.
Many attacks, such as Balance attack and Double Spending
attack, take advantage of propagation delays in the network.
Many blockchain systems use DNS (Domain Name System)
protocols for node discovery, which can be exploited to perform
a DNS attack. Internet traffic can be maliciously diverted
to attackers by falsely claiming ownership of IP prefixes to
perform the BGP Hijacking attack.
G. Summary
Above, we have identified many attacks in blockchain
systems that exploit the six vulnerabilities discussed above. We
summarise our findings in Table I, where the interrelation
between these vulnerabilities and attacks is illustrated. In the
table, the symbols and have been used to signify if a
specific threat is related to a vulnerability or not respectively.
TABLE I
BLOCKCHAIN VULNERABILITIES & ASSOCIATED ATTACKS
Vulnerabilities (columns): Cryptographic Algorithm, Smart-contract, Consensus Mechanism, Mining Pool, Design/Architecture, Network
Attacks (rows): 51% Attack, Impersonation Attack, Sybil Attack, Eclipse Attack, Selfish-Mining Attack, Double Spending Attack, Finney Attack, DDOS Attack, DNS Attack, BGP Hijacking Attack, Block Withholding Attack, Balance Attack, Replay Attack
V. ATTACK & THREAT MODELLING
In this section we present our attack modelling using Petri
nets (Section V-A) and threat modelling using STRIDE for the
identified attacks (Section V-B).
A. Attack Modelling
At first, we model the identified threats using Petri nets. For
each attack, we present a brief summary of its method, then
present the Petri net and its associated pre- and postconditions.
For some attacks, we also explain the transition methods in
Petri nets. Transition methods for other attacks are similar and
hence excluded for brevity.
51% Attack: PoW based blockchains are particularly suscep-
tible to a 51% attack [37] which can be launched in two ways.
The first and straightforward way is to physically gather more
than 50% computation resources for mining. The concentration
of mining power into a few mining pools increases the
possibility of this attack. The other way is to use the power of
quantum parallelism. Grover’s search algorithm using quantum
computing makes it possible to search a suitable hash or its
collisions using only $\sqrt{N}$ queries in the worst case from $N$
possible hashes, hence, gives a quadratic boost compared to
the classical counterparts. This enables an attacker, with a high
probability, to mine a block faster than others and consequently
to launch a 51% attack using enough quantum resources [31].
Other PoS and DPoS blockchains are also susceptible to this
attack if attackers have enough staking or voting power [37].
Preconditions:
P1 Attacker has majority hash power
  P1a In PoW based blockchains, any of the following:
    P1a1 Attacker has more than 50% hashing power of
         the entire blockchain.
    P1a2 Attacker has enough quantum resources.
  P1b Attacker has more than 50% stakes of the total
      stakes in a PoS based blockchain.
  P1c Attacker has more than 50% voting power in a
      DPoS based blockchain.
P2 Attacker has a previous block’s hash.
Transitions:
T1 Generate blocks without broadcasting, thus create
   an offspring of the blockchain isolated from other
   blockchain nodes.
T2 Make the isolated offspring of the blockchain longer
   than the public blockchain by generating blocks more
   quickly than the whole network.
T3 Broadcast the isolated version of the blockchain to the
   rest of the network.
Postconditions:
P3 Censor/block transactions.
P4 Hamper usual mining activities of other miners.
P5 Reverse transactions for a Double Spending attack.
P6 Control the market price of cryptocurrencies.
P7 Force other miners to either leave the blockchain or
   join the mining pool of the attacker.
Petri net for this attack is presented in Figure 2.
Fig. 2. Petri Net of 51% Attack
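The formal definition from Section II-C and the 51% attack model above can be executed directly; the following Python sketch is an added example, not code from the paper. It implements the firing rule and searches for the smallest sets of preconditions from which postcondition P5 becomes reachable. The unlabelled OR-transitions (or_*), the intermediate places S1 to S3 and the exact arc layout are assumptions made for illustration, since the arcs of Figure 2 are not reproduced here.

```python
from collections import deque
from itertools import combinations

PRE = ("P1a1", "P1a2", "P1b", "P1c", "P2")   # precondition places listed above
POST = ("P3", "P4", "P5", "P6", "P7")        # postcondition places listed above


class PetriNet:
    """Place/transition net: places P, transitions T, arcs F kept per transition."""

    def __init__(self, places, transitions):
        self.places = tuple(places)
        self.index = {p: i for i, p in enumerate(self.places)}
        self.transitions = dict(transitions)  # name -> (input places, output places)
        if set(self.places) & set(self.transitions):
            raise ValueError("P and T must be disjoint")
        for name, (ins, outs) in self.transitions.items():
            unknown = (set(ins) | set(outs)) - set(self.places)
            if unknown:  # arcs may only join a transition and a declared place
                raise ValueError(f"{name}: arc to undeclared place {sorted(unknown)}")

    def marking(self, marked):
        """Marking with one token on every place named in `marked`."""
        return tuple(1 if p in marked else 0 for p in self.places)

    def enabled(self, m):
        """Transitions whose input places all hold a token (arc weight 1)."""
        return [t for t, (ins, _) in self.transitions.items()
                if all(m[self.index[p]] >= 1 for p in ins)]

    def fire(self, m, t):
        """Consume one token per input place, produce one per output place."""
        if t not in self.enabled(m):
            raise ValueError(f"{t} is not enabled")
        ins, outs = self.transitions[t]
        new = list(m)
        for p in ins:
            new[self.index[p]] -= 1
        for p in outs:
            new[self.index[p]] += 1
        return tuple(new)

    def firing_sequence(self, m0, goal):
        """Shortest transition sequence that marks `goal`, or None.

        Breadth-first search over reachable markings; terminates because
        the nets built here are acyclic and therefore bounded.
        """
        queue, seen = deque([(m0, [])]), {m0}
        while queue:
            m, path = queue.popleft()
            if m[self.index[goal]] >= 1:
                return path
            for t in self.enabled(m):
                nxt = self.fire(m, t)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [t]))
        return None


def build_51_percent_net():
    """51% attack net; or_* transitions and S1..S3 are hypothetical helpers."""
    places = PRE + ("P1a", "P1", "S1", "S2", "S3") + POST
    transitions = {
        "or_a1": (("P1a1",), ("P1a",)),   # >50% hash power satisfies P1a
        "or_a2": (("P1a2",), ("P1a",)),   # quantum resources satisfy P1a
        "or_a": (("P1a",), ("P1",)),      # PoW majority satisfies P1
        "or_b": (("P1b",), ("P1",)),      # PoS majority satisfies P1
        "or_c": (("P1c",), ("P1",)),      # DPoS majority satisfies P1
        "T1": (("P1", "P2"), ("S1",)),    # private fork started
        "T2": (("S1",), ("S2",)),         # private fork longer than public chain
        "T3": (("S2",), ("S3",)),         # private fork broadcast
        "ATTACK": (("S3",), POST),        # all postconditions become marked
    }
    return PetriNet(places, transitions)


def minimal_enabling_sets(net, goal="P5"):
    """Smallest precondition sets from which `goal` is reachable."""
    found = []
    for size in range(1, len(PRE) + 1):
        for combo in combinations(PRE, size):
            if any(set(f) <= set(combo) for f in found):
                continue  # a smaller enabling set is already contained in combo
            if net.firing_sequence(net.marking(combo), goal) is not None:
                found.append(combo)
    return found


if __name__ == "__main__":
    net = build_51_percent_net()
    print(net.firing_sequence(net.marking({"P1a2", "P2"}), "P5"))
    for combo in minimal_enabling_sets(net):
        print("enables P5:", combo)
```

Every enabling set contains P2 together with one of the P1 alternatives, so removing any single precondition from such a set leaves the postconditions unreachable in this model.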
Impersonation Attack: In this attack, an attacker pretends to
be someone else and uses the victim’s property to benefit
from it. The attacker mostly targets high officials as victims.
Impersonation attacks can be a threat in two ways. The attacker
can steal a private key physically or forge a private key by
solving the discrete logarithm problem using Shor’s Algorithm
with quantum resources [38] in polynomial time, enabling the
attacker to forge a victim’s private key of their bitcoin wallet
and make transactions.
Preconditions:
P1 The attacker has enough quantum resource which is
   capable of solving a discrete logarithm problem.
P2 The attacker has obtained the curve parameters which
   were used in the ECDSA algorithm to make the public-private
   key pair.
P3 The attacker may somehow steal the private key physically.
Postconditions:
P4 Forge the private key of the owner’s bitcoin wallet
   using quantum resources.
P5 Impersonate the owner of the private key by making
   transactions.
Petri net for this attack is presented in Figure 3.
Fig. 3. Petri Net of Impersonation Attack
Sybil Attack: The name Sybil in Sybil attack was taken from
the subject of a 1973 book, Sybil, and was first suggested in
2002 by Brian Zill at Microsoft Research [39]. In this attack,
an attacker creates multiple nodes in a P2P network that appear
as different unique nodes to other nodes. In reality, all those
nodes belong to a single attacker or a group of attackers.
Various blockchains have tried to mitigate the effect of this
attack by implementing various consensus mechanisms. Still,
a Sybil attack can be possible. Sybil attack also makes way
for other attacks, such as Eclipse attack, DDoS attack, and
Double Spending attack [40].
Preconditions:
P1 The attacker has to create more and more virtual nodes
   using fake identities.
Postconditions:
P2 Prevent blocks mined by other nodes from propagating
   into the network by outvoting the honest nodes.
P3 Perform a Double Spending attack by increasing the
   block propagation time by not sending the new block
   to other nodes [41].
P4 Surround an honest node using the fake nodes and
   prevent it from connecting to other honest nodes. It
   can also be done for performing an Eclipse attack.
P5 Conduct a DDoS attack using fake nodes by sending
   huge amounts of traffic through the network.
Petri net for this attack is presented in Figure 4.
Fig. 4. Petri Net of Sybil Attack
Eclipse Attack: This attack has many similarities with the
Sybil attack. However, one significant difference between these
attacks is that, while a Sybil attack targets the whole network,
Eclipse attack concentrates on a particular node of the network
that can either be a miner or just a normal node. This attack
obscures and filters a node’s view of the entire network by
monopolising all of the victim node’s incoming and outgoing
connections. A lot of other attacks can be executed by taking
advantage of this attack, such as 51% attack, Double Spending
attack, and Selfish Mining attack.
Preconditions:
P1 The attacker has created sufficient amounts of fake
   nodes. It can be done by a Sybil attack (P1a) or in
   other ways (P1b).
P2 The attacker has filled in the victim node’s internal
   node address table with invalid addresses and addresses
   of those fake nodes.
P3 The attacker has made a valid node restart by another
   attack.
Postconditions:
P4 Filter the view of the whole network for the victim
   node.
P5 Weaken other competitor miners by eclipsing them.
P6 On a large scale, gain 51% hashing power by eclipsing
   other miners.
P7 Perform a 0-confirmation Double Spending attack by
   only eclipsing the victim node.
P8 Perform an N-confirmation Double Spending attack by
   eclipsing a miner along with the victim node.
P9 Boost the effort of a selfish miner by deliberately
   dropping blocks that were found by the eclipsed miners
   and compete with the blocks found by the attacker.
Petri net for this attack is presented in Figure 5.
Fig. 5. Petri Net of Eclipse Attack
Selfish-Mining Attack: This attack is a strategic attack per-
formed by a miner or a mining pool that holds a significant
amount of mining power or acquires enough quantum re-
sources to gain a revenue larger than its mining power ratio. A
selfish miner or mining pool can invalidate a chain by suddenly
introducing a longer chain that the miner kept hidden from
the public blockchain network. It has been shown that this
attack is one kind of Block Discarding attack, and it has been
criticised for being not very realistic and not very practical
[42]. A Selfish-Mining attack can facilitate other attacks, such
as 51% attack and Double Spending attack [43].
Preconditions:
P1 The attacker has a previous block’s hash.
P2 The attacker has created a private chain forking from
   the public blockchain by mining blocks privately.
P3 The attacker has made the private chain longer than
   the public chain (T1) by finding more blocks. It can be
   possible either by acquiring significant computational
   power (P3a) or enough quantum resources (P3b).
Transitions:
T2 Not publish the private chain to the network for a
   strategic amount of time.
T3 Take one of the following paths:
  T3a Publish the private chain when the private chain is
      one single block longer than the public chain.
  T3b Withhold the chain for further gain that can result
      in 3 types of Stubborn-Mining attack (P8) [44].
Postconditions:
P4 Gain a strategic advantage over other network participants,
   resulting in revenue more than the attacker’s
   mining power ratio.
P5 Make honest miners waste their computing power by
   luring them to keep on working on blocks that lead to
   a dead-end without gaining any reward. It may force
   the honest miners to either become selfish themselves
   or join a selfish mining pool.
P6 At an extreme level, gain 51% hashing power of the
   blockchain network.
P7 For every successful Selfish-Mining attack, there is a
   high probability of successfully launching a Double
   Spending attack by the selfish miner [43].
Petri net for this attack is presented in Figure 6.
Fig. 6. Petri Net of Selfish-Mining Attack
Double Spending Attack: One of the main goals of the
consensus mechanism in blockchain is to ensure that a crypto-
currency cannot be duplicated digitally and spent twice or
more. However, in certain circumstances, it has been proved
that spending a currency twice or more can still be possible,
referred to as Double Spending (DS) attack. There are two
variants of this attack, 0-confirmation DS attack, and N-
confirmation DS attack.
The 0-confirmation DS attack, also known as Race attack,
is likely to happen in fast payment systems where a merchant
releases a product to a consumer for a transaction that has
not been confirmed yet by the blockchain network [45]. The
attacker performs this attack with the help of one or more
helpers, and it has a high probability of succeeding even if
the attacker has no computation power at all.
The N-confirmation attack is difficult to perform as it re-
quires the possession of a significant amount of computational
power or acquisition of enough quantum resources for modify-
ing N blocks of the blockchain network. This attack depends
on the value of N and the attacker’s computational power.
Nevertheless, even if the attacker has less computational
power, there is always a probability of succeeding in the attack
[46]. Other attacks such as 51% attack, Selfish-Mining attack,
Eclipse attack, and Sybil attack can significantly improve the
probability of this attack.
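How quickly the success probability of an N-confirmation attack falls with N can be computed with the attacker catch-up calculation from the Bitcoin paper [14]; the Python below is an added example, not code from this paper or from the analysis in [46]. It assumes the attacker's share q of the total hash power stays constant, and the function names are illustrative.

```python
import math


def catch_up_probability(q, n):
    """Probability that an attacker holding share q of the hash power
    eventually overtakes the honest chain after n confirmations.

    Follows the calculation in the Bitcoin paper: the attacker's progress
    while the honest network mines n blocks is modelled as Poisson with
    mean n*q/p, and the remaining deficit is a gambler's-ruin problem.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a share between 0 and 1")
    if n < 0:
        raise ValueError("n must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0  # a majority attacker always catches up
    ratio = q / p
    lam = n * ratio
    poisson = math.exp(-lam)  # P(attacker has mined k = 0 blocks)
    total = 1.0
    for k in range(n + 1):
        if k > 0:
            poisson *= lam / k  # iterative update avoids huge powers/factorials
        total -= poisson * (1.0 - ratio ** (n - k))
    return total


def min_confirmations(q, max_risk=0.001, max_n=1000):
    """Smallest n whose catch-up probability is below max_risk, else None."""
    if q >= 0.5:
        return None  # no confirmation depth helps against a majority
    for n in range(max_n + 1):
        if catch_up_probability(q, n) < max_risk:
            return n
    return None


if __name__ == "__main__":
    for share in (0.10, 0.30, 0.45):
        depth = min_confirmations(share)
        print(f"q={share:.2f}: wait {depth} confirmations for <0.1% risk")
    for n in (0, 1, 2, 6):
        print(f"q=0.10, N={n}: {catch_up_probability(0.10, n):.7f}")
```

The probability never reaches zero for any q above zero, which is the point made in the paragraph above; a merchant can only choose N so that the residual risk is acceptable.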
Preconditions:
P1 For 0-confirmation DS attack -
  P1a A transaction is received by the victim node.
  P1b Another transaction conflicting with the previous
      transaction is confirmed by the blockchain network
      with the help of some helpers.
  P1c Before the attack is detected, the service of the
      victim is received by the attacker.
P2 For N-confirmation DS attack -
  P2a The attacker has acquired enough computational
      power (P2a1) or quantum resources (P2a2).
  P2b A transaction is sent to the victim. After the victim
      got N-confirmation, the attacker has published a
      private chain that does not include the previous
      transaction and that is longer than N (T1).
Postconditions:
P3 Spend the same digital currency twice or more.
Petri net for this attack is presented in Figure 7.
Fig. 7. Petri Net of Double Spending Attack
Finney Attack: This attack [47] is a variant of the 0-confirmation
DS attack and is complicated to use in practice as
it requires a time-sensitive procedure. The lower the attacker’s
hash rate, the less chance he has of carrying out the attack.
If the attack is intended to obtain any illiquid good, it is hard
to manage the need for this good [48]. Acquisition of enough
quantum resources can facilitate the attacker.
Preconditions:
P1: The attacker has made a transaction from one address
to another address, both controlled by the attacker.
P2: The attacker has mined a block that includes the previous
transaction without broadcasting the transaction. It
can be done either by having a certain computational
power (P2a) or acquiring enough quantum resources
(P2b). The block is not broadcast if found.
P3: The attacker has made the same transaction again from
the attacker’s address to a merchant’s address.
P4: The merchant accepts the unconfirmed second transaction.
Then, the attacker publishes the previously mined
block (T1).
Postconditions:
P5: Invalidate an unconfirmed transaction.
P6: Spend the same crypto-currency twice.
Petri net for this attack is presented in Figure 8.
Fig. 8. Petri Net of Finney Attack
DDOS Attack: Distributed Denial of Service (DDoS) attack
is used for a complete or partial service disruption. Two types
of DDoS attacks can be found on blockchains. In the classical
attack, the attacker exploits the limit on block size by
generating dust (spam) transactions that occupy the block space and
prevent other transactions from being mined [49]. The other
DDoS attack targets mempools by suffocating them with a
flood of unconfirmed transactions.
Preconditions:
P1: The attacker has exploited the block size limit to
overwhelm blocks with low-valued spam transactions.
P2: The transactions have a greater-than-zero age (confirmation
score) that is enough to pay the relay and
mining fee.
P3: The exchange rate of transactions is higher than the
network output.
Postconditions:
P4: Cause delay in the verification of legitimate transactions.
P5: Stop crypto-currency circulation or block processing
for a while.
P6: Make crypto-currency vulnerable to flood attacks.
P7: Flood mempools with unconfirmed dust transactions.
Petri net for this attack is presented in Figure 9.
Fig. 9. Petri Net of DDOS Attack
DNS Attack: Resolution through the Domain Name System (DNS)
may expose a blockchain-based system to DDoS attacks,
Man-in-the-middle attacks (at the resolver side),
cache poisoning, and stale records [21]. When a new node
connects to the network, the active peers (identified by
IP addresses) need to be discovered through a bootstrapping
mechanism. DNS can be used as a bootstrapping mechanism
for querying the active nodes. To launch this attack, an attacker
may either insert an invalid list of seed nodes into the open-source
blockchain program or poison the resolver’s DNS
cache.
Preconditions:
P1: DNS is used as the bootstrapping mechanism.
P2: DNS caches have been poisoned by the attacker.
Postconditions:
P3: Make Bitcoin or other crypto-currencies vulnerable to
many different attacks like Man-in-the-middle attack,
DDoS attack.
P4: Isolate blockchain peers and divert them to fabricated
networks.
Petri net for this attack is presented in Figure 10.
Fig. 10. Petri Net of DNS Attack
BGP Hijacking Attack: BGP (Border Gateway Protocol)
hijacking is done by falsely claiming ownership of groups of IP
addresses, called IP prefixes, that the attacker does not own,
control, or route to, which allows the attacker to divert Internet
traffic maliciously. Internet Service Providers (ISPs) control
the traffic flows on the Internet as they own one or more
Autonomous Systems (ASes), which handle the traffic routing
[50]. Full nodes, that is, nodes that maintain a full copy of the
network state, are distributed spatially within an AS or ISP
over the Internet [21], and they become vulnerable to the BGP
hijacking attack. An attacker can hijack the traffic of a target
AS where the majority of the blockchain nodes are hosted.
Preconditions:
P1: The nodes are spatially spread over an AS or ISP.
P2: The attacker has announced a smaller range of IP
addresses than other ASes.
P3: The attacker has offered a shorter route to certain
blocks of IP addresses.
Postconditions:
P4: Reduce the hash rate of the blockchain system.
P5: Block propagation can be delayed by up to 20 minutes.
P6: Increase the possibility of other attacks such as Double
Spending Attack, Balance, Consensus delay, and
Blockchain fork.
Petri net for this attack is presented in Figure 11.
Fig. 11. Petri Net of BGP Hijacking Attack
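Preconditions P2 and P3 are both visible in the routing announcements themselves, so a node operator can watch for them. The Python code below is an added example, not part of the paper: the baseline table, node addresses, AS numbers and announcements are constructed from documentation ranges, and the function names are hypothetical. It flags announcements that cover the operator's node prefixes from an unexpected origin AS and reports which nodes would be diverted.

```python
import ipaddress

# Constructed baseline: prefixes hosting the operator's full nodes, the AS
# expected to originate each, and the AS-path length this monitor usually sees.
BASELINE = {
    ipaddress.ip_network("198.51.100.0/24"): {"origin": 64496, "path_len": 3},
    ipaddress.ip_network("203.0.113.0/24"): {"origin": 64497, "path_len": 3},
}
NODE_IPS = [
    ipaddress.ip_address(a)
    for a in ("198.51.100.10", "198.51.100.200", "203.0.113.5")
]

# Constructed announcements; the last AS in each path is the origin.
ANNOUNCEMENTS = [
    {"prefix": "198.51.100.0/24", "as_path": [64500, 64499, 64496]},
    {"prefix": "198.51.100.128/25", "as_path": [64500, 64499, 64511]},
    {"prefix": "203.0.113.0/24", "as_path": [64510]},
    {"prefix": "192.0.2.0/24", "as_path": [64501, 64502]},
]


def assess(prefix, as_path):
    """Return an alert dict when the announcement falls inside a baseline
    prefix but comes from an unexpected origin AS; otherwise return None."""
    announced = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for base, expected in BASELINE.items():
        if announced.version != base.version or not announced.subnet_of(base):
            continue
        if origin == expected["origin"]:
            # Limitation: a path that forges the expected origin passes here.
            return None
        reasons = ["unexpected origin AS"]
        if announced.prefixlen > base.prefixlen:
            reasons.append("more-specific prefix (P2)")
        if len(as_path) < expected["path_len"]:
            reasons.append("shorter AS path (P3)")
        return {
            "prefix": str(announced),
            "covers": str(base),
            "origin": origin,
            "expected_origin": expected["origin"],
            "reasons": reasons,
            "nodes_affected": [str(ip) for ip in NODE_IPS if ip in announced],
        }
    return None  # announcement does not touch any monitored prefix


def scan(announcements):
    """Assess every announcement and keep only the alerts."""
    alerts = []
    for ann in announcements:
        alert = assess(ann["prefix"], ann["as_path"])
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(ANNOUNCEMENTS):
        print(alert)
```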
Block Withholding Attack: This attack can only be executed
by a miner who is part of a mining pool based on PoW consensus.
In this attack, the dishonest miner (attacker) submits
all shares to the operator but does not submit valid blocks,
if found, to the operator. Instead, the attacker withholds the
blocks for two types of attack, Sabotage and Lie in Wait
[51]. In the Sabotage attack, the attacker does not submit any
block at all. However, in the Lie in Wait attack, the attacker
postpones submitting the blocks for some time and uses them
to mine where the reward is highest [51]. It is claimed in [42]
that the Sabotage attack can be profitable for the attacker. The
attacker can use quantum resources to increase the probability
of finding blocks.
Preconditions:
P1: The attacker is a miner of a mining pool. The attacker
mines as usual and submits all shares to the pool
operator to gain trust.
P2: The attacker has found a block either by normal mining
(P2a) or by using enough quantum resources (P2b).
Transitions can be any of the following two:
T1: Either not submit the block at all to perform a Sabotage
attack.
T2: Use the block to mine where the reward is highest to
perform a Lie in Wait attack.
Postconditions:
P3: Earn more from mining than usual.
P4: Harm the mining pool by depriving it of getting the
reward of blocks.
P5: On a large scale, destroy a mining pool.
Petri net for this attack is presented in Figure 12.
Fig. 12. Petri Net of Block Withholding Attack
Balance Attack: Ethereum uses a modified version of Greedy
Heaviest-Observed Sub-Tree (GHOST) [16]. This creates
ground for a new type of attack called Balance attack. In this
attack, an attacker delays communications between subgroups
of similar mining power for some time to double-spend
successfully [32]. It is evident that to execute this attack
successfully, the attacker needs both a significant hashing
power (or enough quantum resources) and delay time [32].
Preconditions:
P1: The attacker has delayed communication between two
subgroups of similar mining power.
P2: The attacker has issued a transaction in one subgroup
where the service provider belongs. The transaction
should get enough confirmation to convince the
provider of its validity.
P3: The attacker continues mining in another subgroup and
tries to create a chain that outweighs the chain mined
by the previous subgroup. He may have significant
hashing power (P3a) or quantum resources (P3b).
Postconditions:
P4: Deliberately influence the branch selection process.
P5: Invalidate a confirmed transaction.
P6: Spend the same crypto-currency twice.
Petri net for this attack is presented in Figure 13.
Fig. 13. Petri Net of Balance Attack
Replay Attack: A replay attack happens when an attacker
sniffs a packet from one blockchain and replays it to another
blockchain. As a result, the victim loses assets in both chains.
If the packet is an authenticated packet, the replay attack
will enable the attacker to authenticate as someone else and,
subsequently, access another person’s resources or data [52].
A replay attack does not mean that anyone else has control
over a user’s money. It will only clone an existing transaction
from the recently forked blockchain and render the same one
in the old blockchain.
Preconditions:
P1: A hard fork has occurred in the chain to generate two
chains sharing the exact same transaction history.
P2: The attacker has copied some transactions from the old
chain and broadcast them in the new chain.
Postconditions:
P3: One transaction is validated twice in the blockchain.
P4: User loses his assets in both old and new chains.
Petri net for this attack is presented in Figure 14.
Fig. 14. Petri Net of Replay Attack
TABLE II
CORRELATION OF ATTACKS, INCENTIVES AND QUANTUM EFFECT

| Attacks | Influenced Attacks | Possible Motivations | Quantum Effect |
|---|---|---|---|
| 1. 51% Attack | 6 | Financial gain; Harm others; Harm to the system | |
| 2. Impersonation Attack | | Financial gain; Harm others | |
| 3. Sybil Attack | 4, 6, 8 | Financial gain; Harm others; Harm to the system | |
| 4. Eclipse Attack | 6, 5, 1 | Financial gain; Harm others | |
| 5. Selfish-Mining Attack | 6, 1 | Financial gain; Harm to the system | |
| 6. Double Spending Attack | | Financial gain; Harm others | |
| 7. Finney Attack | 6 | Financial gain; Harm others | |
| 8. DDoS Attack | | Harm to the system | |
| 9. DNS Attack | 8 | Harm to the system | |
| 10. BGP Hijacking Attack | 8, 6, 12 | Financial gain; Harm others; Harm to the system | |
| 11. Block Withholding Attack | | Financial gain; Harm to the system | |
| 12. Balance Attack | 6 | Financial gain; Harm others | |
| 13. Replay Attack | 6 | Financial gain; Harm others | |
Summary: As one attack in blockchain systems can lead to
another attack, there is a correlation among them. Another vital
thing about attacks is the incentives behind them. Attackers
attack mainly for their personal gain, but it may not be true
all the time. Also, it is clear that not all attacks are impacted by
quantum computing. To clarify these issues, we summarise the
correlation of various attacks, motivations, and their quantum
effects in Table II, with symbols and implying
impacted by a quantum effect or not respectively. According to
the table, Sybil, Eclipse, and BGP attacks have influenced the
highest number of attacks: three. For example, Sybil attack has
influenced Eclipse, DDoS and Double Spending attacks, and
so on. The principal motivations of these attacks are financial
gains; however, attacks are also launched to cause harm to
persons or systems. Finally, seven out of thirteen, more than
50% of attacks, are impacted by quantum computing.
B. Threat Modelling
Every attack in any system exposes some threats, which is
true for any blockchain system as well. To model the threats
from the identified attacks, we have utilised STRIDE. The
modelled threats against the attacks are presented in Table
III with symbols and implying to have a correlation
between an attack and threat and no correlation respectively.
TABLE III
STRIDE THREAT MODELLING OF ATTACKS IN BLOCKCHAIN
Attacks S T R I D E
51% Attack
Impersonation Attack
Sybil Attack
Eclipse Attack
Selfish-Mining Attack
Double Spending Attack
Finney Attack
DDOS Attack
DNS Attack
BGP Hijacking Attack
Block Withholding Attack
Balance Attack
Replay Attack
As per the table, all identified attacks have a direct impact on
at least one STRIDE threat. Among the attacks, Impersonation
exposes the highest threats, five out of six, whereas Selfish-
Mining, Double Spending, Finney, DNS, and Balance attacks
expose the lowest threat: one. On the contrary, tampering is
the most exposed threat by those attacks.
VI. CONCLUSION
In this paper, we have explored several attacks for
blockchain systems using classical and quantum computing.
We have modelled those attacks using Petri nets and modelled
the associated threats using STRIDE to illustrate their
impact relations with those attacks. We have also analysed the
main vulnerabilities that typical blockchain systems have. We
believe that blockchain will be much more vulnerable in the
quantum computing era. Therefore, more research should
be carried out in that direction. In future, we will focus on
private blockchain systems, which have been excluded from this
research.
REFERENCES
[1] M. S. Rahman, A. Al Omar, M. Z. A. Bhuiyan, A. Basu, S. Kiyomoto,
and G. Wang, “Accountable cross-border data sharing using blockchain
under relaxed trust assumption,” IEEE Transactions on Engineering
Management, 2020.
[2] A. Al Omar, M. Z. A. Bhuiyan, A. Basu, S. Kiyomoto, and M. S. Rahman,
“Privacy-friendly platform for healthcare data in cloud based on
blockchain environment,” Future generation computer systems, vol. 95,
pp. 511–521, 2019.
[3] M. Nesbitt. (2019, Mar.) “Ethereum Classic (ETC) is currently
being 51% attacked”. Accessed: 2020-08-13. [Online]. Available:
https://tinyurl.com/coinbasedeepEthereum
[4] M. Orcutt. (2019, Feb.) “Once hailed as unhackable, blockchains
are now getting hacked”. Accessed: 2020-08-13. [Online]. Available:
https://tinyurl.com/blockchainHacked
[5] D. Siegel. (2016, Jun.) “Understanding The DAO Attack”. Accessed:
2020-08-13. [Online]. Available: https://tinyurl.com/coindeskDAO
[6] J. Adelstein and N.-K. Stucky, “Inside the Biggest Bitcoin Heist in
History,” The Daily Beast, May 2016, accessed: 2020-08-13. [Online].
Available: https://tinyurl.com/dailyBeastMtGox
[7] C. Baldwin, “Bitcoin worth $72 million stolen from Bitfinex exchange
in Hong Kong,” Reuters, Aug. 2016, accessed: 2020-08-13. [Online].
Available: https://tinyurl.com/reutersBitfinex
[8] (2019, Aug.) “Stride, VAST, Trike, & More: Which Threat Modeling
Methodology is Right For Your Organization?”. Accessed: 2020-08-15.
[Online]. Available: https://tinyurl.com/rightThreatModeling
[9] S. Lipner and M. Howard, “The security development lifecycle sdl: A
process for developing demonstrably more secure software,” in IEEE:
Annual Computer Security Applications Conference, 2006.
[10] M. N. Johnstone, “Threat modelling with stride and uml,” 2010.
[11] L. Kohnfelder and P. Garg, “The threats to our products,” Microsoft
Interface, Microsoft Corporation, vol. 33, 1999.
[12] C. A. Petri, “Communication with automata,” 1966.
[13] J. P. McDermott, “Attack net penetration testing,” in Proceedings of the
2000 workshop on New security paradigms, 2001, pp. 15–21.
[14] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,”
Manubot, Tech. Rep., 2019.
[15] N. Szabo, “Formalizing and securing relationships on public networks,”
First Monday, 1997.
[16] V. Buterin et al., “A next-generation smart contract and decentralized
application platform,” white paper, vol. 3, no. 37, 2014.
[17] M. S. Ferdous, M. J. M. Chowdhury, M. A. Hoque, and A. Col-
man, “Blockchain consensus algorithms: A survey,” arXiv preprint
arXiv:2001.07091, 2020.
[18] S. Aaronson, “The limits of quantum computers (draft),” Issue of
scientific American.
[19] P. W. Shor, “Polynomial-time algorithms for prime factorization and
discrete logarithms on a quantum computer,” SIAM review, vol. 41, no. 2,
pp. 303–332, 1999.
[20] E. Borbely, “Grover search algorithm,” arXiv preprint arXiv:0705.4171,
2007.
[21] M. Saad, J. Spaulding, L. Njilla, C. Kamhoua, S. Shetty, D. Nyang, and
A. Mohaisen, “Exploring the attack surface of blockchain: A systematic
overview,” arXiv preprint arXiv:1904.03487, 2019.
[22] X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, “A survey on the security
of blockchain systems,” Future Generation Computer Systems, vol. 107,
pp. 841–853, 2020.
[23] J. H. Lee et al., “Systematic approach to analyzing security and
vulnerabilities of blockchain systems,” Ph.D. dissertation, Massachusetts
Institute of Technology, 2019.
[24] I. Kabashkin, “Risk modelling of blockchain ecosystem,” in Interna-
tional Conference on Network and System Security. Springer, 2017,
pp. 59–70.
[25] H. Poston. “Threat Modeling for the Blockchain”. Accessed: 2020-08-
10. [Online]. Available: https://tinyurl.com/hPostonThreat
[26] M. S. Ferdous, M. J. M. Chowdhury, K. Biswas, N. Chowdhury, and
V. Muthukkumarasamy, “Immutable autobiography of smart cars leveraging
blockchain technology,” Knowledge Engineering Review, vol. 35,
no. 3, p. 17, 2020.
[27] A. Katrenko and M. Sotnichek. (2018, Nov.) “Blockchain Attack
Vectors: Vulnerabilities of the Most Secure Technology”. Accessed:
2020-08-11. [Online]. Available: https://tinyurl.com/aprioritAttack
[28] T. M. Chen, J. C. Sanchez-Aarnoutse, and J. Buford, “Petri net modeling
of cyber-physical attacks on smart grid,” IEEE Transactions on smart
grid, vol. 2, no. 4, pp. 741–749, 2011.
[29] A. Pinna, R. Tonelli, M. Orrù, and M. Marchesi, “A petri nets model for
blockchain analysis,” The Computer Journal, vol. 61, no. 9, pp. 1374–
1388, 2018.
[30] H. Mayer, “ECDSA security in bitcoin and ethereum: a research survey,”
CoinFabrik, June, vol. 28, p. 126, 2016.
[31] E. O. Kiktenko, N. O. Pozhar, M. N. Anufriev, A. S. Trushechkin, R. R.
Yunusov, Y. V. Kurochkin, A. Lvovsky, and A. Fedorov, “Quantum-
secured blockchain,” Quantum Science and Technology, vol. 3, no. 3, p.
035004, 2018.
[32] C. Natoli and V. Gramoli, “The balance attack against proof-of-work
blockchains: The r3 testbed as an example,” arXiv preprint
arXiv:1612.09426, 2016.
[33] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on ethereum
smart contracts (sok),” in International conference on principles of
security and trust. Springer, 2017, pp. 164–186.
[34] L. Luu, D.-H. Chu, H. Olickel, P. Saxena, and A. Hobor, “Making smart
contracts smarter,” in Proceedings of the 2016 ACM SIGSAC conference
on computer and communications security, 2016, pp. 254–269.
[35] V. Buterin. (2016, Jun.) “CRITICAL UPDATE Re: DAO
Vulnerability”. Accessed: 2020-08-14. [Online]. Available:
https://tinyurl.com/ethereumDAO
[36] (2018, Mar.) “Eclipse Attacks on Blockchains’ Peer-to-
Peer Network”. Accessed: 2020-08-11. [Online]. Available:
https://tinyurl.com/ioTexEclipse
[37] S. Sayeed and H. Marco-Gisbert, “Assessing blockchain consensus and
security mechanisms against the 51% attack,” Applied Sciences, vol. 9,
no. 9, p. 1788, 2019.
[38] M. Roetteler, M. Naehrig, K. M. Svore, and K. Lauter, “Quantum
resource estimates for computing elliptic curve discrete logarithms,” in
International Conference on the Theory and Application of Cryptology
and Information Security. Springer, 2017, pp. 241–270.
[39] J. R. Douceur, “The sybil attack,” in International workshop on
peer-to-peer systems. Springer, 2002, pp. 251–260.
[40] S. Zhang and J.-H. Lee, “Double-spending with a sybil attack in
the bitcoin decentralized network,” IEEE Transactions on Industrial
Informatics, vol. 15, no. 10, pp. 5715–5722, 2019.
[41] P. Swathi, C. Modi, and D. Patel, “Preventing sybil attack in blockchain
using distributed behavior monitoring of miners,” in 2019 10th
International Conference on Computing, Communication and Networking
Technologies (ICCCNT). IEEE, 2019, pp. 1–6.
[42] N. T. Courtois and L. Bahack, “On subversive miner strategies and
block withholding attack in bitcoin digital currency,” arXiv preprint
arXiv:1402.1718, 2014.
[43] A. Sapirshtein, Y. Sompolinsky, and A. Zohar, “Optimal selfish mining
strategies in bitcoin,” in International Conference on Financial Cryp-
tography and Data Security. Springer, 2016, pp. 515–532.
[44] K. Nayak, S. Kumar, A. Miller, and E. Shi, “Stubborn mining: Gener-
alizing selfish mining and combining with an eclipse attack,” in 2016
IEEE European Symposium on Security and Privacy (EuroS&P). IEEE,
2016, pp. 305–320.
[45] G. O. Karame, E. Androulaki, and S. Capkun, “Double-spending fast
payments in bitcoin,” in Proceedings of the 2012 ACM conference on
Computer and communications security, 2012, pp. 906–917.
[46] M. Rosenfeld, “Analysis of hashrate-based double spending,” arXiv
preprint arXiv:1402.2009, 2014.
[47] Hal. (2011, Feb.) “Best practice for fast transaction acceptance -
how high is the risk?”. Accessed: 2020-08-11. [Online]. Available:
https://tinyurl.com/bitcoinFinney
[48] “What is a Finney attack?”. Accessed: 2020-08-11. [Online]. Available:
https://tinyurl.com/stackFinney
[49] K. Baqer, D. Y. Huang, D. McCoy, and N. Weaver, “Stressing out:
Bitcoin “stress testing”,” in International Conference on Financial
Cryptography and Data Security. Springer, 2016, pp. 3–18.
[50] L. Gao, “On inferring autonomous system relationships in the internet,”
IEEE/ACM Transactions on networking, vol. 9, no. 6, pp. 733–745,
2001.
[51] M. Rosenfeld, “Analysis of bitcoin pooled mining reward systems,”
arXiv preprint arXiv:1112.4980, 2011.
[52] N. Abdullah, A. Hakansson, and E. Moradian, “Blockchain based
approach to enhance big data authentication in distributed environment,”
in ICUFN’ 2017. IEEE, 2017, pp. 887–892.