As we introduced in our previous blog post [25], the term Maximal Extractable Value (MEV) refers to the highest amount of value that can be extracted from a blockchain by a producer/validator during the process of creating a block. This can be achieved by including, excluding, or rearranging the order of transactions.

MEV is a relatively novel topic with many unexplored security consequences. For instance, on April 3rd, 2023, a malicious validator node operator exploited a vulnerability in the mev-boost-relay [26], the most popular MEV relay, to get access to the transaction bundle content, even when the block was created to fail the validation to be accepted by the beacon chain nodes. With the obtained list of transactions, the attacker could execute a front-running attack, earning 20 million USD from the victim block bundle builders.

The following graphic explains how the normal flow of block creation in Ethereum among validators, builders, and relays should work [27]:

Typically, block proposers (consensus validators) should blindly sign block headers created by block builders and then wait until the blocks are already announced to the network to be able to access the block content (the transactions). Hence, the proposers cannot steal the MEV created by the block builders. However, a vulnerability in the relay software allowed a malicious proposer to modify a block header with corrupt data that the network should not accept.q The relay assumed the signed block as valid and returned the block content to the proposer, which instead extracted the MEV for itself. It then created another valid block that was accepted by the network, therefore stealing the builder's profit.

Here [28], you can see the vulnerability disclosure write-up with a more detailed explanation and countermeasures taken by the developers. One of the mentioned countermeasures is that the relay does not send the block content directly to the block proposer; instead, it has to read it from the network when it's accepted. This approach is only partially practical because a malicious proposer could run many validator nodes or even launch an eclipse attack on the network so it can see the block's content much faster and try to front-run the relay. Tikuna may help detect such eclipse attacks and alert the affected relays.

As we see here, malicious validators are becoming a worrying reality. Monitoring the behavior of validators can help identify those trying to take advantage of the blockchain network. At Sakundi [21], we are developing technologies to monitor the blockchain using AI technologies that may help detect such malicious validators.

In the upcoming series of posts, we will be exploring other topics related to MEV in the context of blockchain technology. Stay tuned for more!

Have questions? Contact us today to find out more about our services.

We are thrilled to announce the completion of the first phase of our Tikuna project! After months of hard work, dedication, and collaboration, we are excited to share the results of the first round of the Ethereum Foundation (EF) academic research grant. We will highlight our project's milestones and examine our team's findings in this blog post.

Overview​

Blockchain security is becoming increasingly relevant in today's cyberspace, and it is essential to strengthening each layer's security in its architecture. Our project focuses on the lowest level layer in the blockchain, particularly the P2P network that allows the nodes to communicate with each other and share information. This layer is a vital component of any blockchain, including Ethereum, due to the decentralized nature of its architecture. However, the P2P network layer may be vulnerable to several attacks, such as a Distributed Denial of Service (DDoS), eclipse attacks, or Sybil attacks. Consequently, this layer is still prone to many threats inherited from P2P networks, and there is a need to analyze and understand them by collecting data and extracting insights from the network behavior to reduce those risks. We introduce Tikuna, an open-source tool for monitoring and detecting potential attacks on the Ethereum blockchain network at an early stage. Tikuna employs an unsupervised Long Short-Term Memory (LSTM) method based on Recurrent Neural Networks (RNNs) for anomaly detection to find attacks on the P2P layer. Empirical results indicate that the proposed approach significantly improves detection performance, with the ability to detect and classify attacks, including Eclipse attacks, Covert Flash attacks, and others that target the Ethereum blockchain P2P network layer, with high accuracy.

Our project aimed to implement Tikuna, a proof-of-concept P2P network security monitoring system for the Ethereum blockchain. With Tikuna, we aim to enhance the visibility of the status of the P2P network. The project is composed of three primary deliverables as follows:

1. Development of an open-source P2P monitoring solution accessible to the EF community.
2. Creation of dashboards to visualize different monitoring aspects of the P2P network.
3. A draft research paper to present the scientific findings of our Tikuna approach.

Tikuna, the first project in Latin America to get academic research funding from the Ethereum Foundation, has created a novel strategy to increase awareness of the P2P network's security state. We are proud to contribute to advancing blockchain safety and enhancing the Ethereum blockchain's security. To learn more about Tikuna, visit our website [19].

Phase I roadmap​

Meaningful findings​

We introduce three main contributions:

• Our proposed machine learning anomaly detection approach can detect several attacks at the Ethereum P2P layer using peer event trace data in a simulation environment using the protocol labs’ framework testground.

• We demonstrate how to detect eclipse attacks in a mainnet node by extracting custom-generated connection log data from the Ethereum client Prysm and utilizing an LSTM neural network.

• We developed a custom exploit implementing a real-world eclipse attack. It was tested against a modified Prysm client in mainnet, so it did not forward spam to the network. With this, we could test the effectiveness of our approach.

Our team's initial step was to conduct in-depth research and analysis to gain a thorough understanding of the various existing P2P security approaches, i.e., state of the art techniques. Based on this, we developed a comprehensive plan of action outlining our Tikuna approach and methodology.

Subsequently, we proceeded to implement an LSTM based approach for Ethereum blockchain network security monitoring and anomaly detection. Additionally, our team developed and implemented three dashboards aimed at enhancing P2P security. These dashboards are the Ethereum P2P Network Status dashboard, the Beacon Node Monitor, and the Eclipse Attacks Dashboard.

Finally, throughout the development process, we rigorously tested our approach to ensure that it was functional. We also conducted several experiments in two distinct network environments, i.e., the simulated testground and the Ethereum mainnet, to thoroughly evaluate the effectiveness as well as the performance of the Tikuna approach.

The following is a sample of the training data used for Tikuna in the Ethereum mainnet, consisting of discovery connection data (UDP) from honest and simulated attacking peers. The normal data was collected from several nodes during 3 days under regular operation, and the malicious data was gathered from a single victim Ethereum node, using our developed exploit. Each line has several input features, including timestamp, IP, and Port removed from the peer table, IP and Port added to the peer table, and bucket where the peer is added.

The model and simulations​

We have used RNNs for our research. They are a type of model frequently utilized for processing sequential data such as time series. These models are specialized for processing a sequence of values that are a function of time. RNNs can scale to long sequences that would not be practical for networks without sequence-based specialization. Most recurrent networks can also process sequences of variable length.

One of these models is especially of interest to this research. The long short-term memory model (LSTM) uses a gating mechanism to ensure proper information propagation through many time steps. LSTM networks have a specific memory cell and can capture long-term dependencies in sequential data. LSTM are valuable tools for language modeling problems. LSTM networks are a version of recurrent neural networks useful for long interrelated sequences of data. LSTM was chosen in this research for anomaly detection to find malicious discovery connections to an Ethereum client.

Following there is an example of the ML model output for mainnet where we obtained the best results detecting eclipse attacks, with 1’000,000 regular connection log lines for training and around 3,000 lines of eclipse attack logs for evaluation:

2023-03-06 18:52:07,641 P7 INFO Epoch 84/100, training loss: 1.98741
2023-03-06 18:52:07,661 P7 INFO Evaluating test data.
2023-03-06 18:52:18,910 P7 INFO Finish inference. Show iteration top-k results:
2023-03-06 18:52:19,272 P7 INFO {'f1': '0.847', 'Recall': '0.883', 'Precision': '0.813', 'Accuracy': '0.866'}
2023-03-06 18:52:19,284 P7 INFO {'f1': '0.804', 'Recall': '0.757', 'Precision': '0.858', 'Accuracy': '0.846'}
2023-03-06 18:52:19,296 P7 INFO {'f1': '0.740', 'Recall': '0.645', 'Precision': '0.868', 'Accuracy': '0.811'}
2023-03-06 18:52:19,308 P7 INFO {'f1': '0.704', 'Recall': '0.588', 'Precision': '0.879', 'Accuracy': '0.794'}
2023-03-06 18:52:19,320 P7 INFO {'f1': '0.683', 'Recall': '0.554', 'Precision': '0.889', 'Accuracy': '0.785'}

We used standard measures metrics for intrusion detection with ML, such as f1, recall, precision, and accuracy. Please review the Github repository and stay tuned for our research paper publication if you want more details.

Dashboards​

As part of our research, our team considered it important to demonstrate the results we obtained as well as a possible implementation. To achieve this, we created three Grafana dashboards that are integrated with Prometheus. These dashboards capture monitoring metrics and display the behavior of the P2P network, neighborhood, and Prysm node in real-time.

• Ethereum P2P Network Status: The information that is displayed on the Ethereum P2P Network Status dashboard comes from our Prysm node and is obtained by monitoring the port 8080. It gives data on the neighborhood area as well as how this node interacts with the other nodes in the blockchain. This comprises the number of connected peers, the current and head slot, the various types of P2P libraries that are linked to our node together with their ratings, as well as information on the participation rate and network liveness of the P2P network. In addition to this, it provides information concerning validators, such as their total numbers, the status of their accounts, and the average amount of ether in their balances.

Fig. 1 The Ethereum P2P network status dashboard

• Beacon Node Monitor: This dashboard belongs to the infrastructure of our own Ethereum node, which displays information such as the use of CPU, RAM, disk space, bandwidth within the network, and details about storage space. This information was retrieved from the Kubernetes cluster that serves as the host for the consensus node, which is the infrastructure in our particular instance.

Fig. 2 The beacon node monitor dashboard

• Eclipse Attacks Dashboard: The creation of the final dashboard required the development of an interface that could record the potential eclipse attacks discovered by our machine learning algorithm and then input those records into the AlertManager component of Prometheus. After that, Grafana creates a table that displays a row for each identified eclipse attack in a given node.

Fig. 3 The eclipse attacks dashboard

At Tikuna, we believe that making a more secure and reliable P2P network requires accessibility and transparency, which is why we have developed a comprehensive User section for our proof-of-concept. Our User section offers detailed instructions and tutorials that guide users of all technical levels through the installation process and explain how to interpret the information presented in the dashboards. With Tikuna, a wider audience can benefit from our P2P monitoring system. We are proud to contribute to advancing blockchain security through our innovative ideas and commitment to user-friendly solutions. To learn more about Tikuna and how to use our monitoring system, visit our website [19] and browse through our User section.

The research paper​

We are currently working on a draft research paper that is based on the findings and results obtained during this research grant. Once we receive feedback from EF, we intend to submit the research paper to an International Conference. The research paper is organized into five main chapters. The first chapter is an introduction to the Ethereum blockchain, which emphasizes the importance of understanding the risks associated with P2P blockchain networks and developing security-focused solutions to ensure their reliability. It also highlights the three main contributions of the paper, which include a proposed machine learning approach for detecting attacks in the P2P layer, a method for detecting eclipse attacks using custom-generated connection log data and LSTM neural networks, and a custom exploit for eclipse attack testing against a modified Prysm client in mainnet. The second chapter, titled "Related Work", provides an overview of the most recent works that address the security challenges of the Ethereum blockchain P2P networks. The third chapter introduces the Tikuna approach by describing each of the three steps and discussing the various types of blockchain P2P network attacks. The fourth chapter evaluates the effectiveness of the Tikuna approach using a simulation and mainnet connection dataset. The last chapter presents a summary of the proposed work, conclusions, and potential future research directions. Finally, the authors acknowledge that the work presented was supported by the Ethereum Foundation Academic Research Grants.

Next steps​

We take immense pride in our team's accomplishments, and we extend our gratitude to everyone who played a part in ensuring the project's success. Our team's expertise, dedication, and collaborative ethos were crucial to delivering the first phase of the Tikuna project. This is just the beginning of our project as we aim to further develop Tikuna as a tool to contribute to the Ethereum community and other Blockchains. Our efforts will be focused on identifying additional attacks, minimizing false positives, detecting real-world incidents, and incorporating different Blockchain (including Ethereum) node clients. Moreover, we intend to investigate other areas of research where Tikuna can be utilized, such as Maximal Extractable Value (MEV).

We have applied for the second round of the EF academic research grants. Please see our application here. If you are interested in learning more about Tikuna or working with us, we welcome the opportunity to collaborate with you. Kindly reach out to us, and we'll be happy to hear from you.

Here you can find the Tikuna's full source code.

Although there are advances in cybersecurity, many applications need robust security features. Currently, aside from product quality concerns, the software has numerous adversaries that are attempting to break the lines in order to exploit or sabotage its conditions.

The situation is similar to that of Web 3, and it may even be more severe due to the involvement of factors such as digital assets (crypto or NFTs). Even if the blockchain and its consensus algorithm are used as the basis for carrying out the backend procedures of these technologies, they still have dozens of security vulnerabilities that are found over time by hackers whose objective is not to contribute to the ecosystem. Imagine a large, decentralized network in which hundreds of innovative or newly emerging projects are competing to use it as a platform for the development of their apps. This is a real-world occurrence that takes place on the Ethereum blockchain. As of right now, the increasing levels of hacks, chasing funds, or oversights by institutions, such as the most recent FTX issue, have positioned blockchain cybersecurity as the shelter behind the perfection of its operations. Exchanges, smart contracts, tokens, and decentralized applications are all components of the system that are subjected to quality and security verification as part of the auditing process. Hacks to decentralized finance protocols resulted in the theft of 156 million dollars in just four months during the year 2021. Aside from the fact that this amount represents a significant loss for both individuals and businesses, it is also a sign on a qualitative level, indicating that protocols require integration and maintenance with regard to computer security.

This is something that the Tikuna team is fully aware of. Therefore, we are trying to make an essential contribution to the blockchain community as well as the field of cybersecurity via the development and provision of techniques that help with the early detection/monitoring of threats for the Ethereum P2P network. Moreover, the presence of systems that can enforce and monitor decentralized environments before the occurrence of these unfavorable events instills a greater sense of confidence and intense anticipatory ownership. As an open-source solution, users will have the ability to use the data that is provided in order to improve the integration of security measures. Finally, we are working hard to make the use of blockchain products more secure and predictable, which are both highly valued in the digital world.

Cybersecurity systems are complex and play a fundamental role in various applications. Even in highly secure and decentralized systems like blockchain networks, there are cases in which the dApps, average users, or the network itself are exposed to many daily risks. Due to certain vulnerabilities, numerous businesses are interested in fostering research and development of security-focused solutions, which is precisely why our team is developing Tikuna.

Tikuna is a proof-of-concept P2P network security monitoring system for the Ethereum blockchain. Using Machine Learning techniques, it will extract security and performance insights for detecting relevant incidents and improving visibility to the security state of the P2P network. This proposed research project has been approved and supported by the Ethereum Foundation with an award of USD 102,200 to start the development process.

Tikuna team has approached this 2022 opening in the area of P2P Network to the Ethereum Foundation Academic Grants. We are the only team in Latin America that received approval and funding from ETH Foundation. This is the official announcement published by them.

The team behind Tikuna​

The project Tikuna is led by both Edenia and Sakundi. Edenia operates an independent decentralized blockchain infrastructure and develops Web3 products. Sakundi is a blockchain security and privacy-focused research organization that provides Artificial Intelligence-powered security monitoring solutions for blockchain businesses and distributed apps.

What is the problem that Tikuna is trying to solve?​

Tikuna proposes an open-source solution that provides visibility into the nodes’ status, allowing for the early detection of P2P attacks. This tool will provide the ETH Community with an extra resource for preventing or reporting incidents that could affect thousands of transactions and/or applications running on this blockchain.

What will be the final research project deliverable of Tikuna, in this first stage?​

The project aims to empower the Ethereum community by providing them with an intelligent, state-of-the-art tool capable of accumulating security-related data from the state of the P2P network and enhancing network visibility by offering insights about its current state. A handy feature we plan to develop is an interactive dashboard that allows users or organizations to make queries of the nodes.

Steps toward the future….​

Tikuna is an innovative solution that will support Ethereum's blockchain security, more so, in the evolution to PoS (Proof-of-Stake), where nodes play a bigger role in block validation with their participation. With how fast Web3 expands and how many applications use participating networks, we reckon that Tikuna has the potential to become a multi-chain solution. We plan to further expand Tikuna to different networks that use PoS or DPoS as their consensus mechanism.