Cardano’s network demonstrated remarkable resilience during a DDoS attack, maintaining operations without the need for a system reboot. The impact was minimal, with only a slight speed reduction observed. For instance, the decentralized exchange SundaeSwap successfully processed 5,013 orders amidst the attack. Developers at AnastasiaLabs detected the attack and confiscated ADA from the attacker. Upon realizing their funds were being siphoned in response to their actions, as revealed in a tweet, the attacker ceased the DDoS attack. A DDoS attack can be evaluated as unsuccessful. The attack demonstrated Cardano’s resilience and was certainly an interesting stress test for the network.
The DDoS Attack
On June 24, 2024, at 2:58 PM, Cardano faced a DDoS attack that concluded on June 25 at 6:44 AM. The attacker executed the attack using three distinct wallets, flooding the network with transactions containing scripts.
The number of transactions initiated from each wallet is as follows:
Wallet 1: 1,458 transactions
Wallet 2: 1,856 transactions
Wallet 3: 2,107 transactions
Investigations revealed that the initial funding for these wallets originated from the Kraken exchange.
The Cardano community would appreciate it if Kraken could provide information about the following wallets:
Addr1qxv5hrukg48vse5lve0458ahsh4j6xjrpknhwr8elm0aarqfws07lvvnq45xvjsywj0egfskqlm4hpk8jk0twgqjjzcsavhzy6
The core strategy of the DDoS attack was to flood the network with spam transactions containing scripts, aiming to exhaust its resources. This would potentially prevent regular users from accessing the network.
Given that Cardano operates as a distributed network, each full node is required to validate transactions. This also applies to spam transactions, which are valid transactions for which fees are paid. Even with validators deserializing 194 junk scripts (~16kb each) per transaction the validators were fine processing spam transactions.
The attacker tried to exploit the vulnerability when executing scripts. The size of reference scripts currently has no impact on transaction fees. However, the script must be processed, which involves doing some work. However, the execution of the script requires the cost of CEK setup and reference input, which increases the size of the transaction and thus the fee.
The DDoS attack resulted in a higher load on the network, surpassing normal levels. Stake Pool Operators (SPOs) have been negatively affected by a higher number of height battles. Despite these issues, the Cardano blockchain continued to operate effectively, with only minor delays in transaction processing times and some reduction in chain density.
The attack was an interesting stress test for Cardano and proof of resilience. Over 1.8M transactions were processed by Cardano during the DDoS attack.
Cardano has reached 40 TPS.
The eUTxO explorer also responded promptly to the attack. It was able to visualize the attack.
How the Attacker Lost the Money
The attack was stopped after developers from AnastasiaLabs pointed out how to get ADA from the attacker. When registering a staking script, a deposit of 2 ADA is required by the protocol. Deregistration of the script requires validation to be able to reclaim the deposit.
No validations were implemented in the 194 scripts used by the attacker meaning no restrictions have been defined on who can reclaim a deposit. Each validation always succeeded. This enabled deregistration for everyone, as the validation was always successful and the transaction fee was lower than the deposit obtained.
A Hotfix is Available
The attacker could think more about the attack and then repeat it under different conditions.
The team directly investigated the underlying issue and identified the root cause. It has successfully deployed a hotfix which is available in the new node version 8.12.1.
I hereby request all SPOs to upgrade to the new version.