CertiK Logo
Products
Company
Cancel
Back to all stories
Blogs
Threat Modeling the Merge - 3 Things That Could Go Wrong
9/14/2022
Threat Modeling the Merge - 3 Things That Could Go Wrong

The Merge is just hours away. It’s one of the biggest open-source software engineering events in recent memory, and its significance may not become fully apparent until well into the future.

The name comes from the fact that two distinct chains are “merging”: Ethereum’s existing execution layer with the Beacon Chain. The Beacon Chain was deployed on December 1st, 2020 and is secured by Proof of Stake, rather than the Proof of Work that has powered Ethereum since its inception.

This is no small feat. While the Merge is expected to be a seamless upgrade for users, there are some behind-the-scenes security implications of this massive technical undertaking.

In this post, we’ll lay out three possible pain points pre-Merge and then come back to revisit them once the transition has taken place to see how they panned out.

1: ChainID Replay Attacks

Replay attacks could lead to users unknowingly compromising their assets on Ethereum’s main chain through activity on a forked chain that shares the same ChainID.

A replay attack involves copying a transaction on one chain and broadcasting it on another without the original sender’s permission. This is only possible if two chains share the same identification number: ChainID.

Until quite recently, there was no indication that the miner consortium behind the Ethereum Proof of Work fork (ETH PoW or ETHW) was aware of this issue. This would have meant that transactions on the main Proof of Stake Ethereum chain could be duplicated on ETHW.

That might not be such a big issue if you don’t intend on interacting with the PoW fork. If all you care about is your assets on the PoS chain, then what happens to your (potentially close to worthless) assets on the ETHW chain is of little concern.

But what if you did see a future for the ETHW chain? You might play around with it, sending your assets from one wallet to another or interacting with DeFi platforms. Maybe you send some ETHW to a friend to convince them to come over to the chain. Maybe you send them half of your ETHW, which as a fork is nowhere near as valuable as ETH on the main chain. Assets with a value of, for example, $100 on ETHW could be worth $10,000 on ETH.

If the ChainID numbers are identical the transactions you make on ETHW could be almost effortlessly replayed on Ethereum’s main chain.

You could end up sending your friend not just half of your low-valued ETHW, but half of the life savings you were holding in ETH too. And sending too much money to a friend is one of the best case scenarios. An attacker could set up a malicious protocol on ETHW, taking advantage of the lack of clarity around the chain’s viability to trick some users into granting unlimited token allowances. Once these allowances are confirmed on ETHW, they can be rebroadcast to the main chain.

Clearly, this would be an issue. And it was a very real concern as recently as a week ago, when a Coinbase engineer requested on Github that ETHW clarify the ChainID code it would be using.

ChainID Github Engineer Source: @FrankieIsLost

The ETHW team responded, clarifying that their chain would use an ID of 10001 rather than 1, which Proof of Stake Ethereum will continue to utilize after the Merge.

Likelihood: Low, after the largest likely fork of Ethereum addressed the issue a week out from the Merge. For replay attacks to be a problem, a fork of the main chain would need to deliberately choose to utilize the same ChainID. This choice would greatly compromise the utility of the chain, as it would mean the forked chain could not exist alongside Ethereum without replay attacks being a possibility. This would discourage usage of the chain, and without usage it would have no value and no future.

Final Verdict: As of Merge +10 hours: There has been no major problem with replay attacks. Ethereum PoW (ETHW) confirmed that the project had chosen a ChainID value of 10001, distinguishing it from the main Ethereum chain whose ChainID is 1.

This removes what could have been a serious source of replay attacks on Ethereum. However, there is at least one other hypothetical method of executing a replay attack.

A minority of EIP-721 contracts cache the domain separator, which contains data including ChainID. If an ETHPoW contract had cached a domain separator with the obsolete ChainID value of 1, this would open up the possibility of rebroadcasting any execution of the contract on the main PoS chain.

The following function will update ChainID to the correct value.

CACHED DOMAIN SEPARATOR

Contracts built on external libraries that have already addressed this issue are not at risk.

2: The Network Fails to Reach Finalization

If there are any unforeseen issues with client configuration, validators may not be able to reach consensus on blocks in the new Proof of Stake regime, leaving the network in limbo.

The 12 minute period between the initiation of the Merge and the finalization of Proof of Stake Ethereum on mainnet will be the most critical moment in the network’s history to date. This is where anything that is going to go wrong is likely to do so.

Network finalization is the proof of the pudding, it’s when we can accurately consider Ethereum to have successfully completed the Merge.

So when will Ethereum 2.0 reach network finality?

While Bitcoin and Ethereum use blocks as confirmation of activity on the networks, Ethereum 2.0 uses epochs. An epoch comprises 32 slots, and each slot is open for 12 seconds. This makes an epoch last for 384 seconds, or six minutes and twenty four seconds. In each of these slots, a validator is randomly chosen to propose a block.

Two epochs – a total of 64 blocks – need to be confirmed by a ⅔ majority of active Ethereum 2.0 validators for the network to reach finality. This process has been running smoothly on the Beacon Chain for nearly two years. However, the Merge is taking place in a live environment with billions of dollars of value at stake.

Validators may be unable to reach consensus for a couple of reasons:

Client misconfiguration leading to invalid blocks being proposed The rejection of valid blocks by improperly configured validator nodes

Neither of these are particularly likely, given the amount of time validators have had to ensure they are prepared for the Merge. Yet out of an abundance of caution, users should avoid transacting on Ethereum until the network has reached finality.

Major exchanges have announced that they will halt deposits and withdrawals during the 12 minutes that it is expected to take the network to finalize.

“There will be no funds at risk,” Ethereum core developer Marius Van Der Wijden told Decrypt. “I myself wouldn't send, like, $100 million during those 12 minutes. But 12 minutes after, the chain finalizes. Then everything should be fine. Then we can start celebrating.”

Likelihood: Low, thanks to the efforts of Ethereum developers and the months of preparation by validators, but still greater than zero.

Final Verdict: Ethereum merged as seamlessly as planned. The execution layer joined with the Beacon Chain's consensus layer and Ethereum transitioned to Proof of Stake. While technically it's the validators that confirm the two epochs that define a finalized Merge, the eyes of everyone who isn't a validator node were turned to Vitalik. And when he spoke the words, the Merge was confirmed.

Vitalik confirms Merge Source: @VitalikButerin

3: Recentralization Risk

*Proof of Stake introduces a number of complexities on the part of validators, and the Merge sends us down a long and difficult path of increasing centralization. * One of the major selling points of the Merge, apart from its estimated 99.95% reduction in energy consumption, is its democratization of contribution to the network. The transition to Proof of Stake means you no longer need to invest in costly mining equipment to contribute to the network’s security. Now, you only need to invest in the underlying asset itself: ETH. Anyone who holds a minimum of 32 ETH can run their own validator node, and anyone who doesn’t hold quite that amount (which would currently cost you over $50,000) can stake with a third-party entity like Lido, Coinbase, Kraken, Binance and many other exchanges and staking services.

The four platforms listed above together custody more than 60% of all staked ETH. Users pool their ETH with these validators, who pay out the staking rewards earned. This is a similar mechanism to mining pools, and there is a similar concentration of hashrate among the top mining pools.

Dune Analytics Ethereum 2.0 Stakers Dashboard

Yet Proof of Stake introduces some considerations for validators that miners in a Proof of Work network do not encounter. BitMEX Research laid out the responsibilities of validators specifically regarding OFAC sanctions.

Miners in a PoW system have essentially three options:

  • Ignore the OFAC rules
  • Refuse to include OFAC banned transactions in blocks you produce
  • Refuse to build on top of a chain that includes OFAC banned transactions

However, PoS validators have many more options (and thus responsibilities):

  • Refuse to include “OFAC banned” transactions in blocks they produce
  • Refuse to attest to blocks which contain OFAC banned transactions
  • Produce and attest to blocks which comply with OFAC rules, even when they conflict with non-compliant blocks
  • Refuse to produce blocks on top of blocks which contain OFAC banned transactions
  • Refuse to attest to blocks in a chain which contains OFAC banned transactions
  • Refuse to include attestations to blocks with OFAC banned transactions in blocks they produce
  • Refuse to include attestations to blocks in a chain with OFAC banned transactions in blocks they produce
  • Ignore the OFAC rules

The fact that many of these entities have major presences in the United States means they may come under significant pressure to apply sanctions at the base layer.

Coinbase founder Brian Armstrong came forward to announce that his company will not yield to such pressure, preferring to shut down their staking service instead of compromising the integrity of the network.

Brian Armstrong Censorship Source: @brian_armstrong

But there are still questions to be answered. How would Ethereum respond to this sudden evaporation of 15% of the network’s stake? How about Coinbase’s shareholders who see a lucrative opportunity for the company to earn income with OFAC-compliant staking, and aren’t so keen on passing up that opportunity in the name of crypto’s ideological values?

Ethereum developer Terence Tsao said that he would consider censorship at the base layer as an attack on the network. “We'll be monitoring these companies to see how they are behaving. If they behave maliciously, we can forcefully eject them through social governance.”

Likelihood: Moderate, in the long run. Proof of Stake introduces new responsibilities for validators, responsibilities that miners on the Proof of Work network have not had to confront. While assurances from companies like Coinbase that they will not engage in censorship are promising, it remains to be seen how the game theory will play out.

Final Verdict: As expected, the largest validators began proportionally receiving the largest share of the rewards. Ethereum's level of decentralization is an ongoing topic of debate in the politics of the network. While some may wish for a more diverse staking environment, the largest post-Merge Ethereum validators control a (slightly) smaller proportion of the network's total power than Bitcoin miners do of theirs. However, complicating this is the fact that it is more complex to unstake your ETH and switch validator than it is to direct your hardware's hashing power to a different Bitcoin mining pool. Decentralization will continue to be one of the most important variables in future debate and development.

All in all, the Merge went about as smoothly as could be expected. ChainID problems are out of the hands of PoS Ethereum now, and can be considered as one of the unforeseen costs of operating in an open-source, decentralized environment where anything and everything can be forked. Overall, ETH 2.0 is a major update to the network, and the work of the developers who made it happen cannot be overstated. While this is an early step in the mission towards more scalability and security outlined by Ethereum developers, the success of the Merge shows that the talent and determination needed to achieve these goals are not in short supply.