Is Stellar As Secure As
You Think?
Minjeong Kim (KAIST), Yujin Kwon (KAIST), Yongdae Kim (KAIST)
Overview
Stellar is one of the top ten cryptocurrencies in terms of market capitalization, which is an open platform that connects people and several entities to provide payment service, including cross-border transactions . To complete one consensus round in Stellar, each node in Stellar forms a quorum slice consisting of nodes that are trusted by the node, and then receives specific messages from nodes in the quorum slice.
Simply speaking, we analyze Stellar, whose security is highly dependent on the structure of the quorum slices. More specifically, we investigate the current quorum slices in Stellar, analyze the structure of quorum slices, and measure the influence of each node quantitatively using two metrics, PageRank (PR) and the newly proposed NodeRank (NR). The results show that the Stellar system is significantly centralized. Thereafter, to determine how the centralized structure can have a negative impact on the Stellar system, we study the cascading failure caused by deleting only a few nodes (i.e., validators) in Stellar. We show that all of the nodes in Stellar cannot run Stellar consensus protocol if only two nodes fail. To make matters worse, these two nodes are run and controlled by a single organization, the Stellar foundation.
In summary, our contributions are as below:
- We analyze FBA and prove that it is not superior to PBFT in terms of safety and liveness.
- We conduct data analysis on the Stellar system, and show that the structure of quorum slices is highly centralized.
- We study cascading failures considering the current quorum slices. Our results imply that validators cannot achieve a consensus after deleting only two nodes run by the Stellar foundation.
Results
Visualization of Quorum Slices in Stellar
The figure shows the structure of the quorum slices on January 22, 2019. Each circle represents a validator, where the size of the circle is proportional to the number of times the node is included in any quorum slice. Vertexes with the same color are run by the same organization. This figure indicates that sdf_validator nodes are included in quorum slices the most, followed by eno and tempo.eu.com.
PageRank (PR) and NodeRank (NR)
PR is a metric that gives more weight to a selected node from a more influential node. NR is an upgrade version of PR, considering some characteristics of quorum slices. Through the two metrics, we measure that how centralized the current structure of quorum slices is. The result shows that sdf_validator nodes have the highest power, especially in NR.
Cascading Failure
To see a negative impact of the centralization in Stellar, we apply cascading failure, which causes gradual failure of other nodes due to the failure of a few nodes.
Failure (%) = Number of failed validators / Total number of validators * 100
(1) sdf_validator1, sdf_validator2 : 100%
(2) sdf_validator1, sdf_validator3 : 100%
(4) sdf_validator2, sdf_validator3 : 100%
The result indicates that the failure of two of sdf_validator nodes can lead to the failure of the entire system. Note that all of the sdf_validator nodes are run by the Stellar foundation.
The Most recent Status... (May 15, 2019 5:00 AM (UTC/GMT))
The results in the paper were analyzed with data on January 8, 2019. We began discussions for the responsible disclosure with David Mazieres, a chief scientist at Stellar, on April 2 after the paper was accepted. As an effect of the paper, many entities including Stellar Foundation are discussing the centralization of Stellar and trying to change their quorum slices more securely. In fact, recently, the structure of quorum slices is much more unbiased than in the past; however, still when two nodes fail, the system might be blocked. Short summaries of the changes in the current Stellar network as below.
1. Generally, the total number of validators and quorum slices increase.
2. Many nodes, including the Stellar foundation, which have never changed their slices in the past few months, are actively changing their slices with various nodes that were previously not included.
3. Number of times when sdf_validators (they are run by Stellar foundation) are included in the slices highly decreases.
4. The values of PR and NR are less biased than in the past.
5. However, the current structure of quorum slices is much more vulnerable to cascading failure with the failure of 2 nodes than the past.
The exact results of two metrics and cascading failure with the current data are shown in below.
PageRank (PR) and NodeRank (NR)
Cascading Failure Result
* When 2 nodes fail
- There are 28 cases where 100% failure occurs when two nodes fail, even though there have been many changes in the structure of quorum slices.
- This indicates that despite the efforts of the decentralized structure of quorum slices, the structure of quorum slices is much weaker than before.
- This text file shows the node pairs that caused the entire network to fail (docs.google.com/document/d/1T45C6uJmlVlF-zh_rMy3Q33_kgZnNndvyr6TFWqzbZU/edit?usp=sharing).
* When 3 nodes fail
- Total 2109 cases with 3 nodes lead to 100% failure of the entire system.
History of Cascading Failure
May 5, 2019
when 2 nodes fail
when 3 nodes fail
May 1, 2019
when 2 nodes fail
when 3 nodes fail
The figure above shows the result of a cascading failure caused by two and three node failures, respectively.
Q&A
Q1. Is there any response from Stellar?
http://www.scs.stanford.edu/~dm/blog/safety-vs-liveness.html
Q2. If someday lots of central banks or other super important financial institutions participate in Stellar, the structure of quorum slices would be much more decentralized.
Yes, we agree with that. But as it stands now, it still seems challenging to attract such important institutions to the Stellar network. Moreover, someday when such institutions start to use Stellar network, they need to run their own full nodes and advertise themselves to others.
Q3. If every node includes various validators in each slice differently, then the structure of quorum slices would be much more decentralized.
No. According to the Stellar consensus protocol, it would be difficult for all the validators to be uniformly included in slices because the extent to which they are trusted by others is different.
Q4. Under the Stellar business model, failures among nodes that are not directly related with itself might be less important.
Some failures such as cascading failures might be equally important to all nodes because they can impact to all nodes.
Q5. What are the meaning of "fail two nodes" and "the entire system fails" in the paper?
As can be seen from many articles and papers, some network attacks, such as DDoS, can occur in the blockchain networks. In this paper, we are saying that if two centralized nodes can not receive or send any message because of DDoS, then all nodes in Stellar network wull be blocked and can not move to the next step in the consensus process.
- Paper Information
Minjeong Kim, Yujin Kwon, and Yongdae Kim, "Is Stellar As Secure As You Think?", IEEE Security & Privacy on the Blockchain (S&B), 2019 : Camera-ready version (syssec.kaist.ac.kr/pub/2019/kim_snb2019.pdf)