Oct 9, 2024 - Validating Ethereum transactions without storing the entire blockchain

Comments

It is no secret that participating as a validator node (aka “full node”) in the Ethereum blockchain requires non-trivial hardware and storage resources. The hardware requirements to run a Geth full node (one of the more popular Ethereum full node implementations) state that the recommended minimum storage is a 2TB SSD drive - and with a default cache size, operators should expect storage to grow at a rate of about 14GB/week.

These storage requirements apply to anyone who wants to help validate transactions on the mainnet, not just to “staking” validators who want to earn Proof-of-stake rewards for validating transactions (who have additional requirements, such as ensuring high node uptime).

The more costly the hardware requirements, the fewer the number of parties capable of running a full node. Less full nodes leads to increased load on fewer servers, or to more parties relying on intermediaries (such as “node providers”) to operate the hardware for them.

This got us thinking: can we modify the block validation protocol used in networks like Ethereum so that storing the full blockchain state is no longer a prerequisite for participating as a block validator? In other words, can we let a node with “small” storage capacity (say, 5-10GB) meaningfully contribute to transaction validation without requiring it to store a full copy of the chain, and without compromising blockchain data integrity?

Today at the BRAINS 2024 conference in Berlin my PhD student Weihong Wang presented our work on “A Scalable State Sharing Protocol for Low-Resource Validator Nodes in Blockchain Networks” which addresses this question.

Read more

Oct 2, 2024 - Remember AOP? Modular access control for Solidity smart contracts

Comments

If you have ever looked at how Ethereum smart contracts are developed in the Solidity programming language, you will know that one of the most critical aspects of the code are the so-called “access control checks”: short conditional tests that check whether the call to the contract is “legit”: was it made by a party with sufficient rights? (e.g. the owner or creator of the contract) Is the contract in the right state to handle the request? Were all the necessary actions executed earlier? And so on. Forgetting such a check usually leads to security vulnerabilities with disastrous consequences.

In our recent paper “Safe design and evolution of smart contracts using dynamic condition response graphs to model generic role-based behaviors” (which got published last week in the Journal of “Software: Evolution and Process”), we develop a method to express such access control logic not as conditional tests scattered throughout the contract code, but rather as a separately specified set of constraints.

Read more

Aug 23, 2023 - Static Application Security Testing of Consensus-Critical Code in the Cosmos Network

Comments

How effective are Static Application Security Testing (SAST) tools at finding bugs in consensus-critical code in application-specific blockchains? That’s the question we addressed in our new paper “Static Application Security Testing of Consensus-Critical Code in the Cosmos Network” that recently got accepted at the 5th Conference on Blockchain Research & Applications for Innovative Networks and Services (BRAINS 2023).

Read more

May 18, 2023 - Security & Privacy of Contemporary Distributed Systems

Comments

This past semester I had the pleasure of running a seminar course in KU Leuven’s brand new Advanced Master of Cybersecurity. The course is called “Security & Privacy of Contemporary Distributed Software Systems”. That’s a mouthful, but at least it’s quite descriptive.

For this inaugural year I decided to focus the course on security & privacy aspects of blockchain and distributed ledger technology. As far as “contemporary distributed systems” go, it’s hard to miss the rapid expansion of this class of systems - the core technology underpinning “Web3”.

Read more

Oct 4, 2022 - Academia Part II: joining DistriNet at KULeuven

Comments

After (almost) 9 years at Bell Labs (first as a researcher, then as a department head) I have recently made the decision to move back to academia, while remaining affiliated with the Labs in a limited advisory research role.

As of this week I am part of the faculty at the Computer Science Department in KU Leuven as an Associate Professor where I will be pursuing research and teaching on distributed systems, blockchain and software security in the DistriNet research group.

In this new role I will bootstrap a new line of research on secure distributed computing with a focus on building and securing decentralized applications, in particular applications that employ “smart contracts”, i.e. code that manages digital assets, usually recorded on blockchain-based ledgers. Specific topics of interest include the study of new and widely used languages for writing smart contracts and system-level challenges of blockchain platforms including their security, privacy, scalability and interoperability.

I’m looking for Master students interested in pursuing a PhD in any of these areas. I have an open position for a 4-year full-time PhD research assistant appointment in Leuven, Belgium. For any questions about the topic, don’t hesitate to reach out at tom.vancutsem at kuleuven.be. For practical questions regarding working conditions for PhD students at KU Leuven, check this helpful website from the university.

Update: my inaugural lecture slides on secure and dependable software services for the Internet of Value are available here.