pull down to refresh

Time Tells All: Deanonymization of Blockchain RPC Usersdl.acm.org/doi/abs/10.1145/3719027.3765082
180 sats \ 102 boost \ 0 comments \ @Scoresby 28 Jan bitcoin

Yet another reason why you should run your own nodeYet another reason why you should run your own node

Good Bitcoin wallets allow you to connect to your own node rather than querying a node run by the wallet developers or some other entity. But running a node takes some effort, and so often wallets default to a publicly accessible node, rather than forcing you to do the work.

This paper assumes a state-level actor that performs timing analysis on RPC calls and claims this actor could link the IP address at which wallet RPC calls originate to blockchain addresses. They claim this attack is not hindered by encrypted data transport.

We find if a normal RPC user performs 3 or 4 transactions with their wallet at a monitored IP address, the success rate of uniquely identifying the user’s pseudonym can reach up to 96.80% in Ethereum testnet, 95.33% in Ethereum mainnet, 97.70% in Bitcoin testnet and 96.58% in Solana testnet.
Furthermore, our results demonstrate that TRAP is universally effective across diverse open-source or closed-source wallets. The success rate remains consistently high for attackers located in different cities or countries, regardless of their geographic distance from the victim.

How it worksHow it works

We propose a novel deanonymization attack method named Timestamp Reveals Associated Pseudonym(TRAP), which aims to uniquely link an IP address of a RPC user to its pseudonym.
  1. By carefully analyzing RPC API calls along with the sizes and sequences of TCP packets generated by these calls in wallets, we design a machine learning model that leverages TCP packet size and sequence features to accurately detect Tπ‘ž .
  2. Thanks to wallet design philosophy for good user experience,a wallet typically queries transaction status automatically and promptly without user intervention to provide timely feedback to users. This allows the attacker to estimate an upper bound ofthe interval 𝐼𝑐,π‘ž (which is short and spans only a few blocks) and derive the range of transaction confirmation timestamp T𝑐 .
  3. By searching ledgers based on the estimated T𝑐 , the attacker can obtain a set of candidate pseudonyms. To uniquely identify the target, the attacker conducts multiple rounds of traffic and ledger analysis against the same IP address and each round generates a candidate set. Intersecting these sets may reveal the target.

If you've been waiting to learn how to spin up a node of your own, consider this another strong reminder to look into doing it. All it takes is an old laptop and some time. There's lots of great guides out there.

write
preview
related posts