Formal Security Analysis on dBFT Protocol of NEO
This exposes critical vulnerabilities in a widely used blockchain consensus protocol, impacting systems like NEO and ONT.
The paper identifies attacks that break the claimed security of NEO's delegated Byzantine Fault Tolerance (dBFT) protocol, which is supposed to tolerate up to f Byzantine nodes, and provides fixes that were accepted by the NEO team.
NEO is one of the top public chains worldwide. We focus on its backbone consensus protocol, called delegated Byzantine Fault Tolerance (dBFT). The dBFT protocol has been adopted by a variety of blockchain systems such as ONT. dBFT claims to guarantee the security when no more than $f = \lfloor \frac{n}{3} \rfloor$ nodes are Byzantine, where $n$ is the total number of consensus participants. However, we identify attacks to break the claimed security. In this paper, we show our results by providing a security analysis on its dBFT protocol. First, we evaluate NEO's source code and formally present the procedures of dBFT via the state machine replication (SMR) model. Next, we provide a theoretical analysis with two example attacks. These attacks break the security of dBFT with no more than $f$ nodes. Then, we provide recommendations on how to fix the system against the identified attacks. The suggested fixes have been accepted by the NEO official team. Finally, we further discuss the reasons causing such issues, the relationship with current permissioned blockchain systems, and the scope of potential influence.