What has happened?
As part of a DoS attack, an enormous amount of dust accounts were created and submitted to the nano network. The goal appears to be a resource-exhaustion attack aimed at denying service to normal users either partially or entirely by filling the network with accounts and transaction volume.
Before the start of March, Nano had ~5.5M accounts over a 5 year period and within 10 days this number increased to over 20M. Most significantly affected was the synchronization process which made it difficult for nodes to synchronize with each other. The synchronization process largely relied on account scanning and for every account added, the synchronization degradation was compounded.
Since nano is asynchronous, and due to the synchronization process being unable to complete, it was possible for the attacker to maintain their transaction activity while all other activity on the network was unable to recover. Asynchronicity benefits the network under typical usage by preventing slowdowns in one area from slowing down the rest of the network, this is called priority inversion. In this case, the addition of an unprecedented number of accounts and the associated stall of the synchronization process was the root cause of the slowdowns for the rest of the network and the attacking transactions consumed the remaining available resources.
What is this update?
The V21.3 update contains a series of low-risk patches which mitigate the performance impact from the number of accounts. Several cases where the synchronization process would be restarted or prevented from being restarted were fixed. Support was also added to do an age-based query for updated accounts which significantly reduces synchronization bandwidth.
All node and service operators are encouraged to upgrade to V21.3 as soon as possible. There are no breaking changes or major impacts to integrations to consider with this upgrade.
For details on how to upgrade see the current release notes documentation.
What are the network effects upon upgrade?
After the V21.3 upgrade, nodes will be able to synchronize with the network more effectively, although the overall system performance will remain partially degraded until more complex changes are added in subsequent releases. Node operators should see their block count come in to sync with the rest of the network and the number of confirmed transactions will rise as more nodes are upgraded and synchronized.
Longer term solutions
Additional patches are being added to the upcoming V22 release including dividing the synchronization process into smaller chunks using functionality that is already supported. This will reduce memory consumption in the synchronization process. There are designs to remove account scanning entirely from the synchronization process and these designs will be implemented when complete.
Of great interest is the PoS4QoS design which has the potential to formally specify the transaction scheduling process, define worst-case bounds on how a transaction is prioritized, and greatly reduce or eliminate reliance on proof of work as a throttling mechanism.
If the attacker’s intent was to identify issues and spur fixes, this could have been done on a non-live network such as beta or a private test network. All of the problem areas would have been uncovered in the same way, yet it would not have had an impact on nano users or services. Nano is a live financial network, we treat it as such, which is why this activity is considered an attack rather than a contribution.
Nano is an open-source project and while the Nano Foundation is a heavy contributor to the code base, we are a small team and the nano protocol depends on public code contributions for maintenance and improvement. Those who have the skills or resources to help us improve nano are encouraged to connect with us to discuss further.
We have 3 developers hopefully joining us full time at the start of April and we look forward to announcing them officially. Thank you for your ongoing support during this difficult time and we look forward to the network getting back to normal.