Abstract

Byzantine fault-tolerant (BFT) consensus protocols are essential in distributed computing. Most partially synchronous BFT protocols proceed in views and rely on a view synchronizer module to guarantee liveness by synchronizing honest replicas to the same view. HotStuff is a leading BFT consensus protocol known for achieving linear view change and optimistic responsiveness. To achieve these desirable properties, HotStuff relies on a candidate solution for the view synchronizer based on a recomposed timer doubling mechanism. However, a formal analysis of this mechanism is currently lacking. This paper delves into HotStuff with the recomposed timer doubling mechanism. To facilitate accurate analysis, we introduce a new specification for the view synchronizer, incorporating two paths for view switching as in HotStuff’s setting. Surprisingly, we observe that the adversary can disrupt the view synchronization and launch a liveness attack, stalling the confirmation process. Besides, the adversary can further recover or control the confirmation process at will. A repairment that retains the desirable feature of HotStuff is also presented. We simulate the liveness attack and the repairment, demonstrating their effectiveness. Specifically, the liveness attack can cause HotStuff’s throughput to drop and remain at 0. When equipped with our repairment, HotStuff can resist the attack and retain the throughput performance.
