Yuzhe Tang's Research Profile

Research Highlights

• Leading researcher on “mempool security” (mempool is a permissionless, shared cache widely used in decentralized systems like blockchains)

  • Research results published in:

    • [CCS 21]: The first mempool attack.

    • [USENIX Security 24]: The first mempool fuzzer to find design flaws.

    • [IEEE S&P 25]: The first provable-secure designs of mempools.

    • [IMC 21]: Mempool misuses for the first measurement of Ethereum-network topology.

  • Severe bugs discovered and confirmed by Ethereum Foundation

  • Research funded by two awards from the highly competitive Ethereum Foundation academic grant program: [award 22], [award 23]

  • Development efforts funded by one award in 2024 from the Ethereum Foundation Ecosystem Support Program

  • Developed security patches adopted in Geth v1.11.4 [release notes].

• Established researcher on “blockchain systems security” with expertise in:

  • “blockchain denial of service” [NDSS 21], “financial security of smart contracts” [Euro S&P 23], “blockchain cost modeling” ([FSE 21], [Middleware 20], [ICDE 19]), “upgradable smart contracts” [WWW 24], “fuzzing blockchain clients” [USENIX Security 24], “wallet security” [WWW 25]

  • Research and education efforts funded by two NSF awards on blockchains: [NSF 22], [NSF 21]

  • Our iBatch [FSE 21] influences the design of account abstraction mechanism (ERC-4337) on Ethereum.

Research Interests

• Security analysis and vulnerability discovery: [USENIX Security 24], [CCS 21]

• Provable/formal security and economics of security: [IEEE S&P 25]

• Security-oriented measurement and cyber-crime: [Euro S&P 23], [IMC 21], [NDSS 21]

• Workload-aware system optimization: [TSE 23]/[FSE 21], [Middleware 20], [ICDE 19], [TPDS 13]

• Secure data storage and replication: [Middleware 21], [ACSAC 14], [EDBT 14], [ICDCS 08]

• Research mission:

  • Understand, enable and verify the systems security and application security of digital infrastructures under evolving threats, in high-impact or emerging application domains, including decentralized systems (like blockchains and smart contracts), software supply-chain, emerging web infrastructures, finance technology, etc.

Representative Papers

Underline: students advised by Dr. Tang

• IEEE S&P'25: “Asymmetric Mempool DoS Security: Formal Definitions and Provable Secure Designs”, AR=14.3%, Wanning Ding, Yuzhe Tang, Yibo Wang. [pdf]

  • Summary: Presented the first economic-security framework for mempools, including the formal definitions, provable secure designs, and security analysis on Ethereum mempools under asymmetric DoS attacks. In particular, the provable-secure designs, named saferAd, mitigate the dual attacks of mempool evictions and locking by statically enforcing an upper bound of transaction fees outside mempool (modeling attack damage) under the locking attacks and a lower bound of transaction fees inside mempool (modeling attack cost) under eviction attacks.

• USENIX Security'24: “Understanding Ethereum Mempool Security under Asymmetric DoS by Symbolized Stateful Fuzzing”, AR=14.5%, Yibo Wang, Yuzhe Tang, Kai Li, Wanning Ding, Zhihua Yang. [pdf], [slides]

  • Summary: mpfuzz is the first fuzzer to find unique design flaws in mempool, a security-critical component in blockchains. mpfuzz models asymmetric mempool-DoS (denial of service) attacks like DETER (CCS'21) as its bug oracles and employs a novel transaction-symbolization technique to speed up fuzzing. Instead of covering the large space of concrete Ethereum transactions, mpfuzz covers only seven symbols abstracted from the semantics of Ethereum transactions without causing false negatives in bug detection. mpfuzz detects more than 20 new mempool DoS vulnerabilities beyond DETER, most of which are confirmed.

• Euro S&P'23: “Understanding the Security Risks of Decentralized Exchanges by Uncovering Unfair Trades in the Wild”, AR=35.7%, Jiaqi Chen, Yibo Wang, Yuxuan Zhou, Wanning Ding , Yuzhe Tang, X. Wang, Kai Li. [preprint], [slides], [2-page slides]

  • Summary: This paper presents a large-scale measurement study on popular decentralized exchanges (DEX). It uncovers a previously unknown and surprising phenomenon: DEXes widely exercise unfair practices in settling trades, leading to the financial unsafety of the traded crypto-assets. Analyzing 60 million transactions, it finds 671,400 unfair trades on Uniswap, Balancer, Curve, and other leading DEXes, causing the loss of value worth more than 3.88 million USD. The root cause is the fundamental difficulty in enforcing access control of tokens across smart contracts on Ethereum.

• CCS'21: “DETER: Denial of Ethereum Txpool sERvices”, AR=22%, Kai Li, Yibo Wang, Yuzhe Tang. [pdf], [slides], [talk], [poster], [Patch@Geth-1.11.4], [CVE-2022-23327], [CVE-2022-23328]

  • Summary: This work examines the design security of Ethereum's txpool (or memory pool) which is a buffer storing unconfirmed transactions prior to mining. By modeling transaction operations in txpool, we discover a series of denial-of-service attacks, named DETER attacks that can disable a remote Ethereum node's txpool and deny critical services in mining and transaction relay. DETER attacks incur zero or low Ether cost, and can be extended to result in disruption to an entire Ethereum network. We propose mitigation schemes that reduce a DETER attack's success rate to zero while preserving the miners' revenue.

• IMC'21: “TopoShot: Uncovering Ethereum's Network Topology Leveraging Replacement Transactions”, AR=28%, Kai Li, Yuzhe Tang, Jiaqi Chen, Yibo Wang, Xianghong Liu. [pdf], [slides], [poster], [open dataset], [talk@IMC’21]

  • Summary: This paper presents the first measurement study that uncovers Ethereum's peer-to-peer network topology. Network topology in Ethereum remains an open research problem, measuring which requires to infer the routing-table information hidden in blackbox nodes and is known to be challenging. This paper presents TopoShot, a novel method uniquely repurposing Ethereum's transaction replacement/eviction policies for topology measurement. For the large-scale measurement, we propose a non-trivial parallel measurement schedule. We take extensive measures and notably propose workload-adaptive configurations to minimize service interruption to tested nodes/network. Through systematic measurement studies, our work induces new knowledge including the full-network topology in major testnets (Ropsten, Rinkeby and Goerli) and critical sub-network topology in the mainnet, which reveal interesting graph-theoretic properties and connectivity centralization in real Ethereum networks.

• FSE'21: “iBatch: Saving Ethereum Fees via Secure and Cost-Effective Batching of Smart-Contract Invocations”, AR=24.5%, Yibo Wang, Qi Zhang, Kai Li, Yuzhe Tang, Jiaqi Chen, X. Luo, T. Chen. [pdf], [extended version (in TSE’23)], [html], [slides]

  • Summary: Today, blockchains' transaction fees are skyrocketing and have scared away some big customers (e.g., Binance as an institutional customer in Ethereum). This work tackles this pressing problem on Ethereum and presents iBatch, a security protocol to batch-process multiple smart-contract invocations in a single transaction, hence amortizing its high fees. To ensure the security (invocation integrity) while saving costs, we propose a novel nonce-maintenance method to defend against replay attacks. We design a middleware system supporting a range of batching policies from the conservative to the more aggressive batching. By replaying real Ethereum transactions, we evaluate iBatch's cost. The result shows iBatch saves 14.6%-59.1% Gas cost per invocation with a moderate 2-minute delay and 19.06%-31.52% Ether cost per invocation with a minimal delay of 0.26-1.66 blocks.

• NDSS'21: “As Strong As Its Weakest Link: How to Break (and Fix) Blockchain DApps at RPC Service”, AR=15.2%, Kai Li, Jiaqi Chen, Xianghong Liu, Yuzhe Tang, X. Wang, X. Luo. [pdf], [slides], [demo1], [demo2]

  • Summary: This work presents a measurement study examining the security of Ethereum remote procedural call (RPC) services. The key RPC API is "eth_call", which supports free execution of smart contracts. Misusing this API leads to a zero-cost denial-of-service attack, which we call Denial of Ethereum Rpc Service (DoERS). Novel measurement methods are proposed to uncover the load balancing, rate limiting, Gas limits, and other service internal behaviors that would otherwise be hidden inside the blackbox services. The results show that at the time of measurement, most services are vulnerable to the DoERS attacks -- a DoERS attacker investing zero Ether/USD can cause severe service interruption with significant response time increase.

• Other selected papers: [link]

Ph.D. Mentoring (and First-authored Papers)

• Dr. Kai Li (2018-2022): Tenure-track Assistant Professor at SDSU (San Diego State)

  • Direction: Denial-of-service attacks in blockchain networks

  • 1st-author papers (during Ph.D.): CCS’21, IMC’21, NDSS’21, Middleware’20

  • Internships: IBM Research ’20, Amazon ’21

  • Award: NortonLife Ph.D. fellowship finalist ’22, Ethereum Foundation bug bounty, RPC service bug bounty, Ethereum Foundation academic grant

• Yibo Wang (2020-2025):

  • Direction: Semantic fuzzing of decentralized systems

  • Papers: Security’24, FSE’21/TSE’23, CCS’22 poster

  • Internship: Georgia Tech, CertiK

  • Award: Ethereum Foudation bug bounty

• Jiaqi Chen (2020-2026):

  • Direction: Economic security in smart contracts

  • Papers: WWW’24 short, Euro S&P’23

  • Internship: CertiK

• Yuxuan Zhou (2021-):

  • Direction: Systems security in open-source software supply chains

  • Papers: WWW’24 short

• Wanning Ding (2022-):

  • Direction: Economic security in blockchain systems

  • Papers: S&P’25

  • Award: Ethereum Fellowship’22

• Zhihua Yang (2023-):

  • Direction: Security and performance issues in layer-two blockchains

  • Award: Flashbots bug bounty

• Jin Yang (2023-):

  • Direction: Systems security in emerging key-management services

• Shouzhi Fang (2024-):

• Xianghong Liu (on leave)