An eclipse attack is a network-level attack on a blockchain peer-to-peer (P2P) network in which the attacker fills all inbound and outbound peer connection slots of a target node with attacker-controlled nodes. Once fully “eclipsed,” the victim cannot communicate with any honest node — it sees only attacker-provided data. The attacker can then feed the victim a falsified view of blockchain state, enabling harmful second-order attacks (facilitating 0-confirmation double spends, supporting selfish mining, isolating mining pools, or targeting specific users or services). Eclipse attacks differ from 51% attacks in that they attack individual nodes rather than the entire network’s consensus.
How It Works
Modern blockchain nodes maintain a peer set: a fixed number of outbound connections (initiated by the node) and inbound connections (accepted from peers). For example, Bitcoin Core maintains 8 outbound + up to 125 inbound connections.
Phase 1 — Overwhelming the Address Table
The attacker floods the victim’s peer address table (Bitcoin’s addrMan, Ethereum’s peer discovery tables) with a large number of IP addresses controlled by the attacker. Bitcoin Core stores 65,536 address “buckets” — filling these with attacker nodes eventually monopolizes the victim’s future connection attempts.
Phase 2 — Disconnecting Honest Peers
The attacker waits for the victim node to restart, or triggers restarts through various means (resource exhaustion, timing attacks). On restart, the victim’s connections come predominantly from the poisoned address table — attacker nodes.
Phase 3 — Eclipsing
Once the victim’s connections are fully controlled, the attacker can:
- Withhold/delay blocks — show the victim an outdated chain tip
- Feed a forked chain — show the victim an attacker-controlled fork
- Facilitate double-spend attacks — the victim accepts a 0-confirmation transaction; the attacker then hides the double-spend broadcast from the victim while broadcasting to the honest network
- Support selfish mining — isolate mining pools to waste their hash power on stale blocks
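A defensive check for the first two behaviours above (withheld blocks and a forked chain), as an added example that is not code from any client: it compares the node's recent blocks with chain tips observed over independent paths. The source names, the `max_lag` and `quorum` thresholds and the placeholder hashes are assumptions.

```python
from collections import Counter

# Constructed data: short placeholder strings stand in for real block hashes.
LOCAL_CHAIN = {100: "h100", 101: "h101", 102: "h102", 103: "h103"}
REFERENCES = [  # (source, height, block_hash) collected over independent paths
    ("second-node", 109, "h109"),
    ("explorer-a", 109, "h109"),
    ("explorer-b", 108, "h108"),
]


def classify(local_chain, height, block_hash, max_lag):
    """Compare one out-of-band tip observation with the local chain view."""
    local_height = max(local_chain)
    if height in local_chain:
        # Same height, different hash: the node is following another branch.
        return "ok" if local_chain[height] == block_hash else "fork"
    if height > local_height:
        # A small lead is normal propagation delay; a large one suggests
        # that blocks are being withheld from this node.
        return "stale" if height - local_height > max_lag else "ok"
    return "unknown"  # older than the window of local blocks we kept


def check_tip(local_chain, references, max_lag=2, quorum=2):
    """Return (verdict, votes). 'fork' and 'stale' need `quorum` agreeing
    sources, so a single bad reference cannot raise an alert on its own."""
    votes = Counter(classify(local_chain, h, bh, max_lag) for _, h, bh in references)
    for verdict in ("fork", "stale"):
        if votes[verdict] >= quorum:
            return verdict, dict(votes)
    if votes["ok"] >= quorum:
        return "ok", dict(votes)
    return "inconclusive", dict(votes)


if __name__ == "__main__":
    print(check_tip(LOCAL_CHAIN, REFERENCES))
```

The references only help if they reach the operator over paths the node's own peers do not control, such as a second node on a different network.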
Eclipse vs. Other Network Attacks
| Attack | Target | Requires |
|---|---|---|
| Eclipse | Specific node(s) | Control victim’s peer connections |
| Sybil | Entire network reputation system | Many fake identities |
| 51% attack | Global consensus | >50% hash power / stake |
| Routing (BGP hijack) | Network-level routing | ISP/BGP control |
| DDoS | Node availability | Bandwidth |
Eclipse attacks can be a precursor to or enabler of other attacks — eclipsed nodes can be used as stepping stones.
Bitcoin Eclipse Attack Research (2015)
Ari Heilman, Ethan Heilman, et al. published the seminal “Eclipse Attacks on Bitcoin’s Peer-to-Peer Network” paper in 2015, demonstrating:
- Bitcoin Core could be eclipsed with as few as 32 attacker IP addresses using just 2 machines
- The attack exploited Bitcoin’s address table (addrMan) construction and restart behavior
- The attacker needed to control only inbound connections after address poisoning
Bitcoin’s response: Randomized address table bucket selection, enhanced address diversity requirements, and improved restart connection handling. Later upgrades added peer eviction logic skeptical of newly connected peers.
Ethereum Eclipse Attack Research
Ethereum’s devp2p protocol (Kademlia-based DHT) was analyzed in 2018-21 studies:
- Grundmann et al. (2018): Eclipse attacks on Ethereum; shown feasible with moderate resources
- Gervais et al. (2020): Further analysis of Ethereum P2P vulnerabilities
- Mitigations: Ethereum clients implemented enhanced peer selection diversity (multiple /24 subnets required), peer scoring, and minimum peer requirements before accepting unconfirmed transactions
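The subnet-diversity idea behind these mitigations can also be used as an operator-side check, shown here as an added example that is not code from any client: it groups a node's outbound peers by /24 (IPv4) and flags a peer set concentrated in few groups. The sample peer list is constructed, using the `addr` and `inbound` field names of Bitcoin Core's `getpeerinfo` output; the IPv6 /32 grouping and both thresholds are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample: 8 outbound and 2 inbound peers on documentation ranges.
SAMPLE_PEERS = (
    [{"addr": f"203.0.113.{i}:8333", "inbound": False} for i in range(10, 16)]
    + [{"addr": "198.51.100.7:8333", "inbound": False},
       {"addr": "[2001:db8:1::5]:8333", "inbound": False},
       {"addr": "192.0.2.44:51234", "inbound": True},
       {"addr": "192.0.2.45:51877", "inbound": True}]
)


def netgroup(addr, v4_prefix=24, v6_prefix=32):
    """Map 'ip:port' or '[ip6]:port' to its containing network (the peer's group)."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"other:{host}"  # non-IP peers (e.g. onion): one group per host
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def audit_outbound(peers, min_groups=4, max_share=0.5):
    """Flag an outbound peer set that is concentrated in too few network groups.

    min_groups and max_share are illustrative thresholds, not client defaults.
    """
    outbound = [p["addr"] for p in peers if not p["inbound"]]
    if not outbound:
        return {"groups": {}, "dominant": None, "share": 0.0,
                "alerts": ["no outbound peers"]}
    groups = Counter(netgroup(a) for a in outbound)
    dominant, count = groups.most_common(1)[0]
    share = count / len(outbound)
    alerts = []
    if len(groups) < min_groups:
        alerts.append(f"only {len(groups)} distinct groups among {len(outbound)} outbound peers")
    if share > max_share:
        alerts.append(f"{dominant} holds {share:.0%} of outbound slots")
    return {"groups": dict(groups), "dominant": dominant, "share": share, "alerts": alerts}


if __name__ == "__main__":
    for line in audit_outbound(SAMPLE_PEERS)["alerts"]:
        print("ALERT:", line)
```

Only outbound peers are audited because the node chooses them itself; inbound slots can be filled by anyone who connects.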
History
| Year | Event |
|---|---|
| 2015 | Heilman et al. publish “Eclipse Attacks on Bitcoin’s Peer-to-Peer Network” — first formal analysis |
| 2015-16 | Bitcoin Core patched: addrMan randomization, restart diversification, peer eviction improvements |
| 2018 | Grundmann et al. demonstrate Ethereum eclipse attacks via devp2p Kademlia DHT weaknesses |
| 2020 | Ethereum Go-client (Geth) and others add enhanced peer diversity requirements and scoring |
| 2021 | Further P2P security research; academic consensus that practical eclipse attacks are mitigated in major clients but not fully impossible |
| 2022+ | Attention shifts to staking-specific P2P concerns in Ethereum PoS validator networks |
Common Misconceptions
“Eclipse attacks are the same as Sybil attacks”
Sybil attacks create many fake identities to gain disproportionate influence over reputation systems or peer selection globally — they target the network as a whole. Eclipse attacks target a specific victim node to monopolize its specific peer connections. Eclipse attacks often use Sybil resources (many IPs) as a tool to execute the eclipse, but the goal and mechanism differ.
“Eclipse attacks can steal funds directly”
Eclipse attacks don’t directly steal anything — they provide a falsified view that enables fraud (double-spending, mining manipulation). The funds at risk belong to counterparties who accept transactions from the eclipsed node’s perspective, or mining operations that lose block rewards.
Social Media Sentiment
Eclipse attacks are primarily a topic of academic blockchain security research, developer forums (Bitcoin Core mailing lists, Ethereum Fellowship of Ethereum Magicians), and dedicated security conferences. They are not widely discussed in mainstream crypto Twitter but are core knowledge for node security, validator operations, and protocol developers. The 2015 Bitcoin research is considered a landmark in blockchain P2P security analysis. Security researchers studying Bitcoin and Ethereum P2P layers consistently reference eclipse attack defenses when evaluating client software quality. The existence of eclipse attacks is occasionally cited in “Bitcoin is insecure” arguments, typically by those who don’t note that the practical attack vectors were significantly mitigated shortly after the research was published.
Last updated: 2026-04
Sources
- Heilman, E., Kendler, A., Zohar, A., & Goldberg, S. (2015). Eclipse Attacks on Bitcoin’s Peer-to-Peer Network. USENIX Security Symposium.
- Grundmann, M., Neudecker, T., & Hartenstein, H. (2018). Exploiting Transaction Accumulation and Double Spends for Topology Inference in Bitcoin. FC 2018 Workshop on Bitcoin and Blockchain Research.
- Marcus, Y., Heilman, E., & Goldberg, S. (2018). Low-Resource Eclipse Attacks on Ethereum’s Peer-to-Peer Network. IACR Cryptology ePrint Archive.