Blockchains have intricate architectures that encompass various components, e.g., the consensus network, smart contracts, decentralized applications, and auxiliary services. While offering numerous advantages, these components expose various attack surfaces, leading to severe threats to blockchains. In this study, we unveil a novel attack surface in blockchains: the state storage. The state storage, based on the Merkle Patricia Trie, plays a crucial role in maintaining blockchain state. We also design Nurgle, the first Denial-of-Service attack targeting the state storage. By proliferating intermediate nodes within the state storage, Nurgle forces blockchains to expend additional resources on state maintenance and verification, impairing their performance. We conduct a comprehensive and systematic evaluation of Nurgle, covering the factors affecting it, its impact on blockchains, and its financial cost, and we practically demonstrate the resulting damage to blockchains. The implications of Nurgle extend beyond the performance degradation of blockchains, potentially reducing trust in them and the value of their cryptocurrencies. We further discuss three feasible mitigations against Nurgle. At the time of writing, the vulnerability exploited by Nurgle has been confirmed by six mainstream blockchains, and we have received thousands of USD in bounties from them.