🤖 AI Summary
This work uncovers security threats to Ethereum's consensus layer that arise from Internet routing (BGP) vulnerabilities after its transition to Proof-of-Stake (PoS). Because the network distribution of validators is obscured by the protocol and cannot be measured directly without disturbing the live network, the paper first proposes a novel, non-intrusive framework for inferring where validators sit on the Internet. It then introduces a class of attacks that combine Internet routing manipulation with the protocol's reward and penalty mechanisms, described through two representative attacks: (1) StakeBleed, which uses prefix hijacking to cut validators off from the network and trigger the inactivity leak, halting block finality and inflicting losses of almost 300 ETH on the validator set within 2 hours while hijacking as few as 30 IP prefixes; and (2) KnockBlock, which uses route manipulation to keep targeted blocks out of the chain, raising the attacker's expected MEV gains by 44.5% while hijacking a single IP prefix for under 2 minutes. The authors present both attacks as practical and effective, and frame the results as a call for validators to harden their routing infrastructure and for the Ethereum P2P protocol to better conceal validator locations.
📝 Abstract
With the promise of greater decentralization and sustainability, Ethereum transitioned from a Proof-of-Work (PoW) to a Proof-of-Stake (PoS) consensus mechanism. The new consensus protocol introduces novel vulnerabilities that warrant further investigation. The goal of this paper is to investigate the security of Ethereum's PoS system from an Internet routing perspective. To this end, this paper makes two contributions: First, we devise a novel framework for inferring the distribution of validators on the Internet without disturbing the real network. Second, we introduce a class of network-level attacks on Ethereum's PoS system that jointly exploit Internet routing vulnerabilities with the protocol's reward and penalty mechanisms. We describe two representative attacks: StakeBleed, where the attacker triggers an inactivity leak, halting block finality and causing financial losses for all validators; and KnockBlock, where the attacker increases her expected MEV gains by preventing targeted blocks from being included in the chain. We find that both attacks are practical and effective. An attacker executing StakeBleed can inflict losses of almost 300 ETH in just 2 hours by hijacking as few as 30 IP prefixes. An attacker implementing KnockBlock could increase their MEV expected gains by 44.5% while hijacking a single prefix for less than 2 minutes. Our paper serves as a call to action for validators to reinforce their Internet routing infrastructure and for the Ethereum P2P protocol to implement stronger mechanisms to conceal validator locations.
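StakeBleed works by denying connectivity to enough validators that the chain stops finalising, at which point the protocol's inactivity leak starts penalising every validator that misses its target attestation and pays no attestation rewards to anyone. The following model, added here as an illustration and not taken from the paper or its framework, walks through that mechanism using the Altair/Bellatrix consensus-spec constants (INACTIVITY_SCORE_BIAS, INACTIVITY_SCORE_RECOVERY_RATE, INACTIVITY_PENALTY_QUOTIENT_BELLATRIX, MIN_EPOCHS_TO_INACTIVITY_PENALTY, the participation-flag weights and the base-reward formula). The finality model (justification needs two thirds of stake, two consecutive justified epochs finalise) and the scenario (all validators at 32 ETH, a constructed set of them missing every attestation for a fixed number of epochs) are simplifying assumptions; proposer, sync-committee and slashing effects are omitted.

```python
"""Illustrative model of Ethereum's inactivity leak, the penalty mechanism a
StakeBleed-style attack triggers by knocking validators offline.
Constants are Altair/Bellatrix consensus-spec values; the finality and attack
model is a simplification (see comments). Not the paper's framework."""
from math import isqrt

GWEI = 10**9
EFFECTIVE_BALANCE_INCREMENT = 1 * GWEI
MAX_EFFECTIVE_BALANCE = 32 * GWEI
BASE_REWARD_FACTOR = 64
INACTIVITY_SCORE_BIAS = 4
INACTIVITY_SCORE_RECOVERY_RATE = 16
INACTIVITY_PENALTY_QUOTIENT_BELLATRIX = 2**24
MIN_EPOCHS_TO_INACTIVITY_PENALTY = 4
TIMELY_SOURCE_WEIGHT, TIMELY_TARGET_WEIGHT, TIMELY_HEAD_WEIGHT = 14, 26, 14
WEIGHT_DENOMINATOR = 64
SECONDS_PER_EPOCH = 32 * 12


def base_reward(total_active_balance: int, effective_balance: int = MAX_EFFECTIVE_BALANCE) -> int:
    """Per-epoch base reward of one validator (spec get_base_reward), in gwei."""
    per_increment = EFFECTIVE_BALANCE_INCREMENT * BASE_REWARD_FACTOR // isqrt(total_active_balance)
    return effective_balance // EFFECTIVE_BALANCE_INCREMENT * per_increment


def is_in_inactivity_leak(finality_delay: int) -> bool:
    """Spec: the leak is on once finality lags by more than MIN_EPOCHS_TO_INACTIVITY_PENALTY."""
    return finality_delay > MIN_EPOCHS_TO_INACTIVITY_PENALTY


def flag_rewards(br: int, participating: int, total: int, in_leak: bool) -> int:
    """Attestation rewards of a validator that earned all three flags; zero during a leak."""
    if in_leak:
        return 0
    return sum(br * w * participating // (total * WEIGHT_DENOMINATOR)
               for w in (TIMELY_SOURCE_WEIGHT, TIMELY_TARGET_WEIGHT, TIMELY_HEAD_WEIGHT))


def flag_penalties(br: int) -> int:
    """Penalty for missing source and target flags; the head flag carries no penalty."""
    return br * TIMELY_SOURCE_WEIGHT // WEIGHT_DENOMINATOR + br * TIMELY_TARGET_WEIGHT // WEIGHT_DENOMINATOR


def update_inactivity_score(score: int, hit_target: bool, in_leak: bool) -> int:
    """Spec process_inactivity_updates: +BIAS on a missed target, -1 otherwise,
    and an extra -RECOVERY_RATE whenever the chain is not leaking."""
    score = score - min(1, score) if hit_target else score + INACTIVITY_SCORE_BIAS
    if not in_leak:
        score -= min(INACTIVITY_SCORE_RECOVERY_RATE, score)
    return score


def inactivity_penalty(score: int, effective_balance: int = MAX_EFFECTIVE_BALANCE) -> int:
    """Per-epoch penalty for a validator that missed its target; grows with its score."""
    return effective_balance * score // (INACTIVITY_SCORE_BIAS * INACTIVITY_PENALTY_QUOTIENT_BELLATRIX)


def simulate_leak(n_validators: int, n_offline: int, attack_epochs: int, recovery_epochs: int = 4) -> dict:
    """Constructed scenario: every validator holds 32 ETH; `n_offline` of them miss all
    attestations for `attack_epochs` epochs, then everyone attests for `recovery_epochs`."""
    br = base_reward(n_validators * MAX_EFFECTIVE_BALANCE)
    healthy = flag_rewards(br, n_validators, n_validators, False)  # reward with full participation
    n_online = n_validators - n_offline
    score_off = 0                      # online validators keep a score of 0 throughout
    finality_delay, justified_streak = 1, 2
    loss_on = loss_off = inact_total = 0
    leak_epochs, first_leak = 0, None
    for epoch in range(attack_epochs + recovery_epochs):
        attacking = epoch < attack_epochs
        participating = n_online if attacking else n_validators
        # Assumed finality rule: >= 2/3 of stake on the target justifies an epoch,
        # two consecutive justified epochs finalise and reset the delay.
        justified = 3 * participating >= 2 * n_validators
        justified_streak = justified_streak + 1 if justified else 0
        finality_delay = 1 if justified_streak >= 2 else finality_delay + 1
        in_leak = is_in_inactivity_leak(finality_delay)
        if in_leak:
            leak_epochs += 1
            first_leak = epoch if first_leak is None else first_leak
        # Inactivity scores are updated before rewards/penalties, as in process_epoch.
        score_off = update_inactivity_score(score_off, not attacking, in_leak)
        earned = flag_rewards(br, participating, n_validators, in_leak)
        loss_on += healthy - earned    # online validators only lose foregone rewards
        if attacking:
            pen = inactivity_penalty(score_off)
            inact_total += pen
            loss_off += healthy + flag_penalties(br) + pen
        else:
            loss_off += healthy - earned
    return {
        "first_leak_epoch": first_leak,
        "leak_epochs": leak_epochs,
        "attack_minutes": attack_epochs * SECONDS_PER_EPOCH / 60,
        "loss_per_online_gwei": loss_on,
        "loss_per_offline_gwei": loss_off,
        "inactivity_penalty_per_offline_gwei": inact_total,
        "total_loss_eth": (loss_on * n_online + loss_off * n_offline) / GWEI,
    }


if __name__ == "__main__":
    # Constructed input: a validator set of 900,000, just over a third of it cut off for 19 epochs (~2 h).
    for key, value in simulate_leak(900_000, 300_001, attack_epochs=19).items():
        print(f"{key}: {value}")
```

Two things the numbers make visible: the leak does not start the moment validators drop off but only after finality has lagged for more than four epochs, and once it is on, the inactivity penalty of an unreachable validator rises linearly with each epoch (so its cumulative penalty grows quadratically) while every other validator silently forfeits its attestation rewards. In the constructed 900,000-validator run the total comes out in the low hundreds of ETH for a two-hour window, the same order as the abstract's figure, but that agreement is a property of this simplified model and not a reproduction of the paper's measurement.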