Blockchain is a revolutionary technology that enables users to communicate in a trust-less manner. It revolutionizes the modes of business between organizations without the need for a trusted third party. It is a distributed ledger technology based on a decentralized peer-to-peer (P2P) network. It enables users to store data globally on thousands of computers in an immutable format and empowers users to deploy small pieces of programs known as smart contracts. The blockchain-based smart contract enables auto enforcement of the agreed terms between two untrusted parties. There are several security vulnerabilities in Ethereum blockchain-based smart contracts, due to which sometimes it does not behave as intended. Because a smart contract can hold millions of dollars as cryptocurrency, so these security vulnerabilities can lead to disastrous losses. In this paper, a systematic review of the security vulnerabilities in the Ethereum blockchain is presented. The main objective is to discuss Ethereum smart contract security vulnerabilities, detection tools, real life attacks and preventive mechanisms. Comparisons are drawn among the Ethereum smart contract analysis tools by considering various features. From the extensive depth review, various issues associated with the Ethereum blockchain-based smart contract are highlighted. Finally, various future directions are also discussed in the field of the Ethereum blockchain-based smart contract that can help the researchers to set the directions for future research in this domain.

https://ieeexplore.ieee.org/ielx7/6287639/9668973/09667515.pdf

Systematic Review of Security Vulnerabilities in Ethereum Blockchain Smart Contract

Smart contracts are self-executing programs that run on the blockchain and make it possible for peers to enforce agreements without a third-party guarantee. The smart contract on Ethereum is the fundamental element of decentralized finance with billions of US dollars in value. Smart contracts cannot be changed after deployment and hence the code needs to be verified for potential vulnerabilities. However, smart contracts are far from being secure and attacks exploiting vulnerabilities that have led to losses valued in the millions. In this work, we explore the current state of smart contracts security, prevalent vulnerabilities, and security-analysis tool support, through reviewing the latest advancement and research published in the past five years. We study 13 vulnerabilities in Ethereum smart contracts and their countermeasures, and investigate nine security-analysis tools. Our findings indicate that a uniform set of smart contract vulnerability definitions does not exist in research work and bugs pertaining to the same mechanisms sometimes appear with different names. This inconsistency makes it difficult to identify, categorize, and analyze vulnerabilities. We explain some safeguarding approaches and best practices. However, as technology improves new vulnerabilities may emerge. Regarding tool support, SmartCheck, DefectChecker, contractWard, and sFuzz tools are better choices in terms of more coverage of vulnerabilities; however, tools such as NPChecker, MadMax, Osiris, and Sereum target some specific categories of vulnerabilities if required. While contractWard is relatively fast and more accurate, it can only detect pre-defined vulnerabilities. The NPChecker is slower, however, can find new vulnerability patterns.

https://www.mdpi.com/2624-800X/2/2/19/pdf?version=1654438241

The State of Ethereum Smart Contracts Security: Vulnerabilities, Countermeasures, and Tool Support

Blockchain technology and its applications are gaining popularity day by day. It is a ground-breaking technology that allows users to communicate without the need of a trusted middleman. A smart contract (self-executable code) is deployed on the blockchain and auto executes due to a triggering condition. In a no-trust contracting environment, smart contracts can establish trust among parties. Terms and conditions embedded in smart contracts will be imposed immediately when specified criteria have been fulfilled. Due to this, the malicious assailants have a special interest in smart contracts. Blockchains are immutable means if some transaction is deployed or recorded on the blockchain, it becomes unalterable. Thus, smart contracts must be analyzed to ensure zero security vulnerabilities or flaws before deploying the same on the blockchain because a single vulnerability can lead to the loss of millions. For analyzing the security vulnerabilities of smart contracts, various analysis tools have been developed to create safe and secure smart contracts. This paper presents a systematic review on Ethereum smart contracts analysis tools. Initially, these tools are categorized into static and dynamic analysis tools. Thereafter, different sources code analysis techniques are studied such as taint analysis, symbolic execution, and fuzzing techniques. In total, 86 security analysis tools developed for Ethereum blockchain smart contract are analyzed regardless of tool type and analysis approach. Finally, the paper highlights some challenges and future recommendations in the field of Ethereum smart contracts.

Ethereum Smart Contract Analysis Tools: A Systematic Review

Blockchains have been booming in recent years. As a decentralized system architecture, smart contracts give blockchains a user-defined logic. A smart contract is an executable program that can automatically carry out transactions on the Ethereum blockchain. However, some security issues in smart contracts are difficult to fix, and smart contracts also lack quality assessment standards. Therefore, this study proposes a Multiple-Objective Detection Neural Network (MODNN), a more scalable smart contract vulnerability detection tool. MODNN can validate 12 types of vulnerabilities, including 10 recognized threats, and identify more unknown types without the need for specialist or predefined knowledge through implicit features and Multi-Objective detection (MOD) algorithms. It supports the parallel detection of multiple vulnerabilities and has high scalability, eliminating the need to train separate models for each type of vulnerability and reducing significant time and labor costs. This paper also developed a data processing tool called Smart Contract-Crawler (SCC) to address the lack of smart contract vulnerability datasets. MODNN was evaluated using more than 18,000 smart contracts from Ethereum. Experiments showed that MODNN could achieve an average F1 Score of 94.8%, the current highest compared to several standard machine learning (ML) classification models. 

Smart contract vulnerability detection combined with multi-objective detection

Smart contracts on Ethereum enable billions of dollars to be transacted in a decentralized, transparent and trustless environment. However, adversaries lie await in the Dark Forest, waiting to exploit any and all smart contract vulnerabilities in order to extract profits from unsuspecting victims in this new financial system. As the blockchain space moves at a breakneck pace, exploits on smart contract vulnerabilities rapidly evolve, and existing research quickly becomes obsolete. It is imperative that smart contract developers stay up to date on the current most damaging vulnerabilities and countermeasures to ensure the security of users' funds, and to collectively ensure the future of Ethereum as a financial settlement layer. This research work focuses on two smart contract vulnerabilities: transaction-ordering dependency and oracle manipulation. Combined, these two vulnerabilities have been exploited to extract hundreds of millions of dollars from smart contracts in the past year (2020-2021). For each of them, this paper presents: (1) a literary survey from recent (as of 2021) formal and informal sources; (2) a reproducible experiment as code demonstrating the vulnerability and, where applicable, countermeasures to mitigate the vulnerability; and (3) analysis and discussion on proposed countermeasures. To conclude, strengths, weaknesses and trade-offs of these countermeasures are summarised, inspiring directions for future research.

https://dl.acm.org/doi/pdf/10.1145/3474374.3486916

Your Smart Contracts Are Not Secure: Investigating Arbitrageurs and Oracle Manipulators in Ethereum

Blockchain has attracted widespread attention since its inception and one of the special technologies is smart contracts. Smart contracts are programs on blockchain that act as trusted intermediary between the users and are widely used in variety of industry (e.g., IoT, supply chain management). Smart contracts can store or manipulate valuable assets which may cause huge economic losses. Unlike traditional computer programs, the code of a smart contract cannot be modified after it is deployed on the blockchain. Hence, the security analysis and vulnerability detection of the smart contract must be performed before its deployment. In this survey, we considered 15 security vulnerabilities in smart contracts and introduced the vulnerable areas and the causes of vulnerabilities. According to the methods used, we introduced the existing smart contract analysis methods and vulnerability detection tools from three aspects of static analysis, dynamic analysis and formal verification. Finally, by considering the analysis tools and security vulnerabilities, we found that a new attack cannot be detected by existing detection tools if the vulnerability without pre-defined. We recommend using machine learning methods to analyze smart contracts in combination with traditional program vulnerabilities, and find vulnerabilities that have not yet been discovered in smart contracts. In addition, many detection tools require too much resources or are too complex, so it is necessary to introduce new detection methods.

The Vulnerabilities in Smart Contracts: A Survey

Blockchain technology has been applied in various fields, providing strong support for the medical field, supply chain and other industries, followed by the emergence of DApp based on blockchain smart contract technology. DApp as a distributed application model, implements part of the background business functions by the smart contract of blockchain to ensure the transparency, openness and traceability of key businesses, and can effectively resist DDoS attacks. However, blockchain data storage is expensive and not suitable for storing large amounts of data. This is a key barrier to the large amount of user data generated by DApp, and the risk of data loss, tampering and so on if the data is stored in a centralized service organization. In addition, smart contracts cannot be modified once deployed, and DApp often need frequent iterative updates in the later maintenance process, which will be faced with the need to modify the business logic of smart contracts. To solve the above problems, this paper proposes a user’s data storage model of DApp based on IPFS to reduce the storage cost of data, and designs a set of hot-swapping smart contract architecture based on contract address to manage DApp user data, so as to meet the functional business replacement in the later stage of smart contract. In addition, for the privacy security of data, this paper introduces the Diffie-Hellman key exchange technology as the encryption scheme to protect user data.

A DAPP Business Data Storage Model Based on Blockchain and IPFS

The smart contract technology of blockchain is being applied in many industries, but its security issues have also caused huge economic losses, so it is very important to conduct security audits on them before smart contracts’ deployment. The existing smart contract security audit methods rely heavily on the rules formulated by experts based on their own knowledge and experience, require high hardware resources and the detection procedure is time-consuming. To address these problems mentioned above, we propose a lightweight smart contract vulnerability detection model(SC-VDM) based on Convolutional Neural Networks(CNN), which can automatically detect the vulnerabilities in the smart contract on a lightweight computer without expert knowledge. We first convert the smart contract bytecode into smart contract bytecode grayscale matrix pictures and then use CNN for vulnerability detecting. We test SC-VDM on two datasets which each contain four types of smart contract vulnerabilities. The experimental results show that the accuracy and F1-score can reach more than 81% and 86% on two datasets. It performs best on the Reentrancy vulnerability which had caused The DAO attack in 2016, and the accuracy and F1-score is 89.52% and 93.96%. Moreover, the detection time is greatly shortened than traditional tools, it costs only 0.021 s for each smart contract.

SC-VDM: A Lightweight Smart Contract Vulnerability Detection Model

In the big data environment, the scale of attacks of Distributed Denial of Service (DDoS) continues to expand rapidly. The traditional network situation assessment method cannot effectively evaluate the security situation of DDoS. A security situation assessment method based on deep learning and a security situation assessment model based on neural network are proposed. The model uses convolutional neural network (CNN), back propagation algorithm (BP) and Long Short-Term memory neural network (LSTM) to learn various network security indicators to achieve a comprehensive assessment of the network. The experimental results show that the model can more easily and accurately evaluate the network security status, which is more accurate and flexible than the existing evaluation methods.

A Security Situation Assessment Method Based on Neural Network

The Internet of Things (IoT) technology, as an important part of a new generation of information technology, is beginning to be applied in more and more fields. However, due to the lack of basic security technology, the Internet of Things is facing a severe information security situation. Blockchain technology, as a new solution that can realize decentralized collaboration in an untrusted network, has a natural fit with IoT, which is inherently distributed. The performance of the blockchain largely depends on the consensus mechanism, but the current research rarely discusses IoT security from the perspective of the consensus mechanism. In this article, we comprehensively analyzed the impact of the consensus mechanism on IoT security. First, we briefly explained the blockchain technology. Next, we analyzed and discussed typical consensus mechanisms. Then, we proposed to classify current IoT security issues from three perspectives: data security, communication security, and application security. Next, we discussed the consensus mechanism of single-chain and multi-chain in IoT. Finally, we analyzed the problems of blockchain consensus in IoT security. In response to the security challenges of IoT, it is proposed to look forward to the optimization of consensus from three perspectives: the optimization of blockchain node evaluation, the optimization of blockchain architecture, and the optimization of blockchain storage. We hope to contribute to the future development and innovation of blockchain in IoT.

Hui Li

Papers

The Vulnerabilities in Smart Contracts: A Survey

A DAPP Business Data Storage Model Based on Blockchain and IPFS

SC-VDM: A Lightweight Smart Contract Vulnerability Detection Model

A Security Situation Assessment Method Based on Neural Network

Survey: Research on Blockchain Consensus Mechanism in IoT Security