A Survey of Attacks on Ethereum Smart Contracts SoK
22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
More filters
25 Jun 2018
TL;DR: The objective of this paper is to give a comprehensive analysis of domain-specific programming practices from critical points of usability and security to provide a working guideline for newcomers and researchers.
Abstract: Blockchain is a promising infrastructural technology that is finding its way into a growing number of domains like big data, finance, and medical. While blockchain has come to be thought of primarily as the foundation for Bitcoin, it has evolved far beyond underpinning the virtual currency. As it becomes progressively popular, the need for effective programming means would be more demanding. Blockchain programming as a core means provides accounts of the ‘code is law’ that specifies agreements between parties and allows its stakeholders to still trust the platform to execute the agreed-upon contract (known as smart contract) as expected. Although it seems straightforward in theory, it is hardly the case when it comes to real-life situations. There have been several instances that show smart contracts are riddled with issues and vulnerabilities in code, causing damages. What’s for sure is lacking is that the existing languages are not living up to the point to be able to unleash the full potential of the blockchain, as often have resulted in buggy code with a steep learning curve for developers. This denotes that the current research on contract development is not sufficient and is still in a stage of infancy. In order to advance the state of the research in this area, an evaluation of the current state-of-the-art practices in a thorough and experimental manner is required. Thus, the objective of this paper is to give a comprehensive analysis of such domain-specific programming practices from critical points of usability and security to provide a working guideline for newcomers and researchers.
123 citations
Posted Content•
TL;DR: In this article, a comprehensive survey of Ponzi schemes on Ethereum is presented, analysing their behavior and their impact from various viewpoints, and the authors present a comprehensive analysis of their impact on smart contracts.
Abstract: Ponzi schemes are financial frauds which lure users under the promise of high profits. Actually, users are repaid only with the investments of new users joining the scheme: consequently, a Ponzi scheme implodes soon after users stop joining it. Originated in the offline world 150 years ago, Ponzi schemes have since then migrated to the digital world, approaching first the Web, and more recently hanging over cryptocurrencies like Bitcoin. Smart contract platforms like Ethereum have provided a new opportunity for scammers, who have now the possibility of creating "trustworthy" frauds that still make users lose money, but at least are guaranteed to execute "correctly". We present a comprehensive survey of Ponzi schemes on Ethereum, analysing their behaviour and their impact from various viewpoints.
121 citations
10 May 2021
TL;DR: In this paper, the authors provide a vision on 6G security and security key performance indicators with the tentative threat landscape based on the foreseen 6G network architecture, and discuss the security and privacy challenges that may encounter with the available 6G requirements and potential 6G applications.
Abstract: Although the fifth generation (5G) wireless networks are yet to be fully investigated, the visionaries of the 6th generation (6G) echo systems have already come into the discussion. Therefore, in order to consolidate and solidify the security and privacy in 6G networks, we survey how security may impact the envisioned 6G wireless systems, possible challenges with different 6G technologies, and the potential solutions. We provide our vision on 6G security and security key performance indicators (KPIs) with the tentative threat landscape based on the foreseen 6G network architecture. Moreover, we discuss the security and privacy challenges that may encounter with the available 6G requirements and potential 6G applications. We also give the reader some insights into the standardization efforts and research-level projects relevant to 6G security. In particular, we discuss the security considerations with 6G enabling technologies such as distributed ledger technology (DLT), physical layer security, distributed AI/ML, visible light communication (VLC), THz, and quantum computing. All in all, this work intends to provide enlightening guidance for the subsequent research of 6G security and privacy at this initial phase of vision towards reality.
118 citations
Posted Content•
07 May 2018
TL;DR: This survey is motivated by the lack of a comprehensive literature review on the development of decentralized consensus mechanisms in blockchain networks and provides a comprehensive survey on the emerging applications of the blockchain networks in a wide range of areas.
Abstract: The past decade has witnessed the rapid evolution in blockchain technologies, which has attracted tremendous interests from both the research communities and the industry. The blockchain network was originated in the Internet finical sector as a decentralized, immutable ledger system for transactional data ordering. Nowadays, it is envisioned as a powerful backbone/framework for decentralized data processing and data-driven self-organization in flat, open-access networks. In particular, the plausible characteristics of decentralization, immutability and self-organization are primarily owing to the unique decentralized consensus mechanisms introduced by blockchain networks. This survey is motivated by the lack of a comprehensive literature review on the development of decentralized consensus mechanisms in blockchain networks. In this survey, we provide a systematic vision of the organization of blockchain networks. By emphasizing the unique characteristics of incentivized consensus in blockchain networks, our in-depth review of the state-of-the-art consensus protocols is focused on both the perspective of distributed consensus system design and the perspective of incentive mechanism design. From a game-theoretic point of view, we also provide a thorough review on the strategy adoption for self-organization by the individual nodes in the blockchain backbone networks. Consequently, we provide a comprehensive survey on the emerging applications of the blockchain networks in a wide range of areas. We highlight our special interest in how the consensus mechanisms impact these applications. Finally, we discuss several open issues in the protocol design for blockchain consensus and the related potential research directions.
118 citations
Cites background from "A Survey of Attacks on Ethereum Sma..."
...In [22], [23], the special issues regarding the design, application and security of the smart contracts are reviewed in the scope of the Ethereum network....
[...]
08 Nov 2018
TL;DR: The prosperity of Bitcoin has given rise to widespread attention and in-depth research on blockchains, and the blockchain provides the fundamental technology for the decentralization, openness, and security of the network.
Abstract: The prosperity of Bitcoin has given rise to widespread attention and in-depth research on blockchains. The blockchain provides the fundamental technology for the decentralization, openness, securit...
115 citations
References
More filters
Book•
01 Jan 2002TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.
2,964 citations
01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its
utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state.
Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.
2,755 citations
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.
1,495 citations
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.
1,258 citations
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.
1,232 citations