Book Chapter

A Survey of Attacks on Ethereum Smart Contracts (SoK)

22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
Proceedings Article
10 Dec 2018
TL;DR: This tutorial presents the original Bitcoin design, along with Ethereum and Hyperledger, and reflects on their design choices through the academic lens, as well as providing an overview of potential applications and associated research challenges, and exploring the possible interplay between AI and blockchains.
Abstract: Known for powering cryptocurrencies such as Bitcoin and Ethereum, blockchain is seen as a disruptive technology capable of revolutionizing a wide variety of domains, ranging from finance to governance, by offering superior security, reliability, and transparency founded upon a decentralized and democratic computational model. In this tutorial, we first present the original Bitcoin design, along with Ethereum and Hyperledger, and reflect on their design choices through the academic lens. We further provide an overview of potential applications and associated research challenges, as well as a survey of ongoing research directions related to byzantine fault-tolerance consensus protocols. We highlight the new opportunities blockchain creates for building the next generation of secure middleware platforms and explore the possible interplay between AI and blockchains, or more specifically, how blockchain technology can enable the notion of "decentralized intelligence." We conclude with a walkthrough demonstrating the process of developing a decentralized application using a popular Smart Contract language (Solidity) over the Ethereum platform.

5 citations

Book Chapter
Rui Ma, Jian Zefeng, Chen Guangyuan, Ke Ma, Yujia Chen
24 Oct 2019
TL;DR: To reduce the high false rate of smart contract vulnerability detection, ReJection, a detection method based on abstract syntax tree (AST), is used, to focus on the reentrancy vulnerability with obvious harm and features in smart contracts.
Abstract: Blockchain is deeply integrated into the vertical industry, and gradually forms an application ecosphere of blockchain in various industries. However, the security incidents of blockchain occur frequently, and especially smart contracts have become the badly-disastered area. So avoiding security incidents caused by smart contracts has become an essential topic for blockchain developing. Up to now, there is not generic method for the security auditing of smart contracts and most researchers have to use existing vulnerability detection technology. To reduce the high false rate of smart contract vulnerability detection, we use ReJection, a detection method based on abstract syntax tree (AST), to focus on the reentrancy vulnerability with obvious harm and features in smart contracts. ReJection consists of four steps. Firstly, ReJection obtains the AST corresponding to the contract by the smart contract compiler solc. Then, AST is preprocessed to eliminate redundant information. Thirdly, ReJection traverses the nodes of the AST and records the notations related to reentrancy vulnerabilities during the traversal, such as Danger-Transfer function, Checks-Effects-Interactions pattern and mutex mechanism. Finally, ReJection uses record information and predefined rules to determine whether the reentrancy vulnerability is occurred. ReJection is implemented based on Slither, which is an open-source smart contract vulnerability detection tool. Furthermore, we also use the open-source smart contract code as the test program to compare experimental results to verify the effects with the ReJection and Slither. The result highlights that the ReJection has higher detection accuracy for reentrancy vulnerability.

5 citations

Journal Article
TL;DR: In this article, the authors present a comprehensive view of blockchain and its related concepts, and illustrate the integration of blockchain with IoT, cloud and social media and the related issues and challenges.
Abstract: Distributed Ledger Technology (DLT) driven blockchain is currently one of the most promising technology revolutions with enormous potential across a wide range of applications. Distributed ledger is essentially a distributed and encrypted database that can address several concerns pertaining to Internet security and trust with transparency. In fact, the scope of blockchain applications is broadening with each passing day. The exclusive features of safe and transparent data exchange provided by blockchain technology provide compelling arguments for its implementation in a variety of application scenarios. In this paper, we present the comprehensive view of blockchain and its related concepts. Though, there exists intensive research on these domains; however, these fields are still dealing with several security issues, data reliability and storage and scalability. Blockchain has emerged as a critical technology that can address these issues through its features like decentralization, transparency, immutability and auditability. Building trust in distributed systems without the need for authority is a technological advancement that can be well leveraged by domain, like, Internet of Things (IoT), cloud and social media. Technologies like IoT and Cloud computing can be perceived as the trivial ones to get benefitted from the blockchain. However, the integration of social media and blockchain can revolutionize the domains, like, content creating and sharing, fake news scourge, trademarking and rights management. In this paper, we illustrate the integration of blockchain with IoT, cloud and social media and the related issues and challenges. Moreover, we also show some of the major research works done in each domain.

5 citations

Book Chapter
15 Nov 2020
TL;DR: This paper performed several attack experiments to test methods of abusing smart contracts, including the remote execution of commands, and the stealing of large amounts of data, and demonstrated that APT attacks could be successfully executed on a blockchain platform.
Abstract: In this paper, we discuss methods of stealing data via advanced persistent threat (APT) attacks on blockchains. Blockchain technology is generally used for storing data and digital coins and counts more than 562 organizations among its users. Smart contracts, as a key part of blockchain technology, are used for blockchain programmability. APT attacks are usually launched by government-backed hackers to steal data. APT attacks build hidden Command and Control (C&C) channels to steal resources remotely. Smart contracts represent a vulnerability of blockchain technology to APT attacks because of their sandbox-style open execution environment. Therefore, we performed several attack experiments to test methods of abusing smart contracts, including the remote execution of commands, and the stealing of large amounts of data. These experiments demonstrated that APT attacks could be successfully executed on a blockchain platform. In the large-scale data-stealing experiments, we found that the transmission rate for a maximum target data size of 100 MB can reach 27.771 MB/s, faster than the average rate of approximately 100 kB/s of a three-layer network proxy. We also investigated APT attacks based on public APT events, which use hidden techniques to steal data as critical APT attack actions. We propose several attack algorithms that can be applied for APT attacks.

5 citations

Proceedings Article
24 Jun 2019
TL;DR: PORTHOS is presented, a macroprogramming framework and domain specific language for writing commitment-based smart contracts that span multiple blockchain systems that harmonises the features of different blockchain systems as well as enables communication across the smart contracts.
Abstract: The rise of blockchain technology has paved the way for an increasing number of blockchain systems, each having different characteristics. The need for distributed applications that span across multiple blockchain systems is increasing. However, it is currently not possible to write a single-description smart contract which can be compiled to span across multiple blockchain systems. In this paper we present PORTHOS, a macroprogramming framework and domain specific language for writing commitment-based smart contracts that span multiple blockchain systems. The language allows programmers to write smart contracts at a higher level of abstraction by composing together contract blocks, without the need to specify how logic should be split across different blockchain instances. A runtime framework, including both on-chain and off-chain functionality, harmonises the features of different blockchain systems as well as enables communication across the smart contracts. A proof of concept, built on the Ethereum and Hyperledger Fabric blockchain systems and extendible to other systems, illustrates the technique and framework. We also show how the PORTHOS language is expressive enough to define a variety of applications.

5 citations

References
Book
01 Jan 2002
TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.

2,964 citations

01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state. Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.

2,755 citations

Journal Article
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.

1,495 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.

1,258 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19,336 existing Ethereum contracts, Oyente flags 8,833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.

1,232 citations
