A Survey of Attacks on Ethereum Smart Contracts SoK
22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
More filters
TL;DR: Wang et al. as mentioned in this paper proposed a function-level dynamic monitoring and analysis method for smart contracts, and implemented a prototype system. But the implementation of the prototype system was limited to a single smart contract.
Abstract: The close integration of blockchain and smart contract technology has become an important foundation for current trusted applications. High-quality, high-efficiency and high-security codes have become basic requirements for smart contract applications because they are not easy to be modified after being deployed on blockchain. This paper proposes a function-level dynamic monitoring and analysis method for smart contract, and implements a prototype system. The method adds a “shadow stack” and related data structures to virtual machine of testing blockchain platform by analyzing the principle of function management with original stack, then monitors the bytecode after code instrumentation, records the function calling relationships as well as the relevant metrics of time, instruction number and gas consumption. The prototype system identifies contract inefficient behaviors using visualization and intelligent analysis methods, then forms a smart contract optimization closed loop through iterative improvement. Finally, the paper verified the high feasibility and applicability of the monitoring and analyzing method as well as prototype system’s performance through experiments.
4 citations
TL;DR: This paper organizes many attacks that byzantine users may apply to take advantage of the loyal users of a system to ensure security in a distributed setting.
Abstract: The objective of any security system is the capacity to keep a secret. It is vital to keep the data secret when it is stored as well as when it is sent over a network. Nowadays, many people utilize the internet to access various resources, and several businesses employ a dispersed environment to give services to their users. As a result, a more secure distributed environment is required, in which all transactions and processes can be effectively completed safely. It is critical in a distributed system environment to deliver reliable services to users at any time and from any place. As an example of a distributed system, Blockchain is a unique distributed system that has confronted lots of attacks despite its security mechanism. Security is a top priority in a distributed setting. This paper organizes many attacks that byzantine users may apply to take advantage of the loyal users of a system. A wide range of previous articles dealt considered diverse types of attacks. However, we could not find a well-organized document that helps scientists consider different attacking aspects while designing a new distributed system. A hundred various kinds of most essential attacks are categorized and summarized in this article.
4 citations
4 citations
02 May 2022
TL;DR: Wang et al. as mentioned in this paper designed a GRU network with attention mechanism learning from the N-gram bytecode patterns to determine whether a smart contract is fraudulent or not, which can provide a unified solution to different scam genres, thus relieving the need for code analysis skills.
Abstract: Smart contract is the building block of blockchain systems that enables automated peer-to-peer transactions and decentralized services. With the increasing popularity of smart contracts, blockchain systems, in particular Ethereum, have been the “paradise” of versatile fraud activities. In this work, we present SCSGuard, a novel deep learning scam detection framework that harnesses the automatically extractable bytecodes of smart contracts as their new features. We design a GRU network with attention mechanism learning from the N-gram bytecode patterns to determine whether a smart contract is fraudulent or not. Our framework is advantageous over the baseline algorithms in three aspects. Firstly, SCSGuard provides a unified solution to different scam genres, thus relieving the need for code analysis skills. Secondly, the inference of SCSGuard is faster than the code analysis by several orders of magnitudes. Thirdly, experimental results manifest that SCSGuard achieves high accuracy (0.92~0.94), precision (0.94~0.96) and recall (0.97~0.98) for both Ponzi and Honeypot scams under similar settings, and is potentially useful to detect new Phishing smart contracts.
4 citations
06 Aug 2020
TL;DR: Wang et al. as discussed by the authors proposed a model that effectively detects smart Ponzi scheme in its full lifecycle using features based on operation codes (i.e., opcodes) of smart contract on Ethereum.
Abstract: Blockchain is becoming an important infrastructure of the next generation of information technology. But now, the fraud on blockchain is serious which has affected the development of blockchain ecology. Smart Ponzi scheme which realized by smart contract is a new type of Ponzi scheme and running on Ethereum. It would cause more serious damage to society in less time than other Ponzi schemes. Timely and comprehensive detection of all smart Ponzi schemes is the key to constructed an automatic detection model of smart Ponzi scheme. A model that effectively detect smart Ponzi scheme in its full lifecycle is proposed in this paper. The model only uses features based on operation codes (i.e., opcodes) of smart contract on Ethereum. The systematic modeling strategy realizes the efficient automatic detection model of smart Ponzi scheme step by step. Precision, Recall and F1-score of the model are 0.98, 0.93 and 0.95 respectively by experiments. Smart Ponzi schemes hidden on Ethereum are detected effectively by the model. More importantly, the performance of model is guaranteed at any moment in the lifecycle, even at the birth of a smart Ponzi scheme.
4 citations
References
More filters
Book•
01 Jan 2002TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.
2,964 citations
01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its
utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state.
Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.
2,755 citations
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.
1,495 citations
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.
1,258 citations
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.
1,232 citations