Book Chapter

A Survey of Attacks on Ethereum Smart Contracts (SoK)

22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
Book Chapter
01 Jan 2021
TL;DR: A state-of-the-art survey on the integration of blockchain with 5G networks and beyond, exploring and analysing the opportunities that blockchain potentially empowers important 5G services, ranging from spectrum management, data sharing, network virtualization, resource management to interference management, federated learning, privacy and security provision.
Abstract: The fifth generation (5G) wireless networks are on the way to be deployed around the world. The 5G technologies target to support diverse vertical applications by connecting heterogeneous devices and machines with drastic improvements in terms of high quality of service, increased network capacity and enhanced system throughput. However, 5G systems still remain a number of security challenges that have been mentioned by researchers and organizations, including decentralization, transparency, risks of data interoperability, and network privacy vulnerabilities. Furthermore, the conventional techniques may not be sufficient to deal with the security requirements of 5G. As 5G is generally deployed in heterogeneous networks with massive ubiquitous devices, it is quite necessary to provide secure and decentralized solutions. Motivated from these facts, in this paper we provide a state-of-the-art survey on the integration of blockchain with 5G networks and beyond. In this detailed survey, our primary focus is on the extensive discussions on the potential of blockchain for enabling key 5G technologies, including cloud computing, edge computing, Network Function Virtualization, Network Slicing, and D2D communications. We then explore and analyse the opportunities that blockchain potentially empowers important 5G services, ranging from spectrum management, data sharing, network virtualization, resource management to interference management, federated learning, privacy and security provision. The recent advances in the applications of blockchain in 5G Internet of Things are also surveyed in a wide range of popular use-case domains, such as smart healthcare, smart city, smart transportation, smart grid and UAVs. The main findings derived from the comprehensive survey on the cooperated blockchain-5G networks and services are then summarized, and possible research challenges with open issues are also identified. 
Lastly, we complete this survey by shedding new light on future directions of research on this newly emerging area.

3 citations

Journal Article
TL;DR: In this article, a comprehensive survey on Verification and Validation (V&V) solutions for blockchain-based software applications (BC-Apps) is presented, which synthesizes V&V tools and techniques addressing different components at various layers of the BC-App stack, as well as across the whole stack.

3 citations

Journal Article
TL;DR: Wang et al. as discussed by the authors proposed a selective mechanism for self-protecting against the approach from crimes or computer viruses on blockchain, whether the disclosure of user's privacy occurs or not.
Abstract: In recent years, blockchain is utilized practically as a distributed secure digital ledger of some sorts of transactions. Blockchain is regarded as one of the most important next generation infrastructure technologies of the financial industry, as well as artificial intelligence and big data. In 2020, cryptocurrencies based on blockchain, such as Bitcoin, Ethereum, or XRP, have a value of more than $450 billion in the market capitalization. Furthermore, on blockchains such as Ethereum, transactions can also represent automatic executions of programs, which are called smart contracts. Thus, many institutes in various categories show their positive attitude toward processing financial transactions or non-financial contracts on blockchain. Although many researchers have studied for various types of issues on blockchain, there always exist security and privacy concerns for blockchain. In this paper, we point out a new concern for abusing the publicity of blockchain and also show the possibility of suspicions aroused by the concern. Then we propose a selective mechanism for self-protecting against the approach from crimes or computer viruses on blockchain, whether the disclosure of user’s privacy occurs or not. Next, we also propose a concrete implementation of our proposed selective mechanism with two new address types. We aim to incorporate the mechanism in Bitcoin Core, which is the official Bitcoin client software, and using libbitcoin library functions for Bitcoin software development. We show experimental results to estimate overhead costs for processing our proposed address types toward processing the current standard address type in nodes on the peer-to-peer network.

3 citations

Journal Article
TL;DR: Wang et al. as discussed by the authors presented an efficient blockchain-assisted conditional anonymity privacy-preserving public auditing (BA-CAPPPA) scheme with reward mechanism, where the Ethereum blockchain is integrated into BA-CAPPPA to enhance the security level.
Abstract: In real-world scenarios, in order to encourage one to report others crimes, judicial department usually rents independent cloud storage spaces to receive the precious evidences from whistleblowers. Since the uploaded data are not controlled by cloud users, remote data integrity is very important. Public cloud auditing enables an auditor to periodically check the integrity of outsourcing data on behalf of users, without retrieving the entire data file. However, most existing data auditing schemes have potential security vulnerabilities, and thus cannot defense many security attacks (e.g., the man-in-the-middle attack). Meanwhile, it is significant to protect whistleblower’s identity privacy, reward the real data uploader, and further trace the responsibility of slanders accurately. From the aforementioned requirements, we present an efficient blockchain-assisted conditional anonymity privacy-preserving public auditing (BA-CAPPPA) scheme with reward mechanism. The Ethereum blockchain is integrated into BA-CAPPPA to enhance the security level of the whole public auditing mechanism. Theoretical analysis results show that the BA-CAPPPA achieves man-in-the-middle attack resistance, storage correctness guarantee, data privacy-preservation, conditional identity anonymity, and reward mechanism. Performance evaluations and comparisons demonstrate that BA-CAPPPA could outperform some state-of-the-art data auditing schemes.

3 citations

Posted Content
TL;DR: This paper analyzes the unique characteristics of the Ethereum smart contract program model as compared to the conventional program model and proposes the notions of whole transaction basis path set and bounded transaction interaction to capture essential control flow behaviors of smart contracts.
Abstract: The widespread recognition of the smart contracts has established their importance in the landscape of next generation blockchain technology. However, writing a correct smart contract is notoriously difficult. Moreover, once a state-changing transaction is confirmed by the network, the result is immutable. For this reason, it is crucial to perform a thorough testing of a smart contract application before its deployment. This paper's focus is on the test coverage criteria for smart contracts, which are objective rules that measure test quality. We analyze the unique characteristics of the Ethereum smart contract program model as compared to the conventional program model. To capture essential control flow behaviors of smart contracts, we propose the notions of whole transaction basis path set and bounded transaction interaction. The former is a limited set of linearly independent inter-procedural paths from which the potentially infinite paths of Ethereum transactions can be constructed by linear combination, while the latter is the permutations of transactions within a certain bound. Based on these two notions, we define a family of path-based test coverage criteria. Algorithms are given to the generation of coverage requirements. A case study is conducted to compare the effectiveness of the proposed test coverage criteria with random testing and statement coverage testing.

3 citations


Cites background from "A Survey of Attacks on Ethereum Sma..."

  • ...For example, there have been a plenty of well-documented attacks on the Ethereum smart contracts [7]: The reentrancy attack managed to steal tokens valued $60M from a contract and ultimately led to the hard-fork that created Ethereum Classic (ETC) [8]....

    [...]

  • ...Examples include re-entrancy, unchecked send, arithmetic overflow, and dangerous delegatecall [7]....

    [...]

References
Book
01 Jan 2002
TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.

2,964 citations

01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state. Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.

2,755 citations

Journal Article
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.

1,495 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.

1,258 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19,336 existing Ethereum contracts, Oyente flags 8,833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.

1,232 citations
