Book Chapter

A Survey of Attacks on Ethereum Smart Contracts (SoK)

22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
Journal Article
TL;DR: In this paper, the authors systematically review 152 articles in the burgeoning academic literature on blockchain and its applications and synthesize the findings from five parallel lines of enquiry for scholars: computer science, economics, entrepreneurship, and law and governance.
Abstract: Blockchain, a decentralized validation protocol in which no one individual entity completely controls the process or information, is labeled both a “techno tour de force” and a “fraud.” Austrian School researchers view the blockchain application Bitcoin as an ideal example of currency decentralization while ethics scholars fret about this very lack of control. Given the significant importance of the future of blockchain technology to a range of disciplines and the fragmented knowledge base with little cross-disciplinary integration to fields such as computer science and law, we begin by offering a nontechnical explanation of the basics of blockchain and its applications such as smart contracts, cryptocurrencies, tokens, and initial coin offerings. We systematically review 152 articles in the burgeoning academic literature on blockchain and its applications and synthesize the findings from five parallel lines of enquiry for scholars: computer science, economics, entrepreneurship, and law and governance. Finally, we outline a comprehensive research agenda for scholars of regulation policy and governance, entrepreneurship and sustainability, organization design and theory, and consumer behavior, highlighting promising phenomenon, methodologies, data, and theories. We aim to simplify and explain blockchain for what it is—a valuable tool that is revolutionary, transformational, and critical for scholars to understand and investigate.

64 citations

Posted Content
TL;DR: This paper formalizes semantic conformance of smart contracts against a state machine model with access-control policy and develops a highly-automated formal verifier for Solidity that can produce proofs as well as counterexamples.
Abstract: Ensuring correctness of smart contracts is paramount to ensuring trust in blockchain-based systems. This paper studies the safety and security of smart contracts in the Azure Blockchain Workbench, an enterprise Blockchain-as-a-Service offering from Microsoft. As part of this study, we formalize semantic conformance of smart contracts against a state machine model with access-control policy and develop a highly-automated formal verifier for Solidity that can produce proofs as well as counterexamples. We have applied our verifier VeriSol to analyze all contracts shipped with the Azure Blockchain Workbench, which includes application samples as well as a governance contract for Proof of Authority (PoA). We have found previously unknown bugs in these published smart contracts. After fixing these bugs, VeriSol was able to successfully perform full verification for all of these contracts.

63 citations


Cites background from "A Survey of Attacks on Ethereum Sma..."

  • ...Finally, there are several works that discuss a survey and taxonomy of vulnerabilities in smart contracts [13], [26], [28]....

Proceedings Article
TL;DR: In this article, a Monte Carlo simulation is used to quantify the effect of uncle blocks both to the profitability of selfish mining and the blockchain's security in Ethereum (ETH) and a brief outlook about a recent Ethereum Classic (ETC) improvement proposal that weighs uncle blocks during the selection of the main chain is given.
Abstract: Many of today's crypto currencies use blockchains as decentralized ledgers and secure them with proof of work. In case of a fork of the chain, Bitcoin's rule for achieving consensus is selecting the longest chain and discarding the other chain as stale. It has been demonstrated that this consensus rule has a weakness against selfish mining in which the selfish miner exploits the variance in block generation by partially withholding blocks. In Ethereum, however, under certain conditions stale blocks don't have to be discarded but can be referenced from the main chain as uncle blocks yielding a partial reward. This concept limits the impact of network delays on the expected revenue for miners. But the concept also reduces the risk for a selfish miner to gain no rewards from withholding a freshly minted block. This paper uses a Monte Carlo simulation to quantify the effect of uncle blocks both to the profitability of selfish mining and the blockchain's security in Ethereum (ETH). A brief outlook about a recent Ethereum Classic (ETC) improvement proposal that weighs uncle blocks during the selection of the main chain will be given.

63 citations

Journal Article
03 Jan 2019
TL;DR: This work proposes the adoption of some well-known OO metrics for Solidity smart contracts, and analyzes more than 40 thousand Solidity source files to suggest that smart contract programs are short, neither overly complex nor coupled too much, do not rely heavily on inheritance, and either quite well-commented or not commented at all.
Abstract: Blockchain-based decentralized cryptocurrency platforms are currently one of the hottest topics in technology. Although most of the interest is generated by cryptocurrency related activities, it is becoming apparent that a much wider spectrum of applications can leverage the blockchain technology. The primary concepts enabling such general use of the blockchain are the so-called smart contracts, which are special programs that run on the blockchain. One of the most popular blockchain platforms that supports smart contracts is Ethereum. As smart contracts typically handle money, ensuring their low number of faults and vulnerabilities are essential. To aid smart contract developers and help to mature the technology, we need analysis tools and studies for smart contracts. As an initiative for this, we propose the adoption of some well-known OO metrics for Solidity smart contracts. Furthermore, we analyze more than 40 thousand Solidity source files with our prototype tool. The results suggest that smart contract programs are short, neither overly complex nor coupled too much, do not rely heavily on inheritance, and either quite well-commented or not commented at all. Moreover, smart contracts could benefit from an external library and dependency management mechanism, as more than 85% of the defined libraries in Solidity files code the same functionalities.

61 citations

Journal Article
TL;DR: This survey is conducted to identify the significant technical aspects of blockchain-based smart contracts with the associated future research directions.
Abstract: The industrial and computing research context revolutionized in various directions during the last decades. The blockchain-based smart contract embraced as a significant research interest due to its distinguishing features such as decentralized storage of transactions, autonomous execution of contract codes, and decentralized establishment of the trust. Blockchain-based smart contracts can transform the working architecture of almost all industries towards elevated service standards. The use cases of blockchain based smart contracts range from industrial applications such as cryptocurrency systems towards logistics, agriculture, real estate, energy trading and so forth. The decentralization concept of blockchain is one of the biggest leaps in technology research since future computing got a super momentum towards the Internet of Things (IoT) and edge computing. A plethora of research is in progress to investigate the opportunities for the applicability of smart contracts and blockchain technologies to various industries. It is important to identify the technical aspects of blockchain-based smart contracts to further improve and sharpen the capabilities which they already owed. This survey is conducted to identify the significant technical aspects of blockchain-based smart contracts with the associated future research directions.

61 citations


Cites background from "A Survey of Attacks on Ethereum Sma..."

  • ...[109] analyzed the vulnerabilities of Ethereum, which is popular in the industry....

References
Book
01 Jan 2002
TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.

2,964 citations

01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state. Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.

2,755 citations

Journal Article
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.

1,495 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.

1,258 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19,336 existing Ethereum contracts, Oyente flags 8,833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.

1,232 citations
