scispace - formally typeset
Search or ask a question
Book ChapterDOI

A Survey of Attacks on Ethereum Smart Contracts SoK

22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
More filters
Journal ArticleDOI
TL;DR: This work proposes an approach that combines balanced LDA (which ensures that the topics are balanced across a domain) with the reference architecture of a domain to capture and compare the popularity and impact of discussion topics across the Stack Exchange communities.
Abstract: Blockchain-related discussions have become increasingly prevalent in programming QA and LDA-derived topics are not linked to higher level domain-specific concepts. We propose an approach that combines balanced LDA (which ensures that the topics are balanced across a domain) with the reference architecture of a domain to capture and compare the popularity and impact of discussion topics across the Stack Exchange communities. Popularity measures the distribution of interest in discussions, and impact gauges the trend of popularity over time. We made a number of interesting observations, including: (1) Bitcoin, Ethereum, Hyperledger Fabric and Corda are the four most commonly-discussed blockchain platforms on the Stack Exchange communities. (2) A broad range of topics are discussed across the various platforms of distinct layers in our derived reference architecture. (3) The Application layer topics exhibit the highest popularity (33.2 percent) and fastest growth in topic impact since November 2015. (4) The Application, API, Consensus and Network layer topics are discussed across the studied blockchain platforms, but exhibit different distributions in popularity. (5) The impact of architectural layer topics exhibits an upward trend, but is growing at different speeds across the studied blockchain platforms. The breakdown of the topic impact across the architectural layers is relatively stable over time except for the Hyperledger Fabric platform. Based on our findings, we highlighted future directions and provided recommendations for practitioners and researchers.

28 citations


Cites background from "A Survey of Attacks on Ethereum Sma..."

  • ...[8] analyzed the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of vulnerabilities and attacks against Solidity, EVM, and blockchain....

    [...]

Journal ArticleDOI
TL;DR: This article critically evaluates the popular claims surrounding the potential of blockchain technologies to disrupt the legal system by separating hype from fact.
Abstract: When bitcoin was released by the mysterious Satoshi Nakamoto in 2008, few could have predicted that it would attract as much attention as it has today. It has spawned a veritable host of other cryptocurrencies, including ether on the upstart Ethereum network, which boasts smart contract functionality. The underlying blockchain technology has also attracted attention, with some within the blockchain community suggesting that it can solve such diverse problems as secured digital voting to tracking food provenance. In the legal context, blockchains have been envisaged as capable of revolutionising registries for assets ranging from land to intellectual property, modernising clearing and settlement, and even fundamentally transforming the contracting process. This article critically evaluates the popular claims surrounding the potential of blockchain technologies to disrupt the legal system by separating hype from fact.

27 citations

Journal ArticleDOI
01 Dec 2020
TL;DR: ABCDE as discussed by the authors is based on Scrum and is therefore iterative and incremental, where the requirement gathering with user stories, the iterative-incremental approach, the key roles, and the meetings.
Abstract: Blockchain software development is becoming more and more important for any modern software developer and IT startup. Nonetheless, blockchain software production still lacks a disciplined, organized and mature development process, as demonstrated by the many and (in)famous failures and frauds occurred in recent years. In this paper we present ABCDE, a complete method addressing blockchain software development. The method considers the software integration among the blockchain components—smart contracts, libraries, data structures—and the out-of-chain components, such as web or mobile applications, which all together constitute a complete DApp system. We advocate for ABCDE the use of agile practices, because these are suited to develop systems whose requirements are not completely understood since the beginning, or tend to change, as it is the case of most blockchain-based applications. ABCDE is based on Scrum, and is therefore iterative and incremental. From Scrum, we kept the requirement gathering with user stories, the iterative-incremental approach, the key roles, and the meetings. The main difference with Scrum is the separation of development activities in two flows—one for smart contracts and the other for out-of-chain software interacting with the blockchain—each performed iteratively, with integration activities every 2–3 iterations. ABCDE makes explicit the activities that must be performed to design, develop, test and integrate smart contracts and out-of-chain software, and documents the smart contracts using formal diagrams to help development, security assessment, and maintenance. A diagram derived from UML class diagram helps to effectively model the data structure of smart contracts, whereas the exchange of messages between the entities of the system is modeled using a modified UML sequence diagram. The proposed method has also specific activities for security assessment and gas optimization, through systematic use of patterns and checklists. ABCDE focuses on Ethereum blockchain and its Solidity language, but preserves generality and with proper modifications might be applied to any blockchain software project. ABCDE method is described in detail, and an example is given to show how to concretely implement the various development steps.

27 citations

Posted Content
TL;DR: Li et al. as discussed by the authors developed a more general framework of block-structured Markov processes in the queueing study of blockchain systems, which can provide analysis both for the stationary performance measures and for the sojourn times of any transaction and block.
Abstract: In this paper, we develop a more general framework of block-structured Markov processes in the queueing study of blockchain systems, which can provide analysis both for the stationary performance measures and for the sojourn times of any transaction and block. Note that an original aim of this paper is to generalize the two-stage batch-service queueing model studied in Li et al. \cite{Li:2018} both ``from exponential to phase-type" service times and ``from Poisson to MAP" transaction arrivals. In general, the MAP transaction arrivals and the two stages of PH service times make our blockchain queue more suitable to various practical conditions of blockchain systems with crucial random factors, for example, the mining processes, the block-generations, the blockchain-building and so forth. For such a more general blockchain queueing model, we focus on two basic research aspects: (1) By using the matrix-geometric solution, we first obtain a sufficient stable condition of the blockchain system. Then we provide simple expressions for the average number of transactions in the queueing waiting room, and the average number of transactions in the block. (2) However, comparing with Li et al. \cite{Li:2018}, analysis of the transaction-confirmation time becomes very difficult and challenging due to the complicated blockchain structure. To overcome the difficulties, we develop a computational technique of the first passage times by means of both the PH distributions of infinite sizes and the $RG$-factorizations. Finally, we hope that the methodology and results given in this paper will open a new avenue to queueing analysis of more general blockchain systems in practice, and can motivate a series of promising future research on development of lockchain technologies.

26 citations

Journal ArticleDOI
TL;DR: In this paper, the authors present the first general-purpose automated smart contract repair approach that is also gas-aware, where the repair method is search-based and searches among mutations of the buggy contract.
Abstract: Smart contracts are automated or self-enforcing contracts that can be used to exchange assets without having to place trust in third parties. Many commercial transactions use smart contracts due to their potential benefits in terms of secure peer-to-peer transactions independent of external parties. Experience shows that many commonly used smart contracts are vulnerable to serious malicious attacks, which may enable attackers to steal valuable assets of involving parties. There is, therefore, a need to apply analysis and automated repair techniques to detect and repair bugs in smart contracts before being deployed. In this work, we present the first general-purpose automated smart contract repair approach that is also gas-aware. Our repair method is search-based and searches among mutations of the buggy contract. Our method also considers the gas usage of the candidate patches by leveraging our novel notion of gas dominance relationship. We have made our smart contract repair tool SCRepair available open-source, for investigation by the wider community.

26 citations

References
More filters
Book
01 Jan 2002
TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.

2,964 citations

01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state. Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.

2,755 citations

Journal ArticleDOI
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.

1,495 citations

Proceedings ArticleDOI
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.

1,258 citations

Proceedings ArticleDOI
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.

1,232 citations

Trending Questions (1)
Why ethereum is important?

The provided paper does not explicitly mention why Ethereum is important.