A Survey of Attacks on Ethereum Smart Contracts SoK
22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
More filters
••
19 Jul 2021TL;DR: This survey considered 15 security vulnerabilities in smart contracts and introduced the vulnerable areas and the causes of vulnerabilities, and found that a new attack cannot be detected by existing detection tools if the vulnerability without pre-defined is found.
Abstract: Blockchain has attracted widespread attention since its inception and one of the special technologies is smart contracts. Smart contracts are programs on blockchain that act as trusted intermediary between the users and are widely used in variety of industry (e.g., IoT, supply chain management). Smart contracts can store or manipulate valuable assets which may cause huge economic losses. Unlike traditional computer programs, the code of a smart contract cannot be modified after it is deployed on the blockchain. Hence, the security analysis and vulnerability detection of the smart contract must be performed before its deployment. In this survey, we considered 15 security vulnerabilities in smart contracts and introduced the vulnerable areas and the causes of vulnerabilities. According to the methods used, we introduced the existing smart contract analysis methods and vulnerability detection tools from three aspects of static analysis, dynamic analysis and formal verification. Finally, by considering the analysis tools and security vulnerabilities, we found that a new attack cannot be detected by existing detection tools if the vulnerability without pre-defined. We recommend using machine learning methods to analyze smart contracts in combination with traditional program vulnerabilities, and find vulnerabilities that have not yet been discovered in smart contracts. In addition, many detection tools require too much resources or are too complex, so it is necessary to introduce new detection methods.
11 citations
••
01 Nov 2018TL;DR: This paper focuses on presenting an overview of blockchain technology, highlighting its advantages, limitations and areas of application and the perspective of integrating this technology into secured systems models for the authors' comfort and their private life.
Abstract: With the increasing number of connected devices and the number of online transactions today, managing all these transactions and devices and maintaining network security is a research issue. Current solutions are mainly based on cloud computing infrastructures, which require servers high-end and broadband networks to provide data storage and computing services. These solutions have a number of significant disadvantages, such as high maintenance costs of centralized servers, critical weakness of Internet Of Things applications, security and trust issues, etc. The blockchain is seen as a promising technique for addressing the mentioned security issues and design new decentralization frameworks. However, this new technology has a great potential in the most diverse technological fields. In this paper, we focus on presenting an overview of blockchain technology, highlighting its advantages, limitations and areas of application.The originality of this work resides in the comparison between the different blockchain systems and their security schemes and the perspective of integrating this technology into secured systems models for our comfort and our private life.
11 citations
Cites background from "A Survey of Attacks on Ethereum Sma..."
...It is the fact of exploiting a recursive sending for example the biggest flight about 60 million US dollar of the contract CAO by this attack just after its deployment of 20 days [17]....
[...]
••
01 Jan 2020TL;DR: An evaluation framework to assess smart contracts has been proposed and it has been used to empirically evaluate some of the most prominent smart contract platforms and shown that the Ethereum blockchain smart contract exceeds the others in terms of development tools, resources, and community support.
Abstract: One of the building blocks of our legal and economic systems in society is the indispensable reliance on contracts and trust systems to protect individual rights. Recently smart contracts are becoming prominent parts of various blockchain platforms. The goal of smart contracts is to eliminate the third party and centralized trust systems. Due to recent emergence of smart contracts, there is no well-defined framework that researchers can use to evaluate smart contracts under various blockchain platforms and differentiate between them. In this work, a survey on the prominent smart contract landscape specially those based on blockchain have been conducted. Based on the survey, an evaluation framework to assess smart contracts has been proposed. The framework is a set of criteria based on two major aspects; infrastructure related and development related criteria. The evaluation framework was peer-reviewed for reliability and validity. To measure the applicability of the proposed framework, it has been used to empirically evaluate some of the most prominent smart contract platforms. The results of the empirical evaluation have shown that the Ethereum blockchain smart contract exceeds the others in terms of development tools, resources, and community support. EOS blockchain smart contracts have the best execution speeds, and transaction costs. Lastly, Stellar blockchain has predictability and the best transaction builder to use in smart contract development concerning user friendliness. Recommendations for smart contract developers are provided in light of the research.
11 citations
••
TL;DR: In this paper, the pros and cons of using Ethereum MainNet, the public Ethereum blockchain, as a Coordination Blockchain are analyzed within the context of Ethereum Private Sidechains, a private blockchain technology which allows many blockchains to be operated in parallel, and allows atomic crosschain transactions to execute across blockchains.
Abstract: A Coordination Blockchain is a blockchain that coordinates activities of multiple private blockchains. This paper discusses the pros and cons of using Ethereum MainNet, the public Ethereum blockchain, as a Coordination Blockchain. The requirements Ethereum MainNet needs to fulfil to perform this role are analyzed within the context of Ethereum Private Sidechains, a private blockchain technology which allows many blockchains to be operated in parallel, and allows atomic crosschain transactions to execute across blockchains. We found that Ethereum MainNet is best suited to storing long-term static data that need to be widely available, such as the Ethereum Registration Authority information. However, due to Ethereum MainNet’s probabilistic finality, it is not well suited to information that needs to be available and acted upon immediately, such as the Sidechain Public Keys and Atomic Crosschain Transaction state information that need to be accessible prior to the first atomic crosschain transaction being issued on a sidechain. Although this paper examined the use of Ethereum MainNet as a Coordination Blockchain within reference to Ethereum Private Sidechains, the discussions and observations of the typical tasks a Coordination Blockchain may be expected to perform are applicable more widely to any multi-blockchain system.
11 citations
••
TL;DR: This paper aims at structuring this field of knowledge by providing introductions to network slicing and blockchain technologies through a global architecture that aggregates the various proposals into a coherent whole while showing the motivation behind applying Blockchain and smart contracts to network sliced.
Abstract: Network slicing is one of the fundamental tenets of Fifth Generation (5G)/Sixth Generation (6G) networks. Deploying slices requires end-to-end (E2E) control of services and the underlying resources in a network substrate featuring an increasing number of stakeholders. Beyond the technical difficulties this entails, there is a long list of administrative negotiations among parties that do not necessarily trust each other, which often requires costly manual processes, including the legal construction of neutral entities. In this context, Blockchain comes to the rescue by bringing its decentralized yet immutable and auditable lemdger, which has a high potential in the telco arena. In this sense, it may help to automate some of the above costly processes. There have been some proposals in this direction that are applied to various problems among different stakeholders. This paper aims at structuring this field of knowledge by, first, providing introductions to network slicing and blockchain technologies. Then, state-of-the-art is presented through a global architecture that aggregates the various proposals into a coherent whole while showing the motivation behind applying Blockchain and smart contracts to network slicing. And finally, some limitations of current work, future challenges and research directions are also presented.
11 citations
References
More filters
•
01 Jan 2002TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.
2,964 citations
01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its
utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state.
Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.
2,755 citations
••
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.
1,495 citations
••
24 Oct 2016TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.
1,258 citations
••
24 Oct 2016TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.
1,232 citations