Book Chapter

A Survey of Attacks on Ethereum Smart Contracts (SoK)

22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
Journal Article
Yang Lu
03 Sep 2018
TL;DR: The blockchain represents emerging technologies and future trends and the development of the blockchain is a revolution for the traditional social organization and mode of operation.
Abstract: The blockchain represents emerging technologies and future trends. For the traditional social organization and mode of operation, the development of the blockchain is a revolution. As a decentraliz

162 citations

Journal Article
TL;DR: This paper proposes a decentralized PoD solution for PoD of digital assets that leverages key features of blockchain and Ethereum smart contracts to provide immutable and tamper-proof logs, accountability, and traceability and leverages the benefits of interplanetary file system.
Abstract: There is an immense need of a proof of delivery (PoD) of today’s digital media and content, especially those that are subject to payment. Current PoD systems are mostly centralized and heavily dependent on a trusted third party (TTP) especially for payment. Such existing PoD systems often lack security, transparency, and visibility, and are not highly credible, as the TTP can be subject to failure, manipulation, corruption, compromise, and hacking. In this paper, we propose a decentralized PoD solution for PoD of digital assets. Our solution leverages key features of blockchain and Ethereum smart contracts to provide immutable and tamper-proof logs, accountability, and traceability. Ethereum smart contracts are used to orchestrate and govern all interactions and transactions including automatic payments in Ether cryptocurrency between customers, digital-content provider, and the file server hosting the digital content. All entities are incentivized to act honestly, and our solution has a mechanism to handle dispute if arisen among participants. The solution has an off-chain secure download phase involving the file server and customers. Moreover, our solution leverages the benefits of interplanetary file system to store the agreed upon terms and conditions between the smart contract actors. A security analysis of our proposed system has been provided. The full code of the smart contract has been publicly made available on Github.

157 citations


Cites background from "A Survey of Attacks on Ethereum Sma..."

  • ...especially critical to safeguard a smart contract code against any vulnerabilities, risks and attacks as a smart contract deals directly with assets of high value [19]....


Proceedings Article
Rami Khalil, Arthur Gervais
30 Oct 2017
TL;DR: The first solution that allows an arbitrary set of users in a payment channel network to securely rebalance their channels, according to the preferences of the channel owners is presented, and it is shown that an honest participant cannot lose any of its funds while rebalancing.
Abstract: Scaling the transaction throughput of decentralized blockchain ledgers such as Bitcoin and Ethereum has been an ongoing challenge. Two-party duplex payment channels have been designed and used as building blocks to construct linked payment networks, which allow atomic and trust-free payments between parties without exhausting the resources of the blockchain. Once a payment channel, however, is depleted (e.g., because transactions were mostly unidirectional) the channel would need to be closed and re-funded to allow for new transactions. Users are envisioned to entertain multiple payment channels with different entities, and as such, instead of refunding a channel (which incurs costly on-chain transactions), a user should be able to leverage his existing channels to rebalance a poorly funded channel. To the best of our knowledge, we present the first solution that allows an arbitrary set of users in a payment channel network to securely rebalance their channels, according to the preferences of the channel owners. Except in the case of disputes (similar to conventional payment channels), our solution does not require on-chain transactions and therefore increases the scalability of existing blockchains. In our security analysis, we show that an honest participant cannot lose any of its funds while rebalancing. We finally provide a proof of concept implementation and evaluation for the Ethereum network.

156 citations


Cites background from "A Survey of Attacks on Ethereum Sma..."

  • ...With the emergence of smart contracts and more expressive transaction languages, it was shown that smart contracts have severe security vulnerabilities [29]....


Journal Article
TL;DR: The DAO experiment failed shortly after inception as an anonymous hacker stole over $50M USD worth of Ethers out of $168M invested as discussed by the authors, and the Ethereum community voted to return (or fork) the state of the network to one prior to the hack, returning Ethers back to investors and shuttering The DAO.
Abstract: In spring 2016, The Distributed Autonomous Organization (The DAO) was created on Ethereum. As with Bitcoin, Ethereum uses a P2P network, where distributed ledgers are implemented as daisy-chained blocks of data. Ethereum’s native cryptocurrency, Ethers, are spent to execute pieces of code called smart contracts. Investors paid their Ethers for The DAO to operate, and received the opportunity to vote on and become investors in venture projects proposed by Ethereum-based startups. Transactions and settlements between investors and startups executed autonomously. The DAO experiment failed shortly after inception as an anonymous hacker stole over $50M USD worth of Ethers out of $168M invested. The Ethereum community voted to return (or fork) the state of the network to one prior to the hack, returning Ethers back to investors and shuttering The DAO. However, this action arguably represented a bailout—ironically, Bitcoin was conceived as a reaction against the 2008 bailout of US banks—and violated the ledger immutability and “code is law” ethos of the blockchain community.

153 citations

Journal Article
TL;DR: Various Artificial Intelligence (AI) techniques and tools for SC privacy protection are investigated and a case study of retail marketing is presented, which uses AI and SC to preserve its security and privacy.
Abstract: Applications of Blockchain (BC) technology and Cyber-Physical Systems (CPS) are increasing exponentially. However, framing resilient and correct smart contracts (SCs) for these smart applications is quite a challenging task because of the complexity associated with them. SC is modernizing the traditional industrial, technical, and business processes. It is self-executable, self-verifiable, and embedded into the BC that eliminates the need for trusted third-party systems, which ultimately saves administration as well as service costs. It also improves system efficiency and reduces the associated security risks. However, SCs are well encouraging the new technological reforms in Industry 4.0, but still, various security and privacy challenges need to be addressed. In this paper, a survey on SC security vulnerabilities in the software code that can be easily hacked by a malicious user or may compromise the entire BC network is presented. As per the literature, the challenges related to SC security and privacy are not explored much by the authors around the world. From the existing proposals, it has been observed that designing complex SCs cannot mitigate its privacy and security issues. So, this paper investigates various Artificial Intelligence (AI) techniques and tools for SC privacy protection. Then, open issues and challenges for AI-based SC are analyzed. Finally, a case study of retail marketing is presented, which uses AI and SC to preserve its security and privacy.

151 citations

References
Book
01 Jan 2002
TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.

2,964 citations

01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state. Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.

2,755 citations

Journal Article
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.

1,495 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.

1,258 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19,336 existing Ethereum contracts, Oyente flags 8,833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.

1,232 citations
