A Survey of Attacks on Ethereum Smart Contracts SoK
22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
More filters
TL;DR: The result indicates that the proposed model not only has diversified functions of copyright management compared with previous studies on the blockchain-based digital rights management, but it can also solve the existing problems in traditional spatial data infrastructure for data sharing due to its characteristics of complete decentralization, mass orientation, immediacy, and high security.
Abstract: The copyright of data is a key point that needs to be solved in spatial data infrastructure for data sharing. In this paper, we propose a decentralized digital rights management model of spatial data, which can provide a novel way of solving the existing copyright management problem or other problems in spatial data infrastructure for data sharing. An Ethereum smart contract is used in this model to realize spatial data digital rights management function. The InterPlanetary File System is utilized as external data storage for storing spatial data in the decentralized file system to avoid data destruction that is caused by a single point of failure. There is no central server in the model architecture, which has a completely decentralized nature and it makes spatial data rights management not dependent on third-party trust institutions. We designed three spatial data copyright management algorithms, developed a prototype system to implement and test the model, used the smart contract security verification tool to check code vulnerabilities, and, finally, discussed the usability, scalability, efficiency, performance, and security of the proposed model. The result indicates that the proposed model not only has diversified functions of copyright management compared with previous studies on the blockchain-based digital rights management, but it can also solve the existing problems in traditional spatial data infrastructure for data sharing due to its characteristics of complete decentralization, mass orientation, immediacy, and high security.
11 citations
Posted Content•
TL;DR: Evaluation with real-world smart contracts shows that VERISMART can detect all arithmetic bugs with a negligible number of false alarms, far outperforming existing analyzers.
Abstract: We present VeriSmart, a highly precise verifier for ensuring arithmetic safety of Ethereum smart contracts. Writing safe smart contracts without unintended behavior is critically important because smart contracts are immutable and even a single flaw can cause huge financial damage. In particular, ensuring that arithmetic operations are safe is one of the most important and common security concerns of Ethereum smart contracts nowadays. In response, several safety analyzers have been proposed over the past few years, but state-of-the-art is still unsatisfactory; no existing tools achieve high precision and recall at the same time, inherently limited to producing annoying false alarms or missing critical bugs. By contrast, VeriSmart aims for an uncompromising analyzer that performs exhaustive verification without compromising precision or scalability, thereby greatly reducing the burden of manually checking undiscovered or incorrectly-reported issues. To achieve this goal, we present a new domain-specific algorithm for verifying smart contracts, which is able to automatically discover and leverage transaction invariants that are essential for precisely analyzing smart contracts. Evaluation with real-world smart contracts shows that VeriSmart can detect all arithmetic bugs with a negligible number of false alarms, far outperforming existing analyzers.
11 citations
Additional excerpts
...such as openness and immutability [3]....
[...]
01 Dec 2019
TL;DR: A blockchain-powered land administration system, termed as LandLedger, which provides accountable, transparent, efficient, secure and scalable land property administration, and uses Merkle Patricia Tree to implement ownership verification and property history checking efficiently.
Abstract: The current land administration system of many countries including India is plagued with incomplete and damaged records Different departments pertaining to land administration system store their own copy of records, which lead to incomplete verification and document forgery In this paper, we present a blockchain-powered land administration system, termed as LandLedger, which provides accountable, transparent, efficient, secure and scalable land property administration The proposed architecture of LandLedger realizes property verification, registration and revocation using specially designed transactions on a permissioned blockchain, which is managed by various departments such as Registrar's office, The Income tax department, The Revenue department and so on LandLedger uses Merkle Patricia Tree to implement ownership verification and property history checking efficiently The implementation of LandLedger shows its practicality with enhanced features in comparison to the current practice used in many countries including India
11 citations
Cites background from "A Survey of Attacks on Ethereum Sma..."
...There have been instances in which adversaries exploited the security vulnerabilities associated with the smart contracts [8]....
[...]
Posted Content•
TL;DR: A framework for developing a decentralized ride-hailing architecture implemented on the Hyperledger Fabric blockchain platform is proposed and evaluated using a static analysis tool and performing a performance analysis under heavy network load.
Abstract: Ride-hailing and ride-sharing applications have recently gained in popularity as a convenient alternative to traditional modes of travel. Current research into autonomous vehicles is accelerating rapidly and will soon become a critical component of a ride-hailing platform's architecture. Implementing an autonomous vehicle ride-hailing platform proves a difficult challenge due to the centralized nature of traditional ride-hailing architectures. In a traditional ride-hailing environment the drivers operate their own personal vehicles so it follows that a fleet of autonomous vehicles would be required for a centralized ride-hailing platform to succeed. Decentralization of the ride-hailing platform would remove a road block along the way to an autonomous vehicle ride-hailing platform by allowing owners of autonomous vehicles to add their vehicle to a community driven fleet when not in use. Blockchain technology is an attractive choice for this decentralized architecture due to its immutability and fault tolerance. This paper proposes a framework for developing a decentralized ride-hailing architecture implemented on the Hyperledger Fabric blockchain platform. The implementation is evaluated using a static analysis tool and performing a performance analysis under heavy network load.
11 citations
Cites background from "A Survey of Attacks on Ethereum Sma..."
...in [14] also discuss these attacks among others on the Ethereum environment in their taxonomic aggregation of Ethereum vulnerabilities and poor programming practices....
[...]
Posted Content•
TL;DR: Wang et al. as mentioned in this paper analyzed the blockchain game architecture and reveal the possible penetration methods of cracking, and scanned more than 600 commercial blockchain games to summarize a security overview from the perspective of the web server and smart contract, respectively.
Abstract: Blockchain gaming is an emerging entertainment paradigm. However, blockchain games are still suffering from security issues, due to the immature blockchain technologies and its unsophisticated developers. In this work, we analyzed the blockchain game architecture and reveal the possible penetration methods of cracking. We scanned more than 600 commercial blockchain games to summarize a security overview from the perspective of the web server and smart contract, respectively. We also conducted three case studies for blockchain games to show detailed vulnerability detection.
11 citations
References
More filters
Book•
01 Jan 2002TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.
2,964 citations
01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its
utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state.
Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.
2,755 citations
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.
1,495 citations
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.
1,258 citations
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.
1,232 citations