A Survey of Attacks on Ethereum Smart Contracts SoK
22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
More filters
Posted Content•
TL;DR: In this paper, the authors survey the 23,327 vulnerable contracts reported by six recent academic projects and find that, despite the amounts at stake, only 1.98% of them have been exploited since deployment, or only 0.27% of the 3 million ETH (600 million USD) at stake.
Abstract: In recent years, we have seen a great deal of both academic and practical interest in the topic of vulnerabilities in smart contracts, particularly those developed for the Ethereum blockchain. While most of the work has focused on detecting *vulnerable* contracts, in this paper, we focus on finding how many of these vulnerable contracts have actually been *exploited*. We survey the 23,327 vulnerable contracts reported by six recent academic projects and find that, despite the amounts at stake, only 1.98% of them have been exploited since deployment. This corresponds to at most 8,487 ETH (~1.7 million USD), or only 0.27% of the 3 million ETH (600 million USD) at stake. We explain these results by demonstrating that the funds are very concentrated in a small number of contracts which are *not exploitable* in practice.
10 citations
01 Oct 2021
TL;DR: The paper uses an objective-centered design science research approach to develop a blockchain-based KYC-system for the conduct of ICOs that is compliant-by-design and integrated into the investment flow of an ICO.
Abstract: Blockchain technology is often proposed as an infrastructure for decentralized Know-Your-Customer (KYC) verification, i.e., a process determining whether a customer is eligible for a given transaction. The benefit of using blockchain technology lies in the expected compliance costs reduction for companies by automatically enforcing KYC-requirements, whose results are accessible by multiple financial institutions. While information systems researchers have proposed conceptual models and prototypes of blockchain-based KYC-systems, they do not yet consider severe penalties that are applicable to companies if KYC-requirements are not met. Hence, if the legal requirements for KYC-processes cannot be met, these systems are not applicable. The paper uses an objective-centered design science research approach to develop a blockchain-based KYC-system for the conduct of ICOs that is compliant-by-design. To this end, the authors first identify existing KYC-requirements and define corresponding system design objectives that are used to develop a KYC-system that automatically enforces KYC-regulations, thereby preventing money laundering and other forms of identity fraud. Second, the authors contribute to the literature by providing a blueprint for compliant-by-design blockchain-based KYC-systems, in the paper, integrated into the investment flow of an ICO. Third, the authors propose a KYC-system that is applicable in the real world, by making – due to legal certainty – KYC-processes cost-effective, i.e., the proposed blockchain-based KYC-system expectably reduces compliance costs for customers and financial organizations.
10 citations
01 Apr 2021
TL;DR: A semi-Markov process (SMP) based approach is proposed to model the Eclipse attack behavior and possible mitigation activities that may prevent the attack from being successful during the attack process and to determine the steady-state dependability of the Bitcoin node.
Abstract: The block chain technology has immense potential in many different applications, including but not limited to cryptocurrencies, financial services, smart contracts, supply chains, healthcare services, and energy trading. Due to the critical nature of these applications, it is pivotal to model and evaluate dependability of the block chain-based systems, contributing to their reliable and robust operation. This paper models and analyzes the dependability of Bitcoin nodes subject to Eclipse attacks and state-dependent mitigation activities. Built upon the block chain technology, the Bitcoin is a peer-to-peer cryptocurrency system enabling an individual user to trade freely without the involvement of banks or any other types of intermediate agents. However, a node in the Bitcoin is vulnerable to the Eclipse attack, which aims to monopolize the information flow of the victim node. A semi-Markov process (SMP) based approach is proposed to model the Eclipse attack behavior and possible mitigation activities that may prevent the attack from being successful during the attack process. The SMP model is then evaluated to determine the steady-state dependability of the Bitcoin node. Numerical examples are provided to demonstrate the influence of the time to restart the Bitcoin software and time to detect and delete the malicious message on the Bitcoin node dependability. KeywordsBitcoin, Block chain, Dependability, Eclipse attack, Semi-Markov process (SMP).
9 citations
Cites background from "A Survey of Attacks on Ethereum Sma..."
...The block chain technology has received lots of attentions from academia, governments, and industries in the last decade (Akbari et al., 2017; Atzei et al., 2017; Dai et al., 2019; Ferrag et al., 2018; Kang et al., 2018; Li et al., 2020)....
[...]
...Introduction The block chain technology has received lots of attentions from academia, governments, and industries in the last decade (Akbari et al., 2017; Atzei et al., 2017; Dai et al., 2019; Ferrag et al., 2018; Kang et al., 2018; Li et al., 2020)....
[...]
01 Dec 2021
TL;DR: The immutability of blockchain means that data in blockchain cannot be modified once confirmed as mentioned in this paper, which guarantees the reliability and integrity of blockchain. However, absolute immutality is not conducive to timely correction of blockchain, as it may lead to the centralization of redaction right or single point of failure.
Abstract: The immutability of blockchain means that data in blockchain cannot be modified once confirmed. It guarantees the reliability and integrity of blockchain. However, absolute immutability is not conducive to timely correction of blockchain. Currently, there are some researches on redactable blockchain. They replaced hash functions with chameleon hash functions or proposed policy-based chameleon hashes, which may lead to the centralization of redaction right or single point of failure.
9 citations
20 Sep 2019
TL;DR: An introduction to the architecture of information technology was given and the goal and research status of the incentive layer of blockchain were illustrated with digital economy development as the backdrop.
Abstract: The current research on the blockchain includes study on network architecture and the incentive. In this paper, an introduction to the architecture of information technology was given and the goal and research status of the incentive layer of blockchain were illustrated with digital economy development as the backdrop. The existing issuance of token was elaborated from computation, storage and transmission, three core facets of network technology. The development of the token allocation and the path was analyzed to confirm its rationality. It discusses the possible directions and challenges of the future research on blockchain incentive.
9 citations
References
More filters
Book•
01 Jan 2002TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.
2,964 citations
01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its
utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state.
Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.
2,755 citations
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.
1,495 citations
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.
1,258 citations
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.
1,232 citations