A Survey of Attacks on Ethereum Smart Contracts SoK
22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
More filters
Posted Content•
TL;DR: A comprehensive review on the recent advances in architecture design and technology development towards tackling several critical challenges that are inherent in IIoT and blockchain themselves, such as standardization, scalability, and interoperability is provided.
Abstract: The proliferation of the Internet of Things (IoT) technology has made ubiquitous computing a reality by broadening Internet connectivity across diverse application domains, thus bridging billions of devices and human beings as well for information collection, data processing, and decision-making. In recent years, IoT technology and its applications in various industrial sectors have grown exponentially. Most existing industrial IoT (IIoT) implementations, however, are still relying on a centralized architecture, which is vulnerable to the single point of failure attack and requires a massive amount of computation at the central entity. The emerging blockchain technology is currently undergoing rapid development and has the full potential to revolutionize the IIoT platforms and applications. As a distributed and decentralized tamper-resistant ledger, blockchain maintains the consistency of data records at different locations and holds the potential to address the issues in traditional IIoT networks, such as heterogeneity, interoperability, and security. Integrating the blockchain technology into IIoT platforms requires to address several critical challenges that are inherent in IIoT and blockchain themselves, such as standardization, scalability, and interoperability. This paper provides a comprehensive review on the recent advances in architecture design and technology development towards tackling these challenges. We further provide several representative industrial use cases that can benefit from the integration of blockchain technology, and discuss the recent research trends and open issues in blockchain-enabled IIoT platforms.
8 citations
Cites background from "A Survey of Attacks on Ethereum Sma..."
...For example, in June 2016, the DAO (Decentralized Autonomous Organizations) attacks in Ethereum networks resulted in the attacker unlawfully siphoning off Ether worth 60 Million USD, with transactions that were valid according to the exploited smart contract [70]....
[...]
...[70] shows that Decentralized Autonomous Organization (DAO) attacks occurred by exploiting the shortcomings in smart contracts....
[...]
...For example, an adversary exploiting the shortcoming of a smart contract was seen in the DAO attack(3) [70] [71]....
[...]
TL;DR: In this paper , the authors conducted two literature reviews and diverse expert interviews and synthesized scattered knowledge on challenges and solutions for smart contracts, and identified 29 challenges (e.g., code visibility, code updateability, and encapsulation) and 60 solutions (i.e., gas limit specification, off-ledger computations, and shadowing).
Abstract: Smart contracts are a promising means of formalizing and reliably enforcing agreements between entities using distributed ledger technology (DLT). Research has revealed that a significant number of smart contracts are subject to programming flaws, making them vulnerable to attacks and leading to detrimental effects, such as asset loss. Researchers and developers call for a thorough analysis of challenges to identify their causes and propose solutions. To respond to these calls, we conducted two literature reviews and diverse expert interviews and synthesized scattered knowledge on challenges and solutions. We identified 29 challenges (e.g., code visibility, code updateability, and encapsulation) and 60 solutions (e.g., gas limit specification, off-ledger computations, and shadowing). Moreover, we developed 20 software design patterns (SDPs) in collaboration with smart contract developers. The SDPs help developers adjust their programming habits and thus support them in their daily development practices. Our results provide actionable knowledge for smart contract developers to overcome the identified challenges and offer support for comparing smart contract integration concepts across three fundamentally different DLT protocols (i.e., Ethereum, EOSIO, and Hyperledger Fabric). Moreover, we support developers in becoming aware of peculiarities in smart contract development and the resulting benefits and drawbacks.
8 citations
01 Sep 2018
TL;DR: This research addresses the gap by developing with rigorous means a smart contract's language that aims to be legally relevant, and that comprises socio-technical utility for cross-organizational business collaboration by identifying and implementing abstract grammar patterns for a smart-contract language that has the expected application utility and verifiability.
Abstract: Smart contracts play an advent role in automated business participation by rendering collaboration processes more time-efficient, cost-effective and establishing more transparency. Smart contracts facilitate trust-less systems, without the need for intervention from third-party intermediaries. Existing smart-contract languages mainly focus on technical utility and do not take into consideration social and legally relevant issues, e.g., lack of semantics, ontological completeness, and so on. In this research, we address the gap by developing with rigorous means a smart contract's language that aims to be legally relevant, and that comprises socio-technical utility for cross-organizational business collaboration. The proposed language seeks to retain the strengths of the already existing languages of different generations while eluding their limitations. We aim to identify and implement abstract grammar patterns for a smart-contract language that has the expected application utility and verifiability. We evaluate the developed language based on automating industry-collaboration cases with our novel smart-contract language to test the suitability, utility, and expressiveness.
8 citations
Cites background from "A Survey of Attacks on Ethereum Sma..."
...The social utility comprises the mechanism to maintain the transparency to all relevant stakeholders of business collaboration if conflicts arise [1]....
[...]
02 Jul 2019
TL;DR: The capability of Blockchain for acting as a solution to the concerned problem is examined and a Blockchain-based system that acts as an integrated decentralized database for citizenship records of a nation is built.
Abstract: The absence of a unified repository of citizens' records hinders strategic planning of government for implementing welfare schemes and service delivery. Keeping a central repository of such records in traditional databases is a security concern as any data breach from the system can compromise the privacy of the citizen. Besides such a system can be misused. In this work, these problems are addressed by developing a secure and robust system for holding the identity records of all the citizens of a nation. In this paper, the capability of Blockchain for acting as a solution to the concerned problem is examined. Blockchain applications inherently possess characteristics of being robust to break down, secured using cryptography and autonomous as they are capable of functioning without the need for manual intervention based on defined business logic. This paper uses the strengths of Blockchain to build a Blockchain-based system that acts as an integrated decentralized database for citizenship records of a nation.
8 citations
Cites background from "A Survey of Attacks on Ethereum Sma..."
...So any system adversary[9] possessed by a traditional Programmable Blockchain system like Ethereum[14] is also possessed by the proposed system....
[...]
01 Jun 2019
TL;DR: The author proposes a three-layer model from the perspective of data analysis; on the basis of this model, the data structure and data type of blockchain, as well as theData structure and operation principle of smart contract are studied.
Abstract: Blockchain technology is characterized by anti-counterfeiting, non-tampering and easy to implement smart contracts, and is known as a new technology that will lead to social change. Therefore, the study of data in blockchain has important theoretical and practical significance. The author proposes a three-layer model from the perspective of data analysis; on the basis of this model, the data structure and data type of blockchain, as well as the data structure and operation principle of smart contract are studied. Finally, the seven problems and correlations of blockchain data analysis are summarized.
8 citations
References
More filters
Book•
01 Jan 2002TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.
2,964 citations
01 Jan 2013
TL;DR: Ethereum as mentioned in this paper is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its
utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state.
Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.
2,755 citations
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.
1,495 citations
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.
1,258 citations
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.
1,232 citations