Book Chapter

A Survey of Attacks on Ethereum Smart Contracts (SoK)

22 Apr 2017-Vol. 10204, pp 164-186
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Citations
Journal Article
01 Dec 2021
TL;DR: Wang et al. designed a scheme that uses smart contract and blockchain to provide a secure data sharing and access environment, in which there are three major parties and each of them has its own key pair for encrypting and signing the data.
Abstract: With the fast growth of networked devices, the shared data volume keeps increasing over time, i.e., the Internet of Things (IoT) devices may generate zettabytes of data in the coming few years. According to the recent version of General Data Protection Regulation (GDPR), users have the right to fully control their personal data. Many web service providers also provide some options for users to control the data. However, it is still a challenge to investigate how they enforce these actions. There is a need to deploy additional measures to secure the data access. Focused on this challenge, in this work, we design a scheme that uses smart contract and blockchain to provide a secure data sharing and access environment. In our scheme, there are three major parties and each of them has its own key pair for encrypting and signing the data. We also develop four main smart contracts for different parties, and discuss what kinds of data should be immutable and placed on-chain. In the evaluation, we explore the performance of our scheme under different platforms such as Ethereum with EtHash, Ethereum with Clique, and Hyperledger. With the analysis of several potential attacks, our results indicate the viability and effectiveness of our scheme.

6 citations

Journal Article
TL;DR: A common reference frame is introduced to systematically evaluate and compare DeFi incidents and investigates potential defenses, finding that 103 of the attacks are not executed atomically, granting a rescue time frame for defenders.
Abstract: Within just four years, the blockchain-based Decentralized Finance (DeFi) ecosystem has accumulated a peak total value locked (TVL) of more than 253 billion USD. This surge in DeFi’s popularity has, unfortunately, been accompanied by many impactful incidents. According to our data, users, liquidity providers, speculators, and protocol operators suffered a total loss of at least 3.24 billion USD from Apr 30, 2018 to Apr 30, 2022. Given the blockchain’s transparency and increasing incident frequency, two questions arise: How can we systematically measure, evaluate, and compare DeFi incidents? How can we learn from past attacks to strengthen DeFi security? In this paper, we introduce a common reference frame to systematically evaluate and compare DeFi incidents. We investigate 77 academic papers, 30 audit reports, and 181 real-world incidents. Our open data reveals several gaps between academia and the practitioners’ community. For example, few academic papers address “price oracle attacks” and “permissionless interactions”, while our data suggests that they are the two most frequent incident types (15% and 10.5% correspondingly). We also investigate potential defenses, and find that: (i) 103 (56%) of the attacks are not executed atomically, granting a rescue time frame for defenders; (ii) SoTA bytecode similarity analysis can at least detect 31 vulnerable/23 adversarial contracts; and (iii) 33 (15.3%) of the adversaries leak potentially identifiable information by interacting with centralized exchanges.

6 citations

Proceedings Article
01 Oct 2019
TL;DR: The main objective of this research is to help financial institutions in choosing the most appropriate financial instrument for CSCS and allow its automated trading using blockchain technology, which has been achieved on one of the prominent blockchain platforms.
Abstract: Blockchain technology is disrupting current business models and practices by making intermediary services obsolete and the term has become a buzzword worldwide. One particular area based on the distributed ledger technology that has grabbed the attention of many financial businesses is "Smart Contracts". A lot of research is going on to harness its full potential in many fronts from small to large financial businesses. Currently, the Collateral Smart Contract Services (CSCS) are manually processed in financial institutions. The main objective of this research is to help financial institutions in choosing the most appropriate financial instrument for CSCS and allow its automated trading using blockchain technology, which we have achieved on one of the prominent blockchain platforms. We have designed a Chaincode for CSCS using Hyperledger Fabric, maintaining a transparent distributed ledger for the CSCS between financial institutions. The clients in the network are permissioned and possess certificates that they utilize to interact with the Hyperledger Fabric network. Go programming language has been used to create contracts on Hyperledger Fabric. One of the main challenges in the implementation has been to identify different elements that are required to get the network and chaincode running on the Hyperledger. We have designed a network consisting of multiple organizations each one connecting with other organizations for the Hyperledger transactions, for achieving collateral services among these institutions. The experimental evaluation criteria designed for this study could be used as formal procedure for designing financial smart contracts on Hyperledger.

6 citations


Cites background from "A Survey of Attacks on Ethereum Sma..."

  • ...However, financial enterprises might be reluctant to put their data on a public blockchain due to vulnerabilities [5], [6]....


Journal Article
TL;DR: In this article, the authors conclude that a synthetic solution that crosses discipline boundaries is necessary to close the gaps between the current design of blockchain and the design principle of a trust engine for a truly intelligent world.
Abstract: security, scalability, decentralization, applicability, governance and regulation, system design, and cross-chain interoperability. Both research and practice are more centered around the first category of privacy and security and the fourth category of applicability. Future scholars, practitioners, and policy-makers have vast opportunities in other, much less exploited facets and the synthesis at the interface of multiple aspects. Finally, in counterexamples, we conclude that a synthetic solution that crosses discipline boundaries is necessary to close the gaps between the current design of blockchain and the design principle of a trust engine for a truly intelligent world. Acknowledgments: I am deeply indebted to all the pioneers in Web3 for their inspirations, especially for my mentors, coauthors, and students who jointly contribute to the interdisciplinary conversation around the applications of blockchain. The name list is to be added.

6 citations

Proceedings Article
01 Jul 2018
TL;DR: A macroprogramming approach is proposed for developing the different system components required for blockchain connected IoT devices including smart contracts, edge nodes and IoT devices from a monolithic description so that one can use a higher level of abstraction to develop an application, while still being able to generate code automatically which can be deployed on different nodes.
Abstract: Blockchain and smart contract technology provide a means of decentralised computational agreements that are trusted and automated. By integrating Internet of Things (IoT) devices with blockchain systems and smart contracts, agreements can not only be confined to in-blockchain manipulation of state, however can enable agreements to interact on the physical world. This integration is non-trivial due to the limited resources on IoT devices and the heterogeneity of such an architecture. Such blockchain connected IoT devices typically require programming of smart contracts, edge blockchain nodes and the IoT devices. IoT embedded systems require expertise in low level development. Similarly, smart contract programming requires expertise with an extensive attention to detail, as even minor bugs can have catastrophic consequences. In this paper, we propose a macroprogramming approach for developing the different system components required for blockchain connected IoT devices including smart contracts, edge nodes and IoT devices from a monolithic description. In this manner, one can use a higher level of abstraction to develop an application, while still being able to generate code automatically which can be deployed on different nodes.

6 citations

References
Book
01 Jan 2002
TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Abstract: Elementary Techniques.- 1. The Basics.- 2. Functional Programming in HOL.- 3. More Functional Programming.- 4. Presenting Theories.- Logic and Sets.- 5. The Rules of the Game.- 6. Sets, Functions, and Relations.- 7. Inductively Defined Sets.- Advanced Material.- 8. More about Types.- 9. Advanced Simplification, Recursion, and Induction.- 10. Case Study: Verifying a Security Protocol.

2,964 citations

01 Jan 2013
TL;DR: Ethereum is a transactional singleton machine with shared state, which can be seen as a simple application on a decentralised, but singleton, compute resource, and it provides a plurality of resources, each with a distinct state and operating code but able to interact through a message-passing framework with others.
Abstract: The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its utility through a number of projects, not least Bitcoin. Each such project can be seen as a simple application on a decentralised, but singleton, compute resource. We can call this paradigm a transactional singleton machine with shared-state. Ethereum implements this paradigm in a generalised manner. Furthermore it provides a plurality of such resources, each with a distinct state and operating code but able to interact through a message-passing framework with others. We discuss its design, implementation issues, the opportunities it provides and the future hurdles we envisage.

2,755 citations

Journal Article
TL;DR: Protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer are discussed.
Abstract: Smart contracts combine protocols with user interfaces to formalize and secure relationships over computer networks. Objectives and principles for the design of these systems are derived from legal principles, economic theory, and theories of reliable and secure protocols. Similarities and differences between smart contracts and traditional business procedures based on written contracts, controls, and static forms are discussed. By using cryptographic and other security mechanisms, we can secure many algorithmically specifiable relationships from breach by principals, and from eavesdropping or malicious interference by third parties, up to considerations of time, user interface, and completeness of the algorithmic specification. This article discusses protocols with application in important contracting areas, including credit, content rights management, payment systems, and contracts with bearer.

1,495 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper introduces a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains and devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints.
Abstract: Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. This opens the question whether existing security analysis of Bitcoin's PoW applies to other implementations which have been instantiated with different consensus and/or network parameters. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.

1,258 citations

Proceedings Article
24 Oct 2016
TL;DR: This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
Abstract: Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19,336 existing Ethereum contracts, Oyente flags 8,833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.

1,232 citations
