Zewei Lin,Jiachi Chen,Jiajing Wu,Weizhe Zhang,Zibin Zheng

2024-11-15

Abstract:In recent years, security incidents stemming from centralization defects in smart contracts have led to substantial financial losses. A centralization defect refers to any error, flaw, or fault in a smart contract's design or development stage that introduces a single point of failure. Such defects allow a specific account or user to disrupt the normal operations of smart contracts, potentially causing malfunctions or even complete project shutdowns. Despite the significance of this issue, most current smart contract analyses overlook centralization defects, focusing primarily on other types of defects. To address this gap, our paper introduces six types of centralization defects in smart contracts by manually analyzing 597 Stack Exchange posts and 117 audit reports. For each defect, we provide a detailed description and code examples to illustrate its characteristics and potential impacts. Additionally, we introduce a tool named CDRipper (Centralization Defects Ripper) designed to identify the defined centralization defects. Specifically, CDRipper constructs a permission dependency graph (PDG) and extracts the permission dependencies of functions from the source code of smart contracts. It then detects the sensitive operations in functions and identifies centralization defects based on predefined patterns. We conduct a large-scale experiment using CDRipper on 244,424 real-world smart contracts and evaluate the results based on a manually labeled dataset. Our findings reveal that 82,446 contracts contain at least one of the six centralization defects, with our tool achieving an overall precision of 93.7%.

Software Engineering

Dabao Wang,Hang Feng,Siwei Wu,Yajin Zhou,Lei Wu,Xingliang Yuan

DOI: https://doi.org/10.1145/3545948.3545963

2022-01-01

Abstract:The prosperity of decentralized finance motivates many investors to profit via trading their crypto assets on decentralized applications (DApps for short) of the Ethereum ecosystem. Apart from Ether (the native cryptocurrency of Ethereum), many ERC20 (a widely used token standard on Ethereum) tokens obtain vast market value in the ecosystem. Specifically, the approval mechanism is used to delegate the privilege of spending users’ tokens to DApps. By doing so, the DApps can transfer these tokens to arbitrary receivers on behalf of the users. To increase the usability, unlimited approval is commonly adopted by DApps to reduce the required interaction between them and their users. However, as shown in existing security incidents, this mechanism can be abused to steal users’ tokens. In this paper, we present the first systematic study to quantify the risk of unlimited approval of ERC20 tokens on Ethereum. Specifically, by evaluating existing transactions up to 31st July 2021, we find that unlimited approval is prevalent (60%, 15.2M/25.4M) in the ecosystem, and 22% of users have a high risk of their approved tokens for stealing. After that, we investigate the security issues that are involved in interacting with the UIs of 22 representative DApps and 9 famous wallets to prepare the approval transactions. The result reveals the worrisome fact that all DApps request unlimited approval from the front-end users and only 10% (3/31) of UIs provide explanatory information for the approval mechanism. Meanwhile, only 16% (5/31) of UIs allow users to modify their approval amounts. Finally, we take a further step to characterize the user behavior into five modes and formalize the good practice, i.e., on-demand approval and timely spending, towards securely spending approved tokens. However, the evaluation result suggests that only 0.2% of users follow the good practice to mitigate the risk. Our study sheds light on the risk of unlimited approval and provides suggestions to secure the approval mechanism of the ERC20 tokens on Ethereum.

Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Nikolay Ivanov,Qiben Yan

DOI: https://doi.org/10.48550/arXiv.2209.08370

2022-09-18

Abstract:In this work, we explore the class of Ethereum smart contracts called the administrated ERC20 tokens. We demonstrate that these contracts are more owner-controlled and less safe than the services they try to disrupt, such as banks and centralized online payment systems. We develop a binary classifier for identification of administrated ERC20 tokens, and conduct extensive data analysis, which reveals that nearly 9 out of 10 ERC20 tokens on Ethereum are administrated, and thereby unsafe to engage with even under the assumption of trust towards their owners. We design and implement SafelyAdministrated - a Solidity abstract class that safeguards users of administrated ERC20 tokens from adversarial attacks or frivolous behavior of the tokens' owners.

Cryptography and Security

Loi Luu,Duc-Hiep Chu,Hrishi Olickel,Prateek Saxena,Aquinas Hobor

DOI: https://doi.org/10.1145/2976749.2978309

2016-10-24

Abstract:Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.

Wansen Wang,Pu Zhang,Renjie Ji,Wenchao Huang,Zhaoyi Meng,Yan Xiong

2024-12-05

Abstract:Some smart contracts violate decentralization principles by defining privileged accounts that manage other users' assets without permission, introducing centralization risks that have caused financial losses. Existing methods, however, face challenges in accurately detecting diverse centralization risks due to their dependence on predefined behavior patterns. In this paper, we propose JANUS, an automated analyzer for Solidity smart contracts that detects financial centralization risks independently of their specific behaviors. JANUS identifies differences between states reached by privileged and ordinary accounts, and analyzes whether these differences are finance-related. Focusing on the impact of risks rather than behaviors, JANUS achieves improved accuracy compared to existing tools and can uncover centralization risks with unknown patterns. To evaluate JANUS's performance, we compare it with other tools using a dataset of 540 contracts. Our evaluation demonstrates that JANUS outperforms representative tools in terms of detection accuracy for financial centralization risks . Additionally, we evaluate JANUS on a real-world dataset of 33,151 contracts, successfully identifying two types of risks that other tools fail to detect. We also prove that the state traversal method and variable summaries, which are used in JANUS to reduce the number of states to be compared, do not introduce false alarms or omissions in detection.

Machine Learning,Cryptography and Security

NI Yuandong,ZHANG Chao,YIN Tingting

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2020.05.07

2020-01-01

Journal of Cyber Security

Abstract:Smart contract is a decentralized application that operates on a blockchain platform, providing secure and reliable capabilities to contract participants. Smart contracts play an important role in decentralized application scenarios. They are widely used in many fields, such as equity crowdfunding, games, insurance, and the Internet of Things, making them attractive to attackers. Compared to traditional programs, the security of smart contracts affects not only the fairness of contracts but also the safety of high volume digital assets on the blockchain managed by contracts. Therefore, analyzing the security of smart contracts and associated vulnerabilities is crucial. In this paper, we analyzed the characteristics of smart contracts and new security risks they bring. We propose a three-layer threat model, i.e., threats from high-level languages, virtual machines, and the blockchain, for characterizing smart contract security. We use the world′s largest smart contract platform Ethereum as an example to illustrate 15 types of common vulnerabilities in smart contracts. We then summarize the main challenges and progress of smart contract security research on vulnerability, including automated vulnerability detection, automated exploit generation and mitigations for smart contracts. At the end of this paper, we highlight the future of smart contract security research, and proposed two potential research directions.

Ruhi TAŞ

DOI: https://doi.org/10.18185/erzifbed.1105551

2023-03-31

Erzincan Üniversitesi Fen Bilimleri Enstitüsü Dergisi

Abstract:A smart contract is a concept of computer protocols that helps to facilitate blockchain technology. This blockchain-based smart contract is a public ledger of all participating transactions. It is considered a self-executable application and contains predetermined rules. It also operates by decentralizing networks that are shared between all parties, and this execution of contracts between parties could be securely done without a middleman or a third party. With blockchain technology, developers could provide an efficient framework and ensure security issues. While the new blockchain has successfully been developed to prevent the problems of fraud and hacking, there is still a considerable risk concerning security and confidentiality. Therefore, we should not underestimate this matter. This study aims to review the potential risks that may take place on blockchain-based smart contracts. In addition, the options that may assist application developers in order to provide viable guidance, and to avoiding these security vulnerabilities.

Zulfiqar Ali Khan,Akbar Siami Namin

DOI: https://doi.org/10.48550/arXiv.2012.14481

2020-12-29

Abstract:Smart contract (SC) is an extension of BlockChain technology. Ethereum BlockChain was the first to incorporate SC and thus started a new era of crypto-currencies and electronic transactions. Solidity helps to program the SCs. Still, soon after Solidity's emergence in 2014, Solidity-based SCs suffered many attacks that deprived the SC account holders of their precious funds. The main reason for these attacks was the presence of vulnerabilities in SC. This paper discusses SC vulnerabilities and classifies them according to the domain knowledge of the faulty operations. This classification is a source of reminding developers and software engineers that for SC's safety, each SC requires proper testing with effective tools to catch those classes' vulnerabilities.

Cryptography and Security

Agostino Capponi,Garud Iyengar,Jay Sethuraman

2023-12-02

Abstract:Financial markets are undergoing an unprecedented transformation. Technological advances have brought major improvements to the operations of financial services. While these advances promote improved accessibility and convenience, traditional finance shortcomings like lack of transparency and moral hazard frictions continue to plague centralized platforms, imposing societal costs. In this paper, we argue how these shortcomings and frictions are being mitigated by the decentralized finance (DeFi) ecosystem. We delve into the workings of smart contracts, the backbone of DeFi transactions, with an emphasis on those underpinning token exchange and lending services. We highlight the pros and cons of the novel form of decentralized governance introduced via the ownership of governance tokens. Despite its potential, the current DeFi infrastructure introduces operational risks to users, which we segment into five primary categories: consensus mechanisms, protocol, oracle, frontrunning, and systemic risks. We conclude by emphasizing the need for future research to focus on the scalability of existing blockchains, the improved design and interoperability of DeFi protocols, and the rigorous auditing of smart contracts.

Trading and Market Microstructure,Computers and Society

Jialu Hao,Cheng Huang,Wenjuan Tang,Yang Zhang,Shuai Yuan

DOI: https://doi.org/10.1109/TCSII.2021.3125500

2022-01-01

Abstract:Access control is essential in computer security systems to regulate the access to critical or valuable resources. Conventional access control models mainly rely on a centralized and trusted server to mediate each attempted access from client to resources, which face serious challenges of single point of failure and lack of transparency. In this brief, we propose a smart contract-based access control framework, which enables the owner to achieve resource access control in a reliable, auditable and scalable way. An access control contract is deployed on blockchain to manage attribute-based access policies of resources flexibly and make access decisions for clients credibly. A set of attributes is distributed to the clients through off-chain signatures signed by the owner to determine their privileges, without consuming the expensive on-chain storage space. Finally, we implement an experimental prototype on Ethereum test network and perform extensive experimental and theoretical analysis to evaluate its scalability and efficiency.

Pengxiang Ma,Ningyu He,Yuhua Huang,Haoyu Wang,Xiapu Luo

2023-07-02

Abstract:Smart contracts play a vital role in the Ethereum ecosystem. Due to the prevalence of kinds of security issues in smart contracts, the smart contract verification is urgently needed, which is the process of matching a smart contract's source code to its on-chain bytecode for gaining mutual trust between smart contract developers and users. Although smart contract verification services are embedded in both popular Ethereum browsers (e.g., Etherscan and Blockscout) and official platforms (i.e., Sourcify), and gain great popularity in the ecosystem, their security and trustworthiness remain unclear. To fill the void, we present the first comprehensive security analysis of smart contract verification services in the wild. By diving into the detailed workflow of existing verifiers, we have summarized the key security properties that should be met, and observed eight types of vulnerabilities that can break the verification. Further, we propose a series of detection and exploitation methods to reveal the presence of vulnerabilities in the most popular services, and uncover 19 exploitable vulnerabilities in total. All the studied smart contract verification services can be abused to help spread malicious smart contracts, and we have already observed the presence of using this kind of tricks for scamming by attackers. It is hence urgent for our community to take actions to detect and mitigate security issues related to smart contract verification, a key component of the Ethereum smart contract ecosystem.

Cryptography and Security

Bibin K. Baby,Alan Sunil,Neetha Thomas

Abstract:: Smart Contracts have gained tremendous popularity in the past few years., to the point that billons of US Dollars are currently exchanged very day through such technology. In this paper we advocate the need for a discipline of Blockchain Software Engineering, addressing the issues posed by smart contract programming and other and other application running on blockchains. We analyze a case of study where a bug discovered in a Smart Contract Library, and perhaps “unsafe” programming, allowed an attack on Parity, a wallet application, causing the freezing of about 500K Ethers. In this study we analyze the source code of Parity and the Library, and discuss how recognized best practices could mitigate, if adopted and adapted, such detrimental software misbehavior. We also specify the Smart Contract software development, which make some of the existing approaches insufficient, and call for the definition of a specific Blockchain Software Engineering.

Computer Science

Theodosis Mourouzis,Jayant Tandon

DOI: https://doi.org/10.48550/arXiv.1903.04806

2019-03-12

Abstract:The aim of this work is to study the use of decentralization and smart contracts on blockchain networks. We investigate the implementation and use of smart contracts on the platforms Bitcoin, Ethereum and Hyperledger Fabric. Additionally, we have researched consensus algorithms and their respective uses, mentioning both advantages and disadvantages where necessary. To conclude, there is an example contract that is meant to be a close to direct translation of a generic legal house rental contract to show how a legal contract can be translated.

Cryptography and Security

Myles Lewis,Chris Crawford

DOI: https://doi.org/10.54941/ahfe1003726

2024-01-04

Abstract:As time progresses, the need for more secure applications grows exponentially. The different types of sensitive information that is being transferred virtually has sparked a rise in systems that leverage blockchain. Different sectors are beginning to use this disruptive technology to evaluate the risks and benefits. Sectors like finance, medicine, higher education, and wireless communication have research regarding blockchain. Futhermore, the need for security standards in this area of research is pivotal. In recent past, several attacks on blockchain infrastructures have resulted in hundreds of millions dollars lost and sensitive information compromised. Some of these attacks include DAO attacks, bZx attacks, and Parity Multisignature Wallet Double Attacks which targeted vulnerabilities within smart contracts on the Ethereum network. These attacks exposed the weaknesses of current smart contract development practices which has led to the increase in distrust and adoption of systems that leverage blockchain for its functionality. In this paper, I identify common software vulnerabilities and attacks on blockchain infrastructures, thoroughly detail the smart contract development process and propose a model for ensuring a stronger security standard for future systems leveraging smart contracts. The purpose for proposing a model is to promote trust among end users in the system which is a foundational element for blockchain adoption in the future.

Cryptography and Security

Gerardo Iuliano,Dario Di Nucci

2024-12-03

Abstract:Smart contracts are self-executing programs on blockchain platforms like Ethereum, which have revolutionized decentralized finance by enabling trustless transactions and the operation of decentralized applications. Despite their potential, the security of smart contracts remains a critical concern due to their immutability and transparency, which expose them to malicious actors. The connections of contracts further complicate vulnerability detection. This paper presents a systematic literature review that explores vulnerabilities in Ethereum smart contracts, focusing on automated detection tools and benchmark evaluation. We reviewed 1,888 studies from five digital libraries and five major software engineering conferences, applying a structured selection process that resulted in 131 high-quality studies. The key results include a hierarchical taxonomy of 101 vulnerabilities grouped into ten categories, a comprehensive list of 144 detection tools with corresponding functionalities, methods, and code transformation techniques, and a collection of 102 benchmarks used for tool evaluation. We conclude with insights on the current state of Ethereum smart contract security and directions for future research.

Software Engineering

Fabian Schär

DOI: https://doi.org/10.2139/ssrn.3571335

2020-01-01

SSRN Electronic Journal

Abstract:This paper explores the Decentralized Finance (DeFi) ecosystem. We examine how DeFi is emerging on top of the public Ethereum smart contract platform, compare it to the centralized architecture of traditional financial markets and highlight opportunities and potential risks of this ecosystem. We propose a multi-layered framework to analyze the implicit architecture and the various DeFi building blocks, including token standards, decentralized exchanges, decentralized debt markets, blockchain derivatives and on-chain asset management protocols. We conclude that DeFi still is a niche market with certain risks, but also has interesting properties in terms of efficiency, transparency, accessibility and interoperability. As such, it may potentially contribute to a more robust and transparent financial infrastructure.

Wejdene Haouari,Abdelhakim Senhaji Hafid,Marios Fokaefs

2024-04-09

Abstract:Ethereum smart contracts are highly powerful, immutable, and able to retain massive amounts of tokens. However, smart contracts keep attracting attackers to benefit from smart contract flaws and Ethereum unexpected behavior. Thus, methodologies and tools have been proposed to help implement secure smart contracts and to evaluate the security of smart contracts already deployed. Most related surveys focus on tools without discussing the logic behind them. in addition, they assess the tools based on papers rather than testing the tools and collecting community feedback. Other surveys lack guidelines on how to use tools specific to smart contract functionalities. This paper presents a literature review combined with an experimental report that aims to assist developers in developing secure smarts, with a novel emphasis on the challenges and vulnerabilities introduced by NFT fractionalization by addressing the unique risks of dividing NFT ownership into tradeable units called fractions. It provides a list of frequent vulnerabilities and corresponding mitigation solutions. In addition, it evaluates the community most widely used tools by executing and testing them on sample smart contracts. Finally, a comprehensive guide on implementing secure smart contracts is presented.

Cryptography and Security

Francesco Maria De Collibus,Matija Piškorec,Alberto Partida,Claudio J. Tessone

DOI: https://doi.org/10.3390/e24081048

IF: 2.738

2022-07-31

Entropy

Abstract:In this paper, we use the methods of networks science to analyse the transaction networks of tokens running on the Ethereum blockchain. We start with a deep dive on four of them: Ampleforth (AMP), Basic Attention Token (BAT), Dai (DAI) and Uniswap (UNI). We study two types of blockchain addresses, smart contracts (SC), which run code, and externally owned accounts (EOA), run by human users, or off-chain code, with the corresponding private keys. We use preferential attachment and network dismantling strategies to evaluate their importance for the network structure. Subsequently, we expand our view to all ERC-20 tokens issued on the Ethereum network. We first study multilayered networks composed of Ether (ETH) and individual tokens using a dismantling approach to assess how the deconstruction starting from one network affects the other. Finally, we analyse the Ether network and Ethereum-based token networks to find similarities between sets of high-degree nodes. For this purpose, we use both the traditional Jaccard Index and a new metric that we introduce, the Ordered Jaccard Index (OJI), which considers the order of the elements in the two sets that are compared. Our findings suggest that smart contracts and exchange-related addresses play a structural role in transaction networks both in DeFi and Ethereum. The presence in the network of nodes associated to addresses of smart contracts and exchanges is positively correlated with the success of the token network measured in terms of network size and market capitalisation. These nodes play a fundamental role in the centralisation of the supposedly decentralised finance (DeFi) ecosystem: without them, their networks would quickly collapse.

physics, multidisciplinary

Yongfeng Huang,Yiyang Bian,Renpu Li,J. Leon Zhao,Peizhong Shi

DOI: https://doi.org/10.1109/access.2019.2946988

IF: 3.9

2019-01-01

IEEE Access

Abstract:Smart contract security is an emerging research area that deals with security issues arising from the execution of smart contracts in a blockchain system. Generally, a smart contract is a piece of executable code that automatically runs on the blockchain to enforce an agreement preset between parties involved in the transaction. As an innovative technology, smart contracts have been applied in various business areas, such as digital asset exchange, supply chains, crowdfunding, and intellectual property. Unfortunately, many security issues in smart contracts have been reported in the media, often leading to substantial financial losses. These security issues pose new challenges to security research because the execution environment of smart contracts is based on blockchain computing and its decentralized nature of execution. Thus far, many partial solutions have been proposed to address specific aspects of these security issues, and the trend is to develop new methods and tools to automatically detect common security vulnerabilities. However, smart contract security is systematic engineering that should be explored from a global perspective, and a comprehensive study of issues in smart contract security is urgently needed. To this end, we conduct a literature review of smart contract security from a software lifecycle perspective. We first analyze the key features of blockchain that can cause security issues in smart contracts and then summarize the common security vulnerabilities of smart contracts. To address these vulnerabilities, we examine recent advances in smart contract security spanning four development phases: 1) security design; 2) security implementation; 3) testing before deployment; and 4) monitoring and analysis. Finally, we outline emerging challenges and opportunities in smart contract security for blockchain engineers and researchers.