Major vulnerabilities in Ethereum smart contracts: Investigation and statistical analysis

DOI:

https://doi.org/10.4108/eetiot.5120

Keywords:

Blockchain Security, Smart Contract Security, Cryptocurrency Security, Smart contracts Attacks

Abstract

The general public is becoming increasingly familiar with blockchain technology. Its distinctive features, including transparency, strong cryptographic security, and distribution, make numerous new applications possible. Implementing these applications requires suitable programming tools and interfaces, which smart contracts provide. Smart contracts execute automatically once their prerequisites are satisfied, so any mistake in their code, particularly a security-related one, may affect the project as a whole, the funds it holds, and important data. This paper discusses the flaws of Ethereum smart contracts in this respect. By examining publicly accessible scientific sources, it aims to present thorough information about vulnerabilities, examples, and current security solutions. Additionally, a substantial collection of current Ethereum (ETH) smart contracts has undergone static code examination to carry out the vulnerability-finding procedure, and the output has been assessed and analysed statistically. The study's conclusions demonstrate that smart contracts have several distinct flaws, including arithmetic flaws, of which developers should be more aware. These vulnerabilities and the solutions that can be used to address them are also included.

Author Biographies

Mohammad Pishdar, Bu-Ali Sina University

Computer Engineering Department, Bu-Ali Sina University, Hamedan, Iran

Mahdi Bahaghighat, Imam Khomeini International University

Computer Engineering Department, Imam Khomeini International University, Qazvin, Iran

Rajeev Kumar, Delhi Technological University

Department of Computer Science and Engineering, Delhi Technological University, Delhi, India

Qin Xin, University of the Faroe Islands

Faculty of Science and Technology, University of the Faroe Islands, Faroe Islands

Published

18-12-2024

How to Cite

M. Pishdar, M. Bahaghighat, R. Kumar, and Q. Xin, "Major vulnerabilities in Ethereum smart contracts: Investigation and statistical analysis", EAI Endorsed Trans IoT, vol. 11, Dec. 2024.