298 research outputs found
End-to-End Formal Verification of Ethereum 2.0 Deposit Smart Contract
We report our experience in the formal verification of the deposit smart contract, whose correctness is critical for the security of Ethereum 2.0, a new Proof-of-Stake protocol for the Ethereum blockchain. The deposit contract implements an incremental Merkle tree algorithm whose correctness is highly nontrivial, and had not been proved before. We have verified the correctness of the compiled bytecode of the deposit contract to avoid the need to trust the underlying compiler. We found several critical issues of the deposit contract during the verification process, some of which were due to subtle hidden bugs of the compiler.
The Art of The Scam: Demystifying Honeypots in Ethereum Smart Contracts
Modern blockchains, such as Ethereum, enable the execution of so-called smart
contracts - programs that are executed across a decentralised network of nodes.
As smart contracts become more popular and carry more value, they become more
of an interesting target for attackers. In the past few years, several smart
contracts have been exploited by attackers. However, a new trend towards a more
proactive approach seems to be on the rise, where attackers do not search for
vulnerable contracts anymore. Instead, they try to lure their victims into
traps by deploying seemingly vulnerable contracts that contain hidden traps.
This new type of contracts is commonly referred to as honeypots. In this paper,
we present the first systematic analysis of honeypot smart contracts, by
investigating their prevalence, behaviour and impact on the Ethereum
blockchain. We develop a taxonomy of honeypot techniques and use this to build
HoneyBadger - a tool that employs symbolic execution and well-defined
heuristics to expose honeypots. We perform a large-scale analysis on more than
2 million smart contracts and show that our tool not only achieves high
precision, but is also highly efficient. We identify 690 honeypot smart
contracts as well as 240 victims in the wild, with an accumulated profit of
more than $90,000 for the honeypot creators. Our manual validation shows that
87% of the reported contracts are indeed honeypots.
Pre-deployment Analysis of Smart Contracts -- A Survey
Smart contracts are programs that execute transactions involving independent
parties and cryptocurrencies. As programs, smart contracts are susceptible to a
wide range of errors and vulnerabilities. Such vulnerabilities can result in
significant losses. Furthermore, by design, smart contract transactions are
irreversible. This creates a need for methods to ensure the correctness and
security of contracts pre-deployment. Recently there has been substantial
research into such methods. The sheer volume of this research makes
articulating state-of-the-art a substantial undertaking. To address this
challenge, we present a systematic review of the literature. A key feature of
our presentation is to factor out the relationship between vulnerabilities and
methods through properties. Specifically, we enumerate and classify smart
contract vulnerabilities and methods by the properties they address. The
methods considered include static analysis as well as dynamic analysis methods
and machine learning algorithms that analyze smart contracts before deployment.
Several patterns about the strengths of different methods emerge through this
classification process.
Empirical Review of Smart Contract and DeFi Security: Vulnerability Detection and Automated Repair
Decentralized Finance (DeFi) is emerging as a peer-to-peer financial
ecosystem, enabling participants to trade products on a permissionless
blockchain. Built on blockchain and smart contracts, the DeFi ecosystem has
experienced explosive growth in recent years. Unfortunately, smart contracts
hold a massive amount of value, making them an attractive target for attacks.
So far, attacks against smart contracts and DeFi protocols have resulted in
billions of dollars in financial losses, severely threatening the security of
the entire DeFi ecosystem. Researchers have proposed various security tools for
smart contracts and DeFi protocols as countermeasures. However, a comprehensive
investigation of these efforts is still lacking, leaving a crucial gap in our
understanding of how to enhance the security posture of the smart contract and
DeFi landscape.
To fill the gap, this paper reviews the progress made in the field of smart
contract and DeFi security from the perspective of both vulnerability detection
and automated repair. First, we analyze the DeFi smart contract security issues
and challenges. Specifically, we lucubrate various DeFi attack incidents and
summarize the attacks into six categories. Then, we present an empirical study
of 42 state-of-the-art techniques that can detect smart contract and DeFi
vulnerabilities. In particular, we evaluate the effectiveness of traditional
smart contract bug detection tools in analyzing complex DeFi protocols.
Additionally, we investigate 8 existing automated repair tools for smart
contracts and DeFi protocols, providing insight into their advantages and
disadvantages. To make this work useful for as wide of an audience as possible,
we also identify several open issues and challenges in the DeFi ecosystem that
should be addressed in the future. Comment: This paper is submitted to the journal of Expert Systems with
Applications (ESWA) for review
Resource Analysis of Ethereum 2.0 Clients
Scalability is a common issue among the most used permissionless blockchains,
and several approaches have been proposed accordingly. As Ethereum is set to be
a solid foundation for a decentralized Internet web, the need for tackling
scalability issues while preserving the security of the network is an important
challenge. In order to successfully deliver effective scaling solutions,
Ethereum is on the path of a major protocol improvement called Ethereum 2.0
(Eth2), which implements sharding. As the change of consensus mechanism is an
extremely delicate matter, this improvement will be achieved through different
phases, the first of which is the implementation of the Beacon Chain. For this,
a specification has been developed and multiple groups have implemented clients
to run the new protocol. In this work, we analyse the resource usage behaviour
of different clients running as Eth2 nodes, comparing their performance and
analysing differences. Our results show multiple network perturbations and how
different clients react to it.
ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection
Decentralized cryptocurrencies feature the use of blockchain to transfer
values among peers on networks without central agency. Smart contracts are
programs running on top of the blockchain consensus protocol to enable people
to make agreements while minimizing trust. Millions of smart contracts have been
deployed in various decentralized applications. The security vulnerabilities
within those smart contracts pose significant threats to their applications.
Indeed, many critical security vulnerabilities within smart contracts on
Ethereum platform have caused huge financial losses to their users. In this
work, we present ContractFuzzer, a novel fuzzer to test Ethereum smart
contracts for security vulnerabilities. ContractFuzzer generates fuzzing inputs
based on the ABI specifications of smart contracts, defines test oracles to
detect security vulnerabilities, instruments the EVM to log smart contracts
runtime behaviors, and analyzes these logs to report security vulnerabilities.
Our fuzzing of 6991 smart contracts has flagged more than 459 vulnerabilities
with high precision. In particular, our fuzzing tool successfully detects the
vulnerability of the DAO contract that leads to USD 60 million loss and the
vulnerabilities of Parity Wallet that have led to the loss of $30 million and
the freezing of USD 150 million worth of Ether. Comment: To appear in ASE 2018, Montpellier, France. 10 pages