16 pages
Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions of dollars' worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19,366 existing Ethereum contracts, Oyente flags 8,833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.
ArXiv, 2021
Ethereum Smart Contracts based on Blockchain Technology (BT) enable monetary transactions among peers on a blockchain network independent of a central authorizing agency. Ethereum smart contracts are programs that are deployed as decentralized applications, having the building blocks of the blockchain consensus protocol. This enables consumers to make agreements in a transparent and conflict-free environment. However, there exist some security vulnerabilities within these smart contracts that are a potential threat to the applications and their consumers and have been shown in the past to cause huge financial losses. In this study, we review the existing literature and broadly classify the BT applications. As Ethereum smart contracts find their application mostly in e-commerce applications, we believe these are more commonly vulnerable to attacks. In these smart contracts, we mainly focus on identifying vulnerabilities that programmers and users of smart contracts must avoid. This paper ...
IAEME PUBLICATION, 2020
Smart contracts are pieces of code which are executed under certain conditions and are deployed on a blockchain. Some of the applications of smart contracts are crypto assets, health care applications, voting, IoT, digital rights, gambling, escrow, music rights management, record keeping, smart property and e-governance. Smart contracts play a crucial role in these applications, but adversaries exploit smart contracts due to vulnerabilities in them, and millions of dollars have been drained within a few years, as in The DAO attack, King of the Ether Throne, Multi-player games, Parity Multisig Wallet, Rubixi, GovernMental, Dynamic libraries and Batch Transfer Overflow. For these reasons, extensive research is required on attacks on smart contracts with efficient detective and preventive methods. In this paper, we concentrate on vulnerabilities of smart contracts which are the root cause of the attacks. The existing work on these attacks has discussed only a few of the vulnerabilities and there is a need to cover all smart contract vulnerabilities over Ethereum. The taxonomy of vulnerabilities is listed below with smart contract code and the investigations done on how the attackers are exploiting the Smart Contracts with these vulnerabilities.
Financial Cryptography and Data Security
In recent years, Ethereum gained tremendously in popularity, growing from a daily transaction average of 10K in January 2016 to an average of 500K in January 2020. Similarly, smart contracts began to carry more value, making them appealing targets for attackers. As a result, they started to become victims of attacks, costing millions of dollars. In response to these attacks, both academia and industry proposed a plethora of tools to scan smart contracts for vulnerabilities before deploying them on the blockchain. However, most of these tools solely focus on detecting vulnerabilities and not attacks, let alone quantifying or tracing the number of stolen assets. In this paper, we present Horus, a framework that empowers the automated detection and investigation of smart contract attacks based on logic-driven and graph-driven analysis of transactions. Horus provides quick means to quantify and trace the flow of stolen assets across the Ethereum blockchain. We perform a large-scale analysis of all the smart contracts deployed on Ethereum until May 2020. We identified 1,888 attacked smart contracts and 8,095 adversarial transactions in the wild. Our investigation shows that the number of attacks did not necessarily decrease over the past few years, but for some vulnerabilities remained constant. Finally, we also demonstrate the practicality of our framework via an in-depth analysis on the recent Uniswap and Lendf.me attacks.
IEEE Transactions on Information Forensics and Security
Sir Syed University Research Journal of Engineering & Technology
With the evolution of technology, blockchain, a swiftly impending phenomenon, i.e., "decentralized computing", is observed. The emergence of Smart Contracts (SC) has resulted in advancements in the application of blockchain technology. The Ethereum network's computing capabilities and functionalities are founded on the basis of SC. A smart contract is a self-executing agreement between buyer and seller with the terms of the settlement between them, written directly as lines of code, existing across a distributed decentralized blockchain network. It is a decentralized software that runs on a blockchain autonomously, consistently, and publicly. Conversely, due to the complex semantics of fundamental domain-specific languages and their testability, constructing reliable and secure SC can be extremely difficult. SC might contain some vulnerabilities. Security vulnerabilities can originate from financial tribulations; there are a number of notorious events that specify blockchain SC co...
2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), 2018
Smart Contracts have gained tremendous popularity in the past few years, to the point that billions of US Dollars are currently exchanged every day through such technology. However, since the release of the Frontier network of Ethereum in 2015, there have been many cases in which the execution of Smart Contracts managing Ether coins has led to problems or conflicts. Compared to traditional Software Engineering, a discipline of Smart Contract and Blockchain programming, with standardized best practices that can help solve the mentioned problems and conflicts, is not yet sufficiently developed. Furthermore, Smart Contracts rely on a non-standard software life-cycle, according to which, for instance, delivered applications can hardly be updated or bugs resolved by releasing a new version of the software. In this paper we advocate the need for a discipline of Blockchain Software Engineering, addressing the issues posed by smart contract programming and other applications running on blockchains. We analyse a case study where a bug discovered in a Smart Contract library, and perhaps "unsafe" programming, allowed an attack on Parity, a wallet application, causing the freezing of about 500K Ethers (about 150M USD, in November 2017). In this study we analyze the source code of Parity and the library, and discuss how recognised best practices could mitigate, if adopted and adapted, such detrimental software misbehavior. We also reflect on the specificity of Smart Contract software development, which makes some of the existing approaches insufficient, and call for the definition of a specific Blockchain Software Engineering.
arXiv (Cornell University), 2022
Context: Smart contracts are computer programs that are automatically executed on the blockchain. Among other issues, vulnerabilities in their implementation have led to severe loss and theft of cryptocurrency. In contrast to traditional software, smart contracts become immutable when deployed to the Ethereum blockchain. Therefore, it is essential to understand the nature of vulnerabilities in Ethereum smart contracts to prevent these vulnerabilities in the future. Existing classifications exist, but are limited in several ways, e.g., focusing on single data sources, mixing dimensions, or providing categories that are not orthogonal. Objective: This study aims to characterize vulnerabilities and code weaknesses in Ethereum smart contracts written in Solidity, and to unify existing classifications schemes on Ethereum smart contract vulnerabilities by mapping them to our classification. Method: We extracted 2143 vulnerabilities from public coding platforms (i.e., GitHub and Stack Overflow) and popular vulnerability databases (i.e., National Vulnerability Database and Smart Contract Weakness Registry) and categorized them using a card sorting approach. We targeted the Ethereum blockchain in this paper, as it is the first and most popular blockchain to support the deployment of smart contracts, and Solidity as the most widely used language to implement smart contracts. We devised a classification scheme of smart contract vulnerabilities according to their error source and impact. Afterwards, we mapped existing classification schemes to our classification. Results: The resulting classification consists of 11 categories describing the error source of a vulnerability and 13 categories describing potential impacts. Our findings show that the language specific coding and the structural data flow categories are the dominant categories, but that the frequency of occurrence differs substantially between the data sources. 
Conclusions: Our findings enable researchers to better understand smart contract vulnerabilities by defining various dimensions of the problem and supporting our classification with mappings with literature-based classifications and frequency distributions of the defined categories. Also, they allow researchers to target their research and tool development to better support the implementation and quality assurance of smart contracts.
Computer Communications, 2021
The use of blockchain and smart contracts has not stopped growing in recent years. Like all software that begins to expand its use, it is also beginning to be targeted by hackers who will try to exploit vulnerabilities in both the underlying technology and the smart contract code itself. While many tools already exist for analyzing vulnerabilities in smart contracts, the heterogeneity and variety of approaches and differences in providing the analysis data make the learning curve for the smart contract developer steep. In this article the authors present ESAF (Ethereum Security Analysis Framework), a framework for analysis of smart contracts that aims to unify and facilitate the task of analyzing smart contract vulnerabilities, which can be used as a persistent security monitoring tool for a set of target contracts as well as a classic vulnerability analysis tool, among other uses.
Lecture Notes in Computer Science, 2019
Ethereum smart contracts are executable programs, deployed on a peer-to-peer network and executed in a consensus-based fashion. Their bytecode is public, immutable and, once deployed to the blockchain, cannot be patched anymore. As smart contracts may hold Ether worth several million dollars, they are attractive targets for attackers and indeed some contracts have successfully been exploited in the recent past, resulting in tremendous financial losses. The correctness of smart contracts is thus of utmost importance. While first approaches on formal verification exist, they demand users to be well-versed in formal methods which are alien to many developers and are only able to analyze individual contracts, without considering their execution environment, i.e., calls to external contracts, sequences of transactions, and values from the actual blockchain storage. In this paper, we present Annotary, a concolic execution framework to analyze smart contracts for vulnerabilities, supported by annotations which developers write directly in the Solidity source code. In contrast to existing work, Annotary supports analysis of inter-transactional, inter-contract control flows and combines symbolic execution of EVM bytecode with a resolution of concrete values from the public Ethereum blockchain. While the analysis of Annotary tends to weight precision higher than soundness, we analyze inter-transactional call chains to eliminate false positives from unreachable states that traditional symbolic execution would not be able to handle. We present the annotation and analysis concepts of Annotary, explain its implementation on top of the Laser symbolic virtual machine, and demonstrate its usage as a plugin for the Sublime Text editor.
IEEE Access
In this work we perform a comprehensive empirical study of Smart Contracts deployed on the Ethereum blockchain. The objective of the analysis is to provide empirical results on Smart Contracts features, on smart contract transactions within the blockchain, on the role of the development community, and on the source code characteristics. We collected a set of more than ten thousand Smart Contracts source codes, and a dataset of meta-data regarding their interaction with the blockchain from Etherscan.io. We examined the collected data computing different statistics on naming policies, Smart Contract ether balance, number of Smart Contract transactions, functions and other quantities characterizing use and purpose of Smart Contracts. We found that the number of transactions and the balances follow power-law distributions and that software code metrics display, on average, values lower than corresponding metrics in standard software but have high variances. Focusing the attention on the twenty Smart Contracts with the topmost number of transactions, we found that most of them represent financial Smart Contracts and that some of them have peculiar software development stories behind them. Results show that Blockchain software is rapidly changing and evolving and that it is no longer devoted only to cryptovalues applications but to general purpose computation.
Lecture Notes in Computer Science, 2022
Requirements for the development of smart contracts and an overview of smart contract vulnerabilities at the Solidity code level on the Ethereum platform, 2023
Volume 16, Issue 1, 2024
arXiv (Cornell University), 2022
arXiv (Cornell University), 2022
2019 26th Asia-Pacific Software Engineering Conference (APSEC)
International Journal of Networked and Distributed Computing, 2019
2021 IEEE/ACM 4th International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), 2021
arXiv (Cornell University), 2023
Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, 2016
Herald of Advanced Information Technology
International Journal of Information Technology and Web Engineering
Internet of Things, 2020