Smart Contract Security Vulnerabilities

Yıl 2023, Cilt: 16 Sayı: 1, 196 - 211, 31.03.2023

Ruhi Taş

https://doi.org/10.18185/erzifbed.1105551

Öz

A smart contract is a concept of computer protocols that helps to facilitate blockchain technology. This blockchain-based smart contract is a public ledger of all participating transactions. It is considered a self-executable application and contains predetermined rules. It also operates by decentralizing networks that are shared between all parties, and this execution of contracts between parties could be securely done without a middleman or a third party. With blockchain technology, developers could provide an efficient framework and ensure security issues. While the new blockchain has successfully been developed to prevent the problems of fraud and hacking, there is still a considerable risk concerning security and confidentiality. Therefore, we should not underestimate this matter. This study aims to review the potential risks that may take place on blockchain-based smart contracts. In addition, the options that may assist application developers in order to provide viable guidance, and to avoiding these security vulnerabilities.

Anahtar Kelimeler

Blockchain, Smart Contract, Vulnerability, Ethereum, Solidity

Akıllı Sözleşme Güvenlik Zaafiyetleri

Öz

Akıllı sözleşme, blok zinciri teknolojisini kolaylaştırmaya yardımcı olan bir bilgisayar protokolleri kavramıdır. Bu blok zinciri tabanlı akıllı sözleşme, katılan tüm işlemlerin halka açık bir defteridir. Kendi kendine çalıştırılabilir bir uygulama olarak kabul edilir ve önceden belirlenmiş kurallar içerir. Ayrıca, tüm taraflar arasında paylaşılan ağları merkezi olmayan hale getirerek çalışır ve taraflar arasındaki bu sözleşmelerin yürütülmesi, bir aracı veya üçüncü bir taraf olmadan güvenli bir şekilde yapılabilir. Blockchain teknolojisi ile geliştiriciler verimli bir çerçeve sağlayabilir ve güvenlik sorunlarını sağlayabilir. Yeni blok zinciri, dolandırıcılık ve bilgisayar korsanlığı sorunlarını önlemek için başarıyla geliştirilmiş olsa da, güvenlik ve gizlilik konusunda hala önemli bir risk var. Bu nedenle bu konuyu hafife almamalıyız. Bu çalışma, blockchain tabanlı akıllı sözleşmelerde yer alabilecek potansiyel risklerin incelenmesi amaçlamaktadır. Ayrıca geliştiricilere rehberlik ederek, olası güvenlik açıklarından kaçınmak için uygulama geliştiricilere yardımcı olunması sağlanmıştır.

Anahtar Kelimeler

Blok zinciri, Akıllı sözleşmeler, Zaafiyet, Ethereum, Solidity

Kaynakça

• ArXiv.org e-Print archive. (2022). ArXiv. https://arxiv.org/
• Atzei, N., Bartoletti, M., & Cimoli, T. (2017). A Survey of Attacks on Ethereum Smart Contracts (SoK). In M. Maffei & M. Ryan (Eds.), Principles of Security and Trust (Vol. 10204, pp. 164–186). Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-662-54455-6_8
• Bitcoin. (2022). Bitcoin. Bitcoin Homepage. https://bitcoin.org/
• Chang, S. (2019). Ethereum Smart Contracts Vulnerable to Hacks: $4 Million in Ether at Risk. https://www.investopedia.com/news/ethereum-smart-contracts-vulnerable-hacks-4-million-ether-risk/
• Chen, B., Tan, Z., & Fang, W. (2018). Blockchain-Based Implementation for Financial Product Management. 2018 28th International Telecommunication Networks and Applications Conference (ITNAC), 1–3. https://doi.org/10.1109/ATNAC.2018.8615246
• Chen, J., Xia, X., Lo, D., Grundy, J., & Yang, X. (2020). Maintaining Smart Contracts on Ethereum: Issues, Techniques, and Future Challenges. ArXiv:2007.00286 [Cs]. http://arxiv.org/abs/2007.00286
• Coenen, K., De Prest, J., & Leyssens, K. (2017). Blockchain Introduction. https://ordina-jworks.github.io/blockchain/2017/05/10/Blockchain-Introduction.html#smart-contracts
• Comprehensive list of known attack vectors and common anti-patterns. (2022). Solidity Security. https://github.com/sigp/solidity-security-blog
• Coverdale, C. (2018). Solidity: Tx Origin Attacks. A transaction origin attack is form of… | by Chris Coverdale | Coinmonks | Medium. https://medium.com/coinmonks/solidity-tx-origin-attacks-58211ad95514
• Dey, S. (2018). Securing Majority-Attack in Blockchain Using Machine Learning and Algorithmic Game Theory: A Proof of Work. 2018 10th Computer Science and Electronic Engineering (CEEC), 7–10. https://doi.org/10.1109/CEEC.2018.8674185
• Dika, A., & Nowostawski, M. (2018). Security Vulnerabilities in Ethereum Smart Contracts. 2018 IEEE International Conference on Internet of Things (IThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), 955–962. https://doi.org/10.1109/Cybermatics_2018.2018.00182
• Dorri, A., Kanhere, S. S., Jurdak, R., & Gauravaram, P. (2017). Blockchain for IoT security and privacy: The case study of a smart home. 2017 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), 618–623. https://doi.org/10.1109/PERCOMW.2017.7917634
• Ekblaw, A., Azaria, A., Halamka, J. D., Lippman, A., Original, I., & Vieira, T. (2016). A Case Study for Blockchain in Healthcare: " MedRec " prototype for electronic health records and medical research data MedRec: Using Blockchain for Medical Data Access and Permission Management. IEEE Technology and Society Magazine, 1–13. https://doi.org/10.1109/OBD.2016.11
• Esra, S. (2018). ICO Smart contract Vulnerability: Short Address Attack | by Selvakumar Esra | huzzle | Medium. https://medium.com/huzzle/ico-smart-contract-vulnerability-short-address-attack-31ac9177eb6b
• Ethereum Smart Contract Best Practices. (2022). Ethereum Smart Contract Best Practices. https://consensys.github.io/smart-contract-best-practices/attacks/
• Finley, K. (2016). A $50 Million Hack Just Showed That the DAO Was All Too Human | WIRED. Wired. https://www.wired.com/2016/06/50-million-hack-just-showed-dao-human/
• Frankenfield, J. (2022). Smart Contracts Definition. https://www.investopedia.com/terms/s/smart-contracts.asp
• Grech, N., Kong, M., Jurisevic, A., Brent, L., Scholz, B., & Smaragdakis, Y. (2018). MadMax: Surviving out-of-gas conditions in Ethereum smart contracts. Proceedings of the ACM on Programming Languages, 2(OOPSLA), 1–27. https://doi.org/10.1145/3276486
• Hacken. (2018). Most Common Smart Contract Vulnerabilities. Smart Contract Vulnerabilities. https://hacken.io/education/most-common-smart-contract-vulnerabilities/
• IBM. (2022). What are smart contracts on blockchain? https://www.ibm.com/topics/smart-contracts
• IEEE Xplore. (2022). IEEE. https://ieeexplore.ieee.org/Xplore/home.jsp
• Jiang, B., Liu, Y., & Chan, W. K. (2018). ContractFuzzer: Fuzzing smart contracts for vulnerability detection. Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, 259–269. https://doi.org/10.1145/3238147.3238177
• Kemmoe, V. Y., Stone, W., Kim, J., Kim, D., & Son, J. (2020). Recent Advances in Smart Contracts: A Technical Overview and State of the Art. IEEE Access, 8, 117782–117801. https://doi.org/10.1109/ACCESS.2020.3005020
• Lauslahti, K., Mattila, J., & Seppala, T. (2018). Smart Contracts How Will Blockchain Technology Affect Contractual Practices? SSRN Electronic Journal, 68. https://doi.org/10.2139/ssrn.3154043
• Li, X., Jiang, P., Chen, T., Luo, X., & Wen, Q. (2020). A survey on the security of blockchain systems. Future Generation Computer Systems, 107, 841–853. https://doi.org/10.1016/j.future.2017.08.020
• Luu, L., Chu, D.-H., Olickel, H., Saxena, P., & Hobor, A. (2016). Making Smart Contracts Smarter. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 254–269. https://doi.org/10.1145/2976749.2978309
• Ma, Z., Huang, W., & Gao, H. (2018). Secure DRM Scheme Based on Blockchain with High Credibility. Chinese Journal of Electronics, 27(5), 1025–1036. https://doi.org/10.1049/cje.2018.07.003
• Manning, A. (2018). Solidity Security: Comprehensive list of known attack vectors and common anti-patterns. https://blog.sigmaprime.io/solidity-security.html#reentrancy
• Mei, X., Ashraf, I., Jiang, B., & Chan, W. K. (2019). A Fuzz Testing Service for Assuring Smart Contracts. 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C), 544–545. https://doi.org/10.1109/QRS-C.2019.00116
• Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System. Bitcoin. https://bitcoin.org/bitcoin.pdf
• Nan, Y., Yang, Z., Wang, X., Zhang, Y., Zhu, D., & Yang, M. (2018). Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps. Proceedings 2018 Network and Distributed System Security Symposium. Network and Distributed System Security Symposium, San Diego, CA. https://doi.org/10.14722/ndss.2018.23092
• Oyente. (2022). [JavaScript]. Enzyme Finance. https://github.com/enzymefinance/oyente (Original work published 2017)
• Perez, D., & Livshits, B. (2020). Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited. ArXiv:1902.06710 [Cs]. http://arxiv.org/abs/1902.06710
• Ramezan, G., Leung, C., & Jane Wang, Z. (2018). A Strong Adaptive, Strategic Double-Spending Attack on Blockchains. 2018 IEEE International Conference on Internet of Things (IThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), 1219–1227. https://doi.org/10.1109/Cybermatics_2018.2018.00216
• Riady, R. (2018). Common Smart Contract Vulnerabilities and How To Mitigate Them – Yos Riady · Software Craftsman. Smart Contract Vulnerabilities. https://yos.io/2018/10/20/smart-contract-vulnerabilities-and-how-to-mitigate-them/#vulnerability-all-data-is-public/
• Ribeiro, S. L., & de Paiva Barbosa, I. A. (2020). Risk Analysis Methodology to Blockchain-based Solutions. 2020 2nd Conference on Blockchain Research & Applications for Innovative Networks and Services (BRAINS), 59–60. https://doi.org/10.1109/BRAINS49436.2020.9223309
• Saad, M., Njilla, L., Kamhoua, C., Kim, J., Nyang, D., & Mohaisen, A. (2019). Mempool optimization for Defending Against DDoS Attacks in PoW-based Blockchain Systems. 2019 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), 285–292. https://doi.org/10.1109/BLOC.2019.8751476
• Saad, M., Spaulding, J., Njilla, L., Kamhoua, C., Shetty, S., Nyang, D., & Mohaisen, A. (2019). Exploring the Attack Surface of Blockchain: A Systematic Overview. ArXiv:1904.03487 [Cs]. http://arxiv.org/abs/1904.03487
• Security Audits – Chainsecurity. (2022). ChainSecurity. https://chainsecurity.com/audits/
• Smart Contract Security. (2022). Mastering Ethereum. https://cypherpunks-core.github.io/ethereumbook/09smart-contracts-security.html
• SmartDec. (2022). SmartDec. Smart Contract Security. https://smartdec.net/
• State of the DApps—DApp Statistics. (2022). Stateofthedapps. https://www.stateofthedapps.com/stats/
• State Variable Default Visibility. (2022). State Variable Default Visibility. https://swcregistry.io/docs/SWC-108
• Szabo, N. (1994). Micropayments and Mental Transaction Costs. 14.
• Tikhomirov, S., Voskresenskaya, E., Ivanitskiy, I., Takhaviev, R., Marchenko, E., & Alexandrov, Y. (2018). SmartCheck: Static Analysis of Ethereum Smart Contracts. 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), 9–16.
• Vessenes, P. (2016). Tx.Origin And Ethereum Oh My! https://vessenes.com/tx-origin-and-ethereum-oh-my/
• Vogeler, W. (2018). Reports: Ethereum Smart Contracts Are Far From Secure—FindLaw. https://www.findlaw.com/legalblogs/technologist/reports-ethereum-smart-contracts-are-far-from-secure/
• Wang, S., Wang, C., & Hu, Q. (2019). Corking by Forking: Vulnerability Analysis of Blockchain. IEEE INFOCOM 2019 - IEEE Conference on Computer Communications, 829–837. https://doi.org/10.1109/INFOCOM.2019.8737490
• Xu, J. J. (2016). Are blockchains immune to all malicious attacks? Financial Innovation, 2(1), 25. https://doi.org/10.1186/s40854-016-0046-5
• Zhao, X., Chen, Z., Chen, X., Wang, Y., & Tang, C. (2017). The DAO attack paradoxes in propositional logic. 2017 4th International Conference on Systems and Informatics (ICSAI), 1743–1746. https://doi.org/10.1109/ICSAI.2017.8248566