Ethereum Smart Contracts: Security Vulnerabilities and Security Tools

Ethereum represents the second generation of blockchain technology by providing an open and global computing platform which allows the exchange of cryptocurrency (Ether) and the development of self-verifying smart contract applications. Smart contracts present a foundation for possessing digital assets and a variety of decentralized applications within the blockchain area. Ethereum and smart contracts are public, distributed and immutable; as such, they are prone to vulnerabilities stemming from simple coding mistakes by developers. Motivated by the security breaches and recurring financial losses in smart contracts, we aim to advance the field of security in smart contract programming. The main objective is to aid smart contract developers by providing a taxonomy of all known security issues and by inspecting the security code analysis tools used to identify those vulnerabilities. Based on previous research as well as attacks on Ethereum smart contracts, we propose an updated taxonomy which categorizes all known vulnerabilities according to their architectural level and severity level. Our second proposed taxonomy is a novel categorization of security tools on Ethereum. Furthermore, we investigate security code analysis tools on Ethereum by assessing their effectiveness and accuracy. In particular, we analyze four security tools, namely Oyente, Securify, Remix, and SmartCheck. The results indicate that there are overall inconsistencies between the tools on different security properties. SmartCheck outperformed the other tools in terms of effectiveness, whereas Oyente performed the best in terms of accuracy. Furthermore, based on the limitations we identified, we propose future improvements to the user interfaces, the interpretation of results, and additional vulnerability checks.
