A Survey of Attacks on Ethereum Smart Contracts (SoK)

Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.

[1]  M. Bishop Vulnerabilities Analysis , 1967 .

[2]  Carl E. Landwehr,et al.  A taxonomy of computer program security flaws , 1993, CSUR.

[3]  Matt Bishop,et al.  A Taxonomy of UNIX System and Network Vulnerabilities , 1997 .

[4]  Nick Szabo,et al.  Formalizing and Securing Relationships on Public Networks , 1997, First Monday.

[5]  Moni Naor,et al.  Timed Commitments , 2000, CRYPTO.

[6]  Lawrence Charles Paulson,et al.  Isabelle/HOL: A Proof Assistant for Higher-Order Logic , 2002 .

[7]  Frank Piessens,et al.  A taxonomy of causes of software vulnerabilities in Internet software , 2002 .

[8]  S. Nakamoto,et al.  Bitcoin: A Peer-to-Peer Electronic Cash System , 2008 .

[9]  Marcin Andrychowicz,et al.  Secure Multiparty Computations on Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[10]  Daniel Davis Wood,et al.  ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .

[11]  Vitalik Buterin A NEXT GENERATION SMART CONTRACT & DECENTRALIZED APPLICATION PLATFORM , 2015 .

[12]  Jason Teutsch,et al.  Demystifying Incentives in the Consensus Computer , 2015, CCS.

[13]  Aviv Zohar,et al.  Secure High-Rate Transaction Processing in Bitcoin , 2015, Financial Cryptography.

[14]  Aggelos Kiayias,et al.  The Bitcoin Backbone Protocol: Analysis and Applications , 2015, EUROCRYPT.

[15]  Jeremy Clark,et al.  On Bitcoin as a public randomness source , 2015, IACR Cryptol. ePrint Arch..

[16]  Elaine Shi,et al.  Step by Step Towards Creating a Safe Smart Contract: Lessons and Insights from a Cryptocurrency Lab , 2016, Financial Cryptography Workshops.

[17]  Christopher D. Clack,et al.  Smart Contract Templates: foundations, design landscape and research directions , 2016, ArXiv.

[18]  Arthur Gervais,et al.  Ethereum Eclipse Attacks , 2016 .

[19]  Ingo Weber,et al.  New kids on the block: an analysis of modern blockchains , 2016, ArXiv.

[20]  Nikhil Swamy,et al.  Formal Verification of Smart Contracts: Short Paper , 2016, PLAS@CCS.

[21]  Survey on Blockchain Technologies and Related Services FY2015 Report , 2016 .

[22]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[23]  Hubert Ritzdorf,et al.  On the Security and Performance of Proof of Work Blockchains , 2016, IACR Cryptol. ePrint Arch..

[24]  Ari Juels,et al.  Setting Standards for Altering and Undoing Smart Contracts , 2016, RuleML.

[25]  K. Bhargavan,et al.  : Formal Verification of Smart Contracts , 2016 .

[26]  R. Brown,et al.  Corda : An Introduction , 2016 .

[27]  Christopher K. Frantz,et al.  From Institutions to Code: Towards Automated Generation of Smart Contracts , 2016, 2016 IEEE 1st International Workshops on Foundations and Applications of Self* Systems (FAS*W).

[28]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.

[29]  Cécile Pierrot,et al.  Malleability of the blockchain’s entropy , 2016, Cryptography and Communications.

[30]  Emin Gün Sirer,et al.  Majority is not enough , 2013, Financial Cryptography.