A Mechanism to Detect and Prevent Ethereum Blockchain Smart Contract Reentrancy Attacks

On the Ethereum blockchain, smart contracts are immutable, public, and distributed. However, they are subject to many vulnerabilities stemming from coding errors made by developers. Seven cybersecurity incidents occurred in Ethereum smart contracts between 2016 and 2018, leading to financial losses estimated at over US$ 289 million. Reentrancy vulnerabilities caused two of these incidents, and their impact went far beyond financial loss. Several reentrancy countermeasures are available; they are based on predefined patterns intended to prevent exploitation before a smart contract is deployed, but several limitations have been identified in them. Motivated by these issues, the objective of this article is to help developers improve the cybersecurity of smart contracts by proposing a solution that calculates the difference between the contract balance and the total balance of all participants in a smart contract before and after any state-changing operation in a transaction. Proof-of-concept implementations show that this solution can provide a detection and prevention mechanism against reentrancy attacks during the execution of any smart contract.
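The following is an added example, not the paper's own implementation, that models the balance-invariant idea in Python so it can be run offline. A minimal bank contract tracks `delta = contract_eth - sum(participant_balances)`; the monitor records `delta` when a transaction first enters the contract and re-checks it on every nested entry and at exit. A reentrant call arrives in the window where ETH has already left but storage has not been updated, so `delta` has moved and the call reverts. The call-depth bookkeeping, the snapshot-based rollback, the `Bank` API and the sample deposits are assumptions made for this model; the paper's concrete rules may differ.

```python
"""
Runtime balance-invariant check against reentrancy, modelled in Python.
Added example, not the paper's implementation.  Tracked quantity:
    delta = contract_eth - sum(participant_balances)
recorded at the first entry of a transaction, re-checked on every nested
entry and at exit.  Depth counter and snapshot rollback are assumptions.
"""
import copy
from typing import Callable, Dict, Optional


class Revert(Exception):
    """Models an EVM revert; transact() rolls the whole transaction back."""


class Bank:
    """Minimal deposit/withdraw contract with a deliberately unsafe withdraw."""

    def __init__(self, guarded: bool) -> None:
        self.balances: Dict[str, int] = {}   # storage: participant -> credit
        self.eth = 0                         # address(this).balance
        self.guarded = guarded               # enable the invariant monitor
        self._depth = 0                      # nesting of calls into this contract
        self._delta_at_entry: Optional[int] = None

    def _delta(self) -> int:
        return self.eth - sum(self.balances.values())

    def _enter(self) -> None:
        if self._depth == 0:
            self._delta_at_entry = self._delta()        # baseline for this tx
        elif self.guarded and self._delta() != self._delta_at_entry:
            raise Revert("reentrancy: invariant changed mid-transaction")
        self._depth += 1

    def _exit(self) -> None:
        self._depth -= 1
        if self.guarded and self._delta() != self._delta_at_entry:
            raise Revert("balance invariant broken at exit")

    def deposit(self, sender: str, amount: int) -> None:
        self._enter()
        self.eth += amount                   # msg.value arrives with the call
        self.balances[sender] = self.balances.get(sender, 0) + amount
        self._exit()

    def withdraw(self, sender: str, amount: int,
                 receive: Callable[[int], None]) -> None:
        """External call before the storage update: the classic reentrancy bug."""
        self._enter()
        if self.balances.get(sender, 0) < amount:
            raise Revert("insufficient balance")
        self.eth -= amount
        receive(amount)                      # callee runs here and may re-enter
        self.balances[sender] -= amount      # unchecked, as in pre-0.8 Solidity
        self._exit()


def transact(bank: Bank, fn: Callable[[], None]) -> bool:
    """Run fn as one transaction; on Revert restore the snapshot. Returns success."""
    snapshot = copy.deepcopy(bank.__dict__)
    try:
        fn()
        return True
    except Revert:
        bank.__dict__.update(snapshot)
        return False


def run_attack(guarded: bool) -> Dict[str, int]:
    """Mallory deposits 1 and re-enters withdraw while the bank still holds ETH."""
    bank = Bank(guarded)
    transact(bank, lambda: bank.deposit("alice", 10))    # constructed sample state
    transact(bank, lambda: bank.deposit("mallory", 1))
    funded = bank.eth
    attempts = 0

    def fallback(_amount: int) -> None:      # attacker's receive hook
        nonlocal attempts
        if bank.eth >= 1:
            attempts += 1
            bank.withdraw("mallory", 1, fallback)

    ok = transact(bank, lambda: bank.withdraw("mallory", 1, fallback))
    return {"succeeded": int(ok), "attacker_gain": funded - bank.eth,
            "mallory_credit": bank.balances["mallory"], "reentry_attempts": attempts}


def run_honest(guarded: bool) -> Dict[str, int]:
    """A normal withdraw whose receiver does not re-enter passes the monitor."""
    bank = Bank(guarded)
    transact(bank, lambda: bank.deposit("alice", 10))
    ok = transact(bank, lambda: bank.withdraw("alice", 4, lambda _a: None))
    return {"succeeded": int(ok), "bank_eth": bank.eth,
            "alice_credit": bank.balances["alice"]}


if __name__ == "__main__":
    print("unguarded attack:", run_attack(False))   # drained, credit goes negative
    print("guarded attack:  ", run_attack(True))    # first re-entry reverts
    print("guarded honest:  ", run_honest(True))    # ordinary withdraw still works
```

Without the guard the attacker drains all 11 units and Mallory's credit ends at -10; with the guard the first nested entry sees `delta == -1` against a baseline of 0 and reverts, and an honest withdraw passes both the entry and exit checks. The model propagates the nested revert like a `require(success)` on the external call; if a contract ignored the call result instead, the exit check would still fire, because the reverted transfer leaves `contract_eth` unchanged while storage is debited. One caveat the invariant approach carries: anything that moves ETH into the contract outside the accounted paths within the same transaction (a `selfdestruct` targeting it, for example) also shifts `delta` and will be treated as an anomaly.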
