EtherClue: Digital investigation of attacks on Ethereum smart contracts

Programming errors in Ethereum smart contracts can result in catastrophic financial losses from stolen cryptocurrency. While vulnerability detectors can prevent vulnerable contracts from being deployed, this does not mean that such contracts will not be deployed. Once a vulnerable contract is instantiated on the blockchain and becomes the target of attacks, identifying exploit transactions becomes indispensable for assessing whether the contract has actually been exploited and which malicious or subverted accounts were involved. In this work, we study the problem of post-factum investigation of Ethereum attacks using Indicators of Compromise (IoCs) specially crafted for use in the blockchain. IoC definitions need to capture the side-effects of successful exploitation in the context of the Ethereum blockchain. Therefore, we define a model for smart contract execution comprising multiple abstraction levels that mirror the multiple views of code execution on a blockchain. Subsequently, we compare IoCs defined across the different levels in terms of their effectiveness and practicality through EtherClue, a prototype tool for investigating Ethereum security incidents. Our results illustrate that coarse-grained IoCs defined over blocks of transactions can detect exploit transactions with less computation; however, they are contract-specific and suffer from false negatives. On the other hand, fine-grained IoCs defined over virtual machine instructions can avoid these pitfalls at the expense of increased computation, yet they remain applicable for practical use.
