Skip to main content
SpringerLink
Log in

An Extensive Security Analysis on Ethereum Smart Contracts

  • Conference paper
  • First Online:
Security and Privacy in Communication Networks (SecureComm 2021)

  • 1240 Accesses

Abstract

Smart contracts have extensive applications in various emerging domains such as IoT, 5G networks, and finance. In this regard, the Ethereum platform has provided the capability of running smart contracts on its distributed infrastructure. Smart contracts are small programs that describe a set of rules for supervising associated funds, often written in a Turing-complete programming language called Solidity. Furthermore, Ethereum is currently one of the most extensive cryptocurrencies next to Bitcoin. This provides an extraordinary opportunity for attackers to exploit potential zero-day vulnerabilities in this ecosystem that are tightly twisted with financial gain. Consequently, this paper introduces a practical framework called “EthFuzz” to identify vulnerabilities and generate concrete exploits for the Ethereum ecosystem. Our system works through a graph-based method in combination with dynamic symbolic execution. Moreover, our proposed framework can tackle the path explosion problem in its symbolic execution engine. To prove our approach’s usefulness, we could successfully identify and generate 26,015 exploits out of 207,412 exploitable paths, within 1,000,000 real-world smart contracts on the Ethereum live blockchain network.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

We’re sorry, something doesn't seem to be working properly.

Please try refreshing the page. If that doesn't work, please contact support so we can address the problem.

References

  1. Bytecode to opcode disassembler – etherscan. https://etherscan.io/opcode-tool. Accessed 2 Feb 2020

  2. Github - comaeio/porosity: *unmaintained* decompiler and security analysis tool for blockchain-based ethereum smart-contracts. https://github.com/comaeio/porosity. Accessed 7 May 2020

  3. Openzeppelin/openzeppelin-contracts: Openzeppelin contracts is a library for secure smart contract development. https://github.com/OpenZeppelin/openzeppelin-contracts. Accessed 29 Jan 2021

  4. Oyente. https://github.com/melonproject/oyente. Accessed 11 Aug 2019

  5. Paritytech/parity-ethereum: The fast, light, and robust EVM and WASM client. https://github.com/paritytech/parity-ethereum. Accessed 2 July 2019

  6. Ashouri, M.: Kaizen: a scalable concolic fuzzing tool for scala. In: Proceedings of the 11th ACM SIGPLAN International Symposium on Scala, pp. 25–32 (2020)

    Google Scholar 

  7. Atzei, N., Bartoletti, M., Cimoli, T.: A survey of attacks on ethereum smart contracts (SoK). In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 164–186. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_8

    Chapter  Google Scholar 

  8. Parity Authors. Ethereum rust client (2017)

    Google Scholar 

  9. Baldoni, R., Coppa, E., D’elia, D.C., Demetrescu, C., Finocchi, I.: A survey of symbolic execution techniques. ACM Comput. Surv. (CSUR) 51(3), 1–39 (2018)

    Article  Google Scholar 

  10. Bellard, F.: QEMU, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, FREENIX Track, vol. 41, p. 46 (2005)

    Google Scholar 

  11. Birrell, A.D., Nelson, B.J.: Implementing remote procedure calls. In: Proceedings of the Ninth ACM Symposium on Operating Systems Principles, p. 3 (1983)

    Google Scholar 

  12. Brent, L.: Vandal: a scalable security analysis framework for smart contracts. arXiv preprint arXiv:1809.03981 (2018)

  13. Dannen, C.: Introducing Ethereum and Solidity. Apress, Berkeley (2017). https://doi.org/10.1007/978-1-4842-2535-6

    Book  Google Scholar 

  14. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24

    Chapter  Google Scholar 

  15. Grech, N., Kong, M., Jurisevic, A., Brent, L., Scholz, B., Smaragdakis, Y.: Madmax: surviving out-of-gas conditions in ethereum smart contracts. Proc. ACM Program. Lang. 2(OOPSLA), 116 (2018)

    Google Scholar 

  16. Huh, S., Cho, S., Kim, S.: Managing IoT devices using blockchain platform. In: 2017 19th International Conference on Advanced Communication Technology (ICACT), pp. 464–467. IEEE (2017)

    Google Scholar 

  17. Kalra, S., Goel, S., Dhawan, M., Sharma, S.: Zeus: analyzing safety of smart contracts. In: NDSS, pp. 1–12 (2018)

    Google Scholar 

  18. Krupp, J., Rossow, C.: Teether: gnawing at ethereum to automatically exploit smart contracts. In: 27th USENIX Security Symposium (USENIX Security 2018), pp. 1317–1333 (2018)

    Google Scholar 

  19. Law, A.: Smart contracts and their application in supply chain management. Ph.D. thesis, Massachusetts Institute of Technology (2017)

    Google Scholar 

  20. Liu, C., et al.: ReGuard: finding reentrancy bugs in smart contracts. In: Proceedings of the 40th International Conference on Software Engineering: Companion Proceedings, pp. 65–68. ACM (2018)

    Google Scholar 

  21. Liu, H., Liu, C., Zhao, W., Jiang, Y., Sun, J.: S-gram: towards semantic-aware security auditing for ethereum smart contracts. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 814–819. ACM (2018)

    Google Scholar 

  22. Vivar, A.L., Castedo, A.T., Orozco, A.L.S., Villalba, L.J.G.: Smart contracts: a review of security threats alongside an analysis of existing solutions. Entropy 22(2), 203 (2020)

    Article  Google Scholar 

  23. Nguyen, D.C., Pathirana, P.N., Ding, M., Seneviratne, A.: Blockchain for 5G and beyond networks: a state of the art survey. arXiv preprint arXiv:1912.05062 (2019)

  24. Nikolić, I., Kolluri, A., Sergey, I., Saxena, P., Hobor, A.: Finding the greedy, prodigal, and suicidal contracts at scale. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 653–663 (2018)

    Google Scholar 

  25. Palladino, S.: The parity wallet hack explained, July 2017. https://blog.zeppelin.solutions

  26. Perez, D., Livshits, B.: Smart contract vulnerabilities: does anyone care? arXiv preprint arXiv:1902.06710 (2019)

  27. Qureshi, H.: A hacker stole 31 m of ether–how it happened, and what it means for ethereum. Freecodecamp.org, 20 July 2017

  28. Sirer, E.G.: Thoughts on the DAO hack. Hacking 17 July 2016

    Google Scholar 

  29. Szabo, N.: Smart contracts: building blocks for digital markets. EXTROPY J. Transhumanist Thought 16, 18:2 (1996)

    Google Scholar 

  30. Tsankov, P., et al.: Securify: practical security analysis of smart contracts. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 67–82. ACM (2018)

    Google Scholar 

  31. Whaley, J., Avots, D., Carbin, M., Lam, M.S.: Using datalog with binary decision diagrams for program analysis. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 97–118. Springer, Heidelberg (2005). https://doi.org/10.1007/11575467_8

    Chapter  Google Scholar 

  32. Yamaguchi, F., Golde, N., Arp, D., Rieck, K.: Modeling and discovering vulnerabilities with code property graphs. In: 2014 IEEE Symposium on Security and Privacy, pp. 590–604. IEEE (2014)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Cyber Security, Saint Pölten University of Applied Sciences, Saint Pölten, Austria

    Mohammadreza Ashouri

Authors
  1. Mohammadreza Ashouri
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohammadreza Ashouri .

Editor information

Editors and Affiliations

  1. Télécom SudParis, Institut Polytechnique de Paris, Palaiseau, France

    Joaquin Garcia-Alfaro

  2. University of Kent Canterbury, Canterbury, Kent, UK

    Shujun Li

  3. University of Washington, Seattle, WA, USA

    Radha Poovendran

  4. Télécom SudParis, Institut Polytechnique de Paris, Palaiseau, France

    Hervé Debar

  5. Google Inc., New York, NY, USA

    Moti Yung

Appendices

Appendix A

Re-Entrancy Attack

Ethereum Virtual Machine (EVM) establishes a machine language called EVM bytecode, which includes approximately 150 opcodes [13]. Unlike memory, storage perseveres beyond the execution history of a contract. Indeed it is stored as a part of the global blockchain state. The EVM also states specific instructions to access transactions’ fields, modify the contract’s private storage, examine the current blockchain state, and even create additional transactions. It should be highlighted that the original Ethereum paper [28] differentiates between transactions, which are signed by regular accounts, and messages, which are not. Note that the EVM only implements integer arithmetic and cannot handle floating-point values.

In addition to the persistent storage and 256-bit word stack, the EVM also executes a byte-addressable memory, which serves as an input and output buffer to different instructions. For instance, the SHA3 instruction, which calculates a Keccak-256 hash over variable-length data, reads its input from memory, where two stack arguments present both the memory location and length of the input. The memory content is not endured between contract executions, and it is invariably set to “zero” at the opening of each execution.

Rights and permissions

Reprints and permissions

Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ashouri, M. (2021). An Extensive Security Analysis on Ethereum Smart Contracts. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 398. Springer, Cham. https://doi.org/10.1007/978-3-030-90019-9_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-90019-9_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90018-2

  • Online ISBN: 978-3-030-90019-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation