JingHuey Khor
ABSTRACT
Public blockchains targeting Internet of Things (IoT) are gaining more traction every day with majority of them being built on top of the Ethereum infrastructure. However, a growing number of these blockchains introduces security issues. There are 525 entries already in the Common Vulnerabilities and Exposure database related to Ethereum smart contracts. 479 of them are related to arithmetic errors, which include integer overflow or underflow. This paper, thus, concentrates on analyzing arithmetic vulnerabilities found in existing public blockchains targeted at IoT applications. Furthermore, the performance in terms of security and gas cost of smart contracts is analyzed with and without SafeMath library. In addition, an improved SafeMath library is proposed that has better arithmetic coverage and requires lower gas consumption. Four security tools are used to analyze the arithmetic protection of the improved SafeMath library. The results show that the improved SafeMath library is able to cover 4 more arithmetic operations compared to the original one by using only two common conditions checks and is capable of saving 26 units of gas, which is a significant amount in the long run.
- Vogelsteller, F., Buterin, V.. 2015. ERC-20 token standard. Ethereum.Google Scholar
- Tikhomirov, S., Voskresenskaya, E., Ivanitskiy, I., Takhaviev, R., Marchenko, E., Alexandrov, Y. 2018. SmartCheck: Static analysis of Ethereum smart contracts. In: 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), 27 May-3 June 2018, pp. 9--16Google ScholarDigital Library
- Buterin, V.2017. Vyper. DOI=https://vyper.readthedocs.io/en/latest/.Google Scholar
- Edgington, B. 2017. LLL Introduction. DOI= https://lll-docs.readthedocs.io/en/latest/lll_introduction.html.Google Scholar
- Delmolino, K., Arnett, M., Kosba, A., Miller, A., Shi, E.2015. A programmer's guide to Ethereum and serpent. DOI=https://www.cs.umd.edu/~elaine/smartcontract/guide.pdf.Google Scholar
- Ethereum: Solidity: 2016. Introduction to smart contracts. DOI= https://solidity.readthedocs.io/en/v0.4.24/introduction-to-smart-contracts.html.Google Scholar
- Buterin, V. 2017. PSA: I now consider Serpent outdated tech. DOI = https://twitter.com/vitalikbuterin/status/886400133667201024?lang=en.Google Scholar
- Castor, A. 2017. One of Ethereum's earliest smart contract languages is headed for retirement. DOI=https://www.coindesk.com/one-of-ethereums-earliest-smart-contract-languages-is-headed-for-retirement (2017)Google Scholar
- Wohrer, M., Zdun, U.: Smart contracts. 2018. Security patterns in the ethereum ecosystem and solidity. In: 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), 20--20 March 2018, pp. 2--8.Google ScholarCross Ref
- Diligence, C. 2018. Ethereum smart contract best practices. DOI=https://consensys.github.io/smart-contract-best-practices/known_attacks/Google Scholar
- NCC. 2018. Decentralized application security project - top 10. DOI=https://dasp.co/.Google Scholar
- Wood, G. 2019. Ethereum: A secure decentralised generalised transaction ledger Ethereum.Google Scholar
- Tsankov, P., Dan, A., Drachsler-Cohen, D., Gervais, A., Bunzli, F., Vechev, M. 2018. Securify: Practical security analysis of smart contracts. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, Canada.Google ScholarDigital Library
- Diligence, C. 2018. Mythirl platform: Platform and ecosystem for Ethereum security tools. DOI=https://mythril.ai/files/whitepaper.pdfGoogle Scholar
- Luu, L., Chu, D.-H., Olickel, H., Saxena, P., Hobor, A. 2016. Making smart contracts smarter. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria.Google ScholarDigital Library
- Sen, K., Marinov, D., Agha, G. 2005. CUTE: a concolic unit testing engine for C. SIGSOFT Softw. Eng. Notes 30(5), 263--272. DOI=10.1145/1095430.1081750Google ScholarDigital Library
- Remix. 2018. Ethereum- IDE. DOI=https://remix.readthedocs.io/en/latest/Google Scholar
- Brent, L., Jurisevic, A., Kong, M., Liu, E., Gauthier, F., Gramoli, V., Holz, R., Scholz, B. 2018. Vandal: A scalable security analysis framework for smart contracts. CoRRGoogle Scholar
Index Terms
- An Improved Gas Efficient Library for Securing IoT Smart Contracts Against Arithmetic Vulnerabilities
Recommendations
ContractFuzzer: fuzzing smart contracts for vulnerability detection
ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software EngineeringDecentralized cryptocurrencies feature the use of blockchain to transfer values among peers on networks without central agency. Smart contracts are programs running on top of the blockchain consensus protocol to enable people make agreements while ...
Making Smart Contracts Smarter
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications SecurityCryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has ...
Library Usage Detection in Ethereum Smart Contracts
On the Move to Meaningful Internet Systems: OTM 2019 ConferencesAbstractWe analyze the usage of the SafeMath library on the blockchain with a data set of 6.9 million bytecodes of Ethereum smart contracts. This library provides safe arithmetic operations for contracts. In order to detect smart contracts that make use ...
Comments