DOI: 10.1145/3543507.3583393
Research article. Artifacts Available / v1.1

Bad Apples: Understanding the Centralized Security Risks in Decentralized Ecosystems

Published: 30 April 2023

ABSTRACT

Blockchain-powered decentralized applications and systems have been widely deployed in recent years. Decentralization promises users anonymity, security, and freedom from censorship, which is especially welcome in decentralized finance and digital assets. From the perspective of most ordinary users, a decentralized ecosystem means that every service follows the principle of decentralization. However, we find that services in a decentralized ecosystem may still contain centralized components or scenarios, such as third-party SDKs and privileged operations, which violate the promise of decentralization and may cause a series of centralized security risks. In this work, we systematically study the centralized security risks present in decentralized ecosystems. Specifically, we identify seven centralized security risks in the deployment of two typical decentralized services, crypto wallets and DApps, such as anonymity loss and overpowered owner. To measure these risks in the wild, we designed an automated detection tool called Naga and carried out large-scale experiments. Based on the measurement of 28 Ethereum crypto wallets (Android version) and 110,506 on-chain smart contracts, the results show that centralized security risks are widespread: up to 96.4% of wallets and 83.5% of contracts have at least one security risk, including 260 well-known tokens with a total market cap of over $98 billion.


Published in

WWW '23: Proceedings of the ACM Web Conference 2023
April 2023
4293 pages
ISBN: 9781450394161
DOI: 10.1145/3543507

Copyright © 2023 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 30 April 2023