A Survey on Ethereum Systems Security: Vulnerabilities, Attacks and Defenses

Chen, Huashan; Pendleton, Marcus; Njilla, Laurent; Xu, Shouhuai

doi:10.48550/arxiv.1908.04507

Cited by 8 publications

(16 citation statements)

References 91 publications

(119 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The latter could include not only the cases where Ether is locked indefinitely, but also cases of Honeypots as defined by Torres et al [41] (since Ether becomes locked, except for the attacker). Our findings suggest new categories comparable to those proposed in the recent survey by Chen et al [10] (available online on August 13, 2019).…”

Section: Practical Implications and Challengessupporting

confidence: 91%

See 1 more Smart Citation

Empirical Review of Automated Analysis Tools on 47,587 Ethereum Smart Contracts

Durieux,

Ferreira,

Abreu

et al. 2019

Preprint

View full text Add to dashboard Cite

Over the last few years, there has been substantial research on automated analysis, testing, and debugging of Ethereum smart contracts. However, it is not trivial to compare and reproduce that research.To address this, we present an empirical evaluation of 9 state-of-theart automated analysis tools using two new datasets: i) a dataset of 69 annotated vulnerable smart contracts that can be used to evaluate the precision of analysis tools; and ii) a dataset with all the smart contracts in the Ethereum Blockchain that have Solidity source code available on Etherscan (a total of 47,518 contracts). The datasets are part of SmartBugs, a new extendable execution framework that we created to facilitate the integration and comparison between multiple analysis tools and the analysis of Ethereum smart contracts. We used SmartBugs to execute the 9 automated analysis tools on the two datasets. In total, we ran 428,337 analyses that took approximately 564 days and 3 hours, being the largest experimental setup to date both in the number of tools and in execution time. We found that only 42% of the vulnerabilities from our annotated dataset are detected by all the tools, with the tool Mythril having the higher accuracy (27%). When considering the largest dataset, we observed that 97% of contracts are tagged as vulnerable, thus suggesting a considerable number of false positives. Indeed, only a small number of vulnerabilities (and of only two categories) were detected simultaneously by four or more tools. CCS CONCEPTS• Software and its engineering → Software defect analysis; Software testing and debugging.

show abstract

Section: Practical Implications and Challengessupporting

confidence: 91%

“…The second provider was Google Cloud 10 , where we also used three servers with 32 vCPUs with 30GB of RAM. We spent 1038.46 e with Google Cloud.…”

Section: Tools' Setupmentioning

confidence: 99%

Empirical Review of Automated Analysis Tools on 47,587 Ethereum Smart Contracts

Durieux,

Ferreira,

Abreu

et al. 2019

Preprint

View full text Add to dashboard Cite

show abstract

“…Moreover, the authors of this paper deal with cryptojacking attacks, which, however, are out-of-thescope for our reference architecture, as they are not related to the infrastructure of the involved parties we consider (see Section III-A). Chen et al [94] propose a 4-layer model similar to ours, which is used to study vulnerabilities in Ethereum. The authors identify 44 vulnerabilities, 26 attacks, and 47 defenses in total.…”

Section: Related Workmentioning

confidence: 99%

The Security Reference Architecture for Blockchains: Towards a Standardized Model for Studying Vulnerabilities, Threats, and Defenses

Homoliak,

Venugopalan,

Hum

et al. 2019

Preprint

View full text Add to dashboard Cite

Due to their specific features, such as decentralization and immutability, blockchains have become popular in recent years. Blockchains are full-stack distributed systems in terms of realization, where security is a critical factor for their success. However, despite increasing popularity and adoption, there is a lack of standardized models to study security threats related to blockchains in a similar fashion as was done, e.g., in the area of cloud computing [236], [384]. To fill this gap, the main focus of our work is to systematize the knowledge about security and privacy aspects of blockchains, and thus contribute to the standardization of this domain.To this end, we propose the security reference architecture for blockchains, which utilizes a stacked model (similar to the ISO/OSI) that demonstrates the nature and hierarchy of various security and privacy threats. The model contains four layers:(1) the network layer, (2) the consensus layer, (3) the replicated state machine layer, and (4) the application layer. At each of these layers, we identify known security threats, their origin as well as mitigation techniques or countermeasures. Although a similar model has already been used in previous work to serve as a general outline of the blockchain infrastructure, we adapt it for the purpose of studying security threats in this domain. Further, we propose a blockchain-specific version of the threat-risk assessment standard ISO/IEC 15408 by embedding the stacked model into this standard. Finally, following our stacked model and its categorization, we provide an extensive survey of blockchain-oriented and related research as well as its applications.

show abstract

“…Security Tools, Frameworks, and Design Patterns We complement our results on security issues by studying the smart contract developers' awareness of security tools (e.g., which tools they ask about or suggest in answers). We compile a comprehensive list of security tools based on relevant evaluation and survey papers (e.g., [13,28,9,34,23,46]) and other sources (e.g., [12]), and search for mentions of the following (in alphabetical order): ContractFuzzer [25], Con-tractLarva [15], echidna 6 , EtherTrust [21], EthIR, Ethlint (formerly known as Solium) 7 , FSolidM [36], MAIAN [43], Manticore [39], Mythril (as well as the service MythX and the client Mythos) [40], Octopus 8 , Osiris [52], Oyente [35], Rattle [49], ReGuard [33], SASC [60], sCompile [8], Securify [54], Slither [18], Smar-tAnvil [14], SmartCheck [51], solcheck 9 , solgraph 10 , solint 11 , Solhint 12 , SonarSolidity 13 , Sūrya (also spelled as Surya) 14 , teEther [29], Vandal [7], VeriSolid [38], VerX [47], VULTRON [56], Zeus [27]. Note that our goal is not to evaluate or compare the technical quality of these tools and frameworks (for that we refer the reader to surveys, e.g., [46]); we are only interested in whether they are discussed by developers.…”

Section: Security Issues and Tools (Q2)mentioning

confidence: 99%

“…While the technical capabilities of these tools and frameworks have been evaluated by multiple surveys (e.g., [13,28,9,34,23]), relatively little is known about whether developers use them in practice or even whether developers are aware of them. In fact, to the best of our knowledge, no prior work has studied the smart contract developers' awareness of security issues and tools or about which issues they are most concerned.…”

Section: Introductionmentioning

confidence: 99%

Smart Contract Development from the Perspective of Developers: Topics and Issues Discussed on Social Media

Ayman¹,

Roy²,

Alipour³

et al. 2019

Preprint

View full text Add to dashboard Cite

Blockchain-based platforms are emerging as a transformative technology that can provide reliability, integrity, and auditability without trusted entities. One of the key features of these platforms is the trustworthy decentralized execution of general-purpose computation in the form of smart contracts, which are envisioned to have a wide range of applications. As a result, a rapidly growing and active community of smart-contract developers has emerged in recent years. A number of research efforts have investigated the technological challenges that these developers face, introducing a variety of tools, languages, and frameworks for smart-contract development, focusing on security. However, relatively little is known about the community itself, about the developers, and about the issues that they face and discuss. To address this gap, we study smart-contract developers and their discussions on two social media sites, Stack Exchange and Medium. We provide insight into the trends and key topics of these discussions, into the developers' interest in various security issues and security tools, and into the developers' technological background.

show abstract

A Survey on Ethereum Systems Security: Vulnerabilities, Attacks and Defenses

Cited by 8 publications

References 91 publications

Empirical Review of Automated Analysis Tools on 47,587 Ethereum Smart Contracts

Empirical Review of Automated Analysis Tools on 47,587 Ethereum Smart Contracts

The Security Reference Architecture for Blockchains: Towards a Standardized Model for Studying Vulnerabilities, Threats, and Defenses

Smart Contract Development from the Perspective of Developers: Topics and Issues Discussed on Social Media

Contact Info

Product

Resources

About