This work presents ContractChecker, a Blockchain-based security protocol for verifying the storage consistency between mutually distrusting cloud provider and clients. Unlike existing protocols, the ContractChecker uniquely delegates log auditing to the Blockchain, and has the advantages in reducing client cost and lowering requirements on client availability, lending itself to modern scenarios with mobile and web clients. The ContractChecker collects the logs from both clients and cloud server, and verifies the consistency by cross-checking the logs. By this means, it does not only detect the attacks from malicious clients and server forging their logs, but also is able to mitigate those attacks and recover the system from them. In addition, we design new attacks against ContractChecker exploiting various limits in real Blockchain systems (e.g., write unavailability, Blockchain forks, contract race conditions). We analyze and harden the security of ContractChecker protocols under these proposed new attacks. We implement a functional prototype of the ContractChecker on Ethereum/Solidity. By experiments on private and public Ethereum testnets, we extensively evaluate the cost of the ContractChecker in comparison with that of existing client-based log auditing works. The result shows the ContractChecker can scale to hundreds of clients and save client costs by more than one order of magnitude. The evaluation result verifies our design motivation of delegating log auditing to the Blockchain in Con-tractChecker.More specifically, they make a single party attest to the log of operations (step W1) and send the attested log to individual clients, each of which audits the log against her local operations (W2). In particular, Catena [23] is a novel scheme that makes log attestation based on the Blockchain (W1 on Blockchain), yet still uses clients for log auditing (W2 by clients). These client-based log auditing schemes require high client availability (i.e., all clients have to participate in the protocol execution) and incur high client cost (i.e., a client needs to store the global operation log of all other clients), rendering them ill-suited for applications with a large number of low-end and stateless clients; see § 3.1 for a list of target applications.We propose ContractChecker, a secure Blockchain-based consistency verification protocol. Distinct from existing works, ContractChecker uniquely delegates both log attestation (W1) and log auditing (W2) to the Blockchain. Concretely, ContractChecker runs a program on the Blockchain (i.e., the so-called smart contracts) to collect log attestations from clients and the server and to audit the log there for making the consistency assertion. Comparing existing works, our approach, by delegating log auditing to Blockchain, has the advantage in lowering client availability requirement (i.e., only active clients who interact with the cloud are required to participate in the protocol) and in minimizing client overhead (i.e., a client only maintains her own operations for a li...