Finding The Greedy, Prodigal, and Suicidal Contracts at Scale

Nikolić, Ivica; Kolluri, Aashish; Sergey, Ilya; Saxena, Prateek; Hobor, Aquinas

doi:10.48550/arxiv.1802.06038

Cited by 7 publications

(34 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Destroyable contract: A destroyable contract [140] refers to the smart contract subject to be terminated or killed by an anonymous suicide instruction called by any external user account or another smart contract. The self-destruct function in the smart contract is usually executed by its owner whenever an attack or emergency incident is detected.…”

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

“…Unsecured balance: If the balance of any smart contract is exposed to be drained off by a hacker or anonymous caller, the contract is vulnerable with unsecured balance. It can be caused by the improper access control mechanism for balance variable and constructor functions or updating balance after invoking call instruction to send money to another contract or arbitrary user [140], [65].…”

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

“…Greedy contract: The smart contracts that are remaining active and keep locking Ether balance continuously due to the inability to access the external library contracts to transfer or send fund. These contracts are defined as greedy contracts according to [140]. If the library contracts are terminated or destructed by an arbitrary user either intentionally or accidentally, the contracts that call the external library functions are becoming greedy contract [140].…”

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

“…These contracts are defined as greedy contracts according to [140]. If the library contracts are terminated or destructed by an arbitrary user either intentionally or accidentally, the contracts that call the external library functions are becoming greedy contract [140]. The attackers made the Parity Multisig wallets contracts as greedy contracts by claiming the ownership of the wallet library contracts and subsequently destructed them to freeze the money in the wallet contracts [89].…”

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

“…In some cases, the contracts are transferring money to arbitrary recipients who have never intervened with these contracts and no data about those addresses. In this scenario, the contracts which send fund to the anonymous users are called Prodegal contract [140], since their sending function can be invoked by any user to send fund to the list of addresses by the sender's choice.…”

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

See 4 more Smart Citations

Security Analysis Methods on Ethereum Smart Contract Vulnerabilities: A Survey

Praitheeshan¹,

Pan²,

Yu³

et al. 2019

Preprint

View full text Add to dashboard Cite

Smart contracts are software programs featuring both traditional applications and distributed data storage on blockchains. Ethereum is a prominent blockchain platform with the support of smart contracts. The smart contracts act as autonomous agents in critical decentralized applications and hold a significant amount of cryptocurrency to perform trusted transactions and agreements. Millions of dollars as part of the assets held by the smart contracts were stolen or frozen through the notorious attacks just between 2016 and 2018, such as the DAO attack, Parity Multi-Sig Wallet attack, and the integer underflow/overflow attacks. These attacks were caused by a combination of technical flaws in designing and implementing software codes. However, many more vulnerabilities of less severity are to be discovered because of the scripting natures of the Solidity language and the non-updateable feature of blockchains. Hence, we surveyed 16 security vulnerabilities in smart contract programs, and some vulnerabilities do not have a proper solution. This survey aims to identify the key vulnerabilities in smart contracts on Ethereum in the perspectives of their internal mechanisms and software security vulnerabilities. By correlating 16 Ethereum vulnerabilities and 19 software security issues, we predict that many attacks are yet to be exploited. And we have explored many software tools to detect the security vulnerabilities of smart contracts in terms of static analysis, dynamic analysis, and formal verification. This survey presents the security problems in smart contracts together with the available analysis tools and the detection methods. We also investigated the limitations of the tools or analysis methods with respect to the identified security vulnerabilities of the smart contracts.

show abstract

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

Section: F Other Ethereum Vulnerabilitiesmentioning

confidence: 99%

See 3 more Smart Citations

Security Analysis Methods on Ethereum Smart Contract Vulnerabilities: A Survey

Praitheeshan¹,

Pan²,

Yu³

et al. 2019

Preprint

View full text Add to dashboard Cite

show abstract

sCompile: Critical Path Identification and Analysis for Smart Contracts

Chang

Gao

Xiao

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Smart contracts are an innovation built on top of the blockchain technology. It provides a platform for automatically executing contracts in an anonymous, distributed, and trusted way, which has the potential to revolutionize many industries. The most popular programming language for creating smart contracts is called Solidity, which is supported by Ethereum. Like ordinary programs, Solidity programs may contain vulnerabilities, which potentially lead to attacks. The problem is magnified by the fact that smart contracts, unlike ordinary programs, cannot be patched easily once deployed. It is thus important that smart contracts are checked against potential vulnerabilities.Existing approaches tackle the problem by developing methods which aim to automatically analyze or verify smart contracts. Such approaches often results in false alarms or poor scalability, fundamentally because Solidity is Turing-complete. In this work, we propose an alternative approach to automatically identify critical program paths (with multiple function calls including inter-contract function calls) in a smart contract, rank the paths according to their criticalness, discard them if they are infeasible or otherwise present them with user friendly warnings for user inspection. We identify paths which involve monetary transaction as critical paths, and prioritize those which potentially violate important properties. For scalability, symbolic execution techniques are only applied to top ranked critical paths. Our approach has been implemented in a tool called sCompile, which has been applied to 36,099 smart contracts. The experiment results show that sCompile is efficient, i.e., 5 seconds on average for one smart contract. Furthermore, we show that many known vulnerability can be captured if the user inspects as few as 10 program paths generated by sCompile. Lastly, sCompile discovered 224 unknown vulnerabilities with a false positive rate of 15.4% before user inspection.

show abstract

Basis Path Coverage Criteria for Smart Contract Application Testing

Wang

Xie

et al. 2019

2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)

View full text Add to dashboard Cite

The widespread recognition of the smart contracts has established their importance in the landscape of next generation blockchain technology. However, writing a correct smart contract is notoriously difficult. Moreover, once a state-changing transaction is confirmed by the network, the result is immutable. For this reason, it is crucial to perform a thorough testing of a smart contract application before its deployment. This paper's focus is on the test coverage criteria for smart contracts, which are objective rules that measure test quality. We analyze the unique characteristics of the Ethereum smart contract program model as compared to the conventional program model. To capture essential control flow behaviors of smart contracts, we propose the notions of whole transaction basis path set and bounded transaction interaction. The former is a limited set of linearly independent inter-procedural paths from which the potentially infinite paths of Ethereum transactions can be constructed by linear combination, while the latter is the permutations of transactions within a certain bound. Based on these two notions, we define a family of path-based test coverage criteria. Algorithms are given to the generation of coverage requirements. A case study is conducted to compare the effectiveness of the proposed test coverage criteria with random testing and statement coverage testing.

show abstract

Finding The Greedy, Prodigal, and Suicidal Contracts at Scale

Cited by 7 publications

References 0 publications

Security Analysis Methods on Ethereum Smart Contract Vulnerabilities: A Survey

Security Analysis Methods on Ethereum Smart Contract Vulnerabilities: A Survey

sCompile: Critical Path Identification and Analysis for Smart Contracts

Basis Path Coverage Criteria for Smart Contract Application Testing

Contact Info

Product

Resources

About