Potential Risks of Hyperledger Fabric Smart Contracts

Yamashita, Kazuhiro; Nomura, Yoshihide; Zhou, Ence; Pi, Bingfeng; Sun, Jun

doi:10.1109/iwbose.2019.8666486

Cited by 107 publications

(79 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…There are very few papers [37], [38] focused on security vulnerabilities in Fabric chaincodes. Based on [37] and [38], we summarize primary security vulnerabilities in Fabric chaincodes in Table 3, where we consider Go as the programming language because Go is most widely used in Fabric chaincode development.…”

Section: B Security Vulnerabilities In Fabric Chaincodesmentioning

confidence: 99%

“…Different from common software weaknesses, most security vulnerabilities in Fabric chaincodes arise from the nondeterministic behavior of Go, which may lead to consensus failure. Examples of the vulnerabilities in Table 3 can be found in [38] (e.g., Listing 2 in [38]) or [39] (readers are able to run a demo on the homepage of [39] to get a report that includes examples of nine security vulnerabilities in [37]). Moreover, because Fabric has no native cryptocurrency, it is difficult to determine the severity of these vulnerabilities.…”

Section: B Security Vulnerabilities In Fabric Chaincodesmentioning

confidence: 99%

“…However, due to the lack of a detailed description of Chaincode Scanner, we cannot fully disclose the theory of the tool. Yamashita et al [38] surveyed various artifacts and identified fourteen potential risks in Fabric. They argued that smart contracts written in general-purpose programming languages, such as Go and Java, lack restrictions and are more likely to cause nondeterministic risks.…”

Section: ) Code Analysis Toolsmentioning

confidence: 99%

See 2 more Smart Citations

Smart Contract Security: A Software Lifecycle Perspective

et al. 2019

View full text Add to dashboard Cite

Smart contract security is an emerging research area that deals with security issues arising from the execution of smart contracts in a blockchain system. Generally, a smart contract is a piece of executable code that automatically runs on the blockchain to enforce an agreement preset between parties involved in the transaction. As an innovative technology, smart contracts have been applied in various business areas, such as digital asset exchange, supply chains, crowdfunding, and intellectual property. Unfortunately, many security issues in smart contracts have been reported in the media, often leading to substantial financial losses. These security issues pose new challenges to security research because the execution environment of smart contracts is based on blockchain computing and its decentralized nature of execution. Thus far, many partial solutions have been proposed to address specific aspects of these security issues, and the trend is to develop new methods and tools to automatically detect common security vulnerabilities. However, smart contract security is systematic engineering that should be explored from a global perspective, and a comprehensive study of issues in smart contract security is urgently needed. To this end, we conduct a literature review of smart contract security from a software lifecycle perspective. We first analyze the key features of blockchain that can cause security issues in smart contracts and then summarize the common security vulnerabilities of smart contracts. To address these vulnerabilities, we examine recent advances in smart contract security spanning four development phases: 1) security design; 2) security implementation; 3) testing before deployment; and 4) monitoring and analysis. Finally, we outline emerging challenges and opportunities in smart contract security for blockchain engineers and researchers.

show abstract

Section: B Security Vulnerabilities In Fabric Chaincodesmentioning

confidence: 99%

Section: B Security Vulnerabilities In Fabric Chaincodesmentioning

confidence: 99%

Section: ) Code Analysis Toolsmentioning

confidence: 99%

See 1 more Smart Citation

Smart Contract Security: A Software Lifecycle Perspective

et al. 2019

View full text Add to dashboard Cite

show abstract

“…Yamashita et al [39] identified 14 potential risks resulting from the nondeterminism of the Hyperledger Fabric chaincode written in Golang. These risks are caused by the language instructions, access outside the Blockchain, and other reasons.…”

Section: B Evaluation 1) Chaincode Securitymentioning

confidence: 99%

Cross-Certification Towards Distributed Authentication Infrastructure: A Case of Hyperledger Fabric

et al. 2020

View full text Add to dashboard Cite

In Internet of Things ecosystems, where various entities trade data and data analysis results, public key infrastructure plays an important role in establishing trust relationships between these entities to specify who trusts whose private keys. The owner of a private key is provided with a public key certificate issued by a certificate authority (CA) representing a trusted third party. Although this certificate ensures the reliability of the ecosystem by verifying the data source and preventing the denial of trading, it often causes an overconcentration of trust in a particular CA. Consequently, if that CA is infringed, all the related trust relationships become compromised. The paper proposes a distributed authentication infrastructure called Meta-PKI that decentralizes such overconcentration via a cross-certification procedure performed by multiple CAs. Although cross-certification is capable of establishing mutual trust relationships, it does not evaluate the trustworthiness of other CAs in a standardized manner. Therefore, this paper also proposes a new crosscertification method using a distributed ledger technology for building trust relationships based on unified criteria. It also describes the implementation of a Meta-PKI system for Hyperledger Fabric as a proof of concept. Once trust relationships have been established, it takes approximately 65.7 ms to validate them using the proposed system, which is secure against CA takeover and spoofing by outsider attackers.

show abstract

“…While many smart contract programming languages have been designed with determinism in mind, sometimes general purpose programming languages are used for development [21]. A detailed overview of potential risks of non-determinism and causes can be found in [22]. We consider SOLIDITY language for stateful contracts since it is the most popular smart contract programming languages and generally it was one of the first languages that revealed such weaknesses, unfortunately on its own instance.…”

Section: Smart Contract Weaknessesmentioning

confidence: 99%

Overview of the Languages for Safe Smart Contract Programming

Тюрин¹,

Тюляндин²,

Мальцев³

et al. 2019

Proceedings of ISP RAS

View full text Add to dashboard Cite

Blockchain technologies are gradually being found an application in many areas, especially in FinTech. As a result, a lot of blockchain platforms have emerged with the support of smart contracts that are intended to automate party interactions. However, it has been shown that they are prone to attacks and errors which lead to money loss. To date, there has been a wide range of approaches for making smart contracts safer that included analysis tools, reasoning models, and safer and more rigorous programming languages. In this paper, we provide an overview of smart contract programming languages design principles, related vulnerabilities, and future research areas. The provided overview is meant to outline the to date state of languages and to become a possible basis for future proceedings, and show approaches, used by the community, to reach safe and usable language for smart contracts. We have split all found vulnerabilities by source of their arising. Various languages' characteristics such as abstraction level, paradigm, Turing completeness and main features are summarized in the table. Additional information about languages is provided, e.g. model of execution and tools for static analysis.

show abstract

Potential Risks of Hyperledger Fabric Smart Contracts

Cited by 107 publications

References 17 publications

Smart Contract Security: A Software Lifecycle Perspective

Smart Contract Security: A Software Lifecycle Perspective

Cross-Certification Towards Distributed Authentication Infrastructure: A Case of Hyperledger Fabric

Overview of the Languages for Safe Smart Contract Programming

Contact Info

Product

Resources

About