Making Smart Contracts Smarter.

IACR Cryptology ePrint Archive, (2016): 254-269


Abstract

Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs t...

Introduction
  • Decentralized cryptocurrencies have gained considerable interest and adoption since Bitcoin was introduced in 2009 [1].
  • Oyente is a symbolic execution tool exclusively designed to analyze Ethereum smart contracts.
  • The authors provide Oyente, a symbolic execution tool which analyses Ethereum smart contracts to detect bugs.
Highlights
  • Decentralized cryptocurrencies have gained considerable interest and adoption since Bitcoin was introduced in 2009 [1]
  • We investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies
  • We propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable
  • Users in Ethereum have to follow a predefined protocol when participating in the network; we show that there is considerable room for manipulation of
  • Our discussion is restricted to the most popular smart contract platform, Ethereum, but the security problems discussed in this paper may be of wider application to other open distributed application platforms
  • We propose improvements to the operational semantics of Ethereum to fix the security problems discussed in Section 3
Results
  • Consider a scenario where the blockchain is at state σ and the new block includes two transactions (e.g., T_i and T_j) invoking the same contract.
  • The security problem is that a contract may use the block timestamp as a triggering condition to execute some critical operations, e.g., sending money.
  • As the authors show in Section 6, among the first 19,366 contracts, 83 of them depend on the block timestamp to transfer Ether to different addresses.
  • If the call is made via the send instruction, the caller contract should explicitly check the return value to verify if the call has been executed properly.
  • An attacker can prepare a contract to call itself 1023 times before sending a transaction to KoET to claim the throne from the current king.
  • Where ε denotes an empty call stack; exc denotes that an exception has been thrown; and each part of an activation record ⟨M, pc, l, s⟩ has the following meaning: M: the contract code array; pc: the address of the instruction to be executed; l: an auxiliary memory; s: an operand stack.
  • The root cause of the problem is the inconsistency in how exceptions influence the final state, depending on whether a contract method is invoked as a transaction or via the call instruction.
  • A getstate instruction typically pushes a certain “special” value onto the stack: in particular, the current timestamp, block id, remaining gas, current balance, or this contract’s own address.
  • It answers whether the contract has any security problems (e.g., TOD, timestamp-dependence, mishandled exceptions), outputting “problematic” symbolic paths to the users.
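A toy model of the two findings above (a failed send that the caller never checks, and the different effect an exception has at the transaction boundary versus inside a nested call), written as an added example that is not code from the paper or from Oyente; the depth limit, the address names and the throne contract's bookkeeping are constructed assumptions.

```python
import copy
from dataclasses import dataclass

CALL_DEPTH_LIMIT = 1024  # assumed: a nested call deeper than this fails

class Revert(Exception):
    """Transaction-level exception: the whole transaction is rolled back."""

@dataclass
class World:
    balances: dict      # address -> Ether balance (constructed sample state)
    king: str           # current holder of the throne
    depth: int = 0      # call-stack depth at which the contract is running

def send(world, frm, to, amount):
    """Model of the send instruction: returns 1 on success and 0 on failure
    (call-stack limit or insufficient balance) instead of aborting the caller."""
    if world.depth + 1 > CALL_DEPTH_LIMIT or world.balances.get(frm, 0) < amount:
        return 0
    world.balances[frm] -= amount
    world.balances[to] = world.balances.get(to, 0) + amount
    return 1

def claim_throne_unchecked(world, claimant, value):
    """Vulnerable pattern: the payment is accepted, the payout to the old king
    is attempted, and the return value of send is ignored."""
    world.balances[claimant] -= value
    world.balances["throne"] = world.balances.get("throne", 0) + value
    send(world, "throne", world.king, value)  # a failure here goes unnoticed
    world.king = claimant

def claim_throne_checked(world, claimant, value):
    """Mitigated pattern: a failed send is escalated to a transaction exception,
    so the throne never changes hands without the old king being paid."""
    world.balances[claimant] -= value
    world.balances["throne"] = world.balances.get("throne", 0) + value
    if send(world, "throne", world.king, value) == 0:
        raise Revert("payout to the previous king failed")
    world.king = claimant

def run_transaction(world, fn, *args):
    """Transaction boundary: a Revert restores the pre-transaction state.
    Returns (committed, world_after)."""
    before = copy.deepcopy(world)
    try:
        fn(world, *args)
        return True, world
    except Revert:
        return False, before
```

Running both variants with the contract at the depth limit shows the difference: the unchecked version commits a new king while the old king's payout silently fails and the Ether stays in the contract; the checked version reverts to the pre-transaction state.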
Conclusion
  • As an example of a false positive, Figure 15 shows a case where there are two separate flows of Ether, but the order of their execution does not change the outcome of the contract.
  • The authors check if timestamp is included in the path condition of a flow of Ether, such that manipulation of the block timestamp would result in a different payout or recipient from the contract.
  • If a user invokes PonziGovernMental when it is close to 12 hours since the last deposit, the miner can set the block timestamp to make the condition in Line 5 either valid or invalid.
Tables
  • Table1: Operational Semantics of call and return. EXC stands for “Exception”
  • Table2: Operational Semantics of EtherLite. EXC stands for “Exception”
Related work
  • Smart Contract Security. Delmolino et al. [14] show that even a simple self-constructed contract (e.g., “Rock, Paper, Scissors”) can contain several logic problems, including:
    • Contracts do not refund. Some contracts proceed further only if users send a certain amount of Ether. However, these contracts sometimes “forget” to refund users if users send less than what is required.
    • Lack of cryptography to achieve fairness. Some contracts perform computation based on users’ inputs to decide the outcome (e.g., rolling a die). However, those contracts store users’ inputs in plaintext on the blockchain. Thus, malicious users can submit inputs biased in their favor.
Funding
  • This work is supported by the Ministry of Education, Singapore under Grant No R-252000-560-112 and in part by Yale-NUS College under Grant No R-607-265-045-121
References
  • [1] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. bitcoin.org, 2009.
  • [2] Ethereum Foundation. Ethereum’s white paper. https://github.com/ethereum/wiki/wiki/White-Paper, 2014.
  • [3] A. Miller, A. Juels, E. Shi, B. Parno, and J. Katz. Permacoin: Repurposing Bitcoin work for long-term data preservation. IEEE Security and Privacy, 2014.
  • [4] Use case for factom: The world’s first blockchain operating system (bos). http://kencode.de/projects/ePlug/Factom-Linux-Whitepaper.pdf, Feb 2015.
  • [5] Nick Szabo. The idea of smart contracts. http://szabo.best.vwh.net/smart_contracts_idea.html, 1997.
  • [6] Loi Luu, Jason Teutsch, Raghav Kulkarni, and Prateek Saxena. Demystifying incentives in the consensus computer. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS ’15, pages 706–719. ACM, 2015.
  • [7] EtherDice smart contract is down for maintenance. https://www.reddit.com/r/ethereum/comments/47f028/etherdice_is_down_for_maintenance_we_are_having/.
  • [8] RSK Labs. Rootstock: Smart contracts platform powered by Bitcoin. http://www.rootstock.io/, 2015.
  • [9] Counterparty platform. http://counterparty.io/, 2015.
  • [10] James C. Corbett, Jeffrey Dean, Michael Epstein, Andrew Fikes, Christopher Frost, J. J. Furman, Sanjay Ghemawat, Andrey Gubarev, Christopher Heiser, Peter Hochschild, Wilson Hsieh, Sebastian Kanthak, Eugene Kogan, Hongyi Li, Alexander Lloyd, Sergey Melnik, David Mwaura, David Nagle, Sean Quinlan, Rajesh Rao, Lindsay Rolig, Yasushi Saito, Michal Szymaniak, Christopher Taylor, Ruth Wang, and Dale Woodford. Spanner: Google’s globally distributed database. ACM Trans. Comput. Syst., Aug 2013.
  • [11] Jason Baker, Chris Bond, James C. Corbett, JJ Furman, Andrey Khorlin, James Larson, Jean-Michel Leon, Yawei Li, Alexander Lloyd, and Vadim Yushprakh. Megastore: Providing scalable, highly available storage for interactive services. In Proceedings of the Conference on Innovative Data Systems Research (CIDR), pages 223–234, 2011.
  • [12] KingOfTheEtherThrone smart contract. https://github.com/kieranelby/KingOfTheEtherThrone/blob/v0.4.0/contracts/KingOfTheEtherThrone.sol.
  • [13] GovernMental’s 1100 ETH payout is stuck because it uses too much gas. https://www.reddit.com/r/ethereum/comments/4ghzhv/governmentals_1100_eth_jackpot_payout_is_stuck/.
  • [14] Kevin Delmolino, Mitchell Arnett, Ahmed Kosba, Andrew Miller, and Elaine Shi. Step by step towards creating a safe smart contract: Lessons and insights from a cryptocurrency lab. Cryptology ePrint Archive, Report 2015/460, 2015. http://eprint.iacr.org/.
  • [15] Gavin Wood. Ethereum: A secure decentralised generalised transaction ledger. http://gavwood.com/paper.pdf, 2014.
  • [16] Ethereum Foundation. The Solidity contract-oriented programming language. https://github.com/ethereum/solidity.
  • [17] Ethereum Foundation. The Serpent contract-oriented programming language. https://github.com/ethereum/serpent.
  • [18] Oyente project page. https://www.comp.nus.edu.sg/~loiluu/oyente.html.
  • [19] TheDAO smart contract. http://etherscan.io/address/0xbb9bc244d798123fde783fcc1c72d3bb8c189413#code.
  • [20] EtherEx: A fully decentralized cryptocurrency exchange. https://etherex.org/.
  • [21] EtherOpt: A decentralized options exchange. http://etheropt.github.io/.
  • [22] The Run smart contract. https://etherscan.io/address/0xcac337492149bdb66b088bf5914bedfbf78ccc18.
  • [23] Ethereum Foundation. Block validation algorithm. https://github.com/ethereum/wiki/wiki/BlockProtocol-2.0#block-validation-algorithm.
  • [24] Andrew Miller, Brian Warner, and Nathan Wilcox. Gas economics. https://github.com/LeastAuthority/ethereum-analyses/blob/master/GasEcon.md.
  • [25] Protect The Castle Contract. http://protect-the-castle.ether-contract.org/.
  • [26] GovernMental Smart Contract. http://governmental.github.io/GovernMental/.
  • [27] Ahmed Kosba, Andrew Miller, Elaine Shi, Zikai Wen, and Charalampos Papamanthou. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In Proceedings of the 2016 IEEE Symposium on Security and Privacy, SP ’16. IEEE Computer Society, 2016.
  • [28] Lottopolo smart contract. https://etherchain.org/account/0x0155ce35fe73249fa5d6a29f3b4b7b98732eb2ed.
  • [29] Random number generator contract. https://github.com/randao/randao.
  • [30] Joseph Bonneau, Jeremy Clark, and Steven Goldfeder. On Bitcoin as a public randomness source. Cryptology ePrint Archive, Report 2015/1015, 2015. http://eprint.iacr.org/.
  • [31] James C. King. Symbolic execution and program testing. Commun. ACM, 19(7):385–394.
  • [32] Patrick Cousot and Radhia Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pages 238–252, New York, NY, USA, 1977. ACM.
  • [33] Microsoft Corporation. The Z3 theorem prover. https://github.com/Z3Prover/z3.
  • [34] The Ethereum block explorer. https://etherscan.io/.
  • [35] The Ethereum network stats. https://etherchain.org/.
  • [36] Peter Borah. Token with invariants - vulnerable contracts in Ethereum. https://github.com/PeterBorah/smart-contract-security-examples/blob/7d7ef27b12f15318871c44512b70737176d23c5f/contracts/TokenWithInvariants.sol.
  • [37] Peter Vessenes. More Ethereum attacks: Race-to-empty is the real deal. http://vessenes.com/more-ethereum-attacks-race-toempty-is-the-real-deal/.
  • [38] Alexandre Naverniouk. EtherID: Ethereum name registrar. http://etherid.org/.
  • [39] Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine Shi. Town Crier: An authenticated data feed for smart contracts. Cryptology ePrint Archive, Report 2016/168, 2016. http://eprint.iacr.org/.
  • [40] Ari Juels, Ahmed Kosba, and Elaine Shi. The ring of Gyges: Investigating the future of criminal smart contracts. Cryptology ePrint Archive, Report 2016/358, 2016. http://eprint.iacr.org/.
  • [41] Philip A. Bernstein and Nathan Goodman. Concurrency control in distributed database systems. ACM Comput. Surv., 13(2):185–221, June 1981.
  • [42] Friedemann Mattern. Virtual time and global states of distributed systems. In Parallel and Distributed Algorithms, pages 215–226. North-Holland, 1989.
  • [43] C. J. Fidge. Timestamps in message-passing systems that preserve the partial ordering. Proceedings of the 11th Australian Computer Science Conference, 10(1):56–66, 1988.
  • [44] Leslie Lamport. Time, clocks, and the ordering of events in a distributed system. Commun. ACM, pages 558–565, July 1978.
  • [45] Andrew Koenig and Bjarne Stroustrup. Exception handling for C++. Journal of Object-Oriented Programming, 3(2):16–33, 1990.
  • [46] Robin Milner, Mads Tofte, and David MacQueen. The Definition of Standard ML. MIT Press, Cambridge, MA, USA, 1997.