Security Strengths and Weaknesses of Blockchain Smart Contract System: A Survey

Authors: Malaw Ndiaye, Karim Konate

Abstract:

Smart contracts are computer protocols that facilitate, verify, and execute the negotiation or performance of a contract, or that make a contractual term unnecessary. Blockchain and smart contracts can be used to facilitate almost any financial transaction; thanks to them, the settlement of dividends and coupons could be automated. Because they can hold a great amount of money, smart contracts have become lucrative and profitable targets for attackers. Although widely used in blockchain technology, smart contracts are far from perfect because of security concerns. A series of attacks has been catalogued in the literature, but discussion of, and proposals for, improving security remain scarce. This survey takes stock of smart contract security from a more comprehensive perspective by correlating vulnerability levels with a systematic review of the security levels of smart contracts.

Keywords: Blockchain, bitcoin, smart contract, criminal smart contract, security.

