34,200 buggy Ethereum smart contracts are in danger, some ‘suicidal,’ study finds

Getting your Trinity Audio player ready...

Using a tool called MAIAN, 2,365 of the vulnerable smart contracts fell to an exploit within ten measly seconds.

Ethereum can’t catch a break: In the midst of a hard fork debate to recover stolen or locked ETH as more and more funds are lost to hacks and bugs on smart contracts, a new study has been released attesting to Ethereum’s glaring vulnerabilities. While the blockchain itself isn’t at risk, the growing number of smart contracts being built on top of it aren’t as rock solid as they should be.

A study conducted by researchers from the National University of Singapore (NUS) and the University College London (UCL) has concluded that 34,200 out of nearly one million smart contracts on Ethereum are vulnerable to attack, with 2,365 of them only needing ten seconds to exploit using an analysis tool they built called MAIAN.

“Our analysis of nearly one million contracts flags 34,200 (2,365 distinct) contracts vulnerable, in 10 seconds per contract,” the researchers wrote in the paper. Their analysis has flagged close to $13.8 million worth of ether at risk at the time they did the study.

Through MAIAN, the researchers were able to classify the trace vulnerabilities into three classes: greedy, prodigal, and suicidal.

The prodigal class covers smart contracts that surrender funds to “arbitrary addresses,” or an address that is not the owner’s and has no previous history with the account—in other words, an attacker. This is common for individual users, and the research says that such a vulnerability can be forced to cough up ETH in as little as a single function invocation.

“The above contract requires a single function invocation to leak its Ether. However, there are examples of contracts which need two or more invocations (calls with specific arguments) to cause a leak,” according to the paper.

The greedy contract, on the other hand, stays alive but freezes the Ether within it and never lets go of the funds—much like the $285 million Parity lock-up. And unfortunately, Parity hits ticks the criteria not only for the greedy contract classification but also the suicidal contract class—which pertains to contracts that can be killed by anyone. Parity’s library contract was accidentally killed by an unwitting user.

As more and more amateur developers and developer-wannabes will probably try to cash in on the cryptocurrency hype, more vulnerabilities can be expected. It’s hard to think of a way to enforce a higher level of standard and quality control in the open network, and investors are suffering the severely expensive consequences. Meanwhile, erring and even blatantly negligent developers are seemingly getting off unscathed, prompting some to call for accountability.

During the height of the Parity mess, blockchain development company Vulcanize engineer Rick Dudley said in an article on CoinDesk: “My thoughts are we should seriously consider as a community what the limit of our forgiveness is. At what point do we have to start ostracizing people for security failures?”