Tech 28 February 2018Cecille de Jesus
34,200 buggy Ethereum smart contracts are in danger, some ‘suicidal,’ study finds
Using a tool called MAIAN, 2,365 of the vulnerable smart contracts fell to an exploit within ten measly seconds.
Ethereum can’t catch a break: In the midst of a hard fork debate to recover stolen or locked ETH as more and more funds are lost to hacks and bugs on smart contracts, a new study has been released attesting to Ethereum’s glaring vulnerabilities. While the blockchain itself isn’t at risk, the growing number of smart contracts being built on top of it aren’t as rock solid as they should be.
A study conducted by researchers from the National University of Singapore (NUS) and the University College London (UCL) has concluded that 34,200 out of nearly one million smart contracts on Ethereum are vulnerable to attack, with 2,365 of them only needing ten seconds to exploit using an analysis tool they built called MAIAN.
“Our analysis of nearly one million contracts flags 34,200 (2,365 distinct) contracts vulnerable, in 10 seconds per contract,” the researchers wrote in the paper. Their analysis has flagged close to $13.8 million worth of ether at risk at the time they did the study.
Through MAIAN, the researchers were able to classify the trace vulnerabilities into three classes: greedy, prodigal, and suicidal.
The prodigal class covers smart contracts that surrender funds to “arbitrary addresses,” or an address that is not the owner’s and has no previous history with the account—in other words, an attacker. This is common for individual users, and the research says that such a vulnerability can be forced to cough up ETH in as little as a single function invocation.
“The above contract requires a single function invocation to leak its Ether. However, there are examples of contracts which need two or more invocations (calls with specific arguments) to cause a leak,” according to the paper.
The greedy contract, on the other hand, stays alive but freezes the Ether within it and never lets go of the funds—much like the $285 million Parity lock-up. And unfortunately, Parity hits ticks the criteria not only for the greedy contract classification but also the suicidal contract class—which pertains to contracts that can be killed by anyone. Parity’s library contract was accidentally killed by an unwitting user.
As more and more amateur developers and developer-wannabes will probably try to cash in on the cryptocurrency hype, more vulnerabilities can be expected. It’s hard to think of a way to enforce a higher level of standard and quality control in the open network, and investors are suffering the severely expensive consequences. Meanwhile, erring and even blatantly negligent developers are seemingly getting off unscathed, prompting some to call for accountability.
During the height of the Parity mess, blockchain development company Vulcanize engineer Rick Dudley said in an article on CoinDesk: “My thoughts are we should seriously consider as a community what the limit of our forgiveness is. At what point do we have to start ostracizing people for security failures?”
Note: Tokens on the Bitcoin Core (segwit) Chain are Referred to as BTC coins. Bitcoin Satoshi Vision (BSV) is today the only Bitcoin implementation that follows Satoshi Nakamoto’s original whitepaper for Peer to Peer Electronic Cash. Bitcoin BSV is the only major public blockchain that maintains the original vision for Bitcoin as fast, frictionless, electronic cash.
Tech 15 January 2019
Accenture leads firms in assessment for blockchain services
Professional services company Accenture was among the firms assessed by Everest Group as most capable of delivering blockchain solutions successfully.
Tech 15 January 2019
Cryptojackers remain biggest malware threat
Cryptocurrency mining remains the most prevalent use for malware distribution, according to the latest study by Check Point Software Technologies Ltd.
Tech 14 January 2019
Smart-card based wallets for a smarter, more secure wallet
Wright points out that a smart-card application tied to a wallet can offer better security for crypto assets while also allowing for private system authentication.