Tech 28 February 2018

Cecille de Jesus

34,200 buggy Ethereum smart contracts are in danger, some ‘suicidal,’ study finds

Using a tool called MAIAN, 2,365 of the vulnerable smart contracts fell to an exploit within ten measly seconds.

Ethereum can’t catch a break: In the midst of a hard fork debate to recover stolen or locked ETH as more and more funds are lost to hacks and bugs on smart contracts, a new study has been released attesting to Ethereum’s glaring vulnerabilities. While the blockchain itself isn’t at risk, the growing number of smart contracts being built on top of it aren’t as rock solid as they should be.

A study conducted by researchers from the National University of Singapore (NUS) and the University College London (UCL) has concluded that 34,200 out of nearly one million smart contracts on Ethereum are vulnerable to attack, with 2,365 of them only needing ten seconds to exploit using an analysis tool they built called MAIAN.

“Our analysis of nearly one million contracts flags 34,200 (2,365 distinct) contracts vulnerable, in 10 seconds per contract,” the researchers wrote in the paper. Their analysis has flagged close to $13.8 million worth of ether at risk at the time they did the study.

Through MAIAN, the researchers were able to classify the trace vulnerabilities into three classes: greedy, prodigal, and suicidal.

The prodigal class covers smart contracts that surrender funds to “arbitrary addresses,” or an address that is not the owner’s and has no previous history with the account—in other words, an attacker. This is common for individual users, and the research says that such a vulnerability can be forced to cough up ETH in as little as a single function invocation.

“The above contract requires a single function invocation to leak its Ether. However, there are examples of contracts which need two or more invocations (calls with specific arguments) to cause a leak,” according to the paper.

The greedy contract, on the other hand, stays alive but freezes the Ether within it and never lets go of the funds—much like the $285 million Parity lock-up. And unfortunately, Parity hits ticks the criteria not only for the greedy contract classification but also the suicidal contract class—which pertains to contracts that can be killed by anyone. Parity’s library contract was accidentally killed by an unwitting user.

As more and more amateur developers and developer-wannabes will probably try to cash in on the cryptocurrency hype, more vulnerabilities can be expected. It’s hard to think of a way to enforce a higher level of standard and quality control in the open network, and investors are suffering the severely expensive consequences. Meanwhile, erring and even blatantly negligent developers are seemingly getting off unscathed, prompting some to call for accountability.

During the height of the Parity mess, blockchain development company Vulcanize engineer Rick Dudley said in an article on CoinDesk: “My thoughts are we should seriously consider as a community what the limit of our forgiveness is. At what point do we have to start ostracizing people for security failures?”

Note: Tokens on the Bitcoin Core (SegWit) chain are referenced as BTC coins; tokens on the Bitcoin Cash ABC chain are referenced as BCH, BCH-ABC or BAB coins.

Bitcoin Satoshi Vision (BSV) is today the only Bitcoin project that follows the original Satoshi Nakamoto whitepaper, and that follows the original Satoshi protocol and design. BSV is the only public blockchain that maintains the original vision for Bitcoin and will massively scale to become the world’s new money and enterprise blockchain.

COMMENT

latest news

China’s e-commerce firm JD.com has applied for 200 blockchain patents

Tech 22 May 2019

China’s e-commerce firm JD.com has applied for 200 blockchain patents

JD.com, also known as Jingdong and formerly as 360Buy, is one of the leading blockchain patents applicants in the world, and is leading the way in Chinese blockchain patents.

Read More
ABN AMRO ditches BTC wallet, but eyes blockchain trade inventory system

Tech 22 May 2019

ABN AMRO ditches BTC wallet, but eyes blockchain trade inventory system

ABN AMRO got the message that nobody wanted their BTC custodial wallet, so they’ll be working on a blockchain inventory instead.

Read More
Calastone debuts world’s largest blockchain financial services system

Tech 22 May 2019

Calastone debuts world’s largest blockchain financial services system

Calastone has launched what they claim is the biggest blockchain for financial service organizations.

Read More
[data-clipboard-demo]
[data-clipboard-demo]
[data-clipboard-demo]
[data-clipboard-demo]
[data-clipboard-demo]
[data-clipboard-demo]
[data-clipboard-demo]
[data-clipboard-demo]
[data-clipboard-demo]
[data-clipboard-demo]