Tech 28 February 2018Cecille de Jesus
34,200 buggy Ethereum smart contracts are in danger, some ‘suicidal,’ study finds
Using a tool called MAIAN, 2,365 of the vulnerable smart contracts fell to an exploit within ten measly seconds.
Ethereum can’t catch a break: In the midst of a hard fork debate to recover stolen or locked ETH as more and more funds are lost to hacks and bugs on smart contracts, a new study has been released attesting to Ethereum’s glaring vulnerabilities. While the blockchain itself isn’t at risk, the growing number of smart contracts being built on top of it aren’t as rock solid as they should be.
A study conducted by researchers from the National University of Singapore (NUS) and the University College London (UCL) has concluded that 34,200 out of nearly one million smart contracts on Ethereum are vulnerable to attack, with 2,365 of them only needing ten seconds to exploit using an analysis tool they built called MAIAN.
“Our analysis of nearly one million contracts flags 34,200 (2,365 distinct) contracts vulnerable, in 10 seconds per contract,” the researchers wrote in the paper. Their analysis has flagged close to $13.8 million worth of ether at risk at the time they did the study.
Through MAIAN, the researchers were able to classify the trace vulnerabilities into three classes: greedy, prodigal, and suicidal.
The prodigal class covers smart contracts that surrender funds to “arbitrary addresses,” or an address that is not the owner’s and has no previous history with the account—in other words, an attacker. This is common for individual users, and the research says that such a vulnerability can be forced to cough up ETH in as little as a single function invocation.
“The above contract requires a single function invocation to leak its Ether. However, there are examples of contracts which need two or more invocations (calls with specific arguments) to cause a leak,” according to the paper.
The greedy contract, on the other hand, stays alive but freezes the Ether within it and never lets go of the funds—much like the $285 million Parity lock-up. And unfortunately, Parity hits ticks the criteria not only for the greedy contract classification but also the suicidal contract class—which pertains to contracts that can be killed by anyone. Parity’s library contract was accidentally killed by an unwitting user.
As more and more amateur developers and developer-wannabes will probably try to cash in on the cryptocurrency hype, more vulnerabilities can be expected. It’s hard to think of a way to enforce a higher level of standard and quality control in the open network, and investors are suffering the severely expensive consequences. Meanwhile, erring and even blatantly negligent developers are seemingly getting off unscathed, prompting some to call for accountability.
During the height of the Parity mess, blockchain development company Vulcanize engineer Rick Dudley said in an article on CoinDesk: “My thoughts are we should seriously consider as a community what the limit of our forgiveness is. At what point do we have to start ostracizing people for security failures?”
Note: Tokens on the Bitcoin Core (SegWit) chain are referenced as BTC coins; tokens on the Bitcoin Cash ABC chain are referenced as BCH, BCH-ABC or BAB coins.
Bitcoin Satoshi Vision (BSV) is today the only Bitcoin project that follows the original Satoshi Nakamoto whitepaper, and that follows the original Satoshi protocol and design. BSV is the only public blockchain that maintains the original vision for Bitcoin and will massively scale to become the world’s new money and enterprise blockchain.
Tech 22 March 2019
Blockchain analyst CipherBlade criticizes WSJ journalism, or lack thereof
CipherBlade, a blockchain investigation firm, has concluded that the Wall Street Journal (WSJ) has overstated its previous claims about the cryptocurrency exchange ShapeShift.
Tech 22 March 2019
Unwriter announces Bottle, a Bitcoin browser
Looking to find a way out of the world wide web, Unwriter has released Bottle, a new browser exclusively for the Bitcoin SV network.
Tech 22 March 2019
Money Button CEO: How to upload large files to Bitcoin SV blockchain
OP_Return has a 100KB upload limit, but Ryan X Charles will show you how you can upload much larger files with a new tool from Money Button.