Abstract
Blockchain technology is believed by many to be a game changer in many application domains. While the first generation of blockchain technology (i.e., Blockchain 1.0) is almost exclusively used for cryptocurrency, the second generation (i.e., Blockchain 2.0), as represented by Ethereum, is an open and decentralized platform enabling a new paradigm of computing: Decentralized Applications (DApps) running on top of blockchains. The rich applications and semantics of DApps inevitably introduce many security vulnerabilities that have no counterparts in pure cryptocurrency systems like Bitcoin. Since Ethereum is a new, yet complex, system, it is imperative to have a systematic and comprehensive understanding of its security from a holistic perspective, which was previously unavailable in the literature. To the best of our knowledge, the present survey, which can also be used as a tutorial, fills this void. We systematize three aspects of Ethereum systems security: vulnerabilities, attacks, and defenses. We draw insights into vulnerability root causes, attack consequences, and defense capabilities, which shed light on future research directions.
Supplemental Material
Supplemental movie, appendix, image and software files for "A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses" are available for download.
- G. Zeng, S. Yiu, J. Zhang, H. Kuzuno, and M. Au. 2017. A nonoutsourceable puzzle under GHOST rule. In Proceedings of the IEEE PST. 35--358.Google Scholar
- F. Zhang, E. Cecchetti, K. Croman, A. Juels, and E. Shi. 2016. Town crier: An authenticated data feed for smart contracts. In Proceedings of the ACM CCS. 270--282.Google Scholar
- R. Zhang, R. Xue, and L. Liu. 2019. Security and privacy on blockchain. CoRR abs/1903.07602.Google Scholar
- R. Zheng, W. Lu, and S. Xu. 2015. Active cyber defense dynamics exhibiting rich phenomena. In Proceedings of the HotSoS. 2:1--2:12.Google Scholar
- R. Zheng, W. Lu, and S. Xu. 2018. Preventive and reactive cyber defense dynamics is globally stable. IEEE Trans. Netw. Sci. Eng. 5, 2 (2018), 156--170.Google ScholarCross Ref
- Y. Zhou, D. Kumar, S. Bakshi, J. Mason, A. Miller, and M. Bailey. 2018. Erays: Reverse engineering ethereum’s opaque smart contracts. In Proceedings of the USENIXSecurity.Google Scholar
- L. Zhu, B. Zheng, M. Shen, S. Yu, F. Gao, H. Li, K. Shi, and K. Gai. 2018. Research on the security of blockchain data: A survey. CoRR abs/1812.02009.Google Scholar