survey

Public Access

A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses

Authors:
Huashan Chen

The University of Texas at San Antonio, San Antonio, TX, USA

The University of Texas at San Antonio, San Antonio, TX, USA
View Profile

,
Marcus Pendleton

U.S. Air Force Research Laboratory and 90 COS/CYD

U.S. Air Force Research Laboratory and 90 COS/CYD
View Profile

,
Laurent Njilla

U.S. Air Force Research Laboratory

U.S. Air Force Research Laboratory
View Profile

,
Shouhuai Xu

The University of Texas at San Antonio, San Antonio, TX, USA

The University of Texas at San Antonio, San Antonio, TX, USA

0000-0001-8034-0942
View Profile

Authors Info & Claims

ACM Computing Surveys Volume 53 Issue 3Article No.: 67pp 1–43https://doi.org/10.1145/3391195

Published:12 June 2020Publication History

ACM Computing Surveys

Abstract

Blockchain technology is believed by many to be a game changer in many application domains. While the first generation of blockchain technology (i.e., Blockchain 1.0) is almost exclusively used for cryptocurrency, the second generation (i.e., Blockchain 2.0), as represented by Ethereum, is an open and decentralized platform enabling a new paradigm of computing—Decentralized Applications (DApps) running on top of blockchains. The rich applications and semantics of DApps inevitably introduce many security vulnerabilities, which have no counterparts in pure cryptocurrency systems like Bitcoin. Since Ethereum is a new, yet complex, system, it is imperative to have a systematic and comprehensive understanding on its security from a holistic perspective, which was previously unavailable in the literature. To the best of our knowledge, the present survey, which can also be used as a tutorial, fills this void. We systematize three aspects of Ethereum systems security: vulnerabilities, attacks, and defenses. We draw insights into vulnerability root causes, attack consequences, and defense capabilities, which shed light on future research directions.

Supplemental Material

Available for Download

zip

chen.zip (671.7 KB)

Supplemental movie, appendix, image and software files for, A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses

References

Ittay Eyal and Emin Gün Sirer. 2014. How to disincentivize large Bitcoin mining pools. Retrieved from http://hackingdistributed.com/2014/06/18/how-to-disincentivize-large-bitcoin-mining-pools/.Google Scholar
Fabian Vogelsteller and Vitalik Buterin. 2015. ERC-20 Token Standard|Ethereum Improvement Proposals. Retrieved from https://eips.ethereum.org/EIPS/eip-20.Google Scholar
Least Authority. 2015. Ethereum Analysis: Gas Economics and Proof of Work. Retrieved from https://github.com/LeastAuthority/ethereum-analyses.Google Scholar
Ethereum Community Forum. 2015. Formal Verification for Solidity Contracts. Retrieved from https://forum.ethereum.org/discussion/3779/formal-verification-for-solidity-contracts.Google Scholar
Phil Daian. 2016. Analysis of the DAO exploit. Retrieved from http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/.Google Scholar
Vitalik Buterin. 2016. EIP-150, gas cost changes for IO-heavy operations. Retrieved from https://github.com/ethereum/EIPs/blob/master/EIPS/eip-150.md.Google Scholar
Vitalik Buterin. 2016. EIP-155, simple replay attack protection. Retrieved from https://github.com/ethereum/EIPs/blob/master/EIPS/eip-155.md.Google Scholar
Gavin Wood. 2016. EIP-161, state trie clearing. Retrieved from https://github.com/ethereum/EIPs/blob/master/EIPS/eip-161.md.Google Scholar
Joris Bontje. 2016. How can I securely generate a random number in my smart contract? Retrieved from https://ethereum.stackexchange.com/questions/191/how-can-i-securely-generate-a-random-number-in-my-smart-contract.Google Scholar
Alyssa Hertig. 2016. Rise of Replay Attacks Intensifies Ethereum Divide—CoinDesk. Retrieved from https://www.coindesk.com/rise-replay-attacks-ethereum-divide.Google Scholar
Vitalik Buterin. 2016. Transaction spam attack: Next Steps. Retrieved from https://blog.ethereum.org/2016/09/22/transaction-spam-attack-next-steps/.Google Scholar
Peter Vessenes. 2016. Tx.Origin And Ethereum Oh My! Retrieved from https://vessenes.com/tx-origin-and-ethereum-oh-my/.Google Scholar
Matt Suiche. 2017. The $280M Ethereum’s Parity bug—Comae Technologies. Retrieved from https://blog.comae.io/the-280m-ethereums-bug-f28e5de43513.Google Scholar
Nooku. 2017. Exploit with ERC20 token transactions from exchanges. Retrieved from https://www.reddit.com/r/ethereum/comments/63s917/worrysome_bug_exploit_with_erc20_token/dfwmhc3/.Google Scholar
Ethererik. 2017. GovernMental’s 1100 ETH jackpot payout is stuck because it uses too much gas. Retrieved from https://www.reddit.com/r/ethereum/comments/4ghzhv/governmentals_1100_eth_jackpot_payout_is_stuck/.Google Scholar
Haseeb Qureshi. 2017. A hacker stole $31M of Ether—How it happened, and what it means for Ethereum. Retrieved from https://medium.freecodecamp.org/a-hacker-stole-31m-of-ether-how-it-happened-and-what-it-means-for-ethereum-9e5dc29e33ce.Google Scholar
Paweł Bylica. 2017. How to Find $10M Just by Reading the Blockchain. Retrieved from https://medium.com/golem-project/how-to-find-10m-by-just-reading-blockchain-6ae9d39fcd95.Google Scholar
Lorenz Breidenbach, Phil Daian, Ari Juels, and Emin Gün Sirer. 2017. An In-Depth Look at the Parity Multisig Bug. Retrieved from http://hackingdistributed.com/2017/07/22/deep-dive-parity-bug/.Google Scholar
Santiago Palladino. 2017. The Parity Wallet Hack Explained. Retrieved from https://blog.zeppelin.solutions/on-the-parity-wallet-multisig-hack-405a8c12e8f7.Google Scholar
Vbuterin. 2017. A state clearing FAQ. Retrieved from https://www.reddit.com/r/ethereum/comments/5es5g4/a_state_clearing_faq/?st=iw2e1mwo8sh=fa77688depth=1.Google Scholar
X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen. 2020. A survey on the security of blockchain systems. Future Gen. Comput. Syst. 107 (2020), 841--853.Google ScholarDigital Library
Lorenz Breidenbach, Phil Daian, Ari Juels, and Florian Tramèr. 2017. To Sink Frontrunners, Send in the Submarines. Retrieved from http://hackingdistributed.com/2017/08/28/submarine-sends/.Google Scholar
Crypto Panda. 2018. The $3 Million Winner of Fomo3D Is Still Playing to Win—Longhash. Retrieved from https://www.longhash.com/news/the-3-million-winner-of-fomo3d-is-still-playing-to-win.Google Scholar
Cornell Blockchain. 2018. Bamboo. Retrieved from https://github.com/pirapira/bamboo.Google Scholar
Common Vulnerabilities and Exposures. 2018. BatchOverflow. Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10299.Google Scholar
Louis Poinsignon. 2018. BGP leaks and cryptocurrencies. Retrieved from https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/.Google Scholar
SlowMist. 2018. Billions of Tokens Theft Case cause by ETH Ecological Defects. Retrieved from https://mp.weixin.qq.com/s/ia9nBhmqVEXiiQdFrjzmyg.Google Scholar
Mihail Sotnichek. 2018. EOS Smart Contract Vulnerabilities in Detail. Retrieved from https://www.apriorit.com/dev-blog/553-eos-smart-contract-vulnerability.Google Scholar
ChainSecurity AG. 2018. ChainSecurity Chaincode Scanner. Retrieved from https://chaincode.chainsecurity.com/.Google Scholar
Adrian Manning. 2018. Comprehensive list of known attack vectors and common anti-patterns. Retrieved from https://github.com/sigp/solidity-security-blog.Google Scholar
Vaibhav Saini. 2018. ContractPedia: An Encyclopedia of 40+ Smart Contract Platforms. Retrieved from https://hackernoon.com/contractpedia-an-encyclopedia-of-40-smart-contract-platforms-4867f66da1e5.Google Scholar
Common Vulnerabilities and Exposures. 2018. CVE-2018-10299. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2018-10299.Google Scholar
Block.one. 2018. EOS.IO Technical White Paper v2. Retrieved from https://github.com/EOSIO/Documentation/blob/master/TechnicalWhitePaper.md.Google Scholar
Georgios Konstantopoulos. 2018. How to Secure Your Smart Contracts: 6 Solidity Vulnerabilities and how to avoid them (Part 2). Retrieved from https://medium.com/loom-network/how-to-secure-your-smart-contracts-6-solidity-vulnerabilities-and-how-to-avoid-them-part-2-730db0aa4834.Google Scholar
Arseny Reutov. 2018. Predicting Random Numbers in Ethereum Smart Contracts. Retrieved from https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620.Google Scholar
Zhenxuan Bai. 2018. Replay Attacks on Ethereum Smart Contracts. Retrieved from https://github.com/nkbai/defcon26/tree/master/docs.Google Scholar
OpenZeppelin. 2018. SafeMath. Retrieved from https://github.com/OpenZeppelin/openzeppelin-solidity/blob/master/contracts/math/SafeMath.sol.Google Scholar
Bernhard Mueller. 2018. Safety tips. Retrieved from https://github.com/ethereum/wiki/wiki/Safety#favor-pull-over-push-for-external-calls.Google Scholar
Ethereum community. 2018. Solidity 0.5.0 documentation. Retrieved from https://solidity.readthedocs.io/en/v0.5.0/050-breaking-changes.html.Google Scholar
Ethereum community. 2018. Solidity Version 0.4.22. Retrieved from https://github.com/ethereum/solidity/releases/tag/v0.4.22.Google Scholar
Stefan Beyer. 2018. Storage Allocation Exploits in Ethereum Smart Contracts. Retrieved from https://medium.com/cryptronics/storage-allocation-exploits-in-ethereum-smart-contracts-16c2aa312743.Google Scholar
Martin Derka. 2018. What We Learned from Fomo3D. Retrieved from https://medium.com/@martinderka.Google Scholar
Zhenxuan Bai, Yuwei Zheng, Senhua Wang, and Kunzhe Chai. 2018. You may have paid more than you imagine. Retrieved from https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Bai2.Google Scholar
The Coq development team. 2019. The Coq Proof Assistant. Retrieved from https://coq.inria.fr/.Google Scholar
SlowMist. 2019. EOS DApp hack events. Retrieved from https://hacked.slowmist.io/en/?c=EOS%20DApp.Google Scholar
SlowMist. 2019. EOS smart contract development security best practices. Retrieved from https://github.com/slowmist/eos-smart-contract-security-best-practices.Google Scholar
Alex Lielacher. 2019. ETC 51 % attack. Retrieved from https://bravenewcoin.com/insights/etc-51-attack-what-happened-and-how-it-was-stopped.Google Scholar
Ethereum community. 2019. Ethereum 2.0 specifications. Retrieved from https://github.com/ethereum/eth2.0-specs.Google Scholar
ConsenSys Diligence. 2019. Ethereum Smart Contract Best Practices. Retrieved from https://consensys.github.io/smart-contract-best-practices/.Google Scholar
Felix Lange, Guillaume Ballet, and Antoine Toulme. 2019. Ethereum Wire Protocol (ETH). Retrieved from https://github.com/ethereum/devp2p/blob/master/caps/eth.md.Google Scholar
MythX development team. 2019. Mythril. Retrieved from https://github.com/ConsenSys/mythril.Google Scholar
Franz Volland and Florian Blum. 2019. Oracle. Retrieved from https://github.com/fravoll/solidity-patterns/blob/master/docs/oracle.md.Google Scholar
Yaning Zhang and Youcai Qian. 2019. RANDAO: A DAO working as RNG of Ethereum. Retrieved from https://github.com/randao/randao.Google Scholar
MythX development team. 2019. Smart Contract Weakness Classification and Test Cases. Retrieved from https://smartcontractsecurity.github.io/SWC-registry/.Google Scholar
Vyper development team. 2019. Vyper documentation. Retrieved from https://vyper.readthedocs.io/en/latest/?badge=latest#.Google Scholar
Etherscan development team. 2020. Ethereum (ETH) Blockchain Explorer. Retrieved from https://etherscan.io/.Google Scholar
OpenEthereum. 2020. Fast and feature-rich multi-network Ethereum client. Retrieved from https://github.com/paritytech/parity-ethereum.Google Scholar
The go-ethereum authors. 2020. Official Go implementation of the Ethereum protocol. Retrieved from https://github.com/ethereum/go-ethereum.Google Scholar
State of The DApps development team. 2020. State of the DApps—DApp Statistics. Retrieved from https://www.stateofthedapps.com/stats.Google Scholar
J. Adler, R. Berryhill, A. Veneris, Z. Poulos, N. Veira, and A. Kastania. 2018. Astraea: A decentralized blockchain oracle. arXiv:1808.00528.Google Scholar
E. Albert, P. Gordillo, B. Livshits, A. Rubio, and I. Sergey. 2018. EthIR: A framework for high-level analysis of Ethereum bytecode. arXiv:1805.07208.Google Scholar
R. Almadhoun, M. Kadadha, M. Alhemeiri, M. Alshehhi, and K. Salah. 2018. A user authentication scheme of iot devices using blockchain-enabled fog nodes. In Proceedings of the IEEE/ACS AICCSA. IEEE, 1--8.Google Scholar
Sidney Amani, Myriam Bégel, Maksym Bortin, and Mark Staples. 2018. Towards verifying ethereum smart contract bytecode in Isabelle/HOL. In Proceedings of the ACM SIGPLAN CPP. ACM, 66--77.Google Scholar
E. Androulaki, A. Barger, V. Bortnikov, C. Cachin, K. Christidis, A. De Caro, D. Enyeart, C. Ferris, G. Laventman, and Y. Manevich. 2018. Hyperledger fabric: A distributed operating system for permissioned blockchains. In Proceedings of the EuroSys. 30.Google Scholar
N. Atzei, M. Bartoletti, and T. Cimoli. 2017. A survey of attacks on ethereum smart contracts (sok). In Proceedings of the POST. 164--186.Google Scholar
Arati Baliga. 2017. Understanding blockchain consensus models. In Persistent, Vol. 4. 1--14.Google Scholar
S. Bano, A. Sonnino, M. Al-Bassam, S. Azouvi, P. McCorry, S. Meiklejohn, and G. Danezis. 2017. Consensus in the age of blockchains. CoRR abs/1711.03936.Google Scholar
M. Bartoletti, S. Carta, T. Cimoli, and R. Saia. 2017. Dissecting Ponzi schemes on Ethereum: Identification, analysis, and impact. arXiv:1703.03779.Google Scholar
I. Bentov, R. Pass, and E. Shi. 2016. Snow white: Provably secure proofs of stake. IACR ePrint Arch. 2016 (2016), 919.Google Scholar
K. Bhargavan, A. Lavaud, C. Fournet, A. Gollamudi, G. Gonthier, N. Kobeissi, N. Kulatova, A. Rastogi, T. Pinote, N. Swamy et al. 2016. Formal verification of smart contracts: Short paper. In Proceedings of the ACM PLAS. 91--96.Google Scholar
F. Bobot, J. C. Filliâtre, C. Marché, and A. Paskevich. 2011. Why3: Shepherd your herd of provers. First International Workshop on Intermediate Verification Languages, pp. 53--64.Google Scholar
Dan Boneh, Joseph Bonneau, Benedikt Bünz, and Ben Fisch. 2018. Verifiable delay functions. In Proceedings of the CRYPTO. Springer, 757--788.Google ScholarDigital Library
D. Boneh, B. Bünz, and B. Fisch. 2018. A survey of two verifiable delay functions. IACR ePrint Arch. 2018 (2018), 712.Google Scholar
J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten. 2015. SoK: Research perspectives and challenges for bitcoin and cryptocurrencies. In Proceedings of the IEEE SP. 104--121.Google Scholar
L. Brent, A. Jurisevic, M. Kong, E. Liu, F. Gauthier, V. Gramoli, R. Holz, and B. Scholz. 2018. Vandal: A scalable security analysis framework for smart contracts. arXiv:1809.03981.Google Scholar
Vitalik Buterin. 2014. Slasher: A punitive proof-of-stake algorithm. Ethereum Blog. Retrieved from https://blog. ethereum. org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm.Google Scholar
Vitalik Buterin and Virgil Griffith. 2017. Casper the friendly finality gadget. arXiv preprint arXiv:1710.09437.Google Scholar
Christian C. and Marko V.2017. Blockchain consensus protocols in the wild. CoRR abs/1707.01873.Google Scholar
J. Chang, B. Gao, H. Xiao, J. Sun, and Z. Yang. 2018. sCompile: Critical path identification and analysis for smart contracts. arXiv:1808.00624.Google Scholar
D. Chaum. 1982. Blind signatures for untraceable payments. In Proceedings of the CRYPTO.199--203.Google Scholar
H. Chen, J. Cho, and S. Xu. 2018. Quantifying the security effectiveness of firewalls and DMZs. In Proceedings of the HoTSoS. 9:1--9:11.Google Scholar
T. Chen, X. Li, Y. Wang, J. Chen, Z. Li, X. Luo, M. Au, and X. Zhang. 2017. An adaptive gas cost mechanism for ethereum to defend against under-priced DoS attacks. In Proceedings of the ISPEC. Springer, 3--24.Google Scholar
Jin-Hee Cho, Shouhuai Xu, Patrick M. Hurley, Matthew Mackay, Trevor Benjamin, and Mark Beaumont. 2019. STRAM: Measuring the trustworthiness of computer-based systems. ACM Comput. Surv. 51, 6 (2019), 128:1--128:47.Google ScholarDigital Library
Michael Coblenz. 2017. Obsidian: A safer blockchain programming language. In Proceedings of the ICSE. 97--99.Google ScholarDigital Library
M. Conti, E. Kumar, C. Lal, and S. Ruj. 2018. A survey on security and privacy issues of bitcoin. IEEE Communications Surveys Tutorials 20, 4 (2018), 3416--3452.Google ScholarDigital Library
T. Cook, A. Latham, and J. Lee. 2017. Dappguard: Active monitoring and defense for solidity smart contracts. Retrieved from https://pdfs.semanticscholar.org/7438/ffd4c3b45a6d239815df377a453adfa890fa.pdf.Google Scholar
P. Cousot and R. Cousot. 1977. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the PoPL. 238--252.Google Scholar
P. Daian, I. Eyal, A. Juels, and E. Sirer. 2017. Piecework: Generalized outsourcing control for proofs of work. In Proceedings of the FC. 182--190.Google Scholar
P. Daian, S. Goldfeder, T. Kell, Y. Li, X. Zhao, I. Bentov, L. Breidenbach, and A. Juels. 2019. Flash Boys 2.0: Frontrunning, transaction reordering, and consensus instability in decentralized exchanges. arXiv:1904.05234.Google Scholar
B. David, P. Gaži, A. Kiayias, and A. Russell. 2018. Ouroboros praos: An adaptively-secure, semi-synchronous proof-of-stake blockchain. In Proceedings of the EUROCRYPT. Springer, 66--98.Google Scholar
E. Deirmentzoglou, G. Papakyriakopoulos, and C. Patsakis. 2019. A survey on long-range attacks for proof of stake protocols. IEEE Access 7 (2019), 28712--28725.Google ScholarCross Ref
K. Delmolino, M. Arnett, A. Kosba, A. Miller, and E. Shi. 2016. Step by step towards creating a safe smart contract: Lessons and insights from a cryptocurrency lab. In Proceedings of the FinancialCRYPTO. 79--94.Google Scholar
G. Destefanis, M. Marchesi, M. Ortu, R. Tonelli, A. Bracciali, and R. Hierons. 2018. Smart contracts vulnerabilities: A call for blockchain software engineering? In Proceedings of the IEEE IWBOSE. 19--25.Google Scholar
Monika Di Angelo and Gernot Salzer. 2019. A survey of tools for analyzing ethereum smart contracts. In Proceedings of the DAPPCON.Google ScholarCross Ref
Cynthia Dwork and Moni Naor. 1992. Pricing via processing or combatting junk mail. In Proceedings of the CRYPTO. 139--147.Google Scholar
Paul Dworzanski. A note on committee random number generation, commit-reveal, and last-revealer attacks. Retrieved from http://paul.oemm.org/commit_reveal_subcommittees.pdf.Google Scholar
P. Ekparinya, V. Gramoli, and G. Jourjon. 2018. Impact of man-in-the-middle attacks on ethereum. In Proceedings of the IEEE SRDS. 11--20.Google Scholar
Joshua Ellul and Gordon J Pace. 2018. Runtime verification of ethereum smart contracts. In Proceedings of the IEEE EDCC. 158--163.Google ScholarCross Ref
Ittay Eyal and Emin Gün Sirer. 2018. Majority is not enough: Bitcoin mining is vulnerable. Commun. ACM 61, 7 (2018), 95--102.Google ScholarDigital Library
M. Fischer, N. Lynch, and M. Paterson. 1985. Impossibility of distributed consensus with one faulty process. J. ACM 32, 2, 374--382.Google ScholarDigital Library
P. Gaži, A. Kiayias, and A. Russell. 2018. Stake-bleeding attacks on proof-of-stake blockchains. In Proceedings of the CVCBT. 85--92.Google Scholar
A. Gervais, G. Karame, K. Wüst, V. Glykantzis, H. Ritzdorf, and S. Capkun. 2016. On the security and performance of proof of work blockchains. In Proceedings of the ACM CCS. 3--16.Google Scholar
Vincent Gramoli. 2020. From blockchain consensus back to byzantine consensus. Future Gen. Comput. Syst. 107 (2020), 760--769.Google ScholarDigital Library
N. Grech, M. Kong, A. Jurisevic, L. Brent, B. Scholz, and Y. Smaragdakis. 2018. Madmax: Surviving out-of-gas conditions in ethereum smart contracts. In Proceedings of the OOPSLA. 116.Google Scholar
I. Grishchenko, M. Maffei, and C. Schneidewind. 2018. EtherTrust: Sound Static Analysis of Ethereum Bytecode. Technical Report. Retrieved from https://pdfs.semanticscholar.org/26c2/b7e7479336d44891aadda6b5eaae2ca2ee91.pdf.Google Scholar
I. Grishchenko, M. Maffei, and C. Schneidewind. 2018. Foundations and tools for the static analysis of ethereum smart contracts. In Proceedings of the ICCAV. Springer, 51--78.Google Scholar
I. Grishchenko, M. Maffei, and C. Schneidewind. 2018. A semantic framework for the security analysis of ethereum smart contracts. In Proceedings of the POST. Springer, 243--269.Google Scholar
S. Grossman, I. Abraham, G. Golan-Gueta, Y. Michalevsky, N. Rinetzky, M. Sagiv, and Y. Zohar. 2017. Online detection of effectively callback free objects with applications to smart contracts. In Proceedings of the PoPL. 48.Google Scholar
C. Grunspan and R. Pérez-Marco. 2019. Selfish mining and Dyck words in Bitcoin and Ethereum networks. arXiv:1904.07675.Google Scholar
Cyril Grunspan and Ricardo Pérez-Marco. 2019. Selfish mining in ethereum. arXiv:1904.13330.Google Scholar
Y. Han, W. Lu, and S. Xu. 2014. Characterizing the power of moving target defense via cyber epidemic dynamics. In Proceedings of the HotSoS’14, Vol. 10. 1--12.Google Scholar
D. Harz and W. Knottenbelt. 2018. Towards safer smart contracts: A survey of languages and verification methods. arXiv:1809.09805.Google Scholar
H. Hasan and K. Salah. 2018. Proof of delivery of digital assets using blockchain and smart contracts. IEEE Access 6, 65439--65448.Google ScholarCross Ref
H. Hasan and K. Salah. 2019. Combating deepfake videos using blockchain and smart contracts. IEEE Access 7, 41596--41606.Google ScholarCross Ref
S. Henningsen, D. Teunis, M. Florian, and B. Scheuermann. 2019. Eclipsing ethereum peers with false friends. In Proceedings of the EuroS8P. 300--309.Google Scholar
E. Hildenbrandt, M. Saxena, N. Rodrigues, X. Zhu, P. Daian, D. Guth, B. Moore, D. Park, Y. Zhang, and A. Stefanescu. 2018. KEVM: A complete formal semantics of the ethereum virtual machine. In Proceedings of the CSF. 204--217.Google Scholar
Yoichi Hirai. 2017. Defining the ethereum virtual machine for interactive theorem provers. In Proceedings of the FinancialCRYPTO. 520--535.Google ScholarCross Ref
Y. Huang, Y. Bian, R. Li, J. Zhao, and P. Shi. 2019. Smart contract security: A software lifecycle perspective. IEEE Access 7, 150184--150202.Google ScholarCross Ref
B. Jiang, Y. Liu, and W. Chan. 2018. Contractfuzzer: Fuzzing smart contracts for vulnerability detection. In Proceedings of the ASE. 259--269.Google Scholar
A. Judmayer, N. Stifter, A. Zamyatin, I. Tsabary, I. Eyal, P. Gazi, S. Meiklejohn, and E. Weippl. 2019. Pay-To-Win: Incentive Attacks on Proof-of-Work Cryptocurrencies. Technical Report. Cryptology ePrint Archive, Report 2019/775.Google Scholar
Sukrit Kalra, Seep Goel, Mohan Dhawan, and Subodh Sharma. 2018. Zeus: Analyzing safety of smart contracts. In Proceedings of theNDSS.Google ScholarCross Ref
M. Khan and K. Salah. 2018. IoT security: Review, blockchain solutions, and open challenges. Future Gen. Comput. Syst. 82, 395--411.Google ScholarCross Ref
A. Kiayias, A. Russell, B. David, and R. Oliynykov. 2017. Ouroboros: A provably secure proof-of-stake blockchain protocol. In Proceedings of the CRYPTO. 357--388.Google Scholar
L. Kiffer, D. Levin, and A. Mislove. 2017. Stick a fork in it: Analyzing the Ethereum network partition. In Proceedings of the ACM HotNets. 94--100.Google Scholar
Simon Kim. 2017. Measuring Ethereum’s Peer-to-peer Network. Ph.D. Dissertation.Google Scholar
S. Kim, Z. Ma, S. Murali, J. Mason, A. Miller, and M. Bailey. 2018. Measuring ethereum network peers. In Proceedings of the ACM IMC. 91--104.Google Scholar
James C. King. 1976. Symbolic execution and program testing. Commun. ACM 19, 7 (1976), 385--394.Google ScholarDigital Library
Sunny King and Scott Nadal. 2012. Ppcoin: Peer-to-peer crypto-currency with proof-of-stake. Self-published Paper. Retrieved from https://www.chainwhy.com/upload/default/20180619/126a057fef926dc286accb372da46955.pdf.Google Scholar
A. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou. 2016. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In Proceedings of the IEEE SP. 839--858.Google Scholar
J. Krupp and C. Rossow. 2018. teether: Gnawing at ethereum to automatically exploit smart contracts. In Proceedings of the UsenixSecurity. 1317--1333.Google Scholar
Ao Li and Fan Long. 2018. Detecting standard violation errors in smart contracts. arXiv:1812.07702.Google Scholar
W. Li, S. Andreina, J. Bohli, and G. Karame. 2017. Securing proof-of-stake blockchain protocols. In Proceedings of the DPM CBT. 297--315.Google Scholar
X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen. 2017. A survey on the security of blockchain systems. Future Gen. Comput. Syst. 107 (2020), 841--853.Google Scholar
X. Li, P. Parker, and S. Xu. 2011. A stochastic model for quantitative security analyses of networked systems. IEEE TDSC 8, 1, 28--43.Google Scholar
Z. Li, D. Zou, S. Xu, H. Jin, Y. Zhu, Z. Chen, S. Wang, and J. Wang. 2018. SySeVR: A framework for using deep learning to detect software vulnerabilities. CoRR abs/1807.06756.Google Scholar
Z. Li, D. Zou, S. Xu, X. Ou, H. Jin, S. Wang, Z. Deng, and Y. Zhong. 2018. VulDeePecker: A deep learning-based system for vulnerability detection. In Proceedings of the NDSS.Google Scholar
Z. Lin, W. Lu, and S. Xu. 2019. Unified preventive and reactive cyber defense dynamics is still globally convergent. IEEE/ACM Trans. Netw. 27, 3 (2019), 1098--1111.Google ScholarDigital Library
C. Liu, H. Liu, Z. Cao, Z. Chen, B. Chen, and B. Roscoe. 2018. ReGuard: Finding reentrancy bugs in smart contracts. In Proceedings of the ICSE. 65--68.Google Scholar
L. Luu, D. Chu, H. Olickel, P. Saxena, and A. Hobor. 2016. Making smart contracts smarter. In Proceedings of the ACM CCS. 254--269.Google Scholar
L. Luu, J. Teutsch, R. Kulkarni, and P. Saxena. 2015. Demystifying incentives in the consensus computer. In Proceedings of the ACM CCS. 706--719.Google Scholar
L. Luu, Y. Velner, J. Teutsch, and P. Saxena. 2017. Smartpool: Practical decentralized pooled mining. In Proceedings of the UsenixSecurity. 1409--1426.Google Scholar
Y. Marcus, E. Heilman, and S. Goldberg. 2018. Low-resource eclipse attacks on Ethereum’s peer-to-peer network. Retrieved from http://ljk.imag.fr/membres/Jean-Guillaume.Dumas/Enseignements/ProjetsCrypto/Ethereum/236.pdf.Google Scholar
A. Mavridou and A. Laszka. 2017. Designing secure ethereum smart contracts: A finite state machine based approach. arXiv:1711.09327.Google Scholar
Patrick McCorry, Alexander Hicks, and Sarah Meiklejohn. 2018. Smart contracts for bribing miners. In Proceedings of the FinancialCRYPTO. 3--18.Google Scholar
Silvio Micali. 2016. Algorand: The efficient and democratic ledger. arXiv preprint arXiv:1607.01341 (2016).Google Scholar
A. Miller, A. Kosba, J. Katz, and E. Shi. 2015. Nonoutsourceable scratch-off puzzles to discourage bitcoin mining coalitions. In Proceedings of the ACM CCS. 680--691.Google Scholar
J. Mireles, E. Ficke, J. Cho, P. Hurley, and S. Xu. 2019. Metrics towards measuring cyber agility. IEEE TIFS 14, 12 (2019), 3217--3232.Google Scholar
Satoshi Nakamoto. 2008. Bitcoin: A peer-to-peer electronic cash system. Retrieved from https://bitcoin.org/bitcoin.pdf.Google Scholar
Ryuya Nakamura, Takayuki Jimba, and Dominik Harz. 2019. Refinement and verification of CBC casper. Networks 2 (2019), 4.Google Scholar
C. Natoli and V. Gramoli. 2017. The balance attack or why forkable blockchains are ill-suited for consortium. In Proceedings of the IEEE/IFIP DSN. 579--590.Google Scholar
D. Nicol, W. Sanders, and K. Trivedi. 2004. Model-based evaluation: From dependability to security. IEEE TDSC 1, 1 (2004), 48--65.Google Scholar
I. Nikolić, A. Kolluri, I. Sergey, P. Saxena, and A. Hobor. 2018. Finding the greedy, prodigal, and suicidal contracts at scale. In Proceedings of the ACSAC. 653--663.Google Scholar
Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. 2002. Isabelle/HOL: A Proof Assistant for Higher-order Logic. Vol. 2283. Springer.Google Scholar
Jianyu Niu and Chen Feng. 2019. Selfish mining in Ethereum. arXiv:1901.04620.Google Scholar
S. Noel and S. Jajodia. 2017. A Suite of Metrics for Network Attack Graph Analytics. Springer International Publishing, Cham, 141--176.Google Scholar
Russell O’Connor. 2017. Simplicity: A new language for blockchains. In Proceedings of the PLAS. 107--120.Google ScholarDigital Library
D. Park, Y. Zhang, M. Saxena, P. Daian, and G. Roşu. 2018. A formal verification tool for Ethereum VM bytecode. In Proceedings of the of ACM ESEC/FSE. ACM, 912--915.Google Scholar
M. Pendleton, R. Garcia-Lebron, J. Cho, and S. Xu. 2016. A survey on systems security metrics. ACM Comput. Surv. 49, 4, 62:1--62:35.Google Scholar
L. Quan, L. Wu, and H. Wang. 2019. EVulHunter: Detecting fake transfer vulnerabilities for EOSIO’s smart contracts at webassembly-level. arXiv:1906.10362.Google Scholar
A. Ramos, M. Lazar, R. H. Filho, and J. J. P. C. Rodrigues. 2017. Model-based quantitative network security metrics: A survey. IEEE Commun. Surveys Tutor. 19, 4 (2017), 2704--2734.Google ScholarCross Ref
F. Ritz and A. Zugenmaier. 2018. The impact of uncle rewards on selfish mining in ethereum. In Proceedings of the IEEE EuroS8P. 50--57.Google Scholar
M. Rodler, W. Li, G. Karame, and L. Davi. 2018. Sereum: Protecting existing smart contracts against re-entrancy attacks. arXiv:1812.05934.Google Scholar
G. Rosu and T. Serbănută. 2010. An overview of the K semantic framework. J. Logic Algebra. Program. 79, 6 (2010), 397--434.Google ScholarCross Ref
M. Saad, J. Spaulding, L. Njilla, C. Kamhoua, S. Shetty, D. Nyang, and A. Mohaisen. 2019. Exploring the attack surface of blockchain: A systematic overview. arXiv:1904.03487.Google Scholar
K. Salah, M. Rehman, N. Nizamuddin, and A. Fuqaha. 2019. Blockchain for AI: Review and open research challenges. IEEE Access 7 (2019), 10127--10149.Google ScholarCross Ref
Jerome H. Saltzer and Michael D. Schroeder. 1975. The protection of information in computer systems. Proc. IEEE 63, 9 (1975), 1278--1308.Google ScholarCross Ref
F. Schrans, S. Eisenbach, and S. Drossopoulou. 2018. Writing safe smart contracts in Flint. In Proceedings of the ACM on Programming Languages. ACM, 218--219.Google Scholar
Robert W. Sebesta. 2012. Concepts of Programming Languages. Pearson, Boston.Google Scholar
Ilya Sergey, Amrit Kumar, and Aquinas Hobor. 2018. Scilla: A smart contract intermediate-level language. arXiv:1801.00687.Google Scholar
Yonatan Sompolinsky and Aviv Zohar. 2015. Secure high-rate transaction processing in bitcoin. In Proceedings of the FinancialCRYPTO. 507--527.Google ScholarCross Ref
Matt Suiche. 2017. Porosity: A decompiler for blockchain-based smart contracts bytecode. In Proceedings of the DEF CON. 11.Google Scholar
A. Suliman, Z. Husain, M. Abououf, M. Alblooshi, and K. Salah. 2018. Monetization of IoT data using smart contracts. IET Netw. 8, 1 (2018), 32--37.Google ScholarCross Ref
N. Swamy, C. Hriţcu, C. Keller, A. Rastogi, A. Lavaud, S. Forest, K. Bhargavan, C. Fournet, P. Strub, M. Kohlweiss et al. 2016. Dependent types and multi-monadic effects in F. In ACM SIGPLAN Notices, Vol. 51. ACM, 256--270.Google Scholar
A. Tann, X. Han, S. Gupta, and Y. Ong. 2018. Towards safer smart contracts: A sequence learning approach to detecting vulnerabilities. arXiv:1811.06632.Google Scholar
S. Tikhomirov, E. Voskresenskaya, I. Ivanitskiy, R. Takhaviev, E. Marchenko, and Y. Alexandrov. 2018. Smartcheck: Static analysis of ethereum smart contracts. In Proceedings of the IEEE/ACM WETSEB. 9--16.Google Scholar
P. Tsankov, A. Dan, D. Cohen, A. Gervais, F. Buenzli, and M. Vechev. 2018. Securify: Practical security analysis of smart contracts. arXiv:1806.01143.Google Scholar
F. Tschorsch and B. Scheuermann. 2016. Bitcoin and beyond: A technical survey on decentralized digital currencies. IEEE Commun. Surveys Tutor. 18, 3 (2016), 2084--2123.Google ScholarDigital Library
Marko Vukolić. 2017. Rethinking permissioned blockchains. In Proceedings of the ACM BCC. 3--7.Google ScholarDigital Library
Wenbo Wang, Dinh Thai Hoang, Peizhao Hu, Zehui Xiong, Dusit Niyato, Ping Wang, Yonggang Wen, and Dong In Kim. 2019. A survey on consensus mechanisms and mining strategy management in blockchain networks. IEEE Access 7 (2019), 22328--22370.Google ScholarCross Ref
X. Wang, X. Zha, G. Yu, W. Ni, R. Liu, Y. Guo, X. Niu, and K. Zheng. 2018. Attack and defence of ethereum remote apis. In Proceedings of the GC. IEEE, 1--6.Google Scholar
Benjamin Wesolowski. 2019. Efficient verifiable delay functions. In Proceedings of the EUROCRYPT. 379--407.Google ScholarDigital Library
F. Winzer, B. Herd, and S. Faust. 2019. Temporary censorship attacks in the presence of rational miners. In Proceedings of the IEEE EuroS8PW. 357--366.Google Scholar
M. Wohrer and U. Zdun. 2018. Smart contracts: Security patterns in the ethereum ecosystem and solidity. In Proceedings of the IEEE IWBOSE. 2--8.Google Scholar
Gavin Wood. 2014. Ethereum: A secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper 151 (2014), 1--32.Google Scholar
Karl Wüst and Arthur Gervais. 2016. Ethereum Eclipse Attacks. Technical Report. ETH Zurich.Google Scholar
Y. Xiao, N. Zhang, W. Lou, and Y. Hou. 2019. A survey of distributed consensus protocols for blockchain networks. arxiv:1904.04098Google Scholar
M. Xu, G. Da, and S. Xu. 2015. Cyber epidemic models with dependences. Internet Math. 11, 1 (2015), 62--92.Google ScholarCross Ref
Shouhuai Xu. 2014. Cybersecurity dynamics. In Proceedings of the HotSoS. 14:1--14:2.Google Scholar
Shouhuai Xu. 2014. Emergent behavior in cybersecurity. In Proceedings of the HotSoS. 13:1--13:2.Google Scholar
Shouhuai Xu. 2019. Cybersecurity dynamics: A foundation for the science of cybersecurity. In Proactive and Dynamic Network Defense, Zhuo Lu and Cliff Wang (Eds.). Vol. 74. Springer International Publishing, Cham, 1--31.Google Scholar
Shouhuai Xu, Wenlian Lu, and Li Xu. 2012. Push- and pull-based epidemic spreading in arbitrary networks: Thresholds and deeper insights. ACM Trans. Auton. Adapt. Syst. 7, 3 (2012), 32:1--32:26.Google ScholarDigital Library
K. Yamashita, Y. Nomura, E. Zhou, B. Pi, and S. Jun. 2019. Potential risks of hyperledger fabric smart contracts. In Proceedings of the IEEE IWBOSE. 1--10.Google Scholar
V. Zamfir, N. Rush, A. Asgaonkar, and G. Piliouras. 2018. Introducing the “Minimal CBC Casper” Family of Consensus Protocols. Retrieved from https://github.com/cbc-casper/cbc-casper-paper/blob/master/cbc-casper-paper-draft.pdf.Google Scholar
G. Zeng, S. Yiu, J. Zhang, H. Kuzuno, and M. Au. 2017. A nonoutsourceable puzzle under GHOST rule. In Proceedings of the IEEE PST. 35--358.Google Scholar
F. Zhang, E. Cecchetti, K. Croman, A. Juels, and E. Shi. 2016. Town crier: An authenticated data feed for smart contracts. In Proceedings of the ACM CCS. 270--282.Google Scholar
R. Zhang, R. Xue, and L. Liu. 2019. Security and privacy on blockchain. CoRR abs/1903.07602.Google Scholar
R. Zheng, W. Lu, and S. Xu. 2015. Active cyber defense dynamics exhibiting rich phenomena. In Proceedings of the HotSoS. 2:1--2:12.Google Scholar
R. Zheng, W. Lu, and S. Xu. 2018. Preventive and reactive cyber defense dynamics is globally stable. IEEE Trans. Netw. Sci. Eng. 5, 2 (2018), 156--170.Google ScholarCross Ref
Y. Zhou, D. Kumar, S. Bakshi, J. Mason, A. Miller, and M. Bailey. 2018. Erays: Reverse engineering ethereum’s opaque smart contracts. In Proceedings of the USENIXSecurity.Google Scholar
L. Zhu, B. Zheng, M. Shen, S. Yu, F. Gao, H. Li, K. Shi, and K. Gai. 2018. Research on the security of blockchain data: A survey. CoRR abs/1812.02009.Google Scholar

Index Terms

A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses
1. Security and privacy
  1. Systems security
    1. Distributed systems security

Recommendations

A survey on the security of blockchain systems
Abstract
Since its inception, the blockchain technology has shown promising application prospects. From the initial cryptocurrency to the current smart contract, blockchain has been applied to many fields. Although there are some studies on the ...
Highlights
- We conduct the first systematic examination on security risks to popular blockchain systems.
Read More
Proof-of-stake at stake: predatory, destructive attack on PoS cryptocurrencies
CryBlock '20: Proceedings of the 3rd Workshop on Cryptocurrencies and Blockchains for Distributed Systems

There have been several 51% attacks on Proof-of-Work (PoW) blockchains recently, including Verge and GameCredits, but the most noteworthy has been the attack that saw hackers make off with up to $18 million after a successful double-spend was executed ...
Read More
Detecting Ponzi Schemes on Ethereum: Towards Healthier Blockchain Technology
WWW '18: Proceedings of the 2018 World Wide Web Conference

Blockchain technology becomes increasingly popular. It also attracts scams, for example, Ponzi scheme, a classic fraud, has been found making a notable amount of money on Blockchain, which has a very negative impact. To help dealing with this issue, ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Computing Surveys Volume 53, Issue 3
May 2021
787 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/3403423
Editor:
Albert Zomaya
University of Sydney, Australia
Issue’s Table of Contents
Copyright © 2020 ACM
© 2020 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 12 June 2020
- Online AM: 7 May 2020
- Accepted: 1 March 2020
- Revised: 1 February 2020
- Received: 1 August 2019
Published in csur Volume 53, Issue 3

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Blockchain
Ethereum
security
smart contract
Qualifiers
- survey
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 235
  Total Citations
  View Citations
- 18,053
  Total Downloads
- Downloads (Last 12 months)3,917
- Downloads (Last 6 weeks)347
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses

ACM Computing Surveys

Abstract

Supplemental Material

Available for Download

References

Cited By

Index Terms

Recommendations

A survey on the security of blockchain systems

Proof-of-stake at stake: predatory, destructive attack on PoS cryptocurrencies

Detecting Ponzi Schemes on Ethereum: Towards Healthier Blockchain Technology