Smart Contract Security: The Attacks and Solutions

Okereke Innocent

Okereke Innocent

September 25, 2020

 |9 min read

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on print
Smart Contract Security

Smart contract security is fundamental to trustless applications. Smart contracts are a set of predefined codes that self-executes according to the terms therein. 

Although it acts similarly to the traditional agreement, it eliminated the involvement of a third party. The smart contract protocols are capable of initiating their commands automatically. 

You cannot update or modify a smart contract for security patches after its deployment on a blockchain network. Therefore, developers must ensure that they implement robust security strategies before deploying on the blockchain network. Recent attacks and the number of vulnerabilities due to the absence of security patches have challenged smart contracts’ sustainability. 

While blockchain technology is gaining traction, there are potential attacks. For instance, there are currently emerging DeFi attacks; exchange hacks, among others. However, all blockchain-related attacks are not smart contract attacks. Some are defraud, malicious, and weak protocol attacks. Nonetheless, herein we are discussing the smart contract attacks and possible smart contract security guides. 

Despite the different security measures in place, a smart contract faces challenges of various attacks. These attacks do not only target smart contracts; they also go after cryptocurrency wallets, transaction authentication, mining pools, etc. 

The Smart Contract Framework

The Ethereum network is one of the significant frameworks that are often used to develop smart contracts. As a smart contract developer, you can build any dApp on the Ethereum platform. However, despite all its advantages, it is not fully secured.

For example, unexpected bugs in the smart contract can trigger it to execute tasks it wasn’t designed to perform. This leads to a significant loss on the parties involved in the unresolved agreement that follows. Meanwhile, Ethereum is not the only smart contract platform you can utilize for the development of dApps. 

Other platforms include the likes of Hawk, which you can use for the development of privacy-preserving smart contracts. Hawk is the first smart contract security system. It established a recognized academic provision of the cryptocurrency blockchain model. It consists of a Universal Composability (UC) model, which comprises independent interest. You can leverage the UC model to stimulate security protocols in the blockchain network.

Also read: Writing Your First Smart Contract Using Clarity

Attacks on Smart Contract Security

Over the years, there are many smart contract attacks, costing the victims a huge amount of money. However, the DAO and the Parity Wallet hacks are well-known. A few members of the Ethereum society inaugurated the DAO (known as genesis DAO) in 2016. DAO was an open-source smart contract protocol that allowed anyone to swap DAO tokens with ETHs. 

The process helped to generate about $150m, providing DAO with a large crowdfund. Participants who have DAO tokens were allowed to vote on propositions and were rewarded, provided it resulted in a profit. However, the DAO smart contract had made underlying flaws that allowed attackers to remove the network’s funds. A loophole allowed the hacker to request funds from the smart contract before the balance was updated. 

Such vulnerability occurred due to bugs in the code, where the developers did not consider the possibility of a recursive call. 

Therefore it allowed hackers to steal ETHs worth millions of dollars within the first few hours. The DAO attack is an example of how destructive a single vulnerability in the smart contract can be. 

You can read more about DAO Attack here.

Another attack was the Parity Wallet hack on the Parity Multisig Wallet version 1.5+. The vulnerability enabled the hacker to steal about 150,000 ETHs that was worth around $30m. In a bid to execute the attack, the hacker transmitted two separate transactions to acquire ownership of Multisig so that all the currency could be drained from the platform. Immediately the attack was complete; the Parity Multisig Wallet Library contract was initiated. This attack occurred twice; hence it is often referred to as Parity Wallet hack 1 & 2.  

The Attack Classification 

The attacks on smart contract security and blockchain, in general, can be classified into four basic categories. These categories include malicious attacks, weak protocol, defraud, and application bugs.

Malicious Attacks

This type of blockchain attack comprises spreading malware and viruses to people’s wallets and accounts. Sometimes, it starts with compromising identities. Examples of such attacks are crypto-jacking, slack, and forum attack. How it happens is that a set of hacks will write programs that could penetrate your wallet to change some properties. Such properties are passwords, usernames, emails, etc. By doing so, it could compromise your account and, as such, may lead to loss of values. 

Weak Protocols

Unlike the traditional database and networks, the blockchain runs by protocols. The protocol vulnerabilities could lead to a sudden takeover of the system by hackers. For instance, there is Proof of Work, Proof of Stake, Delegated Proof of Stake, Byzantine Fault Tolerance, etc. depending on the blockchain functionalities. That said, the different protocols are prone to one attack or the other. Some of those attacks are 51% attacks, Sybill attacks, 34% attack, and denial of service. 

The Proof-of-Work protocol presumes that 50% of network miners will always be honest. Meanwhile, adversaries making up more than 50% hashing can gain control of the network. Therefore, weak consensus can lead to multiple attacks that relate to the blockchain network. On the other hand, the Sybil attack allows an attacker to establish several malicious nodes over the Bitcoin blockchain network. An Eclipse attack can occur in the same vein to manipulate the peer-to-peer (P2P) network. The essence is often to gain full control over the information that makes up a node. 

Defraud

This smart contract attack tricks merchants into taking advantage of the unstable actions of digital transactions. Defraud can trick a merchant into releasing his goods before the confirmation of a transaction. In a practical sense, a Bitcoin transaction is confirmed after six transactions. 

Meanwhile, a consumer may try to persuade a merchant to release goods without waiting for up to 6 transactions, so attack techniques like one confirmation or no confirmation can be initiated to double spend. 

Application Bugs

This type of attack occurs when there is an error in the code of the smart contract. It arises when smart contract developers fail to see code errors in the decentralized application. An attacker can drain all the money from the smart contract wallet through simple code bugs. Hence, the need for smart contract audits.  

Smart Contract Attack

Here, we shall explore seven different attacks that affect smart contract security’s integrity. If any of these attacks become successful, it causes the smart contract to perform in an unanticipated manner. In such a case, parties involved with the contract agreement might incur a huge loss. They include: 

Reentrancy

This is one of the most catastrophic attacks on smart contract security protocols. The attack can completely render the smart contract useless or steal valuable information. This type of attack occurs when a function calls for another contract through an outer call. Such vulnerability enables an attacker to execute a recursive call back of the main function. The action creates an unintended loop that recurs many times. When a vulnerable smart contract has a revoke function, an attacker may call the revoke function multiple times to drain all available balance in the contract. 

Smart Contract Underflow and Overflow

This particular attack on smart contract security is relatively easy to initiate. It attacks transactions that accept unauthorized input data or value. A smart contract overflow happens when more value is provided than the maximum value. 

Smart contracts are often written in solidity, which can handle up to 256-bit numbers. Therefore, an increment by one would amount to an overflow. On the other hand, smart contract underflow is the total opposite of the overflow. 

Short Address Attack

The attack occurs when the Ethereum Virtual Machine (EVM) is weak. EVM can allow imprecise padded arguments, allowing hackers to send specially crafted addresses that lead to exploitation. This attack has the same strategy as the SQL injection bug. 

DELETECALL 

Most times, smart developers use the CALL and DELETECALL to modularize written code. Although the DELEGATE opcode comprises a similar function to the message CALL, the msg.sender and msg.value doesn’t get altered. Such a feature allows developers to generate reusable code, improving the chance of abrupt code-execution using DELETECALL. This DELETECALL shows that it is possible to introduce flaws, leading to new smart contract security vulnerabilities. 

Transaction Ordering Dependence (TOD)

This vulnerability allows corrupt miners to have a damaging effect on smart contracts. The vulnerability relies on the order of transaction execution. For instance, every newly generated block contains two transactions that enforce the smart contract. This feature doesn’t provide enough information to users to determine the agreement’s state or about the initiation of an individual’s invocation. In the Ethereum blockchain, miners control the order of transactions, and they prioritize transactions with higher gas. 

Therefore, any miner that closes a block can influence the order of the transaction. 

Timestamp Dependence

It is a smart vulnerability that attackers can exploit to compromise the integrity of smart contract projects. A corrupt miner can alter the timestamp by a few seconds since the platform gives miners about 30 seconds of block validation. Therefore, the outcome of the random number generated can be manipulated to gain benefits.

Smart Contract Security Techniques

There are about ten major security analyses that are in place to identify vulnerabilities in smart contracts. The deployment of most of these tools is for static and dynamic analysis of smart contract codes. These security techniques include Slither, MythX, Mythril, Manticore, Security, Smartcheck, Echidna, Oyente, Vandal, and Zeus. Each of these security techniques has a certain ability to identify vulnerabilities on smart contracts, and they have their limitations too. Whichever security technique you employ, ensure that you understand the limitations that it has. 

Conclusion

The importance of smart contract security cannot be overemphasized, especially now that smart contracts are gaining more traction. As technology expands, it catches the attention of more attackers. Therefore, it must be well protected from any form of attack. However, one can still not guarantee the proper solution to secure smart contracts; hence smart contract security is a big challenge. Consequently, there is a need for smart contract security audit. 

Xord is here for your Blockchain projects and free Blockchain consultation. Connect with our Blockchain experts at https://xord.one/contact/

Categories:

Leave a Comment

Xord is a blockchain solution provider company. At Xord, We develop decentralized solutions making world trustworthy & secure place, using blockchain technology.