Document Type : Research Article

Authors

Blockchain Laboratory, Faculty of Electrical and Computer Engineering, Tarbiat Modares University, Tehran, Iran

Abstract

Smart contracts are applications that are deployed on a blockchain and executed through transactions. Their code and state are persisted on the ledger, and their execution is validated by every blockchain node. Because smart contracts often hold and manage cryptocurrency, their code must be secured against attacks. A smart contract can be secured either by fixing its source or byte code before deployment (offline) or by inserting protection code into the runtime (online). Offline methods lack the runtime data needed for effective protection, while the existing online methods are too costly. In this paper, we propose a low-overhead online method that complements the offline methods. Our protections are organized into several safety guards. The guards are implemented in the blockchain nodes (clients) and are activated by parameters that the contract sets in its constructor. After deployment, the configured guards protect the contract and revert suspicious transactions. We have implemented the proposed safety guards with small changes to the Hyperledger Besu Ethereum client. Our evaluation shows that the implementation is effective in preventing the corresponding attacks and has low execution overhead.

Keywords
