OVERVIEW OF VULNERABILITIES IN SMART CONTRACTS WRITTEN IN SOLIDITY
DOI:
https://doi.org/10.14308/ite000787Keywords:
smart contract, Solidity, vulnerabilities, Ethereum, cybersecurity, cyberattack, blockchain, Decentralized Finance (DeFi)Abstract
The increasing interest in blockchain and smart contract technologies has brought attention to the security challenges associated with these innovative solutions. Smart contracts, which are written in the Solidity programming language and executed on the Ethereum platform, offer new opportunities for automating legal and financial transactions. However, they also pose risks related to code and data security.
The article discusses the fundamental principles of smart contracts, with a focus on the Solidity language and the vulnerabilities that commonly arise during development. The authors provide a concise overview of academic research on smart-contract security, highlighting the significance of each paper. This review provides readers with an understanding of the current state of research in smart contract cybersecurity and emphasizes the importance of enhancing the security of blockchain technologies.
Given the increasing complexity and expanding applications of blockchain technologies, studying smart contract vulnerabilities is crucial. This study highlights the significance of conducting a systematic analysis of cyberattacks, including a detailed examination of each type and incident of attack. This approach can prevent potential vulnerabilities and effectively minimize the risks of attacks. Such an approach is crucial to ensure the further development and popularization of blockchain technology.
The paper provides examples that illustrate real-life cases of smart contract vulnerabilities and discusses the consequences of such vulnerabilities. Analyzing these examples provides insight into the importance of careful code development and auditing, as well as the significance of ongoing cybersecurity education and training for developers. Recommendations for future research are provided and vectors for future work are outlined.
This paper may interest individuals involved in smart contract development, blockchain and cybersecurity research, and those interested in blockchain technology.
Downloads
Metrics
References
2. Ethereum Foundation. (2023, December 15). Ethereum. Retrieved from https://ethereum.org/en/
3. Ethereum Foundation. (2023, December 15). ERC-20 Token Standard. Retrieved from https://ethereum.org/en/developers/docs/standards/tokens/erc-20/
4. Smart Contract Weakness Classification and Test Cases (SWC Registry). (2023, December 15). Retrieved from https://swcregistry.io/
5. Zipfel, K. (2023, December 15). Smart Contract Vulnerabilities. Retrieved from https://github.com/kadenzipfel/smart-contract-vulnerabilities/tree/master/vulnerabilities
6. Mehar, M., Shier, C., Giambattista, A., Gong, E., Fletcher, G., Sanayhie, R., Kim, H. M., & Laskowski, M. (2017). Understanding a Revolutionary and Flawed Grand Experiment in Blockchain: The DAO Attack. Retrieved from https://dx.doi.org/10.2139/ssrn.3014782
7. Lai, E., & Luo, W. (2020). Static Analysis of Integer Overflow of Smart Contracts in Ethereum. Retrieved from https://dx.doi.org/10.1145/3377644.3377650
8. OpenZeppelin. (2023, December 15). SafeMath. Retrieved from https://docs.openzeppelin.com/contracts/2.x/api/math
9. Zhang, X., Li, Z., Xu, X., Zhao, X., & Kang, Q. (2023). Deep learning-based solution for smart contract vulnerabilities detection. Scientific Reports, 13, 4241. https://doi.org/10.1038/s41598-023-47219-0
10. Li, C., Nie, S., Cao, Y., Yu, Y., & Hu, Z. (2020). Trace-Based Dynamic Gas Estimation of Loops in Smart Contracts. Retrieved from https://dx.doi.org/10.1109/OJCS.2020.3039991
11. Nassirzadeh, B., Sun, H., Banescu, S., & Ganesh, V. (2021). Gas Gauge: A Security Analysis Tool for Smart Contract Out-of-Gas Vulnerabilities. Retrieved from https://dx.doi.org/10.1007/978-3-031-18679-0_9
12. Fang, Y., Wu, D., Yi, X., Wang, S., Chen, Y., Chen, M., Liu, Y., & Jiang, L. (2023). Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts. Retrieved from https://dx.doi.org/10.1145/3597926.3598125
13. CertiK. (2022, September 28). MEV Bot OxBAD... Incident Analysis. CertiK Blog. https://www.certik.com/blog/mev-bot-oxbad-incident-analysis
14. Wang, C., Jiang, H., Wang, Y., Huang, Q., & Zuo, Z. (2023). Research on smart contract vulnerability detection method based on domain features of solidity contracts and attention mechanism. Retrieved from https://dx.doi.org/10.3233/jifs-224489
15. Ethereum Foundation. (2023, December 15). Ethereum Virtual Machine (EVM). Retrieved from https://ethereum.org/en/developers/docs/evm/
16. Xu, Y., Hu, G., You, L., & Cao, C. (2021). A Novel Machine Learning-Based Analysis Model for Smart Contract Vulnerability. Retrieved from https://dx.doi.org/10.1155/2021/5798033
17. Akça, S., Rajan, A., & Peng, C. (2019). SolAnalyser: A Framework for Analysing and Testing Smart Contracts. Retrieved from https://dx.doi.org/10.1109/APSEC48747.2019.00071
18. ConsenSys. (2023, December 15). Timestamp Dependence. In Ethereum Smart Contract Best Practices. Retrieved from https://consensys.github.io/smart-contract-best-practices/development-recommendations/solidity-specific/timestamp-dependence/
19. Franciscu, S. Y., Ruggahakotuwa, R. K., Samarawickrama, S., & Lahiru, J. (2023). GRIFFIN: Enhancing the security of smart contracts. Retrieved from https://dx.doi.org/10.17352/tcsit.000071
20. Ivanov, N., Lou, J., Chen, T., Li, J., & Yan, Q. (2021). Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts. Retrieved from https://dx.doi.org/10.1145/3433210.3453085
21. Fariz, T. (2021, September 5). Solidity Hacks/Vulnerabilities part 2. DEV Community. https://dev.to/fariztiger/solidity-hacks-vulnerabilities-part-2-2bpg
22. Crypto Panda. (2018, August 22). The $3 Million Winner of Fomo3D Is Still Playing to Win. Longhash. Retrieved from https://www.longhash.com/news/the-3-million-winner-of-fomo3d-is-still-playing-to-win
23. Nikolić, I., Kolluri, A., Sergey, I., Saxena, P., & Hobor, A. (2018). Finding The Greedy, Prodigal, and Suicidal Contracts at Scale. arXiv preprint arXiv:1802.06038. Retrieved from https://arxiv.org/pdf/1802.06038.pdf
24. Solidity Team. (2023, December 15). Known Attacks. In Ethereum Contract Security Techniques and Tips. Retrieved from https://ethereum-contract-security-techniques-and-tips.readthedocs.io/en/latest/known_attacks/
25. Solidity by Example. (2023, December 15). Front-Running. In Solidity by Example. Retrieved from https://solidity-by-example.org/hacks/front-running/
26. Cybernews. (2021, October 4). Flash Boys 2.0: Front-runners draining $280 million per month from crypto transactions. Cybernews. Retrieved from https://cybernews.com/crypto/flash-boys-2-0-front-runners-draining-280-million-per-month-from-crypto-transactions/
27. Neptune Mutual. (2023, December 15). Solidity Front-Running Attack. В Neptune Mutual. Retrieved from https://neptunemutual.com/blog/solidity-front-running-attack/
28. Yang, Z., & Lei, H. (2018). Lolisa: Formal Syntax and Semantics for a Subset of the Solidity Programming Language. arXiv preprint arXiv:1803.09885. https://arxiv.org/abs/1803.09885
29. Staderini, M., Pataricza, A., & Bondavalli, A. (2023, December 15). Security Evaluation and Improvement of Solidity Smart Contracts. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.4038087
30. Zaazaa, O., & El Bakkali, H. (2023). A systematic literature review of undiscovered vulnerabilities and tools in smart contract technology. Journal of Intelligent Systems. https://doi.org/10.1515/jisys-2023-0038
31. Soud, M., Qasse, I. A., Liebel, G., & Hamdaqa, M. (2022). AutoMESC: Automatic Framework for Mining and Classifying Ethereum Smart Contract Vulnerabilities and Their Fixes. Retrieved from https://dx.doi.org/10.48550/arXiv.2212.10660
32. Perez, D., & Livshits, B. (2023, December 15). Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited. Retrieved from https://dblp.org/rec/conf/uss/0001L21.html
Published
How to Cite
Issue
Section
License
Copyright (c) 2024 Viktor Rud
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
