Skip to main content

Penetration testing framework for smart contract Blockchain

Peer-to-Peer Networking and Applications volume 14pages 2635–2650 (2021)Cite this article

Abstract

Smart contracts powered by blockchain ensure transaction processes are effective, secure and efficient as compared to conventional contacts. Smart contracts facilitate trustless process, time efficiency, cost effectiveness and transparency without any intervention by third party intermediaries like lawyers. While blockchain can counter traditional cybersecurity attacks on smart contract applications, cyberattacks keep evolving in the form of new threats and attack vectors that influence blockchain similar to other web and application based systems. Effective blockchain testing help organizations to build and utilize the technology securely withe connected infrastructure. However, during the course of our research, the authors detected that Blockchain technology comes with security considerations like irreversible transactions, insufficient access, and non-competent strategies. Attack vectors, like these are not found on web portals and other applications. This research presents a new Penetration Testing framework for smart contracts and decentralized apps. The authors compared results from the proposed penetration-testing framework with automated penetration test Scanners. The results detected missing vulnerability that were not reported during regular pen test process.

This is a preview of subscription content, access via your institution.

Access options

Buy single article

Instant access to the full article PDF.

USD 39.95

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10

References

  1. Greenspan G (2018) Why Many Smart Contract Use Cases Are Simply Impossible. Retrieved March 10, 2020, from https://www.coindesk.com/three-smart-contract-misconceptions

  2. Tsankov P (2018) Security practical security analysis of smart contracts. ArXiv preprint, arXiv: 1806.01143v2

  3. Wang F, Yuan Y, Rong C, Zhang J (2018) Parallel Blockchain: an architecture for CPSS-based smart societies. IEEE transactions of. Comput Soc 5(2):303–310

    Google Scholar 

  4. Zhang Y (2018) Smart contract-based access control for internet of things (IoT). ArXiv Preprint arXiv 1802(04410):2018

    Google Scholar 

  5. Xu L, Mcardle G (2018) Internet of too many things in smart transport: the problem, the side effects and the solution. IEEE Access 6:62840–62848. https://doi.org/10.1109/ACCESS.2018.2877175

    Article  Google Scholar 

  6. Li Y, Cheng X, Cao Y, Wang D, Yang Y (2018) Smart choice for the smart grid: narrowband internet of things (NB-IoT). IEEE Internet Things J 5(3):1505–1515. https://doi.org/10.1109/JIOT.2017.2781251

    Article  Google Scholar 

  7. Amani S, Bégel M, Bortin M, Staples M (2018) Towards verifying Ethereum smart contract Bytecode in Isabelle/HOL. Proceedings of 7th ACM SIGPLAN international conference for certified program proofs (CPP), Los Angeles, 66–77

  8. Wang S (2018) A preliminary research of prediction markets based on Blockchain powered smart contracts. Proceedings of IEEE international conference of Blockchain, 1287–1293

  9. Chang T, Svetinovic D (2019) Improving Bitcoin ownership identification using transaction patterns analysis. IEEE Trans Syst Man Cyber Syst Pub 50:9–20. https://doi.org/10.1109/TSMC.2018.2867497

    Article  Google Scholar 

  10. Australian Securities Exchange (2018) CHESS Replacement. Retrieved February 15, 2020 from https://www.asx.com.au/services/chess-replacement.htm

  11. US Securities and Exchange Commission (2018). Investor Bulletin: Initial Coin Offerings. Retrieved February 5, 2020, from https://www.sec.gov/oiea/investor-alerts-and-bulletins/ib_coinofferings

  12. Zhang J (2018) Cyber-physical social systems: the state of the art and perspectives. IEEE Trans Comput Soc 5(3):829–840

    Article  Google Scholar 

  13. What is a DAO? (2018) Retrieved February 17, 2020, from https://blockchainhub.net/dao-decentralized-autonomous-organization

  14. Wan J, Li J, Imran M, Li M, Fazal A (2019) Blockchain-based solution for enhancing security and privacy in smart factory. IEEE transactions on industrial informatics (early access), IEEE systems, man, and cybernetics society. https://doi.org/10.1109/TII.2019.2894573

  15. Pouttu A, Liinamaa O, Destino G (2018) 5G test network (5GTN) — environment for demonstrating 5G and IoT convergence during 2018 Korean Olympics between Finland and Korea," IEEE INFOCOM 2018 - IEEE conference on computer communications workshops (INFOCOM WKSHPS), Honolulu, HI, 2018, pp. 1–2, https://doi.org/10.1109/INFCOMW.2018.8406996

  16. Choo K, Gritzalis S, Park J (2018) Cryptographic solutions for industrial internet-of-things: research challenges and opportunities. IEEE Trans Industrial Info 14(8):3567–3569. https://doi.org/10.1109/TII.2018.2841049

    Article  Google Scholar 

  17. Tonelli R, Lunesu M, Pinna A, Taibi D, Marchesi M (2019) Implementing a microservices system with Blockchain smart contracts. IEEE international workshop on Blockchain oriented software engineering (IWBOSE), Hangzhou. https://doi.org/10.1109/IWBOSE.2019.8666520

    Book  Google Scholar 

  18. Amoordon A, Rocha H (2019) Presenting Tendermint: Idiosyncrasies, Weaknesses, and Good Practices. IEEE international workshop on Blockchain oriented software engineering (IWBOSE), Hangzhou. https://doi.org/10.1109/IWBOSE.2019.8666541

    Book  Google Scholar 

  19. Yamashita K, Nomura Y, Zhou F, Pi B, Jun S (2019) Potential risks of hyper ledger fabric smart contracts. IEEE international workshop on Blockchain oriented software engineering (IWBOSE), Hangzhou. https://doi.org/10.1109/IWBOSE.2019.8666486

    Book  Google Scholar 

  20. Al-Jaroodi J, Mohamed N (2019) Industrial applications of Blockchain. IEEE 9th annual computing and communication workshop and conference (CCWC), Las Vegas. https://doi.org/10.1109/CCWC.2019.8666530

    Book  Google Scholar 

  21. The Energy Web Foundation (2018) Promising Blockchain Applications for Energy: Separating the Signal from the Noise. Retrieved April 2, 2020, from http://www.coinsay.com/wp-content/uploads/2018/07/Energy-Futures-Initiative-Promising-Blockchain-Applications-for-Energy.pdf

  22. Mohamed N, Al-Jaroodi J (2019) Applying Blockchain in industry 4.0 applications. IEEE 9th annual computing and communication workshop and conference (CCWC), Las Vegas. https://doi.org/10.1109/CCWC.2019.8666558

  23. Draper A, Familrouhani A, Cao D, Heng T, Han W (2019) Security applications and challenges in Blockchain. IEEE international conference on consumer electronics (ICCE), Las Vegas, NV https://doi.org/10.1109/ICCE.2019.8661914

  24. Mahmood S, Hasan R, Ullah A, Sarker U (2019) SMART security alert system for monitoring and controlling container transportation. 4th MEC international conference on big data and Smart City (ICBDSC), Muscat. https://doi.org/10.1109/ICBDSC.2019.8645574

  25. Tateishi T, Yoshihama S, Sato N, Saito S (2019) Automatic smart contract generation using controlled natural language and template. IBM J Res Dev (Early Access), IBM. https://doi.org/10.1147/JRD.2019.2900643

  26. Wang S, Ouyang L, Yuan Y, Ni X, Han X, Wang F (2019) Blockchain-enabled smart contracts: architecture, applications, and future trends. IEEE transactions on systems, man, and cybernetics: systems (early access), IEEE systems, man, and cybernetics society. https://doi.org/10.1109/TSMC.2019.2895123

  27. Hildenbrandt E (2018) KEVM: A complete formal semantics of the Ethereum virtual machine. IEEE 31st computer Security Foundation symposium (CSF), 204–217

  28. Ozyilmaz R, Yurdakul A (2019) Designing a Blockchain-based IoT with Ethereum, swarm, and LoRa: the software solution to create high availability with minimal security risks. IEEE consumer electronics magazine, volume: 8, issue 2, 28–34. IEEE Consum Electron Soc 8:28–34. https://doi.org/10.1109/MCE.2018.2880806

  29. Knirsch F, Unterweger A, Engel D (2018) Privacy-preserving Blockchain-based electric vehicle charging with dynamic tariff decisions. Compute. Sci. Res. Develop. 33(1–2):71–79

    Article  Google Scholar 

  30. Suliman A, Husain Z, Abououf M, Alblooshi M, Salah K (2019) Monetization of IoT data using smart contracts. IET Networks 8(1):32–37. https://doi.org/10.1049/iet-net.2018.5026

    Article  Google Scholar 

  31. Wood G (2016). Ethereum: A secure decentralized generalized transaction ledger. Retrieved March 15, 2020, from https://ethereum.github.io/yellowpaper/paper.pdf

  32. Alladi T, Chamola V, Parizi R Choo R (2019) Blockchain applications for industry 4.0 and industrial IoT: a review. IEEE access, special section on distributed computing infrastructure for cyber-physical systems, volume 2019 (7). https://doi.org/10.1109/ACCESS.2019.2956748

  33. Ch R, Gadekallu T, Abidi M, Al-Ahmari A (2020) Computational system to classify cyber crime offenses using machine learning. MDPI J Sustainability 12. https://doi.org/10.3390/su12104087

  34. Azab A, Alazab M, Aiash M (2016) Machine learning based botnet identification traffic. In 2016 IEEE Trustcom/BigDataSE/ISPA (pp 1788-1794). IEEE

  35. Reddy GT, Sudheer K, Rajesh K, Lakshmanna K (2014) Employing data mining on highly secured private clouds for implementing a security-asa-service framework. J Theor Appl Inf Technol 59(2):317–326

    Google Scholar 

  36. Qin R, Yuan Y, Wang Y (2018) Research on the selection strategies of Blockchain mining pools. IEEE Trans Comput Soc 5(3):748–757

    Article  Google Scholar 

  37. Gatteschi V, Lamberti F, Demartini C, Pranteda C, Santamaria V (2018) Blockchain and smart contracts for insurance: is the technology mature enough? IEEE Future Internet 10(2):20–26

    Article  Google Scholar 

  38. Lin C, Wang Z, Deng J, Wang L, Ren J, Wu G (2018) mTS: temporal-and spatial-collaborative charging for wireless rechargeable sensor networks with multiple vehicles. IEEE INFOCOM 2018 - IEEE conference on computer communications. Honolulu, HI 2018:99–107. https://doi.org/10.1109/INFOCOM.2018.8486402

    Article  Google Scholar 

  39. Struye J, Braem B, Latré S, Marquez-Barja J (2018) The CityLab testbed — large-scale multi-technology wireless experimentation in a city environment: neural network-based interference prediction in a smart city, vol 2018. IEEE INFOCOM 2018 - IEEE conference on computer communications workshops (INFOCOM WKSHPS), Honolulu, pp 529–534. https://doi.org/10.1109/INFCOMW.2018.8407018

  40. Shah B, Chen Z, Yin F, Khan I, Ahmad N (2018) Energy and interoperable aware routing for throughput optimization in clustered IoT-wireless sensor networks. Futur Gener Comput Syst 81:372–381

    Article  Google Scholar 

  41. Shah B, Zhe C, Yin F, Khan I, Begum S, Faheem M, Khan F (2018) 3D weighted centroid algorithm & RSSI ranging model strategy for node localization in WSN based on smart devices. Sustain Cities Soc 39:298–308

    Article  Google Scholar 

  42. Numan M, Subhan F, Khan WZ, Hakak S, Haider S, Reddy G, Alazab M (2020) A systematic review on clone node detection in static wireless sensor networks. IEEE Access 8:65450–65461

    Article  Google Scholar 

  43. Bhattacharya S, Kaluri R, Singh S, Alazab M, Tariq U (2020) A novel PCA-firefly based XGBoost classification model for intrusion detection in networks using GPU. Electronics 9(2):219

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India

    Akashdeep Bhardwaj & Manoj Kumar

  2. School of Software, Dalian University of Technology China, Dalian, China

    Syed Bilal Hussian Shah

  3. Department of Computer Science, Amity University, Noida, Uttar Pradesh, India

    Achyut Shankar

  4. College of Engineering, IT and Environment, Charles Darwin University, Brinkin, NT, 0909, Australia

    Mamoun Alazab

  5. School of Information technology and Engineering, Vellore Institute of Technology, Vellore, India

    Thippa Reddy Gadekallu

Authors
  1. Akashdeep Bhardwaj
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Syed Bilal Hussian Shah
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Achyut Shankar
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mamoun Alazab
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Manoj Kumar
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Thippa Reddy Gadekallu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Syed Bilal Hussian Shah or Thippa Reddy Gadekallu.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Highlights

This research presents a new framework to perform manual penetration testing framework on smart contract application and decentralized apps.

• Results from the new proposed penetration-testing framework and automated penetration test scanners are compared in this research for Blockchain applications. No other framework currently performs such validations.

• The new framework detected missing vulnerabilities that were initially not reported during the regular penetration testing process, which could have made the Blockchain contract app vulnerable to Cyber-attacks and threats.

• While in real-time Cyber space, no one can ensure that the operations would be executed in a predefined order. Any malicious user could cheat the seller if the buyer intentionally changes the order of transactions or execution process. The proposed framework performs validation and compares input as well as any mismatch for actual steps against the predefined properties and process.

• The authors also compared the tool and manual penetration testing results to analyze in the wake of removing the vulnerabilities discovered amid penetration Tests for the smart contract applications.

This article is part of the Topical Collection: Special Issue on Blockchain for Peer-to-Peer Computing

Guest Editors: Keping Yu, Chunming Rong, Yang Cao, and Wenjuan Li

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Bhardwaj, A., Shah, S.B.H., Shankar, A. et al. Penetration testing framework for smart contract Blockchain. Peer-to-Peer Netw. Appl. 14, 2635–2650 (2021). https://doi.org/10.1007/s12083-020-00991-6

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12083-020-00991-6

Keywords

  • Attack vectors
  • Blockchain
  • Cyber threats
  • Cybersecurity
  • OWASP
  • Smart contracts