Abstract
Blockchain has gradually been popularized by its transparency, fairness, and democracy. This technology has opened the door to the development of Ethereum, a blockchain platform with smart contracts that can hold and automatically transfer tokens. Like a legacy computer program, smart contracts are vulnerable to security bugs. In recent years, many successful attacks on the Ethereum network have been recorded, costing victims millions of dollars. In this paper, we classify the attack vectors of Ethereum smart contracts and then propose behaviour-based methods to detect them. To realize these ideas, we implement Abbe, a tool that can not only discover known attacks but also detect zero-day vulnerabilities.
Notes
- 1.
- 2.
Ether is the name of the cryptocurrency used in the Ethereum blockchain. Ether can be transferred among accounts and exchanged for other currencies. 1 ether was worth US$217 (recorded on Aug 18, 2019).
- 3.
The price per unit of gas is set by the sender. The higher the price, the faster the transaction may be processed. All consumed gas must be paid for in ether.
- 4.
- 5.
All releases of solcjs are listed at https://ethereum.github.io/solc-bin/bin/list.js.
- 6.
The private repository of Abbe is located at https://github.com/nxqbaos/abbe2. Access to this repository is granted upon request.
- 7.
The Abbe tool has been invited to be presented at Hack In The Box (HITB+) Cyber Week’s Conference, Oct. 15–17, 2019, Abu Dhabi, UAE.
Acknowledgement
During the preparation of this work, the first author was partially supported by the University of Technology (HCMUT), VNU-HCM under “Student Scientific Research” Grant Number 121/H-HBK-KHCN&DA, and the last author was partially funded by Vietnam National University-HCMC under Grant C2019-20-14. The authors would like to thank Nguyen Van Thanh for his comments, which helped to improve the manuscript significantly.
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Nguyen, QB., Nguyen, AQ., Nguyen, VH., Nguyen-Le, T., Nguyen-An, K. (2019). Detect Abnormal Behaviours in Ethereum Smart Contracts Using Attack Vectors. In: Dang, T., Küng, J., Takizawa, M., Bui, S. (eds) Future Data and Security Engineering. FDSE 2019. Lecture Notes in Computer Science, vol 11814. Springer, Cham. https://doi.org/10.1007/978-3-030-35653-8_32
DOI: https://doi.org/10.1007/978-3-030-35653-8_32
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35652-1
Online ISBN: 978-3-030-35653-8
eBook Packages: Computer Science (R0)