In Code We Trust?

Measuring the Control Flow Immutability of All Smart Contracts Deployed on Ethereum

  • Conference paper
Data Privacy Management, Cryptocurrencies and Blockchain Technology (DPM 2017, CBT 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10436)

Abstract

Program code stored on the Ethereum blockchain is considered immutable, but this does not imply that its control flow cannot be modified. This bears the risk of loopholes whenever parties encode binding agreements in smart contracts. In order to quantify the issue, we define a heuristic indicator of control flow immutability, evaluate it based on a call graph of all smart contracts deployed on Ethereum, and find that two out of five smart contracts require trust in at least one third party. Besides, the analysis reveals that significant parts of the Ethereum blockchain are interspersed with debris from past attacks against the platform. We leverage the call graph to develop a method for data cleanup, which allows for less biased statistics of Ethereum use in practice.

Notes

  1. In a slight abuse of legal terminology, this notion of legitimacy includes everything except attacks against the platform as a whole.

  2. Private refers to scope and write access. It does not imply any confidentiality.

  3. A node that follows the protocol. We make this assumption throughout the paper.

  4. For completeness: user accounts also have nonces. The nonce of a user account is the number of transactions sent by that account.

  5. EVM instruction SELFDESTRUCT.

  6. https://etherscan.io/.

  7. Accessed on 19 June 2017.

  8. https://github.com/alex-miller-0/Ethereum_Blockchain_Parser.

  9. https://github.com/ethereum/wiki/wiki/JSON-RPC.

  10. https://github.com/paritytech/parity/wiki/JSONRPC-trace-module.

  11. https://www.mongodb.com/.

  12. https://github.com/Arachnid/evmdis/.

  13. Via abstract interpretation.

  14. Specifically: CALL, DELEGATECALL, CALLCODE.

  15. Reaching a CALLDATALOAD instruction.

  16. Reaching a SLOAD instruction.

  17. Reaching a PUSH20: an address is 20 bytes long.

  18. Using the networkX graph library, https://networkx.github.io/.

  19. At the addresses 0x1, 0x2, 0x3, 0x4.

  20. See TxHash: 0xf435a354924097686ea88dab3aac1dd464e6a3b387c77aeee94145b0fa5a63d2.

  21. From 01 May 2016 until the hard fork on 18 Oct 2016.

  22. Address: 0x1fa0e1dfa88b371fcedf6225b3d8ad4e3bacef0e.

  23. Block number: 3 633 433.

  24. Assuming 12 s block time.

Acknowledgments

We would like to thank Dr. Christian Reitwießner for answering many Ethereum-related questions, Dr. Arthur Gervais for pointing out the existence of the parity tracing API and the excellent parsing script, Nick Johnson for the creation of the evmdis disassembler, Martin Holst Swende for the additional material on the Ethereum DoS attacks, and Clemens Brunner for proofreading and discussions. This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 740558.

Corresponding author

Correspondence to Michael Fröwis.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Fröwis, M., Böhme, R. (2017). In Code We Trust?. In: Garcia-Alfaro, J., Navarro-Arribas, G., Hartenstein, H., Herrera-Joancomartí, J. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM 2017, CBT 2017. Lecture Notes in Computer Science, vol 10436. Springer, Cham. https://doi.org/10.1007/978-3-319-67816-0_20

  • DOI: https://doi.org/10.1007/978-3-319-67816-0_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-67815-3

  • Online ISBN: 978-3-319-67816-0

  • eBook Packages: Computer Science, Computer Science (R0)
