Abstract
Smart contracts have revolutionized the way in which legal contracts are facilitated and executed. However, they are equipped with potential vulnerabilities and security threats in their design. These vulnerabilities pave the way for hacking smart contracts, resulting in huge losses. The security vulnerabilities of smart contracts can be used to illegitimately steal money. As an illustration, some known security vulnerabilities of smart contracts include arithmetic bugs, exceptions, re-entrancy attacks, and flash loan attacks [Dimov (Security of Smart Contracts - Infosec Resources (infosecinstitute.com), 2016)].
The number of attacks on smart contracts accounts for a significant proportion of the number of attacks from different layers and components. For instantiation, an attacker in the DAO exploited a bug in the smart contract to repeatedly steal money, causing investors to lose approximately $50 million in cryptocurrency value [Huang et al. (IEEE Access 7:150184–150202, 2019)].
This chapter puts forward some important vulnerabilities and threats in smart contracts that pose major challenges for smart contract designers. The consequences of these vulnerabilities and threats have resulted in detrimental effects in the past. The chapter also outlines solutions to avoid security issues related to smart contracts. Finally, sample attack scenarios are created to demonstrate these threats and the pragmatic approach behind them.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Christof Ferreira Torres, Julian Schütte, and Radu State, OSIRIS: Hunting for Integer Bugs in Ethereum Smart Contracts, https://orbilu.uni.lu/bitstream/10993/36757/1/osiris.pdf
Enmei Lai and Wenjun Luo, Static Analysis of Integer Overflow of Smart Contracts in Ethereum, ICCSP 2020: Proceedings of the 2020 4th International Conference on Cryptography, Security and Privacy, pp. 110-115, 2020.
Michael Rodler, Wenting Li, Ghassan O. Karame, Lucas Davi, Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks, Network and Distributed System Security (NDSS) Symposium, pp. 1-15, 2019.
Pengcheng Zhang, Feng Xiao, and Xiapu Luo, SolidityCheck : Quickly Detecting Smart Contract Problems Through Regular Expressions, https://arxiv.org/pdf/1911.09425.pdf, 2019.
Richard Ma, Jan Gorzny, Edward Zulkoski, Kacper Bak, and Olga V. Mack, Chapter 4: Common Security Flaws, Fundamentals of Smart Contract Security, Computer Engineering Foundations, Currents, and Trajectories Collection, Momentum Press, 2019.
Mudabbir Kaleem, Anastasia Mavridou, and Aron Laszka, Vyper: A Security Comparison with Solidity Based on Common Vulnerabilities, Cryptography and Security, 2020, https://arxiv.org/abs/2003.07435#:~:text=Vyper%3A%20A%20Security%20Comparison%20with%20Solidity%20Based%20on%20Common%20Vulnerabilities,-Mudabbir%20Kaleem%2C%20Anastasia&text=Vyper%20has%20been%20proposed%20as,Solidity%20since%20the%20system's%20inception.
Jonghyuk Song, Attack on Pseudo-random number generator(PRNG) used in Cryptogs, an Ethereum (CVE-2018–14715), 2018, https://medium.com/coinmonks/attack-on-pseudo-random-number-generator-prng-used-in-cryptogs-an-ethereum-cve-2018-14715-f63a51ac2eb9.
Rick Fontein, Comparison of static analysis tooling for smart contracts on the EVM, https://telluur.com/utwente/bachelor/Module%2012%20-%20Bachelor%20Referaat/comparison-static-analysis.pdf.
HackPedia: 16 Solidity Hacks/Vulnerabilities,their Fixes and Real World Examples, 2018, https://medium.com/hackernoon/hackpedia-16-solidity-hacks-vulnerabilities-their-fixes-and-real-world-examples-f3210eba5148.
Phitchayaphong Tantikul and Sudsanguan Ngamsuriyaroj, Exploring Vulnerabilities in Solidity Smart Contract, 6th International Conference on Information Systems Security and Privacy (ICISSP), Valletta-Malta, 2020, https://www.scitepress.org/Papers/2020/89098/89098.pdf.
Sergei Tikhomirov, Ekaterina Voskresenskaya, Ivan Ivanitskiy, Ramil Takhaviev, Evgeny Marchenko, and Yaroslav Alexandrov, SmartCheck: Static Analysis of Ethereum Smart Contracts, 2018 ACM/IEEE 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, pp. 9-16, 2018.
Alexander Mense and Markus Flatscher, Security Vulnerabilities in Ethereum Smart Contracts, iiWAS2018: Proceedings of the 20th International Conference on Information Integration and Web-based Applications & Services, pp. 375–380, 2018.
Ardit Dika and Mariusz Nowostawski, Security Vulnerabilities in Ethereum Smart Contracts, IEEE Confs on Internet of Things, Green Computing and Communications, Cyber, Physical and Social Computing, Smart Data, Blockchain, Computer and Information Technology, Congress on Cybermatics, pp. 955-962, 2018.
Chris Coverdale, Solidity: Transaction-Ordering Attacks, https://medium.com/coinmonks/solidity-transaction-ordering-attacks-1193a014884e, 2018.
SWC-114, SWC Registry, Smart Contract Weakness Classification and Test Cases, https://swcregistry.io/docs/SWC-114.
Sidi Mohamed Beillahi, Eric Keilty, Keerthi Nelaturu, Andreas Veneris, and Fan Long, Automated Auditing of Price Gouging TOD Vulnerabilities in Smart Contracts, IEEE International Conference on Blockchain and Cryptocurrency (ICBC), pp. 1-6, 2022.
Yogesh Kulkarni, Denial of Service (DoS)Attack on SmartContracts, finxter, https://blog.finxter.com/denial-of-service-dos-attack-on-smart-contracts/.
Noama Fatima Samreen and Manar H. Alalfi, SmartScan: An approach to detect Denial of Service Vulnerability in Ethereum Smart Contracts, https://arxiv.org/abs/2105.02852#:~:text=version%2C%20v3)%5D-,SmartScan%3A%20An%20approach%20to%20detect%20Denial%20of,Vulnerability%20in%20Ethereum%20Smart%20Contracts&text=Blockchain%20technology%20(BT)%20Ethereum%20Smart,of%20a%20central%20authorizing%20agency, 2021.
SWC-128, SWC Registry, Smart Contract Weakness Classification and Test Cases, DoS With Block Gas Limit, https://swcregistry.io/docs/SWC-128.
SWC-113, SWC Registry, Smart Contract Weakness Classification and Test Cases, DoS with Failed Call, https://swcregistry.io/docs/SWC-113.
Bybit Learn, What Is a Flash Loan Attack — and How DoI Prevent It?, Coinspeaker, https://www.coinspeaker.com/guides/what-is-flash-loan-attack-and-how-to-prevent-it/#:~:text=One%20example%20of%20them%20is,causing%20the%20price%20to%20plummet, 2021.
Kaihua Qin, Liyi Zhou, Benjamin Livshits, and Arthur Gervais, Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit, Financial Cryptography and Data Security. FC 2021. Lecture Notes in Computer Science(), vol 12674. Springer, Berlin, Heidelberg, 2021.
Yixin Cao, Chuanwei Zou, and Xianfeng Cheng, Flashot: A Snapshot of Flash Loan Attack on DeFi Ecosystem, https://arxiv.org/abs/2102.00626?utm_source=dlvr.it&utm_medium=twitter.
Zhiyang Chen, Sidi Mohamed Beillahi, and Fan Long, FlashSyn: Flash Loan Attack Synthesis via Counter Example Driven Approximation, https://arxiv.org/abs/2206.10708.
What is a Vampire Attack in Crypto?, WhiteboardCrypto, https://whiteboardcrypto.com/what-is-a-vampire-attack-in-crypto/.
What is a Vampire Attack? SushiSwap SagaExplained, Finematics, https://finematics.com/vampire-attack-sushiswap-explained/.
Jiahua Xu, Krzysztof Paruch, Simon Cousaert, and Yebo Feng, SoK: Decentralized Exchanges (DEX) with Automated Market Maker (AMM) Protocols, https://arxiv.org/abs/2103.12732, 2021.
How to Prevent Liquidity Vampire Attacks in DeFi?, https://blaize.tech/article-type/how-to-prevent-liquidity-vampire-attacks-in-defi/.
Maximal Extractable Value (MEV), https://ethereum.org/en/developers/docs/mev/#:~:text=Maximal%20extractable%20value%20(MEV)%20refers,of%20transactions%20in%20a%20block, 2022.
MEV: how dark is the forest?, https://medium.com/coinmonks/mev-how-dark-is-the-forest-74bcc40d185d, 2022.
Author information
Authors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Kaur, G., Habibi Lashkari, A., Sharafaldin, I., Habibi Lashkari, Z. (2023). Smart Contracts and DeFi Security and Threats. In: Understanding Cybersecurity Management in Decentralized Finance. Financial Innovation and Technology. Springer, Cham. https://doi.org/10.1007/978-3-031-23340-1_5
Download citation
DOI: https://doi.org/10.1007/978-3-031-23340-1_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-23339-5
Online ISBN: 978-3-031-23340-1
eBook Packages: Business and ManagementBusiness and Management (R0)