Professional Documents
Culture Documents
1
code that executes conditioned transactions between not work since they could not get the votes neces-
users and other contracts. Contracts can store value, sary in such a short time. In characteristic of smart
transfer and receive value, and execute code. The contract, developers and designers didn’t consider
execution of transactions with these contracts is per- such an attack or malicious usage condition within
formed by nodes on the EVM in a publicly visible “theDAO”. [4]
way, and paid for in units of gas.
The amount of gas allocated for a given trans- 1.4 Testing Methodology
action’s execution is finite and fixed by the creator
of the transaction. The gas cost for each EVM in- The contribution of this paper is twofold. Motivated
struction is provided in [12] and roughly correlates by existing security analyses of smart contracts in
to the computational cost of each instruction mak- Ethereum, we first demonstrate that there is indeed
ing exceptions where other system goals are consid- opportunity to infer attacks from blockchain meta-
ered. For example, arithmetic operations are very data. Second, we describe and propose future di-
cheap while storage is among the most expensive rections for our prototype of DappGuard. Addtion-
operations so that the blockchain does not grow too ally, we conclude with general discussion of smart
quickly. contract security as it relates to the Dapp and smart
A smart contract’s transaction is executed when contract environment.
it is mined into a block. Miners receive a static re-
ward, as well as the value of any gas used times 2 Background and Related Work
the gas price (set by the market and having units
ether/gas) when they successfully solve a proof-of- The Solidity language does not introduce constructs
work puzzle and submit a block to the blockchain. to deal with domain-specific aspects since its com-
putation steps are recorded on a public blockchain.
1.3 TheDAO Incident Hence, Ethereum developers had focused on cor-
rectness of its execution to avoid manipulation and
A DAO is fully autonomous, decentralized organi- tamper of adversary. However, in last couple of
zation with no single leader. It is designed to re- years it has been proven that correctness of the ex-
place the rules and structure of a traditional orga- ecution cannot guarantee security of the smart con-
nization, eliminating the need for people and cen- tract not only from reordered. several security vul-
tralized control. ”TheDAO” is one kind of DAO nerabilities in Ethereum smart contracts have been
initiated and developed by German startup Slock.it. discovered both by hands-on development experi-
“TheDAO” was launched in April 2016 became as ence. [5]
one of the most popular smart contracts since the
Ethereum blockchain started running. However,
several Ethereum developers raised questions and 2.1 Security Issues
concerns about its potential vulnerability within its Most notably, a taxonomy of vulnerabilities and re-
recursive call of splitDAO function which is used lated attacks against Solidity, the EVM, and the
for person who want to leave “theDAO” contract. blockchain were recently described by Atzei, Bar-
In mid of June 2016, one of “theDAO” creator an- toletti, and Cimoli [5]. They defined 12 vulnera-
nounced that the “recursive call bug” had been ad- bilities among these components that pose risks to
dressed and no “theDAO” contracts and funds were the contract owners. We utilize this vocabulary in
at risk. [1] our analyses and thus, we provide the list and brief
However, 3 days later after the announcement, descriptions for clarity and convenience.
unkown attacker could drain more then 3.6 mil-
lion ethers by utilizing bug in the recursive spilit- 1. Call to the unknown: This refers to any use of
DAO function. The Ethereum development team call , delegatecall , send, or direct call to
did attempt to split “theDAO” contract to prevent another contract that results results in execu-
more ether from being taken, but the attempt did tion of an unknown, possibly malicious, fall-
2
back function (the anonymous function on ev- 9. Transaction Ordering Dependence (TOD) :
ery smart contract invoked as a catch all). This occurs when the assumed state of the
blockchain is not the blockchain’s actual state
2. Gasless send: If the callee of a send (the when a transaction is executed. The order in
Ethereum function to transfer ether) is a con- which transactions are mined can have adverse
tract with a relatively expensive fallback func- effects on the execution of any given transac-
tion, then the amount of gas the caller is limited tion. This bug is said to be present in up to
to– 2300 units for sending ether to an address– %15.8 of all contracts on the blockchain1 .
will be insufficient, and an out-of-gas excep-
tion will be thrown. 10. Stack size limit: a transaction’s call stack
grows with each contract invocation, and once
3. Exception disorder: refers to unchecked the stack is 1,024 frames tall, an exception is
send errors or called contracts that throw ex- thrown. Changes to gas rules and certian in-
ceptions. The effect is that the calling contract struction costs have resolved this vulnerability
transaction is entirely reverted and all gas is in the current enviromnent.
lost.
11. Generating Randomness: many contracts
4. Type casts: if the arguments to a direct call that require random numbers use the hash of
from one contract to a function of another con- transactions yet-to-appear in the blockchain. A
tract is incorrectly typed, or the address of the malicious miner could arrange their block to
called contract is incorrect, either nothing will influence the outcome of this random number
happen, or the wrong code will execute. In nei- generation.
ther case is an exception thrown, and the caller
is not made aware. 12. Timestamp dependence: some Dapps use
timestamps to generate random numbers.
5. Reentrancy: In some cases, a contract’s fall- However, the clock in Ethereum is set by the
back function allows it to re-enter a caller func- local clocks of its miners. So, such Dapps can
tion before it has terminated. This can result be influenced with slight adjustments to min-
in the repeated execution of functions intended ers’ reported times.
only to be executed once per transaction.
Additionally, there have been at least 20 reported
6. Keeping secrets: by the public nature of the types of integer orverflow/underflow vulnerabilities.
blockchain, contract fields marked private Finally, the solidity documentation maintatins a list
are not guaranteed to remain secret- to set a of known bugs by version.
private field, a contract owner must broadcast
a transaction. Cryptographic protocols are re- 2.2 Static Analysis
quired to guarantee that fields are not visible to
anyone mining or inspecting the blockchain. It was demonstrated that many contracts are likely
vulnerable to exception disorder in the form of
7. Immutability: when a contract is added to the unchecked ’send’ instructions [3]. Further, the
blockchain, there is no way to edit it. If a con- evmdis [10] tool performs disassembly of contract
tract is found to be defective, there is often bytecode and JUMP target analysis.
nothing to be done short of killing the contract
(assuming measures were taken by the contract 2.3 Symbolic Execution: Oyente [11]
creator to make this possible).
Luu and colleagues developed the Oyente symbolic
8. Ether lost in transfer: If ether is sent to an execution system with the security goals of mit-
“orphan” address that doesn’t actually belong 1 https://medium.com/@hrishiolickel/why-smart-contracts-
to any user or contract, that ether will be lost fail-undiscovered-bugs-and-what-we-can-do-about-them-
and cannot be retrieved. 119aa2843007
3
igating TOD, exception disorder, and timestamp this information is enough to identify potentially
dependence bugs for contract owners in the pre- malicious transactions, and finally, if these mark-
deployment stage and users in the pre-transaction ers provide reason to think that common vulnera-
stage. Oyente is able to, given the Ethereum global bilities are actually being exploited in selected live
state and a contract’s bytecode, whether the con- contracts. Our findings motivate the second compo-
tract’s execution has feasible paths to the bug and nent, DappGuard, a system for live smart contract
with what input and path constraints. Oyente’s de- monitoring.
sign also utilizes a black box validator to identify
and remove false positives. 3.1 Searching for attack fingerprints
4
contract would likely stand to gain more value in to replay the attack against the DAO (an instance
ether than the gas wasted by a calling address who of reentrancy). After depositing (test) ether into the
would get an out of gas exception. Likewise, calls contract, called SimpleDAO, on behalf of multiple
to the unknown are likely mistakes rather than the other contracts, our malicious contract was able to
result of malicious activity, and tools provided by withdraw more ether than was deposited on its be-
many Ethereum wallets as well as Dapps like the half. Once we initiated the reentrancy with a call
Ethereum Name Service can help prevent erroneous to the malicious contract’s fallback (which occurs
sends. any time ether is transferred to a contract), the con-
tract was able to perform two withdrals of one ether
Integer overflow/underflow Atzei, Bartoletti, each (after depositing only one) before running out
and Cimoli identified a second possible of attack of gas.
on the DAO contract that relies on an integer un- That our example exploit was successful, and re-
derflow to allow a malicious contract to withdraw quired extremely simple techniques on behalf of the
more ether than it deposited. This is a more sub- malicious party, we expect that the same vulnerabil-
tle vulnerability than reentrancy, as it only involves ity that affected the DAO is still possible and imple-
two calls to the malicious contract’s fallback, mak- mentable (especially given that many contracts pub-
ing the attack less obvious and less likely to result lish their source code publicly). Without attention to
in an out-of-gas exception. However, we still expect the transaction receipts, or if a contract has a partic-
such an exploit to consume more gas than a normal ularly large gas allocation, such an attack might go
call, and we might also be able to detect the two fall- unnoticed, especially on high-value contracts with
back invocations in the affected transaction’s log. many transactions. The feasibility of this exploit,
and the ease with which it might go undiscovered
in less-dramatic instances than of the DAO, is evi-
Exception disorders Exceptions in Solidity are
dence that the attacks we identified are very possible
handled inconsistently, with behavior depending on
to execute.
how the inciting call was made. This means that
the identification of non-exception side-channel ef-
fects of exploits (and exceptions, in any case, aren’t 3.3 Live Contract Analysis
always a result of certain exploits) is especially im-
Seeing that a common smart contract exploit was
portant in identifying exploits that intentionally or
feasible, and could potentially be detected via aber-
unintentionally take advantage of Solidity’s confus-
rant gas usage or message values, we analyzed
ing exception handling model.
the transaction receipts for several gambling-based
Dapps.
3.2 Testing Methodology
What is likely common between the effects of ex- 3.3.1 Transaction Receipts
ploits on common smart contract vulnerabilities are
high gas usage, strange message values (especially For each of the Dapps EthereumLottery, Etheroll,
in transactions on ‘random’ gambling contracts), HonestDice, and Rouleth (versions 3.5 and 4.8), we
and suspicious fallback invocations that might be retrieved transaction receipts for up to 10,000 trans-
visible in a transaction’s log. We are interested in actions on the contract. Each transaction receipt is
the prevalence and detectabbility of these effects in of the following form:
real contracts.
{
"blockNumber":"3702663",
3.2.1 SimpleDAO
"timeStamp":"1494720276",
To test the likelihood of a given contract being sub- "hash":"0x662aca...",
ject to malicious behavior, we first deployed a smart "nonce":"40",
contract modeling the DAO contract and attempted "blockHash":"0x64b...",
5
"transactionIndex":"12", side effect of using more gas than we might
"from":"0xa4fc86...", expect, and so we can check for suspiciously
"to":"0x9473bc8b...", high gas usage among users. Again, gas usage
"value":"200000", can be variable and doesn’t necessarily indi-
"gas":"303587", cate wrongdoing, but consistently high gas us-
"gasPrice":"10000000000", age from a single user might be a sign of an
"isError":"0", attacker.
"input":"0x727b1...",
"contractAddress":"", • value: We are examining gambling contracts,
"cumulativeGasUsed":"752879", and so the value (in wei, which is equivalent to
"gasUsed":"203587", 10−18 ether) often represents a bet. A spike in
"confirmations":"3612" message value might represent a suspiciously
} high bet, perhaps indicating that the user has
more confidence than others about the outcome
Transaction receipts only refer to transactions of the gamble.
that have been successfully added to the blockchain,
so blockNumber refers to the block where the Given this information, we gathered the follow-
transaction was mined (and timeStamp the time it ing data for each contract tested:
was mined). The hash is the transaction’s iden-
• For each user, the number of transactions that
tifier. Nonce is a hash of the proof of work re-
resulted in exceptions.
quired of the miner who mined the block containing
this transaction, and the transaction’s index refers • For each user, the amount of ether transmitted
to its position relative to other transactions on the and gas per transaction (and the respective av-
block. The number of miners who agree on this erages per user).
transaction’s outcome is given in confirmations.
ContractAddress is empty for all transactions that • The total amount of gas spent on the contract’s
do not create a contract (for transactions where the transactions, the total value transferred, and the
contract of interest is called by another user or con- total number of transactions considered.
tract, the to field will be the address of the contract
• The average and standard deviation of gas us-
of interest).
age over all of the contract’s transactions, and
For the purposes of our analysis, we are interested
the average and standard deviation of value
in the following fields:
over all of the contract’s transactions.
• from: This is the address of the calling con-
tract or user. The large number of transactions • For each user and each transaction, the number
for some contracts means we might identify of standard deviations away from the contract
patterns in certain users’ behavior. average for gas and value the transaction’s gas
usage and value lie.
• isError: This flag is set to 1 when an ex-
ception occurred during the execution of the • The number of users who had transactions
transaction. Exceptions are reasonably com- where gas expenditure fell outside two stan-
mon (and can be the result of a simple mis- dard deviations of the contract’s average.
take in writing contracts or transactions), but if
Of course, evaluating value and gas usage across
specific users generate many exceptions when
users is less illustrative if gas expenditure and mes-
interacting with a given contract, we might be
sage values seem random. However, as we would
suspicious.
expect, in the contracts we tested gas usage tends to
• gasUsed: This measures (in units of gas) the peak around certain values (presumably, functions
amount of gas consumed during the transac- in the called contract expend reasonably consistent
tion’s execution. Many exploits come with the amounts of gas per call), and values seem similarly
6
clustered. The standard deviation calculations as- much more– on the order of ten-times more, in some
sumed a roughly normal distribution for gas and cases. Again, a high value transfer is not certainly
value, but this assumption was likely inappropri- suspect, but this is to show that outliers, at least for
ate for some of the contracts. More refined outlier some contracts, can be identified.
detection would be necessary to evaluate contracts
with more complicated distributions.
3.3.2 Observations
7
ecution tracing and In our experimentation, to de- The AddressModel represents each address’s in-
ploy test contracts without needing to spend real teraction with the contract– amount of value trans-
monetary value holding ether, we used a testnet and ferred, average gas usage, and the number of excep-
experimented implemnting a fail-safe by sending tions among its transactions with the contract.
transactions to our contract. As a result, we present The MinerModel serves to relate transactions on
a design for DappGuard. the contract wiht the details of the blocks and min-
The goals of DappGuard are relatively simple: ers responsible for adding them to the blockchain.
Such information as who mined a block contain-
1. Classify known attacks from transaction data ing a transaction on the contract, the order of trans-
2. Protect smart contracts from known attacks actions on that block, associated with information
from the AddressModel for the source of the trans-
3. Determine malicious actors and learn new at- action.
tacks The Rules Engine works to apply each model to
new transactions to inform judgments about the va-
To accomplish these goals, DappGuard’s archi- lidity of the transaction, and updates each model to
tecture relies on the following components: strengthen the identification of standard and mali-
cious transactions and mining patterns.
• EthWorldModel (EWM)
The BMNs serve to keep an up-to-date version
– ContractModel of the blockchain available (the Mainnet node), and
to test the execution of pending transactions on our
– AddressModel
contract (the Testnet node). These nodes are each
– MinerModel Ethereum nodes on the main network and a test net-
– Rules work (such as Ropsten or Kovan) respectively. The
Mainnet node’s job is to remain synced with the
• Blockchain Monitor Nodes (BMN) main blockchain. The job of the Testnet node is to
trace the possible states for all orderings of transac-
– Mainnet node tions on our contract that are pending on the main
– Private testnet Clone node network.
To identify security risks associated with TOD,
• TransactionRiskAnalyzer (TRA) exception disorders, and timestamp dependencies,
– Oyente Validator we validate pending transactions against the results
of the Oyente symbolic execution system. This val-
– Transaction Foretrace idator uses the results of running Oyente on our con-
– Anomaly Analysis + Rules Engine tract, in the form of constraints on function inputs
that produce bugs of these kinds, to determine the
– Responder
validity of the transaction’s execution. Security is-
The EWM stores information about transaction sues outside the scope of this validator will be ad-
histories for the contract, for users who have in- dressed by either the Testnet simulation or applica-
teracted with the contract, and metadata associated tion of our Rules Engine.
with the blocks containing each transaction. The Finally, the Responder module reacts to danger-
ContractModel stores statistics relevant to the clas- ous transactions as determined by the contract. This
sification of any new transactions– such as distribu- might send a notification to the contract owner (as a
tions of gas usage and value transferred from past logged event on the Testnet node), or initiate a take-
transactions and the number of transactions on the down of the contract, or kick off a transaction gen-
contract (in total, and from particular users). These erated by the user that changes the contract’s state
models will resemble a refined version of our live to prevent an imminent transaction from exploiting
contract analysis (Sec. 3.3). a security hole.
8
4.3 Modes of Operation 6 Discussion
4.3.1 Knowledge Acquisition Obviously, the current incarnation of DappGuard is
little more than proof-of-concept based on our de-
This mode refers to DappGuard initially populating,
veloped tools. However, we believe that our re-
maintaining, and optimizing its EthWorldModel for
search shows that blockchain data and knowledge
efficient transaction analysis. This would include
of smart contract attack mechanics can be used to
gathering a complete blockchain transaction history
detect attacks as they occur. Further, we believe by
and analysis, and updates to any known vulnera-
providing this design, we both motivate active and
bilities or risk indicators used by the Rules En-
adaptive security in the Ethereum ecosystem and
gine. Any post-mordem analysis of missed attacks
identify strong candidates for tools a system of this
would be one example. Finally, any information ex-
nature would rely on.
change with client smart contract owners that results
in changes to the EWM would fall under knowledge
acquisition for DappGuard.
9
References Code
[1] Ethereum Hack dao hack simplified.
All code relevant to this project can be found in
http://blog.erratasec.com/2016/06/
etheriumdao-hack-similfied.html. Accessed: the following repository: https://github.com/
2016-06-18. cookt/857final
[2] Ethereum what is ethereum for beginners. https://
blockgeeks.com/guides/what-is-ethereum. Ac-
cessed: 2012-01-30.
[3] Hacking, Distributed: Scanning live Ethereum con-
tracts for the ”unchecked-send” bug, author= Wen,
Zikai Alex and Miller, Andrew, year = 2016, howpub-
lished = ://hackingdistributed.com/2016/06/16/scanning-
live-ethereum-contracts-for-bugs/.
[4] thedao hack faq. https://ethereum.
stackexchange.com/questions/6183/
thedao-hack-faq-how-did-the-attack-happen-on-17-june-2016.
Accessed: 2016-06-17.
[5] ATZEI , N., BARTOLETTI , M., AND C IMOLI , T. A sur-
vey of attacks on ethereum smart contracts. Tech. rep.
[6] BARTOLETTI , M., AND P OMPIANU , L. An empirical
analysis of smart contracts: platforms, applications, and
design patterns. CoRR abs/1703.06322 (2017).
[7] B HARGAVAN , K., D ELIGNAT-L AVAUD , A., F OURNET,
C., G OLLAMUDI , A., G ONTHIER , G., KOBEISSI , N.,
K ULATOVA , N., R ASTOGI , A., S IBUT-P INOTE , T.,
S WAMY, N., AND Z ANELLA -B ÉGUELIN , S. Formal ver-
ification of smart contracts: Short paper. In Proceedings
of the 2016 ACM Workshop on Programming Languages
and Analysis for Security (New York, NY, USA, 2016),
PLAS ’16, ACM, pp. 91–96.
[8] C ONSEN S YS. Smart contract best prac-
tices. https://github.com/ConsenSys/
smart-contract-best-practices#
eng-techniques, 2017.
[9] E THEREUM. Security considerations. http:
//solidity.readthedocs.io/en/develop/
security-considerations.html, 2015–2017.
[10] J OHNSON , N. evmdis. https://github.com/
Arachnid/evmdis, 2016–2017.
[11] L UU , L., C HU , D.-H., O LICKEL , H., S AXENA , P.,
AND H OBOR , A. Making smart contracts smarter. In
Proceedings of the 2016 ACM SIGSAC Conference on
Computer and Communications Security (New York, NY,
USA, 2016), CCS ’16, ACM, pp. 254–269.
[12] W OOD , G. Ethereum: A secure decentralised generalised
transaction ledger. Ethereum Project Yellow Paper 151
(2014).
10
Appendix of Live Contract Gas and Value
Histograms
11
12