
A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses

Published: 12 June 2020

Abstract

Blockchain technology is believed by many to be a game changer in many application domains. While the first generation of blockchain technology (i.e., Blockchain 1.0) is almost exclusively used for cryptocurrency, the second generation (i.e., Blockchain 2.0), as represented by Ethereum, is an open and decentralized platform enabling a new paradigm of computing—Decentralized Applications (DApps) running on top of blockchains. The rich applications and semantics of DApps inevitably introduce many security vulnerabilities, which have no counterparts in pure cryptocurrency systems like Bitcoin. Since Ethereum is a new, yet complex, system, it is imperative to have a systematic and comprehensive understanding of its security from a holistic perspective, which was previously unavailable in the literature. To the best of our knowledge, the present survey, which can also be used as a tutorial, fills this void. We systematize three aspects of Ethereum systems security: vulnerabilities, attacks, and defenses. We draw insights into vulnerability root causes, attack consequences, and defense capabilities, which shed light on future research directions.

Supplementary Material

a67-chen-apndx.pdf (chen.zip)
Supplemental movie, appendix, image and software files for A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses

References

[1]
Ittay Eyal and Emin Gün Sirer. 2014. How to disincentivize large Bitcoin mining pools. Retrieved from http://hackingdistributed.com/2014/06/18/how-to-disincentivize-large-bitcoin-mining-pools/.
[2]
Fabian Vogelsteller and Vitalik Buterin. 2015. ERC-20 Token Standard|Ethereum Improvement Proposals. Retrieved from https://eips.ethereum.org/EIPS/eip-20.
[3]
Least Authority. 2015. Ethereum Analysis: Gas Economics and Proof of Work. Retrieved from https://github.com/LeastAuthority/ethereum-analyses.
[4]
Ethereum Community Forum. 2015. Formal Verification for Solidity Contracts. Retrieved from https://forum.ethereum.org/discussion/3779/formal-verification-for-solidity-contracts.
[5]
Phil Daian. 2016. Analysis of the DAO exploit. Retrieved from http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/.
[6]
Vitalik Buterin. 2016. EIP-150, gas cost changes for IO-heavy operations. Retrieved from https://github.com/ethereum/EIPs/blob/master/EIPS/eip-150.md.
[7]
Vitalik Buterin. 2016. EIP-155, simple replay attack protection. Retrieved from https://github.com/ethereum/EIPs/blob/master/EIPS/eip-155.md.
[8]
Gavin Wood. 2016. EIP-161, state trie clearing. Retrieved from https://github.com/ethereum/EIPs/blob/master/EIPS/eip-161.md.
[9]
Joris Bontje. 2016. How can I securely generate a random number in my smart contract? Retrieved from https://ethereum.stackexchange.com/questions/191/how-can-i-securely-generate-a-random-number-in-my-smart-contract.
[10]
Alyssa Hertig. 2016. Rise of Replay Attacks Intensifies Ethereum Divide—CoinDesk. Retrieved from https://www.coindesk.com/rise-replay-attacks-ethereum-divide.
[11]
Vitalik Buterin. 2016. Transaction spam attack: Next Steps. Retrieved from https://blog.ethereum.org/2016/09/22/transaction-spam-attack-next-steps/.
[12]
Peter Vessenes. 2016. Tx.Origin And Ethereum Oh My! Retrieved from https://vessenes.com/tx-origin-and-ethereum-oh-my/.
[13]
Matt Suiche. 2017. The $280M Ethereum’s Parity bug—Comae Technologies. Retrieved from https://blog.comae.io/the-280m-ethereums-bug-f28e5de43513.
[14]
Nooku. 2017. Exploit with ERC20 token transactions from exchanges. Retrieved from https://www.reddit.com/r/ethereum/comments/63s917/worrysome_bug_exploit_with_erc20_token/dfwmhc3/.
[15]
Ethererik. 2017. GovernMental’s 1100 ETH jackpot payout is stuck because it uses too much gas. Retrieved from https://www.reddit.com/r/ethereum/comments/4ghzhv/governmentals_1100_eth_jackpot_payout_is_stuck/.
[16]
Haseeb Qureshi. 2017. A hacker stole $31M of Ether—How it happened, and what it means for Ethereum. Retrieved from https://medium.freecodecamp.org/a-hacker-stole-31m-of-ether-how-it-happened-and-what-it-means-for-ethereum-9e5dc29e33ce.
[17]
Paweł Bylica. 2017. How to Find $10M Just by Reading the Blockchain. Retrieved from https://medium.com/golem-project/how-to-find-10m-by-just-reading-blockchain-6ae9d39fcd95.
[18]
Lorenz Breidenbach, Phil Daian, Ari Juels, and Emin Gün Sirer. 2017. An In-Depth Look at the Parity Multisig Bug. Retrieved from http://hackingdistributed.com/2017/07/22/deep-dive-parity-bug/.
[19]
Santiago Palladino. 2017. The Parity Wallet Hack Explained. Retrieved from https://blog.zeppelin.solutions/on-the-parity-wallet-multisig-hack-405a8c12e8f7.
[20]
Vbuterin. 2017. A state clearing FAQ. Retrieved from https://www.reddit.com/r/ethereum/comments/5es5g4/a_state_clearing_faq/?st=iw2e1mwo8sh=fa77688depth=1.
[21]
X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen. 2020. A survey on the security of blockchain systems. Future Gen. Comput. Syst. 107 (2020), 841--853.
[22]
Lorenz Breidenbach, Phil Daian, Ari Juels, and Florian Tramèr. 2017. To Sink Frontrunners, Send in the Submarines. Retrieved from http://hackingdistributed.com/2017/08/28/submarine-sends/.
[23]
Crypto Panda. 2018. The $3 Million Winner of Fomo3D Is Still Playing to Win—Longhash. Retrieved from https://www.longhash.com/news/the-3-million-winner-of-fomo3d-is-still-playing-to-win.
[24]
Cornell Blockchain. 2018. Bamboo. Retrieved from https://github.com/pirapira/bamboo.
[25]
Common Vulnerabilities and Exposures. 2018. BatchOverflow. Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10299.
[26]
Louis Poinsignon. 2018. BGP leaks and cryptocurrencies. Retrieved from https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/.
[27]
SlowMist. 2018. Billions of Tokens Theft Case cause by ETH Ecological Defects. Retrieved from https://mp.weixin.qq.com/s/ia9nBhmqVEXiiQdFrjzmyg.
[28]
Mihail Sotnichek. 2018. EOS Smart Contract Vulnerabilities in Detail. Retrieved from https://www.apriorit.com/dev-blog/553-eos-smart-contract-vulnerability.
[29]
ChainSecurity AG. 2018. ChainSecurity Chaincode Scanner. Retrieved from https://chaincode.chainsecurity.com/.
[30]
Adrian Manning. 2018. Comprehensive list of known attack vectors and common anti-patterns. Retrieved from https://github.com/sigp/solidity-security-blog.
[31]
Vaibhav Saini. 2018. ContractPedia: An Encyclopedia of 40+ Smart Contract Platforms. Retrieved from https://hackernoon.com/contractpedia-an-encyclopedia-of-40-smart-contract-platforms-4867f66da1e5.
[32]
Common Vulnerabilities and Exposures. 2018. CVE-2018-10299. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2018-10299.
[33]
Block.one. 2018. EOS.IO Technical White Paper v2. Retrieved from https://github.com/EOSIO/Documentation/blob/master/TechnicalWhitePaper.md.
[34]
Georgios Konstantopoulos. 2018. How to Secure Your Smart Contracts: 6 Solidity Vulnerabilities and how to avoid them (Part 2). Retrieved from https://medium.com/loom-network/how-to-secure-your-smart-contracts-6-solidity-vulnerabilities-and-how-to-avoid-them-part-2-730db0aa4834.
[35]
Arseny Reutov. 2018. Predicting Random Numbers in Ethereum Smart Contracts. Retrieved from https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620.
[36]
Zhenxuan Bai. 2018. Replay Attacks on Ethereum Smart Contracts. Retrieved from https://github.com/nkbai/defcon26/tree/master/docs.
[37]
OpenZeppelin. 2018. SafeMath. Retrieved from https://github.com/OpenZeppelin/openzeppelin-solidity/blob/master/contracts/math/SafeMath.sol.
[38]
Bernhard Mueller. 2018. Safety tips. Retrieved from https://github.com/ethereum/wiki/wiki/Safety#favor-pull-over-push-for-external-calls.
[39]
Ethereum community. 2018. Solidity 0.5.0 documentation. Retrieved from https://solidity.readthedocs.io/en/v0.5.0/050-breaking-changes.html.
[40]
Ethereum community. 2018. Solidity Version 0.4.22. Retrieved from https://github.com/ethereum/solidity/releases/tag/v0.4.22.
[41]
Stefan Beyer. 2018. Storage Allocation Exploits in Ethereum Smart Contracts. Retrieved from https://medium.com/cryptronics/storage-allocation-exploits-in-ethereum-smart-contracts-16c2aa312743.
[42]
Martin Derka. 2018. What We Learned from Fomo3D. Retrieved from https://medium.com/@martinderka.
[43]
Zhenxuan Bai, Yuwei Zheng, Senhua Wang, and Kunzhe Chai. 2018. You may have paid more than you imagine. Retrieved from https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Bai2.
[44]
The Coq development team. 2019. The Coq Proof Assistant. Retrieved from https://coq.inria.fr/.
[45]
SlowMist. 2019. EOS DApp hack events. Retrieved from https://hacked.slowmist.io/en/?c=EOS%20DApp.
[46]
SlowMist. 2019. EOS smart contract development security best practices. Retrieved from https://github.com/slowmist/eos-smart-contract-security-best-practices.
[47]
Alex Lielacher. 2019. ETC 51 % attack. Retrieved from https://bravenewcoin.com/insights/etc-51-attack-what-happened-and-how-it-was-stopped.
[48]
Ethereum community. 2019. Ethereum 2.0 specifications. Retrieved from https://github.com/ethereum/eth2.0-specs.
[49]
ConsenSys Diligence. 2019. Ethereum Smart Contract Best Practices. Retrieved from https://consensys.github.io/smart-contract-best-practices/.
[50]
Felix Lange, Guillaume Ballet, and Antoine Toulme. 2019. Ethereum Wire Protocol (ETH). Retrieved from https://github.com/ethereum/devp2p/blob/master/caps/eth.md.
[51]
MythX development team. 2019. Mythril. Retrieved from https://github.com/ConsenSys/mythril.
[52]
Franz Volland and Florian Blum. 2019. Oracle. Retrieved from https://github.com/fravoll/solidity-patterns/blob/master/docs/oracle.md.
[53]
Yaning Zhang and Youcai Qian. 2019. RANDAO: A DAO working as RNG of Ethereum. Retrieved from https://github.com/randao/randao.
[54]
MythX development team. 2019. Smart Contract Weakness Classification and Test Cases. Retrieved from https://smartcontractsecurity.github.io/SWC-registry/.
[55]
Vyper development team. 2019. Vyper documentation. Retrieved from https://vyper.readthedocs.io/en/latest/?badge=latest#.
[56]
Etherscan development team. 2020. Ethereum (ETH) Blockchain Explorer. Retrieved from https://etherscan.io/.
[57]
OpenEthereum. 2020. Fast and feature-rich multi-network Ethereum client. Retrieved from https://github.com/paritytech/parity-ethereum.
[58]
The go-ethereum authors. 2020. Official Go implementation of the Ethereum protocol. Retrieved from https://github.com/ethereum/go-ethereum.
[59]
State of The DApps development team. 2020. State of the DApps—DApp Statistics. Retrieved from https://www.stateofthedapps.com/stats.
[60]
J. Adler, R. Berryhill, A. Veneris, Z. Poulos, N. Veira, and A. Kastania. 2018. Astraea: A decentralized blockchain oracle. arXiv:1808.00528.
[61]
E. Albert, P. Gordillo, B. Livshits, A. Rubio, and I. Sergey. 2018. EthIR: A framework for high-level analysis of Ethereum bytecode. arXiv:1805.07208.
[62]
R. Almadhoun, M. Kadadha, M. Alhemeiri, M. Alshehhi, and K. Salah. 2018. A user authentication scheme of iot devices using blockchain-enabled fog nodes. In Proceedings of the IEEE/ACS AICCSA. IEEE, 1--8.
[63]
Sidney Amani, Myriam Bégel, Maksym Bortin, and Mark Staples. 2018. Towards verifying ethereum smart contract bytecode in Isabelle/HOL. In Proceedings of the ACM SIGPLAN CPP. ACM, 66--77.
[64]
E. Androulaki, A. Barger, V. Bortnikov, C. Cachin, K. Christidis, A. De Caro, D. Enyeart, C. Ferris, G. Laventman, and Y. Manevich. 2018. Hyperledger fabric: A distributed operating system for permissioned blockchains. In Proceedings of the EuroSys. 30.
[65]
N. Atzei, M. Bartoletti, and T. Cimoli. 2017. A survey of attacks on ethereum smart contracts (sok). In Proceedings of the POST. 164--186.
[66]
Arati Baliga. 2017. Understanding blockchain consensus models. In Persistent, Vol. 4. 1--14.
[67]
S. Bano, A. Sonnino, M. Al-Bassam, S. Azouvi, P. McCorry, S. Meiklejohn, and G. Danezis. 2017. Consensus in the age of blockchains. CoRR abs/1711.03936.
[68]
M. Bartoletti, S. Carta, T. Cimoli, and R. Saia. 2017. Dissecting Ponzi schemes on Ethereum: Identification, analysis, and impact. arXiv:1703.03779.
[69]
I. Bentov, R. Pass, and E. Shi. 2016. Snow white: Provably secure proofs of stake. IACR ePrint Arch. 2016 (2016), 919.
[70]
K. Bhargavan, A. Lavaud, C. Fournet, A. Gollamudi, G. Gonthier, N. Kobeissi, N. Kulatova, A. Rastogi, T. Pinote, N. Swamy et al. 2016. Formal verification of smart contracts: Short paper. In Proceedings of the ACM PLAS. 91--96.
[71]
F. Bobot, J. C. Filliâtre, C. Marché, and A. Paskevich. 2011. Why3: Shepherd your herd of provers. First International Workshop on Intermediate Verification Languages, pp. 53--64.
[72]
Dan Boneh, Joseph Bonneau, Benedikt Bünz, and Ben Fisch. 2018. Verifiable delay functions. In Proceedings of the CRYPTO. Springer, 757--788.
[73]
D. Boneh, B. Bünz, and B. Fisch. 2018. A survey of two verifiable delay functions. IACR ePrint Arch. 2018 (2018), 712.
[74]
J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten. 2015. SoK: Research perspectives and challenges for bitcoin and cryptocurrencies. In Proceedings of the IEEE SP. 104--121.
[75]
L. Brent, A. Jurisevic, M. Kong, E. Liu, F. Gauthier, V. Gramoli, R. Holz, and B. Scholz. 2018. Vandal: A scalable security analysis framework for smart contracts. arXiv:1809.03981.
[76]
Vitalik Buterin. 2014. Slasher: A punitive proof-of-stake algorithm. Ethereum Blog. Retrieved from https://blog. ethereum. org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm.
[77]
Vitalik Buterin and Virgil Griffith. 2017. Casper the friendly finality gadget. arXiv preprint arXiv:1710.09437.
[78]
Christian C. and Marko V.2017. Blockchain consensus protocols in the wild. CoRR abs/1707.01873.
[79]
J. Chang, B. Gao, H. Xiao, J. Sun, and Z. Yang. 2018. sCompile: Critical path identification and analysis for smart contracts. arXiv:1808.00624.
[80]
D. Chaum. 1982. Blind signatures for untraceable payments. In Proceedings of the CRYPTO.199--203.
[81]
H. Chen, J. Cho, and S. Xu. 2018. Quantifying the security effectiveness of firewalls and DMZs. In Proceedings of the HoTSoS. 9:1--9:11.
[82]
T. Chen, X. Li, Y. Wang, J. Chen, Z. Li, X. Luo, M. Au, and X. Zhang. 2017. An adaptive gas cost mechanism for ethereum to defend against under-priced DoS attacks. In Proceedings of the ISPEC. Springer, 3--24.
[83]
Jin-Hee Cho, Shouhuai Xu, Patrick M. Hurley, Matthew Mackay, Trevor Benjamin, and Mark Beaumont. 2019. STRAM: Measuring the trustworthiness of computer-based systems. ACM Comput. Surv. 51, 6 (2019), 128:1--128:47.
[84]
Michael Coblenz. 2017. Obsidian: A safer blockchain programming language. In Proceedings of the ICSE. 97--99.
[85]
M. Conti, E. Kumar, C. Lal, and S. Ruj. 2018. A survey on security and privacy issues of bitcoin. IEEE Communications Surveys Tutorials 20, 4 (2018), 3416--3452.
[86]
T. Cook, A. Latham, and J. Lee. 2017. Dappguard: Active monitoring and defense for solidity smart contracts. Retrieved from https://pdfs.semanticscholar.org/7438/ffd4c3b45a6d239815df377a453adfa890fa.pdf.
[87]
P. Cousot and R. Cousot. 1977. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the PoPL. 238--252.
[88]
P. Daian, I. Eyal, A. Juels, and E. Sirer. 2017. Piecework: Generalized outsourcing control for proofs of work. In Proceedings of the FC. 182--190.
[89]
P. Daian, S. Goldfeder, T. Kell, Y. Li, X. Zhao, I. Bentov, L. Breidenbach, and A. Juels. 2019. Flash Boys 2.0: Frontrunning, transaction reordering, and consensus instability in decentralized exchanges. arXiv:1904.05234.
[90]
B. David, P. Gaži, A. Kiayias, and A. Russell. 2018. Ouroboros praos: An adaptively-secure, semi-synchronous proof-of-stake blockchain. In Proceedings of the EUROCRYPT. Springer, 66--98.
[91]
E. Deirmentzoglou, G. Papakyriakopoulos, and C. Patsakis. 2019. A survey on long-range attacks for proof of stake protocols. IEEE Access 7 (2019), 28712--28725.
[92]
K. Delmolino, M. Arnett, A. Kosba, A. Miller, and E. Shi. 2016. Step by step towards creating a safe smart contract: Lessons and insights from a cryptocurrency lab. In Proceedings of the FinancialCRYPTO. 79--94.
[93]
G. Destefanis, M. Marchesi, M. Ortu, R. Tonelli, A. Bracciali, and R. Hierons. 2018. Smart contracts vulnerabilities: A call for blockchain software engineering? In Proceedings of the IEEE IWBOSE. 19--25.
[94]
Monika Di Angelo and Gernot Salzer. 2019. A survey of tools for analyzing ethereum smart contracts. In Proceedings of the DAPPCON.
[95]
Cynthia Dwork and Moni Naor. 1992. Pricing via processing or combatting junk mail. In Proceedings of the CRYPTO. 139--147.
[96]
Paul Dworzanski. A note on committee random number generation, commit-reveal, and last-revealer attacks. Retrieved from http://paul.oemm.org/commit_reveal_subcommittees.pdf.
[97]
P. Ekparinya, V. Gramoli, and G. Jourjon. 2018. Impact of man-in-the-middle attacks on ethereum. In Proceedings of the IEEE SRDS. 11--20.
[98]
Joshua Ellul and Gordon J Pace. 2018. Runtime verification of ethereum smart contracts. In Proceedings of the IEEE EDCC. 158--163.
[99]
Ittay Eyal and Emin Gün Sirer. 2018. Majority is not enough: Bitcoin mining is vulnerable. Commun. ACM 61, 7 (2018), 95--102.
[100]
M. Fischer, N. Lynch, and M. Paterson. 1985. Impossibility of distributed consensus with one faulty process. J. ACM 32, 2, 374--382.
[101]
P. Gaži, A. Kiayias, and A. Russell. 2018. Stake-bleeding attacks on proof-of-stake blockchains. In Proceedings of the CVCBT. 85--92.
[102]
A. Gervais, G. Karame, K. Wüst, V. Glykantzis, H. Ritzdorf, and S. Capkun. 2016. On the security and performance of proof of work blockchains. In Proceedings of the ACM CCS. 3--16.
[103]
Vincent Gramoli. 2020. From blockchain consensus back to byzantine consensus. Future Gen. Comput. Syst. 107 (2020), 760--769.
[104]
N. Grech, M. Kong, A. Jurisevic, L. Brent, B. Scholz, and Y. Smaragdakis. 2018. Madmax: Surviving out-of-gas conditions in ethereum smart contracts. In Proceedings of the OOPSLA. 116.
[105]
I. Grishchenko, M. Maffei, and C. Schneidewind. 2018. EtherTrust: Sound Static Analysis of Ethereum Bytecode. Technical Report. Retrieved from https://pdfs.semanticscholar.org/26c2/b7e7479336d44891aadda6b5eaae2ca2ee91.pdf.
[106]
I. Grishchenko, M. Maffei, and C. Schneidewind. 2018. Foundations and tools for the static analysis of ethereum smart contracts. In Proceedings of the ICCAV. Springer, 51--78.
[107]
I. Grishchenko, M. Maffei, and C. Schneidewind. 2018. A semantic framework for the security analysis of ethereum smart contracts. In Proceedings of the POST. Springer, 243--269.
[108]
S. Grossman, I. Abraham, G. Golan-Gueta, Y. Michalevsky, N. Rinetzky, M. Sagiv, and Y. Zohar. 2017. Online detection of effectively callback free objects with applications to smart contracts. In Proceedings of the PoPL. 48.
[109]
C. Grunspan and R. Pérez-Marco. 2019. Selfish mining and Dyck words in Bitcoin and Ethereum networks. arXiv:1904.07675.
[110]
Cyril Grunspan and Ricardo Pérez-Marco. 2019. Selfish mining in ethereum. arXiv:1904.13330.
[111]
Y. Han, W. Lu, and S. Xu. 2014. Characterizing the power of moving target defense via cyber epidemic dynamics. In Proceedings of the HotSoS’14, Vol. 10. 1--12.
[112]
D. Harz and W. Knottenbelt. 2018. Towards safer smart contracts: A survey of languages and verification methods. arXiv:1809.09805.
[113]
H. Hasan and K. Salah. 2018. Proof of delivery of digital assets using blockchain and smart contracts. IEEE Access 6, 65439--65448.
[114]
H. Hasan and K. Salah. 2019. Combating deepfake videos using blockchain and smart contracts. IEEE Access 7, 41596--41606.
[115]
S. Henningsen, D. Teunis, M. Florian, and B. Scheuermann. 2019. Eclipsing ethereum peers with false friends. In Proceedings of the EuroS8P. 300--309.
[116]
E. Hildenbrandt, M. Saxena, N. Rodrigues, X. Zhu, P. Daian, D. Guth, B. Moore, D. Park, Y. Zhang, and A. Stefanescu. 2018. KEVM: A complete formal semantics of the ethereum virtual machine. In Proceedings of the CSF. 204--217.
[117]
Yoichi Hirai. 2017. Defining the ethereum virtual machine for interactive theorem provers. In Proceedings of the FinancialCRYPTO. 520--535.
[118]
Y. Huang, Y. Bian, R. Li, J. Zhao, and P. Shi. 2019. Smart contract security: A software lifecycle perspective. IEEE Access 7, 150184--150202.
[119]
B. Jiang, Y. Liu, and W. Chan. 2018. Contractfuzzer: Fuzzing smart contracts for vulnerability detection. In Proceedings of the ASE. 259--269.
[120]
A. Judmayer, N. Stifter, A. Zamyatin, I. Tsabary, I. Eyal, P. Gazi, S. Meiklejohn, and E. Weippl. 2019. Pay-To-Win: Incentive Attacks on Proof-of-Work Cryptocurrencies. Technical Report. Cryptology ePrint Archive, Report 2019/775.
[121]
Sukrit Kalra, Seep Goel, Mohan Dhawan, and Subodh Sharma. 2018. Zeus: Analyzing safety of smart contracts. In Proceedings of theNDSS.
[122]
M. Khan and K. Salah. 2018. IoT security: Review, blockchain solutions, and open challenges. Future Gen. Comput. Syst. 82, 395--411.
[123]
A. Kiayias, A. Russell, B. David, and R. Oliynykov. 2017. Ouroboros: A provably secure proof-of-stake blockchain protocol. In Proceedings of the CRYPTO. 357--388.
[124]
L. Kiffer, D. Levin, and A. Mislove. 2017. Stick a fork in it: Analyzing the Ethereum network partition. In Proceedings of the ACM HotNets. 94--100.
[125]
Simon Kim. 2017. Measuring Ethereum’s Peer-to-peer Network. Ph.D. Dissertation.
[126]
S. Kim, Z. Ma, S. Murali, J. Mason, A. Miller, and M. Bailey. 2018. Measuring ethereum network peers. In Proceedings of the ACM IMC. 91--104.
[127]
James C. King. 1976. Symbolic execution and program testing. Commun. ACM 19, 7 (1976), 385--394.
[128]
Sunny King and Scott Nadal. 2012. Ppcoin: Peer-to-peer crypto-currency with proof-of-stake. Self-published Paper. Retrieved from https://www.chainwhy.com/upload/default/20180619/126a057fef926dc286accb372da46955.pdf.
[129]
A. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou. 2016. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In Proceedings of the IEEE SP. 839--858.
[130]
J. Krupp and C. Rossow. 2018. teether: Gnawing at ethereum to automatically exploit smart contracts. In Proceedings of the UsenixSecurity. 1317--1333.
[131]
Ao Li and Fan Long. 2018. Detecting standard violation errors in smart contracts. arXiv:1812.07702.
[132]
W. Li, S. Andreina, J. Bohli, and G. Karame. 2017. Securing proof-of-stake blockchain protocols. In Proceedings of the DPM CBT. 297--315.
[133]
X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen. 2017. A survey on the security of blockchain systems. Future Gen. Comput. Syst. 107 (2020), 841--853.
[134]
X. Li, P. Parker, and S. Xu. 2011. A stochastic model for quantitative security analyses of networked systems. IEEE TDSC 8, 1, 28--43.
[135]
Z. Li, D. Zou, S. Xu, H. Jin, Y. Zhu, Z. Chen, S. Wang, and J. Wang. 2018. SySeVR: A framework for using deep learning to detect software vulnerabilities. CoRR abs/1807.06756.
[136]
Z. Li, D. Zou, S. Xu, X. Ou, H. Jin, S. Wang, Z. Deng, and Y. Zhong. 2018. VulDeePecker: A deep learning-based system for vulnerability detection. In Proceedings of the NDSS.
[137]
Z. Lin, W. Lu, and S. Xu. 2019. Unified preventive and reactive cyber defense dynamics is still globally convergent. IEEE/ACM Trans. Netw. 27, 3 (2019), 1098--1111.
[138]
C. Liu, H. Liu, Z. Cao, Z. Chen, B. Chen, and B. Roscoe. 2018. ReGuard: Finding reentrancy bugs in smart contracts. In Proceedings of the ICSE. 65--68.
[139]
L. Luu, D. Chu, H. Olickel, P. Saxena, and A. Hobor. 2016. Making smart contracts smarter. In Proceedings of the ACM CCS. 254--269.
[140]
L. Luu, J. Teutsch, R. Kulkarni, and P. Saxena. 2015. Demystifying incentives in the consensus computer. In Proceedings of the ACM CCS. 706--719.
[141]
L. Luu, Y. Velner, J. Teutsch, and P. Saxena. 2017. Smartpool: Practical decentralized pooled mining. In Proceedings of the UsenixSecurity. 1409--1426.
[142]
Y. Marcus, E. Heilman, and S. Goldberg. 2018. Low-resource eclipse attacks on Ethereum’s peer-to-peer network. Retrieved from http://ljk.imag.fr/membres/Jean-Guillaume.Dumas/Enseignements/ProjetsCrypto/Ethereum/236.pdf.
[143]
A. Mavridou and A. Laszka. 2017. Designing secure ethereum smart contracts: A finite state machine based approach. arXiv:1711.09327.
[144]
Patrick McCorry, Alexander Hicks, and Sarah Meiklejohn. 2018. Smart contracts for bribing miners. In Proceedings of the FinancialCRYPTO. 3--18.
[145]
Silvio Micali. 2016. Algorand: The efficient and democratic ledger. arXiv preprint arXiv:1607.01341 (2016).
[146]
A. Miller, A. Kosba, J. Katz, and E. Shi. 2015. Nonoutsourceable scratch-off puzzles to discourage bitcoin mining coalitions. In Proceedings of the ACM CCS. 680--691.
[147]
J. Mireles, E. Ficke, J. Cho, P. Hurley, and S. Xu. 2019. Metrics towards measuring cyber agility. IEEE TIFS 14, 12 (2019), 3217--3232.
[148]
Satoshi Nakamoto. 2008. Bitcoin: A peer-to-peer electronic cash system. Retrieved from https://bitcoin.org/bitcoin.pdf.
[149]
Ryuya Nakamura, Takayuki Jimba, and Dominik Harz. 2019. Refinement and verification of CBC casper. Networks 2 (2019), 4.
[150]
C. Natoli and V. Gramoli. 2017. The balance attack or why forkable blockchains are ill-suited for consortium. In Proceedings of the IEEE/IFIP DSN. 579--590.
[151]
D. Nicol, W. Sanders, and K. Trivedi. 2004. Model-based evaluation: From dependability to security. IEEE TDSC 1, 1 (2004), 48--65.
[152]
I. Nikolić, A. Kolluri, I. Sergey, P. Saxena, and A. Hobor. 2018. Finding the greedy, prodigal, and suicidal contracts at scale. In Proceedings of the ACSAC. 653--663.
[153]
Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. 2002. Isabelle/HOL: A Proof Assistant for Higher-order Logic. Vol. 2283. Springer.
[154]
Jianyu Niu and Chen Feng. 2019. Selfish mining in Ethereum. arXiv:1901.04620.
[155]
S. Noel and S. Jajodia. 2017. A Suite of Metrics for Network Attack Graph Analytics. Springer International Publishing, Cham, 141--176.
[156]
Russell O’Connor. 2017. Simplicity: A new language for blockchains. In Proceedings of the PLAS. 107--120.
[157]
D. Park, Y. Zhang, M. Saxena, P. Daian, and G. Roşu. 2018. A formal verification tool for Ethereum VM bytecode. In Proceedings of the of ACM ESEC/FSE. ACM, 912--915.
[158]
M. Pendleton, R. Garcia-Lebron, J. Cho, and S. Xu. 2016. A survey on systems security metrics. ACM Comput. Surv. 49, 4, 62:1--62:35.
[159]
L. Quan, L. Wu, and H. Wang. 2019. EVulHunter: Detecting fake transfer vulnerabilities for EOSIO’s smart contracts at webassembly-level. arXiv:1906.10362.
[160]
A. Ramos, M. Lazar, R. H. Filho, and J. J. P. C. Rodrigues. 2017. Model-based quantitative network security metrics: A survey. IEEE Commun. Surveys Tutor. 19, 4 (2017), 2704--2734.
[161]
F. Ritz and A. Zugenmaier. 2018. The impact of uncle rewards on selfish mining in ethereum. In Proceedings of the IEEE EuroS8P. 50--57.
[162]
M. Rodler, W. Li, G. Karame, and L. Davi. 2018. Sereum: Protecting existing smart contracts against re-entrancy attacks. arXiv:1812.05934.
[163]
G. Rosu and T. Serbănută. 2010. An overview of the K semantic framework. J. Logic Algebra. Program. 79, 6 (2010), 397--434.
[164]
M. Saad, J. Spaulding, L. Njilla, C. Kamhoua, S. Shetty, D. Nyang, and A. Mohaisen. 2019. Exploring the attack surface of blockchain: A systematic overview. arXiv:1904.03487.
[165]
K. Salah, M. Rehman, N. Nizamuddin, and A. Fuqaha. 2019. Blockchain for AI: Review and open research challenges. IEEE Access 7 (2019), 10127--10149.
[166]
Jerome H. Saltzer and Michael D. Schroeder. 1975. The protection of information in computer systems. Proc. IEEE 63, 9 (1975), 1278--1308.
[167]
F. Schrans, S. Eisenbach, and S. Drossopoulou. 2018. Writing safe smart contracts in Flint. In Proceedings of the ACM on Programming Languages. ACM, 218--219.
[168]
Robert W. Sebesta. 2012. Concepts of Programming Languages. Pearson, Boston.
[169]
Ilya Sergey, Amrit Kumar, and Aquinas Hobor. 2018. Scilla: A smart contract intermediate-level language. arXiv:1801.00687.
[170]
Yonatan Sompolinsky and Aviv Zohar. 2015. Secure high-rate transaction processing in bitcoin. In Proceedings of the FinancialCRYPTO. 507--527.
[171]
Matt Suiche. 2017. Porosity: A decompiler for blockchain-based smart contracts bytecode. In Proceedings of the DEF CON. 11.
[172]
A. Suliman, Z. Husain, M. Abououf, M. Alblooshi, and K. Salah. 2018. Monetization of IoT data using smart contracts. IET Netw. 8, 1 (2018), 32--37.
[173]
N. Swamy, C. Hriţcu, C. Keller, A. Rastogi, A. Lavaud, S. Forest, K. Bhargavan, C. Fournet, P. Strub, M. Kohlweiss et al. 2016. Dependent types and multi-monadic effects in F. In ACM SIGPLAN Notices, Vol. 51. ACM, 256--270.
[174]
A. Tann, X. Han, S. Gupta, and Y. Ong. 2018. Towards safer smart contracts: A sequence learning approach to detecting vulnerabilities. arXiv:1811.06632.
[175]
S. Tikhomirov, E. Voskresenskaya, I. Ivanitskiy, R. Takhaviev, E. Marchenko, and Y. Alexandrov. 2018. Smartcheck: Static analysis of ethereum smart contracts. In Proceedings of the IEEE/ACM WETSEB. 9--16.
[176]
P. Tsankov, A. Dan, D. Cohen, A. Gervais, F. Buenzli, and M. Vechev. 2018. Securify: Practical security analysis of smart contracts. arXiv:1806.01143.
[177]
F. Tschorsch and B. Scheuermann. 2016. Bitcoin and beyond: A technical survey on decentralized digital currencies. IEEE Commun. Surveys Tutor. 18, 3 (2016), 2084--2123.
[178]
Marko Vukolić. 2017. Rethinking permissioned blockchains. In Proceedings of the ACM BCC. 3--7.
[179]
Wenbo Wang, Dinh Thai Hoang, Peizhao Hu, Zehui Xiong, Dusit Niyato, Ping Wang, Yonggang Wen, and Dong In Kim. 2019. A survey on consensus mechanisms and mining strategy management in blockchain networks. IEEE Access 7 (2019), 22328--22370.
[180]
X. Wang, X. Zha, G. Yu, W. Ni, R. Liu, Y. Guo, X. Niu, and K. Zheng. 2018. Attack and defence of ethereum remote apis. In Proceedings of the GC. IEEE, 1--6.
[181]
Benjamin Wesolowski. 2019. Efficient verifiable delay functions. In Proceedings of the EUROCRYPT. 379--407.
[182]
F. Winzer, B. Herd, and S. Faust. 2019. Temporary censorship attacks in the presence of rational miners. In Proceedings of the IEEE EuroS8PW. 357--366.
[183]
M. Wohrer and U. Zdun. 2018. Smart contracts: Security patterns in the ethereum ecosystem and solidity. In Proceedings of the IEEE IWBOSE. 2--8.
[184]
Gavin Wood. 2014. Ethereum: A secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper 151 (2014), 1--32.
[185]
Karl Wüst and Arthur Gervais. 2016. Ethereum Eclipse Attacks. Technical Report. ETH Zurich.
[186]
Y. Xiao, N. Zhang, W. Lou, and Y. Hou. 2019. A survey of distributed consensus protocols for blockchain networks. arxiv:1904.04098
[187]
M. Xu, G. Da, and S. Xu. 2015. Cyber epidemic models with dependences. Internet Math. 11, 1 (2015), 62--92.
[188]
Shouhuai Xu. 2014. Cybersecurity dynamics. In Proceedings of the HotSoS. 14:1--14:2.
[189]
Shouhuai Xu. 2014. Emergent behavior in cybersecurity. In Proceedings of the HotSoS. 13:1--13:2.
[190]
Shouhuai Xu. 2019. Cybersecurity dynamics: A foundation for the science of cybersecurity. In Proactive and Dynamic Network Defense, Zhuo Lu and Cliff Wang (Eds.). Vol. 74. Springer International Publishing, Cham, 1--31.
[191]
Shouhuai Xu, Wenlian Lu, and Li Xu. 2012. Push- and pull-based epidemic spreading in arbitrary networks: Thresholds and deeper insights. ACM Trans. Auton. Adapt. Syst. 7, 3 (2012), 32:1--32:26.
[192]
K. Yamashita, Y. Nomura, E. Zhou, B. Pi, and S. Jun. 2019. Potential risks of hyperledger fabric smart contracts. In Proceedings of the IEEE IWBOSE. 1--10.
[193]
V. Zamfir, N. Rush, A. Asgaonkar, and G. Piliouras. 2018. Introducing the “Minimal CBC Casper” Family of Consensus Protocols. Retrieved from https://github.com/cbc-casper/cbc-casper-paper/blob/master/cbc-casper-paper-draft.pdf.
[194]
G. Zeng, S. Yiu, J. Zhang, H. Kuzuno, and M. Au. 2017. A nonoutsourceable puzzle under GHOST rule. In Proceedings of the IEEE PST. 35--358.
[195]
F. Zhang, E. Cecchetti, K. Croman, A. Juels, and E. Shi. 2016. Town crier: An authenticated data feed for smart contracts. In Proceedings of the ACM CCS. 270--282.
[196]
R. Zhang, R. Xue, and L. Liu. 2019. Security and privacy on blockchain. CoRR abs/1903.07602.
[197]
R. Zheng, W. Lu, and S. Xu. 2015. Active cyber defense dynamics exhibiting rich phenomena. In Proceedings of the HotSoS. 2:1--2:12.
[198]
R. Zheng, W. Lu, and S. Xu. 2018. Preventive and reactive cyber defense dynamics is globally stable. IEEE Trans. Netw. Sci. Eng. 5, 2 (2018), 156--170.
[199]
Y. Zhou, D. Kumar, S. Bakshi, J. Mason, A. Miller, and M. Bailey. 2018. Erays: Reverse engineering Ethereum's opaque smart contracts. In Proceedings of the USENIX Security Symposium.
[200]
L. Zhu, B. Zheng, M. Shen, S. Yu, F. Gao, H. Li, K. Shi, and K. Gai. 2018. Research on the security of blockchain data: A survey. CoRR abs/1812.02009.

Published In

ACM Computing Surveys, Volume 53, Issue 3
May 2021
787 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/3403423
© 2020 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 12 June 2020
Online AM: 07 May 2020
Accepted: 01 March 2020
Revised: 01 February 2020
Received: 01 August 2019
Published in CSUR Volume 53, Issue 3

Author Tags

1. Blockchain
2. Ethereum
3. security
4. smart contract

Qualifiers

• Survey
• Research
• Refereed

Funding Sources

• ARO
• NSF CREST
• NSF
• US AFRL