- November 15, 2021
- By Cyberarch Admin
Smart Contracts in Blockchain is fast emerging as one of the most innovative technologies today. It is a method to conduct business transactions or exchanging money, property or shares which are fast, secured, cost-effective and efficient than general contracts in specific fields. One of the major highlights of smart contracts is that it doesn’t involve a middleman or a third party. In other words, negotiations of an agreement are enforced and ascertained without the need of someone like a lawyer. The most popular smart contracts platform in the world today is Ethereum.
However, like many latest technologies used today across the world, there are new and unseen security vulnerabilities that come to the fore every day. Smart contracts utilize program code for laying down the terms and conditions, specifications and other aspects between a buyer and a seller. Also, the contract is self-executed with the help of programming. But due to poor coding or programming practices, there are possibilities for flaws to occur that can be exploited by cybercriminals. Also, the smart contracts are stored in Blockchain which means that their security depends upon the protocols set for it.
According to reports, Ethereum has more than 32,000 smart contracts which are vulnerable to hacking. Another study points out that one in twenty smart contracts is at risk of getting compromised. Till today, several big and small security threats, failures and related losses are reported. Experts estimate that more than 2 billion dollars have been stolen by hackers since 2017. This is because fixing a bug in the Blockchain is a daunting task, unlike in software which can be repaired easily with a security patch. One of the major incidents occurred in 2017 and was known as Parity Bug, where someone exploited the code of a multi-signature wallet. As a result, over 280 million US dollars was reportedly lost.
What makes smart contracts so vulnerable?
Smart contracts have a security model, which is very similar to the model embraced by open-source and free software as all the programmed code is made public. At the same time, the common public is encouraged to discover and report bugs in it. However, one of the big differences is that security bugs in smart contracts often cause vulnerabilities that have serious financial implications. It makes attacking smart contracts even more attractive as malicious users can make immediate financial gains.
Smart Contract Attack Vectors
Bugs often impact users financially by stealing, locking it up or miscounted. But besides bug, smart contract developers are one of the main players who end up being fraudulent. They intentionally place bugs in the code. Thereafter, they promote the platform and finally disappear with the users’ funds collected. Thus, the contract developers are major threat actors.
Another factor that is often associated with smart contracts is that code is immutable. Of course, it is good that codes cannot be changed, which assures users about future interactions. But it would also mean bugs in the code will remain in perpetuity. Additionally, there are non-bug attacks that are a result of fast innovations happening in this field. It leads to protocol attacks as well as smart contract hacks.
Common Vulnerabilities in Smart Contracts
After studying a large number of smart contracts, researchers and experts have realized vulnerabilities that are most common. In this blog, you can find out some of the typical vulnerabilities found in Ethereum smart contracts based on Solidity.
Re-entrancy is one of the popular factors that cause smart contract vulnerabilities. This type of vulnerability was exploited in the infamous “The DAO” attack which is well-known in the industry. So, how does that happen? When a contract calls a function in another contract, the process involves blocking of caller’s execution until the call returns. It opens the window for the callee, who might be a malicious actor, to exploit this intermediate state.
2. Transaction-Ordering Dependence
In smart contracts, multiple users have the ability to invoke functions in the same contract. For example, users may be able to change the price in the digital marketplace. However, such options can create vulnerabilities as the order in which their calls are executed is unknown. This uncertainty can cause trouble. For example, when someone changes the price before another user performs buying transaction is executed.
3. Denial of Service
If a user performs a function that involves sending ether using transfer or when the user decides to make a high-level function call to another contract, then the recipient contract has the option to block the execution by putting an exception always. It is another vulnerability that is consistently observed in smart contracts.
Smart contracts can end up in a deadlock state where the users might not be able to perform any function from the contract. Now this state can be caused by accident. Also, such a state can occur due to the adversarial action of malicious users.
5. Timestamp Dependence
In Ethereum, clocks are used for the execution of smart contracts. This can be exploited by malicious users by altering the clock and choosing the timestamp of a block arbitrarily. This is a certain vulnerability that is exposed in contracts where the accuracy of the clock is essential for working of the contract.
6. Mishandled Exceptions
Functions in smart contracts are called differently. Now depending on how they are called, an exception in the callee is sometimes propagated to the caller and sometimes not. Due to this inconsistent propagation policy developers can miss handling exceptions in callee contracts. Technically, smart contracts can be secured using a typical mechanism used for traditional software. Best practises involve writing secure code robust enough to defend itself from potential attackers. Testing the code should be proper and essential to secure software.
The security approach to smart contracts, as experts suggest, is to be proactive. Although developers are quick to react and fix the damage, prevention is a far better approach. A comprehensive and detailed approach that can be applied in real world scenarios is the need of the hour.
Blockchain solutions contain nodes and application programs interfaces that are in public and private networks. It is essential to note here that nodes are communication entities that generally run on the user’s infrastructure and network. Thus, it requires security controls, vulnerability assessment, patches and penetration testing. Moreover, security contracts in Blockchain are transparent in nature, and their source code is available in the public domain. Thus, the benefit of attacking such a system is more appealing and makes it more vulnerable.
Penetration testing is carried out by having a mindset of a potential hacker, and its approach is to exploit the coding errors. The process involves breaking into the network and analyzing and reporting all the security loopholes present. Depending on the size of the network and the complex architecture, penetration test may take time to complete. However, penetration testing should be an ongoing process focused on testing the whole system and security issues. Some of the objectives of penetration testing would be:
- Identifying vulnerabilities
- Identifying potential errors
- Improving security on the technical level
- Increasing security on organization level
Penetration Testing Guide
Best practices must be followed while conducting penetration testing of smart contracts. First of all, it is important to provide a legal disclaimer which states that the process is to find security vulnerabilities and necessary solutions rather than to provide guarantees. Secondly, explain how rigorous would the process be and how the authorities should be aware of the consequences from a security perspective. Thereafter, conduct manual and automated attack vulnerability tests and analyse whether any such attacks will affect the smart contracts.
In the third step, you can discuss the severe vulnerabilities and suggest possible fixes for the same. Also, there may be areas that may not be of immediate concern but needs to be in the loop to prevent further damage due to it. Additionally, all complexities even in minute forms regarding nodes, codes, performance or network, need to be detailed. A comprehensive audit report will be submitted.
The next step would include analysing preparation in the event of failures such as bug or vulnerability. How to respond to an attack, measures to be taken, how much money is at risk and so on. It would be the right time to ask if all tools and libraries are updated to their latest versions. If not, updating to the latest patches would be helpful. Also, if a smart contract is not tested previously, a high level of scrutiny should follow to discover any possible vulnerability.
Ideally, all the recommendations should be implemented and if time permits, a follow-up discussion or audit is the best practice to ensure no vulnerabilities are present anymore. It is always advised to partner with a professional penetration testing team from outside who can detect possible flaws using their fresh perspective. They will be able to optimize and fix the issues as well. To quicken the process, offering a bug bounty will be beneficial. As the usage of smart contracts grows, it will be of paramount importance to boost its security. Regular penetration testing will be of immense help.