34,200 Ethereum Contracts Vulnerable to Hackers, Containing Millions in Ether

Sat, 02/24/2018 - 21:35
David Dinkins
Researchers have found more than 34,000 Ethereum smart contracts that are vulnerable to hackers, potentially putting tens of millions of dollars at risk.

Over 34,000 of Ethereum’s smart contracts — containing tens of millions of dollars — are vulnerable to hackers, according to researchers. Ilya Sergey, assistant professor at University College London, has co-authored a paper with colleagues from the National University of Singapore outlining the vulnerabilities.

In the beginning

Sergey’s interest in smart contract security began with the revelation last year that a hacker calling himself “devops199” had exploited a vulnerability in order to make himself the “owner” of a library used by a number of Ethereum wallets, including the popular Parity wallet. devops199 wasn’t able to steal users’ funds, but by deleting the critical library, he was able to lock the funds up forever and prevent their release. Ethereum users lost $150 mln as a result of this attack.

Amazingly, Parity knew of the flaw months before the attack, and chose not to fix it. The fix that would have kept $150 mln in users’ funds from getting forever locked was considered a “convenience enhancement.”
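The pattern behind the Parity incident, as an added illustration that is not code from the article or from Parity: a shared library whose initialiser can be called by anyone, beside a hardened version that claims its own storage at deployment and has no self-destruct path. Contract and function names are hypothetical and simplified.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Vulnerable pattern (simplified illustration, not Parity's actual code):
// the initialiser can be called by anyone at any time, so a stranger can
// become owner of the shared library and then destroy it.
contract SharedWalletLibVulnerable {
    address public owner;
    function initWallet(address _owner) public {   // no "already set" check
        owner = _owner;
    }
    // selfdestruct is deprecated in recent compilers; kept to mirror the incident.
    function kill(address payable to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);
    }
}

// Hardened pattern: the library claims its own storage at deployment, the
// initialiser is one-shot, and there is no self-destruct path at all.
contract SharedWalletLibHardened {
    address public owner;
    bool private initialised;
    constructor() {
        owner = msg.sender;
        initialised = true;       // shared code can never be claimed later
    }
    // A wallet delegatecalling here writes its own slots, so each wallet is
    // initialised exactly once and the library's own slots stay untouched.
    function initWallet(address _owner) public {
        require(!initialised, "already initialised");
        owner = _owner;
        initialised = true;
    }
}

// Each wallet holds its own funds but borrows all logic from the library.
// If the library has been destroyed, delegatecall to an address with no code
// still returns success while doing nothing, which is how funds get stuck.
contract Wallet {
    address public owner;         // slot layout must match the library
    bool private initialised;
    address public immutable lib;
    constructor(address _lib) { lib = _lib; }
    receive() external payable {}
    fallback() external payable {
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "library call failed");
    }
}
```

A review check that follows from this: any function that assigns an owner or destroys a contract must be unreachable once the contract is initialised, and shared library code should be initialised in its own constructor.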

“Like a vending machine”

Researchers wanted to analyze Ethereum’s entire Blockchain to find which other smart contracts were vulnerable to hackers. They wanted to do so at scale, and they didn’t have access to the source code of every smart contract on the network. So Sergey came up with a clever idea: he’d clone the entire Ethereum Blockchain, essentially making a private fork of the network. This would allow him to execute attacks, see how the smart contracts reacted, and tweak his methods.

Sergey compared his research to deciphering a vending machine’s operations. He told Vice’s Motherboard:

Imagine your goal isn’t to interact with the vending machine in a proper way, but rather you want to break it or get it to serve you for free. Assume we put a few coins in the machine, and just start randomly pushing buttons hoping that the inner workings of the vending machine — which we have no knowledge about, springs and whatnot — eventually release the latch so you can take the candy.

The researchers poked and prodded at over 1 mln smart contracts, and when one didn’t behave as expected, they flagged it for further research. Ultimately they discovered 34,200 contracts that were exploitable. A deeper examination of 3,000 of these contracts revealed they held $6 mln in Ether. That means the total amount of Ether at stake could be in the tens of millions of dollars.

Sergey said his researchers tried to find the owners of the vulnerable contracts to warn them, but have not been able to locate them. For now, the funds are safe. Sergey says:

If someone wants to exploit this idea, they’ll have to do at least as much work as we did.

About the author

David Dinkins is a freelance writer who holds a Master of Arts in history from Louisiana Tech University and has extensive teaching experience both at LSU – Shreveport and University of Phoenix. He got involved with cryptocurrency in early 2014 working as part of the Dash Core Team and has served in the role of writer/editor (mostly editor) during that time. He has edited a huge number of documents for the Core Team, including the Evolution whitepaper, the PrivateSend whitepaper, and many of Evan Duffield’s communications with the Dash Community.