Over 34,000 of Ethereum’s smart contracts — containing tens of millions of dollars — are vulnerable to hackers, according to researchers. Ilya Sergey, assistant professor at University College London, has co-authored a paper with colleagues from the National University of Singapore outlining the vulnerabilities.
In the beginning
Sergey’s interest in smart contract security began with the revelation last year that a hacker calling himself “DevOpps199” had exploited a vulnerability in order to make himself the “owner” of a library used by a number of Ethereum wallets, including the popular Parity wallet. DevOpps199 wasn’t able to steal users’ funds, but by deleting the critical library, he was able to forever lock the funds up and prevent their release. Ethereum users lost $150 mln as a result of this attack.
Amazingly, Parity knew of the flaw months before the attack, and chose not to fix it. The fix that would have kept $150 mln in users’ funds from getting forever locked was considered a “convenience enhancement.”
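The article does not spell out the mechanism behind the takeover, so the following is an added illustration rather than Parity's code or the researchers' tooling. It is modelled on the publicly documented shape of the Parity library flaw: a shared library whose one-time initialiser could be called directly on the library contract itself, handing the caller the owner role and, with it, the ability to self-destruct code that every wallet depended on. Contract and function names (VulnerableWalletLibrary, HardenedWalletLibrary, Wallet, initWallet, kill) are placeholders chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// ---- The weak pattern (simplified, hypothetical; not Parity's source) ----
contract VulnerableWalletLibrary {
    address public owner;

    // Intended to run once per wallet via delegatecall. Nothing prevents a
    // direct call on the library contract, whose own storage was never set,
    // so any caller can become the library's "owner".
    function initWallet(address _owner) public {
        owner = _owner;
    }

    // Whoever holds owner can delete the library. Every wallet that
    // delegatecalls into it then has no code to run, locking its funds.
    // (Since EIP-6780, selfdestruct only deletes code when called in the
    // contract's creation transaction, so this path is largely historical.)
    function kill(address payable to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);
    }
}

// ---- The hardened pattern ----
contract HardenedWalletLibrary {
    address public owner;
    bool private initialised;

    // Runs in the library's own storage only (constructors are not reached
    // by delegatecall), so the library itself can never be "initialised"
    // again and nobody can claim it as owner.
    constructor() {
        initialised = true;
    }

    // Guarded initialiser: each wallet's storage starts with initialised ==
    // false, so the wallet's constructor can call this exactly once.
    function initWallet(address _owner) public {
        require(!initialised, "already initialised");
        initialised = true;
        owner = _owner;
    }

    // Deliberately no selfdestruct: shared code must not be deletable.
}

// ---- A wallet that borrows the library's logic via delegatecall ----
contract Wallet {
    // Storage layout must mirror the library exactly (slot 0 here).
    address public owner;
    bool private initialised;
    address private immutable lib; // immutables use no storage slot

    constructor(address _lib, address _owner) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address)", _owner)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    // Any other call is forwarded to the library, executing in this
    // wallet's storage context.
    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "lib call failed");
        assembly {
            return(add(ret, 32), mload(ret))
        }
    }
}
```

The defensive point is the pair of changes in HardenedWalletLibrary: locking the library's own storage in its constructor (which delegatecall never executes, so wallets are unaffected) and removing the self-destruct path entirely. A wallet that delegatecalls into the hardened library still initialises normally, because the `initialised` flag it checks lives in the wallet's storage, not the library's.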
“Like a vending machine”
Researchers wanted to analyze Ethereum’s entire Blockchain to find which other smart contracts were vulnerable to hackers. They wanted to do so at scale, and they didn’t have access to the source code of every smart contract on the network. So Sergey came up with a clever idea: he’d clone the entire Ethereum Blockchain, essentially making a private fork of the network. This would allow him to execute attacks, see how the smart contracts reacted, and tweak his methods.
Sergey compared his research to deciphering a vending machine’s operations. He told Motherboard Vice:
Imagine your goal isn’t to interact with the vending machine in a proper way, but rather you want to break it or get it to serve you for free. Assume we put a few coins in the machine, and just start randomly pushing buttons hoping that the inner workings of the vending machine — which we have no knowledge about, springs and whatnot — eventually releases the latch so you can take the candy.
The researchers poked and prodded at over 1 mln smart contracts, and when one didn’t behave as expected, they flagged it for further research. Ultimately they discovered 34,200 contracts that were exploitable. A deeper examination of 3,000 of these contracts revealed they held $6 mln in Ether. That means the total amount of Ether at stake could be in the tens of millions of dollars.
Sergey said his researchers tried to find the owners of the vulnerable contracts to warn them, but have not been able to locate them. For now, the funds are safe. Sergey says:
If someone wants to exploit this idea, they’ll have to do at least as much work as we did.