Blockchain smart contracts aren’t as secure as you might think

ITEM: Researchers say they have found vulnerabilities in tens of thousands of smart contracts used in the Ethereum blockchain.

The Ethereum blockchain has proven to be vulnerable in the past, from the $50 million Decentralized Autonomous Organization (DAO) heist in 2016 to two problems last year involving Parity, a multisignature wallet app based on Ethereum – one intentional, the other allegedly accidental.

However, late last month, computing experts from the National University of Singapore (NUS), Yale-NUS College and University College London published a research paper indicating that the scope of the problem may be much bigger.

The research team developed a special tool to analyze Ethereum smart contracts – and found a lot of holes, reports Futurism:

The group analyzed roughly one million smart contracts using a custom-built tool called MAIAN. The team was looking for contracts attackers could manipulate to lock funds indefinitely, force to leak funds randomly, or simply kill.

Their analysis tool flagged 34,200 contracts. It even found the flaw in the Parity blockchain app that rendered $169 million worth of ether inaccessible to owners back in July 2017. The team then manually analyzed 3,759 contracts and found they could exploit vulnerabilities in 3,686 of them.

On the bright side, reports Motherboard, co-author Ilya Sergey – an assistant professor of computer science at University College London – says anyone aiming to exploit the smart contract vulnerabilities would have to replicate the entire study, which actually involved a lot of work and treated Ethereum like a vending machine:

“Imagine your goal isn’t to interact with the vending machine in a proper way, but rather you want to break it or get it to serve you for free,” Sergey said over the phone. “Assume we put a few coins in the machine, and just start randomly pushing buttons hoping that the inner workings of the vending machine—which we have no knowledge about, springs and whatnot—eventually releases the latch so you can take the candy.”

What this meant in practice was downloading a copy of the entire Ethereum blockchain up to a certain point (essentially, creating a private fork) and running it locally, executing many different permutations of interactions with all the smart contracts live on the blockchain at the time of the fork. When an undesired action emerged in one of the contracts as the result of a chain of instructions—the researchers call this a “trace vulnerability”—they flagged it.
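To make the three contract classes described above concrete, here is an added illustration in Solidity that is not code from the paper, from MAIAN or from Parity: hypothetical contracts showing the weak form beside a hardened form, with all contract and function names being assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract showing two of the classes MAIAN flags: "suicidal"
// (anyone can kill it) and "prodigal" (anyone can make it send funds away).
contract VulnerableWallet {
    address public owner;

    // Weak: callable by anyone, any number of times, so the first caller
    // (or the next one) becomes owner.
    function initWallet(address _owner) public {
        owner = _owner;
    }

    receive() external payable {}

    // Weak: no ownership check, so any caller can destroy the contract and
    // redirect its balance, leaving the contract unusable for everyone else.
    function kill(address payable to) public {
        selfdestruct(to);
    }

    // Weak: no ownership check, so any caller can drain the balance.
    function pay(address payable to, uint256 amount) public {
        to.transfer(amount);
    }
}

// Hypothetical "greedy" contract: it accepts ether but exposes no code path
// that can ever send it out, so deposits are locked indefinitely.
contract GreedyVault {
    receive() external payable {}
}

// Hardened form: owner is fixed at deployment, every fund-moving path is
// owner-gated, and no self-destruct path exists at all.
contract HardenedWallet {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    receive() external payable {}

    function pay(address payable to, uint256 amount) external onlyOwner {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A trace-based tool of the kind the paper describes would flag VulnerableWallet because a short sequence of calls from an arbitrary address (initWallet, then kill or pay) changes who controls the funds, and GreedyVault because no call sequence at all can move funds out.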

Still, it’s not hard to imagine that there are bad actors out there who won’t mind working up a sweat to dig up smart contracts with vulnerabilities.

In any case, the report isn’t that surprising in the sense that nothing connected to the internet is 100% hack-proof. Eventually, some bright spark will find a hole and exploit it. Blockchain is no different, despite all the hype about it being a safe and trustworthy way to handle decentralized transactions.

That’s no reason to avoid blockchain, of course – if we shunned every app or device that was potentially hackable, we might as well shut off the internet and return to the good old days of carrier pigeons and sneakernet. But with blockchain drawing a lot of interest both inside and outside the FinTech arena, CXOs shouldn’t take blockchain security for granted.
