
Report: 34,100 Vulnerable Ethereum Smart Contracts

A scan of almost one million Ethereum smart contracts has found 34,100 vulnerable contracts that could be exploited to steal Ether. Some of the flaws even let an attacker freeze or destroy the assets held in contracts they do not own.

For the typical user unfamiliar with the world of cryptocurrencies: a smart contract is a set of coded operations that execute automatically when a user sends an input (a transaction) to the contract.

An example of what a smart contract can look like is as follows:

Take for example an Ethereum smart contract that is used to auction a digital object.
This contract has a variable “y” that counts the number of bids made on the object. The owner may want to keep the bidding open for a while and therefore might set a contract condition of “y > 100” before permitting the object to be sold to the highest bidder.
Once this condition is met, the smart contract automatically initiates an Ether transaction with the selected winner and then releases a sale order for the object.

Smart contracts are just one of the many reasons why the Ethereum network and its underlying cryptocurrency, known as Ether, are so well known. Smart contracts power most of today’s Initial Coin Offerings (ICOs), and they also run several other Ethereum-based services and tools.

Smart Contracts Are Code

Smart contracts are just like any other piece of code and can (and sometimes will) contain bugs and vulnerabilities that may be exploited.

A hacker exploited one such bug in 2016 to steal over $60 million worth of Ether from the TheDAO organization.

This bug in the code was the catalyst for researchers from the National University of Singapore to begin looking for bugs in other Ethereum smart contracts.

In 2016 they created a tool called Oyente that scans Ethereum smart contracts for bugs.

The researchers initially used Oyente to analyze 19,376 Ethereum smart contracts, finding that 8,133 were vulnerable.

That line of research did not get much media attention, and the team’s warning about the way most smart contracts were being coded was largely ignored.

The research team set its sights back on scanning for vulnerable Ethereum smart contracts last fall, however, when someone exploited a smart contract bug to toy with users’ Ether funds.

The incident happened last November, when a GitHub user calling themselves Devops199 unintentionally locked over $275 million worth of Ether inside Parity wallets using a bug they had found.

This incident alone drove the researchers to develop a new tool for analyzing smart contracts. Dubbed Maian, the new tool scans for more classes of flaw and is built for what is known as “at-scale scanning”.

The six-person team used Maian to analyze a whopping 978,898 smart contracts, with the following results:

Scan results

Greedy contracts – smart contracts that can be locked by someone else, freezing the funds inside them forever.
Prodigal contracts – smart contracts that, when attacked, hand over their funds to the wrong Ethereum address.
Suicidal contracts – smart contracts that can be killed by someone other than the owner.
The results show that three and a half percent of the scanned contracts are affected by a severe vulnerability that could help attackers steal funds or freeze users’ Ether.
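The three classes above, shown as minimal Solidity contracts. This is an added, constructed example and not code from the article, the Maian paper or any scanned contract; it assumes a Solidity 0.8 compiler and illustrates the defect classes next to one guarded wallet that avoids all three.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Greedy: accepts Ether but has no function that can ever send it out.
contract GreedyVault {
    receive() external payable {}
}

// Prodigal and suicidal: Ether-moving entry points with no access check.
contract UnguardedWallet {
    receive() external payable {}

    // Prodigal: any caller can send the balance to any address.
    function withdrawTo(address payable to, uint256 amount) external {
        to.transfer(amount);
    }

    // Suicidal: any caller can destroy the contract and take the balance.
    function kill(address payable heir) external {
        selfdestruct(heir);
    }
}

// Hardened form: the deployer is recorded as owner, every Ether-moving
// entry point is restricted to the owner, and Ether only ever goes to
// the owner, so none of the three defect classes above applies.
contract GuardedWallet {
    address public immutable owner;

    constructor() payable { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    receive() external payable {}

    function withdraw(uint256 amount) external onlyOwner {
        (bool ok, ) = payable(owner).call{value: amount}("");
        require(ok, "transfer failed");
    }

    // selfdestruct is deprecated in recent Solidity and its semantics changed
    // with EIP-6780; kept only to mirror the contracts the scan examined.
    function kill() external onlyOwner {
        selfdestruct(payable(owner));
    }
}
```

An analyzer in the spirit of Maian flags UnguardedWallet because an arbitrary sender can reach `transfer` or `selfdestruct`, and flags GreedyVault because no execution path ever moves Ether out; GuardedWallet has a withdrawal path and gates it on `msg.sender`.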

As in 2016, the research team is now warning people about the dangers of trusting smart contracts a bit too much, and it suggests that users run smart-contract analysis software to scan for flaws before placing their funds inside a contract.

If you’re searching for a tool for scanning Ethereum smart contracts, there is also Mythril, which is unrelated to the NUS team’s work on Maian and Oyente.

Olé Crypto,

CBNN
