A scan of almost one million Ethereum smart contracts has found 34,100 vulnerable contracts that could be exploited to steal Ether. In some of those contracts, an attacker who does not own them could even freeze or destroy the assets they hold.
For the typical user not familiar with the world of cryptocurrencies these smart contracts are a set of coded operations which get executed automatically when a user sends an input to the contract.
An example of how a smart contract can look is as follows:
Smart contracts are one of the main reasons the Ethereum network and its underlying cryptocurrency, known as Ether, are so widely known. Smart contracts power most of today's Initial Coin Offerings (ICOs), and they also run many other Ethereum-based services and tools.
Smart Contracts Are Code
Smart contracts are just like any other piece of code and can (and will) sometimes contain vulnerabilities as well as bugs that may be exploited.
A hacker exploited one bug in 2016 to steal over $60 million worth of Ether from TheDAO organization.
This bug in the code was the catalyst for researchers from the National University of Singapore to begin looking for bugs in other Ethereum smart contracts.
In 2016 they created a tool called Oyente that scans Ethereum smart contracts for bugs.
The researchers initially used Oyente to analyze 19,376 Ethereum smart contracts, finding that 8,133 were vulnerable.
That branch of research did not get much media attention and the research team’s warning regarding the manner in which most smart contracts were being coded was largely ignored.
The research team returned to scanning Ethereum smart contracts for vulnerabilities last fall, however, after someone exploited a smart contract bug to toy with users' Ether funds.
The incident happened last November, when a GitHub member calling themselves Devops199 unintentionally locked over $275 million worth of Ether inside Parity wallets using a bug they had found.
This incident alone drove the researchers to develop a new tool for analyzing smart contracts. Dubbed Maian, the new tool can scan for more classes of flaws and is also built for what is known as "at-scale scanning".
The six-person team used Maian to analyze a whopping 978,898 smart contracts, with the following results:
Suicidal contracts – smart contracts that can be killed by anyone, not just the owner.
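As an added illustration of both the "smart contracts are code" point above and the suicidal-contract class just listed (this is not code from the article or from the NUS team's Oyente or Maian work), here is a minimal Ether wallet contract, first in its suicidal form, where the kill function carries no access check, and then hardened with an owner-only modifier. The contract names, the Solidity 0.8 target and the Killed event are my own assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not code from the article or from the NUS team's tools.
// A minimal wallet: anyone can deposit Ether; the owner can withdraw it.
// It is "suicidal" in the article's sense: kill() has no access check, so any
// caller can selfdestruct the contract and send its whole balance to an address
// of their choosing, and every other holder's funds are gone.
contract SuicidalWallet {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Accept plain Ether transfers.
    receive() external payable {}

    function withdraw(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        payable(owner).transfer(amount);
    }

    // BUG: missing access control. A scanner such as Maian would flag this
    // contract as suicidal because an unprivileged path reaches selfdestruct.
    function kill(address payable to) external {
        selfdestruct(to);
    }
}

// Hardened version: the same contract, with every privileged path gated by one
// onlyOwner modifier so the access rule is defined in a single place.
contract GuardedWallet {
    address public owner;

    // Emitted on destruction so an on-chain monitor can alert on it.
    event Killed(address indexed by, address indexed to, uint256 balance);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    receive() external payable {}

    function withdraw(uint256 amount) external onlyOwner {
        payable(owner).transfer(amount);
    }

    // Only the owner may destroy the contract; the event leaves a record of who did it.
    function kill(address payable to) external onlyOwner {
        emit Killed(msg.sender, to, address(this).balance);
        selfdestruct(to);
    }
}
```

The difference between the two contracts is a single missing require check, which is exactly the kind of defect that is invisible in a code review focused on the "happy path" and that an automated scanner catches by asking whether any unprivileged call sequence reaches selfdestruct. Note that recent Solidity compilers warn that selfdestruct is deprecated, and on current Ethereum networks it no longer removes contract code outside the creating transaction, but an unguarded kill path still drains the balance.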
As in 2016, the research team is again warning people about the dangers of trusting smart contracts too readily, and it suggests that users run smart contract analysis software to scan for flaws before placing their funds inside a smart contract.
If you are looking for a tool to scan Ethereum smart contracts, there is also Mythril, which is unrelated to the NUS team's work on Maian and Oyente.