基于Ethereum智能合约的安全策略分析

doi:10.3969/j.issn.0255-8297.2021.01.013

Abstract

Abstract: A smart contract is a collection of code and data. Once a smart contract is deployed, it cannot be changed. Smart contracts have financial properties, thus, it would cause huge losses if there were vulnerabilities in smart contracts. Therefore, it is essential to write safe and reliable smart contracts. Based on the Ethereum platform, related security of smart contracts is analyzed, and several common vulnerabilities are summarized, including reentrancy vulnerabilities, integer overflow vulnerabilities, deny of service (DoS) vulnerabilities, timestamp dependence vulnerabilities, and transaction-ordering dependence vulnerabilities. We made theoretical analysis in detail and scenario recurrence on these vulnerabilities, proposed corresponding preventive security strategies, and verified the effectiveness of these strategies. Finally, we analyzed and compared several popular tools for detecting smart contract vulnerabilities.

Key words: blockchain, Ethereum, smart contract, vulnerability analysis, prevention strategy

CLC Number:

TP311

ZHANG Dengji, ZHAO Xiangfu, CHEN Zhongyu, TONG Xiangrong. Analysis of Security Strategies for Smart Contracts Based on Ethereum[J]. Journal of Applied Sciences, 2021, 39(1): 151-163.

References

[1] Nakamoto S. Bitcoin:a peer-to-peer electronic cash system[EB/OL].[2020-09-10]. https://bitcoin.org/bitcoin.pdf.
[2] Szabo N. Formalizing and securing relationships on public networks[EB/OL].[2020-09-10]. https://firstmonday.org/ojs/index.php/fm/article/view/548.
[3] Buterin V. A next-generation smart contract and decentralized application platform[EB/OL].[2020-09-10]. https://ethereum.org/en/whitepaper/.
[4] 袁勇, 王飞跃. 区块链技术发展现状与展望[J]. 自动化学报, 2016, 42(4):481-494. Yuan Y, Wang F Y. Blockchain:the state of the art and future trends[J]. Acta Automatica Sinica, 2016, 42(4):481-494. (in Chinese)
[5] Reitwiessner C, Wood G, Beregszaszi A, et al. Solidity[EB/OL].[2020-09-10]. http://solidity.readthedocs.org.
[6] Delmolino K, Arnett M, Kosba A, et al. Step by step towards creating a safe smart contract:lessons and insights from a cryptocurrency lab[C]//International Conference on Financial Cryptography and Data Security. Heidelberg, Berlin:Springer, 2016:79-94.
[7] Buterin V. Critical update Re:DAO vulnerability Ethereum blog[EB/OL].[2020-09-10]. https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/.
[8] Breidenbach L, Daian P, Juels A, et al. An in-depth look at the parity multisig bug[EB/OL].[2020-09-10]. http://hackingdistributed.com/2017/07/22/deep-dive-parity-bug/.
[9] Reitwiessner C, Wood G, Beregszaszi A, et al. Solidity's security considerations[EB/OL].[2020-09-10]. https://solidity.readthedocs.io/en/latest/security-considerations.html.
[10] Wohrer M, Zdun U. Smart contracts:security patterns in the Ethereum ecosystem and solidity[C]//2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), 2018:2-8.
[11] Giordano F, Bachfischer A, Carder G, et al. OpenZeppelin is a library for secure smart contract development[EB/OL].[2020-09-10]. https://github.com/OpenZeppelin/openzeppelincontracts.
[12] Tikhomirov S, Voskresenskaya E, Ivanitskiy I, et al. Smartcheck:static analysis of Ethereum smart contracts[C]//Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, 2018:9-16.
[13] Luu L, Chu D H, Olickel H, et al. Making smart contracts smarter[C]//Proceedings of ACM SIGSAC Conference on Computer and Communications Security, 2016:254-269.
[14] Atzei N, Bartoletti M, Cimoli T. A survey of attacks on Ethereum smart contracts (SoK)[C]//International Conference on Principles of Security & Trust. Heidelberg, Berlin:Springer, 2017:164-186.
[15] Mense A, Flatscher M. Security vulnerabilities in Ethereum smart contracts[C]//Proceedings of the 20th International Conference on Information Integration and Web-based Applications & Services, 2018:375-380.
[16] Tsankov P, Dan A, Drachsler-Cohen D, et al. Securify:practical security analysis of smart contracts[C]//Proceedings of 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018:67-82.
[17] Husikyan L, Husikyan L, Guezengar F, et al. Remix-IDE[EB/OL].[2020-09-10]. https://remix-ide.readthedocs.io/en/latest/layout.html.
[18] Yang X, Guo W S, Gao Z Y, et al. Beosin:blockchain security one-stop service[EB/OL].[2020-09-10]. https://lianantech.com/beosin/#/.
[19] Bhargavan K, Delignat-Lavaud A, Fournet C, et al. Formal verification of smart contracts:short paper[C]//Proceedings of 2016 ACM Workshop on Programming Languages and Analysis for Security, 2016:91-96.
[20] Liu C, Liu H, Cao Z, et al. Reguard:finding reentrancy bugs in smart contracts[C]//2018 IEEE/ACM 40th International Conference on Software Engineering:Companion, 2018:65-68.
[21] Zhou E, Hua S, Pi B, et al. Security assurance for smart contract[C]//20189th IFIP International Conference on New Technologies, Mobility and Security, 2018:1-5.
[22] Jiang B, Liu Y, Chan W K. ContractFuzzer:fuzzing smart contracts for vulnerability detection[C]//201833rd IEEE/ACM International Conference on Automated Software Engineering, 2018:259-269.

Analysis of Security Strategies for Smart Contracts Based on Ethereum

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments

[1]	ZHAO Yingqi, ZHU Xueyang, LI Guangyuan, GAO Ya, BAO Yulong. Verification of Smart Contracts with Time Constraints [J]. Journal of Applied Sciences, 2021, 39(1): 1-16.
[2]	FAN Junsong, CHEN Jianhai, SHEN Rui, LIU Zhenguang, HE Qinming, HUANG Butian. SGX-Based Approach for Blockchain Transactions Security and Privacy Protection [J]. Journal of Applied Sciences, 2021, 39(1): 17-28.
[3]	ZHAO Xiaoqi, LI Yong. Auditable and Traceable Blockchain Anonymous Transaction Scheme [J]. Journal of Applied Sciences, 2021, 39(1): 29-41.
[4]	ZHANG Xuewang, FENG Jiaqi, YIN Zijie, LIN Jinzhao. Trusted Query Method for Data Provenance Based on Blockchain [J]. Journal of Applied Sciences, 2021, 39(1): 42-54.
[5]	WANG Siyuan, ZOU Shihong. Blockchain and Capability Based Access Control Mechanism in Multi-domain IoT [J]. Journal of Applied Sciences, 2021, 39(1): 55-69.
[6]	ZHOU Qi, SHEN Tao, ZHU Yan, LIU Yingli. Authentication Method of Integrated Energy Management System Based on Blockchain [J]. Journal of Applied Sciences, 2021, 39(1): 70-78.
[7]	TU Yuanchao, CHEN Yuling, LI Tao, REN Xiaojun, QING Xinyi. Improved PBFT Scheme Based on Reputation Voting [J]. Journal of Applied Sciences, 2021, 39(1): 79-89.
[8]	YANG Di, XU Han, LONG Chengnian, PENG Shaoliang. Roadside Parking Management System Based on Blockchain Technology [J]. Journal of Applied Sciences, 2021, 39(1): 90-98.
[9]	FAN Jun, LI Ru, ZHANG Yihang. An Architecture Based on Lightweight Blockchain Suitable for Vehicular Cloud [J]. Journal of Applied Sciences, 2021, 39(1): 99-108.
[10]	XIANG Weijing, TSAI Weitek. Research and Design of Legal Smart Contract Platform Model [J]. Journal of Applied Sciences, 2021, 39(1): 109-122.
[11]	ZHOU Zhengqiang, CHEN Yuling, LI Tao, REN Xiaojun, QING Xinyi. Medical Data Security Sharing Scheme Based on Consortium Blockchain [J]. Journal of Applied Sciences, 2021, 39(1): 123-134.
[12]	ZHANG Lihua, HUANG Yang, WANG Xinyi, BAI Jiayi, CAO Yu, ZHANG Ganzhe. Data Protection Scheme for Targeted Poverty Alleviation Based on Blockchain [J]. Journal of Applied Sciences, 2021, 39(1): 135-150.
[13]	FANG Junjie, LEI Kai. Blockchain for Edge AI Computing: A Survey [J]. Journal of Applied Sciences, 2020, 38(1): 1-21.
[14]	HE Zhengyuan, DUAN Tiantian, ZHANG Ying, ZHANG Hanwen, SUN Yi. Blockchain in Internet of Things: Application and Challenges [J]. Journal of Applied Sciences, 2020, 38(1): 22-33.
[15]	BAO Zhenshan, WANG Kaixuan, ZHANG Wenbo. A Practical Byzantine Fault Tolerance Consensus Algorithm Based on Tree Topological Network [J]. Journal of Applied Sciences, 2020, 38(1): 34-50.