Analysis of Security Strategies for Smart Contracts Based on Ethereum

Author affiliations:
  1. College of Mathematics and Computer Science, Zhejiang Normal University, Jinhua 321004, Zhejiang, China
  2. School of Computer and Control Engineering, Yantai University, Yantai 264005, Shandong, China

Received date: 2020-11-12

Online published: 2021-02-04

Abstract

A smart contract is a collection of code and data. Once a smart contract is deployed, it cannot be changed. Because smart contracts hold and transfer financial value, a vulnerability in a contract can cause huge losses, so it is essential to write safe and reliable smart contracts. Taking the Ethereum platform as the basis, this paper analyzes the security of smart contracts and summarizes several common vulnerability classes: reentrancy, integer overflow, denial of service (DoS), timestamp dependence, and transaction-ordering dependence. We analyze each vulnerability in detail, reproduce its attack scenario, propose a corresponding preventive security strategy, and verify the effectiveness of these strategies. Finally, we analyze and compare several popular tools for detecting smart contract vulnerabilities.
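As an illustration of the reentrancy class named in the abstract, the following Solidity example is added here; it is not code from the paper and does not reproduce the paper's own strategies. It places a reentrant `withdraw()` beside a hardened version that applies the checks-effects-interactions ordering and a mutex guard. The contract names `VulnerableBank` and `HardenedBank`, and the `unchecked` block (used so the defective ordering behaves as it did under pre-0.8 wrapping arithmetic), are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustrative example; not code from the paper.

contract VulnerableBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Defective ordering: the external call runs before the balance is
    // updated, so a caller's fallback can re-enter withdraw() while the
    // stored balance still passes the check.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        // unchecked mimics pre-0.8 compilers, where the subtraction wraps
        // silently; with checked arithmetic the final underflow would revert
        // the whole transaction and partially mask the ordering bug.
        unchecked {
            balances[msg.sender] -= amount;
        }
    }
}

contract HardenedBank {
    mapping(address => uint256) public balances;
    bool private locked;

    // Mutex: any nested call into a guarded function reverts.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: validate, update state, then interact.
    // Solidity >=0.8 checked arithmetic also reverts on overflow/underflow,
    // which addresses the integer overflow class listed in the abstract.
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance"); // check
        balances[msg.sender] -= amount;                                   // effect
        (bool ok, ) = msg.sender.call{value: amount}("");                 // interaction
        require(ok, "transfer failed");
    }
}
```

The guard and the ordering are independent defenses: the ordering alone already prevents the re-entered call from passing the balance check, and the mutex additionally rejects re-entry into any other guarded function of the same contract. Static analyzers of the kind the abstract compares typically flag the first contract by detecting a state write that follows an external call.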

Cite this article

ZHANG Dengji, ZHAO Xiangfu, CHEN Zhongyu, TONG Xiangrong. Analysis of Security Strategies for Smart Contracts Based on Ethereum[J]. Journal of Applied Sciences, 2021, 39(1): 151-163. DOI: 10.3969/j.issn.0255-8297.2021.01.013
