Wed, 14. Oct. 2020   Rodler, Michael

New Technology Fixes Security Vulnerabilities in Smart Contracts

Smart Contracts have made Ethereum the world's second largest crypto currency. However, recent criminal attacks exploited errors in the programmed contracts. Our research group, together with partners from industry, has developed and evaluated a technique that enables published smart contracts to be improved instantly.

Smart contracts are used in modern blockchain systems to implement any kind of contractual regulations. They enable the autonomous administration of crypto currency and regulate without the intervention of a third party (e.g. a notary or a bank) the transfer of values and rights between actors. Smart contracts thus have great potential to revolutionize business areas such as the finance, insurance, and energy sector. Due to their ease of use and the high monetary value of some contracts, they are an attractive target for hackers. They try to exploit programming errors in the code in order to, for example, steal crypto currency.

To prevent this, developers must react quickly on discovered security vulnerabilities because smart contracts are always online and always available. This entails the distributed structure of the underlying blockchain. But an instant correction rarely happens, as one of our researchers, Michael Rodler, knows: "Our analyses of the Ethereum blockchain have shown that vulnerable smart contracts are often continued to be used by unsuspecting users, even though security problems in these contracts were made public months before. Often no action is taken to terminate or remedy these smart contracts".

A probable reason is that the manual correction procedures currently available are time-consuming and error-prone. Our research group, together with NEC Laboratories Europe, has therefore developed a framework that helps developers to fix errors automatically. For this purpose, the new patching framework features a so-called bytecode rewriter. Independent of the used programming language and compiler, it patches common Ethereum smart contracts by rewriting their byte code.

The effectiveness of this technique was demonstrated by simulated attacks on 14,000 real, vulnerable smart contracts. The attack transactions were successfully blocked, while the functionality of the original contracts remained completely intact. A usability study showed that the tool is practical and provides developers with a decisive time advantage. "Our EVMPatch framework enables developers to quickly respond to security vulnerabilities and directly fix the faulty code. In doing so, they protect the users of their smart contracts", explains Michael Rodler, who will present the work at the renowned USENIX Security Symposium in Vancouver next year.

Publication

Rodler, Michael; Li, Wenting; Karame, Ghassan O.; Davi, Lucas: EVMPatch: Timely and Automated Patching of Ethereum Smart Contracts. In: Proc. of 30th USENIX Security Symposium. USENIX Association, Vancouver, B.C., Canada 2021. https://arxiv.org/abs/2010.00341  

More Informationen also on our project page on the research project "Securing Smart Contracts".