Securing Smart Contracts
Timely and Automated Patching of Ethereum Smart Contracts
Developers must react quickly to discovered security vulnerabilities and deploy patches. This is especially true for smart contracts, because they are always online and always available due to the distributed nature of the blockchain. But corrections rarely happen. Our analyses of the Ethereum blockchain have shown that unsuspecting users often continue to use vulnerable smart contracts, even though the security problems in these contracts were made public months before. Often no action is taken to terminate or remedy these smart contracts. A probable reason is that the manual correction procedures currently available are time-consuming and error-prone. Our research group, together with NEC Laboratories Europe, has therefore developed a framework, EVMPatch, that helps developers to fix errors automatically. For this purpose, the new patching framework features a so-called bytecode rewriter. Independent of the programming language and compiler used, it patches common Ethereum smart contracts by rewriting their bytecode. Additionally, EVMPatch applies differential testing on prior transactions from the blockchain to test the introduced patches.
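A minimal sketch of the differential-testing idea described above, as an added example (not EVMPatch code and not taken from the paper): a constructed transaction history is replayed against a toy Python model of an original and a patched token contract, and every transaction whose outcome differs is flagged for review. The ledger model, function names and account labels are assumptions made for illustration.

```python
# Toy model (constructed): a token ledger with 256-bit wrapping arithmetic
# stands in for contract bytecode. Illustration only, not EVMPatch code.
MOD = 2 ** 256

class Revert(Exception):
    """Models an EVM revert: the transaction leaves state unchanged."""

def transfer_original(state, sender, to, amount):
    # Vulnerable version: arithmetic wraps modulo 2**256, no balance check.
    state[sender] = (state.get(sender, 0) - amount) % MOD
    state[to] = (state.get(to, 0) + amount) % MOD

def transfer_patched(state, sender, to, amount):
    # Patched version: revert instead of wrapping on underflow or overflow.
    if state.get(sender, 0) < amount:
        raise Revert("underflow")
    if state.get(to, 0) + amount >= MOD:
        raise Revert("overflow")
    transfer_original(state, sender, to, amount)

def replay(contract, genesis, history):
    """Run history in order; record (status, state changes) per transaction."""
    state, trace = dict(genesis), []
    for tx in history:
        attempt = dict(state)
        try:
            contract(attempt, *tx)
            status = "ok"
        except Revert:
            attempt, status = dict(state), "revert"  # discard partial writes
        # Compare per-transaction effects, not whole states, so that one
        # divergence does not mark every later transaction as different.
        delta = {k: v for k, v in attempt.items() if state.get(k) != v}
        trace.append((status, delta))
        state = attempt
    return trace

def differential_test(genesis, history):
    """Indices of transactions whose outcome differs after patching."""
    old = replay(transfer_original, genesis, history)
    new = replay(transfer_patched, genesis, history)
    return [i for i, (a, b) in enumerate(zip(old, new)) if a != b]

# Constructed sample history: (sender, recipient, amount)
GENESIS = {"alice": 100, "bob": 5}
HISTORY = [("alice", "bob", 30), ("bob", "carol", 10),
           ("mallory", "mallory2", 1),   # sender balance is 0: wraps originally
           ("alice", "carol", 20)]
```

A flagged transaction means the patch changed observable behaviour: either it blocked the vulnerable path, as with the third transaction here, or it broke a legitimate one.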
For more information on EVMPatch, contact Michael Rodler.
EVMPatch, our experiments and results are described in our upcoming paper at USENIX Security 2021:
Rodler, Michael; Li, Wenting; Karame, Ghassan O.; Davi, Lucas: EVMPatch: Timely and Automated Patching of Ethereum Smart Contracts. In: Proc. of 30th USENIX Security Symposium. USENIX Association, Vancouver, B.C., Canada 2021.
A pre-print of our upcoming USENIX Security publication can be found on arxiv.org: https://arxiv.org/abs/2010.00341
To assess the practicality of patching Ethereum smart contracts with and without EVMPatch, we performed a developer study and asked several developers to perform common patching tasks.
The results are summarized in our paper. The questionnaire, study manual and the smart contracts we used can be found on GitHub: github.com/uni-due-syssec/evmpatch-developer-study
We also released the raw data of our evaluation on GitHub:
Protecting Existing Smart Contracts Against Re-Entrancy Attacks
Recently, a number of existing blockchain systems have witnessed major bugs and vulnerabilities within smart contracts. Although the literature features a number of proposals for securing smart contracts, these proposals mostly focus on proving the correctness or absence of a certain type of vulnerability within a contract, but cannot protect deployed (legacy) contracts from being exploited. In this project, we address this problem and develop a novel smart contract security technology, called Sereum (Secure Ethereum), which protects existing, deployed contracts in a backwards compatible way based on run-time monitoring and validation.
By means of implementation and evaluation using the Ethereum blockchain, we show that Sereum covers the actual execution flow of a smart contract to accurately detect and prevent re-entrancy attacks with a false positive rate as small as 0.06% and with negligible run-time overhead.
For more information on Sereum, contact Michael Rodler.
Rodler, M., Li, W., Karame, G. O., & Davi, L. (2019). Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks. 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019.
You can also find our paper on the arxiv.org preprint server.
During the development of Sereum, we identified several re-entrancy attack patterns, which are not covered by existing analysis tools. Source code of example contracts and attacks can be found on github.com/uni-due-syssec/eth-reentrancy-attack-patterns
You can find the raw data of replaying (almost) all transactions in all blocks up to block 8 million of the Ethereum mainnet with Sereum also on GitHub: github.com/uni-due-syssec/sereum-results
Our paper Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks attracted the attention of various news portals. You can find a (non-exhaustive) list of media portals covering our research here: