Page 46 - FIGI: Security Aspects of Distributed Ledger Technologies
8.9 General Issue: Smart Contracts

8.9.1 Issue: Attacks on Smart Contracts

Dimensions Affected: Execution Layer; Smart Contracts

The most well-known smart contract platform on public blockchains at present exists on Ethereum, often called ‘Blockchain 2.0.’ 333 334 It includes a Turing-complete scripting language and a general-purpose computing platform on which ‘smart contracts’ can be executed. 335 336

Most smart contracts on the Ethereum network are written in Solidity, an object-oriented high-level programming language created by and for Ethereum. 337 The source code is compiled into Ethereum Virtual Machine (EVM) bytecode, which is visible to and can be inspected by all nodes in the network. 338 The EVM bytecode runs on the software-based Ethereum Virtual Machine (EVM), which is present on all network nodes. 339

Vulnerabilities:
A number of vulnerabilities in smart contracts have been identified. These are enumerated in Table 6. There are also reportedly flaws prevalent in smart contract blockchain codes: 344 while there have been important academic studies of vulnerabilities in blockchain, 345 automated software applications that may detect these flaws before they are exploited and lead to loss are only now being developed. 346

In addition to the vulnerabilities that are present generally in high-level programming languages and environments, challenges to those engaging in the use of smart contracts on public blockchains such as Ethereum include publicly visible data. Anyone can view the complete source code of an application or smart contract in Ethereum. (If not, would others trust what the deployer/programmer of the code says a compiled code contains?) Great care must be given to creating code which can also ensure proper levels of security and privacy.

Smart contracts can be deterministic (running and only interacting with data sources within the blockchain) or non-deterministic (requiring data that exists outside the blockchain, such as from oracles). 347 Oracles, however, can be insecure, leading to incorrect triggering or halting of smart contract execution. Although ‘digital events’ may seamlessly trigger a smart contract, initiation of a digital event from the physical (external) world could be problematic. For example, if a smart contract retrieves some information from an external source, this retrieval must be performed repeatedly and separately by each user node. But, because this source is outside of the blockchain – known as ‘offchain,’ there is no guarantee that every node will receive the same answer, and at the same time. 348 Or, as has been suggested, 349 perhaps the source will change its response in the
Box 6:
Smart Contract Vulnerabilities and Attacks: The 2016 DAO Exploit and use of a hard fork to reverse the hack

In 2016, several prominent members of the Ethereum community decided to create a fully decentralized automated organization (DAO) called ‘The DAO’ to function as a venture capital fund. Its members could pitch innovative projects to the community, who would vote on whether the project would receive funding. The DAO engaged in a hugely successful month-long crowdfunding effort selling tokens to establish the organization, which would exist as a comprehensive smart contract on the Ethereum blockchain. The effort raised 9.7 million ETH (USD 150 million at that time, rising to USD 250 million shortly after when ETH pricing rose). 340 A bad actor discovered that the coin refunding option to withdraw coins invested in The DAO was faulty. It was set to send coins to the actor’s address (via a loop) without first reducing the actor’s investment by the withdrawal amount. Hence the send was made prior to the account reduction, and the account reduction instruction was never reached in the loop. The bad actor withdrew 3.6 million ETH (approximately USD 70 million at the time of the attack) before declaring and ending the attack. 341

Security Aspects: Subsequently, a decision to reverse the chain was voted on. 342 This decision was not accepted by all members of the Ethereum mining community, who ultimately decided to hard fork the blockchain and subsequently created ‘Ethereum Classic.’ 343
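As an added illustration that is not part of this report or of The DAO’s own code, the following hypothetical Solidity contract (contract and function names are assumed) shows the withdrawal ordering flaw described in Box 6 beside the checks-effects-interactions ordering that prevents it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical fund contract (added illustration, not The DAO's actual code).
// Depositors put in ether and may later withdraw their own balance.
contract RefundableFund {
    mapping(address => uint256) public balances;
    bool private locked; // re-entrancy guard flag

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // FLAWED ORDERING, as in Box 6: the ether is sent BEFORE the caller's
    // balance is reduced. The external call hands control to the recipient;
    // if the recipient is a contract it can call withdrawFlawed() again while
    // balances[msg.sender] is still unchanged, so the reduction line is not
    // reached until the fund is drained.
    function withdrawFlawed() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first
        require(ok, "send failed");
        balances[msg.sender] = 0;                         // effect last (too late)
    }

    // HARDENED: checks-effects-interactions ordering plus a mutex guard.
    // The balance is zeroed before any ether leaves, so a re-entrant call
    // sees a zero balance and fails the check; the guard additionally
    // rejects re-entry outright as defence in depth.
    function withdrawSafe() external {
        require(!locked, "re-entrant call");
        locked = true;
        uint256 amount = balances[msg.sender];            // check
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                         // effect
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction
        require(ok, "send failed");
        locked = false;
    }
}
```

Static analysers and auditors look for exactly this pattern: a state write that follows an external call on the same execution path.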