Page 46 - FIGI: Security Aspects of Distributed Ledger Technologies

8.9 General Issue: Smart Contracts

8.9.1 Issue: Attacks on Smart Contracts

Dimensions Affected: Execution Layer; Smart Contracts

The most well-known smart contract platform on public blockchains at present is Ethereum, often called 'Blockchain 2.0.'[333] It includes a Turing-complete scripting language and a general-purpose computing platform on which 'smart contracts'[334] can be executed.[335]

Most smart contracts on the Ethereum network are written in Solidity, an object-oriented high-level programming language created by and for Ethereum.[336][337] The source code is compiled into Ethereum Virtual Machine (EVM) bytecode, which is visible to and can be inspected by all nodes in the network.[338] The EVM bytecode runs on the software-based Ethereum Virtual Machine (EVM), which is present on all network nodes.[339]

Vulnerabilities:
A number of vulnerabilities in smart contracts have been identified. These are enumerated in Table 6.

There are also reportedly flaws prevalent in smart contract blockchain code:[344] while there have been important academic studies of vulnerabilities in blockchain,[345] automated software tools that may detect these flaws before they are exploited and lead to loss are only now being developed.[346]

In addition to the vulnerabilities that are present generally in high-level programming languages and environments, those engaging in the use of smart contracts on public blockchains such as Ethereum face the challenge of publicly visible data. Anyone can view the complete source code and data of an application/smart contract in Ethereum. (If they could not, would others trust what the deployer/programmer of the code says the compiled code contains?) Great care must be given to creating code which can also ensure proper levels of security and privacy.

Smart contracts can be deterministic (running and interacting only with data sources within the blockchain) or non-deterministic (requiring data that exists outside the blockchain, such as from oracles).[347] Oracles, however, can be insecure, leading to incorrect triggering or halting of smart contract execution. Although 'digital events' may seamlessly trigger a smart contract, initiation of a digital event from the physical (external) world could be problematic. For example, if a smart contract retrieves some information from an external source, this retrieval must be performed repeatedly and separately by each node. But because this source is outside of the blockchain (known as 'off-chain'), there is no guarantee that every node will receive the same answer, or receive it at the same time.[348] Or, as has been suggested,[349] perhaps the source will change its response in the

Box 6:
Smart Contract Vulnerabilities and Attacks: The 2016 DAO Exploit and the use of a hard fork to reverse the hack

In 2016, several prominent members of the Ethereum community decided to create a decentralized autonomous organization (DAO) called 'The DAO' to function as a venture capital fund. Its members could pitch innovative projects to the community, who would vote on whether the project would receive funding. The DAO engaged in a hugely successful month-long crowdfunding effort, selling tokens to establish the organization, which would exist as a comprehensive smart contract on the Ethereum blockchain. The effort raised 9.7 million ETH (USD 150 million at that time, rising to USD 250 million shortly after when the ETH price rose).[340]

A bad actor discovered that the refund option for withdrawing coins invested in The DAO was faulty: it sent coins to the caller's address before reducing the caller's recorded investment by the withdrawal amount. Because the send hands control to the recipient, the attacker's contract could call the withdrawal function again from within the send, and the balance-reduction instruction was not reached until the whole chain of nested calls had unwound. The same balance was therefore paid out repeatedly, in a loop. The bad actor withdrew 3.6 million ETH (approximately USD 70 million at the time of the attack) before declaring and ending the attack.[341]

Security Aspects: Subsequently, a decision to reverse the effects of the attack was voted on[342] and implemented by hard-forking the blockchain. This decision was not accepted by all members of the Ethereum mining community; those who rejected it continued the original, unforked chain, which became 'Ethereum Classic.'[343]






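The oracle discussion above turns on a single point: a contract must never fetch off-chain data itself, because each node would fetch independently and could disagree. The usual remedy is to have the off-chain party push the value on-chain in a transaction, so the value is ordinary consensus state by the time any contract reads it. The following is an added example, not code from the report or any production oracle; the single trusted reporter, the feed identifier, the one-hour staleness bound and the threshold consumer are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: push-style oracle. The reporter writes the external value
// into contract storage via a transaction; consumers read only that stored
// value, so every node evaluating the block runs identical logic on
// identical data instead of querying an off-chain source on its own.
contract PriceFeed {
    struct Observation {
        uint256 value;
        uint256 updatedAt; // timestamp of the block containing the report
    }

    address public immutable reporter; // assumption: one trusted key
    mapping(bytes32 => Observation) private observations;

    event Reported(bytes32 indexed feedId, uint256 value, uint256 updatedAt);

    constructor(address _reporter) {
        reporter = _reporter;
    }

    // Only the reporter may publish. Anyone else's transaction reverts, so a
    // forged value cannot enter consensus state through this path.
    function report(bytes32 feedId, uint256 value) external {
        require(msg.sender == reporter, "not the reporter");
        observations[feedId] = Observation(value, block.timestamp);
        emit Reported(feedId, value, block.timestamp);
    }

    // Consumers bound staleness: a stalled reporter is the "halting" failure
    // the text warns about, so refuse to act on old data rather than guess.
    function read(bytes32 feedId, uint256 maxAge) external view returns (uint256) {
        Observation memory o = observations[feedId];
        require(o.updatedAt != 0, "no observation");
        require(block.timestamp - o.updatedAt <= maxAge, "stale observation");
        return o.value;
    }
}

// Consumer that settles a threshold condition using the on-chain feed.
contract ThresholdTrigger {
    PriceFeed public immutable feed;
    bytes32 public constant FEED_ID = keccak256("ETH/USD"); // illustrative id
    uint256 public immutable threshold;
    bool public fired;

    constructor(PriceFeed _feed, uint256 _threshold) {
        feed = _feed;
        threshold = _threshold;
    }

    function check() external {
        // Deterministic: reads consensus state, never an off-chain endpoint,
        // and reverts if the latest observation is older than one hour.
        uint256 price = feed.read(FEED_ID, 1 hours);
        if (price >= threshold) {
            fired = true;
        }
    }
}
```

This removes the node-to-node disagreement problem but not the trust problem the report raises: the reporter key can still lie or go silent, which is why production designs aggregate several independent reporters and verify their signatures rather than relying on one `msg.sender` check as this example does.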