Bitcoin might have seen unprecedented popularity over the past few months for its unpredictable dips and hikes, but it was Ethereum that managed to get most of the news space. While the currency has also experienced incredible growth over the last year, it has also been at the center of several cryptocurrency security issues and controversies. One of these was particularly devastating when it was revealed back in November that a user named Devops199 had unintentionally triggered a bug that froze $280 million in Ethereum.
Devops199 did that by essentially making themselves an owner of a smart contract. Much on that particular incident has already been discussed, but now it appears more millions could be at risk because there are over 34,200 of these contracts that potentially expose millions of dollars' worth of ether to hackers.
Motherboard reported on research conducted by the National University of Singapore (NUS), Singapore's Yale-NUS College and the UK's University College London (UCL) that has revealed that thousands of smart contracts remain vulnerable. "A sample of roughly 3,000 vulnerable contracts that the team verified could be exploited to steal roughly $6 million worth of ether," suggesting that a much larger sum could be potentially frozen or stolen.
Researchers downloaded entire Ethereum blockchain
Their research [PDF] documents a tool called MAIAN that the team developed to analyze nearly one million smart contracts for vulnerabilities which could lead to frozen coins or a total destruction of these contracts. The tool uses the entire Ethereum blockchain to make a private fork for testing purposes to make sure current contracts or funds aren't disturbed.
"Imagine your goal isn’t to interact with the vending machine in a proper way, but rather you want to break it or get it to serve you for free," Ilya Sergey, an assistant professor of computer science at University College London and co-author of the research told the publication. "Assume we put a few coins in the machine, and just start randomly pushing buttons hoping that the inner workings of the vending machine - which we have no knowledge about, springs and whatnot - eventually releases the latch so you can take the candy."
To be able to play with this vending machine, they downloaded a copy of the entire Ethereum blockchain up to a certain point and ran it locally. Executing different permutations of interactions with all the currently live smart contracts, they looked for vulnerabilities.
In a sample of a million smart contracts, they flagged over 34,200 that were critically vulnerable. They also tried to track those the creators of these vulnerable smart contracts but couldn't. As Motherboard notes it isn't necessary if they would have even listened to these researchers. When DevOps199 managed to freeze hundreds of millions in Ethereum, it was discovered that Parity (the company behind the vulnerable code library) was actually made aware of the vulnerability months before.
"In August, a Github contributor called “3esmit” recommended a code change that initWallet should be called when being deployed which at the time was considered a convenience enhancement," Parity had said in its statement post-freeze. "Thus, we committed this proposed enhancement to the library contract that would automatically initialize it by calling initWallet on construction."
As it turned out it wasn't so much about convenience as it was about security.
The researchers have opted not to reveal details of the vulnerable contracts to avoid similar incidents from happening. As for how others could do the damage, they wrote criminals would "have to do at least as much work as we did" to exploit this idea.
- Their research is currently undergoing peer review and might eventually help make it easier for researchers to identify vulnerabilities in smart contracts, leading to potential fixes.