Researchers discovered 34,200 buggy smart contracts on Ethereum.
In November of last year, a person known by the pseudonym “DevOps199” stumbled across a critical vulnerability in the code for a subset of Ethereum wallets. They made themselves the “owner” of this Ethereum code library, called a smart contract, and destroyed it. This shouldn’t have been possible, but DevOps199 nonetheless locked up roughly $150 million USD worth of other people’s digital coins.
There are hundreds of thousands of similar smart contracts on Ethereum that control wallets, tokens and applications, or hold funds. Now, researchers say they’ve devised a new approach for finding vulnerabilities in smart contracts that would have exposed the flaw DevOps199 exploited before it was too late. Even more, the researchers say they’ve discovered an additional 34,200 vulnerable smart contracts. A sample of roughly 3,000 vulnerable contracts that the team verified could be exploited to steal roughly $6 million worth of ether, Ethereum’s in-house cryptocurrency, they said.
“We’re dealing with applications that have two very unpleasant traits: They manage your money, and they cannot be amended,” said Ilya Sergey, an assistant professor of computer science at University College London and co-author of the work, over the phone.
The authors—hailing from the National University of Singapore (NUS) and Yale-NUS College in Singapore, as well as University College London in the UK—published their technical report on the arXiv preprint server last week, and it is currently undergoing peer review.
Smart contracts are self-executing bits of code that are stored on the Ethereum blockchain. People interact with smart contracts by sending them instructions in a transaction, and the code is run during the mining process. These programs are executed with Ethereum-specific code that’s stored on the blockchain and doesn’t mean much to people—human-readable source code is often also available, but isn’t always published. This makes analyzing vulnerabilities in smart contracts difficult; you need to be able to see their source code, and vulnerabilities are often only found after a disaster has already occurred.
Sergey and his colleagues, however, wanted to analyze smart contracts at scale and look for future vulnerabilities. Their solution was to treat Ethereum like a vending machine.
“Imagine your goal isn’t to interact with the vending machine in a proper way, but rather you want to break it or get it to serve you for free,” Sergey said over the phone. “Assume we put a few coins in the machine, and just start randomly pushing buttons hoping that the inner workings of the vending machine—which we have no knowledge about, springs and whatnot—eventually releases the latch so you can take the candy.”
What this meant in practice was downloading a copy of the entire Ethereum blockchain up to a certain point (essentially, creating a private fork) and running it locally, executing many different permutations of interactions with all the smart contracts live on the blockchain at the time of the fork. When an undesired action emerged in one of the contracts as the result of a chain of instructions—the researchers call this a “trace vulnerability”—they flagged it.
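A toy model of the trace search described above, added here as an illustration; it is not the researchers' tool and does not touch Ethereum. The contract state, its three functions and the account name are constructed, modelling an ownerless library that lets any caller become owner and then destroy it.

```python
from itertools import product

CALLER = "untrusted"  # constructed: an account with no special rights


def make_contract(owner):
    # Constructed toy state, not real EVM state.
    return {"owner": owner, "alive": True, "balance": 100}


def init_owner(state, caller):
    # Flaw under test: succeeds whenever no owner has been set yet.
    if state["owner"] is None:
        state["owner"] = caller


def kill(state, caller):
    # Only the current owner may destroy the contract.
    if state["alive"] and caller == state["owner"]:
        state["alive"] = False


def deposit(state, caller):
    if state["alive"]:
        state["balance"] += 1


FUNCTIONS = {"init_owner": init_owner, "kill": kill, "deposit": deposit}


def violated(state):
    # Undesired outcome: contract destroyed while it still holds funds.
    return not state["alive"] and state["balance"] > 0


def find_traces(initial_owner, max_depth=3):
    """Return the shortest call sequences by CALLER that reach a violation."""
    for depth in range(1, max_depth + 1):
        found = []
        for trace in product(FUNCTIONS, repeat=depth):
            state = make_contract(initial_owner)  # fresh copy per trace
            for name in trace:
                FUNCTIONS[name](state, CALLER)
            if violated(state):
                found.append(trace)
        if found:
            return found
    return []


if __name__ == "__main__":
    print("owner never set:    ", find_traces(None))
    print("owner set at deploy:", find_traces("deployer"))
```

No single call triggers the violation; it only appears as a chain of two, which is why the search runs over sequences rather than individual functions.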
After analyzing nearly one million smart contracts, the researchers found 34,200 that were critically vulnerable, including the contract that DevOps199 destroyed. On a subset of roughly 3,000 contracts, the team was able to verify and reproduce the flagged vulnerabilities with an 89 percent success rate.
According to Sergey, the researchers attempted to track down the creators of the vulnerable smart contracts but did not succeed. There’s no guarantee these creators would have listened, either: Parity, the company behind the vulnerable wallet code library that DevOps199 destroyed, was made aware of the issue months before the catastrophe but elected not to act immediately. The company wrote at the time that it had considered the fix a “convenience enhancement” when it was made aware.
Still, because the researchers have not actually revealed the vulnerable contracts, the money is presumably safe for now.
“If someone wants to exploit this idea, they’ll have to do at least as much work as we did,” Sergey said.