
Smart Contract: Attacks and Protections: Corresponding Author: Hector Marco-Gisbert (Hector - Marco@uws - Ac.uk)

This document summarizes a research paper on smart contract attacks and protections. It discusses how smart contracts operate on blockchains without third parties, but are vulnerable due to inability to patch after deployment. It classifies blockchain exploitation into 4 categories, and analyzes the 7 most important smart contract attack techniques. While security tools exist, known vulnerabilities remain, providing a false sense of security. The document recommends future research to progress towards secure smart contracts.

Uploaded by

godwin bossom

Received December 6, 2019, accepted January 17, 2020, date of publication January 30, 2020, date of current version February 10, 2020.


Digital Object Identifier 10.1109/ACCESS.2020.2970495

Smart Contract: Attacks and Protections


SARWAR SAYEED, HECTOR MARCO-GISBERT (Senior Member, IEEE), AND TOM CAIRA
School of Computing, Engineering and Physical Sciences, University of the West of Scotland, Paisley PA1 2BE, U.K.
Corresponding author: Hector Marco-Gisbert ([email protected])

ABSTRACT Smart contracts are programs that reside within decentralized blockchains and are executed
pursuant to triggered instructions. A smart contract acts in a similar way to a traditional agreement but
negates the necessity for the involvement of a third party. Smart contracts are capable of initiating their
commands automatically, thus eliminating the involvement of a regulatory body. As a consequence of
blockchain’s immutable feature, smart contracts are developed in a manner that is distinct from traditional
software. Once deployed to the blockchain, a smart contract cannot be modified or updated for security
patches, thus encouraging developers to implement strong security strategies before deployment in order to
avoid potential exploitation at a later time. However, the most recent dreadful attacks and the multifarious
existing vulnerabilities which result as a consequence of the absence of security patches have challenged
the sustainability of this technology. Attacks such as the Decentralized Autonomous Organization (DAO)
attack and the Parity Wallet hack have cost millions of dollars simply as a consequence of naïve bugs in the
smart contract code. In this paper, we classify blockchain exploitation techniques into 4 categories based
on the attack rationale; attacking consensus protocols, bugs in the smart contract, malware running in the
operating system, and fraudulent users. We then focus on smart contract vulnerabilities, analyzing the 7 most
important attack techniques to determine the real impact on smart contract technology. We reveal that even
adopting the 10 most widely used tools to detect smart contract vulnerabilities, these still contain known
vulnerabilities, providing a dangerously false sense of security. We conclude the paper with a discussion
about recommendations and future research lines to progress towards a secure smart contract solution.

INDEX TERMS Smart contracts, attack techniques, DApp, Ethereum, vulnerability.

The associate editor coordinating the review of this manuscript and approving it for publication was Tyson Brooks.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
24416 VOLUME 8, 2020
S. Sayeed et al.: Smart Contract: Attacks and Protections

I. INTRODUCTION

A blockchain is a distributed network that is leveraged for various purposes [1]. It is an immutable ledger technology where the recorded information is open and can be viewed by everyone. It does not involve any central authority to monitor the regular flow of the network, making it less prone to attacks. Miners’ consent is required to verify the authenticity of any acts performed in the blockchain platform. Since its inception, blockchain has primarily been utilized for crypto transactions. However, blockchain is not all about cryptocurrencies, rather, it extends far beyond this. Over time, the remarkable advancement of blockchain has made it possible to apply it to various other activities. The smart contract is one of these applications which allows agreement to be formed and authentic transactions initiated between parties without the involvement of middlemen. This improves upon the traditional approach where users ended up expending an unreasonable amount of time and effort.

Ethereum is a blockchain platform which provides tools for developers to build decentralized applications which, unlike Bitcoin, can be utilized for various purposes [2], [3]. Bitcoin blockchain enhances a peer to peer digital cash system which allows the participant to perform online transactions [4], whereas, besides digital transactions, Ethereum is also utilized to execute smart contract code in decentralized applications which are deployed on the network.

A smart contract functions in a similar way a normal contract works among two or more parties. Parties do not need to rely on lawyers or banks to set up an agreement for them, rather, the smart contract gets executed automatically to issue payment once certain conditions are met. For instance, a lease agreement, insurance contract, or real estate payments can be in the form of a smart contract.

A smart contract is basically a piece of code that resides inside the blockchain, ensuring the stated conditions are met to fulfill the user’s requirement [5]. The written code is publicly visible in the blockchain, and transparent to anyone who is connected to the network. Upon fulfilling the conditions by the desired time, the contract gets triggered to execute the digital transaction. Since the conditions are encrypted cryptographically, no party is able to alter the contents of a contract. The immutable nature of blockchain also ensures that every single device connected to the network contains a copy of the contract, thus securing a backup version of the contract.

Being open-source, the contract code enables the involved parties to determine what the contract does and how it is initiated [6]. It also guarantees the execution of the contract without being affected when certain parts of the network are down or being attacked by adversaries. Once the contract is placed within the blockchain, it is nearly impossible to have it removed or deleted unless the whole blockchain network is exploited by some significant attack techniques. However, such attacking efforts may involve a huge amount of capital, requiring an adversary to re-generate every block that is chained after the affected block.

Despite all the security enhancements and security tools [7], [8], blockchain still faces challenges to cope with various pernicious attacks [9]. A range of attacks are constantly initiated to obstruct the natural flow or even fully destroy the network [10]. Attacks relating to cryptocurrency wallets, smart contracts, transaction authentication, mining pools, and blockchain networks are frequently exploited by adversaries. DAO attacks, King of the Ether Throne, and Multi-player Games are some smart contract based attacks which occur due to the bugs in smart contract code [11].

This paper focuses on examining smart contract based attacks as well as the consequences of their exploitation. We do not aim to determine how much effort it takes to execute particular attacks. Rather, we focus on various attack types and available security tools to restrict those attacks, as well as limitations that exist to those security enhancements.

II. BACKGROUND

This section involves reviewing relevant context associated with Ethereum smart contracts and attacks launched on them. The investigation of the literature helps to grasp the concepts of blockchain technology and smart contract frameworks, and provides an overview of Ethereum, decentralized applications, and past smart contract-based attacks.

Figure 1 shows a comparison between client-server architecture and decentralized DApp architecture. TBC.com, an application, contains front-end and back-end parts [12]. The front-end is developed using HTML and can be viewed by any clients, whereas the back-end is developed using Node.js. Both ends communicate with each other via JSON using HTTP protocol. All the confidential data is saved to a central server. In the case of a smart contract-based decentralized application (DApp), the back-end is the smart contract and the confidential data is saved at Block 45 of the blockchain. Every node that is connected to the blockchain has a version of the smart contract code, which is immutable. Exploiting a single or a few nodes will not significantly affect the actions of TBC.com, conveying the security aspects of blockchain over a centralized system.

A. BLOCKCHAIN AND DIGITAL TRUST

The blockchain is one of the creative innovations of the era, which is able to distribute digital information securely. It combines three main technologies which ensure its proper function; private key cryptography, peer-to-peer networking, and the consensus protocol [13]. An intricate cryptography approach is implemented to secure transactions and a hashing method is used to provide a fixed-length output [14]. For instance, a transaction sent by Alice will be shown as

Hence, securing the user’s identity while only the public address and the transfer amount is visible to others. Using the public key it is possible to determine any transactions made by a participant. Similarly, the immutability of blockchain makes it a tamper-free system. Once any content is recorded in the blockchain, it cannot be omitted from the ledger.

Moreover, the block validation process involves network miners to determine whether a particular block is valid. Anyone can join the network as a miner to participate in the validation process [15]. The block generation method differs in different platforms, although Ethereum’s mining process is very similar to Bitcoin [16]. Ethereum, along with many other digital currencies, follows the Proof of Work (PoW) consensus protocol. The PoW protocol utilizes the ’ethash’ algorithm for the mining task. The validation process makes use of powerful computers to solve a puzzle. A miner with a valid hash is awarded ether, and the generated block is then added to that particular blockchain. The block generation time of Ethereum is roughly 12-15 seconds.

B. SMART CONTRACT FRAMEWORKS

Ethereum is one of the major platforms which is used for the development of a smart contract. Smart contract developers are permitted to develop any decentralized application (DApp) they wish on the Ethereum platform. The decentralized applications trigger exactly as per the code conditions without having any risk of censorship, deception, or downtime. However, besides all the advantages, no one can claim it to be a fully secure platform. For instance, unexpected bugs in the smart contract code may lead the contract to trigger unintended tasks it is not set to perform. Hence, parties involved with the contract may experience huge loss as a consequence of the unresolved agreement. Besides Ethereum, there are other smart contract platforms that are utilized for the development of DApps.

Hawk is another framework for developing privacy-preserving smart contracts [17]. Hawk does not require cryptography implementation, so it provides opportunity for non-programmers to write a Hawk program. A Hawk compiler is in place to compile Hawk programs. One-chain


privacy and contractual security are two security approaches guaranteed by Hawk to enhance protection. Hawk is the first smart contract system which establishes a recognized, academic provision of the blockchain model of cryptography. It comprises a Universal Composability (UC) model, which consists of independent interest. The UC model is a formal model that can be leveraged, simulating security protocols in the blockchain.

FIGURE 1. A comparison between Client-server architecture and Decentralized DApp architecture.

Hawk utilizes zkSNARKs to verify smart contracts. However, SNARKs involves pre-circuit trusted setup, requiring a new setup in place for any program which is implemented by a contract [18]. A multi-party calculation can be adopted to diminish reliability on the setup, but this is inappropriate to utilize on the per-circuit basis that is desired by Hawk. Moreover, HAWK suffers from scalability challenges and, in addition, the privacy aspect is entirely handled by a third-party manager, making all confidential data insecure. Hawk, and other frameworks which are focused on achieving privacy-preserving contracts, suffer from serious flaws [19]. They cannot be affiliated with digital currencies. As such, all these frameworks may incur high costs for transaction processing.

EOS and Tron are also smart contract based platforms which incorporate scalability [20].

C. ETHEREUM SYNOPSIS

The Ethereum blockchain has its own cryptocurrency which is ether. Ether is the token which powers the Ethereum blockchain [21]. Ether operates in a slightly different way from Bitcoin, and is also utilized in smart contracts. A smart contract is computer code which incorporates an automated legal agreement [22]. Vyper, Bamboo, Serpent, and Mutan are a few programming languages that have been used to write smart contract code. However, currently, Solidity is the prime language adopted for writing smart contracts. The implementation of smart contracts within the blockchain makes it immutable, therefore, a deployed contract can never be voided or erased.

Gas is a term that is used as a fee in the Ethereum platform [23]. Gas is often estimated by the computational performance of a smart contract. Distinct smart contracts require different volumes of gas in order to execute a required task. The gas requirement of a smart contract can be determined by applying the following rule

Besides gas, the Ethereum Virtual Machine (EVM) is another significant aspect of the Ethereum blockchain. The EVM generates a degree of abstraction between the executing code and the machine that executes it [24]. The layer ensures that the DApps are detached from each other as well as from hosts. Solidity code needs to be compiled to opcode in order for the EVM to execute it. The EVM utilizes the opcodes to carry out various tasks. There are about 140 distinct opcodes that enhance the EVM to be Turing-complete, allowing it to evaluate anything. The opcodes are encoded to bytecode to determine proper security. The EVM dominates the inner part of the Ethereum blockchain and also consists of a detailed list of the status to initiate a transaction [23].

D. DECENTRALIZED APPLICATION

A decentralized application is also referred to as a DApp [6]. DApps are open-source applications based on the Ethereum blockchain where a consensus is maintained between the user and programmer during the development process. The source code is available for examination and the application is stored in the blockchain to ensure trust and transparency. Miners are responsible for securing the application and are rewarded with tokens for the validation of the DApp. Bitcoin can be considered as a DApp on the Bitcoin blockchain platform. Nevertheless, the Ethereum blockchain is recognized as a bigger platform for decentralized applications.
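The opcode-to-bytecode relationship described in the Ethereum synopsis above can be made concrete with a small disassembler; this is an added example, not code from the paper. The opcode table is a subset of the EVM instruction set, the function names are hypothetical, and the bytecode string is constructed for illustration. It also shows why a reviewer has to decode PUSH immediates rather than search raw bytes for opcodes such as DELEGATECALL and TIMESTAMP, which the attack techniques in Section IV revolve around.

```python
# Added example: minimal EVM bytecode disassembler (opcode table is a subset).

OPCODES = {
    0x00: "STOP", 0x01: "ADD", 0x02: "MUL", 0x03: "SUB", 0x04: "DIV",
    0x10: "LT", 0x11: "GT", 0x14: "EQ", 0x15: "ISZERO", 0x16: "AND",
    0x20: "KECCAK256", 0x33: "CALLER", 0x34: "CALLVALUE",
    0x35: "CALLDATALOAD", 0x36: "CALLDATASIZE", 0x42: "TIMESTAMP",
    0x50: "POP", 0x51: "MLOAD", 0x52: "MSTORE", 0x54: "SLOAD",
    0x55: "SSTORE", 0x56: "JUMP", 0x57: "JUMPI", 0x5B: "JUMPDEST",
    0xF1: "CALL", 0xF3: "RETURN", 0xF4: "DELEGATECALL", 0xFD: "REVERT",
    0xFF: "SELFDESTRUCT",
}
# PUSH1..PUSH32, DUP1..DUP16 and SWAP1..SWAP16 occupy contiguous ranges.
OPCODES.update({0x60 + i: "PUSH%d" % (i + 1) for i in range(32)})
OPCODES.update({0x80 + i: "DUP%d" % (i + 1) for i in range(16)})
OPCODES.update({0x90 + i: "SWAP%d" % (i + 1) for i in range(16)})

# Opcodes a reviewer would want surfaced for the issues the paper covers.
REVIEW = {
    "TIMESTAMP": "block timestamp is miner-influenced",
    "DELEGATECALL": "callee code runs in the caller's storage context",
}

# Constructed sample: the usual Solidity prologue, then a PUSH2 whose
# immediate bytes (f4 42) merely look like DELEGATECALL and TIMESTAMP,
# followed by a real TIMESTAMP and a real DELEGATECALL.
SAMPLE = "0x608060405261f4425042600055f400"


def _to_bytes(bytecode_hex):
    """Accept bytecode with or without a 0x prefix."""
    if bytecode_hex[:2].lower() == "0x":
        bytecode_hex = bytecode_hex[2:]
    return bytes.fromhex(bytecode_hex)


def disassemble(bytecode_hex):
    """Return a list of (offset, mnemonic, immediate) tuples."""
    code = _to_bytes(bytecode_hex)
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        name = OPCODES.get(op, "UNKNOWN_0x%02x" % op)
        if 0x60 <= op <= 0x7F:
            width = op - 0x5F  # PUSHn carries n immediate bytes
            imm = code[pc + 1:pc + 1 + width]
            # Immediate bytes past the end of the code read as zero.
            imm = imm.ljust(width, b"\x00")
            out.append((pc, name, "0x" + imm.hex()))
            pc += 1 + width
        else:
            out.append((pc, name, None))
            pc += 1
    return out


def flagged_instructions(bytecode_hex):
    """Offsets and names of decoded instructions listed in REVIEW."""
    return [(pc, name) for pc, name, _ in disassemble(bytecode_hex)
            if name in REVIEW]


def naive_byte_hits(bytecode_hex):
    """Offsets a raw byte search would report (includes PUSH data)."""
    wanted = {op for op, name in OPCODES.items() if name in REVIEW}
    return [i for i, b in enumerate(_to_bytes(bytecode_hex)) if b in wanted]


if __name__ == "__main__":
    for pc, name, imm in disassemble(SAMPLE):
        note = REVIEW.get(name, "")
        print("%04x  %-13s %-8s %s" % (pc, name, imm or "", note))
    print("decoded hits:", flagged_instructions(SAMPLE))
    print("raw byte hits:", naive_byte_hits(SAMPLE))
```

The two extra offsets in the raw byte search fall inside the PUSH2 immediate, which is data rather than instructions.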


FIGURE 2. Total cycle of smart contract execution over Ethereum blockchain.

Likewise, a Decentralized Autonomous Organization (DAO) aims to categorize the policies of an organization by limiting the requirement for centralized activities with the use of a decentralized approach [25]. It may involve a few participants contributing to the writing of smart contract code. Having an initial funding period, participants are allowed to include funds to purchase tokens, and the DAO begins its execution after the funding period. Participants have the option to propose approaches to utilize the funds, and a few participants can also vote to determine the approval of the proposals.

Figure 2 shows the sequence of smart contract execution over Ethereum blockchain. Two parties reach an agreement, which is then written by a developer using Solidity code. The code is then compiled to bytecode for the EVM to process. Miners’ involvement is required for processing the contract to the blockchain. Once included, the contract gets processed on the event scheduled date, triggered by the written code. The execution of the contract releases the payment to the appropriate party, which can later be verified by anyone.

E. SMART CONTRACT-BASED ATTACKS

There have been a lot of attacks on smart contracts, costing a large amount of money. However, the DAO attack and the Parity Wallet hacks are the most often discussed.

In May 2016, a few participants from the Ethereum society inaugurated the DAO [26]. The inception was known as genesis DAO. The DAO was an open-source smart contract that allowed anyone to exchange DAO tokens with ether. That method of exchange helped to gather around $150M, providing DAO with a large crowdfund. Participants with DAO tokens were permitted to cast their vote on propositions and receive rewards as long as it resulted in profit. However, the DAO contract contained severe flaws, allowing attackers to remove funds. A loophole existed which permitted an attacker to request funds from the smart contract numerous times before the balance was updated. The vulnerability occurred due to bugs in the code where the developers did not consider the potential for a recursive call. Hence, it enabled attackers to steal ether worth millions of dollars within the first few hours. The DAO attack scenario demonstrates how destructive a simple smart contract vulnerability can be.

Similarly, the Parity Wallet hack is another vulnerability which was discovered on the Parity Multisig Wallet with version 1.5+ [27], [28]. The flaw permitted an attacker to remove over 150,000 ETH (30M USD). In order to execute the attack, the adversary transmitted two transactions aiming to acquire ownership of Multisig so that all the currency could be drained. Once the attack was accomplished, the Parity Multisig Wallet Library contract was initiated. However, it contained a bug which authorized anyone to run initWallet [29]. The attack was executed twice; hence, it is referred to as Parity Wallet hack 1 and 2. In the first attack, the attacker was able to modify the status of the wallet by initiating a call to initWallet. As a result, the attacker was believed to be the owner and drained funds without any hindrance.

III. ATTACK CLASSIFICATION

In this section, we classify blockchain-based exploitations into 4 categories. Our study indicates that most blockchain


attacks fall under the listed categories. Potential adversaries utilize specific categories to initiate an attack in accordance with their attacking capability. Although this section focuses on classifying the exploitation techniques, the rest of the paper concentrates on a single category which is application bugs.

Figure 3 shows the classification of exploitation and attack vectors that fall under each classification. Our analysis does not determine how much effort is required to perform particular attacks, rather, it points out the main flaws of particular exploitations.

FIGURE 3. A classification of exploitation based on the fragile methods.

A. MALICIOUS ACTS

Malicious acts may comprise the action of spreading malware to deceive users. This type of exploitation is mostly initiated over the Internet to compromise user identity or conduct fraud through the use of malware or viruses. Such malicious activities can seriously impact a victim’s financial circumstances [30]. Malicious attacks may arise in any form such as an email from the wallet asking to sync the account with a network that has just been hard-forked. Exploitation of user wallets through malicious attacks may allow an attacker to drain all the currency. Crypto-jacking, slack, and forums attacks are a few malicious techniques asking miners to log in through corrupted links [31]. Glupteba is another malware that utilizes the Bitcoin blockchain for its update. Thus, it remains active despite the server connection being terminated by the antivirus. This malware spreads through scripts to steal confidential information such as user id, passwords, browsing history, saved cookies, etc. [32].

B. WEAK PROTOCOL

Blockchain comprises a consensus protocol to keep the network flowing. Different blockchain platforms have adopted different protocols. Exploitations due to weak consensus have been very common in recent times, although it can often be very expensive to carry out attacks due to flaws in the consensus protocols. However, successfully executed attacks can remove blocks from the chain, destroy a blockchain fully, or acquire full control over the price of a cryptocurrency. 51% Attack, Selfish mining, and 34% Attack are some attack techniques that occur due to weak protocols.

The PoW protocol assumes that 50% of network miners will always be honest miners. Thus, adversaries comprising more than 50% hashing can gain control of the network [33]. Weak consensus can also lead to numerous attacks related to the blockchain network. The Sybil attack permits an attacker to establish several malicious nodes over the Bitcoin blockchain network. The malicious nodes are then used to corrupt the network, conduct unprivileged transactions, or alter valid transactions. Similarly, an Eclipse attack can be executed to manipulate the Peer to Peer (P2P) network in order to gain full control over the information a node comprises. In addition, Border Gateway Protocol (BGP) hijacking makes false declarations over the routing system to divert the traffic. Thus, regardless of the decentralized feature, the blockchain network can still be compromised by various attack techniques due to weak consensus.

C. DEFRAUD

This exploitation tricks merchants to take advantage of the unstable actions of digital transactions. Defraud may influence the merchant to release goods prior to a transaction being fully confirmed. In a normal scenario, a Bitcoin transaction is confirmed after 6 transactions. However, a consumer may persuade a merchant to release goods without the wait for up to 6 transactions, so that attack techniques such as 1 confirmation or n confirmation could be initiated to double spend. Similarly, in recent times, various retailers are accepting cryptocurrencies, allowing consumers to receive their product instantly [34]. For example, purchasing a coffee from a coffee shop. Consider a scenario where an adversary manages to spend the same cryptocurrency within a short span of time, which will onset a race between both transactions. If the second transaction is adopted by the pool miners for processing, then the first transaction will be discarded, potentially leaving the merchant unpaid for the provided goods.

D. APPLICATION BUGS

An application bugs exploitation emerges when there is an error in the smart contract code. This exploitation mainly occurs in smart contracts. It arises when developers fail to identify code errors in the decentralized application. Attackers are able to drain all the money from the contract wallet through simple code bugs. Smart contract applications are similar to web applications that run over the blockchain. Like web application bugs, they also comprise errors, however, these bugs can lead to serious challenges. For example, the DAO was able to raise $150m, whilst the attacker was able to steal about $60m due to code bugs [35]. Rubixi and


GovernMental are some of the smart contract applications which had flaws due to code bugs [11]. Application bugs may not only allow attackers to steal money, but also influence an application to function differently.

TABLE 1. Classification of attacks based on exploitation.

IV. ATTACK TECHNIQUES

In this section, we define seven attack techniques which can have a serious impact on a smart contract application. Successful execution of such attacks may lead the smart contract to perform in an unexpected manner. Hence, parties associated with the contract agreement might incur a severe loss.

A. REENTRANCY

Reentrancy is considered to be one of the most catastrophic attack techniques in the smart contract [36]. This attack technique is able to fully destroy the contract or steal valuable information. Reentrancy may occur when a function calls for another contract through an outer call. Listing 1 below presents a code snippet which can be exploited to execute a Reentrancy attack. The exploitation allows an attacker to execute a recursive callback of the main function, making an unintended loop which is repeated many times. For instance, when a vulnerable contract contains a revoke function, the contract may call the revoke function illicitly numerous times in order to drain any available balance the contract comprises. Single function Reentrancy attacks and cross-function Reentrancy attacks are two different types that can be exploited by the attackers. The exploitation allows the attacker to use external calls to execute the desired tasks.

Listing 1. A vulnerable function that can be exploited by Reentrancy.

B. SMART CONTRACT OVERFLOW AND UNDERFLOW

This vulnerability is relatively easy to initiate and occurs in transactions that accept unauthorized input data or value [37]. Smart contract overflow mainly occurs when more value is provided than the maximum value [38]. The contracts are mainly written in Solidity which can handle up to 256-bit numbers, thus, an increment by 1 would cause an overflow. Conventional testing approaches are inadequate for determining overflow vulnerability in smart contracts.

Listing 2 shows smart contract code which comprises bugs at the following line [39],

Listing 2. A vulnerable contract which can be exploited by Smart contract overflow.

An attacker is able to call this function with parameters to exploit the vulnerability. For instance, the code below shifts the check to balances[msg.sender] >= total. An attacker can input 2 addresses in the receivers function in order for the token smart contract to transmit ether to both addresses.

Smart contract underflow occurs in the opposite way to overflow [40]. However, the underflow attacks are more simple to perform as achieving the required token to cause overflow is often challenging for attackers.

C. SHORT ADDRESS ATTACK

This vulnerability occurs due to the weakness of the Ethereum Virtual Machine (EVM) [41]. The EVM permits imprecise padded arguments allowing adversaries to dispatch specially crafted addresses which result in the exploitation. The Short Address Attack follows a similar attacking strategy as a SQL injection bug [42]. When an underflow is detected the EVM includes a zero at the end of the address in order to ensure that it comprises a 256-bit datatype. However, an adversary can take advantage of this vulnerability by omitting the very last zero from the ether address. This vulnerability is an input validation bug and mainly occurs from the sender’s side due to weak transaction generation code.

D. DELEGATECALL

Smart code developers leverage the CALL and DELEGATECALL to modularise written code [43]. The DELEGATE


opcode comprises a similar function to the message CALL, however, other than the code executed to call for a contract, the msg.sender and msg.value does not get altered. This attribute allows developers to generate re-usable code, enhancing the chance of abrupt code-execution by the use of DELEGATECALL. The DELEGATECALL feature shows that it is possible to introduce flaws while building custom libraries and it can also lead to new vulnerabilities. DELEGATECALL vulnerabilities can be avoided by observing for a lapse on both the library contract and calling contract and, in addition, developing state-less libraries whenever feasible.

E. DEFAULT VISIBILITIES

The visibility specifiers in the Solidity function control the manner in which a function is to be called [43]. The visibility specifier also takes control when permitting users to call for external functions by derived contracts. Improper implementation of the visibility specifiers can cause serious effects in the smart contract. The default visibility is always set to public for functions, allowing external contracts to call for visibility when functions do not explicitly mention it. This vulnerability arises when developers neglect to set the visibility specifier to private.

Listing 3 shows a smart contract based on an address guessing game [43]. A participant can win a reward by producing an Ethereum address which must contain zeroes in its last 8 hex characters. Once the requirements are fulfilled, the gainEther() function can be executed to receive the reward. Since the vulnerable code does not specify the visibility and the _sendEther() function is set as public, an attacker will be able to steal the reward.

Listing 3. A vulnerable contract drained by attacker to steal Ether.

F. TRANSACTION ORDERING DEPENDENCE (TOD)

Transaction Ordering Dependence (TOD) is a vulnerability that can allow corrupt miners to have a serious effect on smart contracts [44]. This vulnerability is a very common security bug in the smart contract, relying on the order of transaction execution [45]. For example, a newly generated block contains 2 transactions enforcing the same smart contract. Such plots do not provide enough information to users to

invocation is initiated. Therefore, when the output of both transactions is dependent on the order, the contract results in a TOD vulnerability.

In Ethereum blockchain, the miners are in charge of controlling the order of transactions, prioritizing transactions with higher gas. Hence, any miner that closes a block can influence the order of a transaction. The ability for potential miners to influence the transaction order for illicit activities is an outcome of Transaction Ordering Dependence (TOD).

G. TIMESTAMP DEPENDENCE

Timestamp Dependence is another vulnerability that can be exploited by corrupt miners [44]. In order to gain a benefit, a miner may re-arrange the timestamp by a few seconds. The timestamp dependence vulnerability occurs from a flawed comprehension of timekeeping [46]. It enables the Ethereum network to be detached from the synchronized global clock. For example, a smart contract utilizes the current timestamp to produce random numbers in order to determine the lottery result. Since the smart contract permits miners to put up a timestamp within 30 seconds of block validation, this gives a miner more opportunity for exploitation. Hence, the outcome of the random number generator can be altered to gain benefits.

V. SECURITY TECHNIQUES

In this section, we discuss 10 major security analysis tools which are in place to find vulnerabilities in the smart contract. Most tools are mainly utilized for static and dynamic analysis of smart contract codes.

A. SLITHER

Slither is a static analysis framework for smart contract code [47]. Its security detection techniques for potential bugs are fast and reliable. Slither can be used to perform main tasks such as automated vulnerability detection, automated optimization detection, code understanding, and assisted code review. A multi-stage procedure is initiated for the security analysis. The Solidity compiler produces a Solidity Abstract Syntax Tree (AST) from the contract source code and the AST is used as an input to Slither. During the initial stage, Slither obtains significant contract information such as the inheritance graph, Control-flow graph (CFG) [48], etc. The next stage includes converting the full code to SlithIR. In the following stage, the code analysis task is performed by computing a list of pre-defined analyses.

B. MYTHX

MythX is a security analysis service that scans EVM-based smart contracts for vulnerabilities [49]. It comprises various analysis techniques which include static, dynamic, as well as symbolic execution. The main objective of MythX is to support DApp developers with the development of smart contracts to ensure a safer platform. MythX does not serve the requirements by itself, rather it is integrated with devel-
determine the state of the contract or when the individual opment tools such as Truffle and Remix. It is not only

compatible with the Ethereum platform - developers associated with Tron, Vechain, Quorum, Rootstock and a few other EVM-based platforms can also take advantage of these security tools to find bugs in a smart contract. MythX goes through three stages to analyze smart contract code. First, it requires developers to submit their code; second, a complete suite of analysis techniques needs to be activated; finally, it generates an analysis report demonstrating if any errors exist.

C. MYTHRIL
Mythril is a security tool that analyzes smart contracts written in Solidity [50]. Mythril, an open-source tool, takes advantage of the symbolic execution technique in order to determine the errors in code. The examination of security flaws involves executing smart contract bytecode in a custom-built EVM. Mythril goes through four major working stages to accomplish its security analysis. When a flaw in a program is discovered, the input transactions are analyzed to determine the possible reasons. This security method helps to deduce the main cause of the program vulnerability, and also mitigate exploitation. If a developer produces the source code of the contract, Mythril is able to locate the bugs within the code.

D. MANTICORE
Manticore is a Solidity audit tool that performs a symbolic analysis of smart contracts [51]. The main functions of Manticore involve tracing inputs that terminate a program, logging instruction-level implementation, and providing access to its analysis engine through Python API. It has a dynamic symbolic execution feature which analyzes binaries as well as Ethereum smart contracts [52]. The primary attributes in Manticore’s architecture comprise the Core Engine, Native Execution Modules, and Ethereum Execution Modules. The Satisfiability Modulo Theories (SMT-LIB) module, Event System, and API are regarded as secondary attributes.

E. SECURIFY
Securify is a smart contract security analyzer tool [53]. Securify is an automated tool able to determine whether the contract performs accordingly, based on the provided attributes. Securify is an open-source product whose security analysis function goes through two stages to perform the required task [54]. Up to this point, around 18000 contracts have been submitted to Securify for security analysis. Securify accepts EVM bytecode for security analysis. Contracts written in Solidity are also accepted as an input, however, the code needs to be compiled to EVM bytecode for the security process to be effected. When a security violation is triggered, Securify produces a command which induces the violation pattern to match. Similarly, when both the violation and compliance pattern do not match, it generates a warning. The security analysis technique of Securify is unique when compared with other tools such as Oyente and Mythril [55]. While Oyente and Mythril symbolically enumerate distinct paths of a contract, Securify utilizes static analysis to analyze every path of the smart contract.

F. SMARTCHECK
SmartCheck is an automated extensive vulnerability analysis tool for Solidity smart contracts [56], [57]. SmartCheck is an open-source engine which not only points out the vulnerabilities in the smart contract code but also clarifies the cause of the vulnerabilities with proper description and recommendation. SmartCheck was implemented by utilizing XPath [xpa] queries on the intermediate representation (IR) to detect vulnerability patterns. SmartCheck protects any analyzed code that has been converted to IR and elements associated with it are determined with XPath matching.

A security experiment was initiated by SmartCheck on over 4600 valid contracts. It was determined that 86.6% of the contracts comprised zero balance, whereas a single contract consisted of a balance of only 38.4% of the total balance. The SmartCheck analysis indicated that 99.9% of analyzed contracts contained some kind of security flaw, with 63.2% of contracts being severely vulnerable.

G. ECHIDNA
Echidna is an EVM smart fuzzer that identifies bugs in Solidity code [58]. This tool only requires the Solidity propositions to conduct deep analysis for bugs and provides a clear user interface (UI) to simplify its output. Echidna utilizes different combinations of inputs until it manages to break the provided property. Echidna contains a few similar attributes to Manticore, which allows it to function at the EVM level [59]. In addition, it can also be consolidated to continuous integration (CI) in order to identify code bugs whilst development is in process. A myriad of tools are supplied by Echidna in order to compose custom analyses for dealing with complicated contracts. This tool utilizes stack, therefore, the required dependency will be based on the solc version that the contract employs.

H. OYENTE
Oyente is a symbolic execution tool which is used to find security bugs in smart contracts [60]. Oyente examines Ethereum smart contracts to identify security loopholes which can cause potential threats. Oyente not only detects unsafe bugs but also investigates every practical execution path. An experiment carried out by Oyente on 19,366 smart contracts resulted in 8,833 of them being identified as vulnerable. The symbolic execution method symbolically represents the nature of an execution path as a mathematical formula. OYENTE carries out a comparison between the new formula and formulas that comprise ordinary bugs to figure out if both formulas are valid simultaneously.

I. VANDAL
Vandal is another security analysis framework for smart contracts. Vandal comprises an analysis pipeline which transforms EVM bytecode into semantic logic relations [61].
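
The bytecode-to-relations idea described for Vandal above, as an added simplified sketch in Python (not Vandal's code and not from the paper): constructed EVM bytecode is decoded into facts, a per-basic-block flows relation is derived from them, and two rules query it for the timestamp-dependence and tx.origin patterns this paper discusses. The function names, rule labels and sample bytecode are assumptions made for this illustration.

```python
"""Added illustration (not Vandal's code): EVM bytecode -> facts -> relational query."""

# Opcode subset used by the samples: byte -> (mnemonic, stack items popped, pushed).
OPCODES = {
    0x00: ("STOP", 0, 0), 0x01: ("ADD", 2, 1), 0x06: ("MOD", 2, 1),
    0x14: ("EQ", 2, 1), 0x15: ("ISZERO", 1, 1), 0x32: ("ORIGIN", 0, 1),
    0x33: ("CALLER", 0, 1), 0x42: ("TIMESTAMP", 0, 1), 0x50: ("POP", 1, 0),
    0x56: ("JUMP", 1, 0), 0x57: ("JUMPI", 2, 0), 0x5B: ("JUMPDEST", 0, 0),
}
ARITY = {name: (pops, pushes) for name, pops, pushes in OPCODES.values()}
SOURCES = {"TIMESTAMP", "ORIGIN"}          # environment values that are tracked
CLEAN = frozenset()                        # operand with no tracked origin


def decode(code: bytes):
    """Linear sweep producing op(pc, mnemonic, immediate) facts.

    PUSH1..PUSH32 (0x60..0x7f) carry 1..32 immediate bytes that are data, not
    instructions; skipping them is what separates this from a raw byte search.
    """
    facts, pc = [], 0
    while pc < len(code):
        byte = code[pc]
        if 0x60 <= byte <= 0x7F:
            width = byte - 0x5F
            facts.append((pc, f"PUSH{width}", code[pc + 1:pc + 1 + width]))
            pc += 1 + width
            continue
        if 0x80 <= byte <= 0x8F:
            name = f"DUP{byte - 0x7F}"
        elif 0x90 <= byte <= 0x9F:
            name = f"SWAP{byte - 0x8F}"
        else:
            name = OPCODES.get(byte, (f"UNKNOWN_{byte:02x}", 0, 0))[0]
        facts.append((pc, name, b""))
        pc += 1
    return facts


def flows(facts):
    """Derive flows(pc, consumer, source): the instruction at pc consumes an
    operand computed from `source`. The stack is simulated per basic block
    (reset at JUMPDEST); unknown opcodes are treated as stack-neutral, so this
    is an approximation, not a full decompiler."""
    stack, relation = [], set()
    for pc, name, _imm in facts:
        if name == "JUMPDEST":
            stack = []                      # incoming stack of a new block is unknown
        elif name.startswith("PUSH"):
            stack.append(CLEAN)
        elif name.startswith("DUP"):
            depth = int(name[3:])
            stack.append(stack[-depth] if len(stack) >= depth else CLEAN)
        elif name.startswith("SWAP"):
            depth = int(name[4:]) + 1
            stack[:0] = [CLEAN] * max(0, depth - len(stack))
            stack[-1], stack[-depth] = stack[-depth], stack[-1]
        else:
            pops, pushes = ARITY.get(name, (0, 0))
            operands = [stack.pop() if stack else CLEAN for _ in range(pops)]
            origin = CLEAN.union(*operands)
            relation.update((pc, name, src) for src in origin)
            if name in SOURCES:
                origin = frozenset({name})
            stack.extend([origin] * pushes)
    return relation


# Declarative-style rules: (source, consumers that make the flow reportable, label).
RULES = [
    ("TIMESTAMP", {"MOD", "JUMPI"}, "timestamp-dependence"),
    ("ORIGIN", {"EQ", "JUMPI"}, "tx.origin-check"),
]


def findings(code: bytes):
    """Return sorted (pc, label) pairs for every flow matched by RULES."""
    relation = flows(decode(code))
    return sorted(
        (pc, label)
        for pc, consumer, src in relation
        for source, consumers, label in RULES
        if src == source and consumer in consumers
    )


# Constructed samples (hand-assembled for this example, not real contracts).
# PUSH1 0x0a; TIMESTAMP; MOD; ISZERO; PUSH1 0x09; JUMPI; STOP; JUMPDEST; STOP
LOTTERY = bytes.fromhex("600a420615600957005b00")
# ORIGIN; PUSH20 <20 bytes of 0x42>; EQ; PUSH1 0x1b; JUMPI; STOP; JUMPDEST; STOP
OWNER_CHECK = bytes.fromhex("3273" + "42" * 20 + "14601b57005b00")
# PUSH2 0x4232; POP; STOP  (0x42 and 0x32 occur only as PUSH data)
BENIGN = bytes.fromhex("6142325000")

if __name__ == "__main__":
    for label, sample in (("lottery", LOTTERY), ("owner", OWNER_CHECK), ("benign", BENIGN)):
        print(label, findings(sample), "raw 0x42 present:", 0x42 in sample)
```

The benign sample contains the byte 0x42 only inside PUSH data, so a raw byte search would flag it while the decoded relation does not.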

Vandal is a very fast and efficient security analysis tool that has examined over 95% of 141000 smart contracts with an average run-time overhead of only 4.15 seconds. The low overhead beats the overall performance of major existing security analysis tools. The security design of Vandal comprises a declarative language called Soufflé. Performing security analysis in a declarative language helps security analysts with the prototype of the latest analysis.

J. ZEUS
Zeus is a practical framework to examine the validity of smart contracts [62]. It takes advantage of abstract interpretation, and symbolic model checking for analyzing the safety of smart contracts. The Zeus prototype has tested over 22400 smart contracts, showing that about 94.6% of these contracts are vulnerable. Zeus accepts the smart contract code and generates the authentic version in an XACML-styled template. The smart contract code and the policy specifications are translated to LLVM bitcode to enhance the contract’s behavior. Zeus performs static analysis of the furnished smart contract code to append the assert statement policy at the right spot of the program.

VI. SECURITY ANALYSIS AND LIMITATIONS
Having bugs in smart contract code can have serious consequences. Attacks such as DAO or Parity Wallet hacks, discussed in section II show the effects of such exploitations. In this section, we analyze the 10 security techniques discussed in section V. Our analysis reveals the limitations of particular techniques, and also determines their ability to discover vulnerabilities.

Slither includes a few limitations. It lacks formal semantics, which limits its ability to perform more detailed security analysis [47]. It also fails to determine low-level information precisely, for instance, the gas computation. Slither’s vulnerability detection process is similar to SmartCheck [63]. It misses vulnerable codes and terminates the scanning process when the security regulations do not coincide in a severe external call. However, besides these limitations, an experiment on detection capability demonstrates that Slither can detect major vulnerabilities such as Reentrancy, contract suicidal, an abuse of Tx origin, and time manipulation.

MythX is able to detect some critical vulnerabilities such as access controls, integer overflow, and integer underflow [64]. The Remix Integrated Development Environment (IDE) can be enhanced by a MythX plugin. The MythX plugin uses the trial account credentials. The main limitation of the trial account is that it is able to examine only a limited number of vulnerabilities.

Although using a heuristic, Mythril is known for its high accuracy in security analysis. However, experiments suggest that Mythril consists of a few limitations [65]. For instance, Mythril is unable to extend taints over memory fields when analyzed with taint analysis. Issues can be exacerbated when the parameters accept pass by reference. Moreover, the definition of the pattern is complicated in searching for the best approximation for the behavior. Another experiment indicates that although Mythril is able to defend against vulnerabilities such as TOD, Reentrancy, and TX.origin, it was able to recognize only 12 vulnerabilities out of 18 [66].

Manticore defends against the popular Reentrancy vulnerability as well as Abuse of TX origin [63]. However, it is unable to detect contract suicidal and time manipulation. It also does not analyze various security issues such as TOD, Random number, visibility, costly pattern, etc. One of the major disadvantages of Manticore is that it performs analysis for different types of attack techniques; hence, the implementation is quite sluggish [51]. A Solidity compiler and state-of-the-art theorem prover z3 are the prerequisites for running Manticore. Although symbolic analysis techniques are being widely reviewed from a security perspective, they are not being fully exercised due to the limited flexibility and user-availability. An experiment on smart contracts from Ethereum blockchains with a set time out of 90 minutes on each contract shows that Manticore was able to produce an average coverage of 65.64%.

Securify is an advanced tool comprising formal guarantees. A security experiment suggests that Securify only targets 7 issues for security analysis among 18 blockchain-based challenges [66]. Besides some security advantages, Securify contains severe flaws. Securify does not comprehend numerical analysis [67]. Hence, it is unable to recognize overflows, allowing for potential bugs in the smart contract code [53]. Similarly, Securify determines that all contract instructions can be reachable. Moreover, some of the attributes for property violations are also vulnerable and can be compromised by potential adversaries.

SmartCheck is unable to detect some severe program bugs, which can only be detected by taint analysis or handled through manual audits [56]. Taint analysis is a way of checking program variables that can be affected by user input [68]. One of the possible reasons for a program to crash can be illicit user input. Hence, in order for a program to run effectively, user input must be thoroughly checked. However, SmartCheck is an effective tool for identifying simple program bugs. An experiment among 4 security analysis tools, namely, Oyente, Securify, Remix, and SmartCheck, indicates that SmartCheck is not very consistent in terms of performance and that additional security features must be included for accuracy in vulnerability checks [69]. SmartCheck only identifies vulnerabilities that are low risk to the contract. For instance, incorrect compiler version, improper style guide, and redundant functions. Similarly, another experiment based on the detection capability of various security tools shows that SmartCheck is unable to detect some serious attacks such as Reentrancy and contract suicidal [63].

Echidna generates inputs to fuzz smart contract code. However, one of the major limitations of Echidna is that it does not offer any direct application program interface (API) endorsing security checks of smart contracts [70]. Moreover, Echidna fails to provide satisfactory security results [71]. The randomness of inputs makes only a portion of the path space
obtainable, whereas some complicated parts of the program are secured by branch conditions. Random mutation does not fulfill the requirements of branch conditions, hence the program remains exploitable. In addition, Echidna exercises various generation methods for different data types [72]. While the Haskell is ignored, the address is the only data type that can produce an impact. When a list of addresses is determined as a yaml list, those addresses provide more chances to discover bugs as compared to fully random addresses.

Oyente is a smart contract auto-auditing security analyzer tool which is able to detect severe smart contract bugs. However, there still lie challenges as Oyente is able to detect only 20.2% of Parity Wallet hacks [53]. An analysis indicates that Oyente generates false positives and also underestimates some serious bugs. It does not provide full protection to smart contract code and fails to log 72.9% of TOD vulnerabilities. Moreover, Oyente also consistently fails to determine other critical vulnerabilities. An experiment on Oyente’s vulnerability detection capability suggests that it is only able to defend against attacks such as Reentrancy and Time manipulation [63]. However, it is wholly unsuccessful in identifying vulnerabilities such as contract suicidal and Abuse of TX origin. Research suggests that Oyente protects against only 4 out of 18 blockchain-based security challenges [66]. Hence, this security approach is not fully protective.

The Vandal security design faces challenges while translating smart contract code into logic relations [61]. An analysis pipeline is used to transform Ethereum bytecode into logic relations. The challenge lies when the low-level stack-based abstract machine executes the EVM bytecode. Moreover, the Vandal decompiler cannot cope with transforming the EVM’s stack-based operations into a register-based intermediate representation; hence, it crashes when decompiling the major portion of the smart contract [73]. The implementation of Vandal also suffers from engineering limitations, thus proper control of timeout may not be achieved [74]. A security experiment shows that Vandal is able to detect only 5 out of 18 critical blockchain-based security issues [66].

ZEUS comprises a few limitations. Attributes involving mathematical equations cannot be fully validated [62]. For such operations, ZEUS relies entirely on users to test practices involving mathematical attributes. Solidity constructs, such as throw and selfdestruct, are simulated as a program termination. The run-time behavior of ZEUS does not consider such parameters. Similarly, it fails to reinforce virtual functions and examine contracts which contain assembly blocks. The validation of safety properties is acknowledged by ZEUS. However, verification of liveness is not endorsed by ZEUS. Static analysis tools may not be fully able to detect cross-function Reentrancy vulnerabilities because every external function is required to be checked to keep the contracts function safe [75]. In addition, ZEUS does not involve policies to execute cross-function analysis.

VII. CONCLUSION
Smart contract technologies enable users to form decentralized digital agreements without the need for a third party. The smart contract technology attracted sectors such as health, business management, shareholder agreement and insurance. However, the more this technology expands, the more it catches the attention of potential attackers, resulting in several severe exploitations.

In this paper, we revealed that this technology is not free from vulnerabilities and attacks. Based on the attack vector, we proposed an attack categorization to focus on vulnerabilities in the code of smart contracts. After analyzing 10 security tools to detect vulnerabilities in order to assess their effectiveness, we found that not all vulnerabilities were detected, providing a dangerous false sense of security that attackers can abuse.

Our research points out that a proper solution to secure smart contracts remains a challenge and future work will involve developing strategies to detect and mitigate the major security flaws presented in this paper.

REFERENCES
[1] A. Rosic. (2016). What is Blockchain Technology? A Step-by-Step Guide For Beginners. Accessed: Jul. 29, 2018. [Online]. Available: https://blockgeeks.com/guides/what-is-blockchain-technology/
[2] A. Rosic. (2016). What is Ethereum? Accessed: Oct. 17, 2019. [Online]. Available: https://blockgeeks.com/guides/ethereum/
[3] J. A. Kassem, S. Sayeed, H. Marco-Gisbert, Z. Pervez, and K. Dahal, "DNS-IdM: A blockchain identity management system to secure personal data sharing in a network," Appl. Sci., vol. 9, no. 15, p. 2953, Jul. 2019.
[4] (2009). How does Bitcoin Work? Accessed: Jul. 29, 2017. [Online]. Available: https://bitcoin.org/en/how-it-works
[5] A. Rosic. (2016). Smart Contracts: The Blockchain Technology That Will Replace Lawyers. Accessed: Aug. 3, 2019. [Online]. Available: https://blockgeeks.com/guides/smart-contracts/
[6] S. Velu. (2019). What Are Dapps? The New Decentralized Future. Accessed: Oct. 14, 2019. [Online]. Available: https://blockgeeks.com/guides/dapps/
[7] F. Ma, Y. Fu, M. Ren, M. Wang, Y. Jiang, K. Zhang, H. Li, and X. Shi, "EVM: From offline detection to online reinforcement for Ethereum virtual machine," in Proc. IEEE 26th Int. Conf. Softw. Anal., Evol. Reeng. (SANER), Feb. 2019, pp. 554–558.
[8] Y. Fu, M. Ren, F. Ma, H. Shi, X. Yang, Y. Jiang, H. Li, and X. Shi, "EVMFuzzer: Detect EVM vulnerabilities via fuzz testing," in Proc. 27th ACM Joint Meeting Eur. Softw. Eng. Conf. Symp. Found. Softw. Eng.-ESEC/FSE, 2019, pp. 1110–1114.
[9] I. C. Lin and T. C. Liao, "A survey of blockchain security issues and challenges," Int. J. Netw. Secur., vol. 19, no. 5, pp. 653–659, 2017.
[10] A. Soundararajan. (2019). 10 Blockchain and New Age Security Attacks You Should Know. Accessed: Jul. 29, 2018. [Online]. Available: https://blogs.arubanetworks.com/solutions/10-blockchain-and-new-age-security-attacks-you-should-know/
[11] N. Atzei, M. Bartoletti, and T. Cimoli, "A survey of attacks on ethereum smart contracts," in Proc. Int. Conf. Princ. Secur. Trust, 2017, pp. 164–186.
[12] Pluralsight. (2015). What’s Difference Between Front-End Back-End? Accessed: Jul. 29, 2018. [Online]. Available: https://www.pluralsight.com/blog/film-games/whats-difference-front-end-back-end
[13] M. Andreessen. What is Blockchain Technology? Accessed: Sep. 25, 2019. [Online]. Available: https://www.coindesk.com/information/what-is-blockchain-technology
[14] A. Rosic. (2016). What is Blockchain Technology? A Step-by-Step Guide For Beginners. Accessed: Sep. 27, 2019. [Online]. Available: https://blockgeeks.com/guides/what-is-blockchain-technology/
[15] D. Cosset. (2018). Blockchain: What is Mining? Accessed: Jul. 29, 2018. [Online]. Available: https://dev.to/damcosset/blockchain-what-is-mining-2eod
[16] A. Hertig. (2019). How Ethereum Mining Works. Accessed: Oct. 20, 2019. [Online]. Available: https://www.coindesk.com/information/ethereum-mining-works
[17] A. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou, "Hawk: The blockchain model of cryptography and privacy-preserving smart contracts," Cryptology ePrint Archive, Santa Barbara, CA, USA, Tech. Rep. 2015/675, 2015. [Online]. Available: https://eprint.iacr.org/2015/675
[18] H. Kalodner, S. Goldfeder, X. Chen, S. M. Weinberg, and E. W. Felten, "Arbitrum: Scalable, private smart contracts," in Proc. 27th USENIX Secur. Symp. (USENIX Security), 2018, pp. 1353–1370.
[19] P. Das, L. Eckey, T. Frassetto, D. Gens, K. Hostáková, P. Jauernig, S. Faust, and A.-R. Sadeghi, "Fastkitten: Practical smart contracts on bitcoin," in Proc. 28th USENIX Secur. Symp. (USENIX Security), 2019, pp. 801–818.
[20] J. M. Duffy. (2019). Connecting Ethereum, EOS, Tron: Making Blockchain Interoperability a Reality. Accessed: Oct. 29, 2019. [Online]. Available: https://medium.com/loom-network/connecting-ethereum-eos-and-tron-making-blockchain-interoperability-a-reality-e5ef6c67716
[21] Bitcoin Magazine. (2019). What Is Ether? Accessed: Sep. 12, 2019. [Online]. Available: https://bitcoinmagazine.com/guides/what-ether
[22] Freshfields. (2019). What’s a Smart Contract? Accessed: Oct. 23, 2019. [Online]. Available: https://www.freshfields.com/en-gb/our-thinking/campaigns/digital/fintech/whats-in/whats-in-a-smart-contract/
[23] Prasanna. (2019). What is Ethereum Virtual Machine? Accessed: Oct. 23, 2019. [Online]. Available: https://cryptoticker.io/en/ethereum-virtual-machine/
[24] L. Hollander. (2019). The Ethereum Virtual Machine—How does it work? Accessed: Oct. 26, 2019. [Online]. Available: https://medium.com/mycrypto/the-ethereum-virtual-machine-how-does-it-work-9abac2b7c9e
[25] D. Siegel. (2016). Understanding The DAO Attack. Accessed: Sep. 27, 2019. [Online]. Available: https://www.coindesk.com/understanding-dao-hack-journalists
[26] S. Falkon. (2017). The Story of the DAO—Its History and Consequences. Accessed: Oct. 19, 2018. [Online]. Available: https://medium.com/swlh/the-story-of-the-dao-its-history-and-consequences-71e6a8a551ee
[27] S. Palladino. (2017). The Parity Wallet Hack Explained. Accessed: Oct. 20, 2019. [Online]. Available: https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/
[28] B. Mueller. (2019). What Caused Accidental Killing Parity Multisig Wallet & How to Detect Similar Bugs. Accessed: Oct. 25, 2019. [Online]. Available: https://hackernoon.com/what-caused-the-latest-100-million-ethereum-bug-and-a-detection-tool-for-similar-bugs-7b80f8ab7279
[29] M. Condon. (2019). Parity Wallet Hack 2: Electric Boogaloo. Accessed: Oct. 20, 2019. [Online]. Available: https://hackernoon.com/parity-wallet-hack-2-electric-boogaloo-e493f2365303
[30] J. J. Xu, "Are blockchains immune to all malicious attacks?" Financial Innov., vol. 2, no. 1, pp. 1–9, 2016.
[31] S. Sayeed and H. Marco-Gisbert, "On the effectiveness of blockchain against cryptocurrency attacks," in Proc. UBICOMM, 2018, pp. 9–14.
[32] B. Bambrough. (2019). Warning Issued After Malware Is Found To Have Hijacked Bitcoin Blockchain. Accessed: Oct. 29, 2019. [Online]. Available: https://www.forbes.com/sites/billybambrough/2019/09/07/serious-malware-warning-over-bitcoin-blockchain/#cc2d8347c286
[33] S. Sayeed and H. Marco-Gisbert, "Assessing blockchain consensus and security mechanisms against the 51% attack," Appl. Sci., vol. 9, no. 9, p. 1788, Apr. 2019.
[34] M. del Castillo. (2019). Customers Can Spend Bitcoin At Starbucks, Nordstrom and Whole Foods, Whether They Like It Or Not. Accessed: Aug. 27, 2019. [Online]. Available: https://www.forbes.com/sites/michaeldelcastillo/2019/05/13/starbucks-nordstrom-and-whole-foods-now-accept-bitcoin-just-dont-ask-them/659a4e592252
[35] O. G. Güçlütürk. (2018). The DAO Hack Explained: Unfortunate Take-off Smart Contracts. Accessed: Oct. 19, 2019. [Online]. Available: https://medium.com/@ogucluturk/the-dao-hack-explained-unfortunate-take-off-of-smart-contracts-2bd8c8db3562
[36] W. Shahda. (2019). Protect Your Solidity Smart Contracts From Reentrancy Attacks. Accessed: Oct. 5, 2019. [Online]. Available: https://medium.com/coinmonks/protect-your-solidity-smart-contracts-from-reentrancy-attacks-9972c3af7c21
[37] J. Gao, H. Liu, C. Liu, Q. Li, Z. Guan, and Z. Chen, "Easyflow: Keep Ethereum away from overflow," in Proc. 41st Int. Conf. Softw. Eng., Companion. Piscataway, NJ, USA: IEEE Press, 2019, pp. 23–26.
[38] S. Sayeed and H. Marco-Gisbert, "On the effectiveness of control-flow integrity against modern attack techniques," in Proc. ICT Syst. Secur. Privacy Protection, G. Dhillon, F. Karlsson, K. Hedström, and A. Zúquete, Eds. Cham, Switzerland: Springer, 2019, pp. 331–344.
[39] L. Y. Thanh. (2018). Prevent Integer Overflow Ethereum Smart Contracts. Accessed: Jun. 19, 2019. [Online]. Available: https://medium.com/@yenthanh/prevent-integer-overflow-in-ethereum-smart-contracts-a7c84c30de66
[40] Blockgeeks. (2018). Understanding Overflow and Underflow Attacks on Smart Contracts. Accessed: Jul. 19, 2019. [Online]. Available: https://blockgeeks.com/guides/underflow-attacks-smart-contracts/
[41] A. Bryk. (2018). Blockchain Attack Vectors: Vulnerabilities Most Secure Technology. Accessed: Sep. 14, 2019. [Online]. Available: https://www.apriorit.com/dev-blog/578-blockchain-attack-vectors
[42] S. Esra. (2018). ICO Smart Contract Vulnerability: Short Address Attack. Accessed: Oct. 14, 2019. [Online]. Available: https://medium.com/huzzle/ico-smart-contract-vulnerability-short-address-attack-31ac9177eb6b
[43] A. Manning. (2018). Solidity Security: Comprehensive List Known Attack Vectors Common Anti-Patterns. Accessed: Jul. 19, 2019. [Online]. Available: https://blog.sigmaprime.io/solidity-security.html
[44] S. Pro. (2019). Smart Contract Security Issues: What are Smart Contract Vulnerabilities How to Protect. Accessed: Sep. 19, 2019. [Online]. Available: https://smartym.pro/blog/smart-contract-security-issues-smart-contract-vulnerabilities-and-how-to-protect/
[45] A. Das, S. Balzer, I. Santurkar, J. Hoffmann, and F. Pfenning, "Resource-aware session types for digital contracts," 2019, arXiv:1902.06056. [Online]. Available: https://arxiv.org/abs/1902.06056
[46] H. Olickel. (2016). Why Smart Contracts Fail: Undiscovered Bugs What We Can do About Them. Accessed: Jul. 29, 2019. [Online]. Available: https://medium.com/hrishiolickel/why-smart-contracts-fail-undiscovered-bugs-and-what-we-can-do-about-them-119aa2843007
[47] J. Feist, G. Grieco, and A. Groce, "Slither: A static analysis framework for smart contracts," in Proc. IEEE/ACM 2nd Int. Workshop Emerg. Trends Softw. Eng. Blockchain (WETSEB), May 2019, pp. 8–15.
[48] S. Sayeed, H. Marco-Gisbert, I. Ripoll, and M. Birch, "Control-flow integrity: Attacks and protections," Appl. Sci., vol. 9, no. 20, p. 4229, Oct. 2019, doi: 10.3390/app9204229.
[49] (2019). MythX: Smart Contract Security Tool for Ethereum. Accessed: Oct. 24, 2019. [Online]. Available: https://mythx.io/
[50] B. Mueller. (2019). Practical Smart Contract Security Analysis and Exploitation. Accessed: Oct. 25, 2019. [Online]. Available: https://medium.com/hackernoon/practical-smart-contract-security-analysis-and-exploitation-part-1-6c2f2320b0c
[51] HaloBlock Official. (2018). Introduction to Manticore, a Symbolic Analysis Tool for Smart Contract. Accessed: Oct. 26, 2019. [Online]. Available: https://medium.com/haloblock/introduction-to-manticore-a-symbolic-analysis-tool-for-smart-contract-9de08dae4e1e
[52] M. Mossberg, F. Manzano, E. Hennenfent, A. Groce, G. Grieco, J. Feist, T. Brunson, and A. Dinaburg, "Manticore: A user-friendly symbolic execution framework for binaries and smart contracts," 2019, arXiv:1907.03890. [Online]. Available: https://arxiv.org/abs/1907.03890
[53] P. Tsankov, A. M. Dan, D. Drachsler-Cohen, A. Gervais, F. Buenzli, and M. T. Vechev, "Securify: Practical security analysis of smart contracts," in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., New York, NY, USA: ACM, Oct. 2018, pp. 67–82.
[54] Securify. (2018). Securify: Security Scanner for Ethereum Smart Contracts. Accessed: Oct. 26, 2019. [Online]. Available: https://securify.chainsecurity.com/
[55] ChainSecurity. (2018). Securify is Now GitHub. Accessed: Oct. 10, 2019. [Online]. Available: https://medium.com/chainsecurity/securify-is-now-on-github-d3bec281eafc
[56] S. Tikhomirov, E. Voskresenskaya, I. Ivanitskiy, R. Takhaviev, E. Marchenko, and Y. Alexandrov, "SmartCheck: Static analysis of Ethereum smart contracts," in Proc. 1st Int. Workshop Emerging Trends Softw. Eng. Blockchain-WETSEB, 2018, pp. 9–16.
[57] SmartDec. (2018). SmartCheck. Accessed: Oct. 27, 2019. [Online]. Available: https://tool.smartdec.net/
[58] (2018). Echidna, a Smart Fuzzer for Ethereum. Accessed: Sep. 10, 2019. [Online]. Available: https://blog.trailofbits.com/2018/03/09/echidna-a-smart-fuzzer-for-ethereum/
[59] J. Feist. (2019). Watch Your Language: Our First Vyper Audit. Accessed: Nov. 11, 2019. [Online]. Available: https://securityboulevard.com/2019/10/watch-your-language-our-first-vyper-audit/

SARWAR SAYEED received the bachelor’s degree in computing from the University of East London, U.K., the master’s degree in IT from Cardiff Metropolitan University, U.K., and the MBA degree from Anglia Ruskin University, U.K. He is currently a Ph.D. researcher with the University of the West of Scotland, U.K. His research interests involve control-flow integrity, blockchain security, and blockchain based-attacks. He has published a few articles related to blockchain and control-flow integrity. He has also participated in a few research projects as a co-investigator.

HECTOR MARCO-GISBERT (Senior Member, IEEE) received the Ph.D. degree in computer science, cybersecurity from the Universitat Politecnica de Valencia, Spain. He was a Research Associate at the Universitat Politecnica de Valencia, where he co-founded the "Cybersecurity Research Group." He is currently an Associate Professor and a Cybersecurity Researcher with the University of the West of Scotland, U.K. He was a part of the team developing the multiprocessor version of the XtratuM hypervisor to be used by the European Space Agency in its space crafts. He has participated in multiple research projects as a Principal Investigator and Co-Investigator. He is the author of many articles of computer security and cloud computing. He has been invited multiple times to reputed cybersecurity conferences such as Black Hat and DeepSec. He has published more than ten Common Vulnerabilities and Exposures (CVE) affecting important software such as the Linux kernel. He is a member of the Engineering and Physical Sciences Research Council (EPSRC), U.K. He has received honors and awards from Google, Packet Storm Security, and IBM for his security contributions to the design and implementation of the Linux ASLR.

TOM CAIRA received the B.Sc. degree in computing science from the University of Glasgow, U.K., and a Postgraduate Diploma in advanced research and professional practice from the University of the West of Scotland, U.K. He is currently completing a Professional Doctorate with the University of the West of Scotland. He is also a Senior Lecturer and Researcher with the University of the West of Scotland, U.K. His research interests include network and data security, data governance, personal data stores, business process improvement, and digital transformation.
