Synopsis 1

This document summarizes a dissertation report on making smart contracts more secure. The report documents several security flaws in Ethereum smart contracts that can be exploited by miners or users. It proposes protocol refinements to address these issues and presents a symbolic execution tool called Oyente to detect bugs in smart contracts prior to deployment. Oyente analyzed over 19,000 real Ethereum contracts and flagged 8,833 as vulnerable, including the bug that led to the $60 million DAO hack in 2016. The report concludes by confirming attacks identified by Oyente on real contracts in the Ethereum network.

Uploaded by

vijay_prht

Title: Making Smart Contract Smarter

Synopsis for Dissertation report


In
“Making Smart Contract Smarter”
Submitted to:
Department of Computer Science Engineering
M.B.M ENGINEERING COLLEGE, JODHPUR

Submitted by
Kshipra bora
Roll Number: 17MCE10011
Under Guidance of
Dr. Alok Singh Gahlot

Introduction-
A smart contract is a program that runs on the blockchain and has its correct
execution enforced by the consensus protocol. A contract can encode any set of rules
represented in its programming language—for instance, a contract can execute transfers when
certain events happen (e.g., payment of security deposits in an escrow system). Accordingly,
smart contracts can implement a wide range of applications, including financial instruments
(e.g., sub-currencies, financial derivatives, savings wallets, wills) and self-enforcing or
autonomous governance applications (e.g., outsourced computation, decentralized gambling).
A smart contract is identified by an address (a 160-bit identifier) and its code resides on the
blockchain. Users invoke a smart contract in present cryptocurrencies by sending transactions
to the contract address. Specifically, if a new transaction is accepted by the blockchain and has
a contract address as the recipient, then all participants on the mining network execute the
contract code with the current state of the blockchain and the transaction payloads as inputs.
The network then agrees on the output and the next state of the contract by participating in a
consensus protocol. Ethereum, a more recent cryptocurrency, is a prominent Turing-complete
smart contract platform. Unlike Bitcoin, Ethereum supports stateful contracts in which values
can persist on the blockchain to be used in multiple invocations. In the last six months alone,
roughly 15,000 smart contracts have been deployed in the Ethereum network, suggesting a
steady growth in the usage of the platform. As Ethereum receives more public exposure and
other similar projects like Rootstock and Counterparty emerge on top of the Bitcoin blockchain,
we expect the number of smart contracts to grow.

Motivation-
Unfortunately, the security of smart contracts has not received much attention, although
several anecdotal incidents of smart contracts malfunctioning have recently been reported,
including contracts that do not execute as expected and/or that have locked away thousands of
dollars’ worth of virtual coins. In contrast to classical distributed applications that can be
patched when bugs are detected, smart contracts are irreversible and immutable. There is no
way to patch a buggy smart contract, regardless of its popularity or how much money it has,
without reversing the blockchain (a formidable task). Therefore, reasoning about the
correctness of smart contracts before deployment is critical, as is designing a safe smart
contract system.

Objective and scope-


Smart contracts can handle large numbers of virtual coins worth hundreds of dollars apiece,
easily making financial incentives high enough to attract adversaries. Unlike traditional
distributed application platforms, smart contract platforms such as Ethereum operate in open
(or permissionless) networks into which arbitrary participants can join. Thus, their execution is
vulnerable to attempted manipulation by arbitrary adversaries, a threat that is restricted to
accidental failures in traditional permissioned networks such as centralized cloud services.
Although users in Ethereum have to follow a predefined protocol when participating in the
network, we show that there is considerable room for manipulation of a smart contract’s
execution by the network participants. For example, Ethereum (and Bitcoin) allow network
participants (or miners) to decide which transactions to accept, how to order transactions, set
the block timestamp and so on. Contracts which depend on any of these sources need to be
aware of the subtle semantics of the underlying platform and explicitly guard against
manipulation.
In this paper, we document several new security flaws of Ethereum smart contracts and give
examples of real-world instances for each problem. These security flaws make contracts
susceptible to abuse by several parties (including miners and contracts’ users). We believe that
these flaws arise in practice because of a semantic gap between the assumptions contract
writers make about the underlying execution semantics and the actual semantics of the smart
contract system. Specifically, we show how different parties can exploit contracts which have
differing output states depending on the order of transactions and input block timestamp. To
our knowledge, these semantic gaps have not been previously identified. We also document
other serious but known problems such as improperly handled aborts/exceptions and logical
flaws. Previous work has discussed these conceptually, often with simple self-constructed
examples. In our work, we study their impact on tens of thousands of real-life contracts,
showing how these vulnerabilities can be used to sabotage or steal coins from benign users.
More importantly, our work emphasizes the subtle and/or missing abstractions in smart
contract semantics that lead developers to a false sense of security. We propose refinements to
Ethereum’s protocol that do not require changes to existing smart contracts. However, such
solutions do require all clients in the network to upgrade, thus running the risk of not seeing
real deployment. If such a requirement is unacceptable, we provide a tool called Oyente for
users to detect bugs as a pre-deployment mitigation. Oyente is a symbolic execution tool
exclusively designed to analyze Ethereum smart contracts. It follows the execution model of
Ethereum smart contracts and directly works with Ethereum virtual machine (EVM) byte code
without access to the high-level representation (e.g., Solidity, Serpent). This design choice is
vital because the Ethereum blockchain only stores the EVM byte code of contracts, not their
source. Oyente is open source and will be available for public use soon from our project page
[18].
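
The ordering dependence described above can be checked on a model by replaying the same transactions in every order and comparing the final states. This is an added example, not code from the report or from Oyente; the `PuzzleContract` class, its methods and the sender names are constructed for illustration.

```python
# Added example: a constructed toy model, not Ethereum client or Oyente code.
from itertools import permutations

class PuzzleContract:
    """Toy stateful contract: pays `reward` to the first correct solver."""
    def __init__(self, reward):
        self.reward = reward
        self.solved = False
        self.paid = {}                      # sender -> coins received

    def update_reward(self, sender, new_reward):
        # Only the owner may change the reward, and only before a solution.
        if sender == "owner" and not self.solved:
            self.reward = new_reward

    def submit_solution(self, sender, solution):
        if not self.solved and solution == 42:   # constructed puzzle answer
            self.solved = True
            self.paid[sender] = self.paid.get(sender, 0) + self.reward

    def state(self):
        return (self.reward, self.solved, tuple(sorted(self.paid.items())))

def run(order, reward=100):
    """Execute transactions in the given order and return the final state."""
    contract = PuzzleContract(reward)
    for method, args in order:
        getattr(contract, method)(*args)
    return contract.state()

def final_states(txs, reward=100):
    """Distinct final states over all orderings; more than one means the
    outcome depends on the order chosen by whoever builds the block."""
    return {run(p, reward) for p in permutations(txs)}

# Both transactions are pending for the same block (constructed input).
RACE = [("submit_solution", ("alice", 42)), ("update_reward", ("owner", 0))]
# A non-owner update is rejected either way, so order does not matter.
HARMLESS = [("submit_solution", ("alice", 42)), ("update_reward", ("mallory", 0))]

if __name__ == "__main__":
    for name, txs in (("RACE", RACE), ("HARMLESS", HARMLESS)):
        print(name, sorted(final_states(txs)))
```
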

Description of research work-


Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two
of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode
rules or scripts for processing transactions. This feature has evolved to give practical shape to
the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently,
Ethereum’s smart contract system has seen steady adoption, supporting tens of thousands of
contracts, holding millions of dollars’ worth of virtual coins. In this paper, we investigate the
security of running smart contracts based on Ethereum in an open distributed network like
those of cryptocurrencies. We introduce several new security problems in which an adversary
can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the
understanding of the distributed semantics of the underlying platform. As a refinement, we
propose ways to enhance the operational semantics of Ethereum to make contracts less
vulnerable. For developers writing contracts for the existing Ethereum system, we build a
symbolic execution tool called Oyente to find potential security bugs. Among 19,366 existing
Ethereum contracts, Oyente flags 8,833 of them as vulnerable, including the TheDAO bug
which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other
attacks for several case studies which have source code available and confirm the attacks
(which target only our accounts) in the main Ethereum network.
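
Because only EVM byte code is stored on the blockchain, any pre-deployment check has to start by decoding it. The following added example (not Oyente's code, and a plain linear scan rather than symbolic execution) decodes byte code and marks two sites a reviewer would inspect: reads of the block timestamp, and a CALL whose result is popped without being checked. The sample byte string is constructed.

```python
# Added example: a heuristic opcode scan, far simpler than symbolic execution.
TIMESTAMP, CALL, POP = 0x42, 0xF1, 0x50
PUSH1, PUSH32 = 0x60, 0x7F

def disassemble(code: bytes):
    """Yield (offset, opcode), skipping the immediate bytes of PUSH1..PUSH32
    so that pushed data is never mistaken for an instruction."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        yield pc, op
        immediate = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        pc += 1 + immediate

def scan(code: bytes):
    """Return (offset, finding) pairs for sites that deserve manual review."""
    ops = list(disassemble(code))
    findings = []
    for i, (pc, op) in enumerate(ops):
        if op == TIMESTAMP:
            findings.append((pc, "reads block timestamp"))
        if op == CALL and i + 1 < len(ops) and ops[i + 1][1] == POP:
            findings.append((pc, "CALL result discarded"))
    return findings

# Constructed byte code:
#   PUSH2 0x42f1   data bytes that merely look like TIMESTAMP and CALL
#   TIMESTAMP, POP
#   PUSH1 0 (x7)   the seven CALL arguments
#   CALL, POP      success flag thrown away
#   STOP
SAMPLE = bytes.fromhex("6142f1" + "42" + "50" + "6000" * 7 + "f1" + "50" + "00")

if __name__ == "__main__":
    for offset, finding in scan(SAMPLE):
        print(f"{offset:#06x}: {finding}")
```

A hit from this scan is only a place to look: reading the timestamp or dropping a CALL result is a problem when the value feeds a payout or a state change, which is the path-level question a symbolic executor answers.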

Conclusion-
This paper documents several new classes of security bugs in Ethereum smart contracts,
proposes solutions for the documented bugs, and formalizes the semantics of Ethereum smart
contracts. It also provides OYENTE, a symbolic execution tool which analyses Ethereum
smart contracts to detect bugs. We ran OYENTE on real Ethereum smart contracts and
confirmed the attacks in the real Ethereum network.

References-
[1] Chenguang Zhu, Ye Leu, Ye Li, Xiuheng Wu, “Identifying Solidity Smart Contract API
Documentation Errors”, 37th IEEE/ACM International Conference on Automated Software
Engineering, October 2022.
[2] Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, Aquinas Hobor, “Making Smart
Contracts Smarter”, National University of Singapore, October 2016, DOI:
http://dx.doi.org/10.1145/2976749.2978309
[3] Ethereum Foundation. The serpent contract-oriented programming language.
https://github.com/ethereum/serpent.
[4] Oyente project page. https://www.comp.nus.edu.sg/~loiluu/oyente.html.
[5] TheDAO smart contract.
http://etherscan.io/address/0xbb9bc244d798123fde783fcc1c72d3bb8c189413#code.
[6] EtherEx: A fully decentralized cryptocurrency exchange. https://etherex.org/.
[7] EtherOpt: A decentralized options exchange. http://etheropt.github.io/.
[8] The Run smart contract.
https://etherscan.io/address/0xcac337492149bdb66b088bf5914bedfbf78ccc18.
[9] Ethereum Foundation. Block validation algorithm.
https://github.com/ethereum/wiki/wiki/BlockProtocol-2.0#block-validation-algorithm.
[10] Andrew Miller, Brian Warner, and Nathan Wilcox. Gas economics.
https://github.com/LeastAuthority/ethereum-analyses/blob/master/GasEcon.md.
[11] Protect The Castle Contract. http://protect-the-castle.ether-contract.org/.
[12] GovernMental Smart Contract. http://governmental.github.io/GovernMental/.
[1] TheDAO smart contract.
http://etherscan.io/address/0xbb9bc244d798123fde783fcc1c72d3bb8c189413#code.
[15] EtherEx: A fully decentralized cryptocurrency exchange. https://etherex.org/.
[16] EtherOpt: A decentralized options exchange. http://etheropt.github.io/.
[17] Ethereum Foundation. Block validation algorithm.
https://github.com/ethereum/wiki/wiki/BlockProtocol-2.0#block-validation-algorithm.
[18] Andrew Miller, Brian Warner, and Nathan Wilcox. Gas economics.
https://github.com/LeastAuthority/ethereum-analyses/blob/master/GasEcon.md.