Security of blockchain-based smart contracts II – Known Vulnerabilities and Pitfalls

In the previous part of this series on blockchain security we looked at the risks associated with deploying autonomously executing smart contracts on a public blockchain. We also introduced some high-profile examples of attacks on smart contracts that have caused the loss of large sums of money and changed the way we look at business interactions on the blockchain.

In this episode we will review some known issues and vulnerabilities.

Private Key Leakage

Using unsafe private keys is really a case of user error, rather than a vulnerability. However, we mention this nevertheless, as it happens surprisingly often, and certain players have specialized in stealing funds from unsafe addresses.

What usually happens is that development addresses (such as those used by testing tools, such as Ganache/TestPRC) are used in production. These are addresses generated from publicly known private keys. Some users have even unknowingly imported these keys into wallet software, by using the original seed words used in private key generation.

Attackers are monitoring these addresses and any amount transferred to such an address on the main Ethereum network tends to disappear immediately (within 2 blocks).
[Read more…]

Security of blockchain-based smart contracts I

Recently, blockchain technology has been advocated as a game changer for many industries. Distributed ledger technology that has emerged out of Bitcoin has promising applications beyond digital currencies.

One of the most promising use cases of blockchain technology is the development of smart contracts.

Smart contracts are self-executing contracts, in which the terms are specified in code. Essentially, this means encoding legal contracts in computer code, which executes them automatically.

Whilst the concept has been around for a while, at least since Nick Szabo’s wrote up the concept in 1996, it was not until the advent of the Turing-complete Ethereum blockchain that smart contract use became common.

Contracts on the Ethereum blockchain exist at contract addresses and can be invoked by transaction calls.

Executing contracts written in code and stored on an immutable public blockchain creates certain risks and issues, which we will discuss in a general way in this post. In an upcoming second part, we will look at more specific examples of smart contract security vulnerabilities. [Read more…]