Smart contracts and their security challenges

user, August 24, 2022

Notable Cyberattacks on Blockchain/Smart Contracts

Many instances of cyberattacks have demonstrated that smart contracts, like blockchain technology, are vulnerable to hacks and exploitation. The total amount of money stolen or lost as a result of smart contract errors is in billions of dollars. The following are some of the most significant instances of smart contract code errors:

  • As per a report in 2017, $150 million in ETH was stolen from a business called Parity Technologies due to a serious weakness in their Ethereum smart contract,
  • In 2016, $50 million worth of ETH was stolen from Genesis DAO’s crowdfunding investors by hackers who took advantage of a security flaw in the system.
  • In August 2021, a group of hackers seized $613 million in digital currency from the Poly Network corporation. It is considered one of the biggest robberies in the crypto world, where hackers took advantage of a flaw in the digital contracts used by Poly Network.

What are Smart Contracts and how do they work?

Smart contracts are self-executing contracts, in which the provisions are stipulated in the code.

For example, an Ethereum smart contract is deployed as one or many transactions on the Ethereum blockchain which then runs on the Ethereum virtual machine, a blockchain-based platform.  The smart contract can be called by a user, by using a blockchain transaction. This transaction calls for a pre-defined procedure on the smart contract, granting the user access to the information contained within it.

For example, a vending machine operates on “contract” logic. The operation of dispensing a product is only fulfilled when a user puts money in the machine and chooses the product. Smart contracts are, of course, employed in a more complex manner when conducting cryptocurrency transactions.

Different types of Smart Contracts

Smart contracts are designed, constructed, and deployed over a network using programming languages like Solidity and Vyper. Smart contacts come in varied flavors, some of the most used types are –

  • Decentralized Autonomous Organizations (DAOs): entail a system of rules that are formed and controlled by members of the organization and are not affected by outside forces.
  • Smart Legal Contracts – entails stringent legal resources (also known as legally enforceable smart contracts).
  • Contracts of Applied Logics (ALCs) – are based on a decentralized network that combines a smart contract with a user interface on the front end.
  • Distributed Applications (DApps) – Applications or software that are hosted on servers or in the cloud and that simultaneously operate on several machines within a network.

Smart contract security challenges

Solidity contracts tend to transfer significant amounts of value as one of their core functions, in contrast to many conventional programming languages. As a result, they are vulnerable to several high-risk attacks from attackers looking to siphon money from these immutable actors.

Let us quickly review the main vulnerabilities:

  • Reentrancy Attacks: This kind of attack is both exceedingly risky—it may completely drain the ether from a weak smart contract—and quite simple to occur by accident. Reentrancy attacks happen because of two crucial Solidity characteristics:
    • Executing imperatively – that is, the next lines of code are not executed until the execution of the previous line has ended.
    • Smart contracts can contact untrusted, external contracts and wait for the outcome before continuing.

As a result, if a vulnerable contract X makes an external call to an untrusted contract Y, the latter may be maliciously modified to make a recursive call back to the weak contract X. Contract X might essentially run out of resources before the function is finished if the call from contract X to contract Y includes transmitting any amount of ether.

  • Frontrunning: It is interesting to note that smart contracts and transactions become completely public as soon as they are submitted to the network as a pending transaction rather than when they are completed on the blockchain. The mempools of Ethereum nodes share these pending transactions with the rest of the network, enabling the miner of a block to choose the transactions.

One unintended consequence of this design is that a smart contract’s intended conclusion is publicly visible before it is validated onto the blockchain. This transaction might be seen by malicious actors scanning the mempool, who might then take advantage of the situation by copying your smart contract and submitting it at a higher value. Then, by submitting their transaction first, they have successfully “front-run” your contract, taking advantage of your arbitrage opportunity.

  • Private Key Leakage: Using unsecured private keys is more of a user error than a vulnerability. It is worth mentioning, though, because it occurs quite frequently, and some gamers have made it their specialty to steal money from dubious addresses.

There are other security obstacles that smart contracts must face in addition to those mentioned above. Smart contracts are frequently vulnerable because not all developers are versed with the semantics of programmable blockchain systems.

In the upcoming blog, we will also be covering key processes involved in securing smart contracts and recommendations at different levels while developing a smart contract.

Back to top