Securing Ethereum Smart Contracts: Fighting a New Wave of Cyber Piracy

Mark Barrasso
4 min read · Aug 1, 2017


As malicious attacks are continuously waged upon Ethereum’s smart contracts, millions of dollars in the form of tokenized assets are stolen from honest users and organizations. In the past month alone, black hat hackers have successfully conducted cyber heists collectively valued at over $50M (that’s more than any bank robbery in US history).

Needless to say, the Ethereum community needs to be more cautious when creating and vetting these smart contracts before deploying them on the main network. Without taking the proper security auditing considerations into account from the beginning, similar attacks will continue to happen more and more often. In order for the Ethereum ecosystem to truly thrive, security needs to be priority number one.

While it is usually quite easy to build software that works as expected, it is much harder to check that nobody can use it in a way that was not anticipated.

In response to these growing security concerns, members of our Cisco Research & Open Innovation team attended the IC3 ETH bootcamp event at Cornell University to focus on improving smart contract development standards. The event brought together the top cryptocurrency and security experts from IC3, as well as notable attendees from both the Ethereum Enterprise Alliance and the Ethereum Foundation.

Vitalik Buterin presenting at IC3 ETH Bootcamp at Cornell University

Our team began the week-long coding and learning session by first discussing the adolescent smart contract landscape and the important security considerations that come along with it.

“Progress in smart contract safety is going to be layered, incremental, and necessarily dependent on defense-in-depth.” -Vitalik Buterin

When developing smart contracts in Solidity, Ethereum’s contract-oriented programming language, it is important to step back and consider how much is at stake. Most contracts handle monetary transactions, and sometimes even more valuable transaction data such as health records or land registry ownership. Before releasing your code into the wild, you want to first make sure that your contract has been properly audited by security experts and laymen alike so that there are no obvious vulnerabilities present. Also, it is important to note that even if your smart contract may seem bug-free, vulnerabilities in the compiler or the platform itself may contribute to some sort of unforeseen exploit.

Fortunately, there are already some verified code examples and standardized frameworks that are starting to emerge from the community. One example is the ERC20 token standard which allows anyone to create and publish their own secure token asset on the Ethereum blockchain. However, as more individuals release their tokens and launch their crowd sales, scammers, phishers, and exploiters are taking advantage of this token sale hysteria.

“It’s like the Wild Wild West, the Internet. There are no rules.” -Steven Wright

Our team developed an Ethereum smart contract exploit training course at the IC3 bootcamp

After a week of intense coding sessions and manipulating ERC20 contracts, our team of security experts compiled our knowledge of token exploits to write multiple vulnerable smart contracts in Solidity. We used our repository of susceptible code to create an “Ethereum Smart Contract Exploit Training Course” called HackThisContract. This is the first iteration of a website that allows developers, auditors, and designers to better understand how to write secure contracts on Ethereum. Users venture through increasingly difficult coding challenges by examining vulnerable smart contracts in order to improve on their (white hat) hacking skills.

We are also seeking more example contracts to add to our challenge database, and encourage contributions to the back-end on GitHub as well. We strongly believe that raising awareness and educating the community on smart contract security are both essential steps in beginning to build a solid defense against future attacks.

7 key takeaways

  1. Read the Solidity security considerations before creating contracts
  2. Test your contracts thoroughly before deploying to Main Net (and then test them again)
  3. Get your contracts audited by security experts and auditors
  4. Use verified code whenever possible; don’t roll your own crypto
  5. Set up automatic bug bounties to incentivize potential auditors
  6. Watch out for phishers and scammers; don’t click on random links
  7. Become a developer and train your white hat hacking skills

A big thanks to Phil Daian (@phildaian) for his support at the IC3 bootcamp and for his extraordinary skills and leadership in smart contract security.

Meanwhile at Cisco, we are excited to announce that we have recently joined the Ethereum Enterprise Alliance, which is now the largest open-source blockchain initiative in the world with over 150 members. With much to do and many actionable plans in sight, expect more announcements to be made within the upcoming months — we’re just getting started.
