47 Zero-Day Bugs Were Found on Ethereum Smart Contract by Researchers
Brought to you by LuckyHash
Smart contract allows two anonymous parties to perform reliable transaction and and makes sure the protocol gets executed without a centralized authority’s supervision. However it takes quite some efforts to upgrade smart contract, therefore, it is very important to go over the source code before deployment to ensure that there is no security vulnerability.
Researchers at the University of California, Santa Barbara (UCSB) have developed a SAILFISH, a set of tools to detect state-inconsistency bugs in in smart contracts:
In a nutshell, Sailfish can convert it into a storage dependency graph and obtain the control flow and data flow relationships of the smart contract’s storage variables and state change instructions, and then use the dependency graph to identify potential security vulnerabilities. It determines whether the two execution paths are on the same storage variable by means of graph query.
SAILFISH can find consistency vulnerabilities, reentrancy and transaction sequence dependency vulnerabilities in smart contracts. Attackers can use those vulnerabilities to modify the execution order of transactions or take over control flow within a transaction. Researchers used it to detect 47 zero-day vulnerabilities in Ethereum smart contracts.
A zero-day is a malware attack in early stage of a software where its vulnerabilities haven’t been patched.
By testing 89853 smart contracts obtained from the Ethereum platform Etherscan, Sailfish successfully identified 47 zero-day vulnerabilities, some of which can even destroy application-specific metadata after being exploited. The performance and accuracy of Sailfish tools outruns smart contract analysis tools such as SECURITY, MYTHRIL, OYENTE, SEREUM, and VANDAL.
Related research findings will displayed on the premier computer security and electronic privacy forum IEEE Symposium on Security and Privacy in May, 2022.
For your interest, you can find the thesis here: https://arxiv.org/pdf/2104.08638.pdf
— — — — — — — — — — — — — — — — — — — — — — — — — — — —
Follow LuckyHash on Medium for more blockchain news
LuckyHash (mobile) is the world’s leading one-stop crypto asset management platform. It provides no-pledge mining hashrate leasing and cryptocurrency interest generating plans.
Also LuckyHash is giving away FREE financial management trial funds, check here
Create a LuckyHash account here and leave your account in comment to receive a free 1000USDT-7d saving account product.
