$17 billion worth of ETH on a public, permissionless network. Which contracts are secure, and which may not be?
There is more than $17 billion worth of ETH stored on Ethereum. As a public blockchain, the balance of every smart contract is visible and transparent. One could say that each smart contract on Ethereum is a “honeypot.” The more funds it holds, the higher the incentive to try and hack it.
In cybersecurity, the traditional meaning of a honeypot is a program intentionally created to attract attacks to deflect or study real ones. In this article, we expand the term ‘honeypot’ to refer to potential high-risk targets among Ethereum account addresses. Thinking of every smart contract on Ethereum essentially as a honeypot helps us understand the risk model we face when building on a public blockchain.
The assumption about smart contract security and honeypots is fairly simple: an address that has held uncompromised funds for a longer period of time can be assumed safer than an account that has not held funds for as long. So, when we apply the honeypot model to assess the safety of contract wallets, the two important factors to look at are:
- How much ETH (or other assets) are stored in a contract?
- For how long has it held that amount securely?
Today, we do not have a standard, quantifiable way to assess this “sweetness” of a honeypot. In this article, we adopt a MaxOfMin approach to quantifying smart contract security and identifying the strongest and weakest addresses on Ethereum according to this model. More information about the MaxOfMin approach and our methodology can be found in the addendum at the end of this article.
Finding the Most Resilient Honeypots
It is natural to assume that addresses with high ETH or other asset balances are attractive targets to hackers. For this article we restrict the analysis to ETH holdings for simplicity. We also only look at smart contracts and not at externally owned accounts, as only contracts can have bugs in their implementation and be attacked independently. With the honeypot model, those smart contracts that have held large funds for long periods of time can be considered the most resilient honeypots on mainnet. To start, we identified all Ethereum smart contracts that have a balance of 100,000 ETH or more today.
Figure 1 shows the balance history of the 25 contracts that currently meet the criteria of >100k ETH. Data from Etherscan provided identification for a few, and the identities marked with an * are inferred from their transaction history.
An interesting case to note is the “WithdrawDAO” address. It is the contract that held the funds recovered from “The DAO”, maybe the most controversial event in Ethereum history to date. Evidently, it shows a steep drop when users started to withdraw their recovered DAO funds, though it still holds an unclaimed amount of ~100k ETH today — lying there, waiting to be hacked. But over the course of several years no one was able to find a bug in this contract that would allow them to siphon the ETH away.
Using the above sample of high-value contracts, we created a chart to observe what risk has looked like for these contracts over time since their creation (Figure 2). The graph shows the greatest amount of ETH that was “at risk” of being stolen against a selected length of time (window size). For example: the Ethereum Foundation address is shown in green. The spike at the start of the X axis tells us that for one day during its entire existence, there were ~12m ETH “at risk” of being stolen (i.e. held in the account). That equates to the highest amount of ETH ever held by the account (~11.9m in mid-2015 — figure X). As we proceed along the X axis, we see the amount of at-risk funds decrease. So at 100 days, the chart tells us “for 100 consecutive days at some point during the existence of the account, a hacker would have been able to steal at minimum ~4.3m ETH.” Taking the entire X axis into account, we see that at any point in time since the creation of the EF address, a hacker would have had access to at minimum ~1m ETH.
This type of analysis is enabled by the MaxOfMin approach. When we look at a certain window size, we can compare the maximum of the minimum holding amount across different addresses. Larger amounts mean the address held a higher value of funds continuously for this length of time. To evaluate the risk/security score of different addresses, let’s make an assumption — for example — that an attack may be attempted for 30 days (1 month). We can see that, for a thirty-day window, the EF wallet held more funds (at least ~6.8m ETH) than any other address held over any consecutive thirty-day period. Bitfinex’s wallet came in second with at least ~3m ETH over any consecutive 30-day period, and the WETH token contract ranked third with ~2.7m.
If we change the window size to one year, the WETH token contract emerges as the most resilient honeypot, securing at minimum ~1.8m funds for a consecutive 365 days. Decide for yourself: What is more important? High amounts of funds for a short time frame or lower balances secured over longer periods?
Flipping the question, we could ask “if a hacker needs a certain minimum balance to be motivated to try a sophisticated attack, which addresses have proven resilient?” If we manipulate that threshold, we can see which wallets have secured at least that balance for the longest period of time. We see that the EF wallet has secured at least 3 million ETH for ~100 days and that Bitfinex has secured it for at least thirty days. If you have the problem of securely storing such an amount — you might want to consider reusing their contracts.
Finding the Best Targets
Within the honeypot model, a black hat hacker would prioritize a target based on the opportunity — i.e. they would first attempt to hack the contract with the highest balance. What they may reasonably search for, then, are addresses that are currently at their highest MaxOfMin. Or, stated differently, they may search for honeypots that are at their “sweetest” point. A good way to measure this is to look for addresses that are holding their largest amounts of funds to date.
Figure 3 shows contracts (10k+ ETH) that are currently at their highest MaxOfMin score. Some of these accounts have held onto their MaxOfMin value for a significant period of time. The Polkadot Multisig account, for example, has (unwillingly) held onto 300k+ ETH since the end of December 2017. It, along with other accounts that have held their funds for long periods of time, could reasonably be considered battle-tested and secure.
What we should look at closely, therefore, are contracts at their highest balance that have only recently received such a high ETH balance. The logic is essentially opposite of the model used to determine the strength of honeypots. If a contract has held a high amount of ETH successfully for many years, it can be determined comparatively safe. If, however, it has held a high amount of ETH only for a very short period of time, it is unproven that it would withstand attacks.
Figure 4 shows the three addresses on Ethereum that can be considered the ‘sweetest’ honeypots on the public mainnet at this point in 2020. These addresses have more than 10k ETH and have gained that ETH only within the past 30 days.
It is hard to determine conclusively how “secure” these honeypots are. There are many other factors, such as new types of attacks that are developed or reuse of code that has been time-proven. What we can determine, however, is that a hacker wishing to maximize the reward for their effort would be wise to analyze and target accounts that are currently at their MaxOfMin with a high ETH balance, and would be wisest to additionally target those that have guarded high balances only for a short period of time. Our hope is that highlighting this unavoidable consequence of public Ethereum as an implicit honeypot will be a motivation to place extra vigilance and security around new, high-value smart contracts.
With automated security analysis tools like MythX, many types of flaws can be detected automatically. Such tools are invaluable during smart contract development for avoiding security flaws. But they can also be used to automatically identify bugs in the most valuable targets.
In the first article of this series we observed that over time the number of automatically identifiable security issues in newly deployed contracts has been decreasing. However, even with growing decentralization in token ownership, the growth of DeFi and trading on centralized exchanges will continue to create single contracts with high ETH balances. The benefit of transparency and openness on the Ethereum mainnet also means that people can easily identify, locate, and attempt to compromise these accounts. They are always unintentional honeypots. Our hope is that the MaxOfMin model we have provided will allow users to assign ‘scores’ to different contracts to facilitate more informed, secure, and confident decisions about where to place funds when interacting with decentralized applications.
Methodology & Honeypot Scoring
A good starting point would be to answer the question “What contracts on Ethereum have held the highest balance for the longest time?” According to the honeypot model, those contracts should be the safest (if they haven’t been hacked, of course). They have successfully held custody over large funds for a long time.
Using the MaxOfMin approach, we can formalize this as the Honey-Pot-Dullness score as follows:
HPD = max(AreaScore),
with AreaScore = WindowSize * EthHeld
Let’s look at an example and play this out. The wrapped Ether contract (WETH) is used by many to convert ETH into an ERC20 token. We can analyze its balance history and find the time period in which it has held the highest amount of Ether for the longest period of time.
1. Select the largest time window possible. This is the time from the creation of the contract until today.
2. Find the highest balance that has been held throughout that full time window.
3. Reduce the time window by 1 day. Repeat step 2 for this smaller window, sliding it along the time axis, and record the highest balance that was held throughout the entire window (the largest of the per-position minimum balances, hence MaxOfMin).
4. Keep reducing the window size and finding the highest value for that window until the window size is 1 day.
5. Store the result for each window size.
| WindowSize | EthHeld | AreaScore | Interpretation |
| --- | --- | --- | --- |
| 1 day | 100 ETH | 100 | “for 1 day you could steal 100 ETH” |
| 10 days | 15 ETH | 150 | “for 10 days you could steal 15 ETH” |
| 100 days | 8 ETH | 800 | “for 100 days you could steal 8 ETH” |
The maximum of all AreaScores is the HPD score and represents the fact that the contract has held Ether over long periods of time. Geometrically, the HPD can be understood as the largest rectangle that can be drawn under the balance chart of an account.
However, as this score above is simply a product of EthHeld and WindowSize, a contract that has held a small amount of funds for an extremely long time can receive a higher score than a contract that has existed for a shorter amount of time but has held very high funds.
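The following is an added, runnable illustration of the MaxOfMin procedure, the HPD score and the “flipped” threshold question from the analysis section; it is example code written for this article, not the authors’ tooling. It assumes a day-granular balance history, and the two histories are constructed samples rather than chain data: SAMPLE_B never holds more than 70 ETH yet outscores the spiky SAMPLE_A, which is exactly the caveat described above.

```python
from collections import deque

# Constructed daily ETH balance histories (oldest day first), not real chain data.
# Day 0 is the contract's creation day; one entry per day.
SAMPLE_A = [0, 50, 120, 120, 90, 90, 90, 400, 400, 30, 30, 30, 30, 30]  # spiky
SAMPLE_B = [70] * 14                                                      # flat, low

def sliding_window_min(balances, window):
    """Yield the minimum balance of every contiguous `window`-day span (O(n) via a monotonic deque)."""
    dq = deque()  # indices of candidate minima; their balances are non-decreasing
    for i, bal in enumerate(balances):
        while dq and balances[dq[-1]] >= bal:
            dq.pop()
        dq.append(i)
        if dq[0] <= i - window:        # leftmost candidate has left the window
            dq.popleft()
        if i >= window - 1:
            yield balances[dq[0]]

def max_of_min(balances, window):
    """Largest balance held throughout *some* `window`-day period: the MaxOfMin value."""
    if not 1 <= window <= len(balances):
        return 0
    return max(sliding_window_min(balances, window))

def area_scores(balances):
    """(WindowSize, EthHeld, AreaScore) rows for every window from 1 day to the full history."""
    rows = []
    for w in range(1, len(balances) + 1):
        held = max_of_min(balances, w)
        rows.append((w, held, w * held))
    return rows

def hpd_score(balances):
    """HPD = max(AreaScore): the largest rectangle that fits under the balance chart."""
    return max(area_scores(balances), key=lambda row: row[2])

def longest_window_at_least(balances, threshold):
    """Flipped question: longest run of consecutive days on which balance >= threshold."""
    best = run = 0
    for bal in balances:
        run = run + 1 if bal >= threshold else 0
        best = max(best, run)
    return best

if __name__ == "__main__":
    for name, hist in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        w, held, area = hpd_score(hist)
        print(f"{name}: HPD={area} ({held} ETH for {w} days); "
              f">=90 ETH held for {longest_window_at_least(hist, 90)} consecutive days")
```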