45% of Ethereum Smart Contracts are Vulnerable

Firmo Network
Apr 17, 2018 · 2 min read

A group of researchers from the National University of Singapore released a paper showing that around 45% of Ethereum contracts are vulnerable. At the time of the paper's publication in June 2016, they analyzed the 19,366 contracts then existing on the Ethereum system and found that 8,833 of them (around $62 million) were flagged as buggy by their tool, OYENTE. The same classes of vulnerability were later popularized by the well-known DAO and Parity Wallet hacks.

The paper documents four classes of security bugs in Ethereum smart contracts: transaction-ordering dependence, timestamp dependence, mishandled exceptions, and reentrancy (the bug behind the DAO hack). We outline the first three briefly below:

  • Transaction-ordering dependence (TOD) was found in 15.8% of the contracts analyzed. It arises when a user submits a transaction assuming a particular contract state, but another transaction (for example from the contract owner, or from the miner who orders the block) is processed first and changes that state, so the user's transaction executes under conditions they never agreed to, potentially to the attacker's benefit.
  • Timestamp dependence arises from an imperfect understanding of timekeeping on the chain: the block timestamp is chosen by the miner, not read from a clock the contract can trust, and can be shifted within the tolerance the protocol allows. Contracts that use it as a source of randomness or to decide time-critical payouts can therefore be steered by the miner.
  • Mishandled exceptions, also known as the unchecked send bug. A failed send does not abort the calling contract; it returns false, and a contract that ignores that return value continues as if the payment had succeeded. In the paper's example an attacker forces the failure by calling the contract from a carefully constructed call stack close to the EVM's depth limit of 1024, so the inner send fails. (The call-depth attack was later made impractical by the gas rules of EIP-150, but a send can still fail for other reasons, so the return value must still be checked.)
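The following is an added illustration written for this post; it is not code from the paper, from OYENTE, or from Firmo Network. It is a hypothetical bounty contract written twice: once carrying each of the three bug classes above, and once with each closed. The puzzle answer, the contract names and the mitigations are the editor's assumptions; the mitigations shown are common practice, not the paper's prescribed fixes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/*
 * Constructed example (editor's illustration, not the paper's or Firmo's
 * code). Shared state for both versions of the bounty contract.
 */
abstract contract BountyBase {
    address public immutable owner;
    uint256 public reward;
    mapping(address => uint256) public pendingPayouts;

    constructor() payable {
        owner = msg.sender;
        reward = msg.value;
    }

    // The owner may cut the bounty at any time; harmless on its own.
    function lowerReward(uint256 newReward) external {
        require(msg.sender == owner, "not owner");
        require(newReward <= reward, "can only lower");
        reward = newReward;
    }

    // Hypothetical puzzle: the answer is the preimage of a fixed hash.
    function isSolution(string calldata answer) internal pure returns (bool) {
        return keccak256(abi.encodePacked(answer)) == keccak256("open sesame");
    }
}

contract BountyVulnerable is BountyBase {
    // TOD: the solver read `reward` and decided to submit, but the owner's
    // lowerReward() can be mined first in the same block, so the solver is
    // paid under a state they never saw.
    function claim(string calldata answer) external {
        require(isSolution(answer), "wrong answer");
        pendingPayouts[msg.sender] += reward;
    }

    // Timestamp dependence: the block producer picks block.timestamp (within
    // the drift consensus tolerates), so a miner who is also a player can
    // grind the timestamp until the "coin flip" lands in their favour.
    function doubleOrNothing() external {
        uint256 amount = pendingPayouts[msg.sender];
        bool win = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 2 == 0;
        pendingPayouts[msg.sender] = win ? amount * 2 : 0;
    }

    // Mishandled exception: send() reports failure by returning false, not
    // by reverting (e.g. the recipient is a contract whose receive() needs
    // more than the 2300-gas stipend). The balance is zeroed either way.
    function withdraw() external {
        uint256 amount = pendingPayouts[msg.sender];
        pendingPayouts[msg.sender] = 0;
        payable(msg.sender).send(amount); // return value ignored: funds lost on failure
    }
}

contract BountyHardened is BountyBase {
    uint256 public immutable deadline;

    constructor(uint256 durationSeconds) payable {
        deadline = block.timestamp + durationSeconds;
    }

    // TOD mitigation: the caller pins the reward it observed. If the owner's
    // transaction landed first, this one reverts instead of underpaying.
    // Timestamp is used only for a coarse deadline, where seconds of miner
    // drift cannot change the outcome in anyone's favour; never as randomness.
    function claim(string calldata answer, uint256 expectedReward) external {
        require(block.timestamp < deadline, "bounty closed");
        require(isSolution(answer), "wrong answer");
        require(reward == expectedReward, "reward changed, resubmit");
        pendingPayouts[msg.sender] += reward;
    }

    // Unchecked-send mitigation: effects before interaction (which also
    // blocks reentrancy), then check the result and revert on failure so
    // the balance is restored rather than silently lost.
    function withdraw() external {
        uint256 amount = pendingPayouts[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingPayouts[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "payout failed");
    }
}
```

Deploying BountyVulnerable with 1 ether and having a solver call claim("open sesame") in the same block as the owner's lowerReward(0) shows the TOD case directly: whichever transaction the miner places first decides whether the solver is owed 1 ether or nothing. A static checker in the spirit of OYENTE flags the first contract because its ether flow depends on transaction order and on block.timestamp, and because the result of send is discarded.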

In a follow-up blog post, paper author Hrishi Olickel stressed that contracts need to be secured before they are created "even at the cost of a delayed and more expensive deployment." The researchers also note that a better understanding and characterization of smart contract vulnerabilities is necessary.

Firmo Network utilizes a formally verified programming language to securely deploy smart contracts on the blockchain. Such technology aims to mitigate the current vulnerabilities of Ethereum by bypassing Solidity and compiling directly to the blockchain's bytecode.

Join the conversation! Ask questions, comment, and chat directly with the Firmo Network team here in our Telegram Community group.


Firmo is building the standard for derivatives to be securely executed on any major blockchain.