Poor smart contract coding exposes millions of dollars in Ethereum

Researchers have discovered over 30,000 contracts are open to exploit.
Written by Charlie Osborne, Contributing Writer

Smart contracts are meant to be just that: smart, irrevocable, transparent, and secure.

However, coding bugs in 34,200 of these contracts currently in circulation have exposed millions of dollars' worth of cryptocurrency to the risk of theft.

It was only back in November when the intelligent element of smart contracts was cast into doubt after an individual known only as "DevOps199" stumbled across the library code of a smart contract facilitating the trade and storage of ethereum (ETH).

The user managed to trigger a major vulnerability in the Parity multi-sig wallet -- albeit reportedly by accident -- thereby making himself the owner of the smart contract controlling user wallets in the chain and library.

In a panic, the user then wiped out some of the core library code, freezing ethereum belonging to approximately 500 wallets and worth roughly $150 million.

It should never have happened, and despite Parity's efforts to recover the funds, the cryptocurrency remains frozen.

This may only be the first indicator of a wider problem, however.

As reported by Motherboard, researchers from the National University of Singapore (NUS), Singapore's Yale-NUS College and the UK's University College London (UCL) have discovered a total of 34,200 smart contracts which contain vulnerabilities ripe for exploit.

In a paper documenting the research (.PDF), the team developed and implemented a tool called MAIAN to analyze roughly one million smart contracts for vulnerabilities which would permit the freeze of cryptocurrency, leaks, or the destruction of contracts altogether.

The researchers downloaded the entire ethereum blockchain in order to make a private fork for testing purposes in a way which would not disrupt current contracts or wallets.

The tool was then used to test replicas of the live contracts for errors which would lead to "trace vulnerabilities" that attackers could exploit.

While over 30,000 were found to raise flags for potential flaws "in a matter of seconds," a subset of 3,759 contracts was used as a testing ground for real-world exploits.

In 89 percent of cases, the team found they were able to compromise these smart contracts. If exploited by criminals, these could lead to the theft of roughly $6 million in Ethereum.


The researchers have attempted to contact the creators of these smart contracts to make them aware of the vulnerable coding, but have met with little success.

However, there is a silver lining -- as the contracts have not been publicly revealed, potential attackers have no groundwork or knowledge available to steal ethereum connected to them or tamper with the contracts themselves.

"If someone wants to exploit this idea, they'll have to do at least as much work as we did," Ilya Sergey, co-author of the paper and UCL assistant professor of computer science, told the publication.

According to Chainalysis, cyberattackers managed to steal at least $225 million in ethereum over 2017.

The paper is currently undergoing peer review.
