加密货币比特币的出现带动了区块链技术的蓬勃发展,智能合约技术则是区块链技术中的一个技术高地.目前以太坊中的智能合约应用受到大量的关注,创造了海量的价值应用,同时也带来了密集的攻击活动.随着智能合约的数量越来越多,尤其是智能合约中的代码漏洞也逐渐被许多研究人员和恶意攻击者发现,造成了一系列重大的经济损失案件.为了对智能合约技术的稳定性发展提供理论研究基础,文章针对以太坊上已知的智能合约漏洞进行了介绍、分类和总结,并对智能合约安全漏洞进行详细的原理阐述与场景代码复现.
Abstract
The emergence of cryptocurrency bitcoin has driven the vigorous development of blockchain technology, and smart contract technology is a technical highland of blockchain technology. At present, smart contract applications in ethereum have received a lot of attention, creating a lot of value applications, and at the same time bringing intensive attack activities.With the increasing number of intelligent contracts, especially the code loopholes in intelligent contracts have been gradually discovered by many researchers and malicious attackers, which has caused a series of serious economic losses.In order to provide theoretical research basis for the stable development of intelligent contract technology, this paper introduces, classifies and summarizes the known intelligent contract vulnerabilities in ethereum, and elaborates the principle and scene code of intelligent contract security vulnerabilities in detail.
关键词
区块链 /
以太坊 /
智能合约 /
安全漏洞
{{custom_keyword}} /
Key words
blockchain /
ethereum /
smart contract /
security vulnerabilities
{{custom_keyword}} /
{{custom_sec.title}}
{{custom_sec.title}}
{{custom_sec.content}}
参考文献
[1] Nakamoto S, Bitcoin: A peer-to-peer electronic cash system[EB/OL].[2019-07-05]. http://www.bitcoin.org.
[2] Bonneau J, Miller A, Clark J, et al. SoK: research perspectives and challenges for bitcoin and cryptocurrencies[C]//2015 IEEE Symposium on Security and Privacy, San Jose: CA, 2015:104-121.
[3] 工业和信息化部信息中心. 2018年中国区块链产业白皮书[EB/OL].[2019-07-05]. http://www.miit.gov.cn/n1146290/n1146402/n1146445/c6180238/ -part/6180297.pdf.
[4] UK Government Chief Scientific Adviser. Distributed ledger technology: Beyond blockchain[EB/OL].[2019-07-05], https://assets.publishing.service. gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf.
[5] Wood G. Ethereum: A secure decentralised generalised transaction ledger[EB/OL].[2019-07-05]. https://ethereum.github.io/yellowpaper/paper.pdf.
[6] Cachin C, Vukolić M. Blockchain consensus protocols in the wild[C]//The International Symposium on DIStributed Computing, Austria: Vienna,2017:1-16.
[7] Atzei N, Bartoletti M, Cimoli T. A survey of attacks on ethereum smart contracts (SoK)[C]//Principles of Security and Trust, Berlin Heidelberg: Springer, 2017:164-186.
[8] Li X, Jiang P, Chen T, et al. A survey on the security of blockchain systems[C]//Future Generation Computer Systems, 2017:1-13.
[9] Ethereum. Solidity documentation[EB/OL].[2019-07-05]. https://solidity.readthedocs.io.
[10]Foundation E. CRITICAL UPDATE Re: DAO vulnerability[EB/OL].[2019-07-05]. https://blog.ethereum.org/2016/06/17/critical-update-re-dao- vulnerability/.
[11]Luu L, Chu D H, Olickel H, et al. Making smart contracts smarter[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security-CCS'16, Austria: Vienna, 2016:254-269.
[12]Jiang B, Liu Y, Chan W K. ContractFuzzer: fuzzing smart contracts for vulnerability detection[C]//Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering-ASE 2018, France: Montpellier, 2018:259-269.
[13]Krupp J, Rossow C. Teether: Gnawing at ethereum to automatically exploit smart contracts[C]//27th USENIX Security Symposium, USA: Baltimore, MD, 2018:1317-1333.
[14]Grech N, Kong M, Jurisevic A, et al, MadMax: surviving out-of-gas conditions in Ethereum smart contracts[C]//Proceedings of the ACM on Programming Languages, New York: ACM, 2018:1-27.
[15]Kalra S, Goel S, Dhawan M, et al. ZEUS: Analyzing safety of smart contracts[C]//Proceedings 2018 Network and Distributed System Security Symposium, San Diego: CA, 2018.
[16]Fabian Vogelsteller and Vitalik Buterin. EIPs/eip-20.md at master·ethereum/EIPs[EB/OL].[2019-07-05]. https://github.com/ethereum/EIPs/blob/master/ EIPS/eip-20.md.
[17]BeautyChain. BecToken smart contract[EB/OL].[2019-07-05]. https://etherscan.io/address/0xc5d105e63711398af-9bbff092d4b6769c82f793d#contracts.
[18]Bitcoin Forum. Topic: Proof of stake instead of proof of work[EB/OL].[2019-07-05]. https://bitcointalk.org/index.php?topic=27787.0.
[19]Ethereum Foundation. Block validation algorithm[EB/OL]. [2019-07-05]. https://github:com/ethereum/wiki/wiki/BlockProtocol-2:0#block-validation-algorithm.
[20]Chen T, Li X, Wang Y, et al. An adaptive gas cost mechanism for ethereum to defend against under-priced DoS attacks[C]//International Conference on Information Security Practice and Experience, Cham:Springer, 2017:3-24.
[21]Fabian Vogelsteller and Vitalik Buterin. EIPs/eip-161.md at master·ethereum/EIPs[EB/OL]. [2019-07-05]. https://github.com/ethereum/EIPs/blob/ master/EIPS/eip-161.md.
[22]Fabian Vogelsteller and Vitalik Buterin. EIPs/eip-150.md at master·ethereum/EIPs[EB/OL]. [2019-07-05]. https://github.com/ethereum/EIPs/blob/ master/EIPS/eip-150.md.
[23]Vitalik Buterin. Transaction spam attack: Next steps[EB/OL].[2019-07-05]. https://blog.ethereum.org/2016/09/22/transaction-spam-attack-next-steps/.
{{custom_fnGroup.title_cn}}
脚注
{{custom_fn.content}}
基金
国家重点研发计划资助项目(2018YFB1404402);广东省科技计划资助项目(2019B010137003,2016B030305006, 2018A07071702);广州市科技计划资助项目(201804010314,2012224-12);唯链基金会资助项目(SCNU-2018-01)
{{custom_fund}}
PDF(829 KB)
