New technology fixes smart contracts
Researchers make hacker’s job harder
- by Birgit Kremer
- 16.10.2020
Smart contracts have made Ethereum the world's second largest cryptocurrency. However, recent criminal attacks exploited errors in the programmed contracts. paluno - The Ruhr Institute for Software Technology at UDE, together with partners, has developed and evaluated a technique that enables already published smart contracts to be fixed instantly.
Smart contracts are used in modern blockchain systems to implement any kind of contractual rule. They enable the autonomous administration of cryptocurrency and regulate the transfer of values and rights between actors without the intervention of a third party (e.g. a notary or a bank). Smart contracts thus have great potential to revolutionize business areas such as the finance, insurance, and energy sectors.
Attractive Target for Hackers
Due to their ease of use and the high monetary value of some contracts, they are an attractive target for hackers, who try to exploit programming errors in the code in order to, for example, steal cryptocurrency. To prevent this, developers must react quickly to discovered security vulnerabilities, because smart contracts are always online and always available. But an instant correction rarely happens, as paluno researcher Michael Rodler knows: "Our analyses of the Ethereum blockchain have shown that vulnerable smart contracts often continue to be used by unsuspecting users, even though security problems in these contracts were made public months before."
A probable reason is that the manual correction procedures currently available are time-consuming and error-prone. The Secure Software Systems Group (Prof. Davi), together with NEC Laboratories Europe, has therefore developed a framework that helps developers fix errors automatically. For this purpose, the new patching framework features a so-called bytecode rewriter. Independent of the programming language and compiler used, it patches common Ethereum smart contracts by rewriting their bytecode.
The effectiveness of this technique was demonstrated by simulated attacks on 14,000 real, vulnerable smart contracts. The attack transactions were successfully blocked, while the functionality of the original contracts remained completely intact. A usability study showed that the tool is practical and provides developers with a decisive time advantage.
Publication: Rodler, Michael; Li, Wenting; Karame, Ghassan O.; Davi, Lucas: EVMPatch: Timely and Automated Patching of Ethereum Smart Contracts. In: Proc. of 30th USENIX Security Symposium. USENIX Association, Vancouver, B.C., Canada 2021. https://arxiv.org/abs/2010.00341
Further information and editorial contact:
Birgit Kremer, paluno, Tel. 0201/18 3-4655, birgit.kremer@paluno.uni-due.de