ÆGIS: Shielding Vulnerable Smart Contracts Against Attacks

Torres, Christof Ferreira; Baden, Mathis; Norvill, Robert; Pontiveros, Beltrán Borja Fiz; Jonker, Hugo; Mauw, Sjouke

doi:10.1145/3320269.3384756

Cited by 33 publications

(18 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Horus has flagged none of the 14 false positives. Next, we compare our results to AEGIS [14,16]. Horus successfully detected the 7 contracts that were reported by AEGIS.…”

Section: Validationmentioning

confidence: 96%

See 1 more Smart Citation

The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts

Torres

Iannillo

Gervais

et al. 2021

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

In recent years, Ethereum gained tremendously in popularity, growing from a daily transaction average of 10K in January 2016 to an average of 500K in January 2020. Similarly, smart contracts began to carry more value, making them appealing targets for attackers. As a result, they started to become victims of attacks, costing millions of dollars. In response to these attacks, both academia and industry proposed a plethora of tools to scan smart contracts for vulnerabilities before deploying them on the blockchain. However, most of these tools solely focus on detecting vulnerabilities and not attacks, let alone quantifying or tracing the number of stolen assets. In this paper, we present Horus, a framework that empowers the automated detection and investigation of smart contract attacks based on logic-driven and graph-driven analysis of transactions. Horus provides quick means to quantify and trace the flow of stolen assets across the Ethereum blockchain. We perform a large-scale analysis of all the smart contracts deployed on Ethereum until May 2020. We identified 1,888 attacked smart contracts and 8,095 adversarial transactions in the wild. Our investigation shows that the number of attacks did not necessarily decrease over the past few years, but for some vulnerabilities remained constant. Finally, we also demonstrate the practicality of our framework via an in-depth analysis on the recent Uniswap and Lendf.me attacks.

show abstract

“…Horus has flagged none of the 14 false positives. Next, we compare our results to AEGIS [14,16]. Horus successfully detected the 7 contracts that were reported by AEGIS.…”

Section: Validationmentioning

confidence: 96%

“…Sereum [36] proposes a modified EVM to protect deployed smart contracts against reentrancy attacks. AEGIS [14,16] presents a smart contract and a DSL to protect against all kinds of runtime attacks. SODA [3] uses a modified Ethereum client to inject custom modules for the online detection of malicious transactions.…”

Section: Related Workmentioning

confidence: 99%

The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts

Torres

Iannillo

Gervais

et al. 2021

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…We generalize all the threat models by subdividing them into three major groups: victim contract, malicious contract, and hybrid malicious or victim contract. Sereum [133], teEther [97], Hydra [42], Osiris [149], SODA [53], AEGIS [65], EVMPatch [134], SeRIF [47], and OpenZeppelin Contracts [9] are threat mitigation solutions with the vulnerable contract threat model. Solutions with malicious contract threat models are the Ethereum honeypot detector HoneyBadger [150], GASPER [54], and the social engineering attack detector by Ivanov et al [88].…”

Section: Threat Modelmentioning

confidence: 99%

Security Threat Mitigation For Smart Contracts: A Survey

Иванов¹,

Li²,

Sun³

et al. 2023

Preprint

View full text Add to dashboard Cite

The blockchain technology, initially created for cryptocurrency, has been re-purposed for recording state transitions of smart contracts -decentralized applications that can be invoked through external transactions. Smart contracts gained popularity and accrued hundreds of billions of dollars in market capitalization in recent years. Unfortunately, like all other programs, smart contracts are prone to security vulnerabilities that have incurred multimillion-dollar damages over the past decade. As a result, many automated threat mitigation solutions have been proposed to counter the security issues of smart contracts. These threat mitigation solutions include various tools and methods that are challenging to compare. This survey develops a comprehensive classification taxonomy of smart contract threat mitigation solutions within five orthogonal dimensions: defense modality, core method, targeted contracts, input-output data mapping, and threat model. We classify 133 existing threat mitigation solutions using our taxonomy and confirm that the proposed five dimensions allow us to concisely and accurately describe any smart contract threat mitigation solution. In addition to learning what the threat mitigation solutions do, we also show how these solutions work by synthesizing their actual designs into a set of uniform workflows corresponding to the eight existing defense core methods. We further create an integrated coverage map for the known smart contract vulnerabilities by the existing threat mitigation solutions. Finally, we perform the evidence-based evolutionary analysis, in which we identify trends and future perspectives of threat mitigation in smart contracts and pinpoint major weaknesses of the existing methodologies. For the convenience of smart contract security developers, auditors, users, and researchers, we deploy a regularly updated comprehensive open-source online registry of threat mitigation solutions.CCS Concepts: • Security and privacy → Distributed systems security.

show abstract

“…Previous studies proposed smart contract-level multi-signature voting schemes. AEGIS [10] implements a voting-based mechanism, in which trusted experts vote for a security patch. Unfortunately, the voting mechanism in AEGIS has been design for different context and cannot be applied, even with modifications, to the trustee-based contract maintenance scenarios.…”

Section: Related Workmentioning

confidence: 99%

Rectifying Administrated ERC20 Tokens

Иванов

Guo

Yan

2021

Preprint

View full text Add to dashboard Cite

ERC20 token is the most popular type of Ethereum smart contract. The daily transaction volume of these tokens exceeds 100 billion dollars, which agitates the popular notions of "decentralized banking" and "tokenized economy". Yet, it is a common misconception to assume that the decentralization of blockchain entails the decentralization of smart contracts deployed on this blockchain. In practice, the developers of smart contracts implement administrating patterns, such as censoring certain users, creating or destroying balances on demand, destroying smart contracts, or injecting arbitrary code. These routines, which are designed to tightly control the operation of these smart contracts, turn an ERC20 token into an administrated token -the type of Ethereum smart contract that we scrutinize in this research. We discover that many smart contracts are administrated, which means that their owners solely possess an omnipotent power over these contracts. Moreover, the owners of these tokens carry lesser social and legal responsibilities compared to the traditional centralized actors that those tokens intend to disrupt. This entails two major problems: a) the owners of the tokens have the ability to quickly steal all the funds and disappear from the market; and b) if the private key of the owner's account is stolen, all the assets might immediately turn into the property of the attacker. Therefore, the administrated ERC20 tokens are not only dissimilar to the traditional centralized asset management tools, such as banks, but they are also more vulnerable to adversarial actions by their owners or attackers. We develop a pattern recognition framework based on 9 syntactic features characterizing administrated ERC20 tokens, which we use to analyze existing smart contracts deployed on Ethereum Mainnet. Our analysis of 84,062 unique Ethereum smart contracts reveals that nearly 58% of them are administrated ERC20 tokens, which accounts for almost 90% of all ERC20 tokens deployed on Ethereum. To protect users from the frivolousness of unregulated token owners without depriving the ability of these owners to properly manage their tokens, we introduce SafelyAdministrated -a library that enforces a responsible ownership and management of ERC20 tokens. The library introduces three mechanisms: deferred maintenance, board of trustees and safe pause. We implement and test SafelyAdministrated in the form of Solidity abstract contract, which is ready to be used by the next generation of safely administrated ERC20 tokens.

show abstract

ÆGIS: Shielding Vulnerable Smart Contracts Against Attacks

Cited by 33 publications

References 30 publications

The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts

The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts

Security Threat Mitigation For Smart Contracts: A Survey

Rectifying Administrated ERC20 Tokens

Contact Info

Product

Resources

About