Discovery of 34,200 vulnerable smart contracts puts millions of dollars' worth of Ether at risk
While Bitcoin drew attention for its volatile price swings, Ethereum claimed many of the headlines. Its strong rise over the last year came with a string of security incidents and controversies, the most damaging in November, when a user going by 'Devops199' accidentally triggered a bug that froze around $280 million worth of Ether.
That freeze happened after Devops199 was able to make themselves the owner of a shared wallet library contract that many wallets depended on, and then destroy it.
Motherboard reports that a research team from the National University of Singapore (NUS), Singapore's Yale-NUS College and the UK's University College London (UCL) has found over 34,200 such contracts to be vulnerable, exposing millions of dollars' worth of Ether.
According to the report, "a sample of roughly 3,000 vulnerable contracts that the team verified could be exploited to steal roughly $6 million worth of ether", which suggests the full set puts a far larger sum at risk of theft or freezing. The researchers' attempts to track down the creators of the vulnerable contracts were unsuccessful.
The researchers downloaded the entire Ethereum blockchain.
They then built a tool, MAIAN, which examined almost one million smart contracts for flaws that could lock up the coins they hold or destroy the contract outright; the 34,200 flagged contracts came out of that scan. The tool works on the team's own copy of the chain rather than against the live network, so no real funds were touched during the analysis.
Ilya Sergey, an assistant professor of computer science at University College London and a co-author of the research, told the publication: "Imagine your goal isn't to interact with the vending machine in a proper way, but rather you want to break it or get it to serve you for free."
He continued: "Assume we put a few coins in the machine, and just start randomly pushing buttons hoping that the inner workings of the vending machine – which we have no knowledge about, springs and whatnot – eventually release the latch so you can take the candy."
In the same spirit, the tool hunted for vulnerabilities by trying many permutations of interactions, that is, sequences of calls in different orders, against the code of every live smart contract.
Parity (the company behind the vulnerable wallet library) had been told about the flaw months before Devops199 froze hundreds of millions of dollars' worth of Ether.
In its post-freeze statement, Parity said that in August a GitHub contributor called "3esmit" had recommended a code change so that initWallet would be called when the library was deployed, fixing the library's owners at construction time; at the time this was treated as a convenience enhancement rather than a security fix. The proposed change, which makes the library initialize itself by calling initWallet in its constructor, was committed to the library code, but the library contract already deployed on the chain was left uninitialized. With no owners set, anyone could call initWallet on the deployed library and become its owner, which is exactly what Devops199 did before destroying it.
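The two points above, the blind trial-and-error search the researchers describe and the uninitialized-library flaw behind the Parity freeze, can be made concrete with a small model. The following is an added example written for this article; it is not code from the researchers, from Parity or from MAIAN. It models the wallet library as a Python state machine with an initWallet and a kill method, and replaces MAIAN's symbolic execution over EVM bytecode with a brute-force search over short call sequences. The class and function names, the "devops199" address and the depth-3 search limit are all assumptions of the example.

```python
# Added illustration, not code from the researchers, Parity or the article.
# A deliberately simplified model of the Parity WalletLibrary freeze and of a
# MAIAN-style search for call sequences that destroy a contract. Names
# (WalletLibrary, Wallet, find_suicide_sequence, "devops199") are assumptions.
from itertools import product


class WalletLibrary:
    """Shared library contract that many wallets delegate their logic to.

    The real library was deployed without anyone calling initWallet, so its
    owner set stayed empty and the only_uninitialized guard blocked nobody.
    """

    def __init__(self, init_on_construct, deployer="parity"):
        self.owners = set()
        self.alive = True
        if init_on_construct:
            # The fix 3esmit proposed: initialize in the constructor so the
            # library has owners from the moment it exists on chain.
            self.init_wallet(deployer, [deployer])

    def _only_uninitialized(self):
        if self.owners:
            raise PermissionError("already initialized")

    def _only_owner(self, sender):
        if sender not in self.owners:
            raise PermissionError(f"{sender} is not an owner")

    def init_wallet(self, sender, owners):
        """Models initWallet: anyone may call it while owners is empty."""
        self._only_uninitialized()
        self.owners = set(owners)

    def kill(self, sender):
        """Owner-only selfdestruct. Once the library is gone, every wallet
        that delegates to it stops working (the funds are frozen)."""
        self._only_owner(sender)
        self.alive = False


class Wallet:
    """A user wallet whose behaviour lives entirely in the shared library."""

    def __init__(self, library):
        self.library = library

    def is_usable(self):
        return self.library.alive


def find_suicide_sequence(make_library, attacker="devops199", max_depth=3):
    """Brute-force analogue of MAIAN's 'suicidal contract' check.

    Enumerate every ordering (with repetition) of the calls an outsider can
    send, replay each against a fresh contract, and return the first one that
    leaves the library destroyed. Returns None if nothing up to max_depth works.
    """
    menu = {
        "initWallet": lambda lib: lib.init_wallet(attacker, [attacker]),
        "kill": lambda lib: lib.kill(attacker),
    }
    for depth in range(1, max_depth + 1):
        for seq in product(menu, repeat=depth):
            lib = make_library()
            try:
                for name in seq:
                    menu[name](lib)
            except PermissionError:
                continue  # a modifier rejected this ordering; try the next one
            if not lib.alive:
                return list(seq)
    return None


def demo():
    """Search the as-deployed library and the constructor-initialized one."""
    vulnerable = find_suicide_sequence(lambda: WalletLibrary(init_on_construct=False))
    fixed = find_suicide_sequence(lambda: WalletLibrary(init_on_construct=True))
    return vulnerable, fixed


if __name__ == "__main__":
    vuln, fixed = demo()
    print("as deployed:", vuln)                   # ['initWallet', 'kill']
    print("initialized on construction:", fixed)  # None
```

Against the as-deployed model the search needs only two "button presses": initWallet with the attacker as sole owner, then kill. Against the model that initializes itself in its constructor, every sequence is rejected by one of the two guards, which is what the proposed August change would have achieved for the live library.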
To avoid handing attackers a ready-made target list, the researchers have chosen not to reveal details of the vulnerable contracts. Anyone wanting to exploit them, they said, would have to do at least as much work as the team did.
In time, this work could make it far easier to find and fix such flaws in smart contracts before they are exploited. The research is currently undergoing peer review.