NCC Group has developed an evaluation system for smart contract technology. The project, called the Decentralized Application Security Project (DASP), will allow the group to perform an online analysis of at least 10 aspects that could present vulnerabilities in a particular blockchain network.
The DASP project is described as an open and collaborative effort whose goal is to discover smart contract vulnerabilities within the ecosystem. To perform the evaluation, the project established up to nine categories, plus one extra category in case new vulnerabilities are found.
The first category is reentrancy, the famous attack that enabled the theft from the DAO, which ultimately led to the fork of Ethereum and the creation of Ethereum Classic. Reentrancy takes place when a smart contract, during its execution, can be re-entered or called again from an external address before the first invocation has completed. Funds can also be requested by a malicious contract without the victim being aware of the attacker's intention. Estimates say this type of attack generated a loss of around 3.5 million ethers.
Access control is another category evaluated by the DASP project. This vulnerability takes advantage of the fact that the owner address needs to be configured when a smart contract is initialized. If that initialization function can be called by any user, an attacker can run it and change the address being set in order to take ownership of the smart contract, which is why the collaborators of the DASP project consider it an important vulnerability. This problem made possible the “suicide” of the Parity wallets last November.
Smart contracts can also present arithmetic problems, which are especially dangerous. Unsigned integers are frequent in smart contracts, and the majority of developers use simple integers (which are often signed integers). The DASP website says: “If overflows occur, many apparently benign code paths become vectors of theft or denial of service.”
The other vulnerabilities analyzed by the DASP project include unchecked return values in low-level operations, denial of service, failures in the randomness programmed into a smart contract, front-running, time manipulation and short addresses. According to the collaborators of the DASP project, many of these failures are associated with the use of Solidity, one of the most popular programming languages used to create smart contracts on the Ethereum blockchain network.
Moreover, the project considers the possibility that, being in their early stages, Ethereum and its smart contracts are still vulnerable to other types of failures that are yet to be discovered. Even the contract verification process is still in development, which means there could be other vulnerabilities and failures waiting to be discovered.
As we can see, the top 10 list of the most significant smart contract failures may well grow until these cryptographic tools become mature and solid enough. Exposure to failure is part of the evolution of this innovative technology, which has brought many advantages and has a lot of potential.
NCC Group concludes with the following: “Ethereum is still in its infancy. The main language used to develop smart contracts, Solidity, has yet to reach a stable version and the ecosystem’s tools are still experimental. Some of the most damaging smart contract vulnerabilities surprised everyone, and there is no reason to believe there will not be another one that will be equally unexpected or equally destructive. As long as investors decide to place large amounts of money on complex but lightly-audited code, we will continue to see new discoveries leading to dire consequences. Methods of formally verifying smart contracts are not yet mature, but they seem to hold great promise as ways past today’s shaky status quo. As new classes of vulnerabilities continue to be found, developers will need to stay on their feet, and new tools will need to be developed to find them before the bad guys do. This top 10 will likely evolve rapidly until smart contract development reaches a state of steadiness and maturity.”