What is a smart contract?

The Ethereum blockchain stores small, self-executing pieces of code that run outside an average user's attention. When a user sends a transaction, the relevant smart contracts activate and run once the mining process begins. The code that drives these programs lives on the blockchain itself; it is irrelevant to most users and, often, may never even get published. Since these programs are so small, it is hard to pinpoint smart contracts and research their source code, which means that until a catastrophe occurs, it is unlikely that you will discover a vulnerability.

Well, maybe you won't, but the user "DevOps199" sure did: after 'accidentally' discovering a vulnerable smart contract on the Ethereum blockchain, he was able to withhold approximately $150 million that belonged to other coin owners. Now how about that? Wouldn't you like to know where to search for those vulnerable smart contracts on the Ethereum blockchain, huh?

Unis to the rescue

After that incident, a massive research effort on the Ethereum blockchain was initiated. Professionals from University College London, the National University of Singapore, and Yale-NUS College in Singapore analysed and tested every corner of the Ethereum smart contract universe. In the end, they pinpointed 32,400 vulnerable smart contracts among a million of them; the estimated worth of 3,000 such smart contracts exceeded $6 million. The most depressing discovery was that attempts to find and reproduce the flagged vulnerabilities were 89 percent successful! FYI: there are a lot of articles explaining why one has to order smart contract audits. Unfortunately, they are disregarded until the catastrophe takes place.

How to block out those sweet coins?

Illya Sergey assures the public that copying the success of DevOps199 will now be excruciatingly hard, especially after the research and the amendments it prompted in relation to smart contracts on the Ethereum blockchain. However, since smart contracts are so irrelevant to users, self-executing, not always published, hard to trace to their source code, and cannot be amended by a user in an application arbitrarily at a whim, such vulnerabilities most likely still exist. Despite Sergey's comforting statements (he, btw, happens to be an assistant professor in computer science at UCL), his speculations on the topic will most likely give goosebumps to every coin owner out there.

In particular, Sergey shares that one may create a private fork and practice there until they find the right sequence to pinpoint and use a vulnerable smart contract. One may copy the Ethereum blockchain to the desired extent and start testing it locally. After running multiple variations of smart contract interactions, you may stumble upon a certain combination that hits that vulnerability, which may then be used on the real blockchain to block out coins. The flagged vulnerability may become either your or someone else's gold mine.

Back to being serious

The researchers attempted to locate the creators of such vulnerable smart contracts but failed to do so. Even worse, DevOps199 executed his scheme on the Parity wallet, whose maintainers had been warned about the vulnerability months before. Oftentimes, companies won't react swiftly to such complaints or alerts, deeming them too petty to pose real harm. Not until $150 million falls into a fraudulent scheme on their blockchain, of course. Learn about other cases of hacking smart contracts here.

Despite the above sounding like an easy scheme to execute, it obviously is not. If it were that simple, a few ultra-talented hackers would have split the whole Ethereum blockchain among themselves already. It takes a coincidence of exceptional hacker skills and luck to create even the possibility of finding such a vulnerable smart contract. Even then, there is no guarantee of successfully turning the discovery to one's favor.

Analyze your blockchain wisely, guys, and keep those coins safe! ;)

Contact Hacken to ensure your smart contracts' security according to modern standards and within tight deadlines.