The ICO gold rush in DApps (pronounced DEE-Apps, short for Distributed Applications) has generated over $1B in 2017 alone, and shows no sign of letting up. Unfortunately, many of those DApps are built using the Solidity language (or another Turing Complete language) and thus are fundamentally insecure. That’s the finding by two different groups of security researchers who published papers on this topic.
“Making Smart Contracts Smarter” by Loi Luu, Duc-Hiep Chu, Hrisi Olickel, Prateek Saxena, and Aquinas Hobor
“A survey of attacks on Ethereum smart contracts” by Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli
The paper by Luu, et al was published in 2016 and described a tool that the authors built called OYENTE which revealed potential security bugs that would allow an adversary to “manipulate smart contract execution to gain profit.” The researchers ran it against 19,366 existing Ethereum contracts and OYENTE flagged 8,853 of them as vulnerable including TheDAO that suffered a security breach so large (worth approximately $50M) that the Ethereum Foundation took the controversial step of hard-forking the blockchain so that the stolen funds became useless.
The Atzei, et al paper was published in 2017 and provided a vulnerability taxonomy of the Solidity language; the principal programming language used for building DApps on the Ethereum network. Here’s one that caught my eye -IMMUTABLE BUGS Once a contract is published on the blockchain, it can no longer be altered. Hence, users can trust that if the contract implements their intended functionality, then its runtime behaviour will be the expected one as well, since this is ensured by the consensus protocol. The drawback is that if a contract contains a bug, there is no direct way to patch it. (emphasis added)
Hmmm, no way to patch a discovered vulnerability? Woo Hoo! Let’s build a multi-million dollar IC...