Since the debut of Bitcoin in 2009, its underlying technique, blockchain, has shown promising application prospects and attracted lots of attentions from academia and industry. Being the first cryptocurrency, Bitcoin was rated as the top performing currency in 2015 2 and the best performing commodity in 2016 3 , and has more than 300K confirmed transactions 4 daily in May, 2017. At the same time, the blockchain technique has been applied to many fields, including medicine ekblaw2016case ; azaria2016medrec ; yue2016healthcare , economics huckle2016internet ; bylica2015probabilistic ; hurich2016virtual , Internet of things dorri2017blockchain ; zhang2016iot ; sun2016blockchain , software engineering xu2016blockchain ; nordstrom2015personal ; czepluch2015use and so on. The introduction of Turing-complete programming languages to enable users to develop smart contracts running on the blockchain marks the start of blockchain 2.0 era. With the decentralized consensus mechanism of blockchain, smart contracts allow mutually distrusted users to complete data exchange or transaction without the need of any third-party trusted authority. Ethereum is now (May of 2017) the most widely used blockchain supporting smart contracts, where there are already 317,506 smart contracts and more than 75,000 transactions happened daily 6 .
Since blockchain is one of the core technology in FinTech (Financial Technology) industry, users are very concerned about its security. Some security vulnerabilities and attacks have been recently reported. Loi et al. discover that 8,833 out of 19,366 existing Ethereum contracts are vulnerable luu2016making . Note that smart contracts with security vulnerabilities may lead to financial losses. For instance, in June 2016, the criminals attacked the smart contract DAO 7 by exploiting a recursive calling vulnerability, and stole around 60 million dollars. As another example, in March 2014, the criminals exploited transaction mutability in Bitcoin to attack MtGox, the largest Bitcoin trading platform. It caused the collapse of MtGox, with a value of 450 million dollars Bitcoin stolen 8 .
Although there are some recent studies on the security of blockchain, none of them performs a systematic examination on the risks to blockchain systems, the corresponding real attacks, and the security enhancements. The closest research work to ours is atzeisurvey that only focuses on Ethereum smart contracts, rather than popular blockchain systems. From security programming perspective, their work analyzes the security vulnerabilities of Ethereum smart contracts, and provides a taxonomy of common programming pitfalls that may lead to vulnerabilities atzeisurvey . Although a series of related attacks on smart contracts are listed in atzeisurvey , there lacks a discussion on security enhancement. This paper focuses on the security of blockchain from more comprehensive perspectives. The main contributions of this paper are as follows:
(1). To the best of our knowledge, we conduct the first systematic examination on security risks to popular blockchain systems.
(2). We survey the real attacks on popular blockchain systems from 2009 to the present (May of 2017) and analyze the vulnerabilities exploited in these cases.
(3). We summarize practical academic achievements for enhancing the security of blockchain, and suggest a few future directions in this area.
The remainder of this paper is organized as follows. Section 2 introduces the main technologies used in blockchain systems. Section 3 systematically examines the security risks to blockchain, and Section 4 surveys real attacks on blockchain systems. After summarizing the security enhancements to blockchain in Section 5, we suggest a few future directions in Section 6. Finally, Section 7 concludes the paper.
2 Overview of Blockchain Technologies
This section introduces the main technologies employed in blockchain. We first present the fundamental trust mechanism (i.e., the consensus mechanism) used in blockchain, and then explain the synchronization process between nodes. After that, we introduce the two development stages of blockchain.
2.1 Consensus Mechanism
Being a decentralized system, blockchain systems do not need a third-party trusted authority. Instead, to guarantee the reliability and consistency of the data and transactions, blockchain adopts the decentralized consensus mechanism. In the existing blockchain systems, there are four major consensus mechanisms zheng2016blockchain : PoW (Proof of Work), PoS (Proof of Stake), PBFT (Practical Byzantine Fault Tolerance), and DPoS (Delegated Proof of Stake). Other consensus mechanisms, such as PoB (Proof of Bandwidth) 11 , PoET (Proof of Elapsed Time) 12 , PoA(Proof of Authority) poa and so on, are also used in some blockchain systems. The two most popular blockchain systems (i.e., Bitcoin and Ethereum) use the PoW mechanism. Ethereum also incorporates the PoA mechanism (i.e., Kovan public test chain Kovan ), and some other cryptocurrencies also use the PoS mechanism, such as PeerCoin, ShadowCash and so on.
PoW mechanism uses the solution of puzzles to prove the credibility of the data. The puzzle is usually a computationally hard but easily verifiable problem. When a node creates a block, it must resolve a PoW puzzle. After the PoW puzzle is resolved, it will be broadcasted to other nodes, so as to achieve the purpose of consensus, as shown in Fig.1.
In different blockchain systems, the block structure may vary in detail. Typically in Bitcoin, each block contains PrevHash, nonce, and Tx luu2017smart . In particular, PrevHash indicates the hash value of the last generated block, and Txs denote the transactions included in this block. The value of nonce is obtained by solving the PoW puzzle. A correct nonce should satisfy that the hash value shown in Equation 1 is less than a target value, which could be adjusted to tune the difficulty of PoW puzzle.
PoS mechanism uses the proof of ownership of cryptocurrency to prove the credibility of the data. In PoS-based blockchain, during the process of creating block or transaction, users are required to pay a certain amount of cryptocurrency. If the block or transaction created can eventually be validated, the cryptocurrency will be returned to the original node as a bonus. Otherwise, it will be fined. In the PoW mechanism, it needs a lot of calculation, resulting in a waste of computing power. On the contrary, PoS mechanism can greatly reduce the amount of computation, thereby increasing the throughput of the entire blockchain system.
2.2 Block Propagation and Synchronization
In the blockchain, each full node stores the information of all blocks. Being the foundation to building consensus and trust for blockchain, the block propagation mechanisms can be divided into the following categories wa14st2016security ; wa14st2016ethereum ; gervaissecurity :
(1). Advertisement-based propagation. This propagation mechanism is originated from Bitcoin. When node A receives the information of a block, A will send an inv message (a message type in Bitcoin) to its connected peers. When node B receives the inv message from A, it will do as follows. If node B already has the information of this block, it will do nothing. If node B does not have the information, it will reply to node A. When node A receives the reply message from node B, node A will send the complete information of this block to node B.
(2). Sendheaders propagation. This propagation mechanism is an improvement to the advertisement-based propagation mechanism. In the sendheaders propagation mechanism, node B will send a sendheaders message (a message type in Bitcoin) to node A. When node A receives the information of a block, it will send the block header information directly to node B. Compared with the advertisement-based propagation mechanism, node A does not need to send inv messages, and hence it speeds up the block propagation.
(3). Unsolicited push propagation. In the unsolicited push mechanism, after one block is mined, the miner will directly broadcast the block to other nodes. In this propagation mechanism, there is no inv message and sendheaders message. Compared with the previous two propagation mechanisms, unsolicited push mechanism can further improve the speed of block propagation.
(4). Relay network propagation. This propagation mechanism is an improvement to the unsolicited push mechanism. In this mechanism, all the miners share a transaction pool. Each transaction is replaced by a global ID, which will greatly reduce the broadcasted block size, thereby further reducing the network load and improving the propagation speed.
(5). Push/Advertisement hybrid propagation. This hybrid propagation mechanism is used in Ethereum. We assume that node A has n connected peers. In this mechanism, node A will push the block to peers directly. For the other connected peers, node A will advertise the block hash to them.
Different blockchain systems may use diverse block synchronization processes. In Ethereum, node A can request block synchronization from node B with more total difficulty. The specific process is as follows (shown in Fig.2) wa14st2016security ; wa14st2016ethereum ; gervaissecurity :
(1). Node A requests the header of the latest block from node B. This action is implemented by sending a GetBlockHeaders message. Node B will reply to node A a BlockHeaders message that contains the block header requested by A.
(2). Node A requests MaxHeaderFetch blocks to find common ancestor from node B. The default value of MaxHeaderFetch is 256, but the number of block headers sent by node B to A can be less than this value.
(3). If A has not found common ancestor after the above two steps, node A will continue to send GetBlockHeaders message, requesting one block header each time. Moreover, A repeats in binary search to find the common ancestor in its local blockchain.
(4). After node A discovers a common ancestor, A will request block synchronization from the common ancestor. In this process, A requests MaxHeaderFetch blocks per request, but the actual number of nodes sent from B to A can be less than this value.
2.3 Technology Development
From the birth of the first blockchain system Bitcoin, the blockchain technology has experienced two stages of development: blockchain 1.0 and blockchain 2.0.
In the blockchain 1.0 stage, the blockchain technology is mainly used for cryptocurrency. In addition to Bitcoin, there are many other types of cryptocurrencies, such as Litecoin, Dogecoin and so on. There are currently over 700 types of cryptocurrencies, and the total market capitalizations of them are over 26 billion US$ 19 . The technology stack of cryptocurrency could be divided into two layers: the underlying decentralized ledger layer and protocol layer swan2015blockchain . Cryptocurrency client, such as Bitcoin Wallet BitcoinWallet , runs in the protocol layer to conduct transactions, as shown in Fig.5 to Fig.5. Compared with traditional currency, cryptocurrency has the following characteristics and advantages 21 :
(1). Irreversible and traceable. Transfer and payment operations are irreversible using cryptocurrency. Once the behavior is completed, it is impossible to withdraw. In addition, all user behaviors are traceable, and these behaviors are permanently saved in the blockchain.
(2). Decentralized and anonymous. There is no third-party organization involved in the entire structure of cryptocurrency, nor does it has central management like banks. In addition, all user behaviors are anonymous. Hence, according to the transaction information, we cannot obtain the user’s real identity.
(3). Secure and permissionless. The security of the cryptocurrency is ensured by the public key cryptography and the blockchain consensus mechanism, which are hard to be broken by the criminal. Moreover, there is no need to apply for any authority or permission to use cryptocurrency. Users can simply use the cryptocurrency through the relevant clients.
(4). Fast and global. Transactions can be completed in only several minutes using cryptocurrency. Since cryptocurrencies are mostly based on public chains, anyone in the world can use them. Therefore, the user’s geographical location has little impact on the transaction speed.
|System||Contract language||Total TXs||Market Capitalization /M US$|
In blockchain 2.0 stage, smart contract is introduced so that developers can create various applications through smart contracts. A smart contract can be considered as a lightweight dAPP (decentralized application). Ethereum is a typical system of blockchain 2.0. Each Ethereum node runs an EVM (Ethereum Virtual Machine) that executes smart contracts. Besides Ethereum, several other blockchain systems also support smart contracts, whose information is listed in Table 1 bartoletti2017empirical . In Ethereum, developers can use a variety of programming languages to develop smart contracts, such as Solidity (the recommended language), Serpent, and LLL. Since these languages are Turing-complete, smart contracts can achieve rich functions. Fig.6 shows the process of smart contracts’ development, deployment and interaction. Each deployed smart contract corresponds to a unique address, through which users can interact with the smart contract through transactions by different clients (e.g., Parity, Geth, etc.). Since smart contracts can call each other through messages, developers can develop more feature-rich dAPPs based on available smart contracts. Compared with the traditional application, a dAPP has the following characteristics and advantages 22 :
(1). Autonomy. dAPPs are developed on the basis of smart contracts, and smart contracts are deployed and run on the blockchain. Hence, dAPPs can run autonomically without the need of any third party’s assistance and participation.
(2). Stable. The bytecodes of smart contracts are stored in the state tree of blockchain. Each full node saves the information of all blocks and stateDB, including the bytecodes of smart contracts. Hence, the failure of some nodes will not affect its operation. This mechanism ensures that dAPPs can run stably.
(3). Traceable. Since the invocation information of smart contracts is stored in the blockchain as transactions, all the behaviors of dAPPs are recorded and traceable.
(4). Secure. The public key cryptography and the blockchain consensus mechanism can ensure the security and correct operations of smart contracts, so as to maximize the security of dAPPs.
3 Risks to Blockchain
|Number||Risk||Cause||Range of Influence|
|3.1.1||51% vulnerability||Consensus mechanism||Blockchain1.0, 2.0|
|3.1.2||Private key security||Public-key encryption scheme|
|3.1.3||Criminal activity||Cryptocurrency application|
|3.1.4||Double spending||Transaction verification mechanism|
|3.1.5||Transaction privacy leakage||Transaction design flaw|
|3.2.1||Criminal smart contracts||Smart contract application||Blockchain2.0|
|3.2.2||Vulnerabilities in smart contract||Program design flaw|
|3.2.3||Under-optimized smart contract||Program writing flaw|
|3.2.4||Under-priced operations||EVM design flaw|
We divide the common blockchain risks into nine categories, as shown in Table 2, and detail the causes and possible consequence of each risk. The risks described in Section 3.1 exist in blockchain 1.0 and 2.0, and their causes are mostly related to the blockchain operation mechanism. By contrast, the risks introduced in Section 3.2 are unique to blockchain 2.0, and are usually resulted from the development, deployment, and execution of smart contracts.
3.1 Common Risks to Blockchain 1.0 and 2.0
3.1.1 51% Vulnerability
The blockchain relies on the distributed consensus mechanism to establish mutual trust. However, the consensus mechanism itself has 51% vulnerability, which can be exploited by attackers to control the entire blockchain. More precisely, in PoW-based blockchains, if a single miner’s hashing power accounts for more than 50% of the total hashing power of the entire blockchain, then the 51% attack may be launched. Hence, the mining power concentrating in a few mining pools may result in the fears of an inadvertent situation, such as a single pool controls more than half of all computing power. In Jan. 2014, after the mining pool ghash.io reached 42% of the total Bitcoin computing power, a number of miners voluntarily dropped out of the pool, and ghash.io issued a press statement to reassure the Bitcoin community that it would avoid reaching the 51% threshold 18 . In PoS-based blockchains, 51% attack may also occur if the number of coins owned by a single miner is more than 50% of the total blockchain. By launching the 51% attack, an attacker can arbitrarily manipulate and modify the blockchain information. Specifically, an attacker can exploit this vulnerability to conduct the following attacks 9 :
(1). Reverse transactions and initiate double spending attack (the same coins are spent multiple times).
(2). Exclude and modify the ordering of transactions.
(3). Hamper normal mining operations of other miners.
(4). Impede the confirmation operation of normal transactions.
3.1.2 Private Key Security
When using blockchain, the user’s private key is regarded as the identity and security credential, which is generated and maintained by the user instead of third-party agencies. For example, when creating a cold storage wallet in Bitcoin blockchain, the user must import his/her private key. Hartwig et al. mayerecdsa discover a vulnerability in ECDSA (Elliptic Curve Digital Signature Algorithm) scheme, through which an attacker can recover the user’s private key because it does not generate enough randomness during the signature process.
Once the user’s private key is lost, it will not be able to be recovered. If the private key is stolen by criminals, the user’s blockchain account will face the risk of being tampered by others. Since the blockchain is not dependent on any centralized third-party trusted institutions, if the user’s private key is stolen, it is difficult to track the criminal’s behaviors and recover the modified blockchain information.
3.1.3 Criminal Activity
Bitcoin users can have multiple Bitcoin addresses, and the address has no relationship with their real life identity. Therefore, Bitcoin has been used in illegal activities. Through some third-party trading platforms that support Bitcoin, users can buy or sell any product. Since this process is anonymous, it is hard to track user behaviors, let alone subject to legal sanctions. Some frequent criminal activities with Bitcoin include:
(1). Ransomware. The criminals often use ransomware for money extortion, and employ Bitcoin as trading currency. In July 2014, a ransomware named CTB-Locker 27 spread around the world by disguising itself as mail attachments. If the user clicks the attachment, the ransomware will run in the background of the system and encrypt about 114 types of each file ctblocker . The victim has to pay the attacker a certain amount of Bitcoin within 96 hours. Otherwise, the encrypted files will not be restored. In May 2017, another ransomware WannaCry (also named as WannaCrypt) 28 infected about 230,000 victims across 150 countries in two days. It exploited a vulnerability in Windows system to spread, and encrypted users’ files to ask for Bitcoin ransom.
(2). Underground market. Bitcoin is often used as the currency in the underground market. For example, Silk Road is an anonymous, international online marketplace that operates as a Tor hidden service and uses Bitcoin as its exchange currency christin2013traveling . The top 10 categories of items available in Silk Road are listed in Table 3 christin2013traveling . Most of the items sold in Silk Road are drugs, or some other controlled items in the real world. Since international transactions account for a significant proportion in Silk Road, Bitcoin makes the transaction in the underground market more convenient, which will cause harm to the social security.
(3). Money laundering. Since Bitcoin has the features like anonymity and network virtual payment and has been adopted by many countries, compared with other currencies, Bitcoin carries the lowest risk of being used for money laundering treasury2015uk . Cody et al. propose Dark Wallet 29 , a Bitcoin application that can make Bitcoin transaction completely stealth and private. Dark Wallet can encrypt transaction information and mix the user’s valid coins with chaff coins, and hence it can make money laundering much easier.
3.1.4 Double Spending
Although the consensus mechanism of blockchain can validate transactions, it is still impossible to avoid double spending karame2015misbehavior . Double spending refers to that a consumer uses the same cryptocurrency multiple times for transactions. For example, an attacker could leverage race attack for double spending. This kind of attack is relatively easy to implement in PoW-based blockchains, because the attacker can exploit the intermediate time between two transactions’ initiation and confirmation to quickly launch an attack. Before the second transaction is mined to be invalid, the attacker has already got the first transaction’s output, resulting in double spending.
Ghassan et al. karame2012double conduct an analysis of double spending against fast payment in Bitcoin, and propose an attack model, as shown in Fig.7. Assuming that an attacker knows the vendor’s address before the attack, to perform double spending, the attacker will send two transactions, and and choose the same BTCs (cryptocurrency in Bitcoin) as inputs for and . ’s recipient address is set to the targeted vendor’s address, and ’s recipient address is set to the colluding address controlled by the attacker. If the following three conditions are met, double spending will be successful: (1) is added to the wallet of the targeted vendor; (2) is mined as valid into the blockchain; (3) The attacker gets ’s output before the vendor detects misbehavior. If the attack is successful, will eventually be verified as an invalid transaction, and BTCs are really spent by . The attacker has received ’s output, which is the vendor’s normal service. Since ’s recipient address is controlled by the attacker, these BTCs are still owned by herself. In this double spending model, the attacker enjoys the service without paying any BTC.
3.1.5 Transaction Privacy Leakage
Since the users’ behaviors in the blockchain are traceable, the blockchain systems take measures to protect the transaction privacy of users. In the Bitcoin and Zcash, they use one-time accounts to store the received cryptocurrency. Moreover, the user needs to assign a private key to each transaction. In this way, the attacker cannot infer whether the cryptocurrency in different transactions is received by the same user. In Monero, users can include some chaff coins (called “mixins”) when they initiate a transaction so that the attacker cannot infer the linkage of actual coins spent by the transaction.
|Not deducible||Deducible||In total|
|Using newest TXO||15.07%||4.60%||19.67%|
|Not using newest TXO||22.61%||57.72%||80.33%|
Unfortunately, the privacy protection measures in blockchain are not very robust. Andrews et al. miller2017empirical empirically evaluate two linkability weaknesses in Monero’s mixin sampling strategy, and discover that 66.09% of all transactions do not contain any mixins. 0-mixin transaction will lead to the privacy leakage of its sender. Since users may use the outputs of 0-mixin transaction as mixins, these mixins will be deducible. Moreover, they study the sampling method of mixins and find that the selection of mixins is not really random. Newer TXOs (transaction outputs) tend to be used more frequently. They further discover that 62.32% of transaction inputs with mixins are deducible, as shown in Table 4 miller2017empirical . By exploiting these weaknesses in Monero, they can infer the actual transaction inputs with 80% accuracy.
3.2 Specific Risks to Blockchain 2.0
3.2.1 Criminal Smart Contracts
Criminals can leverage smart contracts for a variety of malicious activities, which may pose a threat to our daily life. CSCs (Criminal Smart Contracts) can facilitate the leakage of confidential information, theft of cryptographic keys, and various real-world crimes (e.g., murder, arson, terrorism, etc.) juels2015ring . Juels et al. propose an example of password theft CSC PwdTheft, whose process is shown in Fig.8 juels2015ring . PwdTheft can be exploited for a fair exchange between contractor C and perpetrator P. C will pay a reward to P if and only if P gives a valid password to C. The entire transaction process can be done without any third party trusted agencies involved. Since the smart contract deployed in blockchain cannot access network directly zhang2016town , in the actual work process of PwdTheft, it is combined with trusted hardware technology, such as Intel SGX (Software Guard eXtension), to prove the validity of the password through HTTPS (Hypertext Transfer Protocol Secure). SGX will create a trusted execution environment named enclave, which can protect the application from being attacked by others. Any privileged or unprivileged software cannot access the runtime environment of enclave. Furthermore, SGX can produce quote, a digitally signed attestation. Quote can get the hash value of the application run in enclave environment. Meanwhile, quote can access the relevant data during runtime of the application. The whole password exchange process is divided into three steps:
(1). PwdTheft provides , is the public key of C, and A is the target account for stealing.
(2). The application that runs in SGX, using the PW provided by P, logs on to the server account A by establishing an HTTPS connection.
(3). If the preceding steps are successful, the data ct, and will be transmitted to PwdTheft. ct = and = . is the signature private key of the application. is a quote that runs on P’s SGX-enabled host.
After PwdTheft receives ct, and , C can decrypt them to verify the data, and then decide whether a reward should be paid to P. In this process, in order to prevent P from changing the password maliciously after the data transmission to PwdTheft, they can add a timestamp in the data. In addition, PwdTheft can be easily extended for conducting other malicious activities. For example, criminals can leverage CSCs to make 0-day vulnerability transactions, which are critical cyber-weaponry juels2015ring .
3.2.2 Vulnerabilities in Smart Contract
|1||Call to the unknown||The called function does not exist||Contract source code|
|2||Out-of-gas send||Fallback of the callee is executed|
|3||Exception disorder||Irregularity in exception handling|
|4||Type casts||Type-check error in contract execution|
|5||Reentrancy vulnerability||Function is re-entered before termination|
|6||Field disclosure||Private value is published by the miner|
|7||Immutable bug||Alter a contract after deployment||EVM bytecode|
|8||Ether lost||Send Ether to an orphan address|
|9||Stack overflow||The number of values in stack exceeds 1024|
|10||Unpredictable state||State of the contract is changed before invoking||Blockchain mechanism|
|11||Randomness bug||Seed is biased by malicious miner|
|12||Timestamp dependence||Timestamp of block is changed by malicious miner|
As programs running in the blockchain, smart contracts may have security vulnerabilities caused by program defects. Nicola et al. atzeisurvey conduct a systematic investigation of 12 types of vulnerabilities in smart contract, as shown in Table 5. Loi et al. luu2016making propose a symbolic execution tool called Oyente to find 4 kinds of potential security bugs. They discover that 8,833 out of 19,366 Ethereum smart contracts are vulnerable. The details of these 4 bugs are as follows:
(1). Transaction-ordering dependence. Valid transactions can change the state of Ethereum blockchain from to :
. In every epoch, each miner proposes their own block to update the blockchain. Since a block may contain multiple transactions, blockchain statemay change multiple times within an epoch. When a new block contains two transactions and , which invoke the same smart contract, it may trigger this vulnerability. Because the execution of the smart contract is associated with state , the execution order of and affects the ultimate state. The order of transactions’ execution depends entirely on miners. In this case, TOD (Transaction-Ordering Dependent) contracts are vulnerable.
(2). Timestamp dependence. In the blockchain, every block has a timestamp. Some smart contracts’ trigger conditions depend on timestamp, which is set by the miner according to its local system time. If an attacker can modify it, timestamp-dependent contracts are vulnerable.
(3). Mishandled exceptions. This category of vulnerability may occur when different smart contracts are called from each other. When contract A calls contract B, if B runs abnormally, B will stop running and return false. In some invocations, contract A must explicitly check the return value to verify if the call has been executed properly. If A does not correctly check the exception information, it may be vulnerable.
(4). Reentrancy vulnerability. During the invocation of the smart contract, the actual state of the contract account is changed after the call is completed. An attacker can use the intermediate state to conduct repeated calls to the smart contract. If the invoked contract involves Ether transaction, it may result in illegal Ether stealing.
3.2.3 Under-Optimized Smart Contract
|1||Dead code||Useless-code related patterns|
|3||Expensive operations||Loop-related patterns|
|7||Comparison with unilateral outcome|
When a user interacts with a smart contract deployed in Ethereum, a certain amount of gas is charged. Gas can be exchanged with Ether, which is the cryptocurrency in Ethereum. Unfortunately, some smart contracts’ development and deployment are not adequately optimized. Chen et al. chen2017under identify 7 gas-costly patterns and group them into 2 categories (as shown in Table 6): useless-code related patterns, and loop-related patterns. They propose a tool named Gasper, which can automatically discover 3 gas-costly patterns in smart contracts: dead code, opaque predicate, and expensive operations in a loop. Leveraging Gasper, they find that more than 80% smart contracts deployed in Ethereum (4,240 real smart contracts) have at least one of these 3 patterns. The details are as follows:
(1). Dead code. It means that some operations in a smart contract will never be executed, but they will still be deployed into the blockchain. Since in the smart contract deployment process the consumption of gas is related to bytecode size, the dead code will cause additional gas consumption.
(2). Opaque predicate. For some statements in a smart contract, their execution results are always the same and will not affect other statements and the smart contract. The presence of the opaque predicate causes the EVM to execute useless operations, thereby consuming additional gas.
(3). Expensive operations in a loop. It refers to some expensive operations within a loop, which can be moved outside the loop to save gas consumption.
3.2.4 Under-Priced Operations
As mentioned earlier, each operation is set to a specific gas value in Ethereum, which can be queried in the yellow paper 26 . Ethereum sets the gas value based on the execution time, bandwidth, memory occupancy and other parameters. In general, the gas value is proportional to the computing resources consumed by the operation. However, it is difficult to accurately measure the consumption of computing resources of an individual operation, and therefore some gas values are not set properly. For example, some IO-heavy operations’ gas values are set too low, and hence these operations can be executed in quantity in one transaction. In this way, an attacker can initiate a DoS (Denial of Service) attack on Ethereum.
|Number||Operation||Old value||EIP150 value|
|6||SUICIDE (does not create account)||0||5,000|
|7||SUICIDE (creates an account)||0||25,000|
Actually, attackers have exploited the under-priced operation EXTCODESIZE to attack Ethereum 23 . When EXTCODESIZE is executed, it needs to read state information and then the node will read hard disk. Since the gas value of EXTCODESIZE is only 20, the attacker can call it more than 50,000 times in one transaction. This will cause the user to consume a lot of computing resources, and block synchronization will be significantly slower compared with the normal situation. As another example, some attackers exploited the under-priced operation SUICIDE to launch DoS attacks 24 . They exploited SUICIDE to create about 19 million empty accounts, which need to be stored in the state tree. This attack caused a waste of hard disk resources. At the same time, the node information synchronization and transaction processing speed are significantly decreased.
In order to solve the security problem caused by under-priced operations, the gas values of 7 IO-heavy operations are modified in EIP (Ethereum Improvement Proposal) 150 25 , as shown in Table 7. Note that EIP150 has already been implemented in the Ethereum public chain by hard fork, and the new gas table parameters are used after No.2463000 block.
4 Attack Cases
In this section, we survey real attacks on blockchain systems, and analyze the vulnerabilities exploited in these attacks.
4.1 Selfish Mining Attack
The selfish mining attack is conducted by attackers (i.e., selfish miners) for the purpose of obtaining undue rewards or wasting the computing power of honest miners SolatP16 . The attacker holds discovered blocks privately and then attempts to fork a private chain EyalS14. Afterwards, selfish miners would mine on this private chain, and try to maintain a longer private branch than the public branch because they privately hold more newly discovered blocks. In the meanwhile, honest miners continue mining on the public chain. New blocks mined by the attacker would be revealed when the public branch approaches the length of private branch, such that the honest miners end up wasting computing power and gaining no reward, because selfish miners publish their new blocks just before honest miners. As a result, the selfish miners gain a competitive advantage, and honest miners would be incentivized to join the branch maintained by selfish miners. Through a further consolidation of mining power into the attacker’s favor, this attack undermines the decentralization nature of blockchain.
Ittay et al. EyalS14 propose an attack strategy named Selfish-Mine, which can force the honest miners to perform wasted computations on the stale public branch. In the initial circumstance of Selfish-Mine, the length of the public chain and private chain are the same. The Selfish-Mine involves the following three scenarios:
(1). The public chain is longer than the private chain. Since the computing power of selfish miners may be less than that of the honest miners, selfish miners will update the private chain according to the public chain, and in this scenario, selfish miners cannot gain any reward.
(2). Selfish miners and honest miners almost simultaneously find the first new block. In this scenario, selfish miners will publish the newly discovered block, and there will be two concurrently forks of the same length. Honest miners will mine in either of the two branches, while selfish miners will continue to mine on the private chain. If selfish miners firstly find the second new block, they will publish this block immediately. At this point, selfish miners will gain two blocks’ rewards at the same time. Because the private chain is longer than the public chain, the private chain will be the ultimate valid branch. If honest miners firstly find the second new block and this block is written to the private chain, selfish miners will gain the first new block’ rewards, and honest miners will gain the second new block’ rewards. Otherwise, if this block is written to the public block, honest miners will gain these two new blocks’ rewards, and selfish miners will not gain any reward.
(3). After selfish miners find the first new block, they also find the second new block. In this scenario, selfish miners will hold these two new blocks privately, and they continue to mine new blocks on the private chain. When the first new block is found by honest miners, selfish miners will publish its own first new block. When honest miners find the second new block, the selfish miners will immediately publish its own second new block. Then selfish miners will follow this response in turn, until the length of the public chain is only 1 greater than the private chain, after which the selfish miners will publish its last new block before honest miners find this block. At this point, the private chain will be considered valid, and consequently selfish miners will gain the rewards of all new blocks.
4.2 DAO Attack
|Number||Attack case||Related vulnerabilities|
|1||King of the Ether throne||
|2||Multi-player games||Field disclosure|
|3||Rubixi attack||Immutable bug|
|5||Dynamic libraries attack||Unpredictable state|
The DAO is a smart contract deployed in Ethereum on 28th May of 2016, which implements a crowd-funding platform. The DAO contract was attacked only after it has been deployed for 20 days. Before the attack happened, DAO has already raised 150 million US$, which is the biggest crowdfund ever. The attacker stole about 60 million US$.
The attacker exploited the reentrancy vulnerability in this case. Firstly, the attacker publishes a malicious smart contract, which includes a withdraw() function call to DAO in its callback function. The withdraw() will send Ether to the callee, which is also in the form of call. Therefore, it will invoke the callback function of the malicious smart contract again. In this way, the attacker is able to steal all the Ether from DAO. There are some other cases that exploit smart contracts’ vulnerabilities (described in Section 3.2.2), which are listed in Table 8 atzeisurvey .
4.3 BGP Hijacking Attack
BGP (Border Gateway Protocol) is a de-facto routing protocol and regulates how IP packets are forwarded to their destination. To intercept the network traffic of blockchain, attackers either leverage or manipulate BGP routing. BGP hijacking typically requires the control of network operators, which could potentially be exploited to delay network messages. Maria et al. ApostolakiZV16 comprehensively analyze the impact of routing attacks, including both node-level and network-level attacks, on Bitcoin, and show that the number of the successfully to-be-hijacked Internet prefixes depends on the distribution of mining power. Because of the high centralization of some Bitcoin mining pools, if they are attacked by BGP hijacking, it will have a significant effect. The attackers can effectively split the Bitcoin network, or delay the speed of block propagation.
Attackers conduct BGP hijacking to intercept Bitcoin miners’ connections to a mining pool server, as analyzed by Dell SecureWorks in 2014 BGPHijacking
. By rerouting traffic to a mining pool controlled by the attacker, it was possible to steal cryptocurrency from the victim. This attack collected an estimated 83,000 US$ of cryptocurrency over a two month period. Since the BGP security extensions are not widely deployed, network operators have to rely on monitoring systems, which would report rogue announcements, such as BGPMon4804446 . However, even if an attack is detected, solving a hijacking still cost hours as it is a human-driven process consisting of altering configuration or disconnecting the attacker. For example, YouTube ever took about three hours to resolve a hijacking of its prefixes by a Pakistani ISP (Internet Service Provider) Youtube .
4.4 Eclipse Attack
|1||Engineering block races||Wasting mining power on orphan blocks|
|2||Splitting mining power||51% vulnerability may be triggered|
|3||Selfish mining||Attacker can gain more than normal mining rewards|
|4||0-confirmation double spend||The vendor would not get rewards for its service|
|5||N-confirmation double spend|
The eclipse attack allows an attacker to monopolize all of the victim’s incoming and outgoing connections, which isolates the victim from the other peers in the network SinghNDW06 . Then, the attacker can filter the victim’s view of the blockchain, or let the victim cost unnecessary computing power on obsolete views of the blockchain. Furthermore, the attacker is able to leverage the victim’s computing power to conduct its own malicious acts. Ethan et al. HeilmanKZG15 consider two types of eclipse attack on Bitcoin’s peer-to-peer network, namely botnet attack and infrastructure attack. The botnet attack is launched by bots with diverse IP address ranges. The infrastructure attack models the threat from an ISP, company or nation-state that has contiguous IP addresses. The Bitcoin network might suffer from disruption and a victim’s view of the blockchain will be filtered due to the eclipse attack. Additionally, the eclipse attack is a useful basis for other attacks, as shown in Table 9 HeilmanKZG15 .
4.5 Liveness Attack
Aggelos et al. KiayiasP16 propose the liveness attack, which is able to delay as much as possible the confirmation time of a target transaction. They also present two instantiations of such attack on Bitcoin and Ethereum. Liveness attack consists of three phases, namely attack preparation phase, transaction denial phase, and blockchain retarder phase (shown in Fig.9):
(1). Attack preparation phase. Just like selfish mining attack, an attacker builds advantage over honest miners in some way before the target transaction TX is broadcasted to the public chain. The attacker builds the private chain, which is longer than the public chain.
(2). Transaction denial phase. The attacker privately holds the block that contains TX, in order to prevent TX from being written into the public chain.
(3). Blockchain retarder phase. In the growth process of the public chain, TX will no longer be able to be privately held in a certain time. In this case, the attacker will publish the block that contains TX. In some blockchain systems, when the depth of the block that contains TX is greater than a constant, TX will be regarded valid. Therefore, the attacker will continue building private chain in order to build an advantage over the public chain. After that, the attacker will publish her privately held blocks into public chain in proper time to slow down the growth rate of public chain. The liveness attack will end when TX is verified as valid in the public chain.
4.6 Balance Attack
Christopher et al. NatoliG16a
propose the balance attack against PoW-based blockchain, which allows a low-mining-power attacker to momently disrupt communications between subgroups with similar mining power. They abstract blockchain into a DAG (Directed Acyclic Graph) tree, in which DAG =. are the nodes indicating blocks’ information, and they are connected through directed edges
. After introducing a delay between correct subgroups of equivalent mining power, the attacker issues transactions in one subgroup (called “transaction subgroup”) and mines blocks in another subgroup (called “block subgroup”), to guarantee that the tree of block subgroup outweighs the tree of transaction subgroup. Even though the transactions are committed, the attacker is able to outweigh the tree containing this transaction and rewrite blocks with high probability.
The balance attack inherently violates the persistence of the main branch prefix and allows double spending. The attacker needs to identify the merchant-involved subgroup and create transactions to purchase goods from those merchants. Thereafter, the attacker issues transactions to this subgroup and propagates the mined blocks to the rest nodes of the group. As long as the merchant ships goods, the attacker stops delaying messages. With a high probability that the DAG tree seen by the merchant is outweighed by another tree, the attacker could successfully reissue another transaction using exactly the same coins. Balance attack proves that PoW-based blockchain is block oblivious. That is, when writing a transaction into the main chain, there is a certain probability that the attacker can override or delete the block containing this transaction. In the related experiment, the authors configure an Ethereum private chain with equivalent parameters of R3 consortium r3 , and showed that they can successfully carry out the balance attack, which only needs to control about 5% of total computing power.
5 Security Enhancements
In this section, we summarize security enhancements to blockchain systems, which can be used in the development of blockchain systems.
As described in Section 3.1.1, there already has mining pool with more than 40% of total computing power of blockchain. This poses a serious threat to the decentralization nature, making blockchain vulnerable to several kinds of attacks. Loi et al. luu2017smart propose a novel mining pool system named SmartPool, whose workflow is shown in Fig.10. SmartPool gets the transactions from Ethereum node clients (i.e., parity Parity or geth Geth ), which contain mining tasks information. Then, the miner conducts hashing computation based on the tasks and returns the completed shares to the smartpool client. When the number of the completed shares reaches to a certain amount, they will be committed to smartpool contract, which is deployed in Ethereum. The smartpool contract will verify the shares and deliver rewards to the client. Compared with the traditional P2P pool, SmartPool system has the following advantages:
(1). Decentralized. The core of the SmartPool is implemented in the form of smart contract, which is deployed in blockchain. Miners need first connect to Ethereum to mine through the client. Mining pool can rely on Ethereum’s consensus mechanism to run. In this way, it ensures decentralization nature of pool miners. The mining pool state is maintained by Ethereum and no longer requires a pool operator.
(2). Efficiency. Miners can send the completed shares to the smartpool contract in batches. Furthermore, miners only need to send part of shares to be verified, not all shares. Hence, SmartPool is more efficient than the P2P pool.
(3). Secure. SmartPool leverages a novel data structure, which can prevent the attacker from resubmitting shares in different batches. Furthermore, the verification method of SmartPool can guarantee that honest miners will gain expected rewards even there exist malicious miners in the pool.
5.2 Quantitative Framework
There exist tradeoffs between blockchain’s performance and security. Arthur et al. GervaisKWGRC16 propose a quantitative framework, which is leveraged to analyze PoW-based blockchain’s execution performance and security provisions. As shown in Fig.11
, the framework has two components: blockchain stimulator and security model. The stimulator mimics blockchain’s execution, whose inputs are parameters of consensus protocol and network. Through the simulator’s analysis, it can gain performance statistics of the target blockchain, including block propagation times, block sizes, network delays, stale block rate, throughput, etc. The stale block refers to a block that is mined but not written to the public chain. The throughput is the number of transactions that the blockchain can handle per second. Stale block rate will be passed as a parameter to the security model component, which is based on MDP (Markov Decision Processes) for defeating double spending and selfish mining attacks. The framework eventually outputs optimal adversarial strategy against attacks, and facilitates building security provisions for the blockchain.
Loi et al. luu2016making propose Oyente to detect bugs in Ethereum smart contracts. Oyente leverages symbolic execution to analyze the bytecode of smart contracts and it follows the execution model of EVM. Since Ethereum stores the bytecode of smart contracts in its blockchain, Oyente can be used to detect bugs in deployed contracts.
Fig.12 shows Oyente’s architecture and execution process. It takes the smart contract’s bytecode and Ethereum global state as inputs. Firstly, based on the bytecode, CFG BUILDER will statically build CFG (Control Flow Graph) of smart contract. Then, according to Ethereum state and CFG information, EXPLORER conducts simulated execution of smart contract leveraging static symbolic execution. In this process, CFG will be further enriched and improved because some jump targets are not constants; instead, they should be computed during symbolic execution. The CORE ANALYSIS module uses the related analysis algorithms to detect four different vulnerabilities (described in Section 3.2.2). The VALIDATOR module validates the detected vulnerabilities and vulnerable paths. Confirmed vulnerability and CFG information will finally be output to the VISUALIZER module, which can be employed by users to carry out debugging and program analysis. Currently, Oyente is open source for public use Oyente .
As described in Section 3.1.5, privacy leakage is a serious threat to blockchain. In the era of blockchain 2.0, not only transactions but also contract-related information are public, such as contract’s bytecode, invoking parameters, etc.
Ahmed et al. kosba2016hawk propose Hawk, a novel framework for developing privacy-preserving smart contracts. Leveraging Hawk, developers can write private smart contracts, and it is not necessary for them to use any code encryption or obfuscation techniques. Furthermore, the financial transaction’s information will not be explicitly stored in blockchain. When programmers develop Hawk contract, the contract can be divided into two parts: private portion, and public portion. The private data and financial function related codes can be written into the private portion, and codes that do not involve private information can be written into the public portion. The Hawk contract is compiled into three pieces. (1). The program that will be executed in all virtual machines of nodes, just like smart contracts in Ethereum. (2). The program that will only be executed by the users of smart contracts. (3). The program that will be executed by the manager, which is a special trustworthy party in Hawk. The Hawk manager is executed in Intel SGX enclave (described in Section 3.1.3), and it can see the privacy information of the contract but will not disclose it. Hawk can not only protect privacy against the public, but also protect the privacy between different Hawk contracts. If the manager aborts the protocol of Hawk, it will be automatically financially penalized, and the users will gain compensation. Overall, Hawk can largely protect the privacy of users when they are using blockchains.
5.5 Town Crier
Smart contract often needs to interact with off-chain (i.e., external) data source. Zhang et al. zhang2016town propose TC (Town Crier), which is an authenticated data feed system for this data interaction process. Since the smart contract deployed in blockchain cannot access network directly, they cannot get data through HTTPS. TC exactly acts as a bridge between HTTPS-enabled data source and smart contracts. The basic architecture of TC is shown in Fig.13. TC contract is the front end of the TC system, which acts as API between users’ contracts and TC server. The core program of TC is running in Intel SGX enclave (described in Section 3.1.3). The main function of the TC server is to obtain the data requests from users’ contracts, and obtain the data from target HTTPS-enabled websites. Finally, the TC server will return a datagram to the users’ contracts in the form of digitally signed blockchain messages.
TC can largely protect the security of the data requesting process. The core modules of TC are respectively running on decentralized Ethereum, SGX-enabled enclave, and HTTPS-enabled website. Furthermore, the enclave disables the function of network connection to maximize its security. Relay module is designed as a network communication hub for smart contracts, SGX enclave environment, and data source websites. Therefore, it achieves isolation between network communication and the execution of TC’s core program. Even if the Relay module is attacked, or the network communication packets are tampered, it will not change the normal function of TC. TC system provides a robust security model for the smart contracts’ off-chain data interaction, and it has already been launched online as a public service 30 .
6 Future Directions
Based on the above systematic examination on the security of current blockchain systems, we list a few future directions to stir up research efforts into this area. First, nowadays the most popular consensus mechanism used in blockchain is PoW. However, a major disadvantage of PoW is the waste of computing resources. To solve this problem, Ethereum is trying to develop a hybrid consensus mechanism of PoW and PoS. Conducting researches and developing more efficient consensus mechanisms will make a significant contribution to the development of blockchain. Second, with the growth of the number of feature-rich dAPPs, the privacy leakage risk of blockchain will be more serious. A dAPP itself, as well as the process of communication between the dAPP and Internet, are both faced with privacy leakage risks. There are some interesting techniques that can be applied in this problem: code obfuscation, application hardening, execution trusted computing (e.g., Intel SGX), etc. Third, the blockchain will produce a lot of data, including block information, transaction data, contract bytecode, etc. However, not all of the data stored in blockchain is valid. For example, a smart contract can erase its code by SUICIDE or SELFDESTRUCT, but the address of the contract will not be erased. In addition, there are a lot of smart contracts containing no code or totally the same code in Ethereum, and many smart contracts are never be executed after its deployment. An efficient data cleanup and detection mechanism is desired to improve the execution efficiency of blockchain systems.
In this paper, we focus on the security issues of blockchain technology. By studying the popular blockchain systems (e.g., Ethereum, Bitcoin, Monero, etc.), we conduct a systematic examination on the security risks to blockchain. For each risk or vulnerability, we analyze its causes and possible consequence. Furthermore, we survey the real attacks on the blockchain systems, and analyze the vulnerabilities exploited in these attacks. Finally, we summarize blockchain security enhancements and suggest a few future directions in this area.
This work is supported in part by the National Science Foundation of China (No.61471228), the Key Project of Guangdong Province Science & Technology Plan (No.2015B020233018), the National Natural Science Foundation of China (No.61402080, No.61572115, No.61502086, No.61572109), and China Postdoctoral Science Foundation founded project (No.2014M562307).
J. DESJARDINS, It’s official: Bitcoin was the top performing currency of 2015 (2016).
J. Adinolfi, And 2016’s best-performing commodity is … bitcoin? (2016).
blockchain.info, Confirmed transactions per day (2017).
A. Ekblaw, A. Azaria, J. D. Halamka, A. Lippman, A case study for blockchain in healthcare: “medrec” prototype for electronic health records and medical research data (2016).
- (5) A. Azaria, A. Ekblaw, T. Vieira, A. Lippman, Medrec: Using blockchain for medical data access and permission management, in: International Conference on Open and Big Data (OBD), 2016, pp. 25-30.
- (6) X. Yue, H. Wang, D. Jin, M. Li, W. Jiang, Healthcare data gateways: Found healthcare intelligence on blockchain with novel privacy risk control, in: Journal of medical systems, 2016, p. 218.
- (7) S. Huckle, R. Bhattacharya, M. White, N. Beloff, Internet of things, blockchain and shared economy applications, in: Procedia Computer Science, Vol. 98, 2016, pp. 461-466.
P. Bylica, L. Gle´n, P. Janiuk, A. Skrzypczak, A. Zaw locki, A probabilistic nanopayment scheme for golem, 2015.
- (9) P. Hurich, The virtual is real: An argument for characterizing bitcoins as private property, in: Banking & Finance Law Review, Vol. 31, Carswell Publishing, 2016, p. 573.
- (10) A. Dorri, S. S. Kanhere, R. Jurdak, P. Gauravaram, Blockchain for iot security and privacy: The case study of a smart home, in: IEEE Percom workshop on security privacy and trust in the internet of thing, 2017.
- (11) Y. Zhang, J. Wen, The iot electric business model: Using blockchain technology for the internet of things, in: Peer-to-Peer Networking and Applications, 2016, pp. 1-12.
- (12) J. Sun, J. Yan, K. Z. Zhang, Blockchain-based sharing services: What blockchain technology can contribute to smart cities, in: Financial Innovation, 2016, p. 26.
- (13) X. Xu, C. Pautasso, L. Zhu, V. Gramoli, A. Ponomarev, A. B. Tran, S. Chen, The blockchain as a software connector, in: The 13th Working IEEE/IFIP Conference on Software Architecture, 2016.
- (14) E.Nordström, Personal clouds: Concedo, Master’s thesis, Lulea University of Technology (2015).
- (15) J. S. Czepluch, N. Z. Lollike, S. O. Malone, The use of block chain technology in different application domains, in: The IT University of Copenhagen, Copenhagen, 2015.
- (16) Ethereum, Etherscan: The ethereum block explorer (2017).
- (17) L. Luu, D.-H. Chu, H. Olickel, P. Saxena, A. Hobor, Making smart contracts smarter, in: The ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 254-269.
V. Buterin, Critical update re: Dao vulnerability (2016).
J. Adelstein, Behind the biggest bitcoin heist in history: Inside the implosion of mt.gox (2016).
- (20) N. Atzei, M. Bartoletti, T. Cimoli, A survey of attacks on ethereum smart contracts (sok), in: International Conference on Principles of Security and Trust, 2017, pp. 164-186.
- (21) Z. Zheng, S. Xie, H.-N. Dai, H. Wang, Blockchain challenges and opportunities: A survey, in: International Journal of Web and Grid Services, 2016.
M. Ghosh, M. Richardson, B. Ford, R. Jansen, A torpath to torcoin, proof-of-bandwidth altcoins for compensating relays (2014).
Intel, Proof of elapsed time (poet) (2017).
P. technologies, Proof of authority chains (2017).
E. community, Kovan - stable ethereum public testnet (2017).
- (26) L. Luu, Y. Velner, J. Teutsch, P. Saxena, Smart pool: Practical decentralized pooled mining, in: USENIX Security Symposium, 2017.
- (27) Karl, Security of blockchain technologies, Ph.D. thesis, Swiss Federal Institute of Technology (2016).
Karl, Ethereum eclipse attacks, 2016.
- (29) A. Gervais, G. O. Karame, K. Wüst, V. Glykantzis, H. Ritzdorf, S. Capkun, On the security and performance of proof of work blockchains, in: The 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 3-16.
CoinMarketCap, Cryptocurrency market capitalizations (2017).
- (31) M. Swan, Blockchain: Blueprint for a new economy, O’Reilly Media, 2015.
B. L. S.A., Bitcoin wallet (2017).
BlockGeeks, What is cryptocurrency: Everything you need to know (2016).
- (34) M. Bartoletti, L. Pompianu, An empirical analysis of smart contracts: platforms, applications, and design patterns, in: 1st Workshop on Trusted Smart Contracts, 2017.
BlockGeeks, Smart contracts: The blockchain technology that will replace lawyers (2016).
N. Hajdarbegovic, Bitcoin miners ditch ghash.io pool over fears of 51% attack (2014).
Dean, 51% attack (2015).
H. Mayer, Ecdsa security in bitcoin and ethereum: a research survey, 2016.
S. Alliance, Know your ransomware: Ctb-locker (2017).
S. news, The current state of ransomware: Ctb-locker (2015).
Wikipedia, Wannacry ransomware attack (2017).
- (42) N. Christin, Traveling the silk road: A measurement analysis of a large anonymous online marketplace, in: The 22nd international conference on World Wide Web, 2013, pp. 213-224.
H. Treasury, Uk national risk assessment of money laundering and terrorist financing (2015).
W. Cody, T. Amir, Darkwallet (2017).
- (45) G. O. Karame, E. Androulaki, M. Roeschlin, A. Gervais, S. Capkun, Misbehavior in bitcoin: A study of double-spending and accountability, in: ACM Transactions on Information and System Security, 2015.
- (46) G. O. Karame, E. Androulaki, S. Capkun, Double-spending fast payments in bitcoin, in: Proceedings of the ACM conference on Computer and communications security, 2012, pp. 906-917.
- (47) A. Miller, M. Möser, K. Lee, A. Narayanan, An empirical analysis of linkability in the monero blockchain, in: arXiv preprint:1704.04299, 2017.
- (48) A. Juels, A. Kosba, E. Shi, The ring of gyges: Investigating the future of criminal smart contracts, in: The ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 283-295.
- (49) F. Zhang, E. Cecchetti, K. Croman, A. Juels, E. Shi, Town crier: An authenticated data feed for smart contracts, in: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 270-282.
- (50) T. Chen, X. Li, X. Luo, X. Zhang, Under-optimized smart contracts devour your money, in: IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), 2017, pp. 442-446.
E. community, The “yellow paper”: Ethereum’s formal specification (2017).
Gautham, Ethereum network comes across yet another dos attack (2016).
B. Rivlin, Vitalik buterin on empty accounts and the ethereum state (2016).
E. community, Long-term gas cost changes for io-heavy operations to mitigate transaction spam attacks (2016).
- (55) S. Solat, M. Potop-Butucaru, Zeroblock: Preventing selfish mining in bitcoin, Ph.D. thesis, University of Paris (2016).
- (56) I. Eyal, E. G. Sirer, Majority is not enough: Bitcoin mining is vulnerable, in: Financial Cryptography and Data Security - 18th International Conference, Lecture Notes in Computer Science, 2014, pp. 436-454.
- (57) M. Apostolaki, A. Zohar, L. Vanbever, Hijacking bitcoin: Routing attacks on cryptocurrencies, in: IEEE Symposium on Security and Privacy, 2017, pp. 375-392.
D. SecureWorks, BGP hijacking for cryptocurrency profit (2014).
- (59) H. Yan, R. Oliveira, K. Burnett, D. Matthews, L. Zhang, D. Massey, BGPmon: A real-time, scalable, extensible monitoring system, in: Cybersecurity Applications Technology Conference for Homeland Security, 2009, pp. 212-223.
D. Research, Pakistan hijacks youtube (2008).
- (61) A. Singh, T. Ngan, P. Druschel, D. S. Wallach, Eclipse attacks on overlay networks: Threats and defenses, in: 25th IEEE International Conference on Computer Communications, Joint Conference of the IEEE Computer and Communications Societies, 2006.
- (62) E. Heilman, A. Kendler, A. Zohar, S. Goldberg, Eclipse attacks on bitcoin’s peer-to-peer network, in: 24th USENIX Security Symposium, 2015, pp. 129-144.
A. Kiayias, G. Panagiotakos, On trees, chains and fast transactions in the blockchain, 2016.
- (64) C. Natoli, V. Gramoli, The balance attack against proof-of-work blockchains: The r3 testbed as an example, in: arXiv preprint:1612.09426, 2016.
R. consortium, R3 (2017).
P. technologies, Parity (2017).
E. community, Official go implementation of the ethereum protocol (2017).
- (68) A. Gervais, G. O. Karame, K. W¨ust, V. Glykantzis, H. Ritzdorf, S. Capkun, On the security and performance of proof of work blockchains, in: The ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 3-16.
L. Luu, D. Chu, H. Olickel, P. Saxena, A. Hobor, Oyente: An analysis tool for smart contracts (2016).
- (70) A. Kosba, A. Miller, E. Shi, Z. Wen, C. Papamanthou, Hawk: The blockchain model of cryptography and privacy-preserving smart contracts, in: IEEE Symposium on Security and Privacy, 2016, pp. 839-858.
F. Zhang, E. Cecchetti, K. Croman, A. Juels, E. Shi, Town crier (2017).