DeepAI AI Chat
Log In Sign Up

Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts

by   Nikolay Ivanov, et al.

Ethereum holds multiple billions of U.S. dollars in the form of Ether cryptocurrency and ERC-20 tokens, with millions of deployed smart contracts algorithmically operating these funds. Unsurprisingly, the security of Ethereum smart contracts has been under rigorous scrutiny. In recent years, numerous defense tools have been developed to detect different types of smart contract code vulnerabilities. When opportunities for exploiting code vulnerabilities diminish, the attackers start resorting to social engineering attacks, which aim to influence humans – often the weakest link in the system. The only known class of social engineering attacks in Ethereum are honeypots, which plant hidden traps for attackers attempting to exploit existing vulnerabilities, thereby targeting only a small population of potential victims. In this work, we explore the possibility and existence of new social engineering attacks beyond smart contract honeypots. We present two novel classes of Ethereum social engineering attacks - Address Manipulation and Homograph - and develop six zero-day social engineering attacks. To show how the attacks can be used in popular programming patterns, we conduct a case study of five popular smart contracts with combined market capitalization exceeding 29 billion, and integrate our attack patterns in their source codes without altering their existing functionality. Moreover, we show that these attacks remain dormant during the test phase but activate their malicious logic only at the final production deployment. We further analyze 85,656 open-source smart contracts, and discover that 1,027 of them can be used for the proposed social engineering attacks. We conduct a professional opinion survey with experts from seven smart contract auditing firms, corroborating that the exposed social engineering attacks bring a major threat to the smart contract systems.


page 1

page 2

page 3

page 4


Et tu, Blockchain? Outsmarting Smart Contracts via Social Engineering

We reveal six zero-day social engineering attacks in Ethereum, and subdi...

The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts

In recent years, Ethereum gained tremendously in popularity, growing fro...

Abusing the Ethereum Smart Contract Verification Services for Fun and Profit

Smart contracts play a vital role in the Ethereum ecosystem. Due to the ...

Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks

Recently, a number of existing blockchain systems have witnessed major b...

A Comprehensive Survey of Upgradeable Smart Contract Patterns

In this work, we provide a comprehensive survey of smart contract upgrad...

TokenHook: Secure ERC-20 smart contract

ERC-20 is the most prominent Ethereum standard for fungible tokens. Toke...

SigRec: Automatic Recovery of Function Signatures in Smart Contracts

Millions of smart contracts have been deployed onto Ethereum for providi...