Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts

05/01/2021
by Nikolay Ivanov, et al.

Ethereum holds multiple billions of U.S. dollars in the form of Ether cryptocurrency and ERC-20 tokens, with millions of deployed smart contracts algorithmically operating these funds. Unsurprisingly, the security of Ethereum smart contracts has been under rigorous scrutiny. In recent years, numerous defense tools have been developed to detect different types of smart contract code vulnerabilities. When opportunities for exploiting code vulnerabilities diminish, attackers start resorting to social engineering attacks, which aim to influence humans, often the weakest link in the system. The only known class of social engineering attacks in Ethereum are honeypots, which plant hidden traps for attackers attempting to exploit existing vulnerabilities, thereby targeting only a small population of potential victims. In this work, we explore the possibility and existence of new social engineering attacks beyond smart contract honeypots. We present two novel classes of Ethereum social engineering attacks, Address Manipulation and Homograph, and develop six zero-day social engineering attacks. To show how the attacks can be used in popular programming patterns, we conduct a case study of five popular smart contracts with a combined market capitalization exceeding 29 billion, and integrate our attack patterns into their source code without altering their existing functionality. Moreover, we show that these attacks remain dormant during the test phase and activate their malicious logic only at the final production deployment. We further analyze 85,656 open-source smart contracts and discover that 1,027 of them can be used for the proposed social engineering attacks. We conduct a professional opinion survey with experts from seven smart contract auditing firms, corroborating that the exposed social engineering attacks pose a major threat to smart contract systems.

