Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts

by   Nikolay Ivanov, et al.

Ethereum holds multiple billions of U.S. dollars in the form of Ether cryptocurrency and ERC-20 tokens, with millions of deployed smart contracts algorithmically operating these funds. Unsurprisingly, the security of Ethereum smart contracts has been under rigorous scrutiny. In recent years, numerous defense tools have been developed to detect different types of smart contract code vulnerabilities. When opportunities for exploiting code vulnerabilities diminish, the attackers start resorting to social engineering attacks, which aim to influence humans – often the weakest link in the system. The only known class of social engineering attacks in Ethereum are honeypots, which plant hidden traps for attackers attempting to exploit existing vulnerabilities, thereby targeting only a small population of potential victims. In this work, we explore the possibility and existence of new social engineering attacks beyond smart contract honeypots. We present two novel classes of Ethereum social engineering attacks - Address Manipulation and Homograph - and develop six zero-day social engineering attacks. To show how the attacks can be used in popular programming patterns, we conduct a case study of five popular smart contracts with combined market capitalization exceeding 29 billion, and integrate our attack patterns in their source codes without altering their existing functionality. Moreover, we show that these attacks remain dormant during the test phase but activate their malicious logic only at the final production deployment. We further analyze 85,656 open-source smart contracts, and discover that 1,027 of them can be used for the proposed social engineering attacks. We conduct a professional opinion survey with experts from seven smart contract auditing firms, corroborating that the exposed social engineering attacks bring a major threat to the smart contract systems.



page 1

page 2

page 3

page 4


Hunting for Re-Entrancy Attacks in Ethereum Smart Contracts via Static Analysis

Ethereum smart contracts are programs that are deployed and executed in ...

The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts

In recent years, Ethereum gained tremendously in popularity, growing fro...

Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks

Recently, a number of existing blockchain systems have witnessed major b...

A Fly in the Ointment: An Empirical Study on the Characteristics of Ethereum Smart Contracts Code Weaknesses and Vulnerabilities

Context: Smart contracts are computer programs that are automatically ex...

Combining Graph Neural Networks with Expert Knowledge for Smart Contract Vulnerability Detection

Smart contract vulnerability detection draws extensive attention in rece...

Characterizing Code Clones in the Ethereum Smart Contract Ecosystem

In this paper, we present the first large-scale and systematic study to ...

ContractGuard: Defend Ethereum Smart Contracts with Embedded Intrusion Detection

Ethereum smart contracts are programs that can be collectively executed ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.