According to a recent study, at least 0.36% of contracts in the Ethereum network are vulnerable to failures of human error, which, despite the small percentage, could cause millions in losses.
In this study, entitled "Finding The Greedy, Prodigal, and Suicidal Contracts at Scale" (Finding greedy, lavish and suicidal contracts at scale) and conducted by researchers Ivica Nicolic, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor from University College London and the School of Computing at the National University of Singapore, nearly 1 million Ethereum contracts were analyzed, of which 3,686 were diagnosed with potential failures that could be caused by human error, indicating that approximately 0.36% of network contracts may have vulnerabilities.
To achieve this, a private bifurcation of this blockchain was made, avoiding connecting third parties that are in the original network. In this way, it was possible to obtain the sample of contracts for this study.
We implemented MAIAN, the first tool to precisely specify and reason about tracking properties, which uses inter-procedure symbolic analysis and concrete validation to show real vulnerabilities. Our analysis of almost one million contracts indicates 34,200 (2,365 different) vulnerable contracts, ten seconds per contract. In a subset of 3,759 contracts that we have sampled for concrete validation and manual analysis, we reproduced real exploits at a real positive rate of 89%, producing exploits for 3,686 contracts.
Ivica Nicolic, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor
University College London, National University of Singapore
The possible failures were classified into three categories: first are the Prodigal Contracts, which are those that can be manipulated to modify the address of the portfolio to which the funds should be sent; in second place are the Suicidal Contracts, which can be terminated by an external attack carried out by a third party; and, finally, there are the Greedy Contracts, which are the ones that can be manipulated to block the funds contained in them. As these systems tend to use several contracts, incidents of this type may involve failures of more than one of the aforementioned categories.
An example of this was the case of Parity, since last November a bug accidentally froze about 150 million dollars in ether when a user accidentally activated it. This could be considered a suicide contract, but since their portfolios left the funds blocked, they can be considered greedy. As of today, these funds remain frozen.
For the sample of contracts used in this study, the amount of Ether (ETH) that could have been extracted or blocked from lavish and suicide contracts is 4,905 ETH (more than 4 million dollars). Additionally, some 6,239 ETH (more than 5 million dollars) are trapped in posthumous contracts, which are contracts that have already been completed or have no code, of which 313 ETH were sent to contracts that had already been completed. After a contract is terminated, its code can no longer be executed in the blockchain, but all completed contracts can still receive transactions, although these can no longer invoke the code of these contracts, hence the tokens sent to contracts already terminated. they are blocked indefinitely.
Solidity was first proposed in 2014 by Gavin Wood.
The Ethereum network uses a programming language called Solidity, which was created only in 2014 and was made with the intention of making smart contracts more secure. As this is a new language, some programmers are not used to it and this can lead to failures of human error in the programming of intelligent contracts. However, this adaptation process is necessary for the network to continue to grow, and as programmers become accustomed to Solidity, failures of this nature should diminish.
When errors of this type occur and a significant amount of funds is lost, one of the possible solutions is to make a strong bifurcation (hardfork) of the Ethereum network, thus creating an update of the same network but without the error. However, this only happened once after the events of the theft of the DAO funds from Slock.it, which led to ideological differences in the creation of the Ethereum Classic. Generally, proposals of this nature tend to find enough resistance, since it is considered that the ideal of decentralization is betrayed.
However, there are other forms of abord Audits for these programs can help detect errors and potential failures before they occur. It could also create a library of contracts whose operation has already been verified, which can facilitate the work of the programmers and reduce the risk of failures. Also, Ethereum could apply more user-friendly interfaces, which would reduce the risk of failures.