Your Smart Contracts Are Not Secure: Investigating Arbitrageurs and Oracle Manipulators in Ethereum

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

2 Citations (Scopus)
405 Downloads (Pure)

Abstract

Smart contracts on Ethereum enable billions of dollars to be transacted in a decentralized, transparent and trustless environment. However, adversaries lie in wait in the Dark Forest, ready to exploit any and all smart contract vulnerabilities in order to extract profits from unsuspecting victims in this new financial system. As the blockchain space moves at a breakneck pace, exploits of smart contract vulnerabilities rapidly evolve, and existing research quickly becomes obsolete. It is imperative that smart contract developers stay up to date on the currently most damaging vulnerabilities and their countermeasures, both to ensure the security of users' funds and to collectively secure the future of Ethereum as a financial settlement layer. This research work focuses on two smart contract vulnerabilities: transaction-ordering dependency and oracle manipulation. Combined, these two vulnerabilities have been exploited to extract hundreds of millions of dollars from smart contracts in the past year (2020-2021). For each of them, this paper presents: (1) a literature survey of recent (as of 2021) formal and informal sources; (2) a reproducible experiment, as code, demonstrating the vulnerability and, where applicable, countermeasures that mitigate it; and (3) analysis and discussion of proposed countermeasures. To conclude, the strengths, weaknesses and trade-offs of these countermeasures are summarised, suggesting directions for future research.

Original language: English
Title of host publication: CYSARM 2021 - Proceedings of the 3rd Workshop on Cyber-Security Arms Race, co-located with CCS 2021
Publisher: Association for Computing Machinery (ACM)
Pages: 25-35
Number of pages: 11
ISBN (Electronic): 978-1-4503-8661-6
DOIs:
Publication status: Published - 2021
Event: 3rd Workshop on Cyber-Security Arms Race, CYSARM 2021, co-located with the ACM Conference on Computer and Communications Security, CCS 2021 - Virtual, Online, Korea, Republic of
Duration: 19 Nov 2021 → …

Publication series

Name: CYSARM 2021 - Proceedings of the 3rd Workshop on Cyber-Security Arms Race, co-located with CCS 2021

Conference

Conference: 3rd Workshop on Cyber-Security Arms Race, CYSARM 2021, co-located with the ACM Conference on Computer and Communications Security, CCS 2021
Country/Territory: Korea, Republic of
City: Virtual, Online
Period: 19/11/21 → …

Keywords

  • arbitrageurs
  • ethereum
  • oracle manipulator
  • security
  • smart contract
  • vulnerability
