Smart contracts are protocols written in a programming language like Solidity and deployed to the Ethereum blockchain.
These self-executing programs are used for various applications, such as creating multi-signature wallets for cryptocurrencies or providing trustless escrow services for peer-to-peer marketplaces.
However, smart contracts can also contain bugs that attackers can exploit to steal funds from users or even crash entire blockchains (e.g., The DAO hack).
The DAO: exploiting a bug in a decentralized, autonomous organization
The DAO was a decentralized autonomous organization that raised $150 million in Ether (the cryptocurrency of the Ethereum platform). That makes it one of the most successful crowdfunding campaigns in history. However, in June 2016, the DAO was hacked, and $50 million worth of Ether was stolen by an unknown party that exploited a bug in the code.
After this incident, Ethereum developers created an upgrade called “The DAO hard fork.” The hard fork allowed users to retrieve their funds before they were transferred to another account. But unfortunately, it resulted in two different versions of Ethereum: Ethereum Classic and Ethereum (ETH).
Parity multi-sig vulnerability: wallet flaw drained $30 million
A multi-sig wallet is a particular type of wallet that requires multiple users to sign off on a transaction before it can be processed. It prevents one person from spending all the money in the wallet. Instead, it requires a majority of users to agree. In this case, however, a bug in the multi-sig implementation allowed one user’s account to drain everyone else’s funds.
For this exploit to work, two things needed to happen.
First, someone had to create an Ethereum smart contract that created new tokens and sent them back into their account.
Second, they had to make sure nobody could stop them from doing so by locking up their funds in what’s called an “escape hatch.”
Once the culprit took care of these two steps, other people started sending money into this new smart contract. Many hoped for profit but received nothing because the creator had already drained all its funds into his account!
That exploit drained over $30 million worth of Ether (ETH) from various wallets across Ethereum’s ecosystem. That includes the Parity Technologies multi-sig wallet.
Bancor hack: $23.5m stolen by exploiting smart contract security flaws
In June 2018, a hacker exploited a smart contract security flaw to steal $23.5 million from Bancor. The blockchain project aims to provide liquidity for digital currencies. The exploit was in the smart contract itself. Its purpose was to create and hold tokens with specific values so users could buy and sell them on the platform. It also allowed users to convert the tokens into other tokens through an “on-chain” process.
It turned out that while this process might have been secure enough at first, it wasn’t very well programmed. When one user made specific actions via their account (such as selling their token), it would trigger another action (like automatically creating new tokens) without checking whether those actions were valid or not. That created an opportunity for hackers.
More vulnerabilities in smart contracts than ever before – EY report
According to a report from Ernst & Young (EY), the number of smart contract vulnerabilities is increasing rapidly.
The company’s “2019 Global Blockchain Survey” report found that the number of smart contract vulnerabilities increased from 8.7% in 2018 to 12.9%. EY also found that “the median time to fix an error was under six days. However, nearly half took longer than one week, with about 2% taking longer than three months.” All of those periods are unacceptable.
Smart contracts are far from perfect
Culprits can exploit them. There have been some instances where hackers used smart contracts for malicious purposes. That includes stealing money from people or businesses.
For example, someone used an Ethereum-based smart contract to steal $25 million in Ether (the cryptocurrency of Ethereum). The hacker exploited a bug in the system and took advantage of it by sending tokens through multiple accounts. That process continued until they reached their destination address. Then, it allowed the culprit to steal all the funds stored in the “wallet” without needing any special permissions or authorization.
Smart contracts aren’t always used for malicious purposes, though. They’re being used for good things too!
You might use them if you want someone else’s approval before buying something expensive online, like a car or home appliance. These items usually cost thousands of dollars. So having someone else sign off would help protect both parties involved.
In addition, it could ensure that each party gets what they paid for, so no one has any regrets after buying something expensive like this online!
Conclusion
We can see the potential of smart contracts, but many people are still wary of their use.
That is because there are bugs in smart contracts that one can exploit. Users will lose money unless someone finds a way to fix things before it’s too late.
Many companies are working on improving their security measures – whether through improved testing or by removing human intervention from specific processes altogether.
The post Smart Contracts: Security Concerns appeared first on CryptoMode.
