
Detecting Vulnerability in Ethereum Smart Contracts

April 30, 2020
Noama Samreen

Today, when we shop or bank online, or when we use social media like Facebook or web-based services like Gmail, our personal data is mainly stored on servers owned by companies like Amazon or Google. These companies are then trusted to secure this data and protect every user’s privacy.

But we know of many instances when security has been breached and data accessed without authorization, such as with the Marriott Hotel’s loss of credit card and passport numbers or Equifax’s loss of social security numbers, addresses and other personal data. These breaches illustrate the vulnerabilities of data storage within the centralized design of the Internet.

Blockchain represents the other end of the spectrum. It is a decentralized digital ledger, distributed across many computers, that is used to record transactions; this distribution makes accessing or altering any of the data much more difficult. Originally designed as the technology underlying bitcoin, blockchain is now emerging as a viable alternative to centralized data transactions and storage. It has also made smart contracts possible.

Smart contracts are computer programs that directly control the flow or transfer of digital assets. But while they offer a high level of security, there are some vulnerabilities that pose a threat and can cause financial losses.

Enter Noama Fatima Samreen, a computer science master’s student working on programming-level vulnerabilities in Ethereum smart contracts. Ethereum is a blockchain technology platform that allows developers to build a variety of applications, ranging from simple wallet applications to complex financial systems for the banking industry. In a recent paper titled “Reentrancy Vulnerability Identification in Ethereum Smart Contracts,” Samreen presents a framework that first detects the possibility of reentrancy in a smart contract and then actually attempts reentrancy.

“In the simplest terms, reentrancy means trying to get into a program again when you’re not supposed to,” explains Samreen. “More specifically, a reentrancy attack occurs when the attacker drains funds out of a smart contract. A famous example is the DAO attack, which happened when a hacker found a loophole in the coding that allowed him to drain about $60 million USD from The DAO.”

Under the supervision of Ryerson’s Manar Alalfi, Samreen’s research aims to provide a supporting tool that enables users of blockchain technology to verify their smart contracts for the existence of security vulnerabilities before they deploy the contract. This way, they can protect it from attack by hackers.

“Our framework combines static and dynamic analysis techniques,” says Samreen. “Our approach was to identify potentially vulnerable points in a smart contract, rather than test the complete contract. The result was an accurate detection, plus increased performance, when compared to a state-of-the-art tool called ContractFuzzer.”

As more companies move toward developing applications in blockchain, more Canadians will become active users of this technology. This makes it essential to protect individuals and sectors – commercial, financial, social and government – from fraudulent attacks. Detecting reentrancy vulnerability is an important part of that protection.

Samreen is looking forward to the next steps of her research.

“Dr. Alalfi introduced me to this area and has been a wonderful supervisor. With her continued support, I am hoping to be able to detect multiple vulnerabilities in the future. Also, we would like to modify our framework to incorporate suggestions to enhance a smart contract or to provide a corrected version that prevents exploitation of these vulnerabilities.”

Keen to continue her studies in computer science, Samreen is also planning to pursue a doctorate degree. “I’ve learned a lot from Ryerson’s hands-on approach to work in this area. My hope one day is to teach and work within an academic environment.”

Samreen’s research is funded in part by the Natural Sciences and Engineering Research Council of Canada (NSERC).