Smart contracts vulnerabilities: a call for blockchain software engineering?

Giuseppe Destefanis, M. Marchesi, Marco Ortu, R. Tonelli, A. Bracciali, R. Hierons
DOI: 10.1109/IWBOSE.2018.8327567 (https://doi.org/10.1109/IWBOSE.2018.8327567)
Published in: 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE)
Publication date: 2018-03-20
Record source: Semantic Scholar
Citations: 151

Abstract

Smart Contracts have gained tremendous popularity in the past few years, to the point that billions of US Dollars are currently exchanged every day through such technology. However, since the release of the Frontier network of Ethereum in 2015, there have been many cases in which the execution of Smart Contracts managing Ether coins has led to problems or conflicts. Compared to traditional Software Engineering, a discipline of Smart Contract and Blockchain programming, with standardized best practices that can help solve the mentioned problems and conflicts, is not yet sufficiently developed. Furthermore, Smart Contracts rely on a non-standard software life-cycle, according to which, for instance, delivered applications can hardly be updated or bugs resolved by releasing a new version of the software. In this paper we advocate the need for a discipline of Blockchain Software Engineering, addressing the issues posed by smart contract programming and other applications running on blockchains. We analyse a case study where a bug discovered in a Smart Contract library, and perhaps "unsafe" programming, allowed an attack on Parity, a wallet application, causing the freezing of about 500K Ethers (about 150M USD, in November 2017). In this study we analyse the source code of Parity and the library, and discuss how recognised best practices could mitigate, if adopted and adapted, such detrimental software misbehaviour. We also reflect on the specificity of Smart Contract software development, which makes some of the existing approaches insufficient, and call for the definition of a specific Blockchain Software Engineering.