When Ethereum first implemented the concept of smart contracts back in 2013, the idea seemed to be revolutionary
By design, smart contracts are supposed to execute only upon predetermined circumstances and be completely secure. But being just another version of a software, they are prone to many security issues.
In this article, we take a closer look at the most common smart contract security problems of the three popular blockchain networks: Ethereum, EOS, and NEO.
What can reduce the security of a smart contract?
Another common source of critical errors and vulnerabilities are the virtual machines used by the network. For instance, the Ethereum Virtual Machine (EVM) is prone to several vulnerabilities: from access control issues to immutable detects caused by programming errors in the contract code.
Now, let’s look closer at the most common smart contract security issues of the Ethereum, EOS, and NEO networks.
Top smart contract security issues by networks
Security is one of the most important features of a smart contract. So, knowing the weakest spots of a particular blockchain network can help developers make their contracts less susceptible to different vulnerabilities and attacks.
Ethereum is an open-source project that introduced the concept of smart contracts as we know it today. As we mentioned earlier, Ethereum smart contracts are written in Solidity, a high-level scripting language that was designed specifically for Ethereum.
Let’s look at some of the most common Ethereum smart contract vulnerabilities:
- Integer overflows. An overflow is a situation when an integer variable attempts to store the value that exceeds its limit. This is the bug that was exploited by attackers during the recent batchOverflow hack of the ERC coins. Attackers managed to exploit some of the ERC20 contracts and used them for generating absurd numbers of tokens.
- Reentrancy. Ethereum contracts are prone to reentrancy attacks when a function is called repeatedly by a malicious external contract before the first invocation of this function was even finished. This vulnerability makes it possible to change the state of a contract in the process of its execution. The infamous DAO hack happened mostly because of this particular security issue.
- Denial of service (DoS) attacks. Attackers can apply the general mechanism of a DoS attack to smart contracts. For instance, in the case of an auction contract, attackers can constantly call the bid() function, thus preventing other users from making their bids.
The EOS blockchain was launched only a couple of years ago, in 2017. Among the things that make EOS so different from Ethereum is the range of available programming languages. To develop an EOS smart contract, you can use any language that can be compiled to WebAssembly, including C++, Python, and Java.
While making is so much easier for the developers to write smart contracts in the language they know well, the combination of C++ and WASM, for instance, can cause additional security issues in the network.
- Numerical Overflow. EOS smart contracts are also vulnerable to overflows. In particular, when performing arithmetic operations, a contract may not check the boundaries. This may cause the values overflow, eventually leading to the loss of users assets.
- Remote code execution. An incorrect check for array bounds in a function library can cause serious damage to the entire network. This vulnerability allows attackers to use malicious smart contracts with invalid values to take control over the node by writing data into arbitrary addresses in memory.
- RAM exploit. Another security issue in the EOS network allows hackers to allocate RAM, a valuable resource used for processing transactions on the network, from other users. The attackers create a malicious smart contract which helps them occupy and eventually block the RAM of their victims, making the latter incapable of performing any operations with both their RAM and funds.
While the name NEO was first used for this blockchain only in 2017, the initial project was first launched back in 2014 as the AntShares blockchain. The NEO network is known for its “smart economy” philosophy, and the concept of smart contracts plays a significant part in this philosophy.
Just like EOS, NEO allows writing smart contracts in commonly used programming languages: C#, Java, Python, and Kotlin. The network uses Delegated Byzantine Fault Tolerance (dBFT) as a consensus mechanism, which provides NEO with a higher level of scalability than, say, Ethereum with its proof of work (PoW) consensus algorithm. But unfortunately, NEO smart contracts are also prone to various security issues, including the following:
- Storage injection. One of the known security issues of NEO smart contracts was caused by the platform’s native NEP-5 tokens. A storage injection vulnerability found in several contracts allowed hackers to provide invalid transaction input and change the total supply limit of the token.
- DoS vulnerability. Another vulnerability discovered in NEO during one of the security audits makes it possible to perform a full-force DoS attack on the network. A vulnerable mechanism found in NEO smart contracts allowed hackers to invoke a malicious contract which would crash every node that tried to process the contract.
Best practices for developing secure smart contracts
As you can see, even the most popular blockchain networks have numerous security issues that can be exploited by hackers. The good news is that most of these issues can be solved at the stage of a smart contract development.
So what can you do to improve the security of your smart contracts? Here are several efficient smart contract security tips.
First and foremost, you should always follow the recommended best practices for particular platforms and languages. For instance, there are the best practices for writing secure smart contracts in Ethereum and EOS. As for NEO, you can find some recommendations and security tips on writing smart contracts in this document.
Secondly, since many security issues in smart contracts are caused by the errors and bugs in the source code, it’s crucial to make sure that your contract is tested thoroughly before the official release.
And thirdly, always choose to run a security audit whenever you have a chance. General testing tools are good for detecting the most common and obvious bugs and code errors. However, there are lots of critical security issues that are not so easy to detect and to find them, so you might also need the professional help from security testers.
Security remains one of the main concerns regarding smart contract technology. A small error in the code of a smart contract can result in millions of dollars in loss, as it was with the DAO. Therefore, when it comes to writing a smart contract, security should always be the developer’s top priority.
To increase smart contract safety and performance, most networks recommend security best practices for developers. However, if you want to ensure the highest level of security possible, consider running additional tests and security audits for your smart contracts.
About the Author
Marcell Gogan is a specialist within digital security solutions, business design and development, virtualization and cloud computing, R&D projects, establishment and management of software research direction – working with Ekran System. He also loves writing about data management and cybersecurity.