A paper titled “Finding The Greedy, Prodigal, and Suicidal Contracts at Scale” describes in technical terms the vulnerabilities of the Ethereum network. Researchers in Singapore and the UK wrote the paper, which is currently going through peer review. These researchers used a custom tool named MAIAN to analyze Ethereum. The revelations in this paper highlight several vulnerabilities that threaten to split the Ethereum community. Here is a summary of those vulnerabilities and their implications.
Ethereum Smart Contracts
Smart contracts and the ability to create ERC20 tokens are two of the main functions of the Ethereum network. They also expose the vulnerabilities or contradictions that could take the network down a complicated path. The Ethereum network, with its native cryptocurrency Ether (ETH), was created in 2015. A core component which has given Ethereum traction is its smart contract capability. This allows parties to create their own token on the Ethereum blockchain (utilizing the ERC-20 token standard) and enables data input in the form of smart contracts. These usually offer the ability to run a process flow of transactions, for example one that executes once a list of predetermined conditions is satisfied.
Ethereum Blockchain Vulnerabilities
In May 2016, the DAO (a decentralized autonomous organization) was implemented on the Ethereum blockchain as a smart contract to crowdfund via DAO tokens, with the monies going to a unique wallet address. According to The Startup, “In essence, the platform would allow anyone with a project to pitch their idea to the community and potentially receive funding from the DAO. Anyone with DAO tokens could vote on plans and would then receive rewards if the projects turned a profit.”
In June 2016, just one month later, a hacker found a vulnerability in the code and managed to withdraw funds from the DAO wallet. The two fundamental issues which had not been considered in the code of the DAO application were the ‘recursive call’ (repeat transactions) and the fact that after a single ETH transaction the remaining token balance would be displayed, highlighting how much was available in the wallet.
Ethereum Not at Fault but the Brand Suffered
Although the initial DAO vulnerability was not the fault of the Ethereum developers, their recovery action of implementing a hard fork was their only choice. This opened the debate about future “bail outs”. Just a few days ago Hard Fork (25/04/18) reported that “Blockchain security startup PeckShield has come across a critical vulnerability in multiple Ethereum smart contracts (based on the ERC20 protocol) which results in integer overflow – a common issue which occurs when computers deal with numeric values outside of the range that can be represented with a given number of bits…According to the researchers, the bug makes it possible for attackers to “transfer huge amount of tokens to an address with zero balance,” tacking the sender with huge fees in the meanwhile.”
They claim too many inexperienced developers are writing ERC-20 smart contracts in the common language, Solidity, and in doing so are leaving doors open for hackers to gain access to funds. A similar event occurred in December 2017 with Coinbase, where due to a glitch in their smart contracts they inadvertently allowed users to reward themselves with additional tokens.
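The integer overflow that PeckShield describes comes from multiplying a per-receiver amount by the number of receivers in 256-bit unsigned arithmetic that silently wraps around. The added example below (constructed for this article, not the affected token code and not from the MAIAN paper) reproduces the defective pattern in an `unchecked` block beside a hardened version; the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of an ERC20 batch-transfer integer overflow.
contract BatchTransferDemo {
    mapping(address => uint256) public balances;

    constructor() {
        balances[msg.sender] = 1000; // constructed starting supply
    }

    // Defective: `unchecked` reproduces the wraparound that compilers before
    // 0.8.0 performed by default. If cnt * _value exceeds 2**256 - 1 the
    // product wraps to a small number, the balance check passes, and every
    // receiver is credited _value tokens that the sender never held.
    function batchTransferUnchecked(address[] memory _receivers, uint256 _value) public {
        uint256 cnt = _receivers.length;
        uint256 amount;
        unchecked { amount = cnt * _value; } // can wrap to a tiny value
        require(cnt > 0 && cnt <= 20, "bad receiver count");
        require(_value > 0 && balances[msg.sender] >= amount, "insufficient balance");
        unchecked { balances[msg.sender] -= amount; }
        for (uint256 i = 0; i < cnt; i++) {
            unchecked { balances[_receivers[i]] += _value; }
        }
    }

    // Hardened: checked arithmetic (the 0.8.0 default) reverts on wraparound,
    // and the explicit bound documents the invariant for reviewers and for
    // projects still compiling with older toolchains or SafeMath.
    function batchTransfer(address[] memory _receivers, uint256 _value) public {
        uint256 cnt = _receivers.length;
        require(cnt > 0 && cnt <= 20, "bad receiver count");
        require(_value > 0, "zero value");
        require(_value <= type(uint256).max / cnt, "multiplication would overflow");
        uint256 amount = cnt * _value; // cannot wrap after the bound above
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        for (uint256 i = 0; i < cnt; i++) {
            balances[_receivers[i]] += _value;
        }
    }
}
```

The defensive invariant to look for in review is that the total debited from the sender equals the sum credited to receivers under real, not modular, arithmetic.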
Hard Fork reported: “‘If [one] wallet’s transaction in the smart contract fails, all transactions before that will be reversed,’ VI Company explained. ‘But on Coinbase these transactions will not be reversed, meaning a person could add as much Ethereum to their balance as they want.’ This practically meant that anyone could have abused this glitch to credit their wallets with infinite amounts of Ethereum.”
Network Speed Issues
These glitches might be the most prominent vulnerabilities in the Ethereum network, but they are not the most obvious. In 2017, a project called ‘Crypto-Kitties’ was released on the Ethereum network. According to HackerNoon, the project grew in “popularity…and this trend is placing a rapidly growing amount of pressure on the Ethereum network. The network disruption has been somewhat damaging for Ethereum in terms of adding concern to other types of traders and users that Ethereum risks congestion and slow processing speeds.” Ethereum’s transaction difficulties during the Crypto-Kitties hype are well documented.
How is Ethereum Overcoming Bugs?
In a bid to recover credibility in their network and to avoid any more of these attacks, Ethereum developed the ‘Ethereum Bounty Program’ in 2015. Ethereum invites people to try to attack its network and to report any issues or bugs. It then rewards the person who logs the fault with ETH or BTC. Ethereum tried to introduce a competitive social factor by ranking ‘bounty hunters’ against each other based on the level of their contributions to strengthening the network. Contributions reward them with leaderboard points as well as ETH or BTC.
However, the Ethereum Bounty Program website does not indicate the reward value in ETH or BTC, only that it will vary. This pushes the bounty hunter into a dilemma: report it for an unknown reward or just exploit it. Reporting has not always been the first choice. The only indication of monetary reward is a note on the bounty hunters’ historic rewards distributed, where one bounty hunter on 27/02/2015 was awarded 5 BTC. At 2015 BTC prices the bounty would have been worth between $886.40 and $1,572.95. Ethereum declares that the bounty amount will vary depending on the fault reported. The public doesn’t know what fault was reported on a given date, only that it was reported.
This approach, inviting developers to hack your network, has become a widespread practice in many businesses since the 2017 boom in ransomware attacks; the strategy has proven its worth when it comes to solving bugs. However, the reward someone can make in crypto by exploiting a bug instead is likely to test the morality of any good bounty hunter.
As mentioned above, the hard fork of ETH following the DAO caused uproar in the community and to this day is still used as ammunition to ridicule the ETH network. Those against the DAO resolution still hold it against the network. Ethereum generally has become a bit of a cult following and is seen by many as the main rival to Bitcoin in terms of community culture.
The widespread adoption of the ERC-20 standard for ICOs and smart contracts has made its use grow exponentially, which in turn has made it more attractive to attackers given the flow of funds. This means that, given the vulnerabilities discussed above and the nature of the bounty program meant to solve them, the next split within the Ethereum community might be just around the corner. The precedent was set with the DAO, and there are too many actors within the ecosystem that are too big to fail.