Smart Contract Hacking: What is it and What Does it Affect?

October 19, 2020

A smart contract is a way to handle business transactions to ensure they are secured, accurate, fast, and cost-effective–all without involving a third party, such as a bank. A smart contract uses a computer program that automatically executes the contract, the specifications of which are written into the program code. The code includes the terms of agreement between a buyer and seller, and is self-executed based on a pre-set event, such as a specific deadline. The benefits of smart contracts are that they are traceable, transparent, and irreversible.

Along with the benefits of using a smart contract, there are security concerns inherent to the process. Smart contracts rely on blockchain, the technology that provides record keeping for the Bitcoin network and other cryptocurrency platforms. Smart contracts “live” in decentralized blockchain networks, meaning the data’s security is dependent on the protocols applied to keep it secure.

Ethereum, the second-largest cryptocurrency platform, reportedly has over 32,000 smart contracts that are vulnerable to hacking due to poor coding.

A study by five researchers released in 2018, called Finding The Greedy, Prodigal, and Suicidal Contracts at Scale, found that around one in twenty smart contracts are at risk for hacking. The study identified three types of smart contracts that are particularly vulnerable, “greedy, prodigal, and suicidal — which either lock funds indefinitely, leak them to arbitrary users, or be susceptible to be killed by any user.”

The researchers identified the vulnerabilities without accessing the source code, using a tool they built called MAIAN, which flagged each contract within ten seconds of analysis. While the study did not identify the specific smart contracts that contained vulnerabilities, it shows that identification is possible – and the next individuals to discover the issues may have malicious intent.
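To make the study's three classes concrete, here is an added Solidity illustration written for this article (it is not code from the study or from the MAIAN tool): a vault whose kill and sweep functions carry no access control, beside a hardened version. Contract and function names are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example of the "suicidal" and "prodigal" classes: the sensitive
// functions have no access control, so any caller can destroy the contract or
// send its ether to an arbitrary address.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Suicidal: any caller can kill the contract and receive its ether.
    function kill() external {
        selfdestruct(payable(msg.sender));
    }

    // Prodigal: any caller can move the contract's ether wherever they like.
    function sweep(address payable to, uint256 amount) external {
        to.transfer(amount);
    }
}

// Hardened version: no selfdestruct and no unrestricted sweep, and every
// deposit has a withdrawal path so funds are never locked (the "greedy" class).
// Any privileged function that is truly needed must check msg.sender against
// a stored owner address before acting.
contract HardenedVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Callers withdraw only their own recorded balance; state is updated
    // before the external call (checks-effects-interactions) to block reentrancy.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Static analyzers in the spirit of MAIAN look for exactly the patterns in the first contract: a reachable selfdestruct and an ether transfer to a caller-chosen address with no check on who is calling.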

Ethereum is no stranger to smart contract hacking. Parity Wallet, a digital storage service for cryptocurrency such as Ethereum, was hacked in 2017, with approximately $34 million stolen. It is estimated that hackers have stolen a total of $2 billion since 2017.

Mike Orcutt, for MIT Technology Review, states that using smart contracts for venture capital funds can be particularly vulnerable as they deal with larger amounts of cryptocurrency. One venture capital fund, Decentralized Autonomous Organization (DAO), lost $60 million to hackers in 2016, due to a flaw in a smart contract.

“A bug in a live smart contract can create a unique sort of emergency,” explains Orcutt. “In traditional software, a bug can be fixed with a patch. In the blockchain world, it’s not so simple. [Transactions] on a blockchain cannot be undone.”

If the money has already been stolen, there is nothing that can be done to fix the bug. The only solution is to create a new blockchain–and to have users switch over to it.

Some techniques being used to counter smart contract hacking include the use of artificial intelligence (AI) to monitor for suspicious activity or known issues. Auditing tools are also being developed to identify bugs before the smart contract is released.

“But making sure code is clean will only go so far,” says Orcutt. “A blockchain, after all, is a complex economic system that depends on the unpredictable behavior of humans, and people will always be angling for new ways to game it.”

Want to learn about cybersecurity? Capitol Tech offers bachelor’s, master’s and doctorate degrees in cyber and information security. Many courses are available both on campus and online. To learn more about Capitol Tech’s degree programs, contact admissions@captechu.edu.