An Ethereum-backed contest has revealed a few new tricks for disguising malware as the harmless code the network uses to transfer and manipulate funds: digital smart contracts.
Since Ethereum was introduced in 2015, its security risks have been no secret in the blockchain community. After a $50m hack in 2016, the community controversially decided to roll back the digital records ledger with a new "hard fork" – essentially creating two versions of Ethereum, one before the hack and one after. Another $30m was stolen in July by hackers.
On Thursday an Ethereum Foundation-supported group announced three winners of a new hacking competition for creating malicious smart contracts with their standard programming language, Solidity. It's called the "Underhanded Solidity Coding Contest" and judges included Solidity lead dev Christian Reitwiessner.
It seems to show that Ethereum's community is continuing to keep an eye on different aspects of the security landscape of its platform.
The winner, security consultant Martin Swende, wrote specially formatted transaction Solidity code that could allow a hacker to steal funds. His exploit was formatted in such a way that the sandboxed environment smart contracts run in – the Ethereum Virtual Machine – accepted it. But when run, it triggered a buffer overflow.
Swende will present his competition entry at Ethereum's developer conference, DevCon3, in November.
The other two winners used a little-known technique for sending money to a contract that doesn't require running any code. Typically, users would code "payable" programming functions. But the Ethereum Virtual Machine also has a "self-destruct" instruction that allows crediting a contract's balance without code, upsetting a contract expecting the balance to match what the payable function was saying.
"This competition and its results are outstanding," said Andrew Miller, a computer scientist studying blockchain security at University of Illinois, Urbana-champaign. "They are excellent demonstrations of the potential harm that subtle programming hazards can have in Ethereum."
Miller told The Register he's "really pleased" Ethereum's community is "taking proactive security measures" by offering bug bounties, researching smart contract verification methods and running competitions such as this one.
Diana Kearns, marketing lead at the blockchain firm Synechron, told The Reg "given the [blockchain] platform has had time to mature, it is now one of the most production-ready" and its security will only continue to improve with hackathons designed to test it.
Elad Verbin, a data scientist and blockchain venture capitalist in Berlin, Germany, told The Register that Solidity "was designed to be relatively easy to learn, and easy to create new smart contracts in" but "as Ethereum becomes a large value store and large amounts of money start flowing around, the 'bounty' for an attacker increases, and the drawbacks of Solidity start showing."
For languages to work well in the traditional financial industry, they need to be auditable with specific commands, he said. If the Ethereum Foundation can't eventually get automatic testing of Solidity code to work, then "a whole new language for smart contracts might have to be popularized".