March 2020 list
If you feel a paper should belong to another category, or that we missed a relevant paper just let us know. Participation is most welcome!
Categories:
- Attacks and defenses
- Blockchain-general
- Blockchain-noncrypto uses
- Financial
- Internet of Things (IoT)
- Mathematical
- Smart Contracts
Attacks and defenses
Characterizing Cryptocurrency Exchange Scams
Authors: Pengcheng Xia, Bowen Zhang, Ru Ji, Bingyu Gao, Lei Wu, Xiapu Luo, Haoyu Wang, Guoai Xu
Abstract: As the indispensable trading platforms of the ecosystem, hundreds of cryptocurrency exchanges are emerging to facilitate the trading of digital assets. While, it also attracts the attentions of attackers. A number of scam attacks were reported targeting cryptocurrency exchanges, leading to a huge mount of financial loss. However, no previous work in our research community has systematically studied this problem. In this paper, we make the first effort to identify and characterize the cryptocurrency exchange scams. We first identify over 1,500 scam domains and over 300 fake apps, by collecting existing reports and using typosquatting generation techniques. Then we investigate the relationship between them, and identify 94 scam domain families and 30 fake app families. We further characterize the impacts of such scams, and reveal that these scams have incurred financial loss of 520k US dollars at least. We further observe that the fake apps have been sneaked to major app markets (including Google Play) to infect unsuspicious users. Our findings demonstrate the urgency to identify and prevent cryptocurrency exchange scams. To facilitate future research, we have publicly released all the identified scam domains and fake apps to the community.
{\AE}GIS: Shielding Vulnerable Smart Contracts Against Attacks
Authors: Ferreira Christof Torres, Mathis Baden, Robert Norvill, Fiz Borja Beltran Pontiveros, Hugo Jonker, Sjouke Mauw
Abstract: In recent years, smart contracts have suffered major exploits, costing millions of dollars. Unlike traditional programs, smart contracts are deployed on a blockchain. As such, they cannot be modified once deployed. Though various tools have been proposed to detect vulnerable smart contracts, the majority fails to protect vulnerable contracts that have already been deployed on the blockchain. Only very few solutions have been proposed so far to tackle the issue of post-deployment. However, these solutions suffer from low precision and are not generic enough to prevent any type of attack. In this work, we introduce ÆGIS, a dynamic analysis tool that protects smart contracts from being exploited during runtime. Its capability of detecting new vulnerabilities can easily be extended through so-called attack patterns. These patterns are written in a domain-specific language that is tailored to the execution model of Ethereum smart contracts. The language enables the description of malicious control and data flows. In addition, we propose a novel mechanism to streamline and speed up the process of managing attack patterns. Patterns are voted upon and stored via a smart contract, thus leveraging the benefits of tamper-resistance and transparency provided by the blockchain. We compare ÆGIS to current state-of-the-art tools and demonstrate that our solution achieves higher precision in detecting attacks. Finally, we perform a large-scale analysis on the first 4.5 million blocks of the Ethereum blockchain, thereby confirming the occurrences of well reported and yet unreported attacks in the wild.
Ransomware as a Service using Smart Contracts and IPFS
Authors: Christos Karapapas, Iakovos Pittaras, Nikos Fotiou, C. George Polyzos
Abstract: Decentralized systems, such as distributed ledgers and the InterPlanetary File System (IPFS), are designed to offer more open and robust services. However, they also create opportunities for illegal activities. We demonstrate how these technologies can be used to launch a ransomware as a service campaign. We show that criminals can transact with affiliates and victims without having to reveal their identity. Furthermore, by exploiting the robustness and resilience to churn of IPFS, as well as the decentralized computing capabilities of Ethereum, criminals can remain offline during most procedures, with many privacy guarantees.
Blockchain-general
Cryptocurrency Address Clustering and Labeling
Authors: Mengjiao Wang, Hikaru Ichijo, Bob Xiao
Abstract: Anonymity is one of the most important qualities of blockchain technology. For example, one can simply create a bitcoin address to send and receive funds without providing KYC to any authority. In general, the real identity behind cryptocurrency addresses is not known, however, some addresses can be clustered according to their ownership by analyzing behavioral patterns, allowing those with known attribution to be assigned labels. These labels may be further used for legal and compliance purposes to assist in law enforcement investigations. In this document, we discuss our methodology behind assigning attribution labels to cryptocurrency addresses.
A Systematic Mapping Study on Blockchain Technology for Digital Protection of Communication with Industrial Control
Authors: Kirill Loisha, Javad Ghofrani, Dirk Reichelt
Abstract: In the next few years, Blockchain will play a central role in IoT as a technology. It enables the traceability of processes between multiple parties independent of a central instance. Blockchain allows to make the processes more transparent, cheaper, and safer. This research paper was conducted as systematic literature search. Our aim is to understand current state of implementation in context of Blockchain Technology for digital protection of communication in industrial cyber-physical systems. We have extracted 28 primary papers from scientific databases and classified into different categories using visualizations. The results show that the focus in around 14\% papers is on solution proposal and implementation of use cases “Secure transfer of order data” using Ethereum Blockchain, 7\% papers applying Hyperledger Fabric and Multichain. The majority of research (around 43\%) is focusing on solution development for supply chain and process traceability.
XBlock-EOS: Extracting and Exploring Blockchain Data From EOSIO
Authors: Weilin Zheng, Zibin Zheng, Hong-Ning Dai, Xu Chen, Peilin Zheng
Abstract: Blockchain-based cryptocurrencies and applications have flourished the blockchain research community. Massive data generated from diverse blockchain systems bring not only huge business values and but also technical challenges in data analytics of heterogeneous blockchain data. Different from Bitcoin and Ethereum, EOSIO has richer diversity and higher volume of blockchain data due to its unique architectural design in resource management, consensus scheme and high throughput. Despite its popularity (e.g., 89,800,000 blocks generated till Nov. 14, 2019 since its launching in June 8, 2018), few studies have been made on data analysis of EOSIO. To fill this gap, we collect and process the up-to-date on-chain data from EOSIO. We name these well-processed EOSIO datasets as XBlock-EOS, which consists of 7 well-processed datasets: 1) Block, Transaction and Action, 2) Internal and External EOS Transfer Action, 3) Contract Information, 4) Contract Invocation, 5) Token Action, 6) Account Creation, 7) Resource Management. It is challenging to process and analyze high volume of raw EOSIO data and establish the mapping from original raw data to the fine-grained datasets since it requires substantial efforts in exacting various types of data as well as sophisticated knowledge on software engineering and data analytics. Meanwhile, we present statistics and exploration on these datasets. Moreover, we also outline the possible research opportunities based on XBlock-EOS.
Improving Transaction Success Rate via Smart Gateway Selection in Cryptocurrency Payment Channel Networks
Authors: Suat Mercan, Enes Erdin, Kemal Akkaya
Abstract: The last decade has experienced a vast interest in Blockchain-based cryptocurrencies with a specific focus on the applications of this technology. However, slow confirmation times of transactions and unforeseeable high fees hamper their wide adoption for micro-payments. The idea of establishing payment channel networks is one of the many proposed solutions to address this scalability issue where nodes, by utilizing smart contracting, establish payment channels between each other and perform off-chain transactions. However, due to the way these channels are created, both sides have a certain one-way capacity for making transactions. Consequently, if one sides exceeds this one-way capacity, the channel becomes useless in that particular direction, which causes failures of payments and eventually creates an imbalance in the overall network. To keep the payment channel network sustainable, in this paper, we aim to increase the overall success rate of payments by effectively exploiting the fact that end-users are usually connected to the network at multiple points (i.e., gateways) any of which can be used to initiate the payment. We propose an efficient method for selection of the gateway for a user by considering the gateway’s inbound and outbound payment traffic ratio. We then augment this proposed method with split payment capability to further increase success rate especially for large transactions. The evaluation of the proposed method shows that compared to greedy and maxflow-based approaches, we can achieve much higher success rates, which are further improved with split payments.
Snapshot Samplings of the Bitcoin Transaction Network and Analysis of Cryptocurrency Growth
Authors: T. Lambert Leong
Abstract: The purpose of this work was to perform a network analysis on the rapidly growing bitcoin transaction network. Using a web-socket API, we collected data on all transactions occurring during a six hour window. Sender and receiver addresses as well as the amount of bitcoin exchanged were record. Graphs were generated, using R and Gephi, in which nodes represent addresses and edges represent the exchange of bitcoin. The six hour data set was subsetted into a one and two hour sampling snapshot of the network. We performed comparisons and analysis on all subsets of the data in an effort to determine the minimum sampling length that represented the network as a whole. Our results suggest that the six hour sampling was the minimum limit with respect to sampling time needed to accurately characterize the bitcoin transaction network.Anonymity is a desired feature of the blockchain and bitcoin network however, it limited us in our analysis and conclusions we drew from our results were mostly inferred. Future work is needed and being done to gather more comprehensive data so that the bitcoin transaction network can be better analyzed.
The Framework of Consensus Equilibria for Mining-Pool Games in Blockchain Ecosystems
Authors: George Yuan
Abstract: The goal of this paper is to establish the general framework of consensus equilibria for Mining-Pool Games in Blockchain Ecosystems, and with the explanation for the stability of in terms of the existence of consensus equilibria related to mining gap game’s behaviors by using one new concept called consensus games in Blockchain Ecosystems, here, the Blockchain ecosystem mainly means the economic activities by taking into the account of three types of different factors which are expenses, reward mechanism and mining power for the work on blockschain by applying the key consensus called Proof of Work due to Nakamoto in 2008. In order to do so, we first give an outline how the general existence of consensus equilibria for Mining Pool Games is formulated, and then used to explain the stable for Gap Games for Bitcoin in the sense by the existence of consensus equilibria under the framework of Blockchain consensus, we then establish a general existence result for consensus equilibria of general mining gap games by using the profit functions for miners as the payoffs in game theory. As applications, the general existence results for consensus equilibria of Gap games are established, which not only help us to claim the existence for the general stability for Gap games under the general framework of Blockchain ecosystems, but also allow us to illustrate a number of different phenomenon on the study of mining-pool games with possible impacts due to miners’s gap behaviors with scenarios embedded n Bitcoin economics. Our study on the explanation for the stability of mining gap game for Blockchain ecosystems shows that the concept of consensus equilibria may play a important role for the development of fundamental theory for consensus economics.
KryptoOracle: A Real-Time Cryptocurrency Price Prediction Platform Using Twitter Sentiments
Authors: Shubhankar Mohapatra, Nauman Ahmed, Paulo Alencar
Abstract: Cryptocurrencies, such as Bitcoin, are becoming increasingly popular, having been widely used as an exchange medium in areas such as financial transaction and asset transfer verification. However, there has been a lack of solutions that can support real-time price prediction to cope with high currency volatility, handle massive heterogeneous data volumes, including social media sentiments, while supporting fault tolerance and persistence in real time, and provide real-time adaptation of learning algorithms to cope with new price and sentiment data. In this paper we introduce KryptoOracle, a novel real-time and adaptive cryptocurrency price prediction platform based on Twitter sentiments. The integrative and modular platform is based on (i) a Spark-based architecture which handles the large volume of incoming data in a persistent and fault tolerant way; (ii) an approach that supports sentiment analysis which can respond to large amounts of natural language processing queries in real time; and (iii) a predictive method grounded on online learning in which a model adapts its weights to cope with new prices and sentiments. Besides providing an architectural design, the paper also describes the KryptoOracle platform implementation and experimental evaluation. Overall, the proposed platform can help accelerate decision-making, uncover new opportunities and provide more timely insights based on the available and ever-larger financial data volume and variety.
Blockchain-noncrypto uses
BlockMarkchain: A Secure Decentralized Data Market with a Constant Load on the Blockchain
Authors: Hamidreza Ehteram, Taha Mohammad Toghani, Ali Mohammad Maddah-Ali
Abstract: In this paper, we develop BlockMarkchain, as a secure data market place, where individual data sellers can exchange certified data with buyers, in a secure environment, without any mutual trust among the parties, and without trusting on a third party, as a mediator. To develop this platform, we rely on a smart contract, deployed on a secure public blockchain. The main challenges here are to verify the validity of data and to prevent malicious behavior of the parties, while preserving the privacy of the data and taking into account the limited computing and storage resources available on the blockchain. In BlockMarkchain, the buyer has the option to dispute the honesty of the seller and prove the invalidity of the data to the smart contract. The smart contract evaluates the buyer’s claim and punishes the dishonest party by forfeiting his/her deposit in favor of the honest party. BlockMarkchain enjoys several salient features including (i) the certified data has never been revealed on the public blockchain, (ii) the size of data posted on the blockchain, the load of computation on the blockchain, and the cost of communication with the blockchain is constant and negligible, and (iii) the computation cost of verifications on the parties is not expensive.
Soteria: A Provably Compliant User Right Manager Using a Novel Two-Layer Blockchain Technology
Authors: Wei-Kang Fu, Yi-Shan Lin, Giovanni Campagna, De-Yi Tsai, Chun-Ting Liu, Chung-Huan Mei, Y. Edward Chang, S. Monica Lam, Shih-Wei Liao
Abstract: Soteria is a user right management system designed to safeguard user-data privacy in a transparent and provable manner in compliance to regulations such as GDPR and CCPA. Soteria represents user data rights as formal executable sharing agreements, which can automatically be translated into a human readable form and enforced as data are queried. To support revocation and to prove compliance, an indelible, audited trail of the hash of data access and sharing agreements are stored on a two-layer distributed ledger. The main chain ensures partition tolerance and availability (PA) properties while side chains ensure consistency and availability (CA), thus providing the three properties of the CAP (consistency, availability, and partition tolerance) theorem. Besides depicting the two-layer architecture of Soteria, this paper evaluates representative consensus protocols and reports performance statistics.
Towards an Enterprise-Ready Implementation of Artificial Intelligence-Enabled, Blockchain-Based Smart Contracts
Authors: Philipp Brune
Abstract: Blockchain technology and artificial intelligence (AI) are current hot topics in research and practice. However, the potentials of their combination have been studied just recently to a larger extend. While different use cases for combining AI and blockchain have been discussed, the idea of enabling blockchain-based smart contracts to perform “smarter” decisions by using AI or machine learning (ML) models has only been considered on the conceptual level so far. It remained open, how such AI-enabled smart contracts could be implemented in a robust way for real-world applications. Therefore, in this paper a new, enterprise-class implementation of AI-enabled smart contracts is presented and first insights regarding its feasibility are discussed.
Blockchain meets Biometrics: Concepts, Application to Template Protection, and Trends
Authors: Oscar Delgado-Mohatar, Julian Fierrez, Ruben Tolosana, Ruben Vera-Rodriguez
Abstract: Blockchain technologies provide excellent architectures and practical tools for securing and managing the sensitive and private data stored in biometric templates, but at a cost. We discuss opportunities and challenges in the integration of blockchain and biometrics, with emphasis in biometric template storage and protection, a key problem in biometrics still largely unsolved. Key tradeoffs involved in that integration, namely, latency, processing time, economic cost, and biometric performance are experimentally studied through the implementation of a smart contract on the Ethereum blockchain platform, which is publicly available in github for research purposes.
Blockchain-Based Distributed Patient-Centric Image Management System
Authors: Yaseen Mohamed Jabarulla, Heung-No Lee
Abstract: In recent years, many researchers have focused on developing a feasible solution for storing and exchanging medical images in the field of health care. Current practices are deployed on cloud-based centralized data centers, which increase maintenance costs, require massive storage space, and raise privacy concerns about sharing information over a network. Therefore, it is important to design a framework to enable sharing and storing of big medical data efficiently within a trustless environment. In the present paper, we propose a novel proof-of-concept design for a distributed patient-centric image management (PCIM) system that is aimed to ensure safety and control of patient private data without using any centralized infrastructure. In this system, we employed an emerging Ethereum blockchain and a distributed file system technology called InterPlanetary File System (IPFS). Then, we implemented an Ethereum smart contract called the patient-centric access control protocol to enable a distributed and trustworthy access control policy. IPFS provides the means for decentralized storage of medical images with global accessibility. The PCIM system ensures a high level of data security and reduces fragmentation of patient health records by applying the steganography and asymmetric cryptographic technique. We describe how the PCIM system architecture facilitates the distributed and secured patient-centric data access across multiple entities such as hospitals, patients, and image requestors. Finally, we conduct and experiment to test the framework within the Windows environment and deploy a smart contract prototype on an Ethereum testnet blockchain. The experimental results demonstrate that the proposed scheme is feasible.
Trends in Development of Databases and Blockchain
Authors: Mayank Raikwar, Danilo Gligoroski, Goran Velinov
Abstract: This work is about the mutual influence between two technologies: Databases and Blockchain. It addresses two questions: 1. How the database technology has influenced the development of blockchain technology?, and 2. How blockchain technology has influenced the introduction of new functionalities in some modern databases? For the first question, we explain how database technology contributes to blockchain technology by unlocking different features such as ACID (Atomicity, Consistency, Isolation, and Durability) transactional consistency, rich queries, real-time analytics, and low latency. We explain how the CAP (Consistency, Availability, Partition tolerance) theorem known for databases influenced the DCS (Decentralization, Consistency, Scalability) theorem for the blockchain systems. By using an analogous relaxation approach as it was used for the proof of the CAP theorem, we postulate a “DCS-satisfiability conjecture.” For the second question, we review different databases that are designed specifically for blockchain and provide most of the blockchain functionality like immutability, privacy, censorship resistance, along with database features.
SkillCheck: An Incentive-based Certification System using Blockchains
Authors: Jay Gupta, Swaprava Nath
Abstract: Skill verification is a central problem in workforce hiring. Companies and academia often face the difficulty of ascertaining the skills of an applicant since the certifications of the skills claimed by a candidate are generally not immediately verifiable and costly to test. Blockchains have been proposed in the literature for skill verification and tamper-proof information storage in a decentralized manner. However, most of these approaches deal with storing the certificates issued by traditional universities on the blockchain. Among the few techniques that consider the certification procedure itself, questions like (a) scalability with limited staff, (b) uniformity of grades over multiple evaluators, or (c) honest effort extraction from the evaluators are usually not addressed. We propose a blockchain-based platform named SkillCheck, which considers the questions above, and ensure several desirable properties. The platform incentivizes effort in grading via payments with tokens which it generates from the payments of the users of the platform, e.g., the recruiters and test-takers. We provide a detailed description of the design of the platform along with the provable properties of the algorithm.
Financial
Autocorrelation of returns in major cryptocurrency markets
Authors: Eugene Tartakovsky, Ksenia Plesovskikh, Anastasiia Sarmakeeva, Alexander Bibik
Abstract: This paper is the first of a series of short articles that explore the efficiency of major cryptocurrency markets. A number of statistical tests and properties of statistical distributions will be used to assess if cryptocurrency markets are efficient, and how their efficiency changes over time. In this paper, we analyze autocorrelation of returns in major cryptocurrency markets using the following methods: Pearson’s autocorrelation coefficient of different orders, Ljung-Box test, and first-order Pearson’s autocorrelation coefficient in a rolling window. All experiments are conducted on the BTC/USD, ETH/USD, ETH/BTC markets on Bitfinex exchange, and the XBT/USD market on Bitmex exchange, each on 5-minute, 1-hour, 1-day, and 1-week time frames. The results are represented visually on charts. Statistically significant autocorrelation is persistently present on the 5m and 1H time frames on all markets. The tests disagree on the 1D and 1W time frames. The results of this article are fully reproducible. Used datasets, source code, and a runnable Jupyter Notebook are available on GitHub.
Cryptocurrency Trading: A Comprehensive Survey
Authors: Fan Fang, Carmine Ventre, Michail Basios, Hoiliong Kong, Leslie Kanthan, Lingbo Li, David Martinez-Regoband, Fan Wu
Abstract: Since the inception of cryptocurrencies, an increasing number of financial institutions are gettinginvolved in cryptocurrency trading. It is therefore important to summarise existing research papersand results on cryptocurrency trading. This paper provides a comprehensive survey of cryptocurrencytrading research, by covering 118 research papers on various aspects of cryptocurrency trading (e.g.,cryptocurrency trading systems, bubble and extreme condition, prediction of volatility and return,crypto-assets portfolio construction and crypto-assets, technical trading and others). This paper alsoanalyses datasets, research trends and distribution among research objects (contents/properties) andtechnologies, concluding with promising opportunities in cryptocurrency trading.
One model does not fit all: a multi-scale analysis of eighty-four cryptocurrencies
Authors: F. Aurelio Bariviera
Abstract: This letter expands the studies of the informational efficiency in the cryptocurrency market. Most studies have focused on Bitcoin, the foremost known cryptocurrency, and a few more coins. However, this market is more diverse, with cryptocurrencies entering and leaving the market on a weekly basis. This letter fills an important gap in the literature, by studying the informational efficiency using a multi-scaling methodology, which represents a new approach. We compute the generalized Hurst exponent of eighty-four cryptoassets daily returns. The multi-scaling methodology used in this paper find compelling evidence that cryptocurrencies have different degree of long range dependence, and –more importantly — follow different stochastic processes. Some of them follow traditional monofractal models consistent with fractional Brownian motion, while others exhibit complex multifractal dynamics.
Internet of Things (IoT)
IoT Blockchain Solution for Air Quality Monitoring in SmartCities
Authors: Shajulin Benedict, Rumaize P., Jaspreet Kaur
Abstract: IoT cloud enabled societal applications have dramatically increased in the recent past due to the thrust for innovations, notably through startup initiatives, in various sectors such as agriculture, healthcare, industry, and so forth. The existing IoT cloud solutions have led practitioners or researchers to a haphazard clutter of serious security hazards and performance inefficiencies. This paper proposes a blockchain enabled IoT cloud implementation to tackle the existing issues in smart cities. It particularly highlights the implementation of chaincodes for air quality monitoring systems in SmartCities; the proposed architecture named as IoT enabled Blockchain for Air Quality Monitoring System (IB-AQMS) is illustrated using experiments. Experimental results were carried out and the findings were disclosed in the paper.
An Incentive Mechanism for Building a Secure Blockchain-based Industrial Internet of Things
Authors: Xingjian Ding, Jianxiong Guo, Deying Li, Weili Wu
Abstract: The world-changing blockchain technique provides a novel method to establish a secure, trusted and decentralized system for solving the security and personal privacy problems in Industrial Internet of Things (IIoT) applications. The mining process in blockchain requires miners to solve a proof-of-work puzzle, which requires high computational power. However, the lightweight IIoT devices cannot directly participate in the mining process due to the limitation of power and computational resources. The edge computing service makes it possible for IIoT applications to build a blockchain network, in which IIoT devices purchase computational resources from edge servers and thus can offload their computational tasks. The amount of computational resource purchased by IIoT devices depends on how many profits they can get in the mining process, and will directly affect the security of the blockchain network. In this paper, we investigate the incentive mechanism for the blockchain platform to attract IIoT devices to purchase more computational power from edge servers to participate in the mining process, thereby building a more secure blockchain network. We model the interaction between the blockchain platform and IIoT devices as a two-stage Stackelberg game, where the blockchain platform act as the leader, and IIoT devices act as followers. We analyze the existence and uniqueness of the Stackelberg equilibrium, and propose an efficient algorithm to compute the Stackelberg equilibrium point. Furthermore, we evaluate the performance of our algorithm through extensive simulations, and analyze the strategies of blockchain platform and IIoT devices under different situations.
Mathematical
Plasma Go: A Scalable Sidechain Protocol for Flexible Payment Mechanisms in Blockchain-based Marketplaces
Authors: Madhumitha Harishankar, Dimitrios-Georgios Akestoridis, V. Sriram Iyer, Aron Laszka, Carlee Joe-Wong, Patrick Tague
Abstract: The rapid proliferation of decentralized marketplace applications demands scaling solutions beyond pairwise channels in order to facilitate high volumes of consumer-provider payment transactions. While sidechains seem to present a possible solution, there are several challenges in realizing them; while simpler state channels have seen wide adoption (e.g. Lightning network), sidechains are not in wide use yet. In this work, we propose Plasma Go, a sidechain mechanism for payment transactions where the computational and monetary costs of the required on-chain activity do not depend on the number of sidechain transactions. Indeed, Plasma Go combines pairwise payment channels and the Plasma construct of off-chain activity with root-chain notarization, to yield a mechanism where consumers and providers are guaranteed safety of their sidechain funds without the typical requirement of having them be online. We exploit efficient Boneh-Lynn-Shacham signature and key aggregation schemes to design a notarization and fund withdrawal process that mitigates well-known attacks and drawbacks in previous sidechain designs. We show that the computational load of Plasma Go is orders of magnitudes lower than the state of the art scaling solution. We also analyze the tradeoffs between the signature-based Plasma Go approach and the state-of-the-art sidechain technique ZK-Rollups and highlight a design decision for marketplace operators to make in choosing the Layer 2 solution to use.
Smart Contracts
SmartCert: Redesigning Digital Certificates with Smart Contracts
Authors: Pawel Szalachowski
Abstract: The Transport Layer Security (TLS) protocol and its public-key infrastructure (PKI) are widely used in the Internet to achieve secure communication. Validating domain ownership by trusted certification authorities (CAs) is a critical step in issuing digital certificates, but unfortunately, this process provides a poor security level. In this work, we present SmartCert, a novel approach based on smart contracts to improve digital certificates. A certificate in SmartCert conveys detailed information about its validation state which is constantly changing but only with respect to the specified smart contract code and individual domain policies. CAs issuing and updating certificates are kept accountable and their actions are transparent and monitored by the code. We present the implementation and evaluation of SmartCert, and discuss its deployability.
SMACS: Smart Contract Access Control Service
Authors: Bowen Liu, Siwei Sun, Pawel Szalachowski
Abstract: Although blockchain-based smart contracts promise a “trustless” way of enforcing agreements even with monetary consequences, they suffer from multiple security issues. Many of these issues could be mitigated via an effective access control system, however, its realization is challenging due to the properties of current blockchain platforms (like lack of privacy, costly on-chain resources, or latency). To address this problem, we propose the SMACS framework, where updatable and sophisticated Access Control Rules (ACRs)} for smart contracts can be realized with low cost. SMACS shifts the burden of expensive ACRs validation and management operations to an off-chain infrastructure, while implementing on-chain only lightweight token-based access control. SMACS is flexible and in addition to simple access control lists can easily implement rules enhancing the runtime security of smart contracts. With dedicated ACRs backed by vulnerability-detection tools, SMACS can protect vulnerable contracts after deployment. We fully implement SMACS and evaluate it.
Security Analysis of EOSIO Smart Contracts
Authors: Ningyu He, Ruiyi Zhang, Lei Wu, Haoyu Wang, Xiapu Luo, Yao Guo, Ting Yu, Xuxian Jiang
Abstract: The EOSIO blockchain, one of the representative Delegated Proof-of-Stake (DPoS) blockchain platforms, has grown rapidly recently. Meanwhile, a number of vulnerabilities and high-profile attacks against top EOSIO DApps and their smart contracts have also been discovered and observed in the wild, resulting in serious financial damages. Most of EOSIO’s smart contracts are not open-sourced and they are typically compiled to WebAssembly (Wasm) bytecode, thus making it challenging to analyze and detect the presence of possible vulnerabilities. In this paper, we propose EOSAFE, the first static analysis framework that can be used to automatically detect vulnerabilities in EOSIO smart contracts at the bytecode level. Our framework includes a practical symbolic execution engine for Wasm, a customized library emulator for EOSIO smart contracts, and four heuristics-driven detectors to identify the presence of four most popular vulnerabilities in EOSIO smart contracts. Experiment results suggest that EOSAFE achieves promising results in detecting vulnerabilities, with an F1-measure of 98%. We have applied EOSAFE to all active 53,666 smart contracts in the ecosystem (as of November 15, 2019). Our results show that over 25% of the smart contracts are vulnerable. We further analyze possible exploitation attempts against these vulnerable smart contracts and identify 48 in-the-wild attacks (25 of them have been confirmed by DApp developers), resulting in financial loss of at least 1.7 million USD.
Leave a Comment