Blockchain Technology and Related Security Risks: Towards a Seven-Layer Perspective and Taxonomy
Abstract
:1. Introduction
2. Research Methods
3. Conceptual Framework: A Seven-Layer Architecture for Blockchain Technology
3.1. Application Layer
3.2. Contract Layer
3.3. Incentive Layer
3.4. Consensus Layer
3.5. Network Layer
3.6. Data Layer
3.7. Physical Layer
4. Results: Security Analysis within Blockchain Layers (Towards a Taxonomy and Model of Key Concepts)
4.1. Vulnerabilities and Attacks in Seven-Layer Blockchain
4.2. Vulnerabilities/Attacks on the Application Layer
4.2.1. Hot Wallet Theft
4.2.2. Decentralised Finance (DeFi) Flash Loan Attack
- Data leakage via phishing: attackers attempt to trick users and direct them to a fake website to access user’s sensitive data, such as private key [49].
- Market price manipulation: attacker borrows a large amount of digital assets via flash loan and uses that fund to manipulate the price of that specific asset on a certain DeFi platform. Furthermore, a malicious arbitrage or attacker create an arbitrage opportunity and manipulate the token price. If greedy arbitrageurs do not have large sums of tokens in their wallet, they use flash loan to borrow tokens to leverage their trading position sizes and gain more profit [48]. There were a number of DeFi attacks that happened in 2020 and 2021 [50,51].
4.3. Vulnerabilities/Attacks on Contract Layer
4.3.1. Re-Entrancy Vulnerability
4.3.2. Parity Multi-Signature Wallet
4.3.3. Front Running/Transaction-Ordering Dependence
4.3.4. Integer Overflow and Underflow
4.3.5. Timestamp Dependence
4.3.6. Mishandled Exceptions
4.3.7. DoS with Unexpected Revert
4.3.8. Short Address—Parameter Attack
4.3.9. Denial of Service—Block Gas Limit
4.3.10. Tx.origin
4.3.11. Weak Randomness
4.3.12. Hash Collisions with Multiple Variable Length Arguments
4.3.13. One Owner Control—Centralisation
4.4. Vulnerabilities/Attacks on Incentive Layer
BDoS Attack
4.5. Vulnerabilities/Attacks on Consensus Layer
4.5.1. Double-Spending Attack
4.5.2. 51% Majority Attack
4.5.3. Selfish Mining Attack
4.5.4. Bribery Attack
4.6. Vulnerabilities/Attacks on Network Layer
4.6.1. DDoS Attack
4.6.2. Domain Name Service—Centralisation
4.6.3. Eclipse Attack
4.6.4. Sybil Attack
4.6.5. BGP Routing Attack
4.6.6. Replay Attack
4.7. Vulnerabilities/Attacks on Data Layer
4.7.1. Transaction Malleability Attack
4.7.2. Timejacking Attack
4.7.3. Quantum Attack
4.8. Vulnerabilities/Attacks on Physical Layer
4.8.1. Cold Wallet Theft
4.8.2. Cryptojacking Malware
4.9. Towards a Conceptual Taxonomy and Classification
5. Discussion: Security Risks Associated with Smart Contracts in the Contract Layer
Vulnerabilities/Attacks Location | Typical Vulnerabilities/Attacks | Authors of Key Works | Detection Tools/Preventive Techniques |
---|---|---|---|
Contract Layer | Re-entrancy | Antonopoulos and Wood (2018) [26] Shahda (2019) [53] Khan and Namin (2020) [58] Alkhalifah et al. (2021) [98] Feng et al. (2019) [99] Fang et al. (2021) [100] | |
Parity multi signature wallet | Chen et al. (2021) [4] Vivar et al. (2020) [5] Praitheeshan et al. (2020) [54] Goldberg (2018) [101] Wang et al. (2020) [102] | ||
Front running/Transaction ordering dependence | Praitheeshan et al. (2020) [54] Eskandari et al. (2019) [103] Najafi (2020) [104] Mense and Flatscher (2018) [105] | ||
Integer overflow/Underflow | Praitheeshan et al. (2020) [54] Ma et al. (2019) [55] Gao et al. (2019) [56] Khan and Namin (2020) [58] | ||
Timestamp dependence | Antonopoulos and Wood (2018) [24] Solorio et al. (2019) [52] Praitheeshan et al. (2020) [54] Jiang et al. (2018) [57] Khan and Namin (2020) [58] Feng et al. (2019) [99] | ||
Mishandled exceptions | Praitheeshan et al. (2020) [54] Khan and Namin (2020) [58] |
| |
DoS with unexpected revert | Samreen and Alalfi (2021) [62] | ||
Short address | Vivar et al. (2020) [5] Wen et al. (2021) [14] Antonopoulos and Wood (2018) [26] Feng et al. (2019) [99] Kushwaha et al. (2022) [106] | ||
DoS- Block gas limit | Chen et al. (2021) [4] Ghaleb et al. (2022) [107] Grech et al. (2018) [108] | ||
Tx.origin | Chen et al. (2021) [4] Antonopoulos and Wood (2018) [26] Tikhomirov et al. (2018) [60] |
| |
Weak randomness | Chatterjee et al. (2019) [65] Amiet (2021) [109] | ||
Hash Collisions with Multiple Variable Length Arguments | swcregistry (2020) [66] | ||
One owner control (Centralised ownership) | CertiK (2023) [110] Mou et al. (2021) [111] Li et al. (2022) [112] Ghaffari et al. (2021) [113] CertiK (2021) [114] Shanzson (2022) [115] |
|
6. Conclusions and Recommendations
6.1. A Seven-Layer Architecture and Best Practices to Mitigate against Security Risks
6.2. Key Contributions
- A review of the blockchain architecture is conducted and a more detailed seven-layer architecture is adopted.
- In each of the seven layers of blockchain, the different types of vulnerabilities and attacks are highlighted. The inter-relationships between these vulnerabilities, their exploitation, and the related consequences are described, with particular focus on the case of Ethereum blockchain.
- A systematic investigation is carried out, covering the mechanisms proposed by researchers to detect/prevent vulnerabilities and attacks. The outcome of this investigation is summarised in a taxonomy of vulnerabilities, attacks, and countermeasures in a seven-layer blockchain architecture.
- The contract layer is found to be the most vulnerable layer in a blockchain architecture, due to smart contracts being prone to security vulnerabilities. A model application is proposed to achieve best practice towards a more secure smart contract development.
6.3. Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Zamani, E.; He, Y.; Phillips, M. On the Security Risks of the Blockchain. J. Comput. Inf. Syst. 2020, 60, 495–506. [Google Scholar] [CrossRef]
- Lin, I.-C.; Liao, T.-C. A Survey of Blockchain Security Issues and Challenges. Int. J. Netw. Secur. 2017, 19, 653–659. [Google Scholar] [CrossRef]
- Xiao, Y.; Zhang, N.; Lou, W.; Hou, Y.T. A Survey of Distributed Consensus Protocols for Blockchain Networks. IEEE Commun. Surv. Tutor. 2020, 22, 1432–1465. [Google Scholar] [CrossRef]
- Chen, H.; Pendleton, M.; Njilla, L.; Xu, S. A Survey on Ethereum Systems Security. ACM Comput. Surv. 2021, 53, 1–43. [Google Scholar] [CrossRef]
- Vivar, A.L.; Castedo, A.T.; Orozco, A.L.S.; Villalba, L.J.G. An Analysis of Smart Contracts Security Threats alongside Existing Solutions. Entropy 2020, 22, 203. [Google Scholar] [CrossRef] [PubMed]
- Zheng, Z.; Xie, S.; Dai, H.N.; Chen, W.; Chen, X.; Weng, J.; Imran, M. An Overview on Smart Contracts: Challenges, Advances and Platforms. Future Gener. Comput. Syst. 2020, 105, 475–491. [Google Scholar] [CrossRef]
- Mosakheil, J.H. Security Threats Classification in Blockchains. 2018. Available online: https://www.semanticscholar.org/paper/Security-Threats-Classification-in-Blockchains-Mosakheil/91bbbb31101cbc2e803726d7210b4100f7b09ac5 (accessed on 20 March 2023).
- Neumeyer, X.; Cheng, K.; Chen, Y.; Swartz, K. Blockchain and Sustainability: An Overview of Challenges and Main Drivers of Adoption. In Proceedings of the 2021 IEEE International Conference on Technology Management, Operations and Decisions (ICTMOD), Marrakech, Morocco, 23–25 November 2022; IEEE: Piscataway, NJ, USA, 2021; pp. 1–6. [Google Scholar] [CrossRef]
- Morstyn, T.; Farrell, N.; Darby, S.J.; McCulloch, M.D. Using Peer-to-Peer Energy-Trading Platforms to Incentivize Prosumers to Form Federated Power Plants. Nat. Energy 2018, 3, 94–101. [Google Scholar] [CrossRef]
- Wu, J.; Tran, N. Application of Blockchain Technology in Sustainable Energy Systems: An Overview. Sustainability 2018, 10, 3067. [Google Scholar] [CrossRef]
- Dodmane, R.; K. R., R.; N. S., K.R.; Kallapu, B.; Shetty, S.; Aslam, M.; Jilani, S.F. Blockchain-Based Automated Market Makers for a Decentralized Stock Exchange. Information 2023, 14, 280. [Google Scholar] [CrossRef]
- Sai, A.R.; Buckley, J.; Fitzgerald, B.; Le Gear, A. Taxonomy of Centralization in Public Blockchain Systems: A Systematic Literature Review. Inf. Process. Manag. 2021, 58, 102584. [Google Scholar] [CrossRef]
- Marcus, Y.; Heilman, E.; Goldberg, S. Low-Resource Eclipse Attacks on Ethereum’s Peer-to-Peer Network. Cryptol. ePrint Arch. 2018. [Google Scholar]
- Wen, Y.; Lu, F.; Liu, Y.; Huang, X. Attacks and Countermeasures on Blockchains: A Survey from Layering Perspective. Comput. Netw. 2021, 191, 107978. [Google Scholar] [CrossRef]
- Tapsell, J.; Naeem Akram, R.; Markantonakis, K. An Evaluation of the Security of the Bitcoin Peer-To-Peer Network. In Proceedings of the 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), Halifax, NS, Canada, 30 July–3 August 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 1057–1062. [Google Scholar] [CrossRef]
- CertiK. What Is Centralization Risk? 2022. Available online: https://certik.medium.com/what-is-centralization-risk-41cf848f5a74 (accessed on 25 March 2023).
- Saunders, M.N.K.; Lewis, P.; Thornhill, A. Research Methods for Business Students, 8th ed.; Pearson: New York, NY, USA, 2020. [Google Scholar]
- Yang, J.; Bi, H.; Liang, Z.; Zhou, H.; Yang, H.J. A Survey on Blockchain: Architecture, Applications, Challenges, and Future Trends. In Proceedings of the IEEE Congress on Cybermatics: 2020 IEEE International Conferences on Internet of Things, iThings 2020, IEEE Green Computing and Communications, GreenCom 2020, IEEE Cyber, Physical and Social Computing, CPSCom 2020 and IEEE Smart Data, SmartD, Rhodes, Greece, 2–6 November 2020. [Google Scholar] [CrossRef]
- Deng, W.; Huang, T.; Wang, H. A Review of the Key Technology in a Blockchain Building Decentralized Trust Platform. Mathematics 2022, 11, 101. [Google Scholar] [CrossRef]
- Homoliak, I.; Venugopalan, S.; Reijsbergen, D.; Hum, Q.; Schumi, R.; Szalachowski, P. The Security Reference Architecture for Blockchains: Toward a Standardized Model for Studying Vulnerabilities, Threats, and Defenses. IEEE Commun. Surv. Tutor. 2021, 23, 341–390. [Google Scholar] [CrossRef]
- Huang, J.; Lei, K.; Du, M.; Zhao, H.; Liu, H.; Liu, J.; Qi, Z. Survey on Blockchain Incentive Mechanism. In Proceedings of the ICPCSEE 2019 International Conference of Pioneering Computer Scientists, Engineers and Educators, Guilin, China, 20–23 September 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 386–395. [Google Scholar] [CrossRef]
- Ahmed, K.B.; Kumar, D. Blockchain Use Cases in Financial Services for Improving Security. In Proceedings of the 2019 Third International Conference on Inventive Systems and Control (ICISC), Coimbatore, India, 10–11 January 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 220–224. [Google Scholar] [CrossRef]
- Annessi, R.; Fast, E. Improving Security for Users of Decentralized Exchanges Through Multiparty Computation. In Proceedings of the 2021 IEEE International Conference on Blockchain (Blockchain), Melbourne, Australia, 6–8 December 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 229–236. [Google Scholar] [CrossRef]
- Sexer, N. Decentralized Exchanges vs. Centralized Exchanges: Overview. 2018. Available online: https://consensys.net/blog/news/decentralized-exchanges-overview-benefits-and-advantages-over-centralized-exchanges/ (accessed on 1 April 2023).
- Jha, P. Ethereum at the Center of Centralization Debate as SEC Lays Claim. 2022. Available online: https://cointelegraph.com/news/ethereum-at-the-center-of-centralization-debate-as-sec-lays-claim (accessed on 2 April 2023).
- Antonopoulos, A.; Wood, G. Mastering Ethereum: Building Smart Contracts and Dapps; O’Reilly Media: Sebastopol, CA, USA, 2018. [Google Scholar]
- Destefanis, G.; Marchesi, M.; Ortu, M.; Tonelli, R.; Bracciali, A.; Hierons, R. Smart Contracts Vulnerabilities: A Call for Blockchain Software Engineering? In Proceedings of the 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), Campobasso, Italy, 20 March 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 19–25. [Google Scholar] [CrossRef]
- DevCon, G. What are Blockchain Protocols and How Do they Work? Available online: https://medium.com/@genesishack/draft-what-are-blockchain-protocols-and-how-do-they-work-94815be5efa7 (accessed on 5 April 2023).
- Han, R.; Yan, Z.; Liang, X.; Yang, L.T. How Can Incentive Mechanisms and Blockchain Benefit with Each Other? A Survey. ACM Comput. Surv. 2023, 55, 1–38. [Google Scholar] [CrossRef]
- Leonardos, N.; Leonardos, S.; Piliouras, G. Oceanic Games: Centralization Risks and Incentives in Blockchain Mining. In Proceedings of the Mathematical Research for Blockchain Economy: 1st International Conference MARBLE 2019, Santorini, Greece, 6–9 May 2019. [Google Scholar] [CrossRef]
- Beikverdi, A.; Song, J.S. Trend of Centralization in Bitcoin’s Distributed Network. In Proceedings of the 2015 IEEE/ACIS 16th International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), Takamatsu, Japan, 1–3 June 2015; IEEE: Piscataway, NJ, USA, 2015; pp. 1–6. [Google Scholar] [CrossRef]
- Minima. Is Bitcoin Incentivizing Its Own Centralization? 2022. Available online: https://www.minima.global/post/is-bitcoin-incentivizing-its-own-centralization (accessed on 10 January 2023).
- Liott, S. Has Proof of Stake Made Ethereum More Centralized? 2022. Available online: https://decrypt.co/111485/has-proof-of-stake-made-ethereum-more-centralized (accessed on 13 March 2023).
- Ethereum. Proof-of-Stake (PoS). 2023. Available online: https://ethereum.org/en/developers/docs/consensus-mechanisms/pos/ (accessed on 12 May 2023).
- Alsunaidi, S.J.; Alhaidari, F.A. A Survey of Consensus Algorithms for Blockchain Technology. In Proceedings of the 2019 International Conference on Computer and Information Sciences (ICCIS), Sakaka, Saudi Arabia, 3–4 April 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 1–6. [Google Scholar] [CrossRef]
- Suresh, A.; Nair, A.R.; Lal, A.; Kumaran, S.M.; Sarath, G. A Hybrid Proof Based Consensus Algorithm for Permission Less Blockchain. In Proceedings of the 2020 Second International Conference on Inventive Research in Computing Applications (ICIRCA), Coimbatore, India, 15–17 July 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 707–713. [Google Scholar] [CrossRef]
- Nguyen, G.-T.; Kim, K. A Survey about Consensus Algorithms Used in Blockchain. J. Inf. Process. Syst. 2018, 14, 101–128. [Google Scholar] [CrossRef]
- Huang, J.; Tan, L.; Mao, S.; Yu, K. Blockchain Network Propagation Mechanism Based on P4P Architecture. Secur. Commun. Netw. 2021, 2021, 8363131. [Google Scholar] [CrossRef]
- Essaid, M.; Kim, H.W.; Guil Park, W.; Lee, K.Y.; Jin Park, S.; Ju, H.T. Network Usage of Bitcoin Full Node. In Proceedings of the 2018 International Conference on Information and Communication Technology Convergence (ICTC), Jeju, Republic of Korea, 17–19 October 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 1286–1291. [Google Scholar] [CrossRef]
- Xu, Y. Section-Blockchain: A Storage Reduced Blockchain Protocol, the Foundation of an Autotrophic Decentralized Storage Architecture. In Proceedings of the 2018 23rd International Conference on Engineering of Complex Computer Systems (ICECCS), Melbourne, VIC, Australia, 12–14 December 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 115–125. [Google Scholar] [CrossRef]
- Liu, Y.; Zhang, Y.; Zhu, S.; Chi, C. A Comparative Study of Blockchain-Based DNS Design. In Proceedings of the 2019 2nd International Conference on Blockchain Technology and Applications, Xi’an, China, 9–11 December 2019; ACM: New York, NY, USA, 2019; pp. 86–92. [Google Scholar] [CrossRef]
- Liang, Y.-C. Blockchain for Dynamic Spectrum Management. In Dynamic Spectrum Management, Proceeding of the Cognitive Radio to Blockchain and Artificial Intelligence; Springer: Berlin/Heidelberg, Germany, 2020; pp. 121–146. [Google Scholar] [CrossRef]
- Choo, K.-K.R.; Dehghantanha, A.; Parizi, R.M. (Eds.) Blockchain Cybersecurity, Trust and Privacy. In Advances in Information Security; Springer International Publishing: Cham, Switzerland, 2020; Volume 79. [Google Scholar] [CrossRef]
- Edgcombe, J. So, You Want to Connect Your IoT Device to the Blockchain? 2016. Available online: https://www.cambridgeconsultants.com/insights/so-you-want-to-connect-your-iot-device-to-the-b)lockchain (accessed on 10 November 2022).
- Rezaeighaleh, H.; Zou, C.C. New Secure Approach to Backup Cryptocurrency Wallets. In Proceedings of the 2019 IEEE Global Communications Conference (GLOBECOM), Waikoloa, HI, USA, 9–13 December 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 1–6. [Google Scholar] [CrossRef]
- Sung, S. A New Key Protocol Design for Cryptocurrency Wallet. ICT Express 2021, 7, 316–321. [Google Scholar] [CrossRef]
- Partz, H. Bilaxy Exchange Suspends Website after ERC-20 Hot Wallet Hack. 2021. Available online: https://cointelegraph.com/news/bilaxy-exchange-suspends-website-after-erc-20-hot-wallet-hack (accessed on 12 December 2022).
- Thomas, D. AscendEX Hacked, $77.7M Lost From Hot Wallets. 2021. Available online: https://beincrypto.com/ascendex-hacked-77-7m-lost-from-hot-wallets/ (accessed on 5 June 2022).
- Werapun, W.; Karode, T.; Arpornthip, T.; Suaboot, J.; Sangiamkul, E.; Boonrat, P. The Flash Loan Attack Analysis (FAA) Framework—A Case Study of the Warp Finance Exploitation. Informatics 2022, 10, 3. [Google Scholar] [CrossRef]
- Qin, K.; Zhou, L.; Livshits, B.; Gervais, A. Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit. In Proceedings of the International Conference on Financial Cryptography and Data Security, Virtual Event, 1–5 March 2021; pp. 3–32. [Google Scholar] [CrossRef]
- Thurman, A. Cream Finance Exploited in Flash Loan Attack Netting Over $100M. 2021. Available online: https://www.coindesk.com/business/2021/10/27/cream-finance-exploited-in-flash-loan-attack-worth-over-100m (accessed on 6 June 2022).
- Solorio, K.; Hooper, D.; Kanna, R. Hands-On Smart Contract Development with Solidity and Ethereum: From Fundamentals to Deployment Paperback; O’Reilly Media: Sebastopol, CA, USA, 2019. [Google Scholar]
- Shahda, W. Protect Your Solidity Smart Contracts from Re-entrancy Attacks. 2019. Available online: https://medium.com/coinmonks/protect-your-solidity-smart-contracts-from-reentrancy-attacks-9972c3af7c21 (accessed on 4 September 2022).
- Praitheeshan, P.; Pan, L.; Yu, J.; Liu, J.; Doss, R. Security Analysis Methods on Ethereum Smart Contract Vulnerabilities: A Survey. arXiv 2019, arXiv:1908.08605. [Google Scholar]
- Ma, R.; Gorzny, J.; Zulkoski, E.; Bak, K.; Mack, O.V. Fundamentals of Smart Contract Security, Kindle ed.; Momentum Press: New York, NY, USA, 2019. [Google Scholar]
- Gao, J.; Liu, H.; Liu, C.; Li, Q.; Guan, Z.; Chen, Z. EASYFLOW: Keep Ethereum Away from Overflow. In Proceedings of the 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), Montreal, QC, Canada, 25–31 May 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 23–26. [Google Scholar] [CrossRef]
- Jiang, B.; Liu, Y.; Chan, W.K. ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, Montpellier, France, 3–7 September 2018; ACM: New York, NY, USA, 2018; pp. 259–269. [Google Scholar] [CrossRef]
- Khan, Z.A.; Siami Namin, A. Ethereum Smart Contracts: Vulnerabilities and their Classifications. In Proceedings of the 2020 IEEE International Conference on Big Data (Big Data), Atlanta, GA, USA, 10–13 December 2020. [Google Scholar] [CrossRef]
- Huang, Y.; Bian, Y.; Li, R.; Zhao, J.L.; Shi, P. Smart Contract Security: A Software Lifecycle Perspective. IEEE Access 2019, 7, 150184–150202. [Google Scholar] [CrossRef]
- Tikhomirov, S.; Voskresenskaya, E.; Ivanitskiy, I.; Takhaviev, R.; Marchenko, E.; Alexandrov, Y. SmartCheck. In Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain; ACM: New York, NY, USA, 2018; pp. 9–16. [Google Scholar] [CrossRef]
- Sayeed, S.; Marco-Gisbert, H.; Caira, T. Smart Contract: Attacks and Protections. IEEE Access 2020, 8, 24416–24427. [Google Scholar] [CrossRef]
- Samreen, N.F.; Alalfi, M.H. SmartScan: An Approach to Detect Denial of Service Vulnerability in Ethereum Smart Contracts. In Proceedings of the 2021 IEEE/ACM 4th International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), Madrid, Spain, 31 May 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 17–26. [Google Scholar] [CrossRef]
- Bouichou, A.; Mezroui, S.; El Oualkadi, A. An Overview of Ethereum and Solidity Vulnerabilities. In Proceedings of the 2020 International Symposium on Advanced Electrical and Communication Technologies (ISAECT), Marrakech, Morocco, 25–27 November 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 1–7. [Google Scholar] [CrossRef]
- Swcregistry. Weak Sources of Randomness from Chain Attributes. 2020. Available online: https://swcregistry.io/docs/SWC-120 (accessed on 10 October 2022).
- Chatterjee, K.; Goharshady, A.K.; Pourdamghani, A. Probabilistic Smart Contracts: Secure Randomness on the Blockchain. In Proceedings of the 2019 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), Seoul, Republic of Korea, 14–17 May 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 403–412. [Google Scholar] [CrossRef]
- swcregistry. Hash Collisions with Multiple Variable Length Arguments. 2020. Available online: https://swcregistry.io/docs/SWC-133 (accessed on 17 October 2022).
- Chittoda, J. Mastering Blockchain Programming with Solidity: Write Production-Ready Smart Contracts for Ethereum Blockchain with Solidity; Packt Publishing: Birmingham, UK, 2019. [Google Scholar]
- Solidity Programming Language. Contract ABI Specification. 2021. Available online: https://docs.soliditylang.org/en/v0.8.11/abi-spec.html (accessed on 20 February 2023).
- Zipfel, K. New Smart Contract Weakness: Hash Collisions with Multiple Variable Length Arguments. 2020. Available online: https://medium.com/swlh/new-smart-contract-weakness-hash-collisions-with-multiple-variable-length-arguments-dc7b9c84e493 (accessed on 2 November 2022).
- Ghaleb, A.; Rubin, J.; Pattabiraman, K. AChecker: Statically Detecting Smart Contract Access Control Vulnerabilities. In Proceedings of the 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE), Melbourne, Australia, 14–20 May 2023. [Google Scholar]
- Dai, W.; Wang, C.; Cui, C.; Jin, H.; Lv, X. Blockchain-Based Smart Contract Access Control System. In Proceedings of the 2019 25th Asia-Pacific Conference on Communications (APCC), Ho Chi Minh City, Vietnam, 6–8 November 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 19–23. [Google Scholar] [CrossRef]
- OpenZeppelin. Access Control. 2022. Available online: https://docs.openzeppelin.com/contracts/4.x/access-control (accessed on 7 March 2023).
- Code4rena. Frax Ether Liquid Staking Contest Findings & Analysis Report—Centra. 2022. Available online: https://code4rena.com/reports/2022-09-frax/#m-01-centralization-risk-admin-have-privileges-admin-can-set-address-to-mint-any-amount-of-frxeth-can-set-any-address-as-validator-and-change-important-state-in-frxethminter-and-withdraw-fund-from-frcethminter- (accessed on 9 May 2023).
- Mirkin, M.; Ji, Y.; Pang, J.; Klages-Mundt, A.; Eyal, I.; Juels, A. BDoS: Blockchain Denial-of-Service. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, 9–13 November 2020; ACM: New York, NY, USA, 2020; pp. 601–619. [Google Scholar] [CrossRef]
- Kitakami, M.; Matsuoka, K. An Attack-Tolerant Agreement Algorithm for Block Chain. In Proceedings of the 2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC), Taipei, Taiwan, 4–7 December 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 227–228. [Google Scholar] [CrossRef]
- Saad, M.; Njilla, L.; Kamhoua, C.; Mohaisen, A. Countering Selfish Mining in Blockchains. In Proceedings of the 2019 International Conference on Computing, Networking and Communications (ICNC), Honolulu, HI, USA, 18–21 February 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 360–364. [Google Scholar] [CrossRef]
- Sun, H.; Ruan, N.; Su, C. How to Model the Bribery Attack: A Practical Quantification Method in Blockchain. In Proceedings of the 25th European Symposium on Research in Computer Security, ESORICS 2020, Guildford, UK, 14–18 September 2020; pp. 569–589. [Google Scholar] [CrossRef]
- Bonneau, J. Why Buy When You Can Rent? Bribery Attacks on Bitcoin-Style Consensus. In Proceedings of the International Conference on Financial Cryptography and Data Security, Christ Church, Barbados, 26 February 2016; pp. 19–26. [Google Scholar]
- Liao, K.; Katz, J. Incentivizing Double-Spend Collusion in Bitcoin. In Proceedings of the Financial Cryptography Bitcoin Workshop, Sliema, Malta, 7 April 2017. [Google Scholar]
- Saad, M.; Thai, M.T.; Mohaisen, A. POSTER. In Proceedings of the 2018 on Asia Conference on Computer and Communications Security, Incheon, Republic of Korea, 4–8 June 2018; ACM: New York, NY, USA, 2018; pp. 809–811. [Google Scholar] [CrossRef]
- Li, Z.; Gao, S.; Peng, Z.; Guo, S.; Yang, Y.; Xiao, B. B-DNS: A Secure and Efficient DNS Based on the Blockchain Technology. IEEE Trans. Netw. Sci. Eng. 2021, 8, 1674–1686. [Google Scholar] [CrossRef]
- Ren, S.; Liu, B.; Yang, F.; Wei, X.; Yang, X.; Wang, C. BlockDNS: Enhancing Domain Name Ownership and Data Authenticity with Blockchain. In Proceedings of the 2019 IEEE Global Communications Conference (GLOBECOM), Waikoloa, HI, USA, 9–13 December 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 1–6. [Google Scholar] [CrossRef]
- Swathi, P.; Modi, C.; Patel, D. Preventing Sybil Attack in Blockchain Using Distributed Behavior Monitoring of Miners. In Proceedings of the 2019 10th International Conference on Computing, Communication and Networking Technologies (ICCCNT), Kanpur, India, 6–8 July 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 1–6. [Google Scholar] [CrossRef]
- Saad, M.; Anwar, A.; Ahmad, A.; Alasmary, H.; Yuksel, M.; Mohaisen, D. RouteChain: Towards Blockchain-Based Secure and Efficient BGP Routing. Comput. Netw. 2022, 217, 109362. [Google Scholar] [CrossRef]
- Hu, B.; Zhou, C.; Tian, Y.-C.; Qin, Y.; Junping, X. A Collaborative Intrusion Detection Approach Using Blockchain for Multimicrogrid Systems. IEEE Trans. Syst. Man Cybern. Syst. 2019, 49, 1720–1730. [Google Scholar] [CrossRef]
- Sward, A.; Vecna, I.; Stonedahl, F. Data Insertion in Bitcoin’s Blockchain. Ledger 2018, 3. [Google Scholar] [CrossRef]
- Khan, K.M.; Arshad, J.; Khan, M.M. Simulation of Transaction Malleability Attack for Blockchain-Based e-Voting. Comput. Electr. Eng. 2020, 83, 106583. [Google Scholar] [CrossRef]
- Sigurdsson, G.; Giaretta, A.; Dragoni, N. Vulnerabilities and Security Breaches in Cryptocurrencies. In Proceedings of the 6th International Conference in Software Engineering for Defence Applications: SEDA 2018, Rome, Italy, 7–8 June 2018; Springer International Publishing: Berlin/Heidelberg, Germany, 2020; pp. 288–299. [Google Scholar] [CrossRef]
- Kearney, J.J.; Perez-Delgado, C.A. Vulnerability of Blockchain Technologies to Quantum Attacks. Array 2021, 10, 100065. [Google Scholar] [CrossRef]
- Khalifa, A.M.; Bahaa-Eldin, A.M.; Sobh, M.A. Quantum Attacks and Defenses for Proof-of-Stake. In Proceedings of the ICCES 2019: 2019 14th International Conference on Computer Engineering and Systems, Cairo, Egypt, 17 December 2019. [Google Scholar] [CrossRef]
- Conti, M.; Sandeep Kumar, E.; Lal, C.; Ruj, S. A Survey on Security and Privacy Issues of Bitcoin. IEEE Commun. Surv. Tutor. 2018, 20, 3416–3452. [Google Scholar] [CrossRef]
- Hu, Y.; Wang, S.; Tu, G.-H.; Xiao, L.; Xie, T.; Lei, X.; Li, C.-Y. Security Threats from Bitcoin Wallet Smartphone Applications. In Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, Virtual Event, USA, 26–28 April 2021; ACM: New York, NY, USA, 2021; pp. 89–100. [Google Scholar] [CrossRef]
- Tanana, D. Behavior-Based Detection of Cryptojacking Malware. In Proceedings of the 2020 Ural Symposium on Biomedical Engineering, Radioelectronics and Information Technology (USBEREIT), Yekaterinburg, Russia, 14–15 May 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 0543–0545. [Google Scholar] [CrossRef]
- Sm4rty. Smart Contract Audit Methodology & Tips. 2022. Available online: https://sm4rty.medium.com/smart-contract-audit-methodology-tips-6e529a3f3435 (accessed on 15 May 2023).
- Ajienka, N.; Vangorp, P.; Capiluppi, A. An Empirical Analysis of Source Code Metrics and Smart Contract Resource Consumption. J. Softw. EVolume Process 2020, 32, e2267. [Google Scholar] [CrossRef]
- SWC. Smart Contract Weakness Classification and Test Cases. 2020. Available online: https://swcregistry.io/ (accessed on 2 June 2023).
- ConsenSys. Ethereum Smart Contract Best Practices—Known Attacks. Available online: https://consensys.github.io/smart-contract-best-practices/ (accessed on 7 June 2023).
- Alkhalifah, A.; Ng, A.; Watters, P.A.; Kayes, A.S.M. A Mechanism to Detect and Prevent Ethereum Blockchain Smart Contract Reentrancy Attacks. Front. Comput. Sci. 2021, 3, 598780. [Google Scholar] [CrossRef]
- Feng, Y.; Torlak, E.; Bodik, R. Precise Attack Synthesis for Smart Contracts. arXiv 2019, arXiv:1902.06067. [Google Scholar]
- Fang, Y.; Wang, C.; Sun, Z.; Cheng, H. Jyane: Detecting Reentrancy Vulnerabilities Based on Path Profiling Method. In Proceedings of the 2021 IEEE 27th International Conference on Parallel and Distributed Systems (ICPADS), Beijing, China, 14–16 December 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 274–282. [Google Scholar] [CrossRef]
- Goldberg, O. How to Not Destroy Millions in Smart Contracts. 2018. Available online: https://hackernoon.com/how-to-not-destroy-millions-in-smart-contracts-pt-2-85c4d8edd0cf (accessed on 15 June 2023).
- Wang, A.; Wang, H.; Jiang, B.; Chan, W.K. Artemis: An Improved Smart Contract Verification Tool for Vulnerability Detection. In Proceedings of the 2020 7th International Conference on Dependable Systems and Their Applications (DSA), Xi’an, China, 28–29 November 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 173–181. [Google Scholar] [CrossRef]
- Eskandari, S.; Moosavi, S.; Clark, J. SoK: Transparent Dishonesty: Front-Running Attacks on Blockchain. In Proceedings of the Financial Cryptography and Data Security: FC 2019 International Workshops, VOTING and WTSC, St. Kitts, St. Kitts and Nevis, 18–22 February 2019. [Google Scholar]
- Najafi, S. Front-Running Attacks on Blockchain. 2020. Available online: https://medium.com/codechain/front-running-attacks-on-blockchain-1f5ba28cd42b (accessed on 14 April 2023).
- Mense, A.; Flatscher, M. Security Vulnerabilities in Ethereum Smart Contracts. In Proceedings of the 20th International Conference on Information Integration and Web-Based Applications & Services, Yogyakarta, Indonesia, 19–21 November 2018; ACM: New York, NY, USA, 2018; pp. 375–380. [Google Scholar] [CrossRef]
- Kushwaha, S.S.; Joshi, S.; Singh, D.; Kaur, M.; Lee, H.-N. Systematic Review of Security Vulnerabilities in Ethereum Blockchain Smart Contract. IEEE Access 2022, 10, 6605–6621. [Google Scholar] [CrossRef]
- Ghaleb, A.; Rubin, J.; Pattabiraman, K. ETainter: Detecting Gas-Related Vulnerabilities in Smart Contracts. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual Event, Republic of Korea, 18–22 July 2022; ACM: New York, NY, USA, 2022; pp. 728–739. [Google Scholar] [CrossRef]
- Grech, N.; Kong, M.; Jurisevic, A.; Brent, L.; Scholz, B.; Smaragdakis, Y. MadMax: Surviving out-of-Gas Conditions in Ethereum Smart Contracts. Proc. ACM Program. Lang. 2018, 2, 1–27. [Google Scholar] [CrossRef]
- Amiet, N. Blockchain Vulnerabilities in Practice. Digit. Threat. Res. Pract. 2021, 2, 1–7. [Google Scholar] [CrossRef]
- CertiK. Better Security for Blockchains and Smart Contracts. 2023. Available online: https://www.certik.com/products/formal-verification (accessed on 27 June 2023).
- Mou, T.; Coblenz, M.; Aldrich, J. An Empirical Study of Protocols in Smart Contracts. arXiv 2021, arXiv:2110.08983. [Google Scholar] [CrossRef]
- Li, X.; Ma, Z.; Luo, S. Blockchain-Oriented Privacy Protection with Online and Offline Verification in Cross-Chain System. In Proceedings of the 2022 International Conference on Blockchain Technology and Information Security (ICBCTIS), Huaihua City, China, 15–17 July 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 177–181. [Google Scholar] [CrossRef]
- Ghaffari, F.; Bertin, E.; Crespi, N.; Behrad, S.; Hatin, J. A Novel Access Control Method Via Smart Contracts for Internet-Based Service Provisioning. IEEE Access 2021, 9, 81253–81273. [Google Scholar] [CrossRef]
- CertiK. What Is a Timelock? 2021. Available online: https://www.certik.com/resources/blog/Timelock (accessed on 27 June 2023).
- Shanzson. Smart Contract Auditor Tools and Techniques. 2022. Available online: https://github.com/shanzson/Smart-Contract-Auditor-Tools-and-Techniques (accessed on 28 June 2023).
Criteria for Inclusion | Criteria for Exclusion |
The paper must be peer-reviewed and published in research databases. The technical report must be reviewed by reputable blockchain security analysis companies. The paper must contain information associated with blockchain technology or related to blockchain layering, key components, vulnerabilities and attacks on Ethereum. | Papers focusing on business or legal impacts of blockchain applications. Papers focusing on other blockchain platforms other than Ethereum. Papers written in a language other than English |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Mollajafari, S.; Bechkoum, K. Blockchain Technology and Related Security Risks: Towards a Seven-Layer Perspective and Taxonomy. Sustainability 2023, 15, 13401. https://doi.org/10.3390/su151813401
Mollajafari S, Bechkoum K. Blockchain Technology and Related Security Risks: Towards a Seven-Layer Perspective and Taxonomy. Sustainability. 2023; 15(18):13401. https://doi.org/10.3390/su151813401
Chicago/Turabian StyleMollajafari, Sepideh, and Kamal Bechkoum. 2023. "Blockchain Technology and Related Security Risks: Towards a Seven-Layer Perspective and Taxonomy" Sustainability 15, no. 18: 13401. https://doi.org/10.3390/su151813401
APA StyleMollajafari, S., & Bechkoum, K. (2023). Blockchain Technology and Related Security Risks: Towards a Seven-Layer Perspective and Taxonomy. Sustainability, 15(18), 13401. https://doi.org/10.3390/su151813401