Smart contracts are difficult to change: once you launch one to the market, there is no going back. This is often an unpleasant fact that can frustrate your plans. Smart contracts are developed to make business easier and more profitable, and nobody hopes for one to turn into a disaster.
You may have planned a mature, well-designed smart contract to avoid failure, but even a good smart contract is difficult to get right. Three main attributes are basic to how smart contracts operate: expressing value, transparency, and immutability.
However, these three attributes are also a security hazard and a target for cybercriminals. Even in the absence of external criminals, system vulnerabilities rooted in the weaknesses of these three attributes are often the reason for capital collapse and business losses.
In this article, let’s discuss which vulnerabilities in a smart contract can lead to failure, along with examples of cases at companies whose smart contracts were successfully hacked.
5 Vulnerabilities of Smart Contracts
1. Integer Arithmetic Errors
A simple and common error in smart contracts is an error in integer arithmetic. Because floating-point support is lacking, smart contracts generally represent values as integers. In financial programs, using integers to represent values generally requires expressing them in smaller units for accuracy. A simple example is stating a value in cents instead of dollars, so that we never have to state 0.5 dollars.
One problem developers have long been aware of is the possibility of integer overflow. Like the odometer that records the distance traveled by a car, an integer stored on a computer has a maximum value; when this value is reached, the integer wraps around and starts again from the minimum value. Developers recognize this potential problem, which can be avoided with secure math libraries.
However, the problems don’t stop there: precision is also lost when integer arithmetic is done in the wrong order. For example, when calculating 25% of 80 in integers, writing 80/100*25 results in 0 because of a rounding error. The error here is that the division is done before the multiplication. This kind of error occurs often in smart contracts and causes failures.
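The ordering error and the wrap-around described above, written in Solidity as an added example that is not part of the original article. The contract and function names are hypothetical, and it assumes Solidity 0.8.0 or later, where arithmetic is checked by default and `unchecked` restores wrap-around.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; the contract and function names are hypothetical.
// Operands are passed as parameters because Solidity evaluates expressions
// made only of number literals with arbitrary precision at compile time,
// which would hide the truncation.
contract IntegerPitfalls {
    // Division first: for amount 80 and percent 25, 80 / 100 truncates
    // to 0 before the multiplication, so the whole result is 0.
    function percentOfDivideFirst(uint256 amount, uint256 percent)
        external pure returns (uint256)
    {
        return amount / 100 * percent;
    }

    // Multiplication first: 80 * 25 = 2000, then 2000 / 100 = 20.
    // The product can overflow for very large inputs; since 0.8.0 that
    // reverts instead of silently wrapping.
    function percentOfMultiplyFirst(uint256 amount, uint256 percent)
        external pure returns (uint256)
    {
        return amount * percent / 100;
    }

    // Wrap-around, the odometer behaviour: a uint8 holding 255 plus 1
    // starts again from 0 when the check is switched off.
    function wrappingAdd(uint8 a, uint8 b) external pure returns (uint8) {
        unchecked {
            return a + b;
        }
    }

    // Checked arithmetic (the default since 0.8.0): the same addition
    // reverts with Panic(0x11) instead of returning a wrapped value.
    function checkedAdd(uint8 a, uint8 b) external pure returns (uint8) {
        return a + b;
    }
}
```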
2. The Block Gas Limit
The block gas limit is used by Ethereum to ensure that each block doesn’t grow too large. This means that each block can contain only a limited number of transactions, which together consume a set amount of gas.
In simple terms, if a transaction uses too much gas, it will not fit into a block and will never be executed. This can lead to a common class of vulnerabilities.
A very common vulnerability arises when data is stored in a resizable array and the contract repeatedly iterates over that array: transactions can easily run out of gas and roll back. This is common in production, where the number of items usually continues to grow.
This is dangerous because contracts with this problem generally pass their unit tests and work fine with small numbers of items. However, as usage continues and the project grows, the amount of data increases and the contract will fail.
When this happens it usually affects funds, and with recurring payments it can make recovery impossible.
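An added Solidity example, not from the original article, showing the growing-array loop described above next to two bounded alternatives: crediting payees in batches and letting each payee withdraw their own balance. The contract, function and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration; all names are hypothetical.
contract RecurringPayout {
    address public immutable owner = msg.sender;
    address[] public payees;                 // grows as the project grows
    mapping(address => uint256) public owed;
    uint256 public cursor;                   // next index for creditBatch

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    receive() external payable {}            // funds the payouts

    function addPayee(address payee) external onlyOwner {
        require(payee != address(0), "zero address");
        payees.push(payee);
    }

    // Fragile: gas grows with payees.length. Passes tests with a few payees,
    // then reverts on every call once the loop no longer fits in a block.
    function creditAll(uint256 amount) external onlyOwner {
        for (uint256 i = 0; i < payees.length; i++) {
            owed[payees[i]] += amount;
        }
    }

    // Bounded: at most maxCount payees per transaction, resuming at cursor.
    function creditBatch(uint256 amount, uint256 maxCount) external onlyOwner returns (bool done) {
        uint256 end = cursor + maxCount;
        if (end > payees.length) end = payees.length;
        for (uint256 i = cursor; i < end; i++) {
            owed[payees[i]] += amount;
        }
        done = (end == payees.length);
        cursor = done ? 0 : end;
    }

    // Pull payment: each payee collects their own balance, no loop needed.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;                // clear before the external call
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```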
3. Frontrunning
Frontrunning can be defined as the overtaking of unconfirmed transactions and is a result of transparency on the blockchain. All unconfirmed transactions appear in the memory pool before miners include them in a block, so interested traders can easily monitor the contents of transactions and get their own transactions in ahead of them by paying higher fees.
Exploiting this can be easily automated and has become very common in decentralized financial applications built on smart contracts. These types of problems require some form of refactoring or even redesign to solve.
4. Lack of Parameter and Precondition Checks
Forgetting to verify function parameters is often the reason invalid operations are allowed. Usually, this includes an address parameter not being verified against the null address, or a user’s token balance not being checked as sufficient to perform a certain operation.
Another example is access control, where only a certain type of user is allowed to call or use certain functions, but this is never verified. This error often results from an oversight in the design process.
To counteract this, it’s not a bad idea to write instructions for all functions indicating the parameters, the preconditions, and the operations to be performed, so that the developer sticks to the design patterns that have been set.
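The missing checks listed above and the advice to document each function’s preconditions, shown as a before and after pair in Solidity. This is an added example, not code from the original article; both contracts and all names in them are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; both contracts and their names are hypothetical.

// Before: no caller check, no address check, no balance check.
contract UncheckedToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;             // anyone can create tokens
    }

    function transfer(address to, uint256 amount) external {
        unchecked {
            balanceOf[msg.sender] -= amount; // wraps if the balance is too low
        }
        balanceOf[to] += amount;             // to may be address(0)
    }
}

// After: each function documents its preconditions and enforces them first.
contract GuardedToken {
    address public immutable owner = msg.sender;
    mapping(address => uint256) public balanceOf;

    /// @notice Create `amount` tokens for `to`.
    /// @dev Preconditions: caller is the owner; `to` is not the zero address.
    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "caller is not owner");
        require(to != address(0), "mint to zero address");
        balanceOf[to] += amount;
    }

    /// @notice Move `amount` tokens from the caller to `to`.
    /// @dev Preconditions: `to` is not the zero address; the caller holds
    ///      at least `amount` tokens.
    function transfer(address to, uint256 amount) external {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}
```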
5. Logic Bugs
The four vulnerabilities we’ve covered so far are fairly specific to smart contracts; this one has more to do with programming in general. Fundamental errors are common in smart contract logic. They can come from a simple typographical error or from a misunderstanding of the specification, which in turn has a serious impact on security.
These vulnerabilities may be simple errors, but they can be the first step towards the failure of smart contracts in your business. In the following, we will discuss cases of failure and hacking of smart contracts that have occurred.
Failure and Hacking Cases on Smart Contracts
1. Axie Infinity Hacked for $620 Million
The incident started with a fake job offer from North Korean hackers to a game developer, which ended in a hack that left Axie Infinity bearing a loss of $620 million in crypto. The attack took place in March 2022 and hit a game that was very popular and growing rapidly at the time, namely Sky Mavis.
According to a recent report from the digital asset news publication The Block, the attack started with a fake job offer made to staff at Sky Mavis via LinkedIn, with the hackers pretending to be a company looking to hire them.
A senior engineer at Axie Infinity was offered such a generous salary that he showed interest in the fake job offer and went through several rounds of job interviews. At one point, the engineer received a PDF file detailing the job he was offered. However, the document was the hackers’ way into the Ronin system, the Ethereum-related sidechain that powers video games based on the non-fungible Axie Infinity token.
The employee downloaded and opened the file on a company computer, which started the infection chain that eventually caused huge losses; Axie Infinity had to bear them to replace the money of the players affected by the hack.
The FBI has been able to link the attack to the Lazarus and APT38 hackers, who are raiding cryptocurrencies for the North Korean government.
2. Parity Ice Age
This is not a new case of failure, but it is still worth learning from. As we know, smart contracts are eternal. Every action performed on the Ethereum blockchain requires gas as fuel. If you do it wrong, you can spend a lot of money.
This is the reason why blockchain developers emphasize the inclusion of a “Kill” function. However, this function does not always exist in practice. When you’re trying to build a complex multi-signature system to increase the security of Ether holders, the last thing you want to hear from a newbie developer is “I accidentally killed it”.
This is what happened to Parity. The kill call permanently removed the library from the blockchain, adversely affecting the advanced parts of the platform. This security exploit froze more than $150 Ether in its users’ wallets.
Small vulnerabilities like these can be the beginning of failure and hacking, and they may raise a big question for you: even a system as sophisticated as this still has gaps that lead to losses. Keep in mind that smart contracts offer many advantages to both businesses and users. Everything still needs to be fixed.
However, looking at the existing cases, we have our doubts. What does the future hold for smart contracts? Do smart contracts still have a future in the business world? We have found and researched Smart Contract Future and Challenges.