Smart contracts are supposed to be just that: smart. However, some smart contracts currently circulating aren’t quite making the grade — with vulnerabilities exposing millions of dollars worth of Ethereum to potential theft.
HOW SMART ARE SMART CONTRACTS?
Smart contracts are computer protocols meant to digitally facilitate, verify, or enforce the execution of contracts. Smart contracts’ ability to partially or fully self-execute and self-enforce makes third parties unnecessary when completing transactions — and thus provides superior security and lower costs when compared to traditional contracting.
However, not all smart contracts are created equal, and some house rather serious security vulnerabilities.
According to Motherboard, upwards of 34,200 smart contracts in circulation currently feature coding bugs, potentially exposing millions of dollars to potential theft.
The first warning sign came last November, when an individual known as “DevOps199” took control of an Ethereum smart contract, destroyed it, and permanently locked up $150 million worth of cryptocurrency — a feat which, theoretically, should never have been allowed to happen.
MILLIONS OF DOLLARS AT RISK
Now, a team of researchers from the National University of Singapore, Yale-NUS College in Singapore, and University College London claim to have discovered 34,2oo more unsecured smart contracts. They also claim that $6 million worth of Ether (ETH) could be stolen from roughly 3,000 of those not-so-smart contracts — which doesn’t bode well for the other 31,200.
One of the report’s authors, Ilya Sergey, told Motherboard:
We’re dealing with applications that have two very unpleasant traits: They manage your money, and they cannot be amended.
Sergey also put breaking into smart contracts into layman’s terms, likening the process to breaking into a vending machine. He told Motherboard:
Imagine your goal isn’t to interact with the vending machine in a proper way, but rather you want to break it or get it to serve you for free. Assume we put a few coins in the machine, and just start randomly pushing buttons hoping that the inner workings of the vending machine—which we have no knowledge about, springs and whatnot—eventually releases the latch so you can take the candy.
The researchers’ report — which claims they were able to “reproduce real exploits at a true positive rate of 89 percent” — is currently being peer-reviewed.
The team was unsuccessful in their attempts to notify the creators of the unsecured smart contracts, and the likelihood that said vulnerabilities will be fixed isn’t particularly strong. Said Sergey:
If someone wants to exploit this idea, they’ll have to do at least as much work as we did.
With millions of dollars at stake, cyber thieves doing just that is far from inconceivable.