Research Pulse Issue #13 05/14/21

  1. Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts
    Authors: Nikolay Ivanov, Jianzhi Lou, Ting Chen, Jin Li, and Qiben Yan

Ethereum holds multiple billions of U.S. dollars in the form of Ether cryptocurrency and ERC-20 tokens, with millions of deployed smart contracts algorithmically operating these funds. Unsurprisingly, the security of Ethereum smart contracts has been under rigorous scrutiny. In recent years, numerous defense tools have been developed to detect different types of smart contract code vulnerabilities. When opportunities for exploiting code vulnerabilities diminish, the attackers start resorting to social engineering attacks, which aim to influence humans – often the weakest link in the system. The only known class of social engineering attacks in Ethereum are honeypots, which plant hidden traps for attackers attempting to exploit existing vulnerabilities, thereby targeting only a small population of potential victims. In this work, we explore the possibility and existence of new social engineering attacks beyond smart contract honeypots. We present two novel classes of Ethereum social engineering attacks - Address Manipulation and Homograph - and develop six zero-day social engineering attacks. To show how the attacks can be used in popular programming patterns, we conduct a case study of five popular smart contracts with combined market capitalization exceeding $29 billion, and integrate our attack patterns in their source codes without altering their existing functionality. Moreover, we show that these attacks remain dormant during the test phase but activate their malicious logic only at the final production deployment. We further analyze 85,656 open-source smart contracts, and discover that 1,027 of them can be used for the proposed social engineering attacks. We conduct a professional opinion survey with experts from seven smart contract auditing firms, corroborating that the exposed social engineering attacks bring a major threat to the smart contract systems.

Link: Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts - NASA/ADS

  2. A Note on Borrowing Constant Function Market Maker Shares
    Authors: Tarun Chitra, Guillermo Angeris, Alex Evans, and Hsien-Tang Kao

Constant function market makers (CFMMs) such as Uniswap, Balancer, and Curve, among many others, make up some of the largest decentralized exchanges on smart contract platforms like Ethereum. As the amount of capital deposited in these protocols has grown, improving capital efficiency for liquidity providers (LPs) has become an increasingly important challenge. One way to improve efficiency is to allow LPs to borrow Ether or USD against their shares in a CFMM protocol. In this note, we investigate the security and capital efficiency of allowing such lending. We provide sufficient conditions for LP borrowing to be at least as secure and capital efficient as direct borrowing in Aave/Compound. Furthermore, we show that the exposure taken by CFMM lenders can be replicated via barrier options, allowing for risks to be hedged. Finally, we show that the payoff of borrowed CFMM LP shares replicates bounded convex payoffs. Combined, these results suggest that CFMM lending is a safe mechanism for improving capital efficiency.


  3. On the Possibility of Creating Smart Contracts on Bitcoin by MPC-based Approaches
    Authors: Ahmad Jahanbin and Mohammad Sayad Haghighi

Bitcoin, as the first and the most adopted cryptocurrency, offers many features, one of which is contingent payment, that is, the owner of money can programmatically describe the condition upon which his/her money is spent. The condition is determined using a set of instructions written in the Bitcoin scripting language. Unfortunately, this scripting language is not sophisticated enough to create complex conditions or smart contracts in general. Many admirable efforts have been made to build a smart contract infrastructure on top of the Bitcoin platform. In this paper, given the inherent limitations of the Bitcoin scripting language, we critically analyze the practical effectiveness of these methods. Afterwards, we formally define what a smart contract is and introduce seven requirements that, if satisfied, make the creation of smart contracts for Bitcoin possible. Based on the introduced requirements, we examine the ability of the current methods that use secure Multi-party Computation (MPC) to create smart contracts for Bitcoin and show where they fall short. We additionally compare their pros and cons and give clues on how a comprehensive smart contract platform can possibly be built for Bitcoin.

Link: On the Possibility of Creating Smart Contracts on Bitcoin by MPC-based Approaches | IEEE Conference Publication | IEEE Xplore

  4. The (Im)Possibility on Constructing Verifiable Random Functions
    Authors: Shujiao Cao and Rui Xue

In this paper, we further explore the properties of the verifiable random functions in both a black-box and a non-black-box manner. The results mainly comprise the following two parts:
∙ Black-Box Barrier: It is set up for an impossibility result of black-box reduction from verifiable random functions to injective one-way functions and indistinguishability obfuscators, where the verifiable random functions are suggested to be domain-invariant (i.e. the support of the distribution of keys and the domain of the evaluation space are independent of the underlying building blocks). Our result illustrates how the non-domain-invariant constructions circumvent the black-box barriers for constructing verifiable random functions and sheds light on why it is so difficult to give a domain-invariant instantiation.
∙ Non-Black-Box Construction: On the other hand, the verifiable unpredictable functions are constructed from a given primitive by a non-black-box technique called the hitting-set generator. To show it’s a somewhat useful technique for constructing the verifiable unpredictable functions, we further derive a limitation of the black-box barrier by proving the barrier still holds between the given primitive and verifiable unpredictable functions.
Our results not only analyse the properties of verifiable random functions theoretically, but also reveal the limitation of indistinguishability obfuscators in a black-box manner, and show the advantages by adopting non-black-box techniques.


  5. DeFiRanger: Detecting Price Manipulation Attacks on DeFi Applications
    Authors: Siwei Wu, Dabao Wang, Jianting He, Yajin Zhou, Lei Wu, Xingliang Yuan, Qinming He, and Kui Ren

The rapid growth of Decentralized Finance (DeFi) boosts the Ethereum ecosystem. At the same time, attacks towards DeFi applications (apps) are increasing. However, to the best of our knowledge, existing smart contract vulnerability detection tools cannot be directly used to detect DeFi attacks. That’s because they lack the capability to recover and understand high-level DeFi semantics, e.g., a user trades a token pair X and Y in a Decentralized EXchange (DEX). In this work, we focus on the detection of two types of new attacks on DeFi apps, including direct and indirect price manipulation attacks. The former one means that an attacker directly manipulates the token price in DEX by performing an unwanted trade in the same DEX by attacking the vulnerable DeFi app. The latter one means that an attacker indirectly manipulates the token price of the vulnerable DeFi app (e.g., a lending app). To this end, we propose a platform-independent way to recover high-level DeFi semantics by first constructing the cash flow tree from raw Ethereum transactions and then lifting the low-level semantics to high-level ones, including token trade, liquidity mining, and liquidity cancel. Finally, we detect price manipulation attacks using the patterns expressed with the recovered DeFi semantics. We have implemented a prototype named DeFiRanger and applied it to more than 350 million transactions. It successfully detected 432 real-world attacks in the wild. We confirm that they belong to four known security incidents and five zero-day ones. We reported our findings. Two CVEs have been assigned. We further performed an attack analysis to reveal the root cause of the vulnerability, the attack footprint, and the impact of the attack. Our work urges the need to secure the DeFi ecosystem.

Link: DeFiRanger: Detecting Price Manipulation Attacks on DeFi Applications - NASA/ADS

  6. Zero Knowledge for Everything and Everyone: Fast ZK Processor with Cached ORAM for ANSI C Programs
    Authors: David Heath, Yibin Yang, David Devecsery, and Vladimir Kolesnikov

We build a complete and efficient ZK toolchain that handles proof statements encoded as arbitrary ANSI C programs.
Zero-Knowledge (ZK) proofs are foundational in cryptography. Recent ZK research has focused intensely on non-interactive proofs of small statements, useful in blockchain scenarios. We instead target large statements that are useful, e.g., in proving properties of programs.
Recent work (Heath and Kolesnikov, CCS 2020 [HK20a]) designed an efficient proof-of-concept ZK machine (ZKM). Their machine executes arbitrary programs over a minimal instruction set, authenticating in ZK the program execution. In this work, we significantly extend this research thrust, both in terms of efficiency and generality. Our contributions include:
• A rich and performance-oriented architecture for representing arbitrary ZK proofs as programs.
• A complete compiler toolchain providing full support for ANSI C95 programs. We ran off-the-shelf buggy versions of the Linux programs sed and gzip, proving in ZK that each program has a bug. To our knowledge, this is the first ZK system capable of executing standard Linux programs.
• Improved ZK oblivious RAM (ORAM). [HK20a] introduced an efficient ZK-specific ORAM BubbleRAM that consumes O(log² n) communication per access. We extend BubbleRAM with multi-level caching, decreasing communication to O(log n) per access. This introduces the possibility of a cache miss, which we handle cheaply. Our experiments show that cache misses are rare; in isolation, i.e., ignoring other processor costs, BubbleCache improves communication over BubbleRAM by more than 8×. Using BubbleCache improves our processor’s total communication (including costs of cache misses) by ≈ 25-30%.
• Numerous low-level optimizations, resulting in a CPU that is both more expressive and ≈ 5.5× faster than [HK20a]’s.
• Attention to user experience. Our engineer-facing ZK instrumentation and extensions are minimal and easy to use. Put together, our system is efficient and general, and can run many standard Linux programs. The resultant machine runs at up to 11KHz on a 1Gbps LAN and supports MBs of RAM.


  7. SmartPulse: Automated Checking of Temporal Properties in Smart Contracts
    Authors: Jon Stephens, Kostas Ferles, Benjamin Mariano, Shuvendu Lahiri, and Isil Dillig

Smart contracts are programs that run on the blockchain and digitally enforce the execution of contracts between parties. Because bugs in smart contracts can have serious monetary consequences, ensuring the correctness of such software is of utmost importance. In this paper, we present a novel technique, and its implementation in a tool called SMARTPULSE, for automatically verifying temporal properties in smart contracts. SMARTPULSE is the first smart contract verification tool that is capable of checking liveness properties, which ensure that “something good” will eventually happen (e.g., “I will eventually receive my refund”). We experimentally evaluate SMARTPULSE on a broad class of smart contracts and properties and show that (a) SMARTPULSE allows automatically verifying important liveness properties, (b) it is competitive with or better than state-of-the-art tools for safety verification, and (c) it can automatically generate attacks for vulnerable contracts.


  8. Proposal: Framework for Snarky Ceremonies
    Authors: Markulf Kohlweiss, Mary Maller, Janno Siim, and Mikhail Volkhov

Succinct non-interactive arguments of knowledge (SNARKs) have found widescale adoption in recent years. The most efficient SNARKs require a distributed ceremony protocol to generate public parameters, also known as a structured reference string (SRS). We propose a general security framework for non-interactive zero-knowledge (NIZK) arguments with a ceremony protocol. In particular, our framework generalizes the notion of updatable reference strings, proposed by Groth, Kohlweiss, Maller, Meiklejohn, and Miers [Crypto, 2018], to multiple independent update phases. Importantly, this allows us to also capture existing setup ceremonies as performed for Groth16 SNARKs.


  9. SMILE: Set Membership from Ideal Lattices with Applications to Ring Signatures and Confidential Transactions
    Authors: Vadim Lyubashevsky, Ngoc Khanh Nguyen, and Gregor Seiler

In a set membership proof, the public information consists of a set of elements and a commitment. The prover then produces a zero-knowledge proof showing that the commitment is indeed to some element from the set. This primitive is closely related to concepts like ring signatures and “one-out-of-many” proofs that underlie many anonymity and privacy protocols. The main result of this work is a new succinct lattice-based set membership proof whose size is logarithmic in the size of the set.
We also give a transformation of our set membership proof to a ring signature scheme. The ring signature size is also logarithmic in the size of the public key set and has size 16 KB for a set of 2^5 elements, and 22 KB for a set of size 2^25. At an approximately 128-bit security level, these outputs are between 1.5X and 7X smaller than the current state of the art succinct ring signatures of Beullens et al. (Asiacrypt 2020) and Esgin et al. (CCS 2019).
We then show that our ring signature, combined with a few other techniques and optimizations, can be turned into a fairly efficient Monero-like confidential transaction system based on the MatRiCT framework of Esgin et al. (CCS 2019). With our new techniques, we are able to reduce the transaction proof size by factors of about 4X - 10X over the aforementioned work. For example, a transaction with two inputs and two outputs, where each input is hidden among 2^15 other accounts, requires approximately 30KB in our protocol.


  10. ReTRACe: Revocable and Traceable Blockchain Rewrites using Attribute-based Cryptosystems
    Authors: Gaurav Panwar, Roopa Vishwanathan, and Satyajayant Misra

In this paper, we study efficient and authorized rewriting of transactions already written to a blockchain. Mutable transactions will make up a fraction of all blockchain transactions, but will be a necessity to meet the needs of privacy regulations, such as the General Data Protection Regulation (GDPR). The state-of-the-art rewriting approaches have several shortcomings, such as lack of user anonymity, inefficiency, and absence of revocation mechanisms. We present ReTRACe, an efficient framework for blockchain rewrites. ReTRACe is designed by composing a novel revocable chameleon hash with ephemeral trapdoor scheme, a novel revocable fast attribute based encryption scheme, and a dynamic group signature scheme. We discuss ReTRACe, and its constituent primitives in detail, along with their security analyses, and present experimental results to demonstrate the scalability of ReTRACe.


  11. Cyclic Arbitrage in Decentralized Exchange Markets
    Authors: Ye Wang, Yan Chen, Shuiguang Deng, and Roger Wattenhofer

In May 2020, Uniswap V2 was officially launched on Ethereum. Uniswap V2 allows users to create trading pools between any pair of cryptocurrencies, without the need for ETH as an intermediary currency. Uniswap V2 introduces new arbitrage opportunities: Traders are now able to trade cryptocurrencies cyclically: A trader can exchange currency A for B, then B for C, and finally C for A again through different trading pools. Almost surely, the three floating exchange rates are not perfectly in sync, which opens up arbitrage possibilities for cyclic trading.
In this paper, we study cyclic arbitrages in Decentralized Exchanges (DEXes) of cryptocurrencies with transaction-level data on Uniswap V2, observing 285,127 cyclic arbitrages over eight months. We conduct a theoretical analysis and an empirical evaluation to understand cyclic arbitrages systematically. We study the market size (the revenue and the cost) of cyclic arbitrages, how cyclic arbitrages change market prices, how cyclic arbitrageurs influence other participants, and the implementations of cyclic arbitrages.
Beyond the understanding of cyclic arbitrages, this paper suggests that with the smart contract technology and the replicated state machine setting of Ethereum, arbitrage strategies are easier implemented in DEXes than in Centralized Exchanges (CEXes). We find that deploying private smart contracts to implement cyclic arbitrages is more resilient to front-running attacks than applying cyclic arbitrages through public (opensource) smart contracts.
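To make the cyclic-trade mechanics concrete, here is an added example (not code from the paper) that routes a trade A to B to C to A through three constant-product pools using the Uniswap V2 swap arithmetic with its 0.3% fee, checks whether the cycle returns more of the starting token than it consumed, and searches for the trade size at which price impact stops the gain from growing. The pool reserves are constructed sample values, not on-chain data, and gas costs are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Pool:  # constant-product pool: reserve0 * reserve1 = k
    token0: str
    token1: str
    reserve0: int
    reserve1: int

    def swap(self, token_in: str, amount_in: int):
        """Return (token_out, amount_out) like UniswapV2Library.getAmountOut."""
        if token_in not in (self.token0, self.token1):
            raise ValueError(f"{token_in} not in pool {self.token0}/{self.token1}")
        if token_in == self.token0:
            r_in, r_out, token_out = self.reserve0, self.reserve1, self.token1
        else:
            r_in, r_out, token_out = self.reserve1, self.reserve0, self.token0
        in_with_fee = amount_in * 997  # Uniswap V2 keeps 0.3% of the input
        return token_out, in_with_fee * r_out // (r_in * 1000 + in_with_fee)

def simulate_cycle(pools: list, start: str, amount_in: int) -> int:
    """Route amount_in of `start` through the pools in order; return what comes back."""
    token, amount = start, amount_in
    for pool in pools:
        token, amount = pool.swap(token, amount)
    if token != start:
        raise ValueError("route does not close the cycle back to " + start)
    return amount

def cycle_profit(pools: list, start: str, amount_in: int) -> int:
    """Gross revenue of one cyclic trade in units of `start` (gas not modelled)."""
    return simulate_cycle(pools, start, amount_in) - amount_in

def best_input(pools: list, start: str, max_in: int) -> int:
    """Ternary search for the most profitable input; payoff is concave in size."""
    lo, hi = 1, max_in
    while hi - lo > 2:
        m1, m2 = lo + (hi - lo) // 3, hi - (hi - lo) // 3
        if cycle_profit(pools, start, m1) < cycle_profit(pools, start, m2):
            lo = m1
        else:
            hi = m2
    return max(range(lo, hi + 1), key=lambda x: cycle_profit(pools, start, x))

# Constructed sample reserves (not on-chain data): A/B and B/C imply 1 A = 2 C,
# but the C/A pool prices A at only 1.9 C, so the three rates are out of sync.
POOLS = [Pool("A", "B", 1_000_000, 2_000_000),
         Pool("B", "C", 2_000_000, 2_000_000),
         Pool("C", "A", 1_900_000, 1_000_000)]

if __name__ == "__main__":
    size = best_input(POOLS, "A", 200_000)
    print(cycle_profit(POOLS, "A", 1000), size, cycle_profit(POOLS, "A", size))
```

With three pools whose rates agree exactly, the same cycle loses the three fees, which is the "not perfectly in sync" condition the abstract describes.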


Research Pulse #13 is out!

If you’re interested in understanding DeFi security & attack types, make sure to check out DeFiRanger: Detecting Price Manipulation Attacks on DeFi Applications. It’s not a long paper, but it does an excellent job of providing the required background on DeFi terminology. Its contribution to the ecosystem is twofold. First, it formally defines two new types of DeFi attacks, namely direct and indirect price manipulation attacks. Then, the authors apply an automated detection methodology to more than 350 million transactions and find a total of 432 real-world attacks in the wild.

On the topic of zero-knowledge systems, the Proposal: Framework for Snarky Ceremonies provides an improved method that could be used to address one of the biggest risks of popular zkSNARK systems: trusted setup ceremonies. Put simply, these are ceremonies used by SNARK developers to bootstrap their systems. They are critical because if compromised, attackers would be able to fraudulently create proofs of statements that are not true. This improved method decreases the probability of such leaks taking place and it’s a worthy read.

Privacy is one of the industry’s most exciting research fields. In the paper SMILE: Set Membership from Ideal Lattices with Applications to Ring Signatures and Confidential Transactions, the authors provide an alternative approach to one of the most popular (and powerful) privacy mechanisms used by cryptoassets today: Monero’s RingCT. Through the technique described in the paper, the authors claim to reduce the transaction proof size by factors of about 4X - 10X over the existing RingCT implementations. If successfully implemented, this new approach might drastically increase the usability and efficiency of RingCT.