A recent study shows that 0.36% of the smart contracts are vulnerable to failures due to human errors. Despite the small percentage, the failures can be translated into millions of dollars.
The study, conducted by researchers from University College London and the School of Computing at the National University of Singapore, analyzed almost 1 million Ethereum contracts, of which 3,686 were labeled as potential failures that could be caused by human mistakes.
According to the researchers, they had to set up a private fork of the network and avoid any connection to the third parties present on the original network. By doing this, they were able to obtain the samples for the study.
“We implemented MAIAN, the first tool to precisely specify and reason about tracking properties, which uses inter-procedure symbolic analysis and concrete validation to show real vulnerabilities. Our analysis of almost one million contracts indicates 34,200 (2,365 different) vulnerable contracts, ten seconds per contract. In a subset of 3,759 contracts that we have sampled for concrete validation and manual analysis, we reproduced real exploits at a real positive rate of 89%, producing exploits for 3,686 contracts,” says the study made by Ivica Nikolic, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor.
The failures were classified into three categories:
- Prodigal contracts – contracts that can be manipulated into sending their funds to a destination other than the intended one;
- Suicidal contracts – contracts that can be destroyed by external attacks;
- Greedy contracts – contracts that can be manipulated into locking the funds they hold.
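To make the three categories concrete, the following Solidity sketch pairs a minimal flawed pattern of each kind with a hardened counterpart. It is an added illustration, not code from the article or from the MAIAN paper, and every contract and function name in it is invented for this example. It targets Solidity 0.8; note that `selfdestruct` has been deprecated in later compiler versions and its semantics were changed by EIP-6780 in the Cancun upgrade, so the "suicidal" pattern below describes the behaviour at the time of the study.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not from the MAIAN paper or the article): one minimal
// pattern per failure class, each beside a hardened variant.
// All contract and function names are invented for this example.

// 1. Prodigal: any caller can direct the contract's balance to an address of their choosing.
contract ProdigalVault {
    receive() external payable {}

    function payOut(address payable to, uint256 amount) external {
        // No check on msg.sender: anyone can drain the balance to any address.
        to.transfer(amount);
    }
}

// Hardened: payouts are restricted to the owner fixed at deployment.
contract GuardedVault {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    receive() external payable {}

    function payOut(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// 2. Suicidal: any caller can destroy the contract, and everything that
// delegates to its code stops working.
contract SuicidalLibrary {
    function kill() external {
        selfdestruct(payable(msg.sender)); // unrestricted
    }
}

// Hardened: only the owner may destroy it, and only after an explicit request,
// so a single mistaken call cannot retire the contract.
contract GuardedLibrary {
    address public immutable owner;
    bool public retireRequested;

    constructor() { owner = msg.sender; }

    function requestRetire() external {
        require(msg.sender == owner, "not owner");
        retireRequested = true;
    }

    function kill() external {
        require(msg.sender == owner && retireRequested, "not authorised");
        selfdestruct(payable(owner));
    }
}

// 3. Greedy: accepts ether but exposes no path to send it out again.
contract GreedyBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }
    // No withdraw(): every deposit is locked in the contract forever.
}

// Hardened: every deposit has a matching withdrawal path.
contract FairBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount; // update state before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The common thread in the hardened variants is that every state-changing path that moves or destroys value is gated on a fixed authority and, for destruction, on a deliberate two-step, while any contract that accepts ether also provides a way for it to leave. These are the properties a trace-based analysis such as the one described in the study checks for.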
Because a system may rely on several contracts, more than one of these failures can occur at the same time. The researchers give the example of Parity: last November an error froze almost $150 million in Ethereum when a user accidentally triggered the bug.
In the case of Parity, the failure can be considered a suicidal contract, but a greedy one as well, since the funds remained blocked. If a contract is terminated, its code can no longer be executed on the blockchain. However, the remaining contracts can continue to receive transactions but will no longer be able to use the code of the terminated contract, so their funds become permanently blocked.
The programming language for Ethereum was created in 2014 with the intention of making smart contracts more secure. The language is called Solidity, and since it is new, programmers who have not fully mastered it can make mistakes.
The researchers suggest, however, that the adoption of Solidity is critical for the network's development, and that as programmers become more accustomed to it, human errors should diminish.