ChainSecurity, a spin-off company founded by ETH Zurich scientists, has discovered a vulnerability in a scheduled upgrade to the Ethereum blockchain platform – in the nick of time.
After bitcoin, digital currency ether is the second most widespread cryptocurrency. However, Ethereum – the blockchain platform that supports ether transactions – has a few technological advantages over the market leader. Whereas practically the only use for bitcoin is in monetary transactions, Ethereum offers the additional option of linking the transactions to contractual conditions in what are known as smart contracts. These are small computer programs that are executed when the relevant monetary transaction has been concluded or, conversely, that trigger a monetary transaction or data delivery once they have been executed.
Ethereum had a regular upgrade scheduled for last Wednesday, but this was stopped at the last minute following an alert from ChainSecurity, a spin-off company founded by ETH Zurich scientists. Hubert Ritzdorf, Chief Technology Officer at ChainSecurity and former ETH doctoral student, realised that the upgrade would open up a security loophole. He informed the Ethereum core team, which immediately halted the upgrade. “If the upgrade had gone ahead as planned, malicious users could have attacked certain contracts and then been able to raid the accounts of other users,” Ritzdorf explains.
Specifically, the security loophole would have arisen because Ethereum planned to considerably decrease the fee users would pay (known as gas) to carry out smart contracts. The intention behind the decrease was to make the platform more user-friendly; however, the change would have allowed users seeking to exploit the system to create nested executions of smart contracts that would process a transaction multiple times instead of just once. This would have made it possible to steal from the ether accounts of other users. At the moment, a combination of higher contract prices and a maximum fee per transaction makes it impossible to carry out such nested transactions.
Inspection authority for smart contracts
ChainSecurity is a spin-off founded one year ago by ETH Professor Martin Vechev and the former ETH doctoral students Ritzdorf and Petar Tsankov. The company’s overall goal is to make blockchain technologies more secure. To that end, it develops and operates automated scanning programs for auditing smart contracts. Providers of smart contracts can ask ChainSecurity to audit them and thus receive certification for the security of their contracts. This is particularly useful for companies that put cryptocurrency on the market (an activity known as mining), but also for all other providers of blockchain products, such as trading platforms and insurance companies.
Ritzdorf discovered the recent security flaws just a few days ago as he was examining the scheduled Ethereum upgrade (the details of which were published in advance) for potential effects on corporate clients’ existing smart contracts and updating his company’s in-house security audit tools.
“Smart contracts are not carried out by people or by a computer system controlled by a single company. Instead, they are executed by a kind of global machine. This creates a high level of confidence in their security,” explains Tsankov from ChainSecurity. He continued: “However, security is high only as long as the software and the individual smart contracts have no security vulnerabilities. Checking for these and guaranteeing security for our clients is our business model.”
This release was first published 21 January 2019 by ETH Zurich.