Smart contracts are used in modern blockchain systems to implement all kinds of contractual regulations. They enable the autonomous administration of cryptocurrency and regulate, without the intervention of a third party (e.g., a notary or a bank), the transfer of values and rights between actors. Smart contracts thus have great potential to revolutionize business areas such as the finance, insurance, and energy sectors. They are easy to use, and some contracts hold a high monetary value; both factors make them an attractive target for attackers, who try to exploit programming errors in the code, for example to steal cryptocurrency.
To prevent this, developers must react quickly to any security vulnerability that is discovered, because smart contracts are always online and always available, a direct consequence of the distributed structure of the underlying blockchain. However, corrections are rarely instant, as paluno researcher Michael Rodler knows: "Our analyses of the Ethereum blockchain have shown that vulnerable smart contracts often continue to be used by unsuspecting users, even though security problems in these contracts were made public months before. Often, no action is taken to terminate or remedy these smart contracts."
One probable reason for this is that the manual correction procedures currently available are time-consuming and error-prone. The "Secure Software Systems" working group (Prof. Davi), together with NEC Laboratories Europe, has therefore developed a framework that helps developers fix errors automatically. For this purpose, the new patching framework features a "bytecode rewriter." Independently of the programming language and compiler used, it patches common Ethereum smart contracts by rewriting their deployed bytecode, so the patch does not depend on access to, or recompilation of, the original source code.
The effectiveness of this technique was demonstrated by simulated attacks on 14,000 real, vulnerable smart contracts. The attack transactions were successfully blocked, while the functionality of the original contracts remained completely intact. A usability study showed that the tool is practical and gives developers a decisive time advantage. "Our EVMPatch framework enables developers to respond quickly to security vulnerabilities and fix the faulty code directly. In doing so, they protect the users of their smart contracts," explains Michael Rodler, who will present the work at the renowned USENIX Security Symposium in Vancouver next year.
Publication
Rodler, Michael; Li, Wenting; Karame, Ghassan O.; Davi, Lucas: EVMPatch: Timely and Automated Patching of Ethereum Smart Contracts. In: Proc. of 30th USENIX Security Symposium. USENIX Association, Vancouver, B.C., Canada 2021. https://arxiv.org/abs/2010.00341
Contact
System Security (SYSSEC) | +49 201 18-36445 | lucas.davi@uni-due.de
Press and Public Relations | +49 201 18-34655 | birgit.kremer@paluno.uni-due.de