- Your ‘Ethereum’ could be at risk of getting stolen by hackers, depending on where it’s stored.
- The attackers could exploit a vulnerability in non-audited and unverified smart contracts.
- Already, researchers have discovered 3,779 active smart contracts that are vulnerable to attacks.
Researchers from the CyberNews team have discovered 13 different vulnerabilities affecting 3,779 Ethereum contracts, which together hold 2,088 ETH ($973,000). “Smart contracts” are programs that run on the Ethereum blockchain, each residing at a specific address on it.
They can be considered a type of account: they have a balance and can send and receive transactions. A security flaw in a smart contract therefore means that an attacker could potentially steal its balance or intercept its transactions, both of which are serious outcomes.
The researchers scanned the Ethereum blockchain for vulnerable contracts for six months, and among the 13 vulnerabilities they found, four are high-severity. These are the following:
- Integer underflow: when an attacker with a zero balance sends one token, the unsigned balance wraps around and the attacker ends up holding the maximum possible number of tokens.
- Integer overflow: when a balance reaches its maximum value and an attacker receives one more token, it wraps around and starts again from zero.
- Unprotected Ether withdrawal: because of inadequate access control, any caller can withdraw Ether from the contract.
- Unprotected self-destruct: because of missing access control, any attacker can kill the contract and send its balance to an address of their choosing.
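The four flaw classes above, shown side by side in Solidity as an added example (constructed for this article; it is not code from the CyberNews research or from any of the affected contracts): a deliberately vulnerable vault next to a hardened version. The contract and function names (VulnerableVault, HardenedVault, withdrawAll, kill) are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not from the CyberNews research. The vulnerable
// contract reproduces the four high-severity flaw classes; the hardened
// contract shows the corresponding mitigations.

contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Integer underflow / overflow: inside `unchecked`, 0 - 1 wraps to
    // 2**256 - 1, so a zero-balance sender ends up with the maximum amount,
    // and a balance at the maximum wraps back toward zero when it grows.
    // (Solidity before 0.8 behaves this way even without `unchecked`.)
    function transfer(address to, uint256 amount) external {
        unchecked {
            balances[msg.sender] -= amount; // no balance check before subtracting
            balances[to] += amount;         // can wrap past the maximum
        }
    }

    // Unprotected Ether withdrawal: no access control, so any caller can
    // drain the whole contract balance.
    function withdrawAll() external {
        payable(msg.sender).transfer(address(this).balance);
    }

    // Unprotected self-destruct: any caller can kill the contract and send
    // its balance to an address they choose.
    function kill(address payable to) external {
        selfdestruct(to);
    }
}

contract HardenedVault {
    address public immutable owner;
    mapping(address => uint256) public balances;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function deposit() external payable {
        // Checked arithmetic (default in 0.8+) reverts instead of wrapping.
        balances[msg.sender] += msg.value;
    }

    function transfer(address to, uint256 amount) external {
        // Explicit guard gives a clear error; checked arithmetic would also
        // revert on underflow.
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }

    // Each caller may withdraw only their own balance. State is updated
    // before the external call (checks-effects-interactions).
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Self-destruct restricted to the owner and paying out only to the owner.
    // Newer compilers warn that selfdestruct is deprecated; removing it
    // entirely is the safer design.
    function kill() external onlyOwner {
        selfdestruct(payable(owner));
    }
}
```

The two arithmetic flaws disappear by compiling with Solidity 0.8 or later and not wrapping balance updates in `unchecked` (older code reached the same result with a SafeMath library); the two access-control flaws disappear by restricting privileged functions with an `onlyOwner`-style modifier and by letting users withdraw only what they themselves deposited. A quick review of any contract holding your funds can start with exactly these two questions: which functions move Ether or destroy the contract, and who is allowed to call them.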
If you are holding Ethereum, you should be concerned, but there is no need to panic right now. For your crypto to be stolen this way, it would have to be held by a site or online service of some kind, and that platform would have to fall victim to an attack on its smart contracts.
So first, check whether the service that holds your crypto uses smart contracts affected by any of the 13 vulnerabilities, especially the first four. If the smart contracts have been audited and/or verified, they should be safe.
Developers can fix the code and redeploy the smart contracts, which should remove the vulnerabilities and the associated hacking risk. CyberNews warns that this kind of attack has actually happened before, so the risk is not theoretical.
In 2016, hackers exploited flaws in smart contract code to initiate multiple transfers without submitting them, eventually stealing $50 million from The DAO (Decentralized Autonomous Organization), a venture capital fund.