Luxembourg bank Spuerkeess joined forces with SnT in 2018 to investigate how they address the security of blockchain based services, as an important step towards understanding and managing the risks of real world blockchain deployments. It’s a multi-faceted project that will end in March 2022, but – as a side achievement – their research has revealed insights into a popular and unethical practice seen in the blockchain that hosts Ethereum, the world’s second largest cryptocurrency. The team has identified that at least $18.4 million has been syphoned off using so-called ‘frontrunning’ methods, when experimentally validating their developed solution.

Their project began through Spuerkeess’ desire to have a thorough picture of the current situation of blockchain – to realise the huge potential of digitalised ledgers and other technologies. Their aim was to understand and protect against the vulnerabilities of blockchain systems, and the technologies they host. They also wanted this intelligence to be shared with other local experts and the global research community, in order to make the systems that are currently in play – or will be in the future – more secure. From SnT, this project has been worked on within the SEDAN research group by doctoral researcher Christof Ferreira Torres under the supervision of Prof. Radu State, with co-advisors from Spuerkeess including Dr. Jean Hilger and Christophe Medinger.

Millions Lost Through Scams

In one strand of their research, the team made the discovery of a technique used by fraudsters to exploit a loophole in Ethereum. This frontrunning technique sees a user exploiting the insider information of future activity to make money on transactions – to enable them to buy low and sell high. Of course, this technique doesn’t involve someone actually looking into the future, but takes advantage of the visible ledger of transactions available on Ethereum. The highly transparent nature of the blockchain allows sophisticated, IT-enabled scammers to see when there is a pending large transaction. Since these cryptocurrencies behave in a similar way to a stock market, a large transaction will usually be associated with an increase in price of a share. The users take this information to predict likely changes in the market prices of cryptocurrencies. It’s this technique that allows them the ability to buy low and sell high, in the expectation that once the larger transaction has been processed there will be an upward market movement.

“We carried out large-scale analysis of historic transactions on the Ethereum blockchain, and identified almost 200,000 frontrunning attacks,” Ferreira Torres said. “This included an individual who managed to gain almost $700,000 for an outlay of just $20,000!” he continued. “We were the first to show how frontrunning is being done and just how much profit is being made,” said Prof. State, head of SEDAN research group. He also noted that while, at this time, the practice is unethical, it’s not illegal – since cryptocurrencies are unregulated. To target this problem, the team are investigating ways in which frontrunning activity can be detected, in order to develop a tool to prevent it.

Wider Implications of Blockchain Technology

As previously noted, this breakthrough was just one strand of the research project with Spuerkeess, with the team exploring the wider implications of blockchain, including increasingly popular smart contracts. These are essentially self-executing programs stored on a blockchain that run once certain pre-determined conditions have been met. When implemented correctly, smart contracts have the capability to streamline so many industries, and even cut out the costs of hiring middlemen. But they have one big drawback – they’re irreversible. Although this makes them impervious to manipulation, it also means that if a bug is undetected in the coding, there’s no way to fix it.

This research has led them to focus on how integer overflows can expose weaknesses in smart contracts. Since smart contracts are just like computer programs, they also have a limit on possible integer values – but what would happen if the value gets pushed beyond this point? In 1985, it was hypothesised that at the turn of the millennium, computer systems may be unable to distinguish the correct date and could cause computer failures that would bring worldwide infrastructures to a standstill. The so-called ‘Y2K panic’ is an example of an integer overflow. They pose a problem in smart contracts because it could mean users end up with more, or less, tokens than they were originally supposed to receive – all because of a bug in the program. After this has happened, there would be no way to rectify the situation as the contracts are final. The team’s research in this area has led to the development of a tool that can detect when an integer overflow manifests itself, so that it can be resolved.

Over the last three years, this partner project’s ultimate goal has been to increase awareness and knowledge both locally and globally about the wider implications of using blockchains and distributed technologies. “We investigate and show our findings first to Spuerkeess. We then subsequently publish the information in academic journals as well as top ranked academic conferences, and make the information available to the global business and research community,” said Ferreira Torres. All the software tools they have developed are available on an open-source basis, meaning they’re available for anyone to download and utilise. With just a few months left on the project, the focus of this time will be on building a solution that automatically patches vulnerabilities in a smart contract, thereby removing the burden from the developer.