区块链资产窃取攻击与防御技术综述

doi:10.11959/j.issn.2096-109x.2023001

摘要/Abstract

摘要：

自中本聪提出比特币以来，区块链技术得到了跨越式发展，特别是在数字资产转移及电子货币支付方面。以太坊引入智能合约代码，使其具备了同步及保存智能合约程序执行状态，自动执行交易条件并消除对中介机构需求，Web3.0 开发者可利用以太坊提供的通用可编程区块链平台构建更加强大的去中心化应用。公链系统具备的特点，如无须中央节点控制、通过智能合约保障交互数据公开透明、用户数据由用户个人控制等，使得它在区块链技术发展的过程中吸引了更多的用户关注。然而，随着区块链技术的普及和应用，越来越多的用户将自己的数字资产存储在区块链上。由于缺少权威机构的监管及治理，以太坊等公链系统正逐步成为黑客窃取数字资产的媒介。黑客利用区块链实施诈骗及钓鱼攻击，盗取用户所持有的数字资产来获取利益。帮助读者建立区块链资产安全的概念，从源头防范利用区块链实施的资产窃取攻击。通过整理总结黑客利用区块链环境实施的资产窃取攻击方案，抽象并归纳威胁模型的研究方法，有效研究了各类攻击的特征及实施场景。通过深入分析典型攻击方法，比较不同攻击的优缺点，回答了攻击能够成功实施的根本原因。在防御技术方面，针对性结合攻击案例及攻击实施场景介绍了钓鱼检测、代币授权检测、代币锁定、去中心化代币所属权仲裁、智能合约漏洞检测、资产隔离、供应链攻击检测、签名数据合法性检测等防御方案。对于每一类防御方案，给出其实施的基本流程及方案，明确了各防护方案能够在哪类攻击场景下为用户资产安全提供防护。

关键词: 区块链, 钓鱼攻击, 诈骗攻击, 智能合约安全

Abstract:

Since Satoshi Nakamoto’s introduction of Bitcoin as a peer-to-peer electronic cash system, blockchain technology has been developing rapidly especially in the fields of digital assets transferring and electronic currency payments.Ethereum introduced smart contract code, giving it the ability to synchronize and preserve the execution status of smart contract programs, automatically execute transaction conditions and eliminate the need for intermediaries.Web3.0 developers can use Ethereum’s general-purpose programmable blockchain platform to build more powerful decentralized applications.Ethereum’s characteristics, such as central-less control, public and transparent interaction data guaranteed by smart contracts, and user-controlled data, have attracted more attentions.With the popularization and application of blockchain technology, more and more users are storing their digital assets on the blockchain.Due to the lack of regulatory and governance authority, public chain systems such as Ethereum are gradually becoming a medium for hackers to steal digital assets.Generally, fraud and phishing attacks are committed using blockchain to steal digital assets held by blockchain users.This article aims to help readers develop the concept of blockchain asset security and prevent asset theft attacks implemented using blockchain at the source.The characteristics and implementation scenarios of various attacks were effectively studied by summarizing the asset theft attack schemes that hackers use in the blockchain environment and abstracting research methods for threat models.Through an in-depth analysis of typical attack methods, the advantages and disadvantages of different attacks were compared, and the fundamental reasons why attackers can successfully implement attacks were analyzed.In terms of defense technology, defense schemes were introduced such as targeted phishing detection, token authorization detection, token locking, decentralized token ownership arbitration, smart contract vulnerability detection, asset isolation, supply chain attack detection, and signature data legitimacy detection, which combine attack cases and implementation scenarios.The primary process and plans for implementation of each type of defense plan were also given.And then it is clear which protective measures can protect user assets in different attack scenarios.

Key words: blockchain, phishing attack, fraud attack, smart contract security

中图分类号:

TP393

余北缘, 任珊瑶, 刘建伟. 区块链资产窃取攻击与防御技术综述[J]. 网络与信息安全学报, 2023, 9(1): 1-17.

Beiyuan YU, Shanyao REN, Jianwei LIU. Overview of blockchain assets theft attacks and defense technology[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 1-17.

图/表 22

图1

图2

表1

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

图13

图14

表2

图15

图16

图17

图18

图19

图20

参考文献 77

[1]	VITALIK B . A next-generation smart contract and decentralized application platform[R]. 2014.
[2]	ZETZSCHE D A , ARNER D W , BUCKLEY R P . Decentralized finance[J]. Journal of Financial Regulation, 2020,6(2): 172-203.
[3]	WANG Q , LI R , WANG Q ,et al. Non-fungible token (NFT):Overview,evaluation,opportunities and challenges[J]. arXiv preprint arXiv:2105.07447. 2021.
[4]	BONNEAU J , MILLER A , CLARK J ,et al. SoK:research perspectives and challenges for bitcoin and cryptocurrencies[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 104-121.
[5]	REBECCA , YANG . Public and private blockchain in construction business process and information integration[J]. Automation in Construction, 2020,118:103276.
[6]	ANDOLA N , RAGHAV , YADAV V K ,et al. Anonymity on blockchain based e-cash protocols—A survey[J]. Computer Science Review, 2021,40:100394.
[7]	MUKHOPADHYAY U , SKJELLUM A , HAMBOLU O ,et al. A brief survey of cryptocurrency systems[C]// Proceedings of 2016 14th Annual Conference on Privacy,Security and Trust (PST). 2017: 745-752.
[8]	HIGBEE A . The role of crypto-currency in cybercrime[J]. Computer Fraud ＆ Security, 2018(7): 13-15.
[9]	REDDY E , MINNAAR A . Cryptocurrency:a tool and target for cybercrime[J]. Acta Criminologica:African Journal of Criminology＆ Victimology, 2018,31(3): 71-92.
[10]	CHENG Z , HOU X , LI R ,et al. Towards a first step to understand the cryptocurrency stealing attack on Ethereum[C]// 22nd International Symposium on Research in Attacks,Intrusions and Defenses (RAID 2019). 2019: 47-60.
[11]	DINGLEDINE R , MATHEWSON N , SYVERSON P . Tor:the second-generation onion router[R]. Naval Research Lab. 2004.
[12]	ENTRIKEN W , SHIRLEY D , EVANS ,et al. Eip-721:Erc-721 non-fungible token standard[S]. Ethereum Improvement Proposals, 2018.
[13]	RADOMSKI W , COOKE A , CASTONGUAY P ,et al. Eip 1155:Erc-1155 multi token standard[S]. Ethereum, 2018.
[14]	ANDRYUKHIN A A , . Phishing attacks and preventions in blockchain based projects[C]// Proceedings of 2019 International Conference on Engineering Technologies and Computer Science (EnT). 2019: 15-19.
[15]	SALAHDINE F , KAABOUCH N . Social engineering attacks:A survey[J]. Future Internet, 2019,11(4): 89.
[16]	ANDRYUKHIN A A . Methods of protecting decentralized autonomous organizations from crashes and attacks[J]. Proceedings of the Institute for System Programming of the RAS, 2018,30(3): 149-164.
[17]	ATZEI N , BARTOLETTI M , CIMOLI T . A survey of attacks on ethereum smart contracts SoK[C]// Proceedings of the 6th International Conference on Principles of Security and Trust - Volume 10204. 2017: 164-186.
[18]	BHARGAVAN K , DELIGNAT-LAVAUD A , FOURNET C ,et al. Formal verification of smart contracts:Short paper[C]// Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security. 2016: 91-96.
[19]	GURI M , . BeatCoin:leaking private keys from air-gapped cryptocurrency wallets[C]// Proceedings of 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber,Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). 2019: 1308-1316.
[20]	IVANOV N , YAN Q B . EthClipper:a clipboard meddling attack on hardware wallets with address verification evasion[C]// Proceedings of 2021 IEEE Conference on Communications and Network Security (CNS). 2022: 191-199.
[21]	HE D J , LI S H , LI C ,et al. Security analysis of cryptocurrency wallets in android-based applications[J]. IEEE Network, 2020,34(6): 114-119.
[22]	LIN D , WU J J , YUAN Q ,et al. T-EDGE:Temporal weighted MultiDiGraph embedding for ethereum transaction network analysis[J]. Frontiers in Physics, 2020,8:204.
[23]	CHEN W , GUO X , CHEN Z ,et al. Phishing scam detection on ethereum:towards financial security for blockchain ecosystem[C]// IJCAI. 2020: 4506-4512.
[24]	ZHANG D J , CHEN J Y , LU X S . Blockchain phishing scam detection via multi-channel graph classification[C]// International Conference on Blockchain and Trustworthy Systems. 2021: 241-256.
[25]	TSANKOV P , DAN A , DRACHSLER-COHEN D ,et al. Securify:Practical security analysis of smart contracts[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018: 67-82.
[26]	ZHUANG Y , LIU Z G , QIAN P ,et al. Smart contract vulnerability detection using graph neural network[C]// IJCAI. 2020: 3283-3290.
[27]	LIAO J W , TSAI T T , HE C K ,et al. SoliAudit:smart contract vulnerability assessment based on machine learning and fuzz testing[C]// Proceedings of 2019 Sixth International Conference on Internet of Things:Systems,Management and Security (IOTSMS). 2019: 458-465.
[28]	WANG D B , FENG H , WU S W ,et al. Penny wise and pound foolish:quantifying the risk of unlimited approval of ERC20 tokens on ethereum[C]// Proceedings of 25th International Symposium on Research in Attacks,Intrusions and Defenses. 2022: 99-114.
[29]	HE Z Y , LIAO Z , LUO F ,et al. TokenCat:detect flaw of authentication on ERC20 tokens[C]// Proceedings of ICC 2022 - IEEE International Conference on Communications. 2022: 4999-5004.
[30]	CAO Z , ZHEN Y , FAN G ,et al. TokenPatronus:a decentralized NFT anti-theft mechanism[J]. arXiv preprint arXiv:2208.05168.
[31]	WANG K L , WANG Q C , BONEH D . ERC-20R and ERC-721R:reversible transactions on ethereum[J]. arXiv preprint arXiv:2208.00543.
[32]	GUAN L , LIN J Q , LUO B ,et al. Protecting private keys against memory disclosure attacks using hardware transactional memory[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 3-19.
[33]	MALAN D J , . CS50 sandbox:Secure execution of untrusted code[C]// Proceedings of SIGCSE '13:Proceeding of the 44th ACM Technical symposium on Computer science education. 2013: 141-146.
[34]	OHM M , SYKOSCH A , MEIER M . Towards detection of software supply chain attacks by forensic artifacts[C]// Proceedings of the 15th International Conference on Availability,Reliability and Security. 2020: 1-6.
[35]	ZIBIN , ZHENG . An overview on smart contracts:Challenges,advances and platforms[J]. Future Generation Computer Systems, 2020,105: 475-491.
[36]	PEREZ D , LIVSHITS B . Smart contract vulnerabilities:Does anyone care[J]. arXiv preprint arXiv:1902.06710.
[37]	VUJI?I? D , JAGODI? D , RAN?I? S . Blockchain technology,bitcoin,and Ethereum:a brief overview[C]// Proceedings of 2018 17th International Symposium INFOTEH-JAHORINA (INFOTEH). 2018: 1-6.
[38]	LEE W M . Using the MetaMask chrome extension[M]// Beginning Ethereum Smart Contracts Programming. Berkeley,CA: Apress, 2019: 93-126.
[39]	PANDA S K , SATAPATHY S C . An investigation into smart contract deployment on ethereum platform using Web3.js and solidity using blockchain[C]// Data Engineering and Intelligent Computing. 2021: 549-561.
[40]	KHAN A G , ZAHID A H , HUSSAIN M ,et al. Security of cryptocurrency using hardware wallet and QR code[C]// Proceedings of 2019 International Conference on Innovative Computing (ICIC). 2020: 1-10.
[41]	KOBLITZ N , MENEZES A , VANSTONE S . The state of elliptic curve cryptography[J]. Designs,Codes and Cryptography, 2000,19(2/3): 173-193.
[42]	PERCIVAL C , JOSEFSSON S . The scrypt password-based key derivation function (RFC7914)[S]. 2016.
[43]	PRAITHEESHAN P , XIN Y W , PAN L ,et al. Attainable hacks on keystore files in ethereum wallets—A systematic analysis[C]// International Conference on Future Network Systems and Security. 2019: 99-117.
[44]	DASGUPTA D , SHREIN J M , GUPTA K D . A survey of blockchain from security perspective[J]. Journal of Banking and Financial Technology, 2019,3(1): 1-17.
[45]	CAI W , WANG Z H , ERNST J B ,et al. Decentralized applications:the blockchain-empowered software system[J]. IEEE Access, 2018,6: 53019-53033.
[46]	KIM S K , MA Z E , MURALI S ,et al. Measuring ethereum network peers[C]// Proceedings of the Internet Measurement Conference 2018. 2018: 91-104.
[47]	PIERRO G A , ROCHA H . The influence factors on ethereum transaction fees[C]// Proceedings of 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). 2019: 24-31.
[48]	ATHULYA A A , PRAVEEN K . Towards the detection of phishing attacks[C]// Proceedings of 2020 4th International Conference on Trends in Electronics and Informatics (ICOEI)(48184). 2020: 337-343.
[49]	GABRILOVICH E , GONTMAKHER A . The homograph attack[J]. Communications of the ACM, 2002,45(2): 128.
[50]	YU B Y , LI P , LIU J W ,et al. Advanced analysis of email sender spoofing attack and related security problems[C]// Proceedings of 2022 IEEE 9th International Conference on Cyber Security and Cloud Computing (CSCloud)/2022 IEEE 8th International Conference on Edge Computing and Scalable Cloud (EdgeCom). 2022: 80-85.
[51]	SALAHDINE F , KAABOUCH N . Social engineering attacks:A survey[J]. Future Internet, 2019,11(4): 89.
[52]	LI A , LONG F . Detecting standard violation errors in smart contracts[J]. arXiv preprint arXiv:1812.07702. 2018.
[53]	MEHAR M I , SHIER C L , GIAMBATTISTA A ,et al. Understanding a revolutionary and flawed grand experiment in blockchain[J]. Journal of Cases on Information Technology, 2019,21(1): 19-32.
[54]	Oxford Analytica. Binance breach underlines risks for crypto ecosystem[R]. Emerald Expert Briefings, 2022.
[55]	ABDELLATIF T , BROUSMICHE K L . Formal verification of smart contracts based on users and blockchain behaviors models[C]// Proceedings of 2018 9th IFIP International Conference on New Technologies,Mobility and Security (NTMS). 2018: 1-5.
[56]	ROZARIO A M , THOMAS C . Reengineering the audit with blockchain and smart contracts[J]. Journal of Emerging Technologies in Accounting, 2019,16(1): 21-35.
[57]	OHM M , PLATE H , SYKOSCH A ,et al. Backstabber’s knife collection:A review of open source software supply chain attacks[C]// International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment. 2020: 23-43.
[58]	ROBINSON A , CORCORAN C , WALDO J . New risks in ransomware:supply chain attacks and cryptocurrency[J]. Science,Technology,and Public Policy Program Reports. 2022.
[59]	ARAPINIS M , GKANIATSOU A , KARAKOSTAS D ,et al. A formal treatment of hardware wallets[C]// International Conference on Financial Cryptography and Data Security. 2019: 426-445.
[60]	ZAHAN N , ZIMMERMANN T , GODEFROID P ,et al. What are weak links in the npm supply chain[C]// Proceedings of 2022 IEEE/ACM 44th International Conference on Software Engineering:Software Engineering in Practice (ICSE-SEIP). 2022: 331-340.
[61]	MELI M , MCNIECE M R , REAVES B . How bad can it git? characterizing secret leakage in public github repositories[C]//NDSS.
[62]	GUTOSKI G , STEBILA D . Hierarchical deterministic bitcoin wallets that tolerate key leakage[C]// International Conference on Financial Cryptography and Data Security. 2015: 497-504.
[63]	RAHIM R , NURDIYANTO H , SALEH A A ,et al. Keylogger application to monitoring users activity with exact string matching algorithm[J]. Journal of Physics:Conference Series, 2018,954:012008.
[64]	BLOCKI J , HARSHA B , ZHOU S . On the economics of offline password cracking[C]// Proceedings of 2018 IEEE Symposium on Security and Privacy (SP). 2018: 853-871.
[65]	WANG D , CHENG H B , WANG P ,et al. Zipf’s law in passwords[J]. IEEE Transactions on Information Forensics and Security, 2017,12(11): 2776-2791.
[66]	ZHANG X , DU W L . Attacks on Android clipboard[C]// International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment. 2014: 72-91.
[67]	LI Y J , LI H W , LV Z Z ,et al. Deterrence of intelligent DDoS via multi-hop traffic divergence[C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 2021: 923-939.
[68]	DO XUAN C , DAO M H . A novel approach for APT attack detection based on combined deep learning model[J]. Neural Computing and Applications, 2021,33(20): 13251-13264.
[69]	POINTCHEVAL D , STERN J . Provably secure blind signature schemes[M]// Lecture Notes in Computer Science. 1996: 252-265.
[70]	BASIT A , ZAFAR M , LIU X ,et al. A comprehensive survey of AI-enabled phishing attacks detection techniques[J]. Telecommunication Systems, 2021,76(1): 139-154.
[71]	MAO J , BIAN J D , TIAN W Q ,et al. Phishing page detection via learning classifiers from page layout feature[J]. EURASIP Journal on Wireless Communications and Networking, 2019(1): 43.
[72]	CHEN Y H , CHEN J L . AI@ntiPhish—Machine learning mechanisms for cyber-phishing attack[J]. IEICE Transactions on Information and Systems, 2019,E102.D(5): 878-887.
[73]	ANSARI K H , KULKARNI U . Implementation of ethereum request for comment (ERC20) Token[C]// Proceedings of the 3rd International Conference on Advances in Science ＆ Technology (ICAST). 2020.
[74]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv preprint arXiv:1609.02907. 2016.
[75]	GILAD Y , HERZBERG A , SHULMAN H . Off-path hacking:The illusion of challenge-response authentication[C]// Proceedings of IEEE Security ＆ Privacy. 2013: 68-77.
[76]	SEOL J , JIN S , LEE D ,et al. A trusted IaaS environment with hardware security module[J]. IEEE Transactions on Services Computing, 2016,9(3): 343-356.
[77]	VU D L , PASHCHENKO I , MASSACCI F ,et al. Towards using source code repositories to identify software supply chain attacks[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 2093-2095.

ERC标准	方法名	方法作用	EVM编码
ERC20	approve	授权第三方账户使用指定额度的代币	0x095ea7b3
ERC721	approve	授权第三方账户使用指定编号的代币	0x095ea7b3
ERC721	setApprovalForAll	授权第三方账户使用持有的所有合约代币	0xa22cb465
ERC1155	setApprovalForAll	授权第三方账户使用持有的所有合约代币	0xa22cb465

安全威胁	隐蔽性	成功率	收益成本比率	实施难度
仿冒钓鱼	低	低	低	低
代币恶意授权	中	中	中	中
智能合约漏洞	高	高	高	高
供应链	高	高	高	高
私钥泄露	高	中	中	低
远程控制	中	中	中	中
盲签名	高	中	高	低