区块链资产窃取攻击与防御技术综述

doi:10.11959/j.issn.2096-109x.2023001

Abstract

Abstract:

Since Satoshi Nakamoto’s introduction of Bitcoin as a peer-to-peer electronic cash system, blockchain technology has been developing rapidly especially in the fields of digital assets transferring and electronic currency payments.Ethereum introduced smart contract code, giving it the ability to synchronize and preserve the execution status of smart contract programs, automatically execute transaction conditions and eliminate the need for intermediaries.Web3.0 developers can use Ethereum’s general-purpose programmable blockchain platform to build more powerful decentralized applications.Ethereum’s characteristics, such as central-less control, public and transparent interaction data guaranteed by smart contracts, and user-controlled data, have attracted more attentions.With the popularization and application of blockchain technology, more and more users are storing their digital assets on the blockchain.Due to the lack of regulatory and governance authority, public chain systems such as Ethereum are gradually becoming a medium for hackers to steal digital assets.Generally, fraud and phishing attacks are committed using blockchain to steal digital assets held by blockchain users.This article aims to help readers develop the concept of blockchain asset security and prevent asset theft attacks implemented using blockchain at the source.The characteristics and implementation scenarios of various attacks were effectively studied by summarizing the asset theft attack schemes that hackers use in the blockchain environment and abstracting research methods for threat models.Through an in-depth analysis of typical attack methods, the advantages and disadvantages of different attacks were compared, and the fundamental reasons why attackers can successfully implement attacks were analyzed.In terms of defense technology, defense schemes were introduced such as targeted phishing detection, token authorization detection, token locking, decentralized token ownership arbitration, smart contract vulnerability detection, asset isolation, supply chain attack detection, and signature data legitimacy detection, which combine attack cases and implementation scenarios.The primary process and plans for implementation of each type of defense plan were also given.And then it is clear which protective measures can protect user assets in different attack scenarios.

Key words: blockchain, phishing attack, fraud attack, smart contract security

CLC Number:

TP393

Beiyuan YU, Shanyao REN, Jianwei LIU. Overview of blockchain assets theft attacks and defense technology[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 1-17.

Figures/Tables 22

References 77

[1]	VITALIK B . A next-generation smart contract and decentralized application platform[R]. 2014.
[2]	ZETZSCHE D A , ARNER D W , BUCKLEY R P . Decentralized finance[J]. Journal of Financial Regulation, 2020,6(2): 172-203.
[3]	WANG Q , LI R , WANG Q ,et al. Non-fungible token (NFT):Overview,evaluation,opportunities and challenges[J]. arXiv preprint arXiv:2105.07447. 2021.
[4]	BONNEAU J , MILLER A , CLARK J ,et al. SoK:research perspectives and challenges for bitcoin and cryptocurrencies[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 104-121.
[5]	REBECCA , YANG . Public and private blockchain in construction business process and information integration[J]. Automation in Construction, 2020,118:103276.
[6]	ANDOLA N , RAGHAV , YADAV V K ,et al. Anonymity on blockchain based e-cash protocols—A survey[J]. Computer Science Review, 2021,40:100394.
[7]	MUKHOPADHYAY U , SKJELLUM A , HAMBOLU O ,et al. A brief survey of cryptocurrency systems[C]// Proceedings of 2016 14th Annual Conference on Privacy,Security and Trust (PST). 2017: 745-752.
[8]	HIGBEE A . The role of crypto-currency in cybercrime[J]. Computer Fraud ＆ Security, 2018(7): 13-15.
[9]	REDDY E , MINNAAR A . Cryptocurrency:a tool and target for cybercrime[J]. Acta Criminologica:African Journal of Criminology＆ Victimology, 2018,31(3): 71-92.
[10]	CHENG Z , HOU X , LI R ,et al. Towards a first step to understand the cryptocurrency stealing attack on Ethereum[C]// 22nd International Symposium on Research in Attacks,Intrusions and Defenses (RAID 2019). 2019: 47-60.
[11]	DINGLEDINE R , MATHEWSON N , SYVERSON P . Tor:the second-generation onion router[R]. Naval Research Lab. 2004.
[12]	ENTRIKEN W , SHIRLEY D , EVANS ,et al. Eip-721:Erc-721 non-fungible token standard[S]. Ethereum Improvement Proposals, 2018.
[13]	RADOMSKI W , COOKE A , CASTONGUAY P ,et al. Eip 1155:Erc-1155 multi token standard[S]. Ethereum, 2018.
[14]	ANDRYUKHIN A A , . Phishing attacks and preventions in blockchain based projects[C]// Proceedings of 2019 International Conference on Engineering Technologies and Computer Science (EnT). 2019: 15-19.
[15]	SALAHDINE F , KAABOUCH N . Social engineering attacks:A survey[J]. Future Internet, 2019,11(4): 89.
[16]	ANDRYUKHIN A A . Methods of protecting decentralized autonomous organizations from crashes and attacks[J]. Proceedings of the Institute for System Programming of the RAS, 2018,30(3): 149-164.
[17]	ATZEI N , BARTOLETTI M , CIMOLI T . A survey of attacks on ethereum smart contracts SoK[C]// Proceedings of the 6th International Conference on Principles of Security and Trust - Volume 10204. 2017: 164-186.
[18]	BHARGAVAN K , DELIGNAT-LAVAUD A , FOURNET C ,et al. Formal verification of smart contracts:Short paper[C]// Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security. 2016: 91-96.
[19]	GURI M , . BeatCoin:leaking private keys from air-gapped cryptocurrency wallets[C]// Proceedings of 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber,Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). 2019: 1308-1316.
[20]	IVANOV N , YAN Q B . EthClipper:a clipboard meddling attack on hardware wallets with address verification evasion[C]// Proceedings of 2021 IEEE Conference on Communications and Network Security (CNS). 2022: 191-199.
[21]	HE D J , LI S H , LI C ,et al. Security analysis of cryptocurrency wallets in android-based applications[J]. IEEE Network, 2020,34(6): 114-119.
[22]	LIN D , WU J J , YUAN Q ,et al. T-EDGE:Temporal weighted MultiDiGraph embedding for ethereum transaction network analysis[J]. Frontiers in Physics, 2020,8:204.
[23]	CHEN W , GUO X , CHEN Z ,et al. Phishing scam detection on ethereum:towards financial security for blockchain ecosystem[C]// IJCAI. 2020: 4506-4512.
[24]	ZHANG D J , CHEN J Y , LU X S . Blockchain phishing scam detection via multi-channel graph classification[C]// International Conference on Blockchain and Trustworthy Systems. 2021: 241-256.
[25]	TSANKOV P , DAN A , DRACHSLER-COHEN D ,et al. Securify:Practical security analysis of smart contracts[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018: 67-82.
[26]	ZHUANG Y , LIU Z G , QIAN P ,et al. Smart contract vulnerability detection using graph neural network[C]// IJCAI. 2020: 3283-3290.
[27]	LIAO J W , TSAI T T , HE C K ,et al. SoliAudit:smart contract vulnerability assessment based on machine learning and fuzz testing[C]// Proceedings of 2019 Sixth International Conference on Internet of Things:Systems,Management and Security (IOTSMS). 2019: 458-465.
[28]	WANG D B , FENG H , WU S W ,et al. Penny wise and pound foolish:quantifying the risk of unlimited approval of ERC20 tokens on ethereum[C]// Proceedings of 25th International Symposium on Research in Attacks,Intrusions and Defenses. 2022: 99-114.
[29]	HE Z Y , LIAO Z , LUO F ,et al. TokenCat:detect flaw of authentication on ERC20 tokens[C]// Proceedings of ICC 2022 - IEEE International Conference on Communications. 2022: 4999-5004.
[30]	CAO Z , ZHEN Y , FAN G ,et al. TokenPatronus:a decentralized NFT anti-theft mechanism[J]. arXiv preprint arXiv:2208.05168.
[31]	WANG K L , WANG Q C , BONEH D . ERC-20R and ERC-721R:reversible transactions on ethereum[J]. arXiv preprint arXiv:2208.00543.
[32]	GUAN L , LIN J Q , LUO B ,et al. Protecting private keys against memory disclosure attacks using hardware transactional memory[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 3-19.
[33]	MALAN D J , . CS50 sandbox:Secure execution of untrusted code[C]// Proceedings of SIGCSE '13:Proceeding of the 44th ACM Technical symposium on Computer science education. 2013: 141-146.
[34]	OHM M , SYKOSCH A , MEIER M . Towards detection of software supply chain attacks by forensic artifacts[C]// Proceedings of the 15th International Conference on Availability,Reliability and Security. 2020: 1-6.
[35]	ZIBIN , ZHENG . An overview on smart contracts:Challenges,advances and platforms[J]. Future Generation Computer Systems, 2020,105: 475-491.
[36]	PEREZ D , LIVSHITS B . Smart contract vulnerabilities:Does anyone care[J]. arXiv preprint arXiv:1902.06710.
[37]	VUJI?I? D , JAGODI? D , RAN?I? S . Blockchain technology,bitcoin,and Ethereum:a brief overview[C]// Proceedings of 2018 17th International Symposium INFOTEH-JAHORINA (INFOTEH). 2018: 1-6.
[38]	LEE W M . Using the MetaMask chrome extension[M]// Beginning Ethereum Smart Contracts Programming. Berkeley,CA: Apress, 2019: 93-126.
[39]	PANDA S K , SATAPATHY S C . An investigation into smart contract deployment on ethereum platform using Web3.js and solidity using blockchain[C]// Data Engineering and Intelligent Computing. 2021: 549-561.
[40]	KHAN A G , ZAHID A H , HUSSAIN M ,et al. Security of cryptocurrency using hardware wallet and QR code[C]// Proceedings of 2019 International Conference on Innovative Computing (ICIC). 2020: 1-10.
[41]	KOBLITZ N , MENEZES A , VANSTONE S . The state of elliptic curve cryptography[J]. Designs,Codes and Cryptography, 2000,19(2/3): 173-193.
[42]	PERCIVAL C , JOSEFSSON S . The scrypt password-based key derivation function (RFC7914)[S]. 2016.
[43]	PRAITHEESHAN P , XIN Y W , PAN L ,et al. Attainable hacks on keystore files in ethereum wallets—A systematic analysis[C]// International Conference on Future Network Systems and Security. 2019: 99-117.
[44]	DASGUPTA D , SHREIN J M , GUPTA K D . A survey of blockchain from security perspective[J]. Journal of Banking and Financial Technology, 2019,3(1): 1-17.
[45]	CAI W , WANG Z H , ERNST J B ,et al. Decentralized applications:the blockchain-empowered software system[J]. IEEE Access, 2018,6: 53019-53033.
[46]	KIM S K , MA Z E , MURALI S ,et al. Measuring ethereum network peers[C]// Proceedings of the Internet Measurement Conference 2018. 2018: 91-104.
[47]	PIERRO G A , ROCHA H . The influence factors on ethereum transaction fees[C]// Proceedings of 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). 2019: 24-31.
[48]	ATHULYA A A , PRAVEEN K . Towards the detection of phishing attacks[C]// Proceedings of 2020 4th International Conference on Trends in Electronics and Informatics (ICOEI)(48184). 2020: 337-343.
[49]	GABRILOVICH E , GONTMAKHER A . The homograph attack[J]. Communications of the ACM, 2002,45(2): 128.
[50]	YU B Y , LI P , LIU J W ,et al. Advanced analysis of email sender spoofing attack and related security problems[C]// Proceedings of 2022 IEEE 9th International Conference on Cyber Security and Cloud Computing (CSCloud)/2022 IEEE 8th International Conference on Edge Computing and Scalable Cloud (EdgeCom). 2022: 80-85.
[51]	SALAHDINE F , KAABOUCH N . Social engineering attacks:A survey[J]. Future Internet, 2019,11(4): 89.
[52]	LI A , LONG F . Detecting standard violation errors in smart contracts[J]. arXiv preprint arXiv:1812.07702. 2018.
[53]	MEHAR M I , SHIER C L , GIAMBATTISTA A ,et al. Understanding a revolutionary and flawed grand experiment in blockchain[J]. Journal of Cases on Information Technology, 2019,21(1): 19-32.
[54]	Oxford Analytica. Binance breach underlines risks for crypto ecosystem[R]. Emerald Expert Briefings, 2022.
[55]	ABDELLATIF T , BROUSMICHE K L . Formal verification of smart contracts based on users and blockchain behaviors models[C]// Proceedings of 2018 9th IFIP International Conference on New Technologies,Mobility and Security (NTMS). 2018: 1-5.
[56]	ROZARIO A M , THOMAS C . Reengineering the audit with blockchain and smart contracts[J]. Journal of Emerging Technologies in Accounting, 2019,16(1): 21-35.
[57]	OHM M , PLATE H , SYKOSCH A ,et al. Backstabber’s knife collection:A review of open source software supply chain attacks[C]// International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment. 2020: 23-43.
[58]	ROBINSON A , CORCORAN C , WALDO J . New risks in ransomware:supply chain attacks and cryptocurrency[J]. Science,Technology,and Public Policy Program Reports. 2022.
[59]	ARAPINIS M , GKANIATSOU A , KARAKOSTAS D ,et al. A formal treatment of hardware wallets[C]// International Conference on Financial Cryptography and Data Security. 2019: 426-445.
[60]	ZAHAN N , ZIMMERMANN T , GODEFROID P ,et al. What are weak links in the npm supply chain[C]// Proceedings of 2022 IEEE/ACM 44th International Conference on Software Engineering:Software Engineering in Practice (ICSE-SEIP). 2022: 331-340.
[61]	MELI M , MCNIECE M R , REAVES B . How bad can it git? characterizing secret leakage in public github repositories[C]//NDSS.
[62]	GUTOSKI G , STEBILA D . Hierarchical deterministic bitcoin wallets that tolerate key leakage[C]// International Conference on Financial Cryptography and Data Security. 2015: 497-504.
[63]	RAHIM R , NURDIYANTO H , SALEH A A ,et al. Keylogger application to monitoring users activity with exact string matching algorithm[J]. Journal of Physics:Conference Series, 2018,954:012008.
[64]	BLOCKI J , HARSHA B , ZHOU S . On the economics of offline password cracking[C]// Proceedings of 2018 IEEE Symposium on Security and Privacy (SP). 2018: 853-871.
[65]	WANG D , CHENG H B , WANG P ,et al. Zipf’s law in passwords[J]. IEEE Transactions on Information Forensics and Security, 2017,12(11): 2776-2791.
[66]	ZHANG X , DU W L . Attacks on Android clipboard[C]// International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment. 2014: 72-91.
[67]	LI Y J , LI H W , LV Z Z ,et al. Deterrence of intelligent DDoS via multi-hop traffic divergence[C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 2021: 923-939.
[68]	DO XUAN C , DAO M H . A novel approach for APT attack detection based on combined deep learning model[J]. Neural Computing and Applications, 2021,33(20): 13251-13264.
[69]	POINTCHEVAL D , STERN J . Provably secure blind signature schemes[M]// Lecture Notes in Computer Science. 1996: 252-265.
[70]	BASIT A , ZAFAR M , LIU X ,et al. A comprehensive survey of AI-enabled phishing attacks detection techniques[J]. Telecommunication Systems, 2021,76(1): 139-154.
[71]	MAO J , BIAN J D , TIAN W Q ,et al. Phishing page detection via learning classifiers from page layout feature[J]. EURASIP Journal on Wireless Communications and Networking, 2019(1): 43.
[72]	CHEN Y H , CHEN J L . AI@ntiPhish—Machine learning mechanisms for cyber-phishing attack[J]. IEICE Transactions on Information and Systems, 2019,E102.D(5): 878-887.
[73]	ANSARI K H , KULKARNI U . Implementation of ethereum request for comment (ERC20) Token[C]// Proceedings of the 3rd International Conference on Advances in Science ＆ Technology (ICAST). 2020.
[74]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv preprint arXiv:1609.02907. 2016.
[75]	GILAD Y , HERZBERG A , SHULMAN H . Off-path hacking:The illusion of challenge-response authentication[C]// Proceedings of IEEE Security ＆ Privacy. 2013: 68-77.
[76]	SEOL J , JIN S , LEE D ,et al. A trusted IaaS environment with hardware security module[J]. IEEE Transactions on Services Computing, 2016,9(3): 343-356.
[77]	VU D L , PASHCHENKO I , MASSACCI F ,et al. Towards using source code repositories to identify software supply chain attacks[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 2093-2095.

Metrics

Recommended 0

No Suggested Reading articles found!

ERC标准	方法名	方法作用	EVM编码
ERC20	approve	授权第三方账户使用指定额度的代币	0x095ea7b3
ERC721	approve	授权第三方账户使用指定编号的代币	0x095ea7b3
ERC721	setApprovalForAll	授权第三方账户使用持有的所有合约代币	0xa22cb465
ERC1155	setApprovalForAll	授权第三方账户使用持有的所有合约代币	0xa22cb465

安全威胁	隐蔽性	成功率	收益成本比率	实施难度
仿冒钓鱼	低	低	低	低
代币恶意授权	中	中	中	中
智能合约漏洞	高	高	高	高
供应链	高	高	高	高
私钥泄露	高	中	中	低
远程控制	中	中	中	中
盲签名	高	中	高	低

Overview of blockchain assets theft attacks and defense technology

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 22

References 77

Related Articles 15

Metrics

Recommended 0

[1]	Zhao CAI, Tao JING, Shuang REN. Survey on Ethereum phishing detection technology [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 21-32.
[2]	Heli WANG, Qiao YAN. Selfish mining detection scheme based on the characters of transactions [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 104-114.
[3]	Fei TANG, Ning GAN, Xianggui YANG, Jinyang WANG. Anti malicious KGC certificateless signature scheme based on blockchain and domestic cryptographic SM9 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 9-19.
[4]	Dan LIN, Kaixin LIN, Jiajing WU, Zibin ZHENG. Bytecode-based approach for Ethereum smart contract classification [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 111-120.
[5]	Liquan CHEN, Xiao LI, Zheyi YANG, Sijie QIAN. Blockchain-based high transparent PKI authentication protocol [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 1-11.
[6]	Wenbo ZHANG, Simin CHEN, Lifei WEI, Wei SONG, Dongmei HUANG. State-of-the-art survey of smart contract verification based on formal methods [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 12-28.
[7]	Feng LIU, Jie YANG, Jiayin QI. Survey on blockchain privacy protection techniques in cryptography [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 29-44.
[8]	Xiaoling SONG, Yong LIU, Jingnan DONG, Yongfei HUANG. Application and prospect of blockchain in Metaverse [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 45-65.
[9]	Lin JIN, Youliang TIAN. Multi-authority attribute hidden for electronic medical record sharing scheme based on blockchain [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 66-76.
[10]	Pengkun JIANG, Wenyin ZHANG, Jiuru WANG, Shanyun HUANG, Wanshui SONG. Blockchain covert communication scheme based on the cover of normal transactions [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 77-86.
[11]	Jianlin NIU, Zhiyu REN, Xuehui DU. Cross-domain authentication scheme based on consortium blockchain [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 123-133.
[12]	Baoqin ZHAI, Jian WANG, Lei HAN, Jiqiang LIU, Jiahao HE, Tianhao LIU. Hierarchical proxy consensus optimization for IoV based on blockchain and trust value [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 142-153.
[13]	Jiaren YU, Youliang TIAN, Hui LIN. Design of miner type identification mechanism based on reputation management model [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 128-138.
[14]	Zhensheng GAO, Lifeng CAO, Xuehui DU. Research progress of access control based on blockchain [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 68-87.
[15]	Guanqun YANG, Yin LIU, Hao XU, Hongwei XING, Jianhui ZHANG, Entang LI. Credible distributed identity authentication system of microgrid based on blockchain [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 88-98.