As the first blockchain platform to support Turing-complete smart contracts, Ethereum has become one of the most widely used public blockchain infrastructures in the world. More and more users choose this platform to send cryptocurrency or to build decentralized applications on smart contracts. However, although the blockchain technology itself is strong on security, the Ethereum ecosystem as a whole has multiple weaknesses, which have resulted in countless cryptocurrency stealing incidents. Among these components, the Ethereum client is the foundation of the Ethereum network, and it carries many design flaws and security risks that have directly enabled cryptocurrency stealing attacks against Ethereum for several years. In particular, if a user starts the Ethereum Remote Procedure Call (RPC) service without configuring access controls, an attacker can manipulate the client remotely.

To this end, we performed a systematic study of cryptocurrency stealing attacks on Ethereum. Specifically, we first designed and implemented a honeypot that captures real attacks stealing cryptocurrencies in the wild. We then deployed the honeypot and report the results of the data collected over 14 months. In total, our system captured more than 380 million RPC requests from about 1,700 distinct IP addresses. By analyzing the captured sample data, we further grouped the attacks into 47 groups using 95 distinct Ethereum accounts, and detected seven attack methods in two categories. The first category steals cryptocurrency directly from the target client, including passively waiting for an account to be unlocked, actively cracking accounts, phishing by importing malicious accounts, and harvesting mining rewards by modifying the coinbase. Among them, passively waiting for account unlocking is the primary attack method, and we further summarize five optimization techniques used by attackers. The second category uses the target client to steal from other accounts, including stealing Ether from accounts whose private keys have been compromised, stealing ERC20 tokens based on "zero gas transactions," and exploiting the airdrop mechanism. All of the above cryptocurrency stealing attacks can be divided into three steps: probing potential victims, preparing attack parameters, and launching the attack. Finally, we use Ethereum's public transaction data to track attackers, calculate the losses caused by these attacks, and identify new attacker accounts outside the sample data. Specifically, based on Ethereum's 1.29 billion transaction records, taint analysis and attack-signature detection reported a total of 114 attacker-controlled account addresses. About 15 thousand transactions stealing more than 57 thousand Ether and about 130 thousand "zero gas transactions" stealing ERC20 tokens were detected.

This paper is the first systematic study of cryptocurrency stealing attacks on Ethereum. Furthermore, the system designed and implemented in this paper has effectively captured attacker accounts and revealed multiple new attack methods. The results show that the developers of the Ethereum community should pay more attention to the security problems of the client and should not place too much of the security burden on users. At the same time, users should fully understand the security issues in Ethereum and improve their systems' protection through both technical and management measures. The results of this paper have been published at the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019).
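The abstract describes a honeypot that records RPC requests and groups them into attack methods and into the three stages (probing, preparing parameters, launching). The following Python is an added example written for this page, not code from the paper's honeypot: it parses a constructed log of JSON-RPC requests, maps well-known geth method names (`eth_accounts`, `personal_unlockAccount`, `personal_importRawKey`, `miner_setEtherbase`, `eth_sendTransaction`, and so on) onto those stages and attack methods, flags the zero-gas-price signature of the ERC20 theft, and separates high-volume `eth_sendTransaction` polling (passive waiting for an unlock) from repeated `personal_unlockAccount` calls (active cracking). The stage mapping, the log line format, the thresholds and the sample traffic are all assumptions made for this example.

```python
"""Classify JSON-RPC requests captured by an Ethereum honeypot into the
attack stages and attack methods described in the abstract above."""
import json
from collections import Counter, defaultdict

# Real geth JSON-RPC method names. The stage/method they are mapped to is an
# assumption for this example: it describes what each call would mean on a
# node that exposes the RPC service without authentication.
SENSITIVE_METHODS = {
    "eth_accounts":            ("probe",   "enumerate accounts on the exposed node"),
    "personal_listAccounts":   ("probe",   "enumerate accounts on the exposed node"),
    "eth_getBalance":          ("probe",   "check whether an account is worth attacking"),
    "eth_getTransactionCount": ("prepare", "fetch the nonce needed for a transfer"),
    "personal_unlockAccount":  ("prepare", "actively cracking accounts (passphrase guessing)"),
    "personal_importRawKey":   ("prepare", "phishing by importing an attacker-controlled account"),
    "miner_setEtherbase":      ("prepare", "harvest mining reward by changing the coinbase"),
    "eth_sendTransaction":     ("launch",  "transfer from an unlocked account"),
    "eth_sendRawTransaction":  ("launch",  "send a pre-signed transaction"),
}


def parse_log_line(line):
    """Constructed log format: '<timestamp> <client-ip> <json-rpc body>'.
    Returns (timestamp, ip, requests); a batch body is a JSON list."""
    ts, ip, body = line.split(" ", 2)
    parsed = json.loads(body)
    reqs = parsed if isinstance(parsed, list) else [parsed]
    return ts, ip, [r for r in reqs if isinstance(r, dict) and "method" in r]


def classify(req):
    """Return (stage, description) for a sensitive request, or None."""
    method = req.get("method")
    info = SENSITIVE_METHODS.get(method)
    if info is None:
        return None
    stage, desc = info
    params = req.get("params") or []
    # An explicit zero gas price on eth_sendTransaction is the signature of the
    # "zero gas transaction" ERC20 theft mentioned in the abstract.
    if method == "eth_sendTransaction" and params and isinstance(params[0], dict):
        if params[0].get("gasPrice") in ("0x0", "0x", "0"):
            desc = "zero gas transaction (ERC20 token theft signature)"
    return stage, desc


def analyze(lines):
    """Summarise per source IP: stage counts, distinct attack descriptions, and
    the two volume counters that separate passive polling from active cracking."""
    report = defaultdict(lambda: {"stages": Counter(), "methods": set(),
                                  "send_tx_attempts": 0, "unlock_attempts": 0})
    for line in lines:
        try:
            _ts, ip, reqs = parse_log_line(line)
        except (ValueError, json.JSONDecodeError):
            continue  # malformed line: skip it rather than abort the analysis
        for req in reqs:
            hit = classify(req)
            if hit is None:
                continue
            stage, desc = hit
            entry = report[ip]
            entry["stages"][stage] += 1
            entry["methods"].add(desc)
            if req["method"] == "eth_sendTransaction":
                entry["send_tx_attempts"] += 1
            elif req["method"] == "personal_unlockAccount":
                entry["unlock_attempts"] += 1
    return dict(report)


def verdict(entry, poll_threshold=50, crack_threshold=20):
    """Label one IP's activity. Both thresholds are assumptions for this example."""
    if entry["unlock_attempts"] >= crack_threshold:
        return "active cracking"
    if entry["send_tx_attempts"] >= poll_threshold:
        return "passive waiting for unlock (polling eth_sendTransaction)"
    if entry["stages"]["launch"]:
        return "launch attempted"
    if entry["stages"]["prepare"]:
        return "preparing attack parameters"
    return "probing"


# Constructed sample traffic (not data captured by the paper's honeypot).
SAMPLE_LOG = [
    '2019-01-01T00:00:00Z 198.51.100.7 {"jsonrpc":"2.0","id":1,"method":"eth_accounts","params":[]}',
    '2019-01-01T00:00:01Z 198.51.100.7 {"jsonrpc":"2.0","id":2,"method":"eth_getBalance","params":["0x1111111111111111111111111111111111111111","latest"]}',
    '2019-01-01T00:00:02Z 198.51.100.7 {"jsonrpc":"2.0","id":3,"method":"eth_sendTransaction","params":[{"from":"0x1111111111111111111111111111111111111111","to":"0x2222222222222222222222222222222222222222","value":"0xde0b6b3a7640000","gasPrice":"0x0"}]}',
    '2019-01-01T00:00:03Z 203.0.113.9 [{"jsonrpc":"2.0","id":1,"method":"miner_setEtherbase","params":["0x3333333333333333333333333333333333333333"]},{"jsonrpc":"2.0","id":2,"method":"net_version","params":[]}]',
    'garbage line that should be skipped',
]
# Simulated polling: one client retrying eth_sendTransaction while waiting for an unlock.
SAMPLE_LOG += [
    '2019-01-01T00:01:%02dZ 192.0.2.44 {"jsonrpc":"2.0","id":%d,"method":"eth_sendTransaction","params":[{"from":"0x1111111111111111111111111111111111111111","to":"0x2222222222222222222222222222222222222222","value":"0x1"}]}' % (i % 60, i)
    for i in range(60)
]

if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, "=>", verdict(entry), dict(entry["stages"]), sorted(entry["methods"]))
```

On the constructed sample, the first client is labelled "launch attempted" with the zero-gas signature recorded, the batch request from the second client is labelled "preparing attack parameters" because of `miner_setEtherbase`, and the third client's 60 retries cross the polling threshold and are labelled as passive waiting for an unlock. On a real deployment the same structure applies, but the thresholds should be tuned against the observed request rates rather than taken from this example.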