About 34,200 current Ethereum smart contracts, holding $4.4 million in ether, are vulnerable to attack because of bugs in their code.
That’s the alarming conclusion five researchers from the U.K. and Singapore posited in their report entitled “Finding The Greedy, Prodigal, and Suicidal Contracts at Scale.”
In their paper, the authors identified three major categories of smart contracts that are easy targets for attackers:
- Greedy: These contracts lock funds indefinitely.
- Prodigal: These leak funds to arbitrary users.
- Suicidal: These contracts can be killed by any user.
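As an added illustration of what each category looks like in code (these are constructed examples written for this article, not contracts from the paper or the researchers' tool, and all contract and function names are hypothetical), the following Solidity shows a minimal greedy, prodigal and suicidal contract, followed by one hardened variant that restricts who can move or destroy funds:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed examples for illustration only; not from the paper or its tool.
// Each of the first three contracts shows one category named in the report.

// SUICIDAL: any caller can destroy the contract and take its balance,
// because kill() has no access control.
contract SuicidalVault {
    address public owner;
    constructor() payable { owner = msg.sender; }
    function kill() external {
        selfdestruct(payable(msg.sender)); // no check that msg.sender == owner
    }
}

// PRODIGAL: any caller can send the contract's funds to an address of
// their choosing, because payout() never checks who is calling.
contract ProdigalVault {
    constructor() payable {}
    function payout(address payable to, uint256 amount) external {
        to.transfer(amount); // leaks funds to an arbitrary user
    }
}

// GREEDY: accepts Ether but exposes no function that can ever send it out,
// so every wei received is locked indefinitely.
contract GreedyVault {
    receive() external payable {}
    // no withdraw, no transfer, no selfdestruct: funds can never leave
}

// Hardened variant: only the deployer can withdraw or destroy, and the
// contract that accepts Ether also provides a matching exit for it.
contract GuardedVault {
    address public immutable owner;
    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() payable { owner = msg.sender; }

    receive() external payable {}

    function withdraw(address payable to, uint256 amount) external onlyOwner {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function kill() external onlyOwner {
        selfdestruct(payable(owner));
    }
}
```

The hardened version is deliberately small: an owner check on every state-changing path that moves or destroys value, and no way to receive Ether without a corresponding way to withdraw it. Note that destroying a contract does not stop the network from accepting transfers to its address afterwards, which is how the "posthumous" balances the report describes arise.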
Smart contracts and their codes exist in a decentralized blockchain network. Blockchain is the technology that undergirds bitcoin.
While smart contracts have been hailed for their ease of use and relatively lower costs, they are vulnerable to attackers. In 2017, $500 million was lost or stolen due to poorly coded contracts, and one-half of those incidents involved Ethereum, Bitcoin.com reported.
“We’re dealing with applications that have two very unpleasant traits: They manage your money, and they cannot be amended,” the report’s co-author Ilya Sergey, an assistant professor of computer science at University College London, told Motherboard.
The authors of “Finding The Greedy, Prodigal, and Suicidal Contracts at Scale” analyzed 970,898 smart contracts and discovered that 34,200 of them are easy targets for hacking. That means about 1 in 20 smart contracts are at risk.
“The maximal amount of Ether that could have been withdrawn…is nearly 4,905 Ether,” the authors wrote. Using today’s price of about $894 per ETH token, that’s almost $4.4 million.
The report added: “In addition, 6,239 Ether (about $5.6 million) is locked inside posthumous contracts currently on the blockchain, of which 313 Ether have been sent to dead contracts after they have been killed.”
Because researchers did not reveal which smart contracts are vulnerable, they’re presumably safe from hackers – for now. But the report’s co-author says given the multi-million-dollar jackpot they could uncover, it wouldn’t surprise him if cyberattackers pounced. All it takes to identify the at-risk contracts is some work. “If someone wants to exploit this idea, they’ll have to do at least as much work as we did,” Ilya Sergey said.