Ethereum holds multiple billions of U.S. dollars in the form of Ether
cryptocurrency and ERC-20 tokens, with millions of deployed smart contracts
algorithmically operating these funds. Unsurprisingly, the security of Ethereum
smart contracts has been under rigorous scrutiny. In recent years, numerous
defense tools have been developed to detect different types of smart contract
code vulnerabilities. When opportunities for exploiting code vulnerabilities
diminish, the attackers start resorting to social engineering attacks, which
aim to influence humans — often the weakest link in the system. The only known
class of social engineering attacks in Ethereum is honeypots, which plant
hidden traps for attackers attempting to exploit existing vulnerabilities,
thereby targeting only a small population of potential victims.

In this work, we explore the possibility and existence of new social
engineering attacks beyond smart contract honeypots. We present two novel
classes of Ethereum social engineering attacks – Address Manipulation and
Homograph – and develop six zero-day social engineering attacks. To show how
the attacks can be used in popular programming patterns, we conduct a case
study of five popular smart contracts with combined market capitalization
exceeding $29 billion, and integrate our attack patterns into their source code
without altering their existing functionality. Moreover, we show that these
attacks remain dormant during the test phase but activate their malicious logic
only at the final production deployment. We further analyze 85,656 open-source
smart contracts, and discover that 1,027 of them can be used for the proposed
social engineering attacks. We conduct a professional opinion survey with
experts from seven smart contract auditing firms, corroborating that the
exposed social engineering attacks pose a major threat to smart contract
systems.
