The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts

TL;DR

Horus is a framework that detects, investigates, and traces attacks on Ethereum smart contracts, providing insights into attack patterns and stolen asset flows through large-scale analysis and case studies.

Contribution

This paper introduces Horus, a novel framework for automated detection and analysis of smart contract attacks, including asset tracing and quantification, which was not addressed by prior vulnerability detection tools.

Findings

Identified 1,888 attacked contracts and 8,095 malicious transactions on Ethereum.

Attack frequency remained constant for some vulnerabilities over years.

Demonstrated effectiveness through analysis of recent high-profile attacks.

Abstract

In recent years, Ethereum gained tremendously in popularity, growing from a daily transaction average of 10K in January 2016 to an average of 500K in January 2020. Similarly, smart contracts began to carry more value, making them appealing targets for attackers. As a result, they started to become victims of attacks, costing millions of dollars. In response to these attacks, both academia and industry proposed a plethora of tools to scan smart contracts for vulnerabilities before deploying them on the blockchain. However, most of these tools solely focus on detecting vulnerabilities and not attacks, let alone quantifying or tracing the number of stolen assets. In this paper, we present Horus, a framework that empowers the automated detection and investigation of smart contract attacks based on logic-driven and graph-driven analysis of transactions. Horus provides quick means to quantify and trace the flow of stolen assets across the Ethereum blockchain. We perform a large-scale analysis of all the smart contracts deployed on Ethereum until May 2020. We identified 1,888 attacked smart contracts and 8,095 adversarial transactions in the wild. Our investigation shows that the number of attacks did not necessarily decrease over the past few years, but for some vulnerabilities remained constant. Finally, we also demonstrate the practicality of our framework via an in-depth analysis on the recent Uniswap and Lendf.me attacks.