EtherClue: Digital investigation of attacks on Ethereum smart contracts
Simon Joseph Aquilina, Fran Casino, Mark Vella, Joshua Ellul, Constantinos Patsakis

TL;DR
EtherClue introduces a comprehensive approach for post-attack investigation of Ethereum smart contracts, utilizing multi-level Indicators of Compromise to identify exploit transactions and involved accounts effectively.
Contribution
This work presents a novel model for Ethereum attack investigation using multi-level IoCs and a prototype tool, EtherClue, to evaluate their effectiveness and practicality.
Findings
Coarse-grained IoCs detect exploits with less computation but have false negatives.
Fine-grained IoCs are more accurate but require more computation.
EtherClue demonstrates practical utility in Ethereum attack investigations.
Abstract
Programming errors in Ethereum smart contracts can result in catastrophic financial losses from stolen cryptocurrency. While vulnerability detectors can prevent vulnerable contracts from being deployed, this does not mean that such contracts will not be deployed. Once a vulnerable contract is instantiated on the blockchain and becomes the target of attacks, the identification of exploit transactions becomes indispensable in assessing whether it has been actually exploited and identifying which malicious or subverted accounts were involved. In this work, we study the problem of post-factum investigation of Ethereum attacks using Indicators of Compromise (IoCs) specially crafted for use in the blockchain. IoC definitions need to capture the side-effects of successful exploitation in the context of the Ethereum blockchain. Therefore, we define a model for smart contract execution,…
