Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts

TL;DR

This paper introduces new social engineering attack methods targeting Ethereum smart contracts, demonstrating their feasibility, potential impact, and the need for improved security measures in smart contract deployment.

Contribution

The work presents two novel classes of social engineering attacks and six zero-day attack patterns, expanding the understanding of human-targeted vulnerabilities in Ethereum smart contracts.

Findings

Identified 1,027 vulnerable smart contracts out of 85,656 analyzed.

Demonstrated attacks can be embedded without altering contract functionality.

Experts agree these attacks pose a significant threat to smart contract security.

Abstract

Ethereum holds multiple billions of U.S. dollars in the form of Ether cryptocurrency and ERC-20 tokens, with millions of deployed smart contracts algorithmically operating these funds. Unsurprisingly, the security of Ethereum smart contracts has been under rigorous scrutiny. In recent years, numerous defense tools have been developed to detect different types of smart contract code vulnerabilities. When opportunities for exploiting code vulnerabilities diminish, the attackers start resorting to social engineering attacks, which aim to influence humans -- often the weakest link in the system. The only known class of social engineering attacks in Ethereum are honeypots, which plant hidden traps for attackers attempting to exploit existing vulnerabilities, thereby targeting only a small population of potential victims. In this work, we explore the possibility and existence of new social engineering attacks beyond smart contract honeypots. We present two novel classes of Ethereum social engineering attacks - Address Manipulation and Homograph - and develop six zero-day social engineering attacks. To show how the attacks can be used in popular programming patterns, we conduct a case study of five popular smart contracts with combined market capitalization exceeding $29 billion, and integrate our attack patterns in their source codes without altering their existing functionality. Moreover, we show that these attacks remain dormant during the test phase but activate their malicious logic only at the final production deployment. We further analyze 85,656 open-source smart contracts, and discover that 1,027 of them can be used for the proposed social engineering attacks. We conduct a professional opinion survey with experts from seven smart contract auditing firms, corroborating that the exposed social engineering attacks bring a major threat to the smart contract systems.