Et tu, Blockchain? Outsmarting Smart Contracts via Social Engineering

TL;DR

This paper uncovers six zero-day social engineering vulnerabilities in Ethereum smart contracts, demonstrating their potential to be exploited stealthily in real-world deployments and providing tools for detection and analysis.

Contribution

It identifies new social engineering attack vectors in smart contracts, demonstrates their practical impact, and offers open-source tools and datasets for further research.

Findings

Six zero-day social engineering attacks identified

Over 1,000 contracts vulnerable to these attacks

Demonstrated attacks can remain dormant and activate post-deployment

Abstract

We reveal six zero-day social engineering attacks in Ethereum, and subdivide them into two classes: Address Manipulation and Homograph. We demonstrate the attacks by embedding them in source codes of five popular smart contracts with combined market capitalization of over \$29 billion, and show that the attacks have the ability to remain dormant during the testing phase and activate only after production deployment. We analyze 85,656 open source smart contracts and find 1,027 contracts that can be directly used for performing social engineering attacks. For responsible disclosure, we contact seven smart contract security firms. In the spirit of open research, we make the source codes of the attack benchmark, tools, and datasets available to the public.