Abusing the Ethereum Smart Contract Verification Services for Fun and Profit
Pengxiang Ma, Ningyu He, Yuhua Huang, Haoyu Wang, Xiapu Luo

TL;DR
This paper conducts the first comprehensive security analysis of Ethereum smart contract verification services, revealing multiple vulnerabilities that can be exploited to spread malicious contracts and facilitate scams.
Contribution
It identifies eight types of verification vulnerabilities, proposes detection and exploitation methods, and uncovers 19 exploitable flaws in popular services.
Findings
All studied services can be exploited to spread malicious contracts.
Researchers discovered 19 vulnerabilities in verification services.
Verification services are vulnerable to abuse for scams.
Abstract
Smart contracts play a vital role in the Ethereum ecosystem. Because security issues of many kinds are prevalent in smart contracts, smart contract verification is urgently needed: it is the process of matching a smart contract's source code to its on-chain bytecode, so that smart contract developers and users can establish mutual trust. Although smart contract verification services are embedded in both popular Ethereum browsers (e.g., Etherscan and Blockscout) and official platforms (i.e., Sourcify), and enjoy great popularity in the ecosystem, their security and trustworthiness remain unclear. To fill the void, we present the first comprehensive security analysis of smart contract verification services in the wild. By diving into the detailed workflow of existing verifiers, we have summarized the key security properties that should be met, and observed eight types of vulnerabilities…
Taxonomy
Topics: Advanced Malware Detection Techniques · Web Application Security Vulnerabilities · Security and Verification in Computing
