Ethereum reentrancy attacks: understanding the risks and mitigations
The Ethereum blockchain, built on decentralized consensus, has made enormous progress in recent years and allows transparent interaction between smart contracts. One of the features that makes Ethereum attractive is its support for value transfers: accounts and contracts can send and receive Ether (ETH) and tokens. However, the same mechanism carries a significant security risk: reentrancy attacks.
Reentrancy attacks
A reentrancy attack occurs when an attacker exploits a flaw in a smart contract's execution flow: the contract hands control to an external address (for example by sending it ETH) before it has updated its own state, so the attacker's contract can call the same function again, and again, draining the contract's funds within a single transaction. A nuance for token transfers: a plain ERC20 transfer does not call into the recipient, so it cannot be re-entered in this way; the risk arises wherever a contract sends ETH with a low-level call, or interacts with another contract or a token that notifies its receiver, before its own bookkeeping is done. Nothing at the blockchain level detects or prevents this, because each nested call is a perfectly valid transaction; the protection has to live in the contract itself.
Vulnerability
ERC20 tokens are designed as decentralized digital assets; their value is set by the market, not pegged to the price of Ether. The token design by itself is not the problem. The vulnerable pattern is a contract that performs an external call (paying out ETH to the caller, or calling into another contract) and only afterwards records that the caller's balance has been paid. The attacker's contract, on receiving that call, invokes the same withdraw or transfer function again before the balance is updated, and every nested call pays out the original amount again, with no individual step looking invalid.
The problem
To understand why updating state after an external contract call is a problem, look at how a reentrancy attack unfolds. Suppose we have two smart contracts:
- “Transfer” (a contract that holds user balances and pays them out to callers, written the way a developer would in a normal, non-adversarial context: it sends the funds first and zeroes the balance afterwards)
- “Returning” (an attacker contract whose receive hook calls “transfer” again each time it is paid)
When the attacker moves ETH from account A to account B through the “transfer” function, the payment itself hands control to “Returning”, which re-enters “transfer” before the balance of A has been reduced. Each re-entry pays out the same balance again, and the contract's funds drain in one transaction without anyone noticing until it is over.
Mitigating the risk
Fortunately, there are ways to mitigate this risk. Here are the main ones:
- Order the code as checks, effects, interactions: validate inputs, update the contract's own state (balances, flags), and only then make the external call. With the balance already zeroed, a re-entering call has nothing left to withdraw. Off-chain libraries such as web3.js or Truffle make it easier to call and test contracts, but they cannot protect a contract whose on-chain logic is reentrant.
- Detect reentrancy in the contract itself: add a reentrancy guard, a storage flag that is set on entry to a sensitive function and cleared on exit, so that a nested call into the same function reverts. Audits and static analysis complement this by flagging functions that make external calls before state updates.
- Use a “safe” payout pattern: record what each account is owed and let it withdraw in its own transaction (pull rather than push), instead of pushing funds to callers before the bookkeeping is done. A per-account withdrawal limit or cooldown (the “token transfer recharge” idea) caps what a single transaction can drain if a bug slips through; it does not replace the two measures above.
- Make wallets and monitoring “aware”: tooling built on a web3.js instance can simulate a transaction before it is submitted (eth_call or gas estimation) and flag repeated nested calls into the same function. This is defence in depth only, since a reentrant contract is exploitable regardless of which wallet the victim uses.
Conclusion
Ethereum's support for ETH and token transfers between contracts carries a real security risk whenever a contract calls out to another address before updating its own state. The mitigations exist and are well understood, but applying them requires understanding how reentrancy works: order code as checks, effects, interactions; guard sensitive functions against re-entry; prefer “safe” pull-based payouts; and use off-chain simulation as an extra layer. In doing so, we keep contracts secure for users and developers alike.
Recommendations
- Write every function that sends ETH or calls another contract in checks-effects-interactions order, and add a reentrancy guard to it; use web3.js or Truffle for testing and transaction simulation, not as a substitute for safe on-chain logic.