Smart Contract Penetration Testing Framework

This research presents a new penetration testing framework specifically designed for smart contracts and decentralized applications on blockchain. The framework identifies vulnerabilities that traditional automated testing methods may overlook, enhancing the security of blockchain applications against evolving cyber threats. The study highlights the unique security challenges posed by blockchain technology and emphasizes the need for effective testing strategies to ensure safe implementation.

Peer-to-Peer Networking and Applications

https://doi.org/10.1007/s12083-020-00991-6

Penetration testing framework for smart contract Blockchain


Akashdeep Bhardwaj 1, Syed Bilal Hussian Shah 2, Achyut Shankar 3, Mamoun Alazab 4, Manoj Kumar 1 and Thippa Reddy Gadekallu 5

Received: 8 June 2020 / Accepted: 21 August 2020


© Springer Science+Business Media, LLC, part of Springer Nature 2020

Abstract
Smart contracts powered by blockchain ensure transaction processes are effective, secure and efficient as compared to conventional contracts. Smart contracts facilitate trustless processes, time efficiency, cost effectiveness and transparency without any intervention by third-party intermediaries like lawyers. While blockchain can counter traditional cybersecurity attacks on smart contract applications, cyberattacks keep evolving in the form of new threats and attack vectors that affect blockchain just as they affect other web- and application-based systems. Effective blockchain testing helps organizations build and utilize the technology securely with the connected infrastructure. However, during the course of this research, the authors found that blockchain technology comes with security considerations like irreversible transactions, insufficient access, and non-competent strategies. Attack vectors like these are not found on web portals and other applications. This research presents a new penetration testing framework for smart contracts and decentralized apps. The authors compared results from the proposed penetration testing framework with automated penetration test scanners. The results detected missing vulnerabilities that were not reported during the regular pen test process.

Keywords: Attack vectors; Blockchain; Cyber threats; Cybersecurity; OWASP; Smart contracts

Highlights

• This research presents a new framework to perform manual penetration testing on smart contract applications and decentralized apps.
• Results from the newly proposed penetration testing framework and automated penetration test scanners are compared in this research for Blockchain applications. No other framework currently performs such validations.
• The new framework detected missing vulnerabilities that were initially not reported during the regular penetration testing process, which could have made the Blockchain contract app vulnerable to cyber-attacks and threats.
• In real-time cyberspace, no one can ensure that operations will be executed in a predefined order. Any malicious user could cheat the seller if the buyer intentionally changes the order of transactions or the execution process. The proposed framework performs validation and compares inputs, as well as any mismatch of the actual steps, against the predefined properties and process.
• The authors also compared the tool and manual penetration testing results to analyze the outcome after removing the vulnerabilities discovered during penetration tests for the smart contract applications.

This article is part of the Topical Collection: Special Issue on Blockchain for Peer-to-Peer Computing
Guest Editors: Keping Yu, Chunming Rong, Yang Cao, and Wenjuan Li

* Syed Bilal Hussian Shah
bilalshah@dlut.edu.cn
* Thippa Reddy Gadekallu
thippareddy.g@vit.ac.in
Extended author information available on the last page of the article

1 Introduction

Blockchain technology has seen enormous growth in terms of research and implementations by various types of industries. Blockchain works on peer-to-peer transactions, being distributed and decentralized with anonymity and no third party or centralized control. Smart Contracts [1] are digital programs, scripts of code stored inside a Blockchain. These programs are tamper-proof, self-verifying, self-executable and self-enforceable [2] digital contracts that execute when certain clauses [3] with specific predefined conditions are met. Smart Contracts are capable of performing transactions in real time, at low cost, and provide a greater degree of security [4]. The network of Blockchain cryptocurrency nodes executes to update the distributed transparent ledger. This update is seen by all nodes and verified [5] before acceptance in the network. As an example, imagine buying a new car: the traditional process starts by going to a car dealer (an intermediary third party) and bargaining for your choice of car, then going to a bank for a car loan (another third party) and involving the transport department and insurance (more third parties) for the paperwork. Once all formalities and payments are completed, there is a waiting period before the car's delivery. This process takes time and involves interactions with multiple other third parties.

Assuming the same car details, ownership, papers and offer are available with no third party involved, the details are available with higher-level security, unchanged and distributed over the Blockchain network. The details are validated by each node on the network, but no one person is in absolute control. Execution of the purchase order is done using the Smart Contract. This system would be secure and paid for by cryptocurrency in real time [6]. Ownership is transferred immediately as a digital identity on the Blockchain ledger. All nodes update the ledger on the Blockchain network and conclude the transaction [7]. A similar process is followed by banks or lending organizations for processing loans or receiving automatic payments. Insurance companies can use Blockchain for processing claims. Postal departments can process payment on delivery with Smart Contract systems [8] instead of the traditional transaction process.

This concept [6] is implemented for buying or renting apartments, involving a tenant and a property owner. Monthly rent or EMIs can be deducted using tokens or cryptocurrencies. So in effect any transaction can be handled securely and efficiently using Smart Contract systems powered by Blockchain technology [9]. Global securities exchanges in the United States [10] and Australia [11] have accepted these. However, much like cyber threats [10] and attacks on cloud-hosted systems and applications, Blockchain networks also suffer attacks like Denial of Service (DoS) [12], Decentralized Autonomous Organization (DAO) [13] and Blockchain-specific cyberattacks that are discussed in the subsequent sections of this research. Traditional IT infrastructure and hosted applications as well as Blockchain environments both face similar cybersecurity threats. In most use cases, the attack vectors are the same; however, the mitigation strategies can vary. While it may seem that the Blockchain is a perfect solution for transactions, the technology still has points of vulnerability. The attack vectors have been categorized based on Network, Applications, Data Integrity and End User levels and are listed in Table 1.

While designing and implementing Blockchain-based Smart Contract solutions, the security threats associated with Smart Contracts come from various directions, ranging from source code bugs, virtual machine vulnerabilities and an insecure runtime environment to the Blockchain network itself. Some of them are:

• Complex Technology: When trying to design and build Smart Contracts from scratch or as a localized version, the security vulnerabilities lie with the execution and not the system. Average programmers and developers cannot implement Blockchain; this needs specialized skills.
• Inception Vulnerability: For a proper Blockchain to perform, thousands of nodes are required to work in unison. If one node or group of nodes controls 51% of the system nodes, then they can control the Blockchain outcome. For a small setup of nodes, this is easily possible.
• Government Control: Cryptocurrencies can render government-controlled currencies less valuable or out of use and destabilize the world's economy. Such authorities would always want some regulation and level of control, which goes against the decentralized concept of Smart Contracts.
• Third Party Integrations: Use of non-standard third-party platforms can introduce flaws even as the Blockchain network may be secure, e.g. 400 BTCs were hacked from the NiceHash mining marketplace and $60 million stolen as user funds in 2017, Bitcoin Gold was hacked in 2018 losing $18 million, while crypto exchange Zaif confronted a $60 million bitcoin theft.
• Security of Keys and Certificates: The dark web had over 60 marketplace portals selling SSL and TLS certificates and related services for $250 to $2000 in March 2019. Blockchain keys and Smart Contracts face yet another set of challenges where criminals assume the identities of trusted machine nodes.
• Insecure Source Code: A source code issue such as a reentrancy attack can lead to passing control to untrusted functions of other Smart Contracts, which can have undefined behavior or be used for malicious purposes. Source code bugs in an Ethereum [14] Smart Contract cost $80 million in 2016.
• Virtual Machine Vulnerabilities: These are low-level attacks using the Ethereum Virtual Machine. The EVM has been found to have immutable defects. Blockchain blocks can be changed after creation, cryptocurrency can be lost during transfer, or access control of systems by hackers can lead to access to sensitive functionality of the Smart Contract.
• Mining Pools: Miners unite to combine and create pools of computing power. This helps to mine more blocks and receive more rewards, unlike individual miners, who hardly earn any profit or receive any BTCs. Miner pools [15] increase their reward share by delaying the broadcasts of mined blocks to others; then suddenly all the blocks are released at once. This makes other miners lose their blocks. The largest Bitcoin miner pools are AntPool, BTC.com and ViaBTC. Mitigation strategies against such threats are having only trusted miners on the network or modifying the Smart Contract protocols to hide the variance between partial or full proof of work inside the Smart Contracts [16].

2 Literature survey

For this research, the authors identified 144 research papers published from 2016 until date on Blockchain and Security Testing; a four-stage selection process shortlisted 38

Table 1 Attack vector classification

Attack vector: DoS attack
IT infrastructures face denial of service attacks, which typically involve flooding the network pipes and applications with requests. Legitimate users are denied access to the service resources.
• Blockchain Smart Contracts face service denial attacks when more execute, update or new-block creation requests are submitted to the Blockchain than can be handled. Transaction tampering with group routing is another such attack: attackers sub-divide the Blockchain network into separate groups that are not allowed to communicate with each other, and the transactions are then sent to the peer nodes. This makes it impossible for other peers to detect the tampering.
• Routing attacks involve partitioning the peer nodes, with delays introduced into the network interfering with the message broadcasts being sent on the network.

Attack vector: Network Efficiency
Currently in most Blockchain ecosystems, the maximum possible transactions per second is between 3.3 and 7. Credit cards attain around 2000 transactions per second, while Twitter achieves around 5000 transactions per second.
• Low efficiency of transactions often holds back Blockchain adoption for potential nodes. This also involves greater processing and throughput effort inside the Blockchain and for the miners.
• As the Blockchain network grows, complexity increases, which in turn interferes with the processing speed and efficiency of the Blockchain network.

Attack vector: Code
This involves use of multiple iterations of Penetration Testing using secure coding, with manual and automated tools. Smart Contract vulnerabilities can be written by any node and then spread in the network. Integer Overflow was the only major code flaw detected in Blockchain.
• Points of Failure: use of a single primary database server or one master backup can be a glaring vulnerability; IT setups typically use multiple systems and backups and plan for business continuity and disaster recovery. Being a distributed ledger with multiple nodes involved in the network, there are no such issues visible in Blockchain.
• Timejacking exploits the Bitcoin timestamp vulnerability; this is done by altering the node time counter or by adding multiple fake peers having erroneous timestamps. This forces the victim node to agree on using another Blockchain network.
• Eclipse attacks have the hacker taking control of a large number of distributed nodes as network bots. Once the nodes are restarted, outgoing connections are redirected to the attacker's IP address, which is controlled by the attackers. The victim nodes are then unable to obtain their transactions.

Attack vector: Data Integrity
IT infrastructure manages data security using the CIA triad. This includes backups and implementation of strong security policies and processes with audits. For Blockchain systems, cybercriminals target user wallet credentials.
• Wallet Access involves traditional hacking means like use of phishing emails and dictionary attacks, as well as new sophisticated attacks which seek vulnerabilities in the cryptographic algorithms. Blockchain utilizes the ECDSA cryptographic algorithm, which automatically generates unique private keys. ECDSA has an insufficient entropy vulnerability, which results in the same random value being utilized by more than one signature.
• Fraudulent Modifications are done by man-in-the-middle and privilege escalation attacks. These are usually mitigated by security policy, data encryption and salting for IT infrastructure involving databases. Since the Blockchain exists in the form of a sequential chain of blocks, anyone trying to alter records would have to first alter all transactions leading to that specific transaction, which is complicated. However, attackers can alter the transaction ID and broadcast that transaction with a modified hash value to the nodes. They would try to get it confirmed before the original transaction completes. The initiator would tend to believe the initial transaction might have failed, even as funds in the form of BTCs had been withdrawn from their account. This is termed Transaction Malleability. The attacker tricks the victim into paying twice. In 2014, the MtGox Bitcoin exchange went bankrupt due to such a malleability attack.

Attack vector: End User
• Endpoint threats: Endpoint security is controlled by the enterprise with organization-wide policies and console management for monitoring and detection of end user systems and mobile devices [13]. For Blockchain, the nodes are the endpoints, which can be homogeneous, so a flaw in one node can be exploited as a flaw in the Blockchain network systems.
• Intentional Misuse: A traditional setup faces insider threats by staff and employees who can steal data and affect the setup. In Blockchain, miners are incentivized for Proof of Work and can group together to take control of the network. A majority attack or 51% attack occurs in a Blockchain network when one group or hacker harnesses enough computing power to compromise the whole network. The hacker can gain control of network hash rates to create alternate forks and then take precedence over existing forks.
• Sybil Attack: performed by controlling multiple nodes as bots. These surround the victim node with fake node transactions or take time verifying the transactions. The victim node thus becomes vulnerable to double-spend attacks, which are difficult to detect and prevent. The attackers use the same coins or tokens for multiple different transactions, tricking the Blockchain system into accepting the fraudulent transaction.

relevant publication works as illustrated in Fig. 1 below. Some of the relevant reviews are mentioned in this section. The reason for concentrating on the last 3 years was that the immense growth and changes in the Blockchain Smart Contract domain have happened primarily in the past few years, along with the latest cybersecurity attacks, threat vectors and vulnerabilities discovered and exploited by cybersecurity attackers.

Table 2 represents the overall spread of the research papers and the subcategories selected for the literature review.

Tonelli et al. (2019) [17] implemented a Blockchain-based Smart Contract using micro-service applications. The authors analyzed and replicated the Smart Contract micro-service architecture in the form of a case study using a set of Smart Contracts. The results displayed the possibility of implementing simple

Fig. 1 Staged literature survey selection criteria

micro-services while maintaining similar paradigms and functionality.

Amoordon et al. (2019) [18] proposed a fault-tolerant application promoting awareness and ease of programming in Blockchain. The authors proposed one application per Blockchain and displayed the improved performance and reduced weakness against security attacks. This platform could potentially be an ideal Smart Contract application for Blockchain platforms like Ethereum and Bitcoin.

Yamashita et al. (2019) [19] presented a survey on security risks for Blockchain, focusing on the programming languages and development tools. The authors utilized the Java and Go languages that existed before Blockchain was created, even though these languages are not designed for writing Smart Contracts. The authors focused on 14 primary risks, observed that existing tools would not cover some risks, and also developed a static analysis detection tool.

Al-Jaroodi et al. (2019) [20] surveyed the application of Blockchain technologies and Smart Contracts for various industrial domains [21]. The authors observed that deploying Blockchain increased industrial transparency, security, efficiency and traceability even as the cost of deployment and delivery was reduced.

Mohammed et al. (2019) [22] discussed adoption of Blockchain and Smart Contracts for industrial sectors, primarily the manufacturing industry. The authors observed that for effective integration with multiple systems and components, there were challenges to overcome. The authors proposed adopting a middleware approach in order to effectively utilize Blockchain and use its capabilities to the full extent, leading to smart manufacturing.

Draper et al. (2019) [23] reviewed security applications like PGP and proxy chains and studied the challenges faced by Blockchain. The authors studied the major problems faced and discussed ways of solving problems like latency, integration, throughput and regulation, as well as providing direction for future research.

Mahmood et al. (2019) [24] focused on providing enhanced safety and productivity of logistics operations using Smart Contracts, Big Data and ICT. An implementation of a supply chain for tracking containers in real time was presented with an email and SMS alerting system for customers. Customers utilized the system to track international and national delivery of their consignments.

Tateshi et al. (2019) [25] presented a unique model to auto-generate executable Smart Contracts in Blockchain-based Hyper

Table 2 Blockchain related literature review categorization

Paper Classifications       Stage 1  Stage 2  Stage 3  Stage 4  Final Review  Breakup %
Smart Contract              38       29       17       12       10            26.8%
Blockchain Threat           33       26       18       14       9             23.7%
Attack Vectors              38       30       21       16       10            26.3%
Blockchain Cybersecurity    35       28       20       15       9             23.2%
Total                       144      140      98       66       43

Fig. 2 AWS Node Instance setup

ledger using a human-written and understandable contract document. The authors created this using a template with a controlled natural language and evaluated the results using case studies from real-world Smart Contracts in various domains.

Wang et al. (2019) [26] proposed a comprehensive overview of Smart Contracts based on Blockchain. The authors introduced the platforms and operating mechanisms of Smart Contracts and a six-layer architecture framework. The authors also reviewed legal and technical challenges [27], discussed the application security issues and provided references for future research.

Ozyilmaz et al. (2019) [28] designed a Blockchain-based Internet of Things using emerging technologies like Swarm, Ethereum and LoRa. The authors addressed the issues of data storage, high availability, mining and denial of service attacks for Smart Contract systems that typically employ trustless nodes in a decentralized manner for distributed storage in Blockchain networks.

Wan et al. (2019) [14] focused on industrial IoT nodes [15] to restructure the original architecture and designed a new decentralized model [16] based on a Blockchain network. This improved the security and privacy [29] as compared to the traditional architecture, as well as optimizing application delivery. As the size of the network and the number of nodes increase, the traditional architecture was unable to provide efficient support, while the proposed architecture emerged as a viable solution.

Suliman et al. (2019) [30] utilized the features of Blockchain Smart Contracts as a concept for carrying out

Fig. 3 AWS Node Volume and Snapshots for changes



Table 3 Blockchain environment setup prerequisites

Tool: MIST Browser
Description: Browser for decentralized applications, built with the Yarn package manager
Installation steps (Yarn is installed first, since the build step below runs it):
$ curl -o- -L https://yarnpkg.com/install.sh | bash -s
$ git clone https://github.com/ethereum/mist.git
$ cd mist
$ yarn

Tool: Google Chrome
Description: Download the Google Chrome package and then install it
Installation steps:
$ sudo wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
$ sudo apt install ./google-chrome-stable_current_amd64.deb

Tool: Node.js & NPM
Description: Install the JavaScript runtime (Chrome's V8 engine) and the node package manager
Installation steps:
$ sudo apt install nodejs
$ node --version
$ sudo apt install npm

Tool: Metamask
Description: Allows user accounts and key management, including hardware wallets, instead of keeping keys on a central server
Installation steps: Open https://metamask.io/ in Google Chrome. Use "Get Chrome Extension" to install Metamask. Select Add to Chrome ➔ Add Extension ➔ click on the Metamask logo and agree to the terms of use.

Tool: Solidity Compiler
Description: Set up the Solidity compiler
Installation steps:
$ sudo npm install solc

transactions. The authors discussed the architecture, application logic, entities and the interaction workflow using a decentralized and highly trusted network having no intermediary. This model is based on using Smart Contracts for live data exchange on Ethereum, Wood et al. (2016) [31].

Alladi et al. (2019) [32] presented existing trends in research related to blockchain implementations for industrial sectors. The authors discussed implementation challenges, presented issues hampering the adoption of blockchain technology for Industry 4.0, and discussed future application areas.

As cybercrimes are increasing day by day, the evaluation of such attacks to provide protection measures was suggested by Ch et al. (2020) [33]. Use of manual methods with technical approaches often fails to control cyberattacks [34, 35]. The authors proposed a machine learning computational application that can analyze and classify the rate of cybercrimes per country or state location. The authors implemented security and data analytics to analyze and classify structured and unstructured data. The testing analysis reportedly produced an accuracy of 99%.

Fig. 4 AWS Setup Console for the Smart Contract Blockchain



Fig. 5 Deep level application security test

2.1 Gaps identified

The authors reviewed research papers on Blockchain and Security Tests and identified that there are gaps that need to be addressed.

• Classification of the research papers themselves is a huge problem, as new classifications need to be defined related to blockchain and penetration testing as compared to web and application security testing or OWASP.
• Other challenges like latency and robustness of the applications and systems are also researched by many organizations and researchers.
• Survey and research on the legal and regulatory compliance issues due to different countries' rules and regulations.
• Cyber-risks and privacy are accorded the highest priority as some of the most difficult features to implement and deploy. Since blockchain is permissionless, public systems in the form of nodes can be controlled and utilized for unlawful purposes. This further complicates the process, as the global transactions are completely anonymous transactions without any check or involvement of any centralized authority.
• Scalability of the nodes and storage related to cryptocurrencies is being able to handle the dynamic transaction rate in a centralized system even as its technology core remains unchanged.

3 System model

Blockchain environment setup includes installation of a few prerequisites as part of the essential tools required for Blockchain nodes. The authors set up Amazon Web Services general-purpose instances running multiple nodes with Ubuntu OS 18.04. Each node created on AWS uses the T3 instance model with dedicated single-tenant hardware. Each node has been designed to run the Smart Contract application on m5.4xlarge with 8 vCPU (Alpha CC), 32 GB RAM and a 300 GB SSD drive each. In order to connect the nodes, the authors utilized Amazon Web Services instances accessible via RDP, PuTTY and SSH using IPv4 public addresses as shown in Fig. 2.

AWS instance volumes and snapshots were taken after each major application and configuration change at regular durations as illustrated in Fig. 3 below. The systems have

Fig. 6 Blockchain environment setup



Fig. 7 Proposed architecture

3500 Mbps of committed EBS transmission capacity, up to 10 Gbps. This performs vulnerability assessment using passive sensors [36, 37] (Table 3).

The second is the centralized administration server that gathers and reports on vulnerabilities recognized by the operators, and controls the organization's local integration with different instruments like IDEs and CI/CD, supporting features for reporting, alerts and API access via a RESTful API for custom integrations, as illustrated in Fig. 4 below.

4 Proposed framework

The Penetration Testing framework comprises core testing strategies and services, such as cloud testing services, functional testing, API testing, integration testing, security testing and performance testing. It also includes Blockchain-specific testing strategies such as block testing, smart contract testing and peer/node testing. The authors propose the use of Static Application Security Analysis at the introductory stage, before execution of the Blockchain code. This includes custom application code alongside the runtime stage and incorporates the Blockchain application server, framework and code libraries. Regularly, Dynamic Application Security Testing only involves the use of tools that exercise the running Blockchain applications. This is performed using simulated targeted attacks or specially crafted HTTP inputs [38]. By analyzing the HTTP response, the vulnerabilities are identified. Nevertheless, DAST is oblivious to what happens inside the application, and gives only limited coverage. Like SAST, DAST [39] tools are slow, with an average scanning run taking hours, if not days, to finish. The proposed approach performs a full runtime data and control flow analysis, combined with static analysis of all the code as described above, while also analyzing all the inbound and outbound HTTP traffic produced during normal testing of the application. This permits performing dynamic analysis similar to, but more powerful than, DAST, without requiring any dedicated security tests, exploitation of the target application, or security specialists to be involved in the testing procedure, as illustrated in Fig. 5. Since the evaluation works from inside the application, this gives more precise analysis than customary Penetration (Pen) Testing tools, and is not at all like either SAST or DAST products. The authors performed Software Composition Analysis (SCA) to assemble an inventory of all third-party components (for example libraries, frameworks and so on), including open source software (OSS), that are utilized by the application. Use of proper Penetration Testing tools is equally important. This helps differentiate between the known and hidden ambiguous vulnerabilities in the application and modules. The authors performed Blockchain Pen Tests using two specific tools and recommend them for all potential Blockchain Pen Testers. The first is the Truffle Framework, which provides a simple and easy Pen Testing and management environment for Smart Contract related

Table 4 Threat Severity Levels

Rating  Severity       Description
1       Insignificant  Result of a low or irrelevant log entry; can be ignored
2       Minor          Alert due to more than one node or transaction; can be a false positive
3       Moderate       Verified security event leading to a true positive event
4       Major          Ongoing security breach; requires significant management intervention

Fig. 8 Blockchain node transaction Delays

applications. This framework includes support of complex to In order to calculate the threat level, first treat level estima-
standard Blockchain based implementations, customized de- tion is done by applying thresholds and then use weighted
ployment as well as linking libraries. methodology. Threat point levels are collaborated with the
The framework even offers JS and Solidity development Threat rating. This represents the threat severity range from
environment to run automated use case and codes. Pen testers one to four as illustrated in Table 4 below to determine the
can also run automated scripts for migration and deployments Total Risk Points. This is calculated as the sum of risk points
as well as build pipeline for end-to-end support for custom with threat severity weight, as per the risk point and ratings.
Blockchain processes and perform asset rebuilding during de- Risk Points = [Risk Point (Maximum) * Rating (Major)] +
velopment phase. The second is Ethereum Tester tool to per- [Risk Point (High) * Rating (Moderate)] + [Risk Point (Low)
form full test suite with customized API support to improve * Rating (Minor] + [Risk Point (Minimum) * Rating
the Pen Tester and Developer efficiency, time and efforts. (Insignificant)].
These tools in particular helped detect and block vulnerabil-
ities that were never found and reported any time earlier dur-
ing the pre-penetration testing reconnaissance phase. Sum of Risk Point Sum ðRPÞ
8 9
Blockchain architecture and execution environment is illus-
> ½RPðmaxÞ*SRðmajorÞ >
< =
trated in Fig. 6 below. Cybercriminals have been abusing ½RPðhighÞ*SRðmoderateÞ
¼ :
Blockchain requesting ransoms in type of digital currencies, >
: ½RPðlowÞ*SRðminorÞ >
;
ransomware assaults. In any case, presently the attacks focus ½RPðminÞ*SRðinsignificantÞ
on Blockchain Smart Contract vulnerabilities as the primary
wellspring of income, assaults. Proposed Penetration Testing 8 9
ð4 ðMajorÞif RP > HTiÞ
> >
architecture is presented in Fig. 7. < =
3 ðModerateÞ if RP ≥ HTi
The authors estimate the risk level by determining the total Severity Rating SR ¼ :
relationships for each threat as per the incident. : 2 ðMinorÞ if RP ¼ HTi
> >
;
1 ðInsignificant Þ if RP ≤ HTi
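The weighted risk-point sum and the Table 4 ratings above, implemented as an added JavaScript example (this is not code from the paper). The bucket names `max`, `high`, `low`, `min`, the threshold value and the sample counts are assumptions. The paper lists the four severity conditions in the order shown (>, >=, =, <=) and they overlap, so this example evaluates them top-down and returns the first match, which is one reading of the formula, not the paper's own code:

```javascript
// Added example (not from the paper): Total Risk Points and Severity Rating
// following Table 4 and the weighted-sum formula above.

// The four severity ratings from Table 4.
const SEVERITY_RATING = Object.freeze({
  insignificant: 1,
  minor: 2,
  moderate: 3,
  major: 4,
});

// Which rating each risk-point bucket is weighted with, as in the formula:
// RP(max)*SR(major) + RP(high)*SR(moderate) + RP(low)*SR(minor) + RP(min)*SR(insignificant)
// The bucket names are an assumption for this example.
const BUCKET_WEIGHT = Object.freeze({
  max: SEVERITY_RATING.major,
  high: SEVERITY_RATING.moderate,
  low: SEVERITY_RATING.minor,
  min: SEVERITY_RATING.insignificant,
});

// Table 4 descriptions keyed by rating, for reporting.
const SEVERITY_DESCRIPTION = Object.freeze({
  1: 'Result of low or irrelevant log entry, can be ignored',
  2: 'Alert due to more than one node or transaction, can be false positive',
  3: 'Verified security event leading to a true positive event',
  4: 'Ongoing security breach, requires significant management intervention',
});

// Total Risk Points: risk points in each bucket weighted by that bucket's
// severity rating. `riskPoints` is e.g. { max: 2, high: 3, low: 4, min: 5 };
// a missing bucket counts as zero.
function totalRiskPoints(riskPoints) {
  let total = 0;
  for (const [bucket, weight] of Object.entries(BUCKET_WEIGHT)) {
    const rp = riskPoints[bucket] ?? 0;
    if (!Number.isInteger(rp) || rp < 0) {
      throw new RangeError(`risk points for '${bucket}' must be a non-negative integer`);
    }
    total += rp * weight;
  }
  return total;
}

// Severity Rating SR for a total RP against threshold HT_i, evaluated in the
// order the paper lists the conditions. Because ">=" already covers equality,
// the "=" branch can never be reached; it is kept to mirror the printed formula.
function severityRating(rp, hti) {
  if (rp > hti) return { rating: 4, label: 'Major' };
  if (rp >= hti) return { rating: 3, label: 'Moderate' };
  if (rp === hti) return { rating: 2, label: 'Minor' };
  return { rating: 1, label: 'Insignificant' };
}

// Combine both steps into one report for a finding.
function assessThreat(riskPoints, hti) {
  const rp = totalRiskPoints(riskPoints);
  const sr = severityRating(rp, hti);
  return { totalRiskPoints: rp, ...sr, description: SEVERITY_DESCRIPTION[sr.rating] };
}

// Constructed sample: two findings rated Maximum, three High, four Low and
// five Minimum, against an assumed threshold HT_i of 25.
console.log(assessThreat({ max: 2, high: 3, low: 4, min: 5 }, 25));
```

With the sample counts the weighted sum is 2*4 + 3*3 + 4*2 + 5*1 = 30, which exceeds the assumed threshold and therefore maps to rating 4 (Major).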

Fig. 9 Vulnerability, attack and consequence relations

The authors implemented the below-mentioned algorithm for Client-side Authentication and Validation.

Fig. 10 Workflow for vulnerability detection

4.1 Research performed

The authors performed Penetration Testing on a production-ready, commercial Blockchain application; the testing was performed in the pre-production environment, and the critical vulnerabilities found are listed below. These critical vulnerabilities are mapped to the OWASP Top 10 for Blockchain Smart Contracts.

• Vulnerability Type: Injection
Threat Level: High
Process: Validated strings with whitelisting before the database SQL query.
Issue: A buffer-out-of-bounds issue was detected on the system in the Smart Contract parsing module. This poor sanitization of input allowed authentication to be bypassed and unauthorized commands to be executed. On the Sandbox, this vulnerability launched a reverse shell on the infected nodes on the network. The authors found three functions in the Data sub-directory code that used string-concatenated queries to perform database operations on package-supplied parameters.

• Vulnerability Type: Broken Authentication
Threat Level: High
Process: Design issues in the LISK cryptocurrency do not bind short addresses immediately to public keys. Attackers can take over any unclaimed account.
Issue: Incorrect implementation of the Near-Swap feature makes it prone to different attacks. The best option is not to open web server access to everyone; there should be some level of authentication in place. The application's Near-Swap feature allows a third person to snoop into the communication and download files from either of the two users' devices without their permission.

• Vulnerability Type: Transaction Routing Attack
Threat Level: High
Process: Hack peer nodes to change the state of transactions before they are committed on the network.
Issue: Divide the Smart network into groups in order to delay the transactions, tamper with the propagating messages sent on the network and even divert the Blockchain traffic, as illustrated in Fig. 8.

The below code illustrates the nodejs connectivity to the node.

To demonstrate the advantages of using a manual penetration testing approach against an automated scanner, the authors compared the manual results against two state-of-the-art Penetration Testing analyzers.
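The Injection finding above (string-concatenated database queries on package-supplied parameters, mitigated by whitelisting before the SQL query) as an added JavaScript example; this is not code from the paper or from the tested application. The table and column names, the whitelist format and the sample inputs are assumptions:

```javascript
// Added example (not code from the paper or the tested application): the
// string-concatenated query pattern from the Injection finding, beside a
// hardened builder that whitelists the package-supplied parameter and binds
// it as a query parameter. Table/column names are assumptions.

// Whitelist for a package identifier: starts with a letter or digit, then up
// to 63 more letters, digits, '.', '_' or '-'. This format is an assumption.
const PACKAGE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// The only SQL text the hardened builder ever emits ($1 is a bound parameter,
// the placeholder syntax used by node-postgres).
const PACKAGE_LOOKUP_SQL = 'SELECT id, version FROM packages WHERE name = $1';

function isValidPackageName(name) {
  return typeof name === 'string' && PACKAGE_NAME.test(name);
}

// Vulnerable pattern: the caller's value is spliced into the SQL text, so the
// statement the database parses depends on the input.
function buildPackageQueryUnsafe(packageName) {
  return {
    text: `SELECT id, version FROM packages WHERE name = '${packageName}'`,
    values: [],
  };
}

// Hardened pattern: reject anything outside the whitelist first, then keep the
// SQL text constant and hand the value to the driver as a parameter.
function buildPackageQuerySafe(packageName) {
  if (!isValidPackageName(packageName)) {
    throw new RangeError('package name rejected by whitelist');
  }
  return { text: PACKAGE_LOOKUP_SQL, values: [packageName] };
}

// Count the quoted literals in a query text. The unsafe template contains
// exactly one; any extra came from the input and changed the statement's shape.
function quotedLiteralCount(sqlText) {
  return (sqlText.match(/'/g) || []).length / 2;
}

// Constructed inputs: a legitimate package name and one carrying SQL
// metacharacters. Neither is taken from the paper.
const SAMPLE_INPUTS = ['web3-utils', "x' OR '1'='1"];

// Run both builders over the sample inputs and report what each produced.
function compareBuilders() {
  return SAMPLE_INPUTS.map((input) => {
    const unsafe = buildPackageQueryUnsafe(input);
    let safe;
    try {
      safe = buildPackageQuerySafe(input);
    } catch (err) {
      safe = { rejected: err.message };
    }
    return {
      input,
      unsafeLiterals: quotedLiteralCount(unsafe.text), // 1 for a benign name, 3 for the second input
      safe,
    };
  });
}

console.log(JSON.stringify(compareBuilders(), null, 2));
```

The whitelist check is the control the finding describes; the bound parameter is the second layer that keeps the SQL text constant even if a value slips past validation, because the driver never interprets `values` as SQL.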

For the sake of confidentiality, the names cannot be revealed. One of the tools is based on symbolic execution while the other is based on dynamic random testing. This ensured that testing of the smart contract covered any vulnerability related to exploitation. The authors performed functional and non-functional testing in order to validate and resolve any smart contract anomalies. During non-functional testing, Smart Contract performance and security are taken into account at the highest level. The security pen test covered the common vulnerabilities and exploits, namely reentrancy, buffer under- and overflow, delegate calls and visibility, while performance testing guaranteed the peak transaction volume for contract behaviours. In functional testing, business requirements and rules were validated using various use cases that included boundary test rules, valid/invalid arguments and argument combinations, as illustrated in Figs. 9 and 10.

5 Results

This shows an untested contract that is vulnerable to cheating. In the parallel/decentralized world, no one can ensure that the operations are executed in the predefined order. A malicious buyer could cheat the seller of Product X if the buyer intentionally changes the order of transaction execution. In the comparison with the first tool, the Smart Contract is taken as input and checked for any match of concrete traces against the tool's predefined security properties [40–43]. This is compared to the manual Penetration Testing results obtained. The authors performed two comparisons that analyse the effect of mitigating the vulnerabilities discovered during the Penetration Tests of the Smart Contract. First, the viability of the real-world vulnerabilities was determined and, second, the automated Penetration Testing tools used in the industry for Smart Contract Penetration Testing were compared. The authors included more than 30,000 Smart Contracts, with the maximum attack program size set to three and a delay timeout of 15 min for each Smart Contract. To understand the adequacy of the manual static Penetration Testing performed, a correlation was performed using automated dynamic Penetration Testing tools. The results obtained are displayed in Tables 5 and 6. To confirm the final release of the pen-tested Blockchain, the authors compared the results with previous version releases. Table 7 displays this based on four major security features: tamper proof, authentication, decentralization and authorization. Thus it is validated that the production release, after undergoing multiple pen test iterations, shows no major issues related to the four security features, as compared to the pre-pen test or the multiple pen test iterations.

Table 5 Comparing Manual and Automated for benchmarks reported for project effectiveness

Vulnerability types   Manual V Automated   Manual – Automated   Automated – Manual
Timestamp Value       522                  671                  103
Reentrancy Routine    15                   129                  17

Table 6 Analysis of resulting rates after complete Penetration Testing for Random Samples

Benchmark    Manual FP Rate   Manual FN Rate   Automated FP Rate   Automated FN Rate
Timestamp    6%               11%              39%                 31%
Reentrancy   15%              8%               44%                 39%

6 Conclusion and future work

The authors compared manual Penetration Testing with two Application Security Testing tools for automated synthesis of Smart Contracts that can exploit the vulnerabilities of victim nodes. To ensure the synthesis is tractable, summary-based symbolic evaluation was introduced. This reduced the number of data paths that the tools need to traverse and explore while maintaining the precision of the vulnerability queries. Building on the summary-based symbolic evaluation, manual Penetration Testing further introduced optimizations that enabled parallel exploration and other forms of cyberattacks. The authors encoded known Smart Contract vulnerabilities in the search query and evaluated the entire data set of over 25,000 Smart Contracts. The experimental results show that manual Pen Testing significantly outperformed the automated Smart Contract tools in terms of execution time, precision and soundness of the issues detected. In addition, manual Penetration Testing uncovered over 12 previously unknown instances of the Batch Overflow vulnerability.

Even though Blockchain technology for Smart Contract applications is relatively new, it holds huge promise for the future of contracts. The Blockchain attack vectors which can exploit the vulnerabilities and perform cybersecurity attacks on the

Table 7 Comparison of Pen Testing Solution with Previous/untested versions

Security Feature   Pre-Pen Test-1   Pen Test   Post-Pen Test-1   Post-Pen Test-2   Production
Tamper Proof       X                X          X                 √                 √
Authentication     X                √          √                 √                 √
Decentralized      X                X          √                 X                 √
Authorization      √                X          √                 √                 √

Blockchain networks can in turn slow down the adoption process. Most of the attack vectors at the end-user or data-integrity level can easily be avoided by creating awareness and effective Blockchain implementation among users; others, such as those at the network and application levels, can only be mitigated with professional expertise. OWASP Top 10 vulnerabilities are mapped to threats and attacks on Blockchain, which also illustrates that most cybersecurity attacks can be performed on both cloud-hosted applications and Blockchain-based Smart Contract applications.

References

1. Greenspan G (2018) Why many smart contract use cases are simply impossible. Retrieved March 10, 2020, from https://www.coindesk.com/three-smart-contract-misconceptions
2. Tsankov P (2018) Securify: practical security analysis of smart contracts. ArXiv preprint, arXiv:1806.01143v2
3. Wang F, Yuan Y, Rong C, Zhang J (2018) Parallel Blockchain: an architecture for CPSS-based smart societies. IEEE Trans Comput Soc 5(2):303–310
4. Zhang Y (2018) Smart contract-based access control for internet of things (IoT). ArXiv preprint, arXiv:1802.04410
5. Xu L, Mcardle G (2018) Internet of too many things in smart transport: the problem, the side effects and the solution. IEEE Access 6:62840–62848. https://doi.org/10.1109/ACCESS.2018.2877175
6. Li Y, Cheng X, Cao Y, Wang D, Yang Y (2018) Smart choice for the smart grid: narrowband internet of things (NB-IoT). IEEE Internet Things J 5(3):1505–1515. https://doi.org/10.1109/JIOT.2017.2781251
7. Amani S, Bégel M, Bortin M, Staples M (2018) Towards verifying Ethereum smart contract bytecode in Isabelle/HOL. Proceedings of the 7th ACM SIGPLAN international conference on certified programs and proofs (CPP), Los Angeles, 66–77
8. Wang S (2018) A preliminary research of prediction markets based on Blockchain powered smart contracts. Proceedings of the IEEE international conference on Blockchain, 1287–1293
9. Chang T, Svetinovic D (2019) Improving Bitcoin ownership identification using transaction patterns analysis. IEEE Trans Syst Man Cybern Syst 50:9–20. https://doi.org/10.1109/TSMC.2018.2867497
10. Australian Securities Exchange (2018) CHESS replacement. Retrieved February 15, 2020, from https://www.asx.com.au/services/chess-replacement.htm
11. US Securities and Exchange Commission (2018) Investor bulletin: initial coin offerings. Retrieved February 5, 2020, from https://www.sec.gov/oiea/investor-alerts-and-bulletins/ib_coinofferings
12. Zhang J (2018) Cyber-physical social systems: the state of the art and perspectives. IEEE Trans Comput Soc 5(3):829–840
13. What is a DAO? (2018) Retrieved February 17, 2020, from https://blockchainhub.net/dao-decentralized-autonomous-organization
14. Wan J, Li J, Imran M, Li M, Fazal A (2019) Blockchain-based solution for enhancing security and privacy in smart factory. IEEE Trans Ind Inf (early access). https://doi.org/10.1109/TII.2019.2894573
15. Pouttu A, Liinamaa O, Destino G (2018) 5G test network (5GTN) — environment for demonstrating 5G and IoT convergence during 2018 Korean Olympics between Finland and Korea. IEEE INFOCOM 2018 - IEEE conference on computer communications workshops (INFOCOM WKSHPS), Honolulu, HI, pp 1–2. https://doi.org/10.1109/INFCOMW.2018.8406996
16. Choo K, Gritzalis S, Park J (2018) Cryptographic solutions for industrial internet-of-things: research challenges and opportunities. IEEE Trans Ind Inf 14(8):3567–3569. https://doi.org/10.1109/TII.2018.2841049
17. Tonelli R, Lunesu M, Pinna A, Taibi D, Marchesi M (2019) Implementing a microservices system with Blockchain smart contracts. IEEE international workshop on Blockchain oriented software engineering (IWBOSE), Hangzhou. https://doi.org/10.1109/IWBOSE.2019.8666520
18. Amoordon A, Rocha H (2019) Presenting Tendermint: idiosyncrasies, weaknesses, and good practices. IEEE international workshop on Blockchain oriented software engineering (IWBOSE), Hangzhou. https://doi.org/10.1109/IWBOSE.2019.8666541
19. Yamashita K, Nomura Y, Zhou F, Pi B, Jun S (2019) Potential risks of Hyperledger Fabric smart contracts. IEEE international workshop on Blockchain oriented software engineering (IWBOSE), Hangzhou. https://doi.org/10.1109/IWBOSE.2019.8666486
20. Al-Jaroodi J, Mohamed N (2019) Industrial applications of Blockchain. IEEE 9th annual computing and communication workshop and conference (CCWC), Las Vegas. https://doi.org/10.1109/CCWC.2019.8666530
21. The Energy Web Foundation (2018) Promising Blockchain applications for energy: separating the signal from the noise. Retrieved April 2, 2020, from http://www.coinsay.com/wp-content/uploads/2018/07/Energy-Futures-Initiative-Promising-Blockchain-Applications-for-Energy.pdf
22. Mohamed N, Al-Jaroodi J (2019) Applying Blockchain in industry 4.0 applications. IEEE 9th annual computing and communication workshop and conference (CCWC), Las Vegas. https://doi.org/10.1109/CCWC.2019.8666558
23. Draper A, Familrouhani A, Cao D, Heng T, Han W (2019) Security applications and challenges in Blockchain. IEEE international conference on consumer electronics (ICCE), Las Vegas, NV. https://doi.org/10.1109/ICCE.2019.8661914
24. Mahmood S, Hasan R, Ullah A, Sarker U (2019) SMART security alert system for monitoring and controlling container transportation. 4th MEC international conference on big data and smart city (ICBDSC), Muscat. https://doi.org/10.1109/ICBDSC.2019.8645574
25. Tateishi T, Yoshihama S, Sato N, Saito S (2019) Automatic smart contract generation using controlled natural language and template. IBM J Res Dev (early access). https://doi.org/10.1147/JRD.2019.2900643
26. Wang S, Ouyang L, Yuan Y, Ni X, Han X, Wang F (2019) Blockchain-enabled smart contracts: architecture, applications, and future trends. IEEE Trans Syst Man Cybern Syst (early access). https://doi.org/10.1109/TSMC.2019.2895123
27. Hildenbrandt E (2018) KEVM: a complete formal semantics of the Ethereum virtual machine. IEEE 31st computer security foundations symposium (CSF), 204–217
28. Ozyilmaz R, Yurdakul A (2019) Designing a Blockchain-based IoT with Ethereum, Swarm, and LoRa: the software solution to create high availability with minimal security risks. IEEE Consum Electron Mag 8(2):28–34. https://doi.org/10.1109/MCE.2018.2880806
29. Knirsch F, Unterweger A, Engel D (2018) Privacy-preserving Blockchain-based electric vehicle charging with dynamic tariff decisions. Comput Sci Res Dev 33(1–2):71–79
30. Suliman A, Husain Z, Abououf M, Alblooshi M, Salah K (2019) Monetization of IoT data using smart contracts. IET Networks 8(1):32–37. https://doi.org/10.1049/iet-net.2018.5026

31. Wood G (2016) Ethereum: a secure decentralized generalized transaction ledger. Retrieved March 15, 2020, from https://ethereum.github.io/yellowpaper/paper.pdf
32. Alladi T, Chamola V, Parizi R, Choo R (2019) Blockchain applications for industry 4.0 and industrial IoT: a review. IEEE Access 7, special section on distributed computing infrastructure for cyber-physical systems. https://doi.org/10.1109/ACCESS.2019.2956748
33. Ch R, Gadekallu T, Abidi M, Al-Ahmari A (2020) Computational system to classify cyber crime offenses using machine learning. MDPI Sustainability 12. https://doi.org/10.3390/su12104087
34. Azab A, Alazab M, Aiash M (2016) Machine learning based botnet identification traffic. 2016 IEEE Trustcom/BigDataSE/ISPA, pp 1788–1794
35. Reddy GT, Sudheer K, Rajesh K, Lakshmanna K (2014) Employing data mining on highly secured private clouds for implementing a security-as-a-service framework. J Theor Appl Inf Technol 59(2):317–326
36. Qin R, Yuan Y, Wang Y (2018) Research on the selection strategies of Blockchain mining pools. IEEE Trans Comput Soc 5(3):748–757
37. Gatteschi V, Lamberti F, Demartini C, Pranteda C, Santamaria V (2018) Blockchain and smart contracts for insurance: is the technology mature enough? IEEE Future Internet 10(2):20–26
38. Lin C, Wang Z, Deng J, Wang L, Ren J, Wu G (2018) mTS: temporal- and spatial-collaborative charging for wireless rechargeable sensor networks with multiple vehicles. IEEE INFOCOM 2018 - IEEE conference on computer communications, Honolulu, HI, pp 99–107. https://doi.org/10.1109/INFOCOM.2018.8486402
39. Struye J, Braem B, Latré S, Marquez-Barja J (2018) The CityLab testbed — large-scale multi-technology wireless experimentation in a city environment: neural network-based interference prediction in a smart city. IEEE INFOCOM 2018 - IEEE conference on computer communications workshops (INFOCOM WKSHPS), Honolulu, pp 529–534. https://doi.org/10.1109/INFCOMW.2018.8407018
40. Shah B, Chen Z, Yin F, Khan I, Ahmad N (2018) Energy and interoperable aware routing for throughput optimization in clustered IoT-wireless sensor networks. Futur Gener Comput Syst 81:372–381
41. Shah B, Zhe C, Yin F, Khan I, Begum S, Faheem M, Khan F (2018) 3D weighted centroid algorithm & RSSI ranging model strategy for node localization in WSN based on smart devices. Sustain Cities Soc 39:298–308
42. Numan M, Subhan F, Khan WZ, Hakak S, Haider S, Reddy G, Alazab M (2020) A systematic review on clone node detection in static wireless sensor networks. IEEE Access 8:65450–65461
43. Bhattacharya S, Kaluri R, Singh S, Alazab M, Tariq U (2020) A novel PCA-firefly based XGBoost classification model for intrusion detection in networks using GPU. Electronics 9(2):219

Akashdeep Bhardwaj is currently working in the School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India. He completed his Bachelor of Engineering in Computer Science at Pune University, Pune, India, a Post Graduate Diploma in Management at AIMA-CME, New Delhi, India, and a Ph.D. (Computer Science) at the University of Petroleum and Energy Studies, Dehradun. His areas of research are Cyber Security, Digital Forensics, Cloud Security, Information Security, IT Management and IT Infrastructure. Mailing Address: School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India. Pin Code: 248001. E-Mail id: bhrdwh@yahoo.com

Syed Bilal Hussain Shah is currently a Postdoctoral Researcher with the School of Software, Dalian University of Technology, China. He authored/coauthored more than 25 research articles in reputable journals and conferences, such as Peer-to-Peer Networking and Applications, Future Generation Computer Systems, and Sustainable Cities and Society. Furthermore, he published articles in ACM, IEEE, and Springer conferences. His main research interests include wireless sensor networks, the IoT, throughput optimization in WSN, node localization, energy efficient routing in smart wireless sensor networks, distributed and centralized clustering in WSN, IoT-based cognitive radio, opportunistic networks, and Industry 4.0 technology. He presented his article in a conference at Cambridge, U.K., in July 2017. Mailing Address: School of Software, Dalian University of Technology, China - 116,000. E-Mail id: bilalshah@dlut.edu.cn

Publisher's note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Achyut Shankar, Amity School of Engineering and Technology, is currently working as an Assistant Professor in Amity University, India. He completed his Ph.D. at Vellore Institute of Technology, India. His areas of research are Computer Networks, Security and Blockchain. Mailing Address: Department of Computer Science, Amity University, Noida, Uttar Pradesh, India. Pin Code: 201313. E-mail: ashankar2711@gmail.com

Manoj Kumar is currently working in the School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India. He completed his Bachelor of Technology in Computer Science Engineering at Kurukshetra University, Master of Technology in Computer Science Engineering at ITM University, India, M.Sc. (Information Security & Digital Forensics) at ITB, Ireland, and Ph.D. (Computer Science)(DIF) at The Northcap University, India. His areas of specialization are Digital Image Forensics, Image Processing, Information Security, Machine Learning and Artificial Intelligence. Mailing Address: School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India. Pin Code: 248001. E-Mail: wss.manojkumar@gmail.com.

Mamoun Alazab (Senior Member, IEEE) received the Ph.D. degree in computer science from the School of Science, Information Technology and Engineering, Federation University of Australia. He is currently an Associate Professor with the College of Engineering, IT, and Environment, Charles Darwin University, Australia. He is also a Cyber Security Researcher and Practitioner with industry and academic experience. His research is multidisciplinary and focuses on cyber security and digital forensics of computer systems, with a focus on cybercrime detection and prevention. He has more than 150 research articles in many international journals and conferences, and he has delivered many invited and keynote speeches, at 24 events in 2019 alone. He convened and chaired more than 50 conferences and workshops. He also works closely with government and industry on many projects, including the Northern Territory (NT) Department of Information and Corporate Services, IBM, Trend Micro, the Australian Federal Police (AFP), the Australian Communications and Media Authority (ACMA), Westpac, and the United Nations Office on Drugs and Crime (UNODC). He is also the Founding Chair of the IEEE NT Subsection. Mailing Address: College of Engineering, IT and Environment, Charles Darwin University, NT 0909, Australia. E-Mail: alazab.m@ieee.org.

G Thippa Reddy is currently working as Assistant Professor (Senior) in the School of Information Technology and Engineering, VIT, Vellore, Tamil Nadu, India. He obtained his Bachelor of Technology degree in Computer Science and Engineering from Nagarjuna University, Andhra Pradesh, India, his Master of Engineering in Computer Science and Engineering from Anna University, Chennai, Tamil Nadu, India, and completed his Ph.D. at Vellore Institute of Technology, Vellore, Tamil Nadu, India. He has 14 years of experience in teaching. He has produced more than 25 international/national publications. Currently, his research interests include Machine Learning, Deep Learning, Computer Vision, Big Data Analytics and Blockchain. Mailing Address: SITE, VIT University, Vellore, Tamil Nadu, India - 632,014. E-Mail id: thippareddy.g@vit.ac.in.

Affiliations

1 School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India
2 School of Software, Dalian University of Technology China, Dalian, China
3 Department of Computer Science, Amity University, Noida, Uttar Pradesh, India
4 College of Engineering, IT and Environment, Charles Darwin University, Brinkin, NT 0909, Australia
5 School of Information Technology and Engineering, Vellore Institute of Technology, Vellore, India