Analysing security risks in the architecture of blockchain-based systems and smart contracts

Ahmadjee, Sabreen ORCID: 0000-0003-4553-4770 (2023). Analysing security risks in the architecture of blockchain-based systems and smart contracts. University of Birmingham. Ph.D.

Ahmadjee2023PhD.pdf
Text - Accepted Version
Available under License All rights reserved.


Abstract

Blockchain is a revolutionary technology that aims to provide secure, decentralised distributed systems where users can share, store and verify transactional data without the need for a central authority to perform authentication or verification. However, the widespread use of this technology, especially after the emergence of smart contracts, the blockchain-based computer programs, has incentivised attackers to exploit its existing security challenges. Moreover, the distinguishing properties and internal complex structure of the technology increase the chance of making poorly informed architectural design decisions, which might introduce security weaknesses to the systems supported by blockchain. Malicious attacks with severe consequences result from weak designs in blockchain systems and smart contracts. For instance, in recent years, the decentralised finance (DeFi) sector experienced a series of high-profile attacks resulting in multi-million-dollar losses. These concerns advocate the need for architecture-centric approaches to abstract the complexity of the blockchain components, address architectural-level security risks specific to smart contracts and blockchain-based systems, and make the development of such systems secure, easier, and more organised.

Within this context, we propose architectural-centric analysis approaches for security risk assessment that allow security to be incorporated into blockchain-based systems from the ground up. We present a classification of the state-of-the-art that provides secure architectural design approaches and supports blockchain security risk assessment methods. We also provide a taxonomy of blockchain architecture design decisions and map these decisions to related security attacks and threats. Additionally, we explore the use of the security technical debt metaphor to identify smart contracts’ security issues related to sub-optimal design decisions and to estimate the accumulation of the security risk ramifications. By leveraging security debt, we contribute to a technical debt-aware approach to design secure smart contracts, and we provide a decision support model to select a secure and cost-effective blockchain oracle platform.

As part of the demonstration and evaluation, we use three case studies that represent blockchain-based systems and decentralised applications; we leverage a dataset of representative vulnerable smart contracts; and we distribute a survey and conduct interviews with smart contract experts to assess and refine our approaches. The significance of this work is that it uses architecture-centric approaches that provide a systematic guide for blockchain systems and smart contract software engineers to make justifiable design decisions that result in more secure implementations and reduced security complications.

Type of Work: Thesis (Doctorates > Ph.D.)
Award Type: Doctorates > Ph.D.
Supervisor(s): Bahsoon, Rami (Email: UNSPECIFIED; ORCID: UNSPECIFIED)
Licence: All rights reserved
College/Faculty: Colleges (2008 onwards) > College of Engineering & Physical Sciences
School or Department: School of Computer Science
Funders: Other
Other Funders: Umm Al-Qura University, Makkah, Saudi Arabia
Subjects: Q Science > Q Science (General)
T Technology > T Technology (General)
T Technology > TA Engineering (General). Civil engineering (General)
URI: http://etheses.bham.ac.uk/id/eprint/14352
