DOI: 10.1145/3589335.3651573
short-paper
Open Access

Towards Understanding Crypto-Asset Risks on Ethereum Caused by Key Leakage on the Internet

Published: 13 May 2024

ABSTRACT

In public blockchains, leaking secret keys can cause the permanent loss of crypto assets. It is imperative to understand the illicit activities on blockchains related to leaked keys. This paper presents the first measurement study that uncovers, quantifies, and characterizes the actual misuses of the leaked keys from top websites on the Internet to withdraw assets on Ethereum. By finding key-leaking web pages and joining them with transactions, the study reveals 7.29*10^6/0.59*10^6 USD worth of assets on Ethereum mainnet/Binance Smart Chain (BSC) are withdrawn from 1421/1514 leaked secret keys. Mitigations are proposed to avoid the financial loss caused by leaked keys.

Supplemental Material

shp7786.mp4: supplemental video (mp4, 56 MB)


Published in

WWW '24: Companion Proceedings of the ACM on Web Conference 2024
May 2024
1928 pages
ISBN: 9798400701726
DOI: 10.1145/3589335

Copyright © 2024 Owner/Author

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: short-paper

Overall Acceptance Rate: 1,899 of 8,196 submissions, 23%