<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>Distributed Ledger Technology Workshop, June</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Evaluating Blockchain Systems: A Comprehensive Study of Security and Dependability Attributes</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Stefano De Angelis</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Gilberto Zanfino</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Leonardo Aniello</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Federico Lombardi</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Vladimiro Sassone</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Conio Inc.</institution>
          ,
          <addr-line>San Francisco, California</addr-line>
          ,
          <country country="US">U.S.A</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>University of Southampton</institution>
          ,
          <addr-line>University Rd, Southampton SO171BJ</addr-line>
          ,
          <country country="UK">UK</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2022</year>
      </pub-date>
      <volume>20</volume>
      <issue>2022</issue>
      <fpage>0000</fpage>
      <lpage>0002</lpage>
      <abstract>
        <p>Blockchain is the enabling technology behind decentralised, fully peer-to-peer, systems. It distributes trust across a network of autonomous entities without the need for centralised trusted authority. It is therefore easier for an attacker to add malicious nodes that remain undetected. The absence of trust results in a more vulnerable system, where adversaries may come both from the inside and outside. In this context, security guarantees become crucial to ensure blockchains' reliability and trust. In this work, we propose a comprehensive evaluation of security attributes for blockchains. We refer to the well-established concepts of security and dependability, broadly used in distributed systems, to identify the most relevant properties for blockchains. Thus, we use such properties to evaluate five of the most prominent, platforms, such as three permissionless blockchains -Bitcoin, Ethereum 2.0, and Algorand- and two permissioned blockchains -Ethereum-private and Hyperledger Fabric. We assess security over three dimensions, i.e. the consensus, infrastructure, and smart contracts.</p>
      </abstract>
      <kwd-group>
        <kwd>eol&gt;Blockchain</kwd>
        <kwd>Security and Dependability</kwd>
        <kwd>Consensus</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        Blockchain replaces traditional centralised infrastructures through a distributed network of
entities that collectively fulfill operations without the need of trusting each other. The
advantages of decentralisation are threefold: no single point of failure, distributed trust, and a
system harder to compromise [
        <xref ref-type="bibr" rid="ref40">40</xref>
        ]. However, correctness and reliability are traded for complex
distributed computing procedures. The increased complexity and lack of trust lead to a more
vulnerable system due to a wider attack surface. For instance, in 2021 about US$ 1.3B got stolen
in decentralised finance applications [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] by exploiting code issues related to smart contracts
programs deployed and executed on the blockchain.
      </p>
      <p>
        Security is nowadays a paramount need for blockchains. In traditional distributed systems,
security is often paired with dependability. Those properties include a set of attributes that
identify the reliability, availability, confidentiality, and integrity of a system during its execution
[
        <xref ref-type="bibr" rid="ref6 ref7">6, 7</xref>
        ]. In a blockchain context, where several parties exchange value via peer-to-peer
transactions, it is crucial ensuring that the system remains secure and dependable thus avoiding
problems like double-spending. However, blockchain systems entail several infrastructures
and architectural choices such as the use of either a permissionless or permissioned network,
the consensus protocol, and the use of smart-contracts for applications. As a result, assessing
the security of each component might be a challenging task. In literature, some efort has
been devoted to studying security in consensus protocols employed for blockchain systems
[
        <xref ref-type="bibr" rid="ref11 ref38 ref41">11, 38, 41</xref>
        ]. However, a fair comparison is elusive due to several contrasting assumptions.
Moreover, some works attempted to provide security evaluation of blockchains applications by
assessing exploited vulnerabilities of smart contracts [
        <xref ref-type="bibr" rid="ref28 ref37 ref5">28, 5, 37</xref>
        ], however, most of these studies
mainly focus on the Ethereum platform [
        <xref ref-type="bibr" rid="ref43">43</xref>
        ].
      </p>
      <p>
        In this paper, we propose a comprehensive evaluation of blockchains’ security aspects. We
provide a refined definition of security and dependability referencing the traditional properties
of safety and liveness and the CIA Triad - confidentiality , integrity, and availability. Thus
we introduce two new properties, namely profiling and fairness. The former determines the
ability of a blockchain to authenticate participants and define access control rules. The latter
models the willingness of a system to be accessible by any participant and to process operations
democratically. We evaluate those properties with respect to three dimensions, namely consensus,
infrastructure and smart contracts. We consider five most prominent blockchain platforms,
namely Bitcoin [
        <xref ref-type="bibr" rid="ref32">32</xref>
        ], Ethereum 2.0 [
        <xref ref-type="bibr" rid="ref20">20</xref>
        ], Algorand [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ] Hyperledger Fabric [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] and a private
instance of Ethereum, called Ethereum private [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ]. Firstly, we study the architectural models of
these platforms. Then, we focus on the underlying consensus protocols, i.e. the mechanism
used by the network to democratically agree on the order operations. The proposed analysis
distinguishes three types of attack vectors targeting assets, i.e. ‘computing’ in PoW and ‘stake’
in PoS, or network nodes, i.e. the maximum number of subverted nodes that PoA and PBFT
can tolerate. Finally, we drift the analysis to the application layer built on top of the
smartcontracts capabilities of blockchains. We provide a detailed description of well-known code
issues afecting smart contracts and thus evaluate how each issue impacts security.
      </p>
      <p>The rest of this paper is divided as follows. Section 2 introduces the blockchain platforms we
consider in our study and Section 3 describes their underlying consensus protocols, whereas
Section 4 presents a collection of smart contract code issues. Then, Section 5 defines the refined
security and dependability properties and the security analysis of those properties at consensus,
platform, and smart contract layers. Finally, Section 6 sums up the results.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Blockchain Platforms</title>
      <p>In this section, we describe the blockchain platforms considered in our analysis, namely Bitcoin,
Ethereum, Algorand, Ethereum-private and Hyperledger Fabric. We briefly introduce the
architectures, yet an overview of their performance and security.</p>
      <p>
        Bitcoin. Bitcoin [
        <xref ref-type="bibr" rid="ref32">32</xref>
        ] is the first, open-source, permissionless blockchain born for electronic
machine-to-machine payment without need of any central authority. Bitcoin transactions are
processed in a fully decentralised manner and their ordering is guaranteed by an underlying
lottery-based (i.e. probabilistic) consensus mechanism, i.e., the PoW. Such a solution allows
a consistent, immutable, and therefore trustworthy, public ledger of transactions ever made.
However, in the lottery-based consensus model, valid blocks can get mined at the same time;
this makes it possible to fork the blockchain in multiple valid branches. To compromise a block
an attacker must control 51% of the computational power of the miners. Compromising more
than 6 blocks is considered computationally infeasible, therefore a block is considered final after
≈ 6 blocks. To avoid double spending and/or avoid spending tokens not owned, Bitcoin uses
the UTXO model, i.e., each transaction is composed of a list of unspent transactions indicating
the balance of accounts. Besides, the sender of a transaction is charged a mining fee whose
amount depends on the size of the transaction, i.e., the number of UTXO addresses used. To
ensure strong (eventual) integrity Bitcoin sacrifices performance, indeed the throughput is only
about 5 txn/s with a block confirmation period of about 10 minutes.
      </p>
      <p>
        Ethereum. Ethereum [
        <xref ref-type="bibr" rid="ref43">43</xref>
        ] is the second main open-source blockchain project. The underlying
idea is to make the blockchain programmable through smart contracts, i.e., immutable pieces of
code deployed and executed autonomously on the so-called Ethereum Virtual Machine (EVM).
Smart contracts are developed in Solidity [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ], a Turing-complete programming language.
The first version of Ethereum is based on the PoW consensus, like Bitcoin, but with a shorter
confirmation time (about 14 seconds) which increases the throughput to about 30 txn/sec.
This makes Ethereum more prone to forks than Bitcoin which are similarly solved with a
longest-chain rule. The PoW makes Ethereum vulnerable to 51% attacks, like Bitcoin, therefore
a block is considered final after 6 blocks. Ethereum does not employ a UTXO model to manage
transactions, but an account-based model, i.e., each account has its balance stored within the
state of the ledger. Each transaction is charged according to (i) gas price: the amount of ETH
(the Ethereum’s cryptocurrency) to be paid for each computational step; (ii) gas limit: a scalar
value representing the total amount of gas that can be consumed by the transactions in a block.
      </p>
      <p>Ethereum 2.0. It is the most important update of the Ethereum protocol to cope with
scalability and performance issues. Among others, it proposes two major improvements, such
as the shift from PoW to a new PoS implementation called Casper Proof of Stake, and the
implementation of Shard Chains. The upgrade to PoS evolves Ethereum to a more
energyeficient platform, while Shard Chains may drastically improve scalability by changing the way
the blockchain is replicated across the nodes of the network. Sharding allows parallel execution,
enabling the achievement of better throughputs. However, it comes at a security cost since each
shard is not managed by the entire network and hence is more vulnerable.</p>
      <p>
        Ethereum Private Networks. Many implementations of the Ethereum protocol can run
private networks. We refer them to as Ethereum-private. Two of the most common Ethereum
clients are Geth [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ], the Ethereum implementation in Golang language, and Parity [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], a
Rustbased implementation. Both allow the creation of a private instance, in which transactions are
visible only to a subset of network participants. Ethereum clients running private networks
enable the integration of pluggable lightweight consensus algorithms. These types of chains
are mainly used for business-to-business private enterprise settings which require higher
performance (hundreds of txn/sec) and privacy guarantees. The security of Ethereum-private
does not depend on computational power, but on the number of nodes, the attacker can control.
The attacker needs to control at least 1/3 of nodes, but a wrong consensus implementation may
drastically increase the probability of attack success.
      </p>
      <p>
        Algorand. Algorand [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] is a novel permissionless blockchain platform that aims at solving
the so-called blockchain trilemma, namely, scalability, decentralisation, and security. Algorand
embeds a distributed computation engine, i.e., Algorand Virtual Machine (AVM), that runs on
every node of the network and executes smart contracts, similarly to Ethereum. Algorand’s
smart contracts are self-verifiable pieces of code that run on the blockchain and automatically
approve or reject transactions according to a certain logic. The AVM interprets smart contracts
written in an assembler-like language called Transaction Execution Approval Language
(TEAL). The transaction model is similar to Ethereum, namely is account-based. Algorand’s core
innovation is its new consensus protocol, PPoS, which can reach agreement in large networks
without giving up neither scalability nor security. Algorand blockchain is designed not to fork
ever, transactions are considered final as soon as executed and included in a block. This makes
Algorand much faster than Ethereum with a block time of about 4.5 sec and throughput of
about 1000 txn/s. Compromising Algorand requires an attacker to control 1/3 of the stake.
Hyperledger Fabric. Hyperledger Fabric [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] is a permissioned blockchain platform featured by
a modular architecture. The distinguishing characteristic of Fabric is that it splits the transactions
ordering, i.e. the consensus process, from transactions execution, i.e. the operations on users’
assets. The assets within the ledger state are represented as a collection of key-value pairs, and
through smart contracts (called chain-codes in Fabric’s jargon), it is possible to combine their
values to carry out complex functions according to users’ needs, e.g. to perform an auction.
Being permissioned, Fabric ofers an authentication layer that identifies the system entities by
issuing X.509 digital certificates. Additionally, the authentication process enforces authorisation
policies on the operations. Fabric introduces the concept of channels to represent restricted
consortium networks. Transactions within a channel remain private and shared only across
channel participants, enabling data isolation and confidentiality. As the operating environment
is more trusted than a permissionless setting, it allows employing a lighter consensus, which
results in better performances despite restricted security assumptions.
      </p>
    </sec>
    <sec id="sec-3">
      <title>3. Blockchain Consensus Protocols</title>
      <p>In this section, we describe the consensus underlying the blockchain platforms mentioned in
the previous section, namely PoW, CPoS, PPoS, PoA and PBFT.</p>
      <p>
        Proof-of-Work. The PoW is a lottery-based consensus schema consisting of
computationallyintensive hashing tasks executed by some distinctive network nodes, called miners. Specifically,
miners create a block by retrieving transactions from a local pool and rush looking for a random
number that, if concatenated with the transactions included in a block, makes the hash of the
block lower than a target number. Such target number is adjusted over time according to a
desired dificulty . The dificulty is chosen to keep constant the block period, i.e., the average
time required by miners to solve the puzzle. The more the global computational power of the
network, the higher the dificulty, thus the lower is the target number. After solving the PoW,
the miner can broadcast the corresponding block to the network for being accepted by other
nodes. If accepted, all the correct nodes consider it as the latest block in the chain and start
mining new blocks on top of it. Due to the probabilistic nature of the PoW, forks may happen. It
is the responsibility of the platform implementing the PoW to find a strategy to cope with forks.
The standard approach used by Bitcoin and Ethereum, as mentioned in the previous section,
is the longest-chain rule. Transactions may include a mining fee to incentive miners to pick
that from the pool. Thus, transactions with zero or low mining fees may never be included in a
block generating starvation [
        <xref ref-type="bibr" rid="ref32 ref34">34, 32</xref>
        ]. The verification and subsequent acceptance procedures
happening in PoW make a block persistent unless an attacker controls the majority of the
miners’ hash power (the aforementioned 51% attack), which enables it to create a chain fork
with modified transactions. However, being based on computational power rather than several
nodes, it is not vulnerable to sibling attacks. Although provides strong integrity properties,
besides energy ineficiency, PoW has performance limitation due to the intensive hashing tasks.
Casper Proof-of-Stake. The Proof-of-Stake (PoS) works by deterministically selecting a set of
validators according to their cryptocurrency holdings, i.e. their stake. Any node committing a
stake can become a validator by locking up their stake amount into a deposit. The validators
propose and vote on the next block, and the weight of each validator’s vote depends on the
deposit amount. In Ethereum’s PoS implementation, called Casper (CPoS) [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ], each validator’s
turn is determined by one of the following techniques: Chain-based PoS: the algorithm
pseudorandomly selects a validator during each time slot to propose a block; BFT-style PoS: a multi-round
process, in which each validator sends its vote for a specific block. At the end of the process, all
(honest and online) validators permanently agree on whether or not any given block is part of
the chain. Conversely to PoW, the CPoS protocol causes no waste of energy since it does not
requires computational tasks to be solved, therefore, performance can be much better. However,
if a validator does not follow the consensus rules, PoS applies penalties. Attacking a PoS requires
an attacker to control the majority of committed staking, making it not vulnerable to sibling
attacks. However, it is crucial not to make predictable the leader, otherwise, the attacker just
needs to compromise a much smaller set of nodes that may be elected as a leader; in this case,
the security drops from the ideal majority of committed staking to compromised nodes.
Pure Proof-of-Stake. The PPoS [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ] is the underlying consensus of Algorand. It leverages
VRF (Verifiable Random Functions) [
        <xref ref-type="bibr" rid="ref30">30</xref>
        ] to significantly decrease the high volume of exchanged
messages occurring in traditional voting-based and lottery-based consensus. Specifically, PPoS
works as follows: it proceeds in rounds, and for each round there are three phases: block proposal,
soft vote, and certify vote. When a round starts, users use the VRF to select themselves as leader
and committee members. In the block proposal phase, the leader selected by the VRF propagates
a new block along with the VRF output, which proves that the account is a valid proposer. Then
in the soft vote, a selected committee of users cast a vote on the block proposals. This phase
reduces the number of proposals down to one, guaranteeing that only one block gets certified in
a round. When a quorum of votes from the committee members is reached starts the certify vote.
In this last phase, a new committee checks the validity of the block at the soft vote stage. Thus a
new vote begins to certify the block. When a quorum is reached, the block is committed and the
round terminates. Each phase is characterized by a timeout to ensure safety when partitions
occur. PPoS can achieve higher throughput and lower block time than traditional PoS due to a
reduced message exchange. Furthermore, the VRF makes the leader unpredictable, dismissing
the possibility of having fixed validators such as in traditional PoS.
      </p>
      <p>
        Practical Byzantine Fault Tolerance. The PBFT consensus protocol [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] is characterised by a
single-leader and view-change approach. The algorithm proceeds in views, for each view there
exists a leader and a set of replicas. Each view executes a three-phase commit protocol where
replicas exchange messages to reach the total order of transactions. In case of misbehaving
leaders, all the correct replicas run a view change operation which starts a new view and elects
a new leader. In an eventually-synchronous network, where messages are delayed and network
partitions may happen, the PBFT consensus protocol guarantees strong consistency provided
that  &lt; / 3, with  malicious nodes and  replicas. PBFT has been proven to be optimal
with  ≥ 3 + 1 nodes [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. PBFT is vulnerable to sibling attacks though since it cannot
distinguish if an attacker is falsely impersonating multiple nodes.
      </p>
      <p>
        Proof-of-Authority. The PoA has been proposed as part of the Ethereum consortium for private
networks and implemented with two protocols called AuRa and Clique [
        <xref ref-type="bibr" rid="ref35 ref39">35, 39</xref>
        ]. PoA relies on a
set of trusted authorities running the consensus. Consensus in PoA relies on a leader rotation
schema, which distributes the responsibility of block creation among the authorities [
        <xref ref-type="bibr" rid="ref22 ref9">9, 22</xref>
        ].
Time is divided into steps. In each step, an authority is elected as the proposer. The way
authorities are elected difers in the two consensus protocols. AuRa proposes a deterministic
function based on UNIX times, which requires strong synchronisation assumptions. Conversely,
Clique computes leaders according to the number of the next block on the blockchain. The
PoA is a hybrid consensus protocol between the lottery-based and voting-based approaches.
PoA protocols guarantee eventual consensus on transactions. Indeed, the lightweight leader
election may lead to forks that eventually get resolved. Consequently, PoA cannot achieve
instant finality but this is delayed in time. According to the concept of the longest chain, a block
in PoA is considered final when a majority of further blocks have been proposed, under the
assumption that blocks are proposed at a constant rate [
        <xref ref-type="bibr" rid="ref35">35</xref>
        ]. These algorithms are vulnerable to
sibling attacks, and thus cannot be used in permissionless settings.
      </p>
    </sec>
    <sec id="sec-4">
      <title>4. Smart Contracts Issues</title>
      <p>Beyond secure-by-design due to consensus algorithms, a prominent security role is played by
smart contracts. In this section, we evaluate potential issues that afect the smart
contractenabled platforms, such as Ethereum, Algornad, and Hyperledger Fabric, thus we consider
possible preventions/mitigation methods.</p>
      <p>
        ( 1) Reentrancy. This vulnerability occurs when a caller contract invokes a function of an
external callee contract. Specifically, a malicious actor can call back from the callee contract
funds withdraw function of the caller contract, i.e., reentrancy, before the execution of the
caller triggering an infinite loop of calls. This allows the attacker to bypass the validity checks
of the caller and iterate infinitely. Ethereum is vulnerable to reentrancy and its exploitation
may lead to indefinite withdrawal calls. Two reasons cause this vulnerability [
        <xref ref-type="bibr" rid="ref36">36</xref>
        ]: (i) validity
checks are handled by state variables that are not updated until other transactions terminate,
(ii) no gas limit is required when handling interactions between external smart contracts.
Prevention methods consists in (i) update the state variables before calling external contracts;
(ii) introduce a mutex lock [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ] in the contract state so that only the owner can update such
state. Similarly, Hyperledger Fabric sufers reentrancy since chaincodes-to-chaincodes are
allowed with no limitations inter-channel. Fabric mitigates such issues through a timeout,
however, it is important to note that reentrancy has a limited impact on private settings since no
cryptocurrencies are involved. Conversely, Algorand does not sufer reentrancy since
contractto-contract calls are allowed one way only, thus if smart contract A calls a smart contract B, the
latter cannot call back A.
      </p>
      <p>
        ( 2) Integer overflow and underflow. This vulnerability occurs when a function computes an
arithmetic operation that falls outside a specific datatype. A prominent role is played by the
programming language. Furthermore, some protections there exist both natively or through
an external library. Ethereum does not provide native prevention for smart contracts, but
some recommendation has been defined, such as (i) using SafeMath library [
        <xref ref-type="bibr" rid="ref33">33</xref>
        ] to check on
underflow/overflow, (ii) using Mythril library [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ] to check the security of EVM bytecode before
its execution. Algorand does not need any prevention library as TEAL natively copes with
under/overflow issues. Hyperledger Fabric, being based on golang makes us of the native
under/overflow management or common libraries such as overflow .
      </p>
      <p>
        ( 3) Frozen Token. This vulnerability causes users’ funds deposited in the contract account to
be locked and impossible to withdraw back, efectively freezing them into the contract. Both
Ethereum and Algorand are vulnerable to such an issue. The causes of this vulnerability are
twofold: (i) the deposit contract account does not provide any function to spend funds using a
function from an external contract as a library, (ii) the callee contract function (selfdestruct
for Ethereum, ClearState for Algorand) is executed without checks. Prevention method
[
        <xref ref-type="bibr" rid="ref14 ref37">14, 37</xref>
        ]: a deposit contract shall assure that the mission-critical functions or money-spending
functions are not outsourced to external contracts. Hyperledger Fabric is not vulnerable since
no cryptocurrencies are involved.
      </p>
      <p>( 4) DoS with unexpected revert. This issue occurs if the execution of a transaction is reverted
due to a thrown error or a malicious callee contract that deliberately interrupts the execution.
Ethereum, Algorand and Hyperledger Fabric are vulnerable. For Ethereum, a best practice
to mitigate the issue regards the transaction sender to provide to the callee a certain amount
as a reward for the execution of a transaction so that the callee is not incentivized to revert.
Algorand does not have mitigation in place since no reward fees are available. Fabric, similarly,
does not have solutions to avoid it, due to the absence of cryptocurrencies.</p>
      <p>( 5) DoS with GasLimit. This vulnerability causes transactions to be aborted due to exceeding
the gas limit. This afects only Ethereum due to the presence of gas. To mitigate this issue the
contracts should not execute loops on accounts accessible data structures. Loops should be
controlled, such that the execution always terminates, even when transactions are aborted.</p>
      <p>
        ( 6) Insuficient signature information. This vulnerability causes a digital signature to be valid
for multiple transactions. This happens when a sender uses a proxy contract [
        <xref ref-type="bibr" rid="ref14 ref37">14, 37</xref>
        ] as a deposit
for one or more authorised receivers. An authorised receiver owns a digitally signed message
delivered of-chain from the sender. The receiver withdraws funds from the proxy, which must
verify the validity of the digital signature. If the signature is malformed (missing nonces, or
proxy contract address), a malicious receiver can reuse the signature to reply to the withdrawal
transaction and drain the proxy balance. Prevention method: The contract shall check the
address and the nonce within digitally signed messages. Both Ethereum and Algorand are
vulnerable to this issue, while Hyperledger Fabric is not since it authenticates network nodes.
      </p>
      <p>( 7) Generating randomness. This vulnerability concerns smart contracts using pseudorandom
number generators (PRNG) to create random numbers for application-specific use cases.
Specifically, this vulnerability afects methods using random numbers created by a PRNG, in which the
base seed of the generator is a parameter controlled by miners, e.g. Solidity’s block.number,
block.difficulty. A malicious miner can manipulate the PRNG to generate an output that
is advantageous for itself. Ethereum, Algorand and Hyperledger Fabric are all afected by this
issue. For mitigation, mining variables should not be used in control-flow decisions. Therefore,
of-chain approaches to PRNG should be used, such as the use of oracles.</p>
      <p>
        ( 8) Block Timestamp manipulation. This vulnerability afects smart contracts that use
timestamp parameter in the control-flow ( e.g. for periodic payments) or as source of
randomness [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. As miners can control this parameter, they could adjust that value to change the
logic of functions, and thus take profit. Ethereum is vulnerable to such issues and a prevention
method consists in avoiding the parameter in any control-flow decision logic. Algorand is not
vulnerable since it employs a maximum timestamp ofset of 20 seconds between two blocks.
Similarly, Hyperledger Fabric has no constant block time.
      </p>
      <p>
        ( 9) Transaction ordering dependence. This vulnerability is caused by a malicious manipulation
of the transaction priority mechanism used in Ethereum. Gas is usually used to prioritise the
execution of certain transactions over others [
        <xref ref-type="bibr" rid="ref43">43</xref>
        ]. However, malicious miners can alter this
procedure and always prioritise their transactions regardless of the gas price, hence manipulating
the global state of the blockchain in its favor [
        <xref ref-type="bibr" rid="ref37">37</xref>
        ]. Mitigation method: hide the gas price from
transactions using cryptographic committees or guard conditions [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. Algorand and Hyperldger
Fabric are not afected by this issue since they do not use gas.
      </p>
      <p>
        ( 10) Under-priced opcodes. This vulnerability is caused by under-priced opcodes that can be
executed at low cost and that consume a large number of resources. Misuse of the opcodes,
or a malicious actor, might trigger several invocations of these opcodes wasting the majority
of resources. This vulnerability regards Ethereum and it is caused by misconfigured gas price
parameters [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. The Ethereum protocol has been upgraded to limit opcodes under-pricing.
Algorand is not afected since the cost is set 1 to all opcodes with a limit of 700 per application.
Hyperledger is not afected due to the nature of private blockchains’ costless computation.
      </p>
      <p>
        ( 11) Token lost to orphan address. This vulnerability is caused by a lack of validation checks
on payment transactions. Ethereum only checks the recipient’s address format but not if such
an address is valid nor if it exists. If a user sends money to non-existing addresses, Ethereum
automatically creates a new orphan address [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. An orphan address is neither an EOA nor a
contract address, hence the user can’t move the money which is indeed lost. Algorand has the
very same issue, with a small client-side check of existence as mitigation implemented in all
the oficial clients and SDKs. The only efective prevention method at the time of writing is to
manually assure the correctness of the recipient’s address [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. Hyperledger nodes are instead
authenticated, thus it is not afected.
      </p>
      <p>
        ( 12) Short address. This vulnerability afects only Ethereum and it is caused by the EVM
missing validation check on addresses. Recall that inputs are expressed as an ordered set of bytes,
in which the first four bytes identify the callee’s function, then other inputs are concatenated
in chunks of 32 bytes. In case of arguments with fewer bytes, EVM auto-pads with zeros to
generate the 32 bytes chunk. An attacker could manipulate this process to execute malicious
actions. For instance, if we consider the transfer(address addr, uint tokens) function
and a bad formatted addr with one missing byte, the auto-pad adds extra zeros at the end
of addr, and consequently increases the number of tokens to transfer [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. To prevent that,
write functions that validate the length of the transaction’s inputs. Algorand has prevention by
design, it does not add extra zeros as padding and the transaction fails in case of a short address.
Hyperledger Fabric, as above, is not afected due to the authentication of nodes.
      </p>
      <p>
        ( 13) Erroneous visibility. This vulnerability takes advantage of Ethereum’s public nature.
Transactions (including data, balances and contract codes) are visible to any user. However,
Solidity provides four types of visibility to restrict the access to a contract’s functions, namely
public open to everyone, external only externally from the contract, internal only
internally (the contract and its related contracts) , and private only within the contract. By
default, Solidity assigns the type public to functions, hence in case of erroneous visibility
configuration, an attacker might be able to call the function from the external [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. To avoid
this, with Solidity 0.5.0 and above, it is mandatory to specify the function visibility. Algorand
conversely has all functions public only. Hyperledger can hide data in several methods such as
Trusted Execution Environment with Intel SGX, channels [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ].
      </p>
      <p>( 14) Unprotected suicide. In Ethereum, Solidity contracts can be killed or deleted using the
suicide or self-destruct methods. Usually, only the contract’s owner, or authorised external
users, can invoke these functions. However, there might be cases in which the owner is not
verified by the functions, or the owner itself is malicious, in that case, an attacker can invoke one
of these methods and kill the contract. The very same situation happens with Algorand through
the ClearState function. Prevention method: enhance security checks with, permissions
mechanisms, to assure that the suicide/self-destruct and ClearState calls are approved
by diferent parties. Hyperledger Fabric is not afected.</p>
      <p>( 15) Unrequested Token. In Ethereum ERC-20 tokens can be sent to an arbitrary address.
This is used as a common phishing technique where a malicious actor creates an ERC-20 token
and sends some amount to random addresses. The token is designed with a sell smart contract
function which drains the wallet. When a phished user attaches his wallet to the application
controlling this contract, the user unintentionally authorises the smart contract to steal his
funds. Algorand mitigates this issue via opt-ins. Hyperledger Fabric is not afected since no
cryptocurrencies are involved.</p>
    </sec>
    <sec id="sec-5">
      <title>5. Evaluation of Security Properties for Blockchain</title>
      <p>
        In this section we introduce security and dependability attributes for blockchains and we
evaluate them over three dimensions, i.e., consensus, infrastructure and smart contracts. The
proposed analysis follows a qualitative evaluation that takes into account the descriptions of the
platforms and protocols detailed in the previous section. Therefore, the analysis considers how
the identified properties are met in each system. The methodology used assumes the deployment
of  nodes responsible for consensus, which communicate over an eventually synchronous
network [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ]. Such a model realistically describes the Internet network, where messages can be
arbitrarily delayed, but eventually delivered within a fixed time-bound.
      </p>
      <p>
        A distributed protocol is considered if satisfies safety and liveness properties [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ]. However,
in a blockchain context, the traditional definition of such properties does not straightforwardly
apply. For instance, transactions are asynchronously committed by the network after the
execution of a consensus protocol. For this reason, safety and liveness must be refined in order
to explicitly reflect the behavior of a blockchain system. To cope with this limitation, we start
from the traditional definitions of safety and liveness [
        <xref ref-type="bibr" rid="ref11 ref6 ref7">11, 6, 7</xref>
        ] to introduce two novel properties,
namely persistency and termination. We also provide a new metric for blockchains, i.e. the
fairness property. Following seminar work by Francez [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ], we distinguish two aspects of the
fairness: validator fairness, for consensus protocols and client fairness, for infrastructures. The
novel security attributes for consensus in blockchain are thus summarised as follows:
1. Persistency: nothing wrong happens during the consensus execution; unwanted
executions must be prevented. When an honest node accepts a transaction, then all the
other honest nodes will make the same decision, which is irreversible. If persistency is
violated after a certain threshold (i.e. confirmation time), it will never be satisfied again.
      </p>
      <p>
        Persistency is also referred to as finality [
        <xref ref-type="bibr" rid="ref41">41</xref>
        ].
2. Termination: ensures that a protocol makes progress towards an end, hence transactions
correctly terminate, i.e. the block including those transactions reaches persistency.
3. Validator fairness: in a blockchain, the consensus mechanism is fair if any honest node
can be potentially selected to the set of nodes that will participate in the agreement to
select the next block.
      </p>
      <p>
        Table 1 summarises the consensus resilience of the four algorithms acting under the
adversarial model presented with our methodology. Firstly, we observe that PoW and CPoS enjoy
strong termination thanks to their probabilistic leader election based on mining, and staking.
Transactions are guaranteed to be added to the blockchain as soon as the mining proceeds, or
there is a majority of stakeholders. Conversely, probability in leader election afects persistency,
because of the possibility of having forks. However, such forks will eventually be resolved,
according to the specifics of the platform. For this reason, persistency must be classified as
eventual. Conversely, the PPoS protocol does not allow forks, and blocks are instantly finalised,
prioritising persistency over termination [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ]. Indeed, the PPoS allows stalls in case of
misbehaviors or network issues. However, PPoS’ introduces a recovery mechanism to ensure
termination, so we classify that as eventual. Both PoS protocols ensure security until a majority
of the stake remains in honest hands. If this condition is not verified, such systems can be
easily compromised. Validators with the majority of the stake can determine the next blocks
straightforwardly. This behavior is reflected with the validator fairness property in Table 1.
Diferently in PoW, such property is strongly related to hardware capabilities. Miners with
outstanding computational power will have more chances to produce blocks.
      </p>
      <p>
        Moving to permissioned blockchains, these systems rely on a higher level of trust, due to the
presence of node authentication. The consensus protocols used in this context are either classical
voting-based ones, such as PBFT, or hybrid, as for PoA. PBFT has been broadly demonstrated to
guarantee persistency in the eventually synchronous model, as long as there are  ≥ 3 + 1
active nodes in the network. Whereas as soon as  ≥ 2 + 1 are honest, termination can be
also guaranteed [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ]. In PoA, persistency is only eventually guaranteed, because PoAs are open
to forks. Termination is instead eventual, according to the number of honest validators. As long
as a majority of validators are active, termination is guaranteed, otherwise, the protocol stalls
and transactions are not finalised [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ]. Finally, PoA’s validator fairness is guaranteed, since
every honest validator has the same chance of being elected as a leader as the others.
      </p>
      <p>
        Turning to the security evaluation of blockchain platforms, we define six attributes based on
the traditional definitions of security and dependability [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], i.e. the CIA triad and the user’s
profiling . We identify the relevance of the properties of accountability and authorisation. Such
properties lead to fairness constraints which can be used to detect misbehaving participants.
Hence, our suggested attributes are:
1. Confidentiality : the possibility to keep some transactions confidential; absence of
unauthorised leaking of sensitive information owned by one or more nodes;
2. Integrity: absence of improper alterations of the blockchain data from unauthorised users;
3. Availability: the ability of the system to run correct services without interruptions;
4. Authorisation: the ability of the system to specify access rights and privileges to resources
and to define permission roles for participants;
5. Accountability: the ability of the system to trace back the operations and the behaviour
of a certain user identity/physical entity;
6. Client fairness: the willingness of the system to democratically accept transactions from
any client without any preference.
      </p>
      <p>
        Table 2, shows our analysis with the aforementioned six attributes. We observed that the
integrity of Bitcoin, Ethereum 2.0, and Algorand is strongly linked to where hash power and
stake lie. Indeed, an attacker owing the majority of the hash power (or stake), could break the
consensus protocol as already mentioned, hence maliciously injecting a fork with a subverted
chain [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ]. In contrast, in Hyperledger and Ethereum-private, the integrity property is strongly
tied to the persistency property of their underlying consensus algorithms. Fabric employs PBFT,
which ensures persistency under the assumption of  ≥ 3 + 1, while Ethereum-private adopts
PoA algorithms, which can only guarantee eventual persistency. Despite strong availability,
the full replication of the blockchain in the Bitcoin, Ethereum 2.0, and Algorand platforms
leads to a lack of confidentiality due to the public nature of the information stored on these
blockchains [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ]. However, if for Bitcoin and Ethereum 2.0 there is no way to mitigate this
issue, Algorand recently designed a solution which combines the public, permissionless network
with several private networks interconnected, a.k.a., Co-Chains [
        <xref ref-type="bibr" rid="ref29">29</xref>
        ]. Contrarily, confidentiality
in both Hyperledger and Ethereum-private can be guaranteed through the use of channels
and private transactions, respectively. Hyperledger Fabric and Ethereum-private can enforce
the so-called profiling properties of authorisation and accounting. This is because nodes
are authenticated. Authorisation is guaranteed by managing the permission of each node.
Accountability is achieved by tracing the interaction of nodes with the blockchain [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ]. This is
not so in public permissionless blockchains like Bitcoin, Ethereum 2.0, and Algorand where
identities are pseudo-anonymous [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ] and users are not authenticated. However, although
actions are dificult to attributable to specific entities, it is possible to analyze the behaviour of
specific accounts. Therefore, the public, permissionless nature of these blockchains ensures that
anyone can access the history of transactions and trace behavioural patterns. We deduce that
permissionless blockchain ofer partial accountability [
        <xref ref-type="bibr" rid="ref27 ref31">27, 31</xref>
        ]. On the other hand, being these
systems public and decentralised, authorisation is not provided. Lastly, we evaluate the property
of client fairness. Permissioned blockchain benefits from fairness guarantees in that each client’s
transactions are processed without any preference or priority. On the contrary, the execution of
transactions in Bitcoin and Ethereum 2.0 is costly (either hardware or staking), hence making
incentive mechanisms for miners and validators necessary. Low-rewards transactions may
be stalled forever waiting to be processed [
        <xref ref-type="bibr" rid="ref42">42</xref>
        ]. Incentives mechanisms for permissionless
blockchain, like Bitcoin and Ethereum 2.0, lead therefore to a lack of client fairness. Diferently,
in the Algorand blockchain, every transaction counts the same, and there is no such mechanism.
Everything in Algorand is handled by PPoS cryptography and the computation of VRFs. This
allows Algorand to have very low transaction fees, which are thus distributed to rewards
accounts for the users, and to ensure client fairness.
      </p>
      <p>We conclude our analysis with smart contracts. Table 3 illustrates a classification of the CIA
triad and profiling security properties against the issues described in Section 4. From the table
emerges that most of the smart contract issues may cause violation of confidentiality, integrity,
and authorisation properties. The platform that shows better resilience results in Hyperledger
Fabric and this is clearly due to its permissioned nature. Among the public blockchain instead,
Algorand outperforms Ethereum for many issues. This is due mainly to the usage of a constant
fee for transactions and opcodes conversely to Ethereum which is based on gas with a diferent
amount for opcodes. Also, the programming language used plays a key role. Both Hyperledger
Fabric and Algorand use languages that give some primitive control to avoid issues, such as
control against under/overflow concerning Ethereum. Finally, some design choice related to the
management of asset and smart contract calls makes Algorand more secure than Ethereum. For
instance, reentrancy ( 1) in Algorand cannot happen by design, and tokens require to be opted-in
before they can be received ( 15). The Ethereum naive solutions and lack of controls make it
the worst in terms of security. The only situation where Ethereum outperforms Algorand is
for erroneous visibility ( 13), indeed it allows to build private functions within a smart contract,
while Algorand does not.</p>
    </sec>
    <sec id="sec-6">
      <title>6. Conclusion</title>
      <p>In this paper, we studied the security aspects of modern blockchain systems. We defined the
security and dependability attributes which are relevant in the context of a blockchain. Thus, we
analysed how five blockchain platforms, namely Bitcoin, Ethereum (with its variants Ethereum
2.0 and private chains), Algorand, and Hyperledger Fabric, guarantee those attributes. The
analysis we proposed is divided into three dimensions, i.e. consensus, infrastructure, and smart
contracts. Firstly, we highlighted the infrastructures’ characteristics and how they difer in
terms of performance (infrastructure). Then, we described their built-in consensus protocols,
respectively, PoW, Casper PoS, PoA, Pure PoS and PBFT, analysing the approaches they adopt
to order transactions and create blocks in a Byzantine, eventually synchronous, network model
(consensus). Then, we listed smart contract issues evaluating whether blockchains are vulnerable
and their native resistance/mitigations (smart contracts).</p>
      <p>From our study emerged that permissioned blockchains like Hyperledger Fabric and
Ethereumprivate can guarantee fairness and confidentiality while providing accountability and
authorisation. However, these platforms require strong assumptions on the underlying network and
the number of possibly subverted nodes to also ensure integrity and availability. This is also
reflected in the consensus protocol they adopt, specifically PBFT guarantees persistency at the
cost of eventual termination, whereas in PoAs, both properties are ensured only eventually.
Conversely, permissionless platforms such as Bitcoin, Ethereum 2.0, and Algorand ofer
better integrity and availability, despite failing on profiling, confidentiality, and client fairness
properties. Finally, by studying smart contract issues we observed that Ethereum is the most
vulnerable smart contract platform compared to Algorand and Hyperledger Fabric.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>Algorand</surname>
          </string-name>
          . https://www.algorand.com.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <surname>Go</surname>
          </string-name>
          ethereum - geth. https://geth.ethereum.org.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          <article-title>[3] Hyperledger fabric</article-title>
          . https://www.hyperledger.org/use/fabric.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          <article-title>[4] Parity ethereum</article-title>
          . https://www.parity.io,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>Nicola</given-names>
            <surname>Atzei</surname>
          </string-name>
          , Massimo Bartoletti, and
          <string-name>
            <given-names>Tiziana</given-names>
            <surname>Cimoli</surname>
          </string-name>
          .
          <article-title>A survey of attacks on ethereum smart contracts (sok)</article-title>
          .
          <source>In POST - 6th International Conference, Proceedings, volume 10204 of Lecture Notes in Computer Science</source>
          , pages
          <fpage>164</fpage>
          -
          <lpage>186</lpage>
          . Springer,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>Algirdas</given-names>
            <surname>Avizienis</surname>
          </string-name>
          ,
          <string-name>
            <surname>Jean-Claude</surname>
            <given-names>Laprie</given-names>
          </string-name>
          , Brian Randell, and
          <string-name>
            <given-names>Carl</given-names>
            <surname>Landwehr</surname>
          </string-name>
          .
          <article-title>Basic concepts and taxonomy of dependable and secure computing</article-title>
          .
          <source>IEEE Trans. Dep. Secur. Comput.</source>
          ,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>Algirdas</given-names>
            <surname>Avizienis</surname>
          </string-name>
          ,
          <string-name>
            <surname>Vytautas</surname>
            <given-names>U</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jean-claude Laprie</surname>
            , and
            <given-names>Brian</given-names>
          </string-name>
          <string-name>
            <surname>Randell</surname>
          </string-name>
          .
          <article-title>Fundamental concepts of dependability</article-title>
          .
          <year>2001</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>Fabrice</given-names>
            <surname>Benhamouda</surname>
          </string-name>
          , Shai Halevi, and
          <string-name>
            <given-names>Tzipora</given-names>
            <surname>Halevi</surname>
          </string-name>
          .
          <article-title>Supporting private data on hyperledger fabric with secure multiparty computation</article-title>
          .
          <source>IBM Journal of Research and Dev</source>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>BitFury</given-names>
            <surname>Group and Jef Garzik</surname>
          </string-name>
          .
          <article-title>Public versus private blockchains part 1: Permissioned blockchains</article-title>
          .
          <source>White Paper</source>
          ,
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <surname>Joseph</surname>
            <given-names>Bonneau</given-names>
          </string-name>
          ,
          <string-name>
            <given-names>Andrew</given-names>
            <surname>Miller</surname>
          </string-name>
          , Jeremy Clark, Arvind Narayanan,
          <article-title>Joshua A Kroll,</article-title>
          and Edward W Felten.
          <article-title>Sok: Research perspectives and challenges for bitcoin and cryptocurrencies</article-title>
          .
          <source>In 2015 IEEE Symposium on Security and Privacy</source>
          , pages
          <fpage>104</fpage>
          -
          <lpage>121</lpage>
          . IEEE,
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>Christian</given-names>
            <surname>Cachin</surname>
          </string-name>
          and
          <string-name>
            <given-names>Marko</given-names>
            <surname>Vukolic</surname>
          </string-name>
          .
          <article-title>Blockchain consensus protocols in the wild</article-title>
          .
          <source>CoRR, abs/1707</source>
          .
          <year>01873</year>
          ,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>Miguel</given-names>
            <surname>Castro</surname>
          </string-name>
          and
          <string-name>
            <given-names>Barbara</given-names>
            <surname>Liskov</surname>
          </string-name>
          .
          <article-title>Practical byzantine fault tolerance</article-title>
          .
          <source>In Proceedings of the Third Symposium on Operating Systems Design and Implementation</source>
          , OSDI '
          <volume>99</volume>
          , pages
          <fpage>173</fpage>
          -
          <lpage>186</lpage>
          , Berkeley, CA, USA,
          <year>1999</year>
          . USENIX Association.
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <surname>CertiK.</surname>
          </string-name>
          <article-title>The state of defi security - 2021</article-title>
          . https://certik-2.hubspotpagebuilder.
          <article-title>com/ the-state-of-defi-security-2021.</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <surname>Huashan</surname>
            <given-names>Chen</given-names>
          </string-name>
          , Marcus Pendleton, Laurent Njilla, and
          <string-name>
            <given-names>Shouhuai</given-names>
            <surname>Xu</surname>
          </string-name>
          .
          <article-title>A survey on ethereum systems security: Vulnerabilities, attacks, and defenses</article-title>
          .
          <source>ACM Comput. Surv.</source>
          ,
          <year>2020</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <surname>ConsenSys</surname>
          </string-name>
          . Mythril. https://github.com/ConsenSys/mythril.
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <surname>Stefano De Angelis</surname>
            , Leonardo Aniello, Roberto Baldoni, Federico Lombardi, Andrea Margheri, and
            <given-names>Vladimiro</given-names>
          </string-name>
          <string-name>
            <surname>Sassone</surname>
          </string-name>
          .
          <article-title>PBFT vs proof-of-authority: Applying the CAP theorem to permissioned blockchain</article-title>
          .
          <source>In Proceedings of ITASEC</source>
          ,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <surname>Cynthia</surname>
            <given-names>Dwork</given-names>
          </string-name>
          , Nancy Lynch, and
          <string-name>
            <given-names>Larry</given-names>
            <surname>Stockmeyer</surname>
          </string-name>
          .
          <article-title>Consensus in the presence of partial synchrony</article-title>
          .
          <source>Journal of the ACM (JACM)</source>
          ,
          <volume>35</volume>
          (
          <issue>2</issue>
          ):
          <fpage>288</fpage>
          -
          <lpage>323</lpage>
          ,
          <year>1988</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <surname>Ethereum</surname>
          </string-name>
          .
          <article-title>Proof-of-stake</article-title>
          . https://eth.wiki/en/concepts/proof
          <article-title>-of-stake-faqs.</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <surname>Ethereum</surname>
          </string-name>
          . Solidity. https://soliditylang.org.
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <surname>Ethereum</surname>
          </string-name>
          . Vision of ethereum2. https://ethereum.org/en/upgrades/vision/.
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <string-name>
            <given-names>Nissim</given-names>
            <surname>Francez</surname>
          </string-name>
          . Fairness. Springer-Verlag, Berlin, Heidelberg,
          <year>1986</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <string-name>
            <surname>Edoardo</surname>
            <given-names>Gaetani</given-names>
          </string-name>
          , Leonardo Aniello, Roberto Baldoni, Federico Lombardi, Andrea Margheri, and
          <string-name>
            <given-names>Vladimiro</given-names>
            <surname>Sassone</surname>
          </string-name>
          .
          <article-title>Blockchain-based database to ensure data integrity in cloud computing environments</article-title>
          .
          <source>In ITA-SEC</source>
          , volume
          <year>1816</year>
          .
          <article-title>CEUR-WS</article-title>
          .org,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <surname>Geth</surname>
          </string-name>
          . Ethereum. https://geth.ethereum.org/docs/interface/private-network.
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <surname>Yossi</surname>
            <given-names>Gilad</given-names>
          </string-name>
          , Rotem Hemo, Silvio Micali, Georgios Vlachos, and
          <string-name>
            <given-names>Nickolai</given-names>
            <surname>Zeldovich</surname>
          </string-name>
          . Algorand:
          <article-title>Scaling byzantine agreements for cryptocurrencies</article-title>
          .
          <source>In Proceedings of the 26th Symposium on Operating Systems Principles</source>
          ,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <string-name>
            <surname>Ryan</surname>
            <given-names>Henry</given-names>
          </string-name>
          , Amir Herzberg, and
          <string-name>
            <given-names>Aniket</given-names>
            <surname>Kate</surname>
          </string-name>
          .
          <article-title>Blockchain access privacy: Challenges and directions</article-title>
          .
          <source>IEEE Security Privacy</source>
          ,
          <volume>16</volume>
          (
          <issue>4</issue>
          ):
          <fpage>38</fpage>
          -
          <lpage>45</lpage>
          ,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [26]
          <string-name>
            <given-names>Maurice</given-names>
            <surname>Herlihy</surname>
          </string-name>
          and
          <string-name>
            <given-names>Mark</given-names>
            <surname>Moir</surname>
          </string-name>
          .
          <article-title>Enhancing accountability and trust in distributed ledgers</article-title>
          .
          <source>CoRR</source>
          ,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [27]
          <string-name>
            <surname>Ghassan</surname>
            <given-names>O.</given-names>
          </string-name>
          <string-name>
            <surname>Karame</surname>
            , Elli Androulaki, Marc Roeschlin, Arthur Gervais, and
            <given-names>Srdjan</given-names>
          </string-name>
          <string-name>
            <surname>Čapkun</surname>
          </string-name>
          .
          <article-title>Misbehavior in bitcoin: A study of double-spending and accountability</article-title>
          .
          <source>ACM Trans. Inf. Syst. Secur.</source>
          ,
          <volume>18</volume>
          (
          <issue>1</issue>
          ):2:
          <fpage>1</fpage>
          -
          <lpage>2</lpage>
          :
          <fpage>32</fpage>
          , May
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [28]
          <string-name>
            <given-names>Alexander</given-names>
            <surname>Mense</surname>
          </string-name>
          and
          <string-name>
            <given-names>Markus</given-names>
            <surname>Flatscher</surname>
          </string-name>
          .
          <article-title>Security vulnerabilities in ethereum smart contracts</article-title>
          .
          <source>In Proceedings of the 20th IIWBAS</source>
          ,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          [29]
          <string-name>
            <given-names>Silvio</given-names>
            <surname>Micali. Algorand</surname>
          </string-name>
          co-chains. https://www.algorand.com/resources/blog/ algorand-co-chains.
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          [30]
          <string-name>
            <surname>Silvio</surname>
            <given-names>Micali</given-names>
          </string-name>
          ,
          <string-name>
            <given-names>Michael</given-names>
            <surname>Rabin</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Salil</given-names>
            <surname>Vadhan</surname>
          </string-name>
          .
          <article-title>Verifiable random functions</article-title>
          .
          <source>In 40th annual symposium on foundations of computer science</source>
          , pages
          <fpage>120</fpage>
          -
          <lpage>130</lpage>
          . IEEE,
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          [31]
          <string-name>
            <given-names>Malte</given-names>
            <surname>Möser</surname>
          </string-name>
          .
          <source>Anonymity of bitcoin transactions an analysis of mixing services</source>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          [32]
          <string-name>
            <given-names>Satoshi</given-names>
            <surname>Nakamoto</surname>
          </string-name>
          .
          <article-title>Bitcoin: A peer-to-peer electronic cash system</article-title>
          . https://bitcoin.org/ bitcoin.pdf,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          [33]
          <string-name>
            <surname>OpenZeppelin</surname>
          </string-name>
          .
          <article-title>Solidity safemath library</article-title>
          . https://docs.openzeppelin.com/.
        </mixed-citation>
      </ref>
      <ref id="ref34">
        <mixed-citation>
          [34]
          <string-name>
            <given-names>White</given-names>
            <surname>Paper</surname>
          </string-name>
          .
          <article-title>Incentive mechanisms for securing the bitcoin blockchain white paper</article-title>
          .
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref35">
        <mixed-citation>
          [35]
          <string-name>
            <surname>Parity</surname>
          </string-name>
          .
          <article-title>Aura - authority round consensus protocol</article-title>
          . https://wiki.parity.io/Aura.
        </mixed-citation>
      </ref>
      <ref id="ref36">
        <mixed-citation>
          [36]
          <string-name>
            <given-names>Michael</given-names>
            <surname>Rodler</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Wenting</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Ghassan O.</given-names>
            <surname>Karame</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Lucas</given-names>
            <surname>Davi</surname>
          </string-name>
          . Sereum:
          <article-title>Protecting existing smart contracts against re-entrancy attacks</article-title>
          .
          <source>CoRR</source>
          , abs/
          <year>1812</year>
          .05934,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref37">
        <mixed-citation>
          [37]
          <string-name>
            <given-names>Noama</given-names>
            <surname>Fatima Samreen and Manar H. Alalfi</surname>
          </string-name>
          .
          <article-title>A survey of security vulnerabilities in ethereum smart contracts</article-title>
          .
          <source>CoRR, abs/2105.06974</source>
          ,
          <year>2021</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref38">
        <mixed-citation>
          [38]
          <string-name>
            <surname>Bano</surname>
            <given-names>Shehar</given-names>
          </string-name>
          , Sonnino Alberto,
          <string-name>
            <surname>Al-Bassam</surname>
            <given-names>Mustafa</given-names>
          </string-name>
          , Azouvi Sarah,
          <string-name>
            <surname>McCorry Patrick</surname>
          </string-name>
          , Meiklejohn Sarah, and
          <string-name>
            <given-names>Danezis</given-names>
            <surname>George</surname>
          </string-name>
          .
          <article-title>Sok: Consensus in the age of blockchains</article-title>
          .
          <source>In Proceedings of the 1st ACM Conference on Advances in Financial Technologies</source>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref39">
        <mixed-citation>
          [39]
          <string-name>
            <given-names>Péter</given-names>
            <surname>Szilágyi</surname>
          </string-name>
          .
          <article-title>Clique - ethereum proof-of-authority consensus protocol</article-title>
          . https://github. com/ethereum/EIPs/issues/225.
        </mixed-citation>
      </ref>
      <ref id="ref40">
        <mixed-citation>
          [40]
          <string-name>
            <surname>Carmela</surname>
            <given-names>Troncoso</given-names>
          </string-name>
          , Marios Isaakidis, George Danezis, and
          <string-name>
            <given-names>Harry</given-names>
            <surname>Halpin</surname>
          </string-name>
          .
          <article-title>Systematizing decentralization and privacy: Lessons from 15 years of research and deployments</article-title>
          .
          <source>Proceedings on Privacy Enhancing Technologies</source>
          ,
          <year>2017</year>
          :
          <fpage>404</fpage>
          -
          <lpage>426</lpage>
          ,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref41">
        <mixed-citation>
          [41]
          <string-name>
            <given-names>Marko</given-names>
            <surname>Vukolić</surname>
          </string-name>
          .
          <article-title>The quest for scalable blockchain fabric: Proof-of-work vs. bft replication</article-title>
          .
          <source>In Jan Camenisch and Doğan Kesdoğan</source>
          , editors, Open Problems in Network Security,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref42">
        <mixed-citation>
          [42]
          <string-name>
            <surname>Ingo</surname>
            <given-names>Weber</given-names>
          </string-name>
          , Vincent Gramoli, Alex Ponomarev, Mark Staples,
          <string-name>
            <given-names>Ralph</given-names>
            <surname>Holz</surname>
          </string-name>
          , An Binh Tran, and
          <string-name>
            <given-names>Paul</given-names>
            <surname>Rimba</surname>
          </string-name>
          .
          <article-title>On availability for blockchain-based systems</article-title>
          .
          <source>In 2017 IEEE 36th Symposium on Reliable Distributed Systems (SRDS)</source>
          , pages
          <fpage>64</fpage>
          -
          <lpage>73</lpage>
          . IEEE,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref43">
        <mixed-citation>
          [43]
          <string-name>
            <given-names>Gavin</given-names>
            <surname>Wood</surname>
          </string-name>
          .
          <article-title>Ethereum: A secure decentralised generalised transaction ledger</article-title>
          .
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>