SGXonerated: Finding (and Partially Fixing) Privacy Flaws in TEE-based Smart Contract Platforms Without Breaking the TEE

Nerla Jean-Louis; Yunqi Li; Yan Ji; Harjasleen Malvai; Thomas Yurek; Sylvain Bellemare; Andrew Miller

Paper 2023/378

SGXonerated: Finding (and Partially Fixing) Privacy Flaws in TEE-based Smart Contract Platforms Without Breaking the TEE

Nerla Jean-Louis, University of Illinois Urbana-Champaign

Yunqi Li, University of Illinois Urbana-Champaign

Yan Ji, Cornell University

Harjasleen Malvai, University of Illinois Urbana-Champaign

Thomas Yurek, University of Illinois Urbana-Champaign

Sylvain Bellemare, Cornell University, IC3

Andrew Miller, University of Illinois Urbana-Champaign, IC3

Abstract

TEE-based smart contracts are an emerging blockchain architecture, offering fully programmable privacy with better performance than alternatives like secure multiparty computation. They can also support compatibility with existing smart contract languages, such that existing (plaintext) applications can be readily ported, picking up privacy enhancements automatically. While previous analysis of TEE-based smart contracts have focused on failures of TEE itself, we asked whether other aspects might be understudied. We focused on state consistency, a concern area highlighted by Li et al., as well as new concerns including access pattern leakage and software upgrade mechanisms. We carried out a code review of a cohort of four TEE-based smart contract platforms. These include Secret Network, the first to market with in-use applications, as well as Oasis, Phala, and Obscuro, which have at least released public test networks. The first and most broadly applicable result is that access pattern leakage occurs when handling persistent contract storage. On Secret Network, its fine-grained access pattern is catastrophic for the transaction privacy of SNIP-20 tokens. If ERC-20 tokens were naively ported to Oasis they would be similarly vulnerable; the others in the cohort leak coarse-grained information at approximately the page level (4 kilobytes). Improving and characterizing this will require adopting techniques from ORAMs or encrypted databases. Second, the importance of state consistency has been under-appreciated, in part because exploiting such vulnerabilities is thought to be impractical. We show they are fully practical by building a proof-of-concept tool that breaks all advertised privacy properties of SNIP-20 tokens, able to query the balance of individual accounts and the token amount of each transfer. We additionally demonstrate MEV attacks against the Sienna Swap application. As a final consequence of lacking state consistency, the developers have inadvertently introduced a decryption backdoor through their software upgrade process. We have helped the Secret developers mitigate this through a coordinated vulnerability disclosure, after which their state consistency should be roughly on par with the rest.

Metadata

Available format(s): PDF
Category: Applications
Publication info: Preprint.
Keywords: blockchain smart contracts TEE
Contact author(s): nerlaj2 @ illinois edu
yunqil3 @ illinois edu
yj348 @ cornell edu
hmalvai2 @ illinois edu
yurek2 @ illinois edu
sbellemare @ cornell edu
soc1024 @ illinois edu
History: 2023-09-29: revised; 2023-03-15: received; See all versions
Short URL: https://ia.cr/2023/378
License: CC BY-NC

BibTeX

@misc{cryptoeprint:2023/378,
      author = {Nerla Jean-Louis and Yunqi Li and Yan Ji and Harjasleen Malvai and Thomas Yurek and Sylvain Bellemare and Andrew Miller},
      title = {SGXonerated: Finding (and Partially Fixing) Privacy Flaws in TEE-based Smart Contract Platforms Without Breaking the TEE},
      howpublished = {Cryptology ePrint Archive, Paper 2023/378},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/378}},
      url = {https://eprint.iacr.org/2023/378}
}