Singapore Academic Cybersecurity R&D


NRF2016NCR-NCR002-028

Testing for Blockchain Security by Design
 

  • Lead PIs: Mark van Staalduinen, TNO and Aditya Mathur, Professor, SUTD (aditya_mathur@sutd.edu.sg)
  • Host Institution: TNO
  • Partner Institution: Information Systems Technology Design Pillar, SUTD

I. Goal

Blockchain technology is relatively new. Its emerging risks are not well understood and are sometimes ignored to gain first-mover advantage, so we see a fast-developing ecosystem with a need for Blockchain Security. The commercialisation process for the project outcomes is guided by TNO’s Blockchain Security program. This program focuses on bringing testing tools to a sufficient level of insight and maturity, from a technology and security perspective, to implement security by design. It couples this with tangible and concrete requirements and inputs from the blockchain industry to ensure user relevancy and market feasibility. The exploitation plan consists of three phases:

  1. Attract industry and build capacity – The key is to attract the industry as participants in the program and to initiate an open dialogue about the vulnerabilities. In the end, Blockchain Security is a joint responsibility among multiple stakeholders, from users, technology suppliers and system integrators to regulators. To achieve sufficient knowledge for this dialogue, capacity is built through a training course: Blockchain Basics and its Security Perspectives. The feedback from these stakeholder meetings will be applied to adapt our in-house blockchain security training course to demand.
  2. Experiment and implement security testing – Through the BCS Stakeholder Group, a first step is taken towards industry commitment and towards creating a safe environment for translating and transitioning research results and outcomes into practical solutions.
  3. Certification of blockchain technology and applications (2019) – This project focuses on testing for Blockchain Security by Design, but it requires certification to realise Security by Design. Certification is out of scope.

Smart contracts are an innovation built on top of blockchain technology. They provide a platform for automatically executing contracts in an anonymous, distributed, and trusted way, which has the potential to revolutionize many industries. The most popular programming language for creating smart contracts is Solidity, which is supported by Ethereum. Like any program, smart contracts written in Solidity may contain vulnerabilities, which potentially lead to attacks. The problem is magnified by the fact that smart contracts, unlike ordinary programs, cannot be patched once deployed. It is thus important that smart contracts are checked against potential vulnerabilities.

Security Reference Architecture

We aim to develop a security reference architecture for blockchain, to identify components in the design that require security controls to be implemented. A reference architecture is an abstract architecture that is meant as a reference for designers, implementers, users, operators, and managers of design, implementation and deployments, often represented by diagrams and a detailed description. This architecture will define a common, unambiguous, yet informal, comprehensible set of concepts.

Smart Contracts

The objective is to develop systematic methods and tools to identify vulnerabilities in smart contracts automatically and accurately. Towards this goal, a series of software toolkits, including a symbolic execution engine, a fuzzing engine and a formal verifier, are being built.

II. Technologies

Smart Contracts

So far, we have developed a “smart” compiler for smart contracts based on symbolic execution techniques. Details of this work can be found online. In future, we aim to publish a smart fuzzer which extends the famous AFL fuzzer with machine learning capabilities. Furthermore, we aim to combine the fuzzer and the symbolic execution engine so as to build a formal verifier for smart contracts. The idea is to apply machine learning techniques to learn loop invariants based on the fuzzer outputs and then apply symbolic execution to verify the loop invariants and subsequently the smart contract.

Publications

  • V. Chia, P. Hartel, Q. Hum, S. Ma, G. Piliouras, D. Reijsbergen, M. Staalduinen, P. Szalachowski, Rethinking Blockchain Security: Position Paper, In Proceedings of the IEEE International Conference on Blockchain (Blockchain), 2018
  • P. Szalachowski, (Short Paper) Towards More Reliable Bitcoin Timestamps, In Proceedings of Crypto Valley Conference on Blockchain Technology (CVCBT), 2018

Report on Use Cases

The report focuses on two use cases, namely Fintech and logistics. For Fintech, the case study will be on Project Ubin. For logistics, it is South32. From these two use cases, six blockchain challenges were identified:

  1. Key Management
  2. Smart Contract Security
  3. Consensus Protocol Incentives
  4. Secure Transactions
  5. Digital Identities
  6. Blockchain Security Policy