WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting
WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

Bitcoin vs Ethereum Smart Contracts: Security Comparisons

Dec 19, 2024
Est Read Time: 9 min
Jacob Fox

Bitcoin vs. Ethereum smart contracts: how do they compare from a security standpoint? 

Both blockchain platforms support smart contracts, but they have different native purposes and use different technology. When used for smart contracts, they face overlapping security risks, though each platform has its own unique vulnerabilities. 

In this guide, we'll compare Bitcoin vs. Ethereum from a security perspective, identify some leading vulnerabilities, and suggest some mitigation strategies.

Bitcoin as a Smart Contract Platform

Bitcoin provides a payment network for exchanging digital cryptocurrency through peer-to-peer connections without a central authority such as a government or bank. The network exchanges digital units called bitcoins, divisible to eight decimal places. The smallest bitcoin unit is the satoshi (sat), named after bitcoin's founder, equal to one hundred millionth (1/100,000,000) of a bitcoin.

Any participant in a bitcoin network can exchange currency through a digital ledger system where records are distributed across multiple devices in the network. The ledger stores digital transaction data in records called blocks. Blocks contain information about transactions, including a timestamp and a cryptographic hash of the previous block. This allows blocks to be linked in chronological order so that the link between each transaction is verified by a digital signature. A group of linked blocks forms a blockchain.

To instill trust across the network, blocks can't be changed without altering every other block in the chain. Blocks get added to blockchains every 10 minutes on average, updating every other block. This preserves a permanent, verified record of any transactions without need for a central authenticating authority.

While bitcoin originally served as cryptocurrency and supported only basic smart contract functions, since 2023 the platform has expanded its smart contract functionality through a number of innovations.

L2 for Bitcoin Smart Contracts

Some smart contract frameworks integrate bitcoin by building secondary protocol layers (L2) on top of blockchains to expand functionality and improve scalability without changing underlying blockchain behavior. For example, Stacks uses a functional language with a LISP-like syntax called Clarity to add a layer to blockchains.

Ordinals for Bitcoin Smart Contracts

Bitcoin also can add smart contract functionality by deploying digital collectibles called Ordinals, so named because they encode the order of each bitcoin's creation in its blockchain. Ordinals customize bitcoins by adding unique features such as text, images, or videos. These features get inserted in codes called inscriptions contained in a wrapper of unexecuted conditionals called an envelope. A constant called OP_FALSE keeps the code in the inscription from being executed.

Envelope inscriptions allow bitcoins to serve as non-fungible tokens (NFTs) with unique characteristics, in contrast to ordinary (fungible) bitcoins that look interchangeable. Non-fungibility gives Ordinals a collectible quality, creating demand for them to be traded, bought, or sold.

In an NFT context, Ordinal inscriptions can be used for smart contracts. Because inscriptions can contain any code but don't execute, they can be integrated into smart contract scripts without altering their behavior. For example, sCrypt uses a Typescript framework to create smart contracts usable on bitcoin blockchains.

Ethereum as a Smart Contract Platform

Conceived as an outgrowth of bitcoin, Ethereum goes beyond bitcoin's basic smart contract features by providing a native design with robust smart contract functionality. 

Ethereum automates contract terms by using blockchain technology in conjunction with specialized programming languages such as Solidity, which resembles JavaScript and C. Smart contract codes can be designed to execute contract terms when triggered by blockchain events. 

For example, a smart contract can release funds from an account once a blockchain transaction gets validated. To understand how Ethereum's smart contract functionality informs its security vulnerabilities, it helps to understand some of the network's key features:

Ether Cryptocurrency and Ethereum Transactions

Ethereum accounts maintain balances using the network's native cryptocurrency, known as Ether (ETH), and can contain tokens that digitally represent physical or digital objects. Transactions on Ethereum accounts can transfer Ether or tokens from one account to another. The network preserves a blockchain record of all transactions, updated approximately every 12 seconds.

Transaction Validations

Each account in the chain, known as a node, connects with a limited number of other accounts to receive blocks and unvalidated transactions from other network peers and to offer them to other accounts. A given node maintains a record of unvalidated transactions, known as a mempool. Ethereum accounts may deposit (stake) Ether to validate transactions, and in turn receive rewards for validating transactions.

Paying Gas for Transactions

Transactions may be controlled either by private key holders or by automated smart contract scripts. Sending a cryptocurrency transaction or creating a contract costs a transaction fee called gas. Gas gets paid to transaction validators as an incentive. Transaction senders set a gas limit on how much they're willing to pay per transaction and a gas price defining how much they want to pay the network per unit of gas. Gas fees for smart contract transactions cost more than fees for manual transactions.

Smart Contract Composability

To extend their functionality, smart contracts can call other smart contracts or applications that combine smart contracts with frontend user interfaces, known as decentralized applications or dApps. This capability, known as composability, allows Ethereum smart contracts to perform highly complex functions similar to application programming interfaces (APIs).

Third-party Oracles

Normally, Ethereum smart contracts only interact with data within blockchains. However, blockchains depend on external data to perform certain functions, such as generating random numbers. To access external data, Ethereum uses third-party applications called oracles. Oracles can source, verify, and transmit external data to smart contracts, as well as send data from smart contracts.

Bitcoin and Ethereum Compared

Now that we've reviewed the individual characteristics of bitcoin Ordinals and Ethereum, let's compare their major features before considering their security issues. In general, a few points stand out for comparison:

  • Both bitcoin and Ethereum use cryptocurrency, but bitcoin primarily functions as cryptocurrency, while Ethereum employs cryptocurrency in the service of smart contracts
  • Both bitcoin and Ethereum support smart contracts, but bitcoin requires external integrations to expand beyond basic smart contract functionality, while Ethereum natively supports advanced smart contracts
  • Bitcoin's validation method requires validators to solve complex cryptographic puzzles (known as proof of work or PoW), requiring significant computational resources and time, while Ethereum requires validators to stake cryptocurrency (proof of stake or PoS), consuming less energy and time
  • Bitcoin limits its supply to 21 million bitcoins, promoting scarcity and deflation, while Ether has not fixed limit, making it prone to inflationary tendencies
  • The market value of bitcoin vs. Ether has fluctuated over time, with Ether overtaking bitcoin in 2017 and 2022 but falling behind again this year, with a surge again anticipated after the 2024 U.S. elections

With these general features in mind, let's compare these platforms from a smart contract security perspective.

Smart Contract Security Issues

To the extent bitcoin and Ethereum share similar smart contract functionality, they share certain vulnerabilities inherent in smart contracts. Smart contract vulnerabilities stem from a few major vectors. These include:

  • Code auditing
  • Upgrade management
  • External oracle vulnerabilities
  • Cross-contract interaction
  • Social engineering and phishing

Some of these vulnerabilities are more characteristic of one platform versus the other, but they illustrate some major attack vectors common to most smart contract platforms.

Code Auditing

Vulnerabilities can enter into smart contracts through insufficient code auditing. The decentralized nature of blockchain leaves auditing procedures up to the initiative of users. Blockchain relies on users to spot bugs, trusting that its widespread user base will tend to catch any errors. This tends to catch errors, but any upgrades may introduce new bugs that take time to catch.

For both Bitcoin and Etherium, complex smart contract coding layers can introduce additional bugs. Failing to audit code at this level can introduce virtually any type of vulnerability.

External Oracle Vulnerabilities

Blockchain relies on external services called oracles to supply pseudorandom numbers, critical for cryptography. Because blockchain networks follow deterministic algorithms, they lack native random number generation capability. Oracle services supply random number values to blockchain applications. However, this opens the risk of bad actors manipulating oracle services to provide nonrandom values that impart an unfair advantage in games, lotteries, random-seed generation, or other contracts dependent on random numbers.

Cross-contract Interaction

Smart contracts can call other smart contracts, introducing potential risks if the external contract contains vulnerable or malicious code. For example, bad actors can introduce code that causes smart contracts to endlessly repeat financial withdrawals, draining accounts of funds. This illustration represents just one potential vulnerability. External smart contracts can contain any conceivable code, introducing a wide range of possible risks.

Social Engineering and Phishing

Although smart contracts get executed automatically, they require interaction with human users at some point, opening risks of social engineering and phishing. Users can be manipulated into interacting with contracts containing malicious code. For example, scam artists may offer users fake investment opportunities designed to lure them into engaging with contracts designed to drain account funds.

Bitcoin Security Issues

Bitcoin's blockchain encryption strategy makes it inherently resistant to hacking. If one computer in the chain gets hacked, any invalid data will alert other computers in the network. Other computers will either correct the discrepancy or exclude the compromised block from the chain. Mathematically, hackers would need enormous computational power to decrypt significant portions of chains. While quantum computers theoretically could achieve this, in practice, current quantum computer technology lacks the power to hack bitcoin efficiently.

However, hackers can use various methods to bypass these barriers by exploiting bitcoin weaknesses. Bitcoin vulnerabilities include:

  • Sybil attacks: Named after a famous book about a woman with multiple personalities, Sybil attacks involve bad actors creating multiple identities on networks in order to exercise undue influence on validation processes, controlling which blocks get approved and which get rejected and enabling multiple blocks to be leveraged for decryption of legitimate blocks.
  • 51% attacks: If hacking rings can use Sybil attacks or other means to gain control of the majority of a network's blocks, they can corrupt the validation process and create alternate blockchains (forks), allowing the same bitcoin units to be spent multiple times (double spend).
  • Backup wallets: Old bitcoin wallets with outdated passwords often can be accessed through backups, enabling hackers to use them to drain current wallet funds.
  • Coin history exposure: Bitcoin blocks may contain information that can be used to trace transactions and chain participants to their owners.
  • Packet sniffing: Hackers who can see your Internet traffic can deduce when you originate transactions.
  • Denial of service attacks (DoS attacks): Bad actors can overwhelm blockchain networks with traffic, excluding other users from validation processes, disrupting services, or setting the stage for double spend attacks.
  • Timestamp hijacking (timejacking): Attackers connecting from multiple computers can report inaccurate timestamps and alter how chains calculate time, giving them control over validation processes.
  • Malicious and illegal content injection: Since Ordinals can contain any type of content, attackers can use them to pollute blockchains with malicious or illegal content.
  • Security upgrade domino chains: Discovery of security vulnerabilities at one point in a blockchain could force all other users to upgrade or be excluded from chains, potentially disrupting chains.
  • Energy overconsumption: Bitcoin exchange rates correlate closely with electricity costs, creating the potential for exchanges to become unprofitable through excessive resource consumption.

In addition to these potential vulnerabilities, bitcoin smart contracts face the same general smart contract issues described above.

Ethereum Security Issues

The Open Worldwide Application Security Project has complied a list of OWASP Smart Contact Top 10 vulnerabilities faced primarily by Ethereum smart contracts. These include:

  • Reentrancy attacks: Smart contracts that call external contracts before updating their own states can be manipulated into repeating actions such as withdrawals or inserting malicious code.
  • Integer overflow and underflow: By introducing values that fall outside the integer range allowed by a contract's defined fixed-size data types, attackers can increase account and token amounts and make excessive withdrawals or change contact logic to perform actions such as multiplying tokens or stealing funds.
  • Timestamp dependence: By altering timestamps, hackers can accelerate or delay actions, alter conditions that initiate functions, or initiate actions before other users, allowing them to manipulate auctions, lotteries, and token vesting.
  • Access control vulnerabilities: Hackers can exploit weak permissions to access or alter contract data or functions or steal funds or assets managed by contracts.
  • Front-running attacks: Attackers who can see mempool data can leverage thins information to increase gas fees and ensure their transactions take priority, allowing them to make victims spend more for tokens, reduce payments, or alter token value.
  • Denial of service (DoS) attacks: Hackers can leverage smart contract vulnerabilities to exhaust network resources such as such as gas, CPU cycles, or storage.
  • Logic errors (business logic vulnerabilities): Smart contract coding errors can trigger unexpected behavior or functionality disruption, for instance, by causing funds loss or token misallocation.
  • Insecure randomness: Attackers who can exploit contracts or oracles to control pseudorandom values can manipulate elements such as timestamps, block numbers and addresses, and encryption hashes.
  • Gas limit vulnerabilities: By using vulnerabilities such as iterative loops to manipulate limits on gas available to blocks, hackers can prevent contract execution, freezing contracts or locking funds.
  • Unchecked external calls: If smart contracts fail to verify external function call outcomes, calls can fail without generating exception errors, causing contracts to proceed under false assumptions that risk loss of funds or creation of exploitable inconsistencies.

For more details, see our blog on smart contract security risks.

Bitcoin vs. Ethereum Smart Contract Security Comparison

In general, although bitcoin and Ethereum have different native functionality, when bitcoin is adapted for smart contract use, both platforms face similar security vulnerabilities. However, they do have some differences stemming from their native differences:

  • Bitcoin's reliance on proof of work validation differs from Ethereum's reliance on proof of stake, making bitcoin more vulnerable to energy overconsumption and Ethereum more vulnerable to other risks such as 51% attacks. In fact, Ethereum can be manipulated with just 34% of stake.

  • Because Ethereum uses gas, gas limit vulnerabilities are more characteristic of Ethereum than bitcoin, although in theory, bitcoin transaction fees could be manipulated in similar ways.

When used for NFTs, Ordinals and Ether face similar vulnerabilities, such as risk of malicious content injection. Likewise, both platforms face similar risks when calling external contracts.

Secure your smart contract applications 

As usage of bitcoin Ordinals and Ethereum increases, smart contract security vulnerabilities will become increasingly high priorities. Application security services can help you secure your smart contracts against common risks.

At Cobalt, our expert pentesting team works with OWASP and other industry leaders to create and update security standards protecting applications and networks against today's top risks. Our user-friendly pentesting platform lets your security team easily and efficiently collaborate with our experts to plan, schedule, and execute tests of your attack surface.

New call-to-action
Back to Blog
About Jacob Fox
Jacob Fox is a search engine optimization manager at Cobalt. He graduated from the University of Kansas with a Bachelor of Arts in Political Science. With a passion for technology, he believes in Cobalt's mission to transform traditional penetration testing with the innovative Pentesting as a Service (PtaaS) platform. He focuses on increasing Cobalt's marketing presence by helping craft positive user experiences on the Cobalt website. More By Jacob Fox

Related readings

Smart Contract Security Risks: Today's 10 Top Vulnerabilities and Mitigations
Cybersecurity Insights
Blog
Dec 3, 2024
Read more
NSA launch AI Security Center cover image
NSA Launches AI Security Center
NEWS
Blog
Oct 12, 2023
Read more
Cover Image Offensive Security Maturity: How Offensive Security Strategies Evolve Based on Company Maturity
Offensive Security Maturity: How Offensive Security Strategies Evolve Based on Company Maturity
Cybersecurity Services
Blog
Sep 15, 2023
Read more
see more

Never miss a story

Stay updated about Cobalt news as it happens