Potential Risks of Hyperledger Fabric Smart Contracts

Cited by: 0
Authors
Yamashita, Kazuhiro [1]
Nomura, Yoshihide [1]
Zhou, Ence [2]
Pi, Bingfeng [2]
Jun, Sun [2]
Affiliations
[1] Fujitsu Labs Ltd, Kawasaki, Kanagawa, Japan
[2] FUJITSU Res & Dev Ctr, Beijing, Peoples R China
Source
2019 IEEE 2ND INTERNATIONAL WORKSHOP ON BLOCKCHAIN ORIENTED SOFTWARE ENGINEERING (IWBOSE) | 2019
Keywords
Smart Contract; Validation Tool; Blockchain; Hyperledger Fabric;
DOI
10.1109/iwbose.2019.8666486
Chinese Library Classification number
TP31 [Computer Software];
Discipline classification code
081202 ; 0835 ;
Abstract
Blockchain is a decentralized ledger technology, and it is the technology underlying Bitcoin and Ethereum. The interest in blockchain has been increasing since its emergence. Hyperledger Fabric is one of the permissioned blockchain frameworks. One of the characteristics of Hyperledger Fabric is that it utilizes general-purpose programming languages, e.g., Go, Node.js, and Java, to implement smart contracts (called chaincode in Hyperledger Fabric). The advantages of utilizing these languages are already known to potential developers, and development tools might already exist. However, one of the disadvantages is that these languages were not originally designed for writing smart contracts. Hence, there may be risks that developers do not need to consider when using specific languages such as Solidity of Ethereum. Furthermore, even though development tools exist, how many risks are covered by the tools is an open question. In this paper, we focus on the Go language and the tools. First, we surveyed what kinds of risks are associated with chaincodes developed using the Go language and observed that there are 14 potential risks. Then, we investigated how many risks can be covered by Go tools, e.g., golint and gosec, and a vulnerability detection tool for chaincodes called Chaincode Scanner. From our results, we observed that some risks are not covered by the existing tools. Hence, we develop a detection tool to cover risks by static analysis. Finally, in this paper, we describe how to find the risks with our tool and evaluate the usefulness.
Pages: 1 / 10
Number of pages: 10