Abstract
Smart contracts are widely used to build safe, secure, and efficient decentralized applications. They hold a significant amount of cryptocurrency, and upgrading or changing them after deployment on the blockchain is difficult. It is therefore essential to analyze the integrity of a contract and design it securely before deployment, which makes the effective detection of the various classes of vulnerabilities in smart contracts a significant concern. Vulnerability detection methods based on machine learning and deep learning still require human specialists, and they often miss numerous vulnerabilities, leading to a significant false-negative rate. To circumvent these limitations, this research proposes a two-step hierarchical model based on deep learning techniques that significantly improves the feature extraction mechanism for Ethereum smart contracts. In the first step, a transformer determines the relationships between opcodes, extracting the internal features of a contract to strengthen its contextual information; a Bi-GRU then aggregates forward and backward sequential information to capture long-term dependencies, including those involving vulnerable code. In the second step, a Text-CNN and spatial attention extract local features to emphasize the significant semantics. Experiments conducted on 49,552 real-world smart contracts demonstrate that the proposed method is more effective than state-of-the-art methods. Extensive ablation experiments further illustrate the efficacy of the framework's design choices.
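The model described above takes a contract's opcode sequence as input. The following is an added example, not code from the paper, showing the preprocessing that produces such a sequence: a minimal pure-Python linear-sweep disassembler for EVM runtime bytecode, followed by the vocabulary and integer-id encoding a transformer or Bi-GRU front end would consume. The opcode table is a subset of the EVM instruction set (unlisted bytes are emitted as `UNKNOWN_0xNN`), the PUSH-collapsing and vocabulary steps are assumptions about preprocessing (the abstract does not state the paper's exact tokenisation), and `SAMPLE` is a constructed Solidity entry prologue.

```python
# Added example (not the paper's code): EVM runtime bytecode -> opcode sequence
# -> integer ids, i.e. the input representation for an opcode-level model.
from typing import Dict, List, Optional, Tuple

# Subset of the EVM instruction set; anything not listed is reported, not guessed.
OPCODES: Dict[int, str] = {
    0x00: "STOP", 0x01: "ADD", 0x02: "MUL", 0x03: "SUB", 0x04: "DIV",
    0x10: "LT", 0x11: "GT", 0x14: "EQ", 0x15: "ISZERO", 0x16: "AND",
    0x1B: "SHL", 0x1C: "SHR",
    0x33: "CALLER", 0x34: "CALLVALUE", 0x35: "CALLDATALOAD", 0x36: "CALLDATASIZE",
    0x50: "POP", 0x51: "MLOAD", 0x52: "MSTORE", 0x54: "SLOAD", 0x55: "SSTORE",
    0x56: "JUMP", 0x57: "JUMPI", 0x5B: "JUMPDEST", 0x5F: "PUSH0",
    0xF1: "CALL", 0xF3: "RETURN", 0xFD: "REVERT", 0xFE: "INVALID", 0xFF: "SELFDESTRUCT",
}
# PUSH1..PUSH32, DUP1..DUP16 and SWAP1..SWAP16 occupy contiguous ranges.
for n in range(1, 33):
    OPCODES[0x5F + n] = f"PUSH{n}"
for n in range(1, 17):
    OPCODES[0x7F + n] = f"DUP{n}"
    OPCODES[0x8F + n] = f"SWAP{n}"

Instruction = Tuple[int, str, Optional[str]]  # (pc, mnemonic, operand hex or None)


def disassemble(hex_code: str) -> List[Instruction]:
    """Linear sweep over runtime bytecode.

    PUSHn operand bytes are consumed so they are never misread as opcodes.
    A PUSH cut off by the end of the code is still emitted with its operand
    zero-padded (the EVM reads missing bytes as zero), so the token sequence
    matches what would actually execute."""
    code = bytes.fromhex(hex_code[2:] if hex_code.startswith("0x") else hex_code)
    out: List[Instruction] = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        name = OPCODES.get(op, f"UNKNOWN_0x{op:02X}")
        if 0x60 <= op <= 0x7F:  # PUSH1..PUSH32 carry 1..32 operand bytes
            width = op - 0x5F
            operand = code[pc + 1 : pc + 1 + width].ljust(width, b"\x00")
            out.append((pc, name, "0x" + operand.hex()))
            pc += 1 + width
        else:
            out.append((pc, name, None))
            pc += 1
    return out


def opcode_sequence(hex_code: str, collapse_push: bool = False) -> List[str]:
    """Mnemonic sequence with operands dropped. With collapse_push=True,
    PUSH1..PUSH32 become one PUSH token, a common vocabulary reduction
    (assumption: not necessarily the paper's tokenisation)."""
    seq: List[str] = []
    for _pc, name, _operand in disassemble(hex_code):
        if collapse_push and name.startswith("PUSH") and name != "PUSH0":
            name = "PUSH"
        seq.append(name)
    return seq


def build_vocab(seqs: List[List[str]]) -> Dict[str, int]:
    """Assign integer ids in first-seen order; ids 0 and 1 are reserved."""
    vocab = {"<unk>": 0, "<pad>": 1}
    for seq in seqs:
        for tok in seq:
            vocab.setdefault(tok, len(vocab))
    return vocab


def encode(seq: List[str], vocab: Dict[str, int]) -> List[int]:
    """Map mnemonics to ids (unknown tokens -> 0), ready for an embedding layer."""
    return [vocab.get(tok, 0) for tok in seq]


# Constructed sample: the usual Solidity prologue (set the free-memory pointer,
# then revert if ether was sent to a non-payable entry point). The JUMPI target
# 0x0010 lands on the JUMPDEST at pc 16.
SAMPLE = "608060405234801561001057600080fd5b50"

if __name__ == "__main__":
    for pc, name, operand in disassemble(SAMPLE):
        print(f"{pc:04x}  {name:<10} {operand or ''}")
    seq = opcode_sequence(SAMPLE)
    vocab = build_vocab([seq])
    print(seq)
    print(encode(seq, vocab))
```

Operands are dropped before encoding because PUSH immediates (addresses, selectors, constants) would otherwise explode the vocabulary; a real pipeline would also strip the CBOR metadata that the Solidity compiler appends to runtime bytecode before disassembling.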
Data availability
The datasets analyzed during the current study are available in the SmartBugs-Wild repository [https://github.com/smartbugs/smartbugs-wild] and smart contract dataset [https://github.com/jianwei76/SoliAudit].
Author information
Contributions
VKJ helped in conceptualization, methodology, formal analysis, resources, validation, data curation, visualization, and writing—original draft. MT contributed to formal analysis, methodology, validation, writing—review and editing, and supervision.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest with regard to this manuscript.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Jain, V.K., Tripathi, M. An integrated deep learning model for Ethereum smart contract vulnerability detection. Int. J. Inf. Secur. 23, 557–575 (2024). https://doi.org/10.1007/s10207-023-00752-5
DOI: https://doi.org/10.1007/s10207-023-00752-5