DOI: 10.1145/3597926.3598063 (ISSTA Conference Proceedings, research article)

Definition and Detection of Defects in NFT Smart Contracts

Published: 13 July 2023

Abstract

Recently, the birth of non-fungible tokens (NFTs) has attracted great attention. NFTs can represent users' ownership on the blockchain and have seen tremendous market sales due to their popularity. Unfortunately, the high value of NFTs also makes them a target for attackers: defects in NFT smart contracts can be exploited to harm the security and reliability of the NFT ecosystem. Despite the significance of this issue, there is a lack of systematic work focused on analyzing NFT smart contracts, which raises concerns about the security of users' NFTs. To address this gap, in this paper we introduce 5 defects in NFT smart contracts. Each defect is defined and illustrated with a code example highlighting its features and consequences, paired with possible solutions to fix it. Furthermore, we propose a tool named NFTGuard to detect the defined defects based on a symbolic execution framework. Specifically, NFTGuard extracts information about state variables from the contract's abstract syntax tree (AST), which is critical for identifying variable-loading and storing operations during symbolic execution. NFTGuard also recovers source-code-level features from the bytecode to effectively locate defects and report them based on predefined detection patterns. We run NFTGuard on 16,527 real-world smart contracts and evaluate it against manually labeled results. We find that 1,331 contracts contain at least one of the 5 defects, and the overall precision achieved by our tool is 92.6%.


Cited By

  • (2024) StateGuard: Detecting State Derailment Defects in Decentralized Exchange Smart Contract. Companion Proceedings of the ACM Web Conference 2024, pp. 810-813. DOI: 10.1145/3589335.3651562. Online publication date: 13 May 2024.
  • (2024) CRPWarner: Warning the Risk of Contract-Related Rug Pull in DeFi Smart Contracts. IEEE Transactions on Software Engineering 50(6), pp. 1534-1547. DOI: 10.1109/TSE.2024.3392451. Online publication date: June 2024.
  • (2024) Non-Fungible Tokens (NFTs)—Survey of Current Applications, Evolution, and Future Directions. IEEE Open Journal of the Communications Society 5, pp. 2765-2791. DOI: 10.1109/OJCOMS.2023.3343926. Online publication date: 2024.

Published In

ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2023, 1554 pages
ISBN: 9798400702211
DOI: 10.1145/3597926
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. NFTs
    2. defects definition and detection
    3. smart contracts
    4. symbolic execution

Conference

ISSTA '23

    Acceptance Rates

    Overall Acceptance Rate 58 of 213 submissions, 27%
