research-article

Towards Effective Static Analysis Approaches for Security Vulnerabilities in Smart Contracts

Author:

Asem GhalebAuthors Info & Claims

ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering

Article No.: 127, Pages 1 - 5

https://doi.org/10.1145/3551349.3559567

Published: 05 January 2023 Publication History

Abstract

The growth in the popularity of smart contracts has been accompanied by a rise in security attacks targeting smart contracts, which have led to financial losses of millions of dollars and erosion of trust. To enable developers discover vulnerabilities in smart contracts, several static analysis tools have been proposed. However, despite the numerous bug-finding tools, security vulnerabilities abound in smart contracts, and developers rely on finding vulnerabilities manually. Our goal in this dissertation study is to expand the space of security vulnerabilities detection by proposing effective static analysis approaches for smart contracts. We study the effectiveness of the existing static analysis tools and propose solutions for security vulnerabilities detection relying on analyzing the dependency of the contract code on user inputs that lead to security vulnerabilities. Our results of evaluating static analysis tools show that existing static tools for smart contracts have significant false-negatives and false-positives. Further, the results show that our first vulnerability detection approach achieves a significant improvement in the effectiveness of detecting vulnerabilities compared to the prior work.

References

[1]

2016. The DAO smart contract. http://etherscan.io/address/0xbb9bc244d798123fde783fcc1c72d3bb8c189413#code.

[2]

2017. History of Ethereum Security Vulnerabilities, Hacks, and Their Fixes. https://applicature.com/blog/blockchain-technology/history-of-ethereum-security-vulnerabilities-hacks-and-their-fixes

[3]

2017. The parity wallet breach. https://bitcoinexchangeguide.com/parity-wallet-breach.

[4]

2018. Accidental’s bug froze $280 million worth of ether in Parity wallet. https://www.cnbc.com/2017/11/08/accidental-bug-may-have-frozen-280-worth-of-ether-on-parity-wallet.html.

[5]

2018. New batchOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018–10299). https://medium.com/@peckshield/alert-new-batchoverflow-bug-in-multiple-erc20-smart-contracts-cve-2018-10299-511067db6536

[6]

2022. Smart Contract Weakness Classification. https://swcregistry.io.

[7]

Sefa Akca, Ajitha Rajan, and Chao Peng. 2019. SolAnalyser: A Framework for Analysing and Testing Smart Contracts. In 2019 26th Asia-Pacific Software Engineering Conference (APSEC). IEEE, 482–489.

[8]

Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2018. Discovering flaws in security-focused static analysis tools for Android using systematic mutation. In 27th {USENIX} Security Symposium ({USENIX} Security 18). 1263–1280.

[9]

Lexi Brent, Neville Grech, Sifis Lagouvardos, Bernhard Scholz, and Yannis Smaragdakis. 2020. Ethainter: a smart contract security analyzer for composite vulnerabilities. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation. 454–469.

Digital Library

[10]

Ting Chen, Youzheng Feng, Zihao Li, Hao Zhou, Xiapu Luo, Xiaoqi Li, Xiuzhuo Xiao, Jiachi Chen, and Xiaosong Zhang. 2020. Gaschecker: Scalable analysis for discovering gas-inefficient smart contracts. IEEE Transactions on Emerging Topics in Computing (2020).

[11]

Ting Chen, Xiaoqi Li, Xiapu Luo, and Xiaosong Zhang. 2017. Under-optimized smart contracts devour your money. In 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, 442–446.

[12]

Ting Chen, Zihao Li, Hao Zhou, Jiachi Chen, Xiapu Luo, Xiaoqi Li, and Xiaosong Zhang. 2018. Towards saving money in using smart contracts. In 2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER). IEEE, 81–84.

Digital Library

[13]

Chris Dannen. 2017. Introducing Ethereum and Solidity. Vol. 1. Springer.

[14]

Brendan Dolan-Gavitt, Patrick Hulin, Engin Kirda, Tim Leek, Andrea Mambretti, Wil Robertson, Frederick Ulrich, and Ryan Whelan. 2016. Lava: Large-scale automated vulnerability addition. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 110–121.

[15]

Thomas Durieux, João F Ferreira, Rui Abreu, and Pedro Cruz. 2020. Empirical review of automated analysis tools on 47,587 ethereum smart contracts. In Proceedings of the ACM/IEEE 42nd International conference on software engineering. 530–541.

Digital Library

[16]

Josselin Feist, Gustavo Grieco, and Alex Groce. 2019. Slither: a static analysis framework for smart contracts. In 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). IEEE, 8–15.

Digital Library

[17]

Asem Ghaleb and Karthik Pattabiraman. 2020. How effective are smart contract analysis tools? evaluating smart contract static analysis tools using bug injection. In Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis. 415–427.

Digital Library

[18]

Asem Ghaleb, Julia Rubin, and Karthik Pattabiraman. 2022. eTainter: Detecting Gas-Related Vulnerabilities in Smart Contracts. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. 728–739.

Digital Library

[19]

GitHub. 2020. SolidiFI. https://github.com/DependableSystemsLab/SolidiFI

[20]

GitHub. 2020. SolidiFI Benchmark. https://github.com/DependableSystemsLab/SolidiFI-benchmark

[21]

GitHub. 2022. eTainter. https://github.com/DependableSystemsLab/eTainter

[22]

Neville Grech, Michael Kong, Anton Jurisevic, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. 2018. Madmax: Surviving out-of-gas conditions in ethereum smart contracts. Proceedings of the ACM on Programming Languages 2, OOPSLA(2018), 1–27.

Digital Library

[23]

Ilya Grishchenko, Matteo Maffei, and Clara Schneidewind. 2018. A semantic framework for the security analysis of ethereum smart contracts. In International Conference on Principles of Security and Trust. Springer, 243–269.

[24]

Johannes Krupp and Christian Rossow. 2018. {teEther}: Gnawing at Ethereum to Automatically Exploit Smart Contracts. In 27th USENIX Security Symposium (USENIX Security 18). 1317–1333.

[25]

Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. 2016. Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 254–269.

Digital Library

[26]

Florian Mathieu and Ryno Mathee. 2017. Blocktix: decentralized event hosting and ticket distribution network. https://www.cryptoground.com/storage/files/1527588859-blocktix-wp-draft.pdf.

[27]

Mark Mossberg, Felipe Manzano, Eric Hennenfent, Alex Groce, Gustavo Grieco, Josselin Feist, Trent Brunson, and Artem Dinaburg. 2019. Manticore: A user-friendly symbolic execution framework for binaries and smart contracts. In 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 1186–1189.

Digital Library

[28]

Bernhard Mueller. 2022. Mythril. https://github.com/ConsenSys/mythril. https://github.com/ConsenSys/mythril

[29]

Ivica Nikolić, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor. 2018. Finding the greedy, prodigal, and suicidal contracts at scale. In Proceedings of the 34th annual computer security applications conference. 653–663.

Digital Library

[30]

Daniel Perez and Benjamin Livshits. 2019. Smart Contract Vulnerabilities: Does Anyone Care?arXiv preprint arXiv:1902.06710(2019).

[31]

Jannik Pewny and Thorsten Holz. 2016. EvilCoder: automated bug insertion. In Proceedings of the 32nd Annual Conference on Computer Security Applications. ACM, 214–225.

Digital Library

[32]

Andrei Sabelfeld and Andrew C Myers. 2003. Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21, 1(2003), 5–19.

Digital Library

[33]

Sergei Tikhomirov, Ekaterina Voskresenskaya, Ivan Ivanitskiy, Ramil Takhaviev, Evgeny Marchenko, and Yaroslav Alexandrov. 2018. Smartcheck: Static analysis of ethereum smart contracts. In Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain. 9–16.

Digital Library

[34]

Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian Buenzli, and Martin Vechev. 2018. Securify: Practical security analysis of smart contracts. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 67–82.

Digital Library

[35]

Web. 2017. GovernMental. https://www.reddit.com/r/ethereum/comments/4ghzhv/governmentals_1100_eth_jackpot_payout_is_stuck

[36]

Web. 2022. Decentralized Application Security Project (or DASP) Top 10. https://dasp.co

[37]

Web. 2022. Decentralized finance (DeFi). https://ethereum.org/en/defi

[38]

Weiqin Zou, David Lo, Pavneet Singh Kochhar, Xuan-Bach D Le, Xin Xia, Yang Feng, Zhenyu Chen, and Baowen Xu. 2019. Smart contract development: Challenges and opportunities. IEEE Transactions on Software Engineering(2019).

Cited By

Le TKim JLee SKim H(2024)Robust Vulnerability Detection in Solidity-Based Ethereum Smart Contracts Using Fine-Tuned Transformer Encoder ModelsIEEE Access10.1109/ACCESS.2024.348238912(154700-154717)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3482389
Liu TZhao GZheng K(2024)SolSecure: A Security Analyzer for Integer Bugs in Smart ContractsBlockchain and Web3.0 Technology Innovation and Application10.1007/978-981-97-9412-6_9(97-105)Online publication date: 3-Nov-2024
https://doi.org/10.1007/978-981-97-9412-6_9
Mohanty DAnand D(2023)Evaluating the Remix Solidity Static Analysis Plugin Using SB Curated Dataset2023 7th International Conference On Computing, Communication, Control And Automation (ICCUBEA)10.1109/ICCUBEA58933.2023.10391994(1-4)Online publication date: 18-Aug-2023
https://doi.org/10.1109/ICCUBEA58933.2023.10391994

Index Terms

Towards Effective Static Analysis Approaches for Security Vulnerabilities in Smart Contracts
1. Security and privacy
  1. Software and application security

Recommendations

eTainter: detecting gas-related vulnerabilities in smart contracts
ISSTA 2022: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis

The execution of smart contracts on the Ethereum blockchain consumes gas paid for by users submitting contracts' invocation requests. A contract execution proceeds as long as the users dedicate enough gas, within the limit set by Ethereum. If ...
How effective are smart contract analysis tools? evaluating smart contract static analysis tools using bug injection
ISSTA 2020: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis

Security attacks targeting smart contracts have been on the rise, which have led to financial loss and erosion of trust. Therefore, it is important to enable developers to discover security vulnerabilities in smart contracts before deployment. A number ...
Empirical vulnerability analysis of automated smart contracts security testing on blockchains
CASCON '18: Proceedings of the 28th Annual International Conference on Computer Science and Software Engineering

The emerging blockchain technology supports decentralized computing paradigm shift and is a rapidly approaching phenomenon. While blockchain is thought primarily as the basis of Bitcoin, its application has grown far beyond cryptocurrencies due to the ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering

October 2022

2006 pages

ISBN:9781450394758

DOI:10.1145/3551349

Copyright © 2022 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 January 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ASE '22

ASE '22: 37th IEEE/ACM International Conference on Automated Software Engineering

October 10 - 14, 2022

MI, Rochester, USA

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
274
Total Downloads

Downloads (Last 12 months)112
Downloads (Last 6 weeks)7

Reflects downloads up to 25 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Le TKim JLee SKim H(2024)Robust Vulnerability Detection in Solidity-Based Ethereum Smart Contracts Using Fine-Tuned Transformer Encoder ModelsIEEE Access10.1109/ACCESS.2024.348238912(154700-154717)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3482389
Liu TZhao GZheng K(2024)SolSecure: A Security Analyzer for Integer Bugs in Smart ContractsBlockchain and Web3.0 Technology Innovation and Application10.1007/978-981-97-9412-6_9(97-105)Online publication date: 3-Nov-2024
https://doi.org/10.1007/978-981-97-9412-6_9
Mohanty DAnand D(2023)Evaluating the Remix Solidity Static Analysis Plugin Using SB Curated Dataset2023 7th International Conference On Computing, Communication, Control And Automation (ICCUBEA)10.1109/ICCUBEA58933.2023.10391994(1-4)Online publication date: 18-Aug-2023
https://doi.org/10.1109/ICCUBEA58933.2023.10391994

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents