Yue Li,Han Liu,Zhiqiang Yang,Qian Ren,Lei Wang,Bangdao Chen

DOI: https://doi.org/10.1109/ICDCS47774.2020.00116

2020-01-01

Abstract:Smart contracts on the Ethereum blockchain are notoriously known as vulnerable to external attacks. Many of their issues led to a considerably large financial loss as they resulted from broken payments by digital assets, e.g., cryptocurrency. Existing research focused on specific patterns to find such problems, e.g., reentrancy bug, nondeterministic recipient etc., yet may lead to false alarms or miss important issues. To mitigate these limitations, we designed the SAFEPAY analysis framework to find unfair payments in Ethereum smart contracts. Compared to existing analyzers, SAFEPAY can detect potential blockchain transactions with feasible exploits thus effectively avoid false reports. Specifically, the detection is driven by a systematic search for violations on fair value exchange (FVE), i.e., a new security invariant introduced in SAFEPAY to indicate that each party "fairly" pays to others. The preliminary evaluation validated the efficacy of SAFEPAY by reporting previously unknown issues and decreasing the number of false alarms.

Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Mingxi Ye,Xingwei Lin,Yuhong Nan,Jiajing Wu,Zibin Zheng

DOI: https://doi.org/10.1145/3650212.3680321

2024-01-01

Abstract:In the context of boosting smart contract applications, prioritizing their security becomes paramount. Smart contract exploits often result in notable financial losses. Ensuring their security is by no means trivial. Rather than resulting in program crashes, most attacks in on-chain smart contracts aim to induce financial loss, referred to as profitable exploits. By constructing seemingly innocuous inputs, profitable exploits try to extract extra profit or compromise the interests of others. However, due to the complexity of call chains in on-chain smart contracts and the need for effective oracles for profitable exploits, smart contract fuzzing suffers from low efficiency and low effectiveness in finding profitable exploits. In this paper, we present Midas, a novel feedback-driven fuzzing framework to mine profitable exploits in on-chain smart contracts effectively. Midas consists of two modules: diverse validity fuzzing and profitable transaction identification. The diverse validity fuzzing module applies two waypoints to efficiently generate valid transactions, addressing the complexity of on-chain smart contract call chains. The profitable transaction identification module applies differential analysis to effectively identify profitable exploits, addressing the limitation of ad-hoc oracles. Evaluation of Midas over on-chain smart contracts showed it effectively identified 40 real-world exploits with a precision of 80%, outperforming state-of-the-art tools (i.e., ItyFuzz and Slither) in both efficiency and effectiveness. Particularly, Midas effectively mines five unknown exploits in valuable smart contracts, and two of them have already been confirmed by their DApp developers.

Jian Liu,Wenting Li,Ghassan O. Karame,N. Asokan

DOI: https://doi.org/10.1109/msp.2018.2701163

IF: 3.105

2018-01-01

IEEE Security & Privacy

Abstract:Motivated by the great success and adoption of Bitcoin, a number of cryptocurrencies such as Litecoin, Dogecoin, and Ethereum are becoming increasingly popular. Although existing blockchain-based cryptocurrency schemes can ensure reasonable security for transactions, they do not consider any notion of fairness. Fair exchange allows two players to exchange digital "items", such as digital signatures, over insecure networks fairly, so that either each player gets the other's item, or neither player does. Given that blockchain participants typically do not trust each other, enabling fairness in existing cryptocurrencies is an essential but insufficiently explored problem. In this paper, we explore the solution space for enabling the fair exchange of a cryptocurrency payment for a receipt. We identify the timeliness of an exchange as an important property especially when one of the parties involved in the exchange is resource-constrained. We introduce the notion of strong timeliness for a fair exchange protocol and propose two fair payment-for-receipt protocol instantiations that leverage functionality of the blockchain to achieve strong timeliness. We implement both and compare their security and efficiency.

Tengyun Jiao,Zhiyu Xu,Minfeng Qi,Sheng Wen,Yang Xiang,Gary Nan

DOI: https://doi.org/10.1145/3643895

2024-02-12

Abstract:A smart contract is a computerised transaction agreement that carries out predefined terms without human involvement or third-party intermediaries. It serves as a trust intermediary in several industries, including finance, insurance, and supply chain management, in the blockchain 2.0 era. With the increasing interest in smart contracts, security has become a serious problem. Examining typical vulnerability types and vulnerability detection methodologies is of special importance. In this research, a comprehensive evaluation of common smart contract security vulnerabilities is conducted, and a three-tier threat model is then provided to classify the vulnerabilities. In addition, we examine fourteen existing smart contract analysis tools for finding vulnerabilities and classify them according to the main technique they apply. This paper is designed to serve as a reference for people who wish to analyse deployed code and enhance existing detection techniques. At the conclusion, open issues and future research paths regarding smart contract vulnerability detection are presented.

Xiaoli Zhang,Wenxiang Sun,Zhicheng Xu,Hongbing Cheng,Chengjun Cai,Helei Cui,Qi Li

DOI: https://doi.org/10.1109/tifs.2024.3349852

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:Recently, smart contracts have been widely applied in security-sensitive fields yet are fragile to various vulnerabilities and attacks. Regarding this, existing research efforts either statically scrutinize smart contracts' code or detect suspicious transaction execution flows. However, they either fail to timely protect contracts or only handle a small subset of well-known vulnerabilities. In the paper, we propose - that secures vulnerable smart contracts in real-time via fine-grained access control over sensitive states. The behind rationale is most of attacks aim to manipulate money-related states (e.g., tokens) for profits. Specifically, transaction-level state access control policies are first defined by developers and then translated into EVM-level policies with contract-aware function-level state access permissions. In policy enforcement, - introduces a hybrid storage analyzer to accurately identify (dynamic-allocated) storage locations for policy-involved states and a multi-stage cache based filter to fast revert bad transactions with unexpected state access behaviors. Finally, we conduct thorough experiments using 12 types of real-world contract vulnerabilities and all open-source smart contracts on the first blocks of Ethereum. The results demonstrate that - outperforms two state-of-the-art runtime analysis tools in terms of attack detection. Extensive performance evaluations with real-world transactions show that - can block 100% unexpected state accesses at the cost of 8% throughput degradation (compared with the native EVM).

computer science, theory & methods,engineering, electrical & electronic

Yue Zhu

DOI: https://doi.org/10.1155/2022/1331237

2022-07-18

Abstract:Smart contracts are widely employed in many industries as a result of the high-quality development of science and economic technology, as well as the introduction of blockchain, which can automatically conduct retrieval, verification, and payment tasks. Smart contracts as an emerging topic, particularly the study of smart legal contracts, must remain forward-looking, and the smart contract sector cannot wait for the legal status of smart contracts to be resolved before advancing. The relative lag of the law becomes unavoidable due to the unassembled and unpredictable character of the law and thus its legislation. In this paper, we explore the incorporation of smart contracts into the scope of legal regulation, the construction of a series of systems for smart contracts, and the prognosis of smart contracts in terms of contract logic, arbitration process, and formal verification from the current law. Furthermore, a smart contract payment template based on semantic-aware graph neural networks is proposed to address the traditional smart contract vulnerability detection payment template method's low detection accuracy and high false alarm rate, as well as the neural network-based method's insufficient mining of bytecode-level smart contract features. Experiments comparing the method described in this research to comparable methods reveal that the strategy proposed in this study improves all types of indicators significantly.

Shoupeng Ren,Lipeng He,Tianyu Tu,Di Wu,Jian Liu,Kui Ren,Chun Chen

2024-09-19

Abstract:Decentralized Finance (DeFi) incidents stemming from the exploitation of smart contract vulnerabilities have culminated in financial damages exceeding 3 billion US dollars. Existing defense mechanisms typically focus on detecting and reacting to malicious transactions executed by attackers that target victim contracts. However, with the emergence of private transaction pools where transactions are sent directly to miners without first appearing in public mempools, current detection tools face significant challenges in identifying attack activities effectively. Based on the fact that most attack logic rely on deploying one or more intermediate smart contracts as supporting components to the exploitation of victim contracts, in this paper, we propose a new direction for detecting DeFi attacks that focuses on identifying adversarial contracts instead of adversarial transactions. Our approach allows us to leverage common attack patterns, code semantics and intrinsic characteristics found in malicious smart contracts to build the LookAhead system based on Machine Learning (ML) classifiers and a transformer model that is able to effectively distinguish adversarial contracts from benign ones, and make just-in-time predictions of potential zero-day attacks. Our contributions are three-fold: First, we construct a comprehensive dataset consisting of features extracted and constructed from recent contracts deployed on the Ethereum and BSC blockchains. Secondly, we design a condensed representation of smart contract programs called Pruned Semantic-Control Flow Tokenization (PSCFT) and use it to train a combination of ML models that understand the behaviour of malicious codes based on function calls, control flows and other pattern-conforming features. Lastly, we provide the complete implementation of LookAhead and the evaluation of its performance metrics for detecting adversarial contracts.

Cryptography and Security

Peng Qian,Rui Cao,Zhenguang Liu,Wenqing Li,Ming Li,Lun Zhang,Yufeng Xu,Jianhai Chen,Qinming He

DOI: https://doi.org/10.48550/arXiv.2309.02391

2023-09-07

Abstract:Decentralized Finance (DeFi) is emerging as a peer-to-peer financial ecosystem, enabling participants to trade products on a permissionless blockchain. Built on blockchain and smart contracts, the DeFi ecosystem has experienced explosive growth in recent years. Unfortunately, smart contracts hold a massive amount of value, making them an attractive target for attacks. So far, attacks against smart contracts and DeFi protocols have resulted in billions of dollars in financial losses, severely threatening the security of the entire DeFi ecosystem. Researchers have proposed various security tools for smart contracts and DeFi protocols as countermeasures. However, a comprehensive investigation of these efforts is still lacking, leaving a crucial gap in our understanding of how to enhance the security posture of the smart contract and DeFi landscape. To fill the gap, this paper reviews the progress made in the field of smart contract and DeFi security from the perspective of both vulnerability detection and automated repair. First, we analyze the DeFi smart contract security issues and challenges. Specifically, we lucubrate various DeFi attack incidents and summarize the attacks into six categories. Then, we present an empirical study of 42 state-of-the-art techniques that can detect smart contract and DeFi vulnerabilities. In particular, we evaluate the effectiveness of traditional smart contract bug detection tools in analyzing complex DeFi protocols. Additionally, we investigate 8 existing automated repair tools for smart contracts and DeFi protocols, providing insight into their advantages and disadvantages. To make this work useful for as wide of an audience as possible, we also identify several open issues and challenges in the DeFi ecosystem that should be addressed in the future.

Cryptography and Security,Software Engineering

Nikolay Ivanov,Chenning Li,Qiben Yan,Zhiyuan Sun,Zhichao Cao,Xiapu Luo

DOI: https://doi.org/10.1145/3593293

2023-01-01

Abstract:The blockchain technology has been used for recording state transitions of smart contracts - decentralized applications that can be invoked through external transactions. Smart contracts gained popularity and accrued hundreds of billions of dollars in market capitalization in recent years. Unfortunately, like all other programs, smart contracts are prone to security vulnerabilities that have incurred multimillion-dollar damages over the past decade. As a result, many automated threat mitigation solutions have been proposed to counter the security issues of smart contracts. These threat mitigation solutions include various tools and methods that are challenging to compare. This survey develops a comprehensive classification taxonomy of smart contract threat mitigation solutions within five orthogonal dimensions: defense modality, core method, targeted contracts, input-output data mapping, and threat model. We classify 133 existing threat mitigation solutions using our taxonomy and confirm that the proposed five dimensions allow us to concisely and accurately describe any smart contract threat mitigation solution. In addition to learning what the threat mitigation solutions do, we also show how these solutions work by synthesizing their actual designs into a set of uniform workflows corresponding to the eight existing defense core methods. We further create an integrated coverage map for the known smart contract vulnerabilities by the existing threat mitigation solutions. Finally, we perform the evidence-based evolutionary analysis, in which we identify trends and future perspectives of threat mitigation in smart contracts and pinpoint major weaknesses of the existing methodologies. For the convenience of smart contract security developers, auditors, users, and researchers, we deploy a regularly updated comprehensive open-source online registry of threat mitigation solutions.

Hanting Chu,Pengcheng Zhang,Hai Dong,Yan Xiao,Shunhui Ji,Wenrui Li

DOI: https://doi.org/10.1016/j.infsof.2023.107221

IF: 3.9

2023-07-01

Information and Software Technology

Abstract:Smart contracts contain many built-in security features, such as non-immutability once being deployed and non-involvement of third parties for contract execution. These features reduce security risks and enhance users’ trust towards smart contracts. However, smart contract security issues still persist, resulting in huge financial losses. Contract publishers cannot fully cover contract vulnerabilities through contract version updating. These security issues affect further development of blockchain technologies. So far, there are many related studies focusing on smart contract security issues and tend to discuss from a particular perspective (e.g., development cycle, vulnerability attack methods, security detection tools, etc.). However, smart contract security is a complicated issue that needs to be explored from a multi-dimensional perspective. In this paper, we explore smart contract security from the perspectives of vulnerability data sources, vulnerability detection, and vulnerability defense. We first analyze the existing security issues and challenges of smart contracts, investigate the existing vulnerability classification frameworks and common security vulnerabilities, followed by reviewing the existing contract vulnerability injection, detection, and repair methods. We then analyze the performance of existing security methods. Next, we summarize the current status of smart contract security-related research. Finally, we summarize the state of the art and future trends of smart contract security-related research. This paper aims to provide systematic knowledge and references to this research field.

computer science, information systems, software engineering

Fuchen Ma,Meng Ren,Ying Fu,Mingzhe Wang,Huizhong Li,Houbing Song,Yu Jiang

DOI: https://doi.org/10.1016/j.ipm.2021.102565

IF: 7.466

2021-01-01

Information Processing & Management

Abstract:Smart contracts are more sensitive from a security perspective than other software due to several reasons. First, smart contracts are immutable thus cannot be easily patched once deployed. Second, smart contracts are directly tied to payments and can hold millions of dollars' worth of digital currencies. Third, smart contracts are still a new practice thus do not have best coding practices and development lifecycles tailored for decentralized apps yet. Even though several testing and verification tools have been developed, smart contract vulnerabilities remain a clear and present danger. In this paper, we present an approach that is different from existing ones that attempt to eliminate vulnerabilities from smart contracts. Instead, we fortify Ethereum virtual machines (EVM) to stop dangerous transactions once vulnerabilities are detected in real-time. Since proving programs written in Turing-complete languages is undecidable, our approach complements current approaches by catching vulnerabilities and interrupts their executions during runtime. We have implemented our reinforcement on two widely used EVMs (js-evm and FISCO-BCOS-evm). The reinforced EVMs detects and interrupts all the vulnerabilities, 20% of them missed by testing tools, in 100 real smart contracts. Our approach is practical with less than 34% overhead. In fact, the reinforced FISCO-BCOS-evm has been integrated into the official release of FISCO-BCOS adopted by a large Chinese bank WeBank.

Haijun Wang,Yurui Hu,Hao Wu,Dijun Liu,Chenyang Peng,Yin Wu,Ming Fan,Ting Liu

DOI: https://doi.org/10.1145/3691620.3695526

2024-01-01

Abstract:Smart contracts are susceptible to various vulnerabilities that can be exploited by hackers via developing adversarial contracts. Existing vulnerability detection techniques often concentrate solely on vulnerable contracts, neglecting adversarial contracts, which may weaken the effectiveness of vulnerability detection and fail to meet practical needs. In this paper, we propose Skyeye, a novel technique that integrates adversarial and vulnerable contracts together to detect vulnerabilities and resulting imminent attacks. Skyeye works during the stage after adversarial contracts have been deployed but before attack transactions are initiated, providing a critical time window for emergency response to mitigate potential losses. Upon deployment of a smart contract, Skyeye detects whether it is adversarial, and then utilizes the probabilistic matching technique to localize victim contracts. By pairing adversarial and victim contracts, Skyeye comprehensively extracts complete attack behaviors. Furthermore, Skyeye leverages Large Language Model (LLM) to decide the types of vulnerabilities exploited by adversarial contracts. Our evaluation, conducted on 174 real-world adversarial contracts from 159 incidents resulting in financial losses totaling approximately $1.36 billion, demonstrates Skyeye's effectiveness in detecting vulnerabilities and imminent attacks. Compared to state-of-the-art techniques, e.g., BlockWatchdog and Slither, Skyeye also reveals the superior performance.

Jianzhong Su,Jiyi Liu,Yuhong Nan,Yin Li

DOI: https://doi.org/10.1109/icss55994.2022.00016

2022-01-01

Abstract:As a computer program running on top of blockchain, smart contract not only proliferates the diversity of applications but also brings a myriad of security issues that lead to huge financial losses. As a result, security evaluation of smart contracts, such as vulnerability identification and attack detection, has received extensive attention in recent years. Given that various types of approaches have been proposed for smart contract security analysis, a systematization of knowledge for this domain is needed. To this end, in this paper, we systematically review the related literature in recent years and describe the mainstream approaches to the security evaluation of smart contracts. Specifically, we classify state-of-the-art analysis techniques for smart contract analysis into two categories, namely, code-based approaches and transaction-based approaches. Further, we elaborate on the key techniques adopted by these works respectively. We highlight and summarize the key challenges in future research for smart contract security analysis. Our research provides a more in-depth understanding of the state-of-the-art works for securing smart contracts, which may shed light on future research in this area.

Shunfan Zhou,Zhemin Yang,Jie Xiang,Yinzhi Cao,Min Yang,Yuan Zhang

2020-01-01

Abstract:Smart contract security has drawn much attention due to many severe incidents with huge ether and token losses. As a consequence, researchers have proposed to detect smart contract vulnerabilities via code analysis. However, code analysis only shows what contracts can be attacked, but not what have been attacked, and more importantly, what attacks have been prevented in the real world. In this paper, we present the first comprehensive measurement study to analyze real-world attacks and defenses adopted in the wild based on the transaction logs produced by uninstrumented Ethereum Virtual Machine (EVM). Specifically, our study decouples two important factors of an adversarial transaction--i.e., (i) an adversarial action exploiting the vulnerable contract and (ii) an adversarial consequence like ether or token transfers resulted from the action--for the analysis of attacks and defenses. The results of our study reveal a huge volume of attacks beyond what have been studied in the literature, e.g., those targeting new vulnerability types like airdrop hunting and those targeting zero-day variants of known vulnerabilities. Besides successful attacks, our study also shows attempted attacks that are prevented due to the deployments of defenses. As the nature of cyber-security, those defenses have also been evaded, mainly due to incomplete defense deployments. To summarize it, we believe that this is an ever-evolving game between adversaries obtaining illegal profits and defenders shielding their own contracts.

Yi Chen,Luyi Xing,Yue Qin,Xiaojing Liao,XiaoFeng Wang,Kai Chen,Wei Zou

2019-01-01

Abstract:Finding logic flaws today relies on the program analysis that leverages the functionality information reported in the program's documentation. Our research, however, shows that the documentation alone may already contain information for predicting the presence of some logic flaws, even before the code is analyzed. Our first step on this direction focuses on emerging syndication services that facilitate integration of multiple payment services (e.g., Alipay, Wechat Pay, PayPal, etc.) into merchant systems. We look at whether a syndication service will cause some security requirements (e.g., checking payment against price) to become unenforceable due to losing visibility of some key parameters (e.g., payment, price) to the parties involved in the syndication, or bring in implementation errors when required security checks fail to be communicated to the developer. For this purpose, we developed a suite of Natural Language Processing techniques that enables automatic inspection of the syndication developer's guide, based upon the payment models and security requirements from the payment service. Our approach is found to be effective in identifying these potential problems from the guide, and leads to the discovery of 5 new security-critical flaws in popular Chinese merchant systems that can cause circumvention of payment once exploited.

NI Yuandong,ZHANG Chao,YIN Tingting

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2020.05.07

2020-01-01

Journal of Cyber Security

Abstract:Smart contract is a decentralized application that operates on a blockchain platform, providing secure and reliable capabilities to contract participants. Smart contracts play an important role in decentralized application scenarios. They are widely used in many fields, such as equity crowdfunding, games, insurance, and the Internet of Things, making them attractive to attackers. Compared to traditional programs, the security of smart contracts affects not only the fairness of contracts but also the safety of high volume digital assets on the blockchain managed by contracts. Therefore, analyzing the security of smart contracts and associated vulnerabilities is crucial. In this paper, we analyzed the characteristics of smart contracts and new security risks they bring. We propose a three-layer threat model, i.e., threats from high-level languages, virtual machines, and the blockchain, for characterizing smart contract security. We use the world′s largest smart contract platform Ethereum as an example to illustrate 15 types of common vulnerabilities in smart contracts. We then summarize the main challenges and progress of smart contract security research on vulnerability, including automated vulnerability detection, automated exploit generation and mitigations for smart contracts. At the end of this paper, we highlight the future of smart contract security research, and proposed two potential research directions.

Wansen Wang,Wenchao Huang,Zhaoyi Meng,Yan Xiong,Fuyou Miao,Xianjin Fang,Caichang Tu,Renjie Ji

2023-01-01

Abstract:Nowadays millions of Ethereum smart contracts are created per year and become attractive targets for financially motivated attackers. However, existing analyzers are not sufficient to analyze the financial security of a large number of contracts precisely. In this paper, we propose and implement FASVERIF, an automated inference system for fine-grained analysis of smart contracts. FASVERIF automatically generates models to be verified against security properties of smart contracts. Besides, different from existing approaches of formal verifications, our inference system also automatically generates the security properties. Specifically, we propose two types of security properties, invariant properties and equivalence properties, which can be used to detect various types of finance-related vulnerabilities and can be automatically generated based on our statistical analysis. As a result, FASVERIF can automatically process source code of smart contracts, and uses formal methods whenever possible to simultaneously maximize its accuracy. We also prove the soundness of verifying our properties using our translated model based on a custom semantics of Solidity. We evaluate FASVERIF on a vulnerabilities dataset of 549 contracts by comparing it with other automatic tools. Our evaluation shows that FASVERIF greatly outperforms the representative tools using different technologies, with respect to accuracy and coverage of types of vulnerabilities. We also evaluate FASVERIF on a real-world dataset of 1700 contracts, and find 13 contracts with bugs that can still be leveraged by adversaries online.

Yuyao Zhang,Siqi Ma,Juanru Li,Kailai Li,Surya Nepal,Dawu Gu

DOI: https://doi.org/10.1109/saner48275.2020.9054825

2020-01-01

Abstract:The immutable feature of blockchain determines that traditional security response mechanisms (e.g., code patching) must change to remedy insecure smart contracts. The only proper way to protect a smart contract is to fix potential risks in its code before it is deployed to the blockchain. However, existing tools for smart contract security analysis focus on the detection of bugs but seldom consider the code fix issues. Meanwhile, it is often time-consuming and error-prone for a developer to understand and fix flawed code manually. In this paper we propose SMARTSHIELD, a bytecode rectification system, to fix three typical security-related bugs (i.e., state changes after external calls, missing checks for out-of-bound arithmetic operations, and missing checks for failing external calls) in smart contracts automatically and help developers release secure contracts. Moreover, SMARTSHIELD guarantees that the rectified contract is not only immune to certain attacks but also gas-friendly (i.e., a slightly increase of gas cost). To evaluate the effectiveness and efficiency of SMARTSHIELD, we applied it to 28,621 real-world buggy contracts on Ethereum blockchain (as of January 2nd2019). Experiment results demonstrated that among 95,502 insecure cases in those contracts, 87,346 (91.5%) of them were automatically fixed by SMARTSHIELD. A following test with both program analysis and real-world exploits further testified that the rectified contracts were secure against common attacks. Moreover, the rectification only introduced a 0.2 % gas increment for each contract on average.

Meihua Xiao,Yangping Xu,Zehuan Li,Hongbin Wan

DOI: https://doi.org/10.3390/electronics13204093

IF: 2.9

2024-10-18

Electronics

Abstract:The development of smart contracts remains in its early stages, with significant differences in underlying programming languages and application platforms resulting in a lack of standardization. This lack of standardization increases the susceptibility to vulnerabilities and associated financial losses. To address security vulnerabilities in smart contracts on the Ethereum blockchain platform, this paper proposes a security audit method based on formal verification. The method integrates an input module, static analysis module, formal verification module, analog execution module, and report and recommendation module, which can accurately discover the security vulnerabilities and logical flaws of smart contracts through formal verification and other analysis techniques, thus realizing correctness detection. During the experiment, the method detects 8 types of common vulnerabilities in 148 smart contracts and marks 21 smart contracts with vulnerabilities. After manual review and analysis, it is found that 17 of these 21 marked smart contracts do have security vulnerabilities. The experimental results show that the proposed method can accurately detect security vulnerabilities and logic flaws in smart contracts through formal verification and other analysis techniques before smart contracts are deployed, thus significantly improving the security of smart contracts and reducing the economic losses that may be caused by code defects.

engineering, electrical & electronic,computer science, information systems,physics, applied