Peng Qian,Zhenguang Liu,Yifang Yin,Qinming He

DOI: https://doi.org/10.1145/3543507.3583367

2023-01-01

Abstract:Over the past couple of years, smart contracts have been plagued by multifarious vulnerabilities, which have led to catastrophic financial losses. Their security issues, therefore, have drawn intense attention. As countermeasures, a family of tools has been developed to identify vulnerabilities in smart contracts at the source-code level. Unfortunately, only a small fraction of smart contracts is currently open-sourced. Another spectrum of work is presented to deal with pure bytecode, but most such efforts still suffer from relatively low performance due to the inherent difficulty in restoring abundant semantics in the source code from the bytecode. This paper proposes a novel cross-modality mutual learning framework for enhancing smart contract vulnerability detection on bytecode. Specifically, we engage in two networks, a student network as the primary network and a teacher network as the auxiliary network. takes two modalities, i.e., source code and its corresponding bytecode as inputs, while is fed with only bytecode. By learning from , is trained to infer the missed source code embeddings and combine both modalities to approach precise vulnerability detection. To further facilitate mutual learning between and , we present a cross-modality mutual learning loss and two transfer losses. As a side contribution, we construct and release a labeled smart contract dataset that concerns four types of common vulnerabilities. Experimental results show that our method significantly surpasses state-of-the-art approaches.

Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Ruidong Chen,Yangyang Liu,Shiping Huang,Yuyan Sun,Guozheng Li,Qiwen Jiang

DOI: https://doi.org/10.1109/ICCBD-AI62252.2023.00022

2023-12-15

Abstract:The increasement of blockchain applications has brought about many security issues, with smart contract vulnerabilities causing significant financial losses. The majority of current smart contract vulnerability detection methods predominantly rely on static analysis of the source code and predefined expert rules. However, these approaches exhibit certain limitations, characterized by their restricted scalability and lower detection accuracy. Therefore in this paper, we use graph neural networks to perform smart contract vulnerability detection at the bytecode level, aiming to address the aforementioned issues. In particular, we propose a novel detection model. In order to acquire a comprehensive understanding of the dependencies among individual functions within a smart contract, we first construct a Program Dependency Graph(PDG) of functions, extract function-level features using graph neural networks, then augment function-level features using a self-attentive mechanism to learn the dependencies between functions, and finally aggregate function-level features for detecting the vulnerabilities. Our model possesses the capability to identify the subtle nuances in the interactions and interdependencies among different functions, consequently enhancing the precision of vulnerability detection. Experimental results show the performance of the method compared to existing smart contract vulnerability detection methods across multiple evaluation metrics.

Computer Science

Yujian Zhang,Daifu Liu

DOI: https://doi.org/10.3390/fi14110326

2022-11-12

Future Internet

Abstract:With the blooming of blockchain-based smart contracts in decentralized applications, the security problem of smart contracts has become a critical issue, as vulnerable contracts have resulted in severe financial losses. Existing research works have explored vulnerability detection methods based on fuzzing, symbolic execution, formal verification, and static analysis. In this paper, we propose two static analysis approaches called ASGVulDetector and BASGVulDetector for detecting vulnerabilities in Ethereum smart contacts from source-code and bytecode perspectives, respectively. First, we design a novel intermediate representation called abstract semantic graph (ASG) to capture both syntactic and semantic features from the program. ASG is based on syntax information but enriched by code structures, such as control flow and data flow. Then, we apply two different training models, i.e., graph neural network (GNN) and graph matching network (GMN), to learn the embedding of ASG and measure the similarity of the contract pairs. In this way, vulnerable smart contracts can be identified by calculating the similarity to labeled ones. We conduct extensive experiments to evaluate the superiority of our approaches to state-of-the-art competitors. Specifically, ASGVulDetector improves the best of three source-code-only static analysis tools (i.e., SmartCheck, Slither, and DR-GCN) regarding the F1 score by 12.6% on average, while BASGVulDetector improves that of the three detection tools supporting bytecode (i.e., ContractFuzzer, Oyente, and Securify) regarding the F1 score by 25.6% on average. We also investigate the effectiveness and advantages of the GMN model for detecting vulnerabilities in smart contracts.

Dawei Yuan,Xiaohui Wang,Yao Li,Tao Zhang

DOI: https://doi.org/10.1016/j.jss.2023.111699

IF: 3.5

2023-04-08

Journal of Systems and Software

Abstract:Smart contracts have been widely used in the blockchain world these years, and simultaneously vulnerability detection has gained more and more attention due to the staggering economic losses caused by the attacker. Existing tools that analyze vulnerabilities for smart contracts heavily rely on rules predefined by experts, which are labour-intense and require domain knowledge. Moreover, predefined rules tend to be misconceptions and increase the risk of crafty potential back-doors in the future. Recently, researchers mainly used static and dynamic execution analysis to detect the vulnerabilities of smart contracts and have achieved acceptable results. However, the dynamic method cannot cover all the program inputs and execution paths, which leads to some vulnerabilities that are hard to detect. The static analysis method commonly includes symbolic execution and theorem proving, which requires using constraints to detect vulnerability. These shortcomings show that traditional methods are challenging to apply and expand on a large scale. This paper aims to detect vulnerabilities via the Bug Injection framework and transfer learning techniques. First, we train a Transformer encoder using multi-modality code, which contains source code, intermediate representation, and assembly code. The input code consists separately of Solidity source code, intermediate representation, and assembly code. Specifically, we translate source code into the intermediate representation and decompile the byte code into assembly code by the EVM compiler. Then, we propose a novel entropy embedding technique, which combines token embedding, segment embedding, and positional embedding of the Transformer encoder in our approach. After that, we utilize the Bug Injection framework to automatically generate specific types of buggy code for fine-tuning and evaluating the performance of vulnerability detection. The experimental results show that our proposed approach improves the performance in detecting reentrancy vulnerabilities and timestamp dependence. Moreover, our approach is more flexible and scalable than static and dynamic analysis approaches in detecting smart contract vulnerabilities. Our approach improves the baseline approaches by an average of 11.89% in term of F1 score.

computer science, theory & methods, software engineering

Zhenguang Liu,Peng Qian,Xiang Wang,Lei Zhu,Qinming He,Shouling Ji

DOI: https://doi.org/10.48550/arXiv.2106.09282

2021-06-17

Abstract:Smart contracts hold digital coins worth billions of dollars, their security issues have drawn extensive attention in the past years. Towards smart contract vulnerability detection, conventional methods heavily rely on fixed expert rules, leading to low accuracy and poor scalability. Recent deep learning approaches alleviate this issue but fail to encode useful expert knowledge. In this paper, we explore combining deep learning with expert patterns in an explainable fashion. Specifically, we develop automatic tools to extract expert patterns from the source code. We then cast the code into a semantic graph to extract deep graph features. Thereafter, the global graph feature and local expert patterns are fused to cooperate and approach the final prediction, while yielding their interpretable weights. Experiments are conducted on all available smart contracts with source code in two platforms, Ethereum and VNT Chain. Empirically, our system significantly outperforms state-of-the-art methods. Our code is released.

Machine Learning,Programming Languages

Li Duan,Wei Wang,Chunhong Liu,Liu Yang,Wei Ni

DOI: https://doi.org/10.1109/TNSM.2023.3278311

2023-12-01

IEEE Transactions on Network and Service Management

Abstract:Digital assets involved in smart contracts are on the rise. Security vulnerabilities in smart contracts have resulted in significant losses for the blockchain community. Existing smart contract vulnerability detection techniques have been typically single-purposed and focused only on the source code or opcode of contracts. This paper presents a new smart contract vulnerability detection method, which extracts features from different levels of smart contracts to train machine learning models for effective detection of vulnerabilities. Specifically, we propose to extract 2-gram features from the opcodes of smart contracts and token features from the source code using a pre-trained CodeBERT model, thereby capturing the semantic information of smart contracts at different levels. The 2-gram and token features are separately aggregated and then fused and input into machine-learning models to mine the vulnerability features of contracts. Over 10,266 smart contracts are used to verify the proposed method. Widespread reentrancy, timestamp dependence, and transaction-ordering dependence vulnerabilities are considered. Experiments show the fused features can help significantly improve smart contract vulnerability detection compared to the single-level features. The detection accuracy is as high as 98%, 98% and 94% for the three vulnerabilities, respectively. The average detection time is 0.99 second per contract, indicating the proposed method is suitable for automatic batch detection of vulnerabilities in smart contracts.

Computer Science

Zhigang Xu,Xingxing Chen,Xinhua Dong,Hongmu Han,Zhongzhen Yan,Kangze Ye,Chaojun Li,Zhiqiang Zheng,Haitao Wang,Jiaxi Zhang

DOI: https://doi.org/10.4018/ijdwm.320473

2023-03-22

International Journal of Data Warehousing and Mining

Abstract:Efficient and convenient vulnerability detection for smart contracts is a key issue in the field of smart contracts. The earlier vulnerability detection for smart contracts mainly relies on static symbol analysis, which has high accuracy but low efficiency and is prone to path explosion. In this paper, the authors propose a static method for vulnerability detection based on deep learning. It first disassembles Ethereum smart contracts into opcode sequences and then converts the vulnerability detection problem into a natural language text classification problem. The word vector method is employed to map each opcode to a uniform vector space, and the opcode sequence matrix is trained by the TextCNN method to detect vulnerabilities. Furthermore, a code obfuscation method is given to enhance and balance the dataset, while three different opcode sequence generation methods are proposed to construct features. The experimental results verify that the average prediction accuracy of each smart contract exceeds 96%, and the average detection time is less than 0.1 s.

computer science, software engineering

Dongcheng Li,W. Eric Wong,Xiaodan Wang,Sean Pan,Liang-Seng Koh

2024-10-01

Abstract:This paper introduces a method for detecting vulnerabilities in smart contracts using static analysis and a multi-objective optimization algorithm. We focus on four types of vulnerabilities: reentrancy, call stack overflow, integer overflow, and timestamp dependencies. Initially, smart contracts are compiled into an abstract syntax tree to analyze relationships between contracts and functions, including calls, inheritance, and data flow. These analyses are transformed into static evaluations and intermediate representations that reveal internal relations. Based on these representations, we examine contract's functions, variables, and data dependencies to detect the specified vulnerabilities. To enhance detection accuracy and coverage, we apply a multi-objective optimization algorithm to the static analysis process. This involves assigning initial numeric values to input data and monitoring changes in statement coverage and detection accuracy. Using coverage and accuracy as fitness values, we calculate Pareto front and crowding distance values to select the best individuals for the new parent population, iterating until optimization criteria are met. We validate our approach using an open-source dataset collected from Etherscan, containing 6,693 smart contracts. Experimental results show that our method outperforms state-of-the-art tools in terms of coverage, accuracy, efficiency, and effectiveness in detecting the targeted vulnerabilities.

Software Engineering

Zeqin Liao,Zibin Zheng,Xiao Chen,Yuhong Nan

DOI: https://doi.org/10.1145/3533767.3534222

2022-01-01

Abstract:With the increasing popularity of blockchain, automatically detecting vulnerabilities in smart contracts is becoming a significant problem. Prior research mainly identifies smart contract vulnerabilities without considering the interactions between multiple contracts. Due to the lack of analyzing the fine-grained contextual information during cross-contract invocations, existing approaches often produced a large number of false positives and false negatives. This paper proposes SmartDagger, a new framework for detecting cross-contract vulnerability through static analysis at the bytecode level. SmartDagger integrates a set of novel mechanisms to ensure its effectiveness and efficiency for cross-contract vulnerability detection. Particularly, SmartDagger effectively recovers the contract attribute information from the smart contract bytecode, which is critical for accurately identifying cross-contract vulnerabilities. Besides, instead of performing the typical whole-programanalysis which is heavy-weight and time-consuming, SmartDagger selectively analyzes a subset of functions and reuses the data-flow results, which helps to improve its efficiency. Our further evaluation over a manually labelled dataset showed that SmartDagger significantly outperforms other state-of-the-art tools (i.e., Oyente, Slither, Osiris, and Mythril) for detecting cross-contract vulnerabilities. In addition, running SmartDagger over a randomly selected dataset of 250 smart contracts in the real-world, SmartDagger detects 11 cross-contract vulnerabilities, all of which are missed by prior tools.

Zhenguang Liu,Peng Qian,Xiaoyang Wang,Yuan Zhuang,Lin Qiu,Xun Wang

DOI: https://doi.org/10.1109/tkde.2021.3095196

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Smart contract vulnerability detection draws extensive attention in recent years due to the substantial losses caused by hacker attacks. Existing efforts for contract security analysis heavily rely on rigid rules defined by experts, which are labor-intensive and non-scalable. More importantly, expert-defined rules tend to be error-prone and suffer the inherent risk of being cheated by crafty attackers. Recent researches focus on the symbolic execution and formal analysis of smart contracts for vulnerability detection, yet to achieve a precise and scalable solution. Although several methods have been proposed to detect vulnerabilities in smart contracts, there is still a lack of effort that considers combining expert-defined security patterns with deep neural networks. In this paper, we explore using graph neural networks and expert knowledge for smart contract vulnerability detection. Specifically, we cast the rich control- and data- flow semantics of the source code into a contract graph. To highlight the critical nodes in the graph, we further design a node elimination phase to normalize the graph. Then, we propose a novel temporal message propagation network to extract the graph feature from the normalized graph, and combine the graph feature with designed expert patterns to yield a final detection system. Extensive experiments are conducted on all the smart contracts that have source code in Ethereum and VNT Chain platforms. Empirical results show significant accuracy improvements over the state-of-the-art methods on three types of vulnerabilities, where the detection accuracy of our method reaches 89.15, 89.02, and 83.21 percent for reentrancy, timestamp dependence, and infinite loop vulnerabilities, respectively.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Zhaoxuan Li,Siqi Lu,Rui Zhang,Ziming Zhao,Rujin Liang,Rui Xue,Wenhao Li,Fan Zhang,Sheng Gao

DOI: https://doi.org/10.1109/tse.2023.3317209

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:With the economic development of Ethereum, the frequent security incidents involving smart contracts running on this platform have caused billions of dollars in losses. Consequently, there is a pressing need to identify the vulnerabilities in contracts, while the state-of-the-art (SOTA) detection methods have been limited in this regard as they cannot overcome three challenges at the same time. (i) Meet the requirements of detecting the source code, bytecode, and opcode of contracts simultaneously; (ii) reduce the reliance on manual pre-defined rules/patterns and expert involvement; (iii) assist contract developers in completing the contract lifecycle more safely, e.g., vulnerability repair and abnormal monitoring. With the development of machine learning (ML), using it to detect the contract runtime execution sequences (called instances) has made it possible to address these challenges. However, the lack of datasets with fine-grained sequence labels poses a significant obstacle, given the unreadability of bytecode/opcode. To this end, we propose a method named VulHunter that extracts the instances by traversing the Control Flow Graph built from contract opcodes. Based on the hybrid attention and multi-instance learning mechanisms, VulHunter reasons the instance labels and designs an optional classifier to automatically capture the subtle features of both normal and defective contracts, thereby identifying the vulnerable instances. Then, it combines the symbolic execution to construct and solve symbolic constraints to validate their feasibility. Finally, we implement a prototype of VulHunter with 15K lines of code and compare it with 9 SOTA methods on five open source datasets including 52,042 source codes and 184,289 bytecodes. The results indicate that VulHunter can detect contract vulnerabilities more accurately (90.04% accurate rate and 85.60% F1 score), efficiently (only took 4.4 seconds per contract), and robustly (0% analysis failed rate) than the SOTA methods. Also, it can focus on specific metrics such as precision and recall by employing different baseline models and hyperparameters to meet the various user requirements, e.g., vulnerability discovery and misreport mitigation. More importantly, compared with the previous ML-based arts, it can not only provide classification results, defective contract source code statements, key opcode fragments, and vulnerable execution paths, but also eliminate misreports and facilitate more operations such as vulnerability repair and attack simulation during the contract lifecycle.

engineering, electrical & electronic,computer science, software engineering

Bing Chen,Jie Cai,Xiaobing Sun,Jiale Zhang,Bin Li

DOI: https://doi.org/10.1109/saner56733.2023.00101

2023-03-01

Abstract:Existing smart contract vulnerability detection efforts heavily rely on fixed rules defined by experts, which are inefficient and inflexible. To overcome the limitations of existing vulnerability detection approaches, we propose a GNN based approach. First, we construct a graph representation for a smart contract function with syntactic and semantic features by combining abstract syntax tree (AST), control flow graph (CFG), and program dependency graph (PDG). To further strengthen the presentation ability of our approach, we perform program slicing to normalize the graph and eliminate the redundant information unrelated to vulnerabilities. Then, we use a Bidirectional Gated Graph Neural-Network model with hybrid attention pooling to identify potential vulnerabilities in smart contract functions. Experiment results show that our approach can achieve 89.2% precision and 92.9% recall in smart contract vulnerability detection on our dataset and reveal the effectiveness and efficiency of our approach.

Computer Science

Jiale Li,Xiao Yu,Jie Yu,Haoxin Sun,Mengdi Sun

DOI: https://doi.org/10.1007/978-981-97-5588-2_27

2024-01-01

Abstract:Smart contracts can contain vulnerable program code, making their security a significant concern in the past few years. Traditional detection techniques rely on expert defined features and source code analysis, but both have scalability issues and high false alarm rates. This paper presents a method for the detection of vulnerabilities in smart contracts, employing a multi graph convolutional neural network and self-attention mechanism. The method models the key function information, flow of control, and flow of data information of the smart contract source code as a semantic graph to emphasize the relationship between the flow of data and the flow of control in program operation. It predicts learning edges between nodes in the graph using an edge prediction network and constructs a multi graph of the smart contract semantics. Additionally, it utilizes a self-attention mechanism to gather and extract features from many layers to achieve precise detection of smart contract vulnerabilities. Outcomes of an experiment demonstrate that the proposed vulnerability detection method has significant advantages in identifying reentrant vulnerabilities and timestamp dependency vulnerabilities, with accuracy rates of 92.5% and 92.67%.

Yingli Zhang,Jiali Ma,Xin Liu,Guodong Ye,Qun Jin,Jianhua Ma,Qingguo Zhou

DOI: https://doi.org/10.1109/jiot.2023.3294496

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) has become a focus of information infrastructure development in recent years. The smart blockchain can provide various solutions for trust, security, and privacy (TSP) challenges to protect IoT data, and smart contracts are the foundation of blockchain intelligence, and greatly enhance the ability of smart blockchain to solve TSP problems. So the security of smart contracts must be addressed. We propose an efficient smart contract vulnerability detector to improve the safety of smart contracts. It comprises a graph extraction method and a complete vulnerability detection process. The graph extraction method consists of vulnerability pattern extraction and a graph generation process. The vulnerability detection process first uses the approximate graph matching algorithm to select representative SCGraphs from the dataset to build vulnerability SCGraph libraries. Secondly, determine whether the contract contains vulnerabilities by calculating the similarity between the SCGraphs generated from the contracts to be detected and the SCGraphs in the vulnerability library. Experiments show that our approach achieves an inspiring high detection rate and is the fastest among existing vulnerability detection tools, which indicates that it can provide good vulnerability detection for smart contracts.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tao Feng,Yuyang Cui

DOI: https://doi.org/10.4018/ijswis.342850

2024-05-02

International Journal on Semantic Web and Information Systems

Abstract:In recent years, smart contracts have risen rapidly in the blockchain field, but security issues have also become increasingly prominent. Due to the lack of unified evaluation standards, the security analysis of smart contracts mainly relies on complex and not easily scalable expert rules. To address these issues, we employ slicing techniques to reduce the interference of extraneous code on the detection process, apply normalisation techniques to eliminate the differences between different compiler versions and use particle swarm optimisation algorithms to determine the similarity between contracts, thus improving the accuracy and efficiency of detection. In addition, we combine a variety of features such as static analysis, dynamic analysis and symbolic execution to gain a more comprehensive understanding of contract characteristics and behaviours for more accurate vulnerability identification. Experimental results show that the scheme significantly improves the detection capability and provides a new solution for the security detection of smart contracts.

computer science, information systems, artificial intelligence

Zhipeng Gao,Lingxiao Jiang,Xin Xia,David Lo,John Grundy

DOI: https://doi.org/10.1109/TSE.2020.2971482

2020-01-20

Abstract:Smart contracts have been increasingly used together with blockchains to automate financial and business transactions. However, many bugs and vulnerabilities have been identified in many contracts which raises serious concerns about smart contract security, not to mention that the blockchain systems on which the smart contracts are built can be buggy. Thus, there is a significant need to better maintain smart contract code and ensure its high reliability. In this paper, we propose an automated approach to learn characteristics of smart contracts in Solidity, which is useful for clone detection, bug detection and contract validation on smart contracts. Our new approach is based on word embeddings and vector space comparison. We parse smart contract code into word streams with code structural information, convert code elements (e.g., statements, functions) into numerical vectors that are supposed to encode the code syntax and semantics, and compare the similarities among the vectors encoding code and known bugs, to identify potential issues. We have implemented the approach in a prototype, named SmartEmbed. Results show that our tool can effectively identify many repetitive instances of Solidity code, where the clone ratio is around 90\%. Code clones such as type-III or even type-IV semantic clones can also be detected accurately. Our tool can identify more than 1000 clone related bugs based on our bug databases efficiently and accurately. Our tool can also help to efficiently validate any given smart contract against a known set of bugs, which can help to improve the users' confidence in the reliability of the contract. The anonymous replication packages can be accessed at: <a class="link-external link-https" href="https://drive.google.com/file/d/1kauLT3y2IiHPkUlVx4FSTda-dVAyL4za/view?usp=sharing" rel="external noopener nofollow">this https URL</a>, and evaluated it with more than 22,000 smart contracts collected from the Ethereum blockchain.

Software Engineering

Feng Luo,Ruijie Luo,Ting Chen,Ao Qiao,Zheyuan He,Shuwei Song,Yu Jiang,Sixing Li

DOI: https://doi.org/10.1145/3597503.3639213

2023-01-01

Abstract:Due to the rapid development of blockchain, security issues caused by smart contract vulnerabilities are receiving increasingly widespread attention. Unfortunately, traditional smart contract vulnerability detection methods rely heavily on expert knowledge and elaborate rules, while neural network-based vulnerability detection methods have not yet achieved satisfactory accuracy either. In this paper, we propose a novel vulnerability detection method for smart contracts called VULDET. We first construct a contract graph based on the structure of the smart contract source code and combine security domain knowledge to attach additional features to nodes in the graph that are closely associated with vulnerabilities to highlight key nodes, and finally use graph attention networks for contract vulnerability detection. We apply VULDET to reentrancy vulnerability as well as timestamp dependency vulnerability detection and conduct extensive experiments, and the results show that our approach has significant advantages over existing methods.

Di Zhu,Feng Yue,Jianmin Pang,Xin Zhou,Wenjie Han,Fudong Liu

DOI: https://doi.org/10.3390/electronics11040597

IF: 2.9

2022-02-15

Electronics

Abstract:In recent years, the number of smart contracts running in the blockchain has increased rapidly, accompanied by many security problems, such as vulnerability propagation caused by code reuse or vicious transaction caused by malicious contract deployment, for example. Most smart contracts do not publish the source code, but only the bytecode. Based on the research of bytecode similarity of smart contract, smart contract upgrade, vulnerability search and malicious contract analysis can be carried out. The difficulty of bytecode similarity research is that different compilation versions and optimization options lead to the diversification of bytecode of the same source code. This paper presents a solution, including a series of methods to measure the similarity of smart contract bytecode. Starting from the opcode of smart contract, a method of pre-training the basic block sequence of smart contract is proposed, which can embed the basic block vector. Positive samples were obtained by basic block marking, and the negative sampling method is improved. After these works, we put the obtained positive samples, negative samples and basic blocks themselves into the triplet network composed of transformers. Our solution can obtain evaluation results with an accuracy of 97.8%, so that the basic block sequence of optimized and unoptimized options can be transformed into each other. At the same time, the instructions are normalized, and the order of compiled version instructions is normalized. Experiments show that our solution can effectively reduce the bytecode difference caused by optimization options and compiler version, and improve the accuracy by 1.4% compared with the existing work. We provide a data set covering 64 currently used Solidity compilers, including one million basic block pairs extracted from them.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhifeng Wang,Wanxuan Wu,Chunyan Zeng,Jialong Yao,Yang Yang,Hongmin Xu

2023-03-08

Abstract:With the development of blockchain technology, more and more attention has been paid to the intersection of blockchain and education, and various educational evaluation systems and E-learning systems are developed based on blockchain technology. Among them, Ethereum smart contract is favored by developers for its ``event-triggered" mechanism for building education intelligent trading systems and intelligent learning platforms. However, due to the immutability of blockchain, published smart contracts cannot be modified, so problematic contracts cannot be fixed by modifying the code in the educational blockchain. In recent years, security incidents due to smart contract vulnerabilities have caused huge property losses, so the detection of smart contract vulnerabilities in educational blockchain has become a great challenge. To solve this problem, this paper proposes a graph neural network (GNN) based vulnerability detection for smart contracts in educational blockchains. Firstly, the bytecodes are decompiled to get the opcode. Secondly, the basic blocks are divided, and the edges between the basic blocks according to the opcode execution logic are added. Then, the control flow graphs (CFG) are built. Finally, we designed a GNN-based model for vulnerability detection. The experimental results show that the proposed method is effective for the vulnerability detection of smart contracts. Compared with the traditional approaches, it can get good results with fewer layers of the GCN model, which shows that the contract bytecode and GCN model are efficient in vulnerability detection.

Cryptography and Security,Machine Learning