Zheng Cao,Yi Zhen,Gang Fan,Sheng Gao

DOI: https://doi.org/10.48550/arxiv.2208.05168

2022-01-01

Abstract: The emergence of metaverse brings tremendous evolution to Non-Fungible Tokens (NFTs), which could certify the ownership the unique digital asset in the cyber world. The NFT market has garnered unprecedented attention from investors and created billions of dollars in transaction volume. Meanwhile, securing NFT is still a challenging issue. Recently, numerous incidents of NFT theft have been reported, leading to incalculable losses for holders. We propose a decentralized NFT anti-theft mechanism called TokenPatronus, which supports the general ERC-721 standard and provide the holders with strong property protection. TokenPatronus contains pre-event protection, in-event interruption, and post-event replevin enhancements for the complete NFTs transactions stages. Four modules are designed to make up the decentralized anti-theft mechanism, including the decentralized access control (DAC), the decentralized risk management (DRM), the decentralized arbitration system (DAS) and the ERC-721G standard smart contract. TokenPatronus is performing on the Turtlecase NFT project of Ethereum and will support more blockchains in the future.

Dabao Wang,Hang Feng,Siwei Wu,Yajin Zhou,Lei Wu,Xingliang Yuan

DOI: https://doi.org/10.1145/3545948.3545963

2022-01-01

Abstract:The prosperity of decentralized finance motivates many investors to profit via trading their crypto assets on decentralized applications (DApps for short) of the Ethereum ecosystem. Apart from Ether (the native cryptocurrency of Ethereum), many ERC20 (a widely used token standard on Ethereum) tokens obtain vast market value in the ecosystem. Specifically, the approval mechanism is used to delegate the privilege of spending users’ tokens to DApps. By doing so, the DApps can transfer these tokens to arbitrary receivers on behalf of the users. To increase the usability, unlimited approval is commonly adopted by DApps to reduce the required interaction between them and their users. However, as shown in existing security incidents, this mechanism can be abused to steal users’ tokens. In this paper, we present the first systematic study to quantify the risk of unlimited approval of ERC20 tokens on Ethereum. Specifically, by evaluating existing transactions up to 31st July 2021, we find that unlimited approval is prevalent (60%, 15.2M/25.4M) in the ecosystem, and 22% of users have a high risk of their approved tokens for stealing. After that, we investigate the security issues that are involved in interacting with the UIs of 22 representative DApps and 9 famous wallets to prepare the approval transactions. The result reveals the worrisome fact that all DApps request unlimited approval from the front-end users and only 10% (3/31) of UIs provide explanatory information for the approval mechanism. Meanwhile, only 16% (5/31) of UIs allow users to modify their approval amounts. Finally, we take a further step to characterize the user behavior into five modes and formalize the good practice, i.e., on-demand approval and timely spending, towards securely spending approved tokens. However, the evaluation result suggests that only 0.2% of users follow the good practice to mitigate the risk. Our study sheds light on the risk of unlimited approval and provides suggestions to secure the approval mechanism of the ERC20 tokens on Ethereum.

Ting Chen,Yufei Zhang,Zihao Li,Xiapu Luo,Ting Wang,Rong Cao,Xiuzhuo Xiao,Xiaosong Zhang

DOI: https://doi.org/10.1145/3319535.3345664

2019-01-01

Abstract:Motivated by the success of Bitcoin, lots of cryptocurrencies have been created, the majority of which were implemented as smart contracts running on Ethereum and called tokens. To regulate the interaction between these tokens and users as well as third-party tools (e.g., wallets, exchange markets, etc.), several standards have been proposed for the implementation of token contracts. Although existing tokens involve lots of money, little is known whether or not their behaviors are consistent with the standards. Inconsistent behaviors can lead to user confusion and financial loss, because users/third-party tools interact with token contracts by invoking standard interfaces and listening to standard events. In this work, we take the first step to investigate such inconsistent token behaviors with regard to ERC-20, the most popular token standard. We propose a novel approach to automatically detect such inconsistency by contrasting the behaviors derived from three different sources, including the manipulations of core data structures recording the token holders and their shares, the actions indicated by standard interfaces, and the behaviors suggested by standard events. We implement our approach in a new tool named TokenScope and use it to inspect all transactions sent to the deployed tokens. We detected 3,259,001 transactions that trigger inconsistent behaviors, and these behaviors resulted from 7,472 tokens. By manually examining all (2,353) open-source tokens having inconsistent behaviors, we found that the precision of TokenScope is above 99.9%. Moreover, we revealed 11 major reasons behind the inconsistency, e.g., flawed tokens, standard methods missing, lack of standard events, etc. In particular, we discovered 50 unreported flawed tokens.

Zheyuan He,Shuwei Song,Yang Bai,Xiapu Luo,Ting Chen,Wensheng Zhang,Peng He,Hongwei Li,Xiaodong Lin,Xiaosong Zhang

DOI: https://doi.org/10.1145/3560263

IF: 3.685

2023-01-31

ACM Transactions on Software Engineering and Methodology

Abstract:Tokens have become an essential part of blockchain ecosystem, so recognizing token transfer behaviors is crucial for applications depending on blockchain. Unfortunately, existing solutions cannot recognize token transfer behaviors accurately and efficiently because of their incomplete patterns and inefficient designs. This work proposes TokenAware , a novel online system for recognizing token transfer behaviors. To improve accuracy, TokenAware infers token transfer behaviors from modifications of internal bookkeeping of a token smart contract for recording the information of token holders (e.g., their addresses and shares). However, recognizing bookkeeping is challenging, because smart contract bytecode does not contain type information. TokenAware overcomes the challenge by first learning the instruction sequences for locating basic types and then deriving the instruction sequences for locating sophisticated types that are composed of basic types. To improve efficiency, TokenAware introduces four optimizations. We conduct extensive experiments to evaluate TokenAware with real blockchain data. Results show that TokenAware can automatically identify new types of bookkeeping and recognize 107,202 tokens with 98.7% precision. TokenAware with optimizations merely incurs 4% overhead, which is 1/345 of the overhead led by the counterpart with no optimization. Moreover, we develop an application based on TokenAware to demonstrate how it facilitates malicious behavior detection.

computer science, software engineering

Hao Tan,Shuangzhou Yan,Xin Zou,Guanghuan Xie,Hongxin Zhang,Zhuo Li

DOI: https://doi.org/10.1109/icdmw60847.2023.00093

2023-01-01

Abstract:Tokenization has emerged as a pivotal topic in fintech. It involves converting indivisible assets into divisible tokens, streamlining their trade and management. While asset tokenization offers benefits like reduced entry barriers, faster transaction settlements, and improved asset liquidity, it also presents challenges, notably concerns like money laundering and terrorism financing. The current landscape lacks comprehensive regulatory measures, allowing unrestricted access for both token issuers and buyers. To address the aforementioned challenges, this paper introduces the FCToken framework, meticulously designed to facilitate compliance tokenization across diverse scenarios and asset types. Innovatively, the framework operates at both the Token and Identity levels, encompassing four core modules to actualize compliance token issuance. Leveraging this framework, we have devised a prototype system, integrating both a GUI low-code module and a gas fee prediction mechanism. Such integrations not only bolster compliance-centric development efficiency but also proffer users methodologies to curtail gas expenditures during the token issuance process.

Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Reza Rahimian,Jeremy Clark

DOI: https://doi.org/10.48550/arXiv.2107.02997

2021-07-07

Abstract:ERC-20 is the most prominent Ethereum standard for fungible tokens. Tokens implementing the ERC-20 interface can interoperate with a large number of already deployed internet-based services and Ethereum-based smart contracts. In recent years, security vulnerabilities in ERC-20 have received special attention due to their widespread use and increased value. We systemize these vulnerabilities and their applicability to ERC-20 tokens, which has not been done before. Next, we use our domain expertise to provide a new implementation of the ERC-20 interface that is freely available in Vyper and Solidity, and has enhanced security properties and stronger compliance with best practices compared to the sole surviving reference implementation (from OpenZeppelin) in the ERC-20 specification. Finally, we use our implementation to study the effectiveness of seven static analysis tools, designed for general smart contracts, for identifying ERC-20 specific vulnerabilities. We find large inconsistencies across the tools and a high number of false positives which shows there is room for further improvement of these tools.

Cryptography and Security

Tianle Sun,Ningyu He,Jiang Xiao,Yinliang Yue,Xiapu Luo,Haoyu Wang

2024-05-31

Abstract:In Ethereum, the practice of verifying the validity of the passed addresses is a common practice, which is a crucial step to ensure the secure execution of smart contracts. Vulnerabilities in the process of address verification can lead to great security issues, and anecdotal evidence has been reported by our community. However, this type of vulnerability has not been well studied. To fill the void, in this paper, we aim to characterize and detect this kind of emerging vulnerability. We design and implement AVVERIFIER, a lightweight taint analyzer based on static EVM opcode simulation. Its three-phase detector can progressively rule out false positives and false negatives based on the intrinsic characteristics. Upon a well-established and unbiased benchmark, AVVERIFIER can improve efficiency 2 to 5 times than the SOTA while maintaining a 94.3% precision and 100% recall. After a large-scale evaluation of over 5 million Ethereum smart contracts, we have identified 812 vulnerable smart contracts that were undisclosed by our community before this work, and 348 open source smart contracts were further verified, whose largest total value locked is over $11.2 billion. We further deploy AVVERIFIER as a real-time detector on Ethereum and Binance Smart Chain, and the results suggest that AVVERIFIER can raise timely warnings once contracts are deployed.

Cryptography and Security,Software Engineering

Fuchen Ma,Meng Ren,Lerong Ouyang,Yuanliang Chen,Juan Zhu,Ting Chen,Yingli Zheng,Xiao Dai,Yu Jiang,Jiaguang Sun

DOI: https://doi.org/10.1145/3560264

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:With the development of decentralized networks, smart contracts, especially those for ERC tokens, are attracting more and more Dapp users to implement their applications. There are some functions in ERC token contracts that only a specific group of accounts could invoke. Among those functions, some even can influence other accounts or the whole system without prior notice or permission. These functions are referred to as contract backdoors. Once exploited by an attacker, they can cause property losses and harm users' privacy. In this work, we propose Pied-Piper, a hybrid analysis method that integrates datalog analysis and directed fuzzing to detect backdoor threats in Ethereum ERC token contracts. First, datalog analysis is applied to abstract the data structures and identification rules related to the threats for preliminary static detection. Then, directed fuzzing is applied to eliminate false positives caused by the static analysis. We first evaluated PiedPiper on 200 smart contracts, which are injected with different types of backdoors. It reported all problems without false positives, and none of the injected problems was missed. Then, we applied Pied-Piper on 13,484 real token contracts deployed on Ethereum. Pied-Piper reported 189 confirmed problems, four of which have been assigned unique CVE ids while others are still in the review process. Each contract takes 8.03 seconds for datalog analysis on average, and the fuzzing engine can eliminate the false positives within one minute.

Mingpei Cao,Yueze Zhang,Zhenxuan Feng,Jiahao Hu,Yuesheng Zhu

DOI: https://doi.org/10.1109/qrs57517.2022.00071

2022-01-01

Abstract:Decentralized cryptocurrencies are influential smart contract applications in the blockchain, drawing interest from industry and academia. The capacity to govern and manage token behavior provided by the token smart contract adds to thriving decentralized applications. However, token smart contracts face security challenges in technology weakness and manipulation risks. In this work, we briefly describe the manipulation risk and propose TokenAuditor, a fuzzing framework detecting those risks in token smart contracts. TokenAuditor constructs basic blocks based on the contract bytecodes and adopts the rarity selection and mutation strategy to generate test cases. The main idea is to select the test cases that have hit rare basic blocks since the fuzzing started as candidates and perform mutation operations on them. In our evaluation, TokenAudiotr discovered 664 manipulation risks of four types in 4021 real-world token contracts.

Shuo Yang,Jiachi Chen,Zibin Zheng

DOI: https://doi.org/10.1145/3597926.3598063

2023-08-04

Abstract:Recently, the birth of non-fungible tokens (NFTs) has attracted great attention. NFTs are capable of representing users' ownership on the blockchain and have experienced tremendous market sales due to their popularity. Unfortunately, the high value of NFTs also makes them a target for attackers. The defects in NFT smart contracts could be exploited by attackers to harm the security and reliability of the NFT ecosystem. Despite the significance of this issue, there is a lack of systematic work that focuses on analyzing NFT smart contracts, which may raise worries about the security of users' NFTs. To address this gap, in this paper, we introduce 5 defects in NFT smart contracts. Each defect is defined and illustrated with a code example highlighting its features and consequences, paired with possible solutions to fix it. Furthermore, we propose a tool named NFTGuard to detect our defined defects based on a symbolic execution framework. Specifically, NFTGuard extracts the information of the state variables from the contract abstract syntax tree (AST), which is critical for identifying variable-loading and storing operations during symbolic execution. Furthermore, NFTGuard recovers source-code-level features from the bytecode to effectively locate defects and report them based on predefined detection patterns. We run NFTGuard on 16,527 real-world smart contracts and perform an evaluation based on the manually labeled results. We find that 1,331 contracts contain at least one of the 5 defects, and the overall precision achieved by our tool is 92.6%.

Software Engineering,Cryptography and Security

Jiashuo Zhang,Yiming Shen,Jiachi Chen,Jianzhong Su,Yanlin Wang,Ting Chen,Jianbo Gao,Zhong Chen

2024-08-09

Abstract:Ethereum has officially provided a set of system-level cryptographic APIs to enhance smart contracts with cryptographic capabilities. These APIs have been utilized in over 10% of Ethereum transactions, motivating developers to implement various on-chain cryptographic tasks, such as digital signatures. However, since developers may not always be cryptographic experts, their ad-hoc and potentially defective implementations could compromise the theoretical guarantees of cryptography, leading to real-world security issues. To mitigate this threat, we conducted the first study aimed at demystifying and detecting cryptographic defects in smart contracts. Through the analysis of 2,406 real-world security reports, we defined nine types of cryptographic defects in smart contracts with detailed descriptions and practical detection patterns. Based on this categorization, we proposed CrySol, a fuzzing-based tool to automate the detection of cryptographic defects in smart contracts. It combines transaction replaying and dynamic taint analysis to extract fine-grained crypto-related semantics and employs crypto-specific strategies to guide the test case generation process. Furthermore, we collected a large-scale dataset containing 25,745 real-world crypto-related smart contracts and evaluated CrySol's effectiveness on it. The result demonstrated that CrySol achieves an overall precision of 95.4% and a recall of 91.2%. Notably, CrySol revealed that 5,847 (22.7%) out of 25,745 smart contracts contain at least one cryptographic defect, highlighting the prevalence of these defects.

Cryptography and Security,Software Engineering

Nikolay Ivanov,Hanqing Guo,Qiben Yan

DOI: https://doi.org/10.48550/arXiv.2107.10979

2021-07-17

Cryptography and Security

Abstract:The developers of Ethereum smart contracts often implement administrating patterns, such as censoring certain users, creating or destroying balances on demand, destroying smart contracts, or injecting arbitrary code. These routines turn an ERC20 token into an administrated token - the type of Ethereum smart contract that we scrutinize in this research. We discover that many smart contracts are administrated, and the owners of these tokens carry lesser social and legal responsibilities compared to the traditional centralized actors that those tokens intend to disrupt. This entails two major problems: a) the owners of the tokens have the ability to quickly steal all the funds and disappear from the market; and b) if the private key of the owner's account is stolen, all the assets might immediately turn into the property of the attacker. We develop a pattern recognition framework based on 9 syntactic features characterizing administrated ERC20 tokens, which we use to analyze existing smart contracts deployed on Ethereum Mainnet. Our analysis of 84,062 unique Ethereum smart contracts reveals that nearly 58% of them are administrated ERC20 tokens, which accounts for almost 90% of all ERC20 tokens deployed on Ethereum. To protect users from the frivolousness of unregulated token owners without depriving the ability of these owners to properly manage their tokens, we introduce SafelyAdministrated - a library that enforces a responsible ownership and management of ERC20 tokens. The library introduces three mechanisms: deferred maintenance, board of trustees and safe pause. We implement and test SafelyAdministrated in the form of Solidity abstract contract, which is ready to be used by the next generation of safely administrated ERC20 tokens.

Qiang Han,Lu Wang,Haoyu Zhang,Leyi Shi,Danxin Wang,Zhang, Haoyu

DOI: https://doi.org/10.1007/s11227-024-05954-9

IF: 3.3

2024-03-14

The Journal of Supercomputing

Abstract:Ethereum is the most widely used open-source public chain project, with smart contracts serving as the pattern for developing decentralized applications. The prevalence of attacks against smart contracts has increased in recent years due to the attached amounts of high-value cryptocurrency. Various attacks against smart contracts have caused significant financial losses, amounting to hundreds of millions of dollars. As manual auditing of smart contracts is time-consuming and costly, automatic detection of vulnerabilities is crucial. Existing work does not dig deeper into contextual information contained in the program, which suffers from the difficulty of covering paths with more complex conditions. In this paper, we propose Ethchecker, a smart contract vulnerability detection tool which combines fuzzing and symbolic execution techniques together. Particularly, we propose an analysis module to extract static information from smart contracts. Besides, the tool introduces a genetic algorithm to enlarge code coverage, while considering the contextual information of the code. The results of the experiment show that in terms of F1-score for vulnerability detection, Ethchecker outperforms sFuzz by an average of 21.89% and outperforms Mythril by an average of 12.5%. Furthermore, in the comparison experiments on a dataset consisting of 1000 long smart contract codes (comprising over 3000 instructions), the proposed algorithm can improve the code coverage by 18.56% compared to the random fuzzing algorithm. In addition, we also used Ethchecker to test against 8922 randomly crawled real-world smart contracts. The result demonstrates the stability of this tool.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Danielle Gonzalez,Michael Rath,Mehdi Mirakhorli

DOI: https://doi.org/10.1145/3379597.3387471

2020-06-29

Abstract:Authentication is a critical security feature for confirming the identity of a system's users, typically implemented with help from frameworks like Spring Security. It is a complex feature which should be robustly tested at all stages of development. Unit testing is an effective technique for fine-grained verification of feature behaviors that is not widely-used to test authentication. Part of the problem is that resources to help developers unit test security features are limited. Most security testing guides recommend test cases in a "black box" or penetration testing perspective. These resources are not easily applicable to developers writing new unit tests, or who want a security-focused perspective on coverage. In this paper, we address these issues by applying a grounded theory-based approach to identify common (unit) test cases for token authentication through analysis of 481 JUnit tests exercising Spring Security-based authentication implementations from 53 open source Java projects. The outcome of this study is a developer-friendly unit testing guide organized as a catalog of 53 test cases for token authentication, representing unique combinations of 17 scenarios, 40 conditions, and 30 expected outcomes learned from the data set in our analysis. We supplement the test guide with common test smells to avoid. To verify the accuracy and usefulness of our testing guide, we sought feedback from selected developers, some of whom authored unit tests in our dataset.

Arianna Trozze,Bennett Kleinberg,Toby Davies

DOI: https://doi.org/10.1186/s40854-023-00572-5

IF: 6.793

2024-02-21

Financial Innovation

Abstract:Decentralized Finance (DeFi) is a system of financial products and services built and delivered through smart contracts on various blockchains. In recent years, DeFi has gained popularity and market capitalization. However, it has also been connected to crime, particularly various types of securities violations. The lack of Know Your Customer requirements in DeFi poses challenges for governments trying to mitigate potential offenses. This study aims to determine whether this problem is suited to a machine learning approach, namely, whether we can identify DeFi projects potentially engaging in securities violations based on their tokens' smart contract code. We adapted prior works on detecting specific types of securities violations across Ethereum by building classifiers based on features extracted from DeFi projects' tokens' smart contract code (specifically, opcode-based features). Our final model was a random forest model that achieved an 80% F-1 score against a baseline of 50%. Notably, we further explored the code-based features that are the most important to our model's performance in more detail by analyzing tokens' Solidity code and conducting cosine similarity analyses. We found that one element of the code that our opcode-based features can capture is the implementation of the SafeMath library, although this does not account for the entirety of our features. Another contribution of our study is a new dataset, comprising (a) a verified ground truth dataset for tokens involved in securities violations and (b) a set of legitimate tokens from a reputable DeFi aggregator. This paper further discusses the potential use of a model like ours by prosecutors in enforcement efforts and connects it to a wider legal context.

social sciences, mathematical methods,business, finance

Hengyan Zhang,Weizhe Zhang,Yuming Feng,Yang Liu

DOI: https://doi.org/10.1016/j.jisa.2023.103484

IF: 4.96

2023-01-01

Journal of Information Security and Applications

Abstract:Blockchain is a significant advancement in technology recently, transforming the traditional centralized system into a decentralized one. Smart contracts, as one of the best applications of blockchain, show great potential in various fields, such as finance, supply chain, and the Internet of Things (IoT). As the world's first blockchain platform to support turing complete smart contracts, Ethereum has become the most critical infrastructure for the digital world. However, with the vigorous development of smart contracts, malicious attacks against smart contracts have frequently occurred in recent years. The issue of smart contract security has attracted widespread attention due to the huge financial losses caused by smart contract vulnerabilities. Although researchers have made some progress in detecting smart contract vulnerabilities through symbolic execution and fuzzing-based methods, existing methods mainly rely on expert knowledge and hand-crafted features, leading to many detection errors. Even worse, existing methods take tens of seconds or even minutes to detect each smart contract on average, which is extremely time-consuming. In this work, we present SVScanner, the new method combining two features of heterogeneous patterns to detect smart contract vulnerabilities in the blockchain. Specifically, we first extract global semantic features from the sequence of contract code tokens. Then we further use the attention mechanism to capture deep structural semantics from the Abstract Syntax Tree (AST) of smart contracts. Finally, we combine these two features from different patterns and use a text convolutional neural network (TextCNN) to detect contract bugs. Experimental results show that SVScanner has the ability to detect vulnerabilities effectively in real-world smart contract datasets. SVScanner achieves a 7.33% improvement in accuracy compared with other traditional methods. Moreover, our method requires significantly less detection time.

Zeqin Liao,Yuhong Nan,Henglong Liang,Sicheng Hao,Juan Zhai,Jiajing Wu,Zibin Zheng

DOI: https://doi.org/10.1145/3643738

2024-06-23

Abstract:With the increasing popularity of blockchain, different blockchain platforms coexist in the ecosystem (e.g., Ethereum, BNB, EOSIO, etc.), which prompts the high demand for cross-chain communication. Cross-chain bridge is a specific type of decentralized application for asset exchange across different blockchain platforms. Securing the smart contracts of cross-chain bridges is in urgent need, as there are a number of recent security incidents with heavy financial losses caused by vulnerabilities in bridge smart contracts, as we call them Cross-Chain Vulnerabilities (CCVs). However, automatically identifying CCVs in smart contracts poses several unique challenges. Particularly, it is non-trivial to (1) identify application-specific access control constraints needed for cross-bridge asset exchange, and (2) identify inconsistent cross-chain semantics between the two sides of the bridge. In this paper, we propose SmartAxe, a new framework to identify vulnerabilities in cross-chain bridge smart contracts. Particularly, to locate vulnerable functions that have access control incompleteness, SmartAxe models the heterogeneous implementations of access control and finds necessary security checks in smart contracts through probabilistic pattern inference. Besides, SmartAxe constructs cross-chain control-flow graph (xCFG) and data-flow graph (xDFG), which help to find semantic inconsistency during cross-chain data communication. To evaluate SmartAxe, we collect and label a dataset of 88 CCVs from real-attacks cross-chain bridge contracts. Evaluation results show that SmartAxe achieves a precision of 84.95% and a recall of 89.77%. In addition, SmartAxe successfully identifies 232 new/unknown CCVs from 129 real-world cross-chain bridge applications (i.e., from 1,703 smart contracts). These identified CCVs affect a total amount of digital assets worth 1,885,250 USD.

Software Engineering

Jiachi Chen,Jiang Hu,Xin Xia,David Lo,John Grundy,Zhipeng Gao,Ting Chen

DOI: https://doi.org/10.1007/s10515-024-00459-4

IF: 1.677

2024-01-01

Automated Software Engineering

Abstract:Decentralized Finance (DeFi) uses blockchain technologies to transform traditional financial activities into decentralized platforms that run without intermediaries and centralized institutions. Smart contracts are programs that run on the blockchain, and by utilizing smart contracts, developers can more easily develop DeFi applications. Some key features of smart contracts—self-executed and immutability—ensure the trustworthiness, transparency and efficiency of DeFi applications and have led to a fast-growing DeFi market. However, misbehaving developers can add traps or backdoor code snippets to a smart contract, which are hard for contract users to discover. We call these code snippets in a DeFi smart contract as “DeFi Contract Traps” (DCTs). In this paper, we identify five DeFi contract traps and introduce their behaviors, describe how attackers use them to make unfair profits and analyze their prevalence in the Ethereum platform. We propose a symbolic execution tool, DeFiDefender, to detect such traps and use a manually labeled small-scale dataset that consists of 700 smart contracts to evaluate it. Our results show that our tool is not only highly effective but also highly efficient.DeFiDefender only needs 0.48 s to analyze one DeFi smart contract and obtains a high average accuracy (98.17%), precision (99.74%)and recall (89.24%). Among the five DeFi contract traps introduced in this paper, four of them can be detected through contract bytecode without the need for source code. We also apply DeFiDefender to a large-scale dataset that consists of 20,679 real DeFi-related Ethereum smart contracts. We found that 52.13% of these DeFi smart contracts contain at least one contract trap. Although a smart contract that contains contract traps is not necessarily malicious, our finding suggests that DeFi-related contracts have many centralized issues in a zero-trust environment and in the absence of a trusted party.

S. Porkodi,D. Kesavaraja

DOI: https://doi.org/10.1007/s11276-023-03552-w

IF: 2.701

2023-11-13

Wireless Networks

Abstract:In the rapidly upgrading world, blockchain is evolving where smart contract emerges as an important aspect that is automated to execute when the pre-conditions are satisfied. Properties like self-execution, non-reversible and non-terminating properties are mainly developed to eliminate the presence of third parties. However, such properties are misused by scammers to create malicious contracts, causing financial losses. Self-destruction property is also misused whereas the scammers remain anonymous after causing the destruction. So, it is necessary to identify the fraudulent nodes before they escape acquiring large sum of money. In this paper, the smart contract Ethereum Fraud Detection dataset was tested against various machine learning algorithms. Categorial Boosting (CatBoost) emerges as the best algorithm having a balanced tree structure contributing to its superior performance. Finally, comparative analysis shows that CatBoost outperforms obtaining 96.85% accuracy and obtains 97% when normalizing continuous features. Hence, this research addresses a way to detect scammers and contributes to interacting with safer smart contracts in blockchain networks.

computer science, information systems,telecommunications,engineering, electrical & electronic