Mingxi Ye,Xingwei Lin,Yuhong Nan,Jiajing Wu,Zibin Zheng

DOI: https://doi.org/10.1145/3650212.3680321

2024-01-01

Abstract:In the context of boosting smart contract applications, prioritizing their security becomes paramount. Smart contract exploits often result in notable financial losses. Ensuring their security is by no means trivial. Rather than resulting in program crashes, most attacks in on-chain smart contracts aim to induce financial loss, referred to as profitable exploits. By constructing seemingly innocuous inputs, profitable exploits try to extract extra profit or compromise the interests of others. However, due to the complexity of call chains in on-chain smart contracts and the need for effective oracles for profitable exploits, smart contract fuzzing suffers from low efficiency and low effectiveness in finding profitable exploits. In this paper, we present Midas, a novel feedback-driven fuzzing framework to mine profitable exploits in on-chain smart contracts effectively. Midas consists of two modules: diverse validity fuzzing and profitable transaction identification. The diverse validity fuzzing module applies two waypoints to efficiently generate valid transactions, addressing the complexity of on-chain smart contract call chains. The profitable transaction identification module applies differential analysis to effectively identify profitable exploits, addressing the limitation of ad-hoc oracles. Evaluation of Midas over on-chain smart contracts showed it effectively identified 40 real-world exploits with a precision of 80%, outperforming state-of-the-art tools (i.e., ItyFuzz and Slither) in both efficiency and effectiveness. Particularly, Midas effectively mines five unknown exploits in valuable smart contracts, and two of them have already been confirmed by their DApp developers.

Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Hao Tan,Shuangzhou Yan,Xin Zou,Guanghuan Xie,Hongxin Zhang,Zhuo Li

DOI: https://doi.org/10.1109/icdmw60847.2023.00093

2023-01-01

Abstract:Tokenization has emerged as a pivotal topic in fintech. It involves converting indivisible assets into divisible tokens, streamlining their trade and management. While asset tokenization offers benefits like reduced entry barriers, faster transaction settlements, and improved asset liquidity, it also presents challenges, notably concerns like money laundering and terrorism financing. The current landscape lacks comprehensive regulatory measures, allowing unrestricted access for both token issuers and buyers. To address the aforementioned challenges, this paper introduces the FCToken framework, meticulously designed to facilitate compliance tokenization across diverse scenarios and asset types. Innovatively, the framework operates at both the Token and Identity levels, encompassing four core modules to actualize compliance token issuance. Leveraging this framework, we have devised a prototype system, integrating both a GUI low-code module and a gas fee prediction mechanism. Such integrations not only bolster compliance-centric development efficiency but also proffer users methodologies to curtail gas expenditures during the token issuance process.

Peng Qian,Hanjie Wu,Zeren Du,Turan Vural,Dazhong Rong,Zheng Cao,Lun Zhang,Yanbin Wang,Jianhai Chen,Qinming He

2023-12-10

Abstract:As blockchain smart contracts become more widespread and carry more valuable digital assets, they become an increasingly attractive target for attackers. Over the past few years, smart contracts have been subject to a plethora of devastating attacks, resulting in billions of dollars in financial losses. There has been a notable surge of research interest in identifying defects in smart contracts. However, existing smart contract fuzzing tools are still unsatisfactory. They struggle to screen out meaningful transaction sequences and specify critical inputs for each transaction. As a result, they can only trigger a limited range of contract states, making it difficult to unveil complicated vulnerabilities hidden in the deep state space. In this paper, we shed light on smart contract fuzzing by employing a sequence-aware mutation and seed mask guidance strategy. In particular, we first utilize data-flow-based feedback to determine transaction orders in a meaningful way and further introduce a sequence-aware mutation technique to explore deeper states. Thereafter, we design a mask-guided seed mutation strategy that biases the generated transaction inputs to hit target branches. In addition, we develop a dynamic-adaptive energy adjustment paradigm that balances the fuzzing resource allocation during a fuzzing campaign. We implement our designs into a new smart contract fuzzer named MuFuzz, and extensively evaluate it on three benchmarks. Empirical results demonstrate that MuFuzz outperforms existing tools in terms of both branch coverage and bug finding. Overall, MuFuzz achieves higher branch coverage than state-of-the-art fuzzers (up to 25%) and detects 30% more bugs than existing bug detectors.

Cryptography and Security

Fuchen Ma,Meng Ren,Lerong Ouyang,Yuanliang Chen,Juan Zhu,Ting Chen,Yingli Zheng,Xiao Dai,Yu Jiang,Jiaguang Sun

DOI: https://doi.org/10.1145/3560264

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:With the development of decentralized networks, smart contracts, especially those for ERC tokens, are attracting more and more Dapp users to implement their applications. There are some functions in ERC token contracts that only a specific group of accounts could invoke. Among those functions, some even can influence other accounts or the whole system without prior notice or permission. These functions are referred to as contract backdoors. Once exploited by an attacker, they can cause property losses and harm users' privacy. In this work, we propose Pied-Piper, a hybrid analysis method that integrates datalog analysis and directed fuzzing to detect backdoor threats in Ethereum ERC token contracts. First, datalog analysis is applied to abstract the data structures and identification rules related to the threats for preliminary static detection. Then, directed fuzzing is applied to eliminate false positives caused by the static analysis. We first evaluated PiedPiper on 200 smart contracts, which are injected with different types of backdoors. It reported all problems without false positives, and none of the injected problems was missed. Then, we applied Pied-Piper on 13,484 real token contracts deployed on Ethereum. Pied-Piper reported 189 confirmed problems, four of which have been assigned unique CVE ids while others are still in the review process. Each contract takes 8.03 seconds for datalog analysis on average, and the fuzzing engine can eliminate the false positives within one minute.

Mingxi Ye,Yuhong Nan,Hong-Ning Dai,Shuo Yang,Xiapu Luo,Zibin Zheng

DOI: https://doi.org/10.1145/3674725

IF: 3.685

2024-06-28

ACM Transactions on Software Engineering and Methodology

Abstract:With the increasing popularity of Decentralized Applications (DApps) in blockchain, securing smart contracts has been a long-term, high-priority subject in the domain. Among the various research directions for vulnerability detection, fuzzing has received extensive attention because of its high effectiveness. However, with the increasing complexity of smart contracts, existing fuzzers may waste substantial time exploring locations irrelevant to smart contract vulnerabilities. In this paper, we present FunFuzz , a function-oriented fuzzer, which is dedicatedly tailored for detecting smart contract vulnerability with high effectiveness and efficiency. The key observation in our research is that most smart contract vulnerabilities exist in specific functions rather than randomly distributed in all program code like other traditional software. To this end, unlike traditional fuzzers which mainly target code coverage, FunFuzz identifies risky functions while pruning non-risky ones in smart contracts. In this way, it significantly narrows down the exploration scope during the fuzzing process. In addition, FunFuzz employs three unique strategies to direct itself towards effectively discovering vulnerabilities specific to smart contracts (e.g., reentrancy, block dependency, and gasless send). Extensive experiments on 170 real-world contracts demonstrate that FunFuzz outperforms state-of-the-art fuzzers in terms of effectiveness and efficiency.

computer science, software engineering

Shuohan Wu,Zihao Li,Luyi Yan,Weimin Chen,Muhui Jiang,Chenxu Wang,Xiapu Luo,Hao Zhou

2024-02-05

Abstract:Given the growing importance of smart contracts in various applications, ensuring their security and reliability is critical. Fuzzing, an effective vulnerability detection technique, has recently been widely applied to smart contracts. Despite numerous studies, a systematic investigation of smart contract fuzzing techniques remains lacking. In this paper, we fill this gap by: 1) providing a comprehensive review of current research in contract fuzzing, and 2) conducting an in-depth empirical study to evaluate state-of-the-art contract fuzzers' usability. To guarantee a fair evaluation, we employ a carefully-labeled benchmark and introduce a set of pragmatic performance metrics, evaluating fuzzers from five complementary perspectives. Based on our findings, we provide direction for the future research and development of contract fuzzers.

Software Engineering

Dongfang Jia,Zhicong Liu,Zhengqi Zhang,Jun Ye

DOI: https://doi.org/10.1007/978-981-16-7469-3_108

2022-01-01

Abstract:In recent years, the second-generation blockchain platforms and applications represented by smart contracts have seen explosive growth, but frequent smart contract vulnerability incidents have seriously threatened the ecological security of blockchain. In view of the low efficiency of code audit based on expert experience, it is important to develop a general automation tool to mine smart contract vulnerabilities. In the beginning, the security threats of smart contracts should be investigated and analyzed, and many smart contract vulnerabilities and attack modes that occur frequently, such as code reentrant, access control, integer overflow, etc., were summarized. Then, the technology method of smart contract vulnerability detection conforming to The Times is obtained, and the current samples of smart contract vulnerability detection are summarized. The current investigation includes too few types of vulnerabilities, with a variety of inaccuracies and deviations. It is only carried out through manual audit. Through these methods, according to the state of including after put forward the general ideas of this kind of situation, and puts forward a kind of symbolic execution auxiliary fuzzy test framework, can reduce the symbolic execution channel congestion and fuzzy test code coverage degree is too little, so as to improve test efficiency, easy to dig holes of large and medium-sized intelligent contracts quality improvement.

Tianle Sun,Ningyu He,Jiang Xiao,Yinliang Yue,Xiapu Luo,Haoyu Wang

2024-05-31

Abstract:In Ethereum, the practice of verifying the validity of the passed addresses is a common practice, which is a crucial step to ensure the secure execution of smart contracts. Vulnerabilities in the process of address verification can lead to great security issues, and anecdotal evidence has been reported by our community. However, this type of vulnerability has not been well studied. To fill the void, in this paper, we aim to characterize and detect this kind of emerging vulnerability. We design and implement AVVERIFIER, a lightweight taint analyzer based on static EVM opcode simulation. Its three-phase detector can progressively rule out false positives and false negatives based on the intrinsic characteristics. Upon a well-established and unbiased benchmark, AVVERIFIER can improve efficiency 2 to 5 times than the SOTA while maintaining a 94.3% precision and 100% recall. After a large-scale evaluation of over 5 million Ethereum smart contracts, we have identified 812 vulnerable smart contracts that were undisclosed by our community before this work, and 348 open source smart contracts were further verified, whose largest total value locked is over $11.2 billion. We further deploy AVVERIFIER as a real-time detector on Ethereum and Binance Smart Chain, and the results suggest that AVVERIFIER can raise timely warnings once contracts are deployed.

Cryptography and Security,Software Engineering

Qiang Han,Lu Wang,Haoyu Zhang,Leyi Shi,Danxin Wang,Zhang, Haoyu

DOI: https://doi.org/10.1007/s11227-024-05954-9

IF: 3.3

2024-03-14

The Journal of Supercomputing

Abstract:Ethereum is the most widely used open-source public chain project, with smart contracts serving as the pattern for developing decentralized applications. The prevalence of attacks against smart contracts has increased in recent years due to the attached amounts of high-value cryptocurrency. Various attacks against smart contracts have caused significant financial losses, amounting to hundreds of millions of dollars. As manual auditing of smart contracts is time-consuming and costly, automatic detection of vulnerabilities is crucial. Existing work does not dig deeper into contextual information contained in the program, which suffers from the difficulty of covering paths with more complex conditions. In this paper, we propose Ethchecker, a smart contract vulnerability detection tool which combines fuzzing and symbolic execution techniques together. Particularly, we propose an analysis module to extract static information from smart contracts. Besides, the tool introduces a genetic algorithm to enlarge code coverage, while considering the contextual information of the code. The results of the experiment show that in terms of F1-score for vulnerability detection, Ethchecker outperforms sFuzz by an average of 21.89% and outperforms Mythril by an average of 12.5%. Furthermore, in the comparison experiments on a dataset consisting of 1000 long smart contract codes (comprising over 3000 instructions), the proposed algorithm can improve the code coverage by 18.56% compared to the random fuzzing algorithm. In addition, we also used Ethchecker to test against 8922 randomly crawled real-world smart contracts. The result demonstrates the stability of this tool.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Yuhe Huang,Bo Jiang,W.K. Chan

DOI: https://doi.org/10.48550/arXiv.2007.14903

2020-08-06

Abstract:EOSIO is one typical public blockchain platform. It is scalable in terms of transaction speeds and has a growing ecosystem supporting smart contracts and decentralized applications. However, the vulnerabilities within the EOSIO smart contracts have led to serious attacks, which caused serious financial loss to its end users. In this work, we systematically analyzed three typical EOSIO smart contract vulnerabilities and their related attacks. Then we presented EOSFuzzer, a general black-box fuzzing framework to detect vulnerabilities within EOSIO smart contracts. In particular, EOSFuzzer proposed effective attacking scenarios and test oracles for EOSIO smart contract fuzzing. Our fuzzing experiment on 3963 EOSIO smart contracts shows that EOSFuzzer is both effective and efficient to detect EOSIO smart contract vulnerabilities with high accuracy.

Software Engineering

Zheyuan He,Shuwei Song,Yang Bai,Xiapu Luo,Ting Chen,Wensheng Zhang,Peng He,Hongwei Li,Xiaodong Lin,Xiaosong Zhang

DOI: https://doi.org/10.1145/3560263

IF: 3.685

2023-01-31

ACM Transactions on Software Engineering and Methodology

Abstract:Tokens have become an essential part of blockchain ecosystem, so recognizing token transfer behaviors is crucial for applications depending on blockchain. Unfortunately, existing solutions cannot recognize token transfer behaviors accurately and efficiently because of their incomplete patterns and inefficient designs. This work proposes TokenAware , a novel online system for recognizing token transfer behaviors. To improve accuracy, TokenAware infers token transfer behaviors from modifications of internal bookkeeping of a token smart contract for recording the information of token holders (e.g., their addresses and shares). However, recognizing bookkeeping is challenging, because smart contract bytecode does not contain type information. TokenAware overcomes the challenge by first learning the instruction sequences for locating basic types and then deriving the instruction sequences for locating sophisticated types that are composed of basic types. To improve efficiency, TokenAware introduces four optimizations. We conduct extensive experiments to evaluate TokenAware with real blockchain data. Results show that TokenAware can automatically identify new types of bookkeeping and recognize 107,202 tokens with 98.7% precision. TokenAware with optimizations merely incurs 4% overhead, which is 1/345 of the overhead led by the counterpart with no optimization. Moreover, we develop an application based on TokenAware to demonstrate how it facilitates malicious behavior detection.

computer science, software engineering

Ting Chen,Yufei Zhang,Zihao Li,Xiapu Luo,Ting Wang,Rong Cao,Xiuzhuo Xiao,Xiaosong Zhang

DOI: https://doi.org/10.1145/3319535.3345664

2019-01-01

Abstract:Motivated by the success of Bitcoin, lots of cryptocurrencies have been created, the majority of which were implemented as smart contracts running on Ethereum and called tokens. To regulate the interaction between these tokens and users as well as third-party tools (e.g., wallets, exchange markets, etc.), several standards have been proposed for the implementation of token contracts. Although existing tokens involve lots of money, little is known whether or not their behaviors are consistent with the standards. Inconsistent behaviors can lead to user confusion and financial loss, because users/third-party tools interact with token contracts by invoking standard interfaces and listening to standard events. In this work, we take the first step to investigate such inconsistent token behaviors with regard to ERC-20, the most popular token standard. We propose a novel approach to automatically detect such inconsistency by contrasting the behaviors derived from three different sources, including the manipulations of core data structures recording the token holders and their shares, the actions indicated by standard interfaces, and the behaviors suggested by standard events. We implement our approach in a new tool named TokenScope and use it to inspect all transactions sent to the deployed tokens. We detected 3,259,001 transactions that trigger inconsistent behaviors, and these behaviors resulted from 7,472 tokens. By manually examining all (2,353) open-source tokens having inconsistent behaviors, we found that the precision of TokenScope is above 99.9%. Moreover, we revealed 11 major reasons behind the inconsistency, e.g., flawed tokens, standard methods missing, lack of standard events, etc. In particular, we discovered 50 unreported flawed tokens.

Songyan Ji,Jian Dong,Junfu Qiu,Bowen Gu,Ye Wang,Tongqi Wang

DOI: https://doi.org/10.1109/qrs54544.2021.00035

2021-01-01

Abstract:Nowadays, smart contracts manage more and more digital assets and have become an attractive target for adversaries. To prevent smart contracts from malicious attacks, a thorough test is indispensable and must be finished before deployment because smart contracts cannot be modified after being deployed. Fuzzing is an important testing approach, but most existing smart contract fuzzers can hardly solve the constraints which involve deeply nested conditional statements, resulting in low coverage. To address this problem, we propose Targy, an efficient targeted mutation strategy based on dynamic taint analysis. We obtain the taint flow by dynamic taint propagation, and generate a more accurate mutation strategy for the input parameters of functions to simultaneously satisfy all conditional statements. We implemented Targy on sFuzz with 3.6 thousand smart contracts running on Ethereum. The numbers of covered branches and detected vulnerabilities increase by 6% and 7% respectively, and the average time required for covering a branch is reduced by 11 %.

Yuanhang Zhou,Jingxuan Sun,Fuchen Ma,Yuanliang Chen,Zhen Yan,Yu Jiang

DOI: https://doi.org/10.1145/3639477.3639722

2024-01-01

Abstract:Crypto token is a digital asset used in blockchain-based decentralized applications. Today, tokens have attracted many investors and collected a large amount of money. Unfortunately, the booming token market has simultaneously spawned numerous fraudulent schemes. Rug pull is one of the well-known scams, where fraudulent developers lure investors into seemingly profitable projects and then run off with their money, leaving the investors with worthless assets. To prevent future losses, researchers in both industry and academia have attempted to expose rug pull risks in advance. However, rug pull can manifest in various scenarios during the transfer process, posing significant challenges for effective detection. In this paper, we first conduct an in-depth study of 201 real-world rug pull incidents for their root causes, and summarize 4 common types of rug pull risks. Then, we establish a component-configurable transfer model to locate and analyze the transfer process in token contracts. Based on the model, we generate effective oracles for the 4 rug pull risks, which can overcome the interference of diverse implementation structures. We propose Tokeer, a token verification tool that implements the transfer model and oracles with datalog technique to expose rug pull risks hidden in token contracts. We apply Tokeer on real-world tokens and compare it with state-of-the-art tools: the commercial tool GoPlus and the academic tool Pied-Piper. Tokeer achieves an average of 98.0% recall and 98.9% precision, and successfully detects 27.2% more real rug pull risks in wild production, significantly outperforming the state-of-the-art tools in terms of detection accuracy and effectiveness.

Yinxing Xue,Jiaming Ye,Wei Zhang,Jun Sun,Lei Ma,Haijun Wang,Jianjun Zhao

DOI: https://doi.org/10.1109/TDSC.2022.3182373

2022-06-30

Abstract:Smart contract transactions are increasingly interleaved by cross-contract calls. While many tools have been developed to identify a common set of vulnerabilities, the cross-contract vulnerability is overlooked by existing tools. Cross-contract vulnerabilities are exploitable bugs that manifest in the presence of more than two interacting contracts. Existing methods are however limited to analyze a maximum of two contracts at the same time. Detecting cross-contract vulnerabilities is highly non-trivial. With multiple interacting contracts, the search space is much larger than that of a single contract. To address this problem, we present xFuzz, a machine learning guided smart contract fuzzing framework. The machine learning models are trained with novel features (e.g., word vectors and instructions) and are used to filter likely benign program paths. Comparing with existing static tools, machine learning model is proven to be more robust, avoiding directly adopting manually-defined rules in specific tools. We compare xFuzz with three state-of-the-art tools on 7,391 contracts. xFuzz detects 18 exploitable cross-contract vulnerabilities, of which 15 vulnerabilities are exposed for the first time. Furthermore, our approach is shown to be efficient in detecting non-cross-contract vulnerabilities as well -- using less than 20% time as that of other fuzzing tools, xFuzz detects twice as many vulnerabilities.

Cryptography and Security,Software Engineering

Li Duan,Wei Wang,Chunhong Liu,Liu Yang,Wei Ni

DOI: https://doi.org/10.1109/TNSM.2023.3278311

2023-12-01

IEEE Transactions on Network and Service Management

Abstract:Digital assets involved in smart contracts are on the rise. Security vulnerabilities in smart contracts have resulted in significant losses for the blockchain community. Existing smart contract vulnerability detection techniques have been typically single-purposed and focused only on the source code or opcode of contracts. This paper presents a new smart contract vulnerability detection method, which extracts features from different levels of smart contracts to train machine learning models for effective detection of vulnerabilities. Specifically, we propose to extract 2-gram features from the opcodes of smart contracts and token features from the source code using a pre-trained CodeBERT model, thereby capturing the semantic information of smart contracts at different levels. The 2-gram and token features are separately aggregated and then fused and input into machine-learning models to mine the vulnerability features of contracts. Over 10,266 smart contracts are used to verify the proposed method. Widespread reentrancy, timestamp dependence, and transaction-ordering dependence vulnerabilities are considered. Experiments show the fused features can help significantly improve smart contract vulnerability detection compared to the single-level features. The detection accuracy is as high as 98%, 98% and 94% for the three vulnerabilities, respectively. The average detection time is 0.99 second per contract, indicating the proposed method is suitable for automatic batch detection of vulnerabilities in smart contracts.

Computer Science

Dabao Wang,Hang Feng,Siwei Wu,Yajin Zhou,Lei Wu,Xingliang Yuan

DOI: https://doi.org/10.1145/3545948.3545963

2022-01-01

Abstract:The prosperity of decentralized finance motivates many investors to profit via trading their crypto assets on decentralized applications (DApps for short) of the Ethereum ecosystem. Apart from Ether (the native cryptocurrency of Ethereum), many ERC20 (a widely used token standard on Ethereum) tokens obtain vast market value in the ecosystem. Specifically, the approval mechanism is used to delegate the privilege of spending users’ tokens to DApps. By doing so, the DApps can transfer these tokens to arbitrary receivers on behalf of the users. To increase the usability, unlimited approval is commonly adopted by DApps to reduce the required interaction between them and their users. However, as shown in existing security incidents, this mechanism can be abused to steal users’ tokens. In this paper, we present the first systematic study to quantify the risk of unlimited approval of ERC20 tokens on Ethereum. Specifically, by evaluating existing transactions up to 31st July 2021, we find that unlimited approval is prevalent (60%, 15.2M/25.4M) in the ecosystem, and 22% of users have a high risk of their approved tokens for stealing. After that, we investigate the security issues that are involved in interacting with the UIs of 22 representative DApps and 9 famous wallets to prepare the approval transactions. The result reveals the worrisome fact that all DApps request unlimited approval from the front-end users and only 10% (3/31) of UIs provide explanatory information for the approval mechanism. Meanwhile, only 16% (5/31) of UIs allow users to modify their approval amounts. Finally, we take a further step to characterize the user behavior into five modes and formalize the good practice, i.e., on-demand approval and timely spending, towards securely spending approved tokens. However, the evaluation result suggests that only 0.2% of users follow the good practice to mitigate the risk. Our study sheds light on the risk of unlimited approval and provides suggestions to secure the approval mechanism of the ERC20 tokens on Ethereum.

Haoyu Wang,Zan Wang,Shuang Liu,Jun Sun,Yingquan Zhao,Yan Wan,Tai D. Nguyen

DOI: https://doi.org/10.1002/smr.2557

2023-03-18

Abstract:sFuzz2.0 is motivated by the fact that certain vulnerabilities only manifest in the presence of certain function call sequences (as well as particular arguments). sFuzz2.0 tackles the problem with two sequence generation strategies, that is, by generating function call sequences that trigger different storage‐access patterns passively or actively. The experiment result has shown that the passive strategy achieves better code coverage as well as reveals more vulnerabilities. Smart contracts are distributed self‐enforcing programs which execute on top of blockchain networks. They have the potential to revolutionize many industries and have already been adopted for applications such as distributed finance and crowdfunding. Because smart contracts are immutable once they are deployed, it is important to identify and eliminate code vulnerabilities in smart contracts systematically. In this work, we propose sFuzz2.0, a storage‐access‐pattern guided adaptive fuzzer based on sFuzz. sFuzz2.0 is motivated by the fact that certain vulnerabilities only manifest in the presence of certain function call sequences (as well as particular arguments). Given that there are exponentially many function call sequences, sFuzz randomly generates sequences without guidance. As a result, the probability of discovering those vulnerabilities is negligible. sFuzz2.0 tackles the problem with two approaches, that is, by generating function call sequences that trigger different storage‐access patterns passively (i.e., by prioritizing seeds which cover new patterns) or actively (i.e., by actively seeking out different patterns). The experiment results suggest that the passive strategy outperforms sFuzz by achieving better code coverage (i.e., 37.53%) and discovering more vulnerabilities (i.e., 20.49%).

computer science, software engineering

Zhenguang Liu,Peng Qian,Jiaxu Yang,Lingfeng Liu,Xiaojun Xu,Qinming He,Xiaosong Zhang

DOI: https://doi.org/10.48550/arXiv.2301.03943

2023-01-12

Abstract:Blockchain smart contracts have given rise to a variety of interesting and compelling applications and emerged as a revolutionary force for the Internet. Quite a few practitioners have devoted themselves to developing tools for detecting bugs in smart contracts. One line of efforts revolve around static analysis techniques, which heavily suffer from high false-positive rates. Another line of works concentrate on fuzzing techniques. Unfortunately, current fuzzing approaches for smart contracts tend to conduct fuzzing starting from the initial state of the contract, which expends too much energy revolving around the initial state and thus is usually unable to unearth bugs triggered by other states. Moreover, most existing methods treat each branch equally, failing to take care of the branches that are rare or more likely to possess bugs. This might lead to resources wasted on normal branches. In this paper, we try to tackle these challenges from three aspects: (1) In generating function invocation sequences, we explicitly consider data dependencies between functions to facilitate exploring richer states. We further prolong a function invocation sequence S1 by appending a new sequence S2, so that S2 can start fuzzing from states that are different from the initial state. (2) We incorporate a branch distance-based measure to evolve test cases iteratively towards a target branch. (3) We engage a branch search algorithm to discover rare and vulnerable branches, and design an energy allocation mechanism to take care of exercising these crucial branches. We implement IR-Fuzz and extensively evaluate it over 12K real-world contracts. Empirical results show that: (i) IR-Fuzz achieves 28% higher branch coverage than state-of-the-art fuzzing approaches, and (ii) IR-Fuzz detects more vulnerabilities and increases the average accuracy of vulnerability detection by 7% over current methods.

Cryptography and Security,Programming Languages,Software Engineering