Shuo Yang,Xingwei Lin,Jiachi Chen,Qingyuan Zhong,Lei Xiao,Renke Huang,Yanlin Wang,Zibin Zheng

2024-08-12

Abstract:The rapid advancement of blockchain platforms has significantly accelerated the growth of decentralized applications (DApps). Similar to traditional applications, DApps integrate front-end descriptions that showcase their features to attract users, and back-end smart contracts for executing their business logic. However, inconsistencies between the features promoted in front-end descriptions and those actually implemented in the contract can confuse users and undermine DApps's trustworthiness. In this paper, we first conducted an empirical study to identify seven types of inconsistencies, each exemplified by a real-world DApp. Furthermore, we introduce HYPERION, an approach designed to automatically identify inconsistencies between front-end descriptions and back-end code implementation in DApps. This method leverages a fine-tuned large language model LLaMA2 to analyze DApp descriptions and employs dataflow-guided symbolic execution for contract bytecode analysis. Finally, HYPERION reports the inconsistency based on predefined detection patterns. The experiment on our ground truth dataset consisting of 54 DApps shows that HYPERION reaches 84.06% overall recall and 92.06% overall precision in reporting DApp inconsistencies. We also implement HYPERION to analyze 835 real-world DApps. The experimental results show that HYPERION discovers 459 real-world DApps containing at least one inconsistency.

Software Engineering

Kaidong Wu,Yun Ma,Gang Huang,Xuanzhe Liu

DOI: https://doi.org/10.1002/spe.2751

2019-01-01

Abstract:With the increasing popularity of blockchain technologies in recent years, blockchain-based decentralized applications (DApps for short in this paper) have been rapidly developed and widely adopted in many areas, being a hot topic in both academia and industry. Despite of the importance of DApps, we still have quite little understanding of DApps along with its ecosystem. To bridge the knowledge gap, this paper presents the first comprehensive empirical study of blockchain-based DApps to date, based on an extensive dataset of 995 Ethereum DApps and 29,846,075 transaction logs over them. We make a descriptive analysis of the popularity of DApps, summarize the patterns of how DApps use smart contracts to access the underlying blockchain, and explore the worth-addressing issues of deploying and operating DApps. Based on the findings, we propose some implications for DApp users to select proper DApps, for DApp developers to improve the efficiency of DApps, and for blockchain vendors to enhance the support of DApps.

Mingxi Ye,Yuhong Nan,Zibin Zheng,Dongpeng Wu,Huizhong Li

DOI: https://doi.org/10.1145/3597926.3598057

2023-01-01

Abstract:Decentralized applications (DApps) consist of multiple smart contracts running on Blockchain. With the increasing popularity of the DApp ecosystem, vulnerabilities in DApps could bring significant impacts such as financial losses. Identifying vulnerabilities in DApps is by no means trivial, as modern DApps consist of complex interactions across multiple contracts. Previous research suffers from either high false positives or false negatives, due to the lack of precise contextual information which is mandatory for confirming smart contract vulnerabilities when analyzing smart contracts. In this paper, we present IcyChecker , a new fuzzing-based framework to effectively identify State inconsistency (SI) Bugs – a specific type of bugs that can cause vulnerabilities such as re-entrancy, front-running with complex patterns. Different from prior works, IcyChecker utilizes a set of accurate contextual information for contract fuzzing by replaying the on-chain historical transactions. Besides, instead of designing specific testing oracles which are required by other fuzzing approaches, IcyChecker implements novel mechanisms to mutate a set of fuzzing transaction sequences, and further identify SI bugs by observing their state differences. Evaluation of IcyChecker over the top 100 popular DApps showed it effectively identifies a total number of 277 SI bugs, with a precision of 87%. By comparing IcyChecker with other state-of-the-art tools (i.e., Smartian, Confuzzius, and Sailfish), we show IcyChecker not only identifies more SI bugs but also with much lower false positives, thanks to its integration of accurate on-chain data and unique fuzzing strategies. Our research sheds light on new ways of detecting smart contract vulnerabilities in DApps.

HU Teng,WANG Yan-ping,ZHANG Xiao-song,NIU Wei-na

DOI: https://doi.org/10.11896/jsjkx.210200134

2021-01-01

Abstract:Blockchain technology has evolved rapidly in recent years,as a result,many organizations and enterprises have started using decentralized applications (DApps) based on blockchain and smart contracts to enhance the functionality and security of their information systems,or to expand new businesses.However,DApps may also introduce new problems due to the possible security and performance issues of blockchain and smart contracts.In order to deeply study and analyze the data and behavioral phenomena of DApps so as to help users better apply blockchain and DApps,a total of 2 565 DApps in 21 categories are first collected,as well as data related to these DApps from July 30,2015 to May 4,2020 (about 10 million block heights),including 16 302 smart contracts,7 678 185 EOA,95 889 930 external transactions,and 30 833 719 internal transactions.Then the DApp distribution is deeply analyzed from four perspectives:number,time,category,and smart contract,and some findings are summarized from them,which can provide valuable references for DApp developers and blockchain researchers.

Dabao Wang,Hang Feng,Siwei Wu,Yajin Zhou,Lei Wu,Xingliang Yuan

DOI: https://doi.org/10.1145/3545948.3545963

2022-01-01

Abstract:The prosperity of decentralized finance motivates many investors to profit via trading their crypto assets on decentralized applications (DApps for short) of the Ethereum ecosystem. Apart from Ether (the native cryptocurrency of Ethereum), many ERC20 (a widely used token standard on Ethereum) tokens obtain vast market value in the ecosystem. Specifically, the approval mechanism is used to delegate the privilege of spending users’ tokens to DApps. By doing so, the DApps can transfer these tokens to arbitrary receivers on behalf of the users. To increase the usability, unlimited approval is commonly adopted by DApps to reduce the required interaction between them and their users. However, as shown in existing security incidents, this mechanism can be abused to steal users’ tokens. In this paper, we present the first systematic study to quantify the risk of unlimited approval of ERC20 tokens on Ethereum. Specifically, by evaluating existing transactions up to 31st July 2021, we find that unlimited approval is prevalent (60%, 15.2M/25.4M) in the ecosystem, and 22% of users have a high risk of their approved tokens for stealing. After that, we investigate the security issues that are involved in interacting with the UIs of 22 representative DApps and 9 famous wallets to prepare the approval transactions. The result reveals the worrisome fact that all DApps request unlimited approval from the front-end users and only 10% (3/31) of UIs provide explanatory information for the approval mechanism. Meanwhile, only 16% (5/31) of UIs allow users to modify their approval amounts. Finally, we take a further step to characterize the user behavior into five modes and formalize the good practice, i.e., on-demand approval and timely spending, towards securely spending approved tokens. However, the evaluation result suggests that only 0.2% of users follow the good practice to mitigate the risk. Our study sheds light on the risk of unlimited approval and provides suggestions to secure the approval mechanism of the ERC20 tokens on Ethereum.

Tian Min,Wei Cai

DOI: https://doi.org/10.1007/s42486-022-00094-6

2022-02-15

CCF Transactions on Pervasive Computing and Interaction

Abstract:Decentralized application (DApp) is an emerging technology designed to address distrust, privacy, and security issues. However, we note that the research community in human factors has not conducted in-depth research on user behavior in this unique distributed environment yet. In this paper, unlike a small sample of user interviews, we attempt to profile DApp users through publicly available data. Using Ethereum as an example, we build a series of datasets containing more than 73.8 million transactions generated by 230,000 addresses. By transforming hexadecimal addresses into readable application names, we analyze the behavioral characteristics of the user based on the categories of DApp. Furthermore, we apply an unsupervised clustering method on the 230,000 addresses to distinguish investors and players and analyze their behavioral patterns and sensitivity to blockchain markets, such as ETH prices. In addition, we implement heuristics to demonstrate how blockchain data mining can facilitate practical systems, including anomaly detection and recommend systems. Finally, we discuss future directions for studying human factors in a decentralized context and hope that this work will attract more research attention and support the development of DApp and further Metaverse ecosystems.

Hao Zhou,Haoyu Wang,Yajin Zhou,Xiapu Luo,Yutian Tang,Lei Xue,Ting Wang

DOI: https://doi.org/10.1145/3324884.3416637

2020-01-01

Abstract:Smartphone vendors are using multiple methods to kill processes of Android apps to reduce the battery consumption. This motivates developers to find ways to extend the liveness time of their apps, hence the name diehard apps in this paper. Although there are blogs and articles illustrating methods to achieve this purpose, there is no systematic research about them. What's more important, little is known about the prevalence of diehard apps in the wild. In this paper, we take a first step to systematically investigate diehard apps by answering the following research questions. First, why and how can they circumvent the resource-saving mechanisms of Android? Second, how prevalent are they in the wild? In particular, we conduct a semi -automated analysis to illustrate insights why existing methods to kill app processes could be evaded, and then systematically present 12 diehard methods. After that, we develop a system named DiehardDetector to detect diehard apps in a large scale. The experimental result of applying DiehardDetector to more than 80k Android apps downloaded from Google Play showed that around 21 % of apps adopt various diehard methods. Moreover, our system can achieve high precision and recall.

Kaidong Wu

DOI: https://doi.org/10.48550/arXiv.1902.04969

2019-02-13

Abstract:A decentralized application (dapp for short) refers to an application that is executed by multiple users over a decentralized network. In recent years, the number of dapp keeps fast growing, mainly due to the popularity of blockchain technology. Despite the increasing importance of dapps as a typical application type that is assumed to promote the adoption of blockchain, little is known on what, how, and how well dapps are used in practice. In addition, the insightful knowledge of whether and how a traditional application can be transformed to a dapp is yet missing. To bridge the knowledge gap, this paper presents a comprehensive empirical study on an extensive dataset of 734 dapps that are collected from three popular open dapp marketplaces, i.e., ethereum, state of the dapp, and DAppRadar. We analyze the popularity of dapps, and summarize the patterns of how smart contracts are organized in a dapp. Based on the findings, we draw some implications to help dapp developers and users better understand and deploy dapps.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Yuning Cui,Yi Sun,Zhaowen Lin,Baoquan Ma,Yujie Li

DOI: https://doi.org/10.1109/jiot.2023.3262594

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Android is a mobile operating system with a high degree of openness, which attracts an increasing number of developers. Android application (or simply, app) marketplace provides a trusted source of apps for users and a more equitable competition environment for individual developers and commercial teams. Blockchain’s advantages of decentralization and data immutability are suitable for the Android app marketplace, which is mainly characterized by openness, equality, and security. However, this may also facilitate malicious developers to publish low-quality apps to display ads or steal users’ privacy for revenue. Therefore, blockchain-based app marketplaces have a strong need to identify those potentially unwanted apps (PUAs). In this article, we first introduce our blockchain-based app marketplace model. Then, we propose a new PUA detection method, mainly based on metadata and user ratings, and they are easily accessible from blockchain-based app marketplaces. Moreover, we introduce dynamic analysis to check whether the URLs visited by the app are in malicious URL blacklists since apps with massive access to these URLs tend to affect user experience. After that, we preprocess those complex and redundant features and represent each app as an embedding. Finally, to validate the effectiveness of our method, we utilize several clustering algorithms to represent these apps as clusters and search for suspicious PUA clusters. Our study reveals several characteristics of PUA and suggests that PUAs are still present and need to be urgently removed.

Sabrina Aufiero,Giacomo Ibba,Silvia Bartolucci,Giuseppe Destefanis,Rumyana Neykova,Marco Ortu

2024-01-04

Abstract:In recent years, decentralized applications (dApps) built on blockchain platforms such as Ethereum and coded in languages such as Solidity, have gained attention for their potential to disrupt traditional centralized systems. Despite their rapid adoption, limited research has been conducted to understand the underlying code structure of these applications. In particular, each dApp is composed of multiple smart contracts, each containing a number of functions that can be called to trigger a specific event, e.g., a token transfer. In this paper, we reconstruct and analyse the network of contracts and functions calls within the dApp, which is helpful to unveil vulnerabilities that can be exploited by malicious attackers. We show how decentralization is architecturally implemented, identifying common development patterns and anomalies that could influence the system's robustness and efficiency. We find a consistent network structure characterized by modular, self-sufficient contracts and a complex web of function interactions, indicating common coding practices across the blockchain community. Critically, a small number of key functions within each dApp play a pivotal role in maintaining network connectivity, making them potential targets for cyber attacks and highlighting the need for robust security measures.

Computers and Society,Cryptography and Security,Information Theory,Software Engineering

Zigui Jiang,Kai Chen,Hailin Wen,Zibin Zheng

DOI: https://doi.org/10.1016/j.dcan.2022.08.011

IF: 6.348

2022-12-01

Digital Communications and Networks

Abstract:Smart contract has been the core of blockchain systems and other blockchain-based systems since Blockchain 2.0. Various operations on blockchain are performed through the invocation and execution of smart contracts. This leads to extensive combinations between blockchain, smart contract, Internet of Things (IoT) and Cyber-Physical System (CPS) applications, and then many blockchain-based IoT or CPS applications emerge to provide multiple benefits to the economy and society. In this case, obtaining a better understanding of smart contracts will contribute to the easier operation, higher efficiency and stronger security of those blockchain-based systems and applications. Many existing studies on smart contract analysis are based on similarity calculation and smart contract classification. However, smart contract is a piece of code with special characteristics and most of smart contracts are stored without any category labels, which leads to difficulties of smart contract classification. As the back end of a blockchain-based Decentralized Application (DApp) is one or several smart contracts, DApps with labeled categories and open source codes are applied to achieve a supervised smart contract classification. A three-phase approach is proposed to categorize DApps based on various data features. In this approach, 5,659 DApps with smart contract source codes and pre-tagged categories are first obtained based on massive collected DApps and smart contracts from Ethereum, State of the DApps and DappRadar. Then feature extraction and construction methods are designed to form multi-feature vectors that could present the major characteristics of DApps. Finally, a fused classification model consisting of KNN, XGBoost and random forests is applied to the multi-feature vectors of all DApps for performing DApp classification. The experimental results show that the method is effective. In addition, some positive correlations between feature variables and categories, as well as several user behavior patterns of DApp calls, are found in this paper.

telecommunications

Haotian Lu,Xuetao Wei,Ziwei Wang

DOI: https://doi.org/10.1109/MetaCom57706.2023.00074

2023-06-01

Abstract:Decentralized Finance (DeFi) has been gaining rising importance due to advanced blockchain technology and web3.0. Consequently, many decentralized finance applications (DeFi apps) have emerged, which aim to reconstruct traditional finance and provide financial services with decentralization, transparency, and autonomy. To better understand the characteristics of DeFi apps in this rapidly evolving era, in this paper, we propose to profile DeFi apps based on 666 rigorously classified DeFi apps from a multi-layer perspective, which includes the transaction layer, token layer, and value layer. Our research provides insight into the multiple layers of DeFi apps, including both the breadth and the depth of current transactions, the degree to which apps are interconnected at the level of value flow, and an initial investigation into the relationship between whale trading and market crashes, which better help DeFi app developers with app design, performance evaluation, and optimization.

Computer Science,Business

Pengcheng Xia,Haoyu wang,Bingyu Gao,Weihang Su,Zhou Yu,Xiapu Luo,Chao Zhang,Xusheng Xiao,Guoai Xu

DOI: https://doi.org/10.48550/arXiv.2109.00229

2021-11-11

Abstract:The prosperity of the cryptocurrency ecosystem drives the need for digital asset trading platforms. Beyond centralized exchanges (CEXs), decentralized exchanges (DEXs) are introduced to allow users to trade cryptocurrency without transferring the custody of their digital assets to the middlemen, thus eliminating the security and privacy issues of traditional CEX. Uniswap, as the most prominent cryptocurrency DEX, is continuing to attract scammers, with fraudulent cryptocurrencies flooding in the ecosystem. In this paper, we take the first step to detect and characterize scam tokens on Uniswap. We first collect all the transactions related to Uniswap V2 exchange and investigate the landscape of cryptocurrency trading on Uniswap from different perspectives. Then, we propose an accurate approach for flagging scam tokens on Uniswap based on a guilt-by-association heuristic and a machine-learning powered technique. We have identified over 10K scam tokens listed on Uniswap, which suggests that roughly 50% of the tokens listed on Uniswap are scam tokens. All the scam tokens and liquidity pools are created specialized for the "rug pull" scams, and some scam tokens have embedded tricks and backdoors in the smart contracts. We further observe that thousands of collusion addresses help carry out the scams in league with the scam token/pool creators. The scammers have gained a profit of at least \$16 million from 39,762 potential victims. Our observations in this paper suggest the urgency to identify and stop scams in the decentralized finance ecosystem, and our approach can act as a whistleblower that identifies scam tokens at their early stages.

Cryptography and Security

Nguyen Truong,Gyu Myoung Lee,Kai Sun,Florian Guitton,YiKe Guo

DOI: https://doi.org/10.1016/j.future.2021.05.025

IF: 7.307

2021-11-01

Future Generation Computer Systems

Abstract:<p>Blockchain technology has been envisaged to commence an era of decentralised applications and services (DApps) without the need for a trusted intermediary. Such DApps open a marketplace in which services are delivered to end-users by contributors which are then incentivised by cryptocurrencies in an automated, peer-to-peer, and trustless fashion. However, blockchain, consolidated by smart contracts, only ensures on-chain data security, autonomy and integrity of the business logic execution defined in smart contracts. It cannot guarantee the quality of service of DApps, which entirely depends on the services' performance. Thus, there is a critical need for a trust system to reduce the risk of dealing with fraudulent counterparts in a blockchain network. These reasons motivate us to develop a fully decentralised trust framework deployed on top of a blockchain platform, operating along with DApps in the marketplace to demoralise deceptive entities while encouraging trustworthy ones. The trust system works as an underlying decentralised service providing a feedback mechanism for end-users and maintaining trust relationships among them in the ecosystem accordingly. We believe this research fortifies the DApps ecosystem by introducing an universal trust middleware for DApps as well as shedding light on the implementation of a decentralised trust system.</p>

Jiachi Chen,Jiang Hu,Xin Xia,David Lo,John Grundy,Zhipeng Gao,Ting Chen

DOI: https://doi.org/10.1007/s10515-024-00459-4

IF: 1.677

2024-01-01

Automated Software Engineering

Abstract:Decentralized Finance (DeFi) uses blockchain technologies to transform traditional financial activities into decentralized platforms that run without intermediaries and centralized institutions. Smart contracts are programs that run on the blockchain, and by utilizing smart contracts, developers can more easily develop DeFi applications. Some key features of smart contracts—self-executed and immutability—ensure the trustworthiness, transparency and efficiency of DeFi applications and have led to a fast-growing DeFi market. However, misbehaving developers can add traps or backdoor code snippets to a smart contract, which are hard for contract users to discover. We call these code snippets in a DeFi smart contract as “DeFi Contract Traps” (DCTs). In this paper, we identify five DeFi contract traps and introduce their behaviors, describe how attackers use them to make unfair profits and analyze their prevalence in the Ethereum platform. We propose a symbolic execution tool, DeFiDefender, to detect such traps and use a manually labeled small-scale dataset that consists of 700 smart contracts to evaluate it. Our results show that our tool is not only highly effective but also highly efficient.DeFiDefender only needs 0.48 s to analyze one DeFi smart contract and obtains a high average accuracy (98.17%), precision (99.74%)and recall (89.24%). Among the five DeFi contract traps introduced in this paper, four of them can be detected through contract bytecode without the need for source code. We also apply DeFiDefender to a large-scale dataset that consists of 20,679 real DeFi-related Ethereum smart contracts. We found that 52.13% of these DeFi smart contracts contain at least one contract trap. Although a smart contract that contains contract traps is not necessarily malicious, our finding suggests that DeFi-related contracts have many centralized issues in a zero-trust environment and in the absence of a trusted party.

Guorui Yu,Shibin Zhao,Chao Zhang,Zhiniang Peng,Yuandong Ni,Xinhui Han

DOI: https://doi.org/10.1109/infocom42981.2021.9488749

2021-01-01

Abstract:Blockchains promise to provide a tamper-proof medium for transactions, and thus enable many applications including cryptocurrency. As a system built on consensus, the correctness of a blockchain heavily relies on the consistency of states between its nodes. But consensus protocols of blockchains only guarantee the consistency in the transaction sequence rather than nodes’ internal states. Instead, nodes must replay and exe-cute all transactions to maintain their local states independently. When executing transactions, any different execution result could cause a node out-of-sync and thus gets isolated from other nodes.After systematically modeling the transaction execution process in blockchains, we present a new attack INCITE, which can lead different nodes to different states. Specifically, attackers could invoke an ambiguous transaction of a vulnerable smart contract, utilize software bugs in smart contracts to lead nodes that execute this transaction into different states. Unlike attacks that bring short-term inconsistencies, such as fork attacks, INCITE can cause nodes in the blockchain to fall into a long-term inconsistent state, which further leads to great damages to the chain (e.g., double-spending attacks and expelling mining power). We have discovered 7 0day vulnerabilities in 5 popular blockchains which can enable this attack. We also proposed a defense solution to mitigate this threat. Experiments showed that it is effective and lightweight.

Jianbo Gao,Han Liu,Yue Li,Chao Liu,Zhiqiang Yang,Qingshan Li,Zhi Guan,Zhong Chen

DOI: https://doi.org/10.1109/ICPC.2019.00048

2019-01-01

Abstract:Blockchain-based decentralized applications (DApp) have been widely adopted in different areas and trusted by more and more users due to the fact that the back end code of a DApp is publicly run on the blockchain and cannot be modified implicitly. However, there are few effective methods and tools for testing DApps and bugs can be easily introduced by inexperienced developers. The existing testing techniques either focus on testing front-end programs or back-end code but ignore the interaction between them, which makes it difficult to apply the techniques directly on DApp. In this paper, we present an automated testing technique for DApps which works in a two-phase manner. First, we employ random events to infer an abstract relation between browser-side events and blockchain-side contracts. Second, our technique generates a set of test cases under the guidance of inferred relations and orders the test cases based on a read-write graph. We also use taint analysis to track data flow of the smart contract and feed it to the generation procedure for following test cases. We have developed a tool called Sungari to implement our approach, and evaluated it on representative real-world DApps. The preliminary evaluation results demonstrated the potential of Sungari in achieving a significant optimization compared to random testing approaches.

Ting Chen,Yufei Zhang,Zihao Li,Xiapu Luo,Ting Wang,Rong Cao,Xiuzhuo Xiao,Xiaosong Zhang

DOI: https://doi.org/10.1145/3319535.3345664

2019-01-01

Abstract:Motivated by the success of Bitcoin, lots of cryptocurrencies have been created, the majority of which were implemented as smart contracts running on Ethereum and called tokens. To regulate the interaction between these tokens and users as well as third-party tools (e.g., wallets, exchange markets, etc.), several standards have been proposed for the implementation of token contracts. Although existing tokens involve lots of money, little is known whether or not their behaviors are consistent with the standards. Inconsistent behaviors can lead to user confusion and financial loss, because users/third-party tools interact with token contracts by invoking standard interfaces and listening to standard events. In this work, we take the first step to investigate such inconsistent token behaviors with regard to ERC-20, the most popular token standard. We propose a novel approach to automatically detect such inconsistency by contrasting the behaviors derived from three different sources, including the manipulations of core data structures recording the token holders and their shares, the actions indicated by standard interfaces, and the behaviors suggested by standard events. We implement our approach in a new tool named TokenScope and use it to inspect all transactions sent to the deployed tokens. We detected 3,259,001 transactions that trigger inconsistent behaviors, and these behaviors resulted from 7,472 tokens. By manually examining all (2,353) open-source tokens having inconsistent behaviors, we found that the precision of TokenScope is above 99.9%. Moreover, we revealed 11 major reasons behind the inconsistency, e.g., flawed tokens, standard methods missing, lack of standard events, etc. In particular, we discovered 50 unreported flawed tokens.

Pengcheng Xia,Haoyu Wang,Bowen Zhang,Ru Ji,Bingyu Gao,Lei Wu,Xiapu Luo,Guoai Xu

DOI: https://doi.org/10.1016/j.cose.2020.101993

2020-11-01

Abstract:<p>As the indispensable trading platforms of the ecosystem, hundreds of cryptocurrency exchanges are emerging to facilitate the trading of digital assets. While, it also attracts the attention of attackers. A number of scam attacks were reported targeting cryptocurrency exchanges, leading to a huge amount of financial loss. However, no previous work in the research community has systematically studied this problem. This paper makes the first effort to identify and characterize the cryptocurrency exchange scams. First, over 1,500 scam domains and over 300 fake apps are identified, by collecting existing reports and using typosquatting generation techniques. Then, by investigating the relationship between the scam domains and fake apps, this paper identifies 94 scam domain families and 30 fake app families. By further characterizing the impacts of such scams, it is revealed that these scams have incurred financial loss of 520k US dollars at least. It is further observed that the fake apps have been sneaked to major app markets (including Google Play) to infect unsuspicious users. The findings in this paper demonstrate the urgency to identify and prevent cryptocurrency exchange scams. To facilitate future research, all the identified scam domains and fake apps have been publicly released to the research community.</p>

computer science, information systems

Yuheng Huang,Haoyu Wang,Lei Wu,Gareth Tyson,Xiapu Luo,Run Zhang,Xuanzhe Liu,Gang Huang,Xuxian Jiang

DOI: https://doi.org/10.1145/3392155

2020-01-01

ACM SIGMETRICS Performance Evaluation Review

Abstract:EOSIO has become one of the most popular blockchain platforms since its mainnet launch in June 2018. In contrast to the traditional PoW-based systems (e.g., Bitcoin and Ethereum), which are limited by low throughput, EOSIO is the first high throughput Delegated Proof of Stake system that has been widely adopted by many decentralized applications. Although EOSIO has millions of accounts and billions of transactions, little is known about its ecosystem, especially related to security and fraud. In this paper, we perform a large-scale measurement study of the EOSIO blockchain and its associated DApps. We gather a large-scale dataset of EOSIO and characterize activities including money transfers, account creation and contract invocation. Using our insights, we then develop techniques to automatically detect bots and fraudulent activity. We discover thousands of bot accounts (over 30% of the accounts in the platform) and a number of real-world attacks (301 attack accounts). By the time of our study, 80 attack accounts we identified have been confirmed by DApp teams, causing 828,824 EOS tokens losses (roughly \$2.6 million) in total.