Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Peng Qian,Zhenguang Liu,Yifang Yin,Qinming He

DOI: https://doi.org/10.1145/3543507.3583367

2023-01-01

Abstract:Over the past couple of years, smart contracts have been plagued by multifarious vulnerabilities, which have led to catastrophic financial losses. Their security issues, therefore, have drawn intense attention. As countermeasures, a family of tools has been developed to identify vulnerabilities in smart contracts at the source-code level. Unfortunately, only a small fraction of smart contracts is currently open-sourced. Another spectrum of work is presented to deal with pure bytecode, but most such efforts still suffer from relatively low performance due to the inherent difficulty in restoring abundant semantics in the source code from the bytecode. This paper proposes a novel cross-modality mutual learning framework for enhancing smart contract vulnerability detection on bytecode. Specifically, we engage in two networks, a student network as the primary network and a teacher network as the auxiliary network. takes two modalities, i.e., source code and its corresponding bytecode as inputs, while is fed with only bytecode. By learning from , is trained to infer the missed source code embeddings and combine both modalities to approach precise vulnerability detection. To further facilitate mutual learning between and , we present a cross-modality mutual learning loss and two transfer losses. As a side contribution, we construct and release a labeled smart contract dataset that concerns four types of common vulnerabilities. Experimental results show that our method significantly surpasses state-of-the-art approaches.

Li Duan,Wei Wang,Chunhong Liu,Liu Yang,Wei Ni

DOI: https://doi.org/10.1109/TNSM.2023.3278311

2023-12-01

IEEE Transactions on Network and Service Management

Abstract:Digital assets involved in smart contracts are on the rise. Security vulnerabilities in smart contracts have resulted in significant losses for the blockchain community. Existing smart contract vulnerability detection techniques have been typically single-purposed and focused only on the source code or opcode of contracts. This paper presents a new smart contract vulnerability detection method, which extracts features from different levels of smart contracts to train machine learning models for effective detection of vulnerabilities. Specifically, we propose to extract 2-gram features from the opcodes of smart contracts and token features from the source code using a pre-trained CodeBERT model, thereby capturing the semantic information of smart contracts at different levels. The 2-gram and token features are separately aggregated and then fused and input into machine-learning models to mine the vulnerability features of contracts. Over 10,266 smart contracts are used to verify the proposed method. Widespread reentrancy, timestamp dependence, and transaction-ordering dependence vulnerabilities are considered. Experiments show the fused features can help significantly improve smart contract vulnerability detection compared to the single-level features. The detection accuracy is as high as 98%, 98% and 94% for the three vulnerabilities, respectively. The average detection time is 0.99 second per contract, indicating the proposed method is suitable for automatic batch detection of vulnerabilities in smart contracts.

Computer Science

Dongcheng Li,W. Eric Wong,Xiaodan Wang,Sean Pan,Liang-Seng Koh

2024-10-01

Abstract:This paper introduces a method for detecting vulnerabilities in smart contracts using static analysis and a multi-objective optimization algorithm. We focus on four types of vulnerabilities: reentrancy, call stack overflow, integer overflow, and timestamp dependencies. Initially, smart contracts are compiled into an abstract syntax tree to analyze relationships between contracts and functions, including calls, inheritance, and data flow. These analyses are transformed into static evaluations and intermediate representations that reveal internal relations. Based on these representations, we examine contract's functions, variables, and data dependencies to detect the specified vulnerabilities. To enhance detection accuracy and coverage, we apply a multi-objective optimization algorithm to the static analysis process. This involves assigning initial numeric values to input data and monitoring changes in statement coverage and detection accuracy. Using coverage and accuracy as fitness values, we calculate Pareto front and crowding distance values to select the best individuals for the new parent population, iterating until optimization criteria are met. We validate our approach using an open-source dataset collected from Etherscan, containing 6,693 smart contracts. Experimental results show that our method outperforms state-of-the-art tools in terms of coverage, accuracy, efficiency, and effectiveness in detecting the targeted vulnerabilities.

Software Engineering

Peiqiang Li,Guojun Wang,Xiaofei Xing,Xiangbin Li,Jinyao Zhu

DOI: https://doi.org/10.1080/09540091.2024.2313853

2024-02-15

Connection Science

Abstract:Unknown vulnerabilities, also known as zero-day vulnerabilities, are vulnerabilities in software, systems, or networks that have not yet been publicly disclosed or fixed. If these vulnerabilities are ever discovered by hackers, intentionally or unintentionally, they pose a major threat to network security. This is particularly true in the blockchain field, as smart contracts hold a lot of money, and if they are discovered and exploited by hackers, the financial losses to users will be even greater. However, the current research on smart contract vulnerabilities mainly focuses on known vulnerabilities, and the research on unknown vulnerabilities has been limited. Based on this, we introduce a machine learning-based method for detecting unknown vulnerabilities in smart contracts. First, the method obtains the opcode sequences executed by smart contract transactions in the EVM by instrumenting Geth and replaying the Ethereum transactions. Next, we employ an n-gram model and a vector weight penalty mechanism to extract the opcode sequence features. We then use machine learning algorithms to detect unknown vulnerabilities based on the similarity principle. Finally, we test the effectiveness of our method with four machine learning models: the K-Nearest Neighbor algorithm (KNN), Support Vector Machine (SVM), Logistic Regression (LR), and Decision Tree (DT). The SVM model performs best at detecting unknown vulnerabilities, with an accuracy of 96%, a precision of 91%, a recall of 100%, and an F1-score of 95%. We also discuss the benefits of the method: timely detection of attacks due to unknown vulnerabilities, thus reducing user losses.

computer science, artificial intelligence, theory & methods

Zhigang Xu,Xingxing Chen,Xinhua Dong,Hongmu Han,Zhongzhen Yan,Kangze Ye,Chaojun Li,Zhiqiang Zheng,Haitao Wang,Jiaxi Zhang

DOI: https://doi.org/10.4018/ijdwm.320473

2023-03-22

International Journal of Data Warehousing and Mining

Abstract:Efficient and convenient vulnerability detection for smart contracts is a key issue in the field of smart contracts. The earlier vulnerability detection for smart contracts mainly relies on static symbol analysis, which has high accuracy but low efficiency and is prone to path explosion. In this paper, the authors propose a static method for vulnerability detection based on deep learning. It first disassembles Ethereum smart contracts into opcode sequences and then converts the vulnerability detection problem into a natural language text classification problem. The word vector method is employed to map each opcode to a uniform vector space, and the opcode sequence matrix is trained by the TextCNN method to detect vulnerabilities. Furthermore, a code obfuscation method is given to enhance and balance the dataset, while three different opcode sequence generation methods are proposed to construct features. The experimental results verify that the average prediction accuracy of each smart contract exceeds 96%, and the average detection time is less than 0.1 s.

computer science, software engineering

Mengliang Li,Xiaoxue Ren,Han Fu,Zhuo Li,Jianling Sun

DOI: https://doi.org/10.1109/issre59848.2023.00025

2023-01-01

Abstract:Smart contracts are essential for executing computing logic on blockchain networks. However, they are also susceptible to various vulnerabilities. In recent years, the detection of smart contract vulnerabilities has become a significant concern due to the substantial losses caused by hacker attacks. Traditional vulnerability detection approaches rely on expert rules, which often suffer from limitations in accuracy and completeness. Deep learning-based methods offer better coverage of vulnerabilities but may overlook certain vulnerability characteristics and suffer from overfitting during training. In this paper, we propose a novel approach called ConvMHSA-SCVD, which combines knowledge-driven and data-driven algorithms together to detect smart contract vulnerabilities. By incorporating feature selection, data balancing, and a combination of multi-channel convolution and multi-head self-attention neural networks, our ConvMHSA-SCVD achieves effective vulnerability detection in smart contracts. Extensive experiments demonstrate that our approach outperforms the state-of-the-art method in accuracy and F1 score, with improvements ranging from 0.4% to 3.84% and 1.28% to 1.90%, respectively.

Lee Song Haw Colin,Purnima Murali Mohan,Jonathan Pan,Peter Loh Kok Keong

DOI: https://doi.org/10.1109/access.2024.3364351

IF: 3.9

2024-02-20

IEEE Access

Abstract:perceptron (MLP). We use feature vectors from the Opcodes and CFG for the machine learning (ML) model training. The existing ML-based approaches for analyzing the smart contract code are constrained by the vulnerability detection space, significantly varying Solidity versions, and no unified approach to verify against the ground truth. The primary contributions in this paper are 1) a standardized pre-processing method for smart contract training data, 2) introducing bugs to create a balanced dataset of flawed files across Solidity versions using AST, and 3) standardizing vulnerability identification using the Smart Contract Weakness Classification (SWC) registry. The ML models employed for benchmarking the proposed MLP, and a multi-input model combining MLP and Long short-term memory (LSTM) in our study are Random forest (RF), XGBoost (XGB), Support vector machine (SVM). The performance evaluation on real-time smart contracts deployed on the Ethereum Blockchain show an accuracy of up to 91% using MLP with the lowest average False Positive Rate (FPR) among all tools and models, measuring at 0.0125.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yingli Zhang,Jiali Ma,Xin Liu,Guodong Ye,Qun Jin,Jianhua Ma,Qingguo Zhou

DOI: https://doi.org/10.1109/jiot.2023.3294496

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) has become a focus of information infrastructure development in recent years. The smart blockchain can provide various solutions for trust, security, and privacy (TSP) challenges to protect IoT data, and smart contracts are the foundation of blockchain intelligence, and greatly enhance the ability of smart blockchain to solve TSP problems. So the security of smart contracts must be addressed. We propose an efficient smart contract vulnerability detector to improve the safety of smart contracts. It comprises a graph extraction method and a complete vulnerability detection process. The graph extraction method consists of vulnerability pattern extraction and a graph generation process. The vulnerability detection process first uses the approximate graph matching algorithm to select representative SCGraphs from the dataset to build vulnerability SCGraph libraries. Secondly, determine whether the contract contains vulnerabilities by calculating the similarity between the SCGraphs generated from the contracts to be detected and the SCGraphs in the vulnerability library. Experiments show that our approach achieves an inspiring high detection rate and is the fastest among existing vulnerability detection tools, which indicates that it can provide good vulnerability detection for smart contracts.

computer science, information systems,telecommunications,engineering, electrical & electronic

Dawei Yuan,Xiaohui Wang,Yao Li,Tao Zhang

DOI: https://doi.org/10.1016/j.jss.2023.111699

IF: 3.5

2023-04-08

Journal of Systems and Software

Abstract:Smart contracts have been widely used in the blockchain world these years, and simultaneously vulnerability detection has gained more and more attention due to the staggering economic losses caused by the attacker. Existing tools that analyze vulnerabilities for smart contracts heavily rely on rules predefined by experts, which are labour-intense and require domain knowledge. Moreover, predefined rules tend to be misconceptions and increase the risk of crafty potential back-doors in the future. Recently, researchers mainly used static and dynamic execution analysis to detect the vulnerabilities of smart contracts and have achieved acceptable results. However, the dynamic method cannot cover all the program inputs and execution paths, which leads to some vulnerabilities that are hard to detect. The static analysis method commonly includes symbolic execution and theorem proving, which requires using constraints to detect vulnerability. These shortcomings show that traditional methods are challenging to apply and expand on a large scale. This paper aims to detect vulnerabilities via the Bug Injection framework and transfer learning techniques. First, we train a Transformer encoder using multi-modality code, which contains source code, intermediate representation, and assembly code. The input code consists separately of Solidity source code, intermediate representation, and assembly code. Specifically, we translate source code into the intermediate representation and decompile the byte code into assembly code by the EVM compiler. Then, we propose a novel entropy embedding technique, which combines token embedding, segment embedding, and positional embedding of the Transformer encoder in our approach. After that, we utilize the Bug Injection framework to automatically generate specific types of buggy code for fine-tuning and evaluating the performance of vulnerability detection. The experimental results show that our proposed approach improves the performance in detecting reentrancy vulnerabilities and timestamp dependence. Moreover, our approach is more flexible and scalable than static and dynamic analysis approaches in detecting smart contract vulnerabilities. Our approach improves the baseline approaches by an average of 11.89% in term of F1 score.

computer science, theory & methods, software engineering

Weichu Deng,Huanchun Wei,Teng Huang,Cong Cao,Yun Peng,Xuan Hu

DOI: https://doi.org/10.3390/s23167246

IF: 3.9

2023-08-19

Sensors

Abstract:With the rapid development and widespread application of blockchain technology in recent years, smart contracts running on blockchains often face security vulnerability problems, resulting in significant economic losses. Unlike traditional programs, smart contracts cannot be modified once deployed, and vulnerabilities cannot be remedied. Therefore, the vulnerability detection of smart contracts has become a research focus. Most existing vulnerability detection methods are based on rules defined by experts, which are inefficient and have poor scalability. Although there have been studies using machine learning methods to extract contract features for vulnerability detection, the features considered are singular, and it is impossible to fully utilize smart contract information. In order to overcome the limitations of existing methods, this paper proposes a smart contract vulnerability detection method based on deep learning and multimodal decision fusion. This method also considers the code semantics and control structure information of smart contracts. It integrates the source code, operation code, and control-flow modes through the multimodal decision fusion method. The deep learning method extracts five features used to represent contracts and achieves high accuracy and recall rates. The experimental results show that the detection accuracy of our method for arithmetic vulnerability, re-entrant vulnerability, transaction order dependence, and Ethernet locking vulnerability can reach 91.6%, 90.9%, 94.8%, and 89.5%, respectively, and the detected AUC values can reach 0.834, 0.852, 0.886, and 0.825, respectively. This shows that our method has a good vulnerability detection effect. Furthermore, ablation experiments show that the multimodal decision fusion method contributes significantly to the fusion of different modalities.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

KeXin Gong,Xiangmei Song,Na Wang,Chunyang Wang,Huijuan Zhu

DOI: https://doi.org/10.1049/blc2.12046

2023-09-07

IET Blockchain

Abstract:A novel vulnerability detection method based on transformer is proposed by constructing the control flow graph (CFG) of smart contracts operation codes (opcodes), which shields the difference of various versions of program language. Extensive experiments are conducted to evaluate the effectiveness of the proposed method on the authors' own collected dataset. The experimental results show that the proposed method achieves 94.36% accuracy in vulnerability detection, which performs better than other state‐of‐the‐art methods The security of smart contract has always been one of the significant problems in blockchain. As shown in previous studies, vulnerabilities in smart contracts can lead to unpredictable losses. With the rapid growth of the number of smart contracts, more and more data driven detection technologies based on machine learning have been proposed. However, some state‐of‐the‐art approaches mainly rely on the source code of smart contract. These methods are limited by the openness of the source code and the version of the programming language. To address this problem, we propose a novel vulnerability detection method based on transformer by constructing the control flow graph (CFG) of smart contracts operation codes (opcodes), which shields the difference of various versions of program language. Extensive experiments are conducted to evaluate the effectiveness of the proposed method on the authors' own collected dataset. The experimental results show that the proposed method achieves 94.36% accuracy in vulnerability detection, which performs better than other state‐of‐the‐art methods.

Zhaoxuan Li,Siqi Lu,Rui Zhang,Ziming Zhao,Rujin Liang,Rui Xue,Wenhao Li,Fan Zhang,Sheng Gao

DOI: https://doi.org/10.1109/tse.2023.3317209

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:With the economic development of Ethereum, the frequent security incidents involving smart contracts running on this platform have caused billions of dollars in losses. Consequently, there is a pressing need to identify the vulnerabilities in contracts, while the state-of-the-art (SOTA) detection methods have been limited in this regard as they cannot overcome three challenges at the same time. (i) Meet the requirements of detecting the source code, bytecode, and opcode of contracts simultaneously; (ii) reduce the reliance on manual pre-defined rules/patterns and expert involvement; (iii) assist contract developers in completing the contract lifecycle more safely, e.g., vulnerability repair and abnormal monitoring. With the development of machine learning (ML), using it to detect the contract runtime execution sequences (called instances) has made it possible to address these challenges. However, the lack of datasets with fine-grained sequence labels poses a significant obstacle, given the unreadability of bytecode/opcode. To this end, we propose a method named VulHunter that extracts the instances by traversing the Control Flow Graph built from contract opcodes. Based on the hybrid attention and multi-instance learning mechanisms, VulHunter reasons the instance labels and designs an optional classifier to automatically capture the subtle features of both normal and defective contracts, thereby identifying the vulnerable instances. Then, it combines the symbolic execution to construct and solve symbolic constraints to validate their feasibility. Finally, we implement a prototype of VulHunter with 15K lines of code and compare it with 9 SOTA methods on five open source datasets including 52,042 source codes and 184,289 bytecodes. The results indicate that VulHunter can detect contract vulnerabilities more accurately (90.04% accurate rate and 85.60% F1 score), efficiently (only took 4.4 seconds per contract), and robustly (0% analysis failed rate) than the SOTA methods. Also, it can focus on specific metrics such as precision and recall by employing different baseline models and hyperparameters to meet the various user requirements, e.g., vulnerability discovery and misreport mitigation. More importantly, compared with the previous ML-based arts, it can not only provide classification results, defective contract source code statements, key opcode fragments, and vulnerable execution paths, but also eliminate misreports and facilitate more operations such as vulnerability repair and attack simulation during the contract lifecycle.

engineering, electrical & electronic,computer science, software engineering

Ruidong Chen,Yangyang Liu,Shiping Huang,Yuyan Sun,Guozheng Li,Qiwen Jiang

DOI: https://doi.org/10.1109/ICCBD-AI62252.2023.00022

2023-12-15

Abstract:The increasement of blockchain applications has brought about many security issues, with smart contract vulnerabilities causing significant financial losses. The majority of current smart contract vulnerability detection methods predominantly rely on static analysis of the source code and predefined expert rules. However, these approaches exhibit certain limitations, characterized by their restricted scalability and lower detection accuracy. Therefore in this paper, we use graph neural networks to perform smart contract vulnerability detection at the bytecode level, aiming to address the aforementioned issues. In particular, we propose a novel detection model. In order to acquire a comprehensive understanding of the dependencies among individual functions within a smart contract, we first construct a Program Dependency Graph(PDG) of functions, extract function-level features using graph neural networks, then augment function-level features using a self-attentive mechanism to learn the dependencies between functions, and finally aggregate function-level features for detecting the vulnerabilities. Our model possesses the capability to identify the subtle nuances in the interactions and interdependencies among different functions, consequently enhancing the precision of vulnerability detection. Experimental results show the performance of the method compared to existing smart contract vulnerability detection methods across multiple evaluation metrics.

Computer Science

Lejun Zhang,Yuan Li,Tianxing Jin,Weizheng Wang,Zilong Jin,Chunhui Zhao,Zhennao Cai,Huiling Chen

DOI: https://doi.org/10.3390/s22124621

2022-06-19

Abstract:With countless devices connected to the Internet of Things, trust mechanisms are especially important. IoT devices are more deeply embedded in the privacy of people's lives, and their security issues cannot be ignored. Smart contracts backed by blockchain technology have the potential to solve these problems. Therefore, the security of smart contracts cannot be ignored. We propose a flexible and systematic hybrid model, which we call the Serial-Parallel Convolutional Bidirectional Gated Recurrent Network Model incorporating Ensemble Classifiers (SPCBIG-EC). The model showed excellent performance benefits in smart contract vulnerability detection. In addition, we propose a serial-parallel convolution (SPCNN) suitable for our hybrid model. It can extract features from the input sequence for multivariate combinations while retaining temporal structure and location information. The Ensemble Classifier is used in the classification phase of the model to enhance its robustness. In addition, we focused on six typical smart contract vulnerabilities and constructed two datasets, CESC and UCESC, for multi-task vulnerability detection in our experiments. Numerous experiments showed that SPCBIG-EC is better than most existing methods. It is worth mentioning that SPCBIG-EC can achieve F1-scores of 96.74%, 91.62%, and 95.00% for reentrancy, timestamp dependency, and infinite loop vulnerability detection.

Tao Feng,Yuyang Cui

DOI: https://doi.org/10.4018/ijswis.342850

2024-05-02

International Journal on Semantic Web and Information Systems

Abstract:In recent years, smart contracts have risen rapidly in the blockchain field, but security issues have also become increasingly prominent. Due to the lack of unified evaluation standards, the security analysis of smart contracts mainly relies on complex and not easily scalable expert rules. To address these issues, we employ slicing techniques to reduce the interference of extraneous code on the detection process, apply normalisation techniques to eliminate the differences between different compiler versions and use particle swarm optimisation algorithms to determine the similarity between contracts, thus improving the accuracy and efficiency of detection. In addition, we combine a variety of features such as static analysis, dynamic analysis and symbolic execution to gain a more comprehensive understanding of contract characteristics and behaviours for more accurate vulnerability identification. Experimental results show that the scheme significantly improves the detection capability and provides a new solution for the security detection of smart contracts.

computer science, information systems, artificial intelligence

Zeqin Liao,Zibin Zheng,Xiao Chen,Yuhong Nan

DOI: https://doi.org/10.1145/3533767.3534222

2022-01-01

Abstract:With the increasing popularity of blockchain, automatically detecting vulnerabilities in smart contracts is becoming a significant problem. Prior research mainly identifies smart contract vulnerabilities without considering the interactions between multiple contracts. Due to the lack of analyzing the fine-grained contextual information during cross-contract invocations, existing approaches often produced a large number of false positives and false negatives. This paper proposes SmartDagger, a new framework for detecting cross-contract vulnerability through static analysis at the bytecode level. SmartDagger integrates a set of novel mechanisms to ensure its effectiveness and efficiency for cross-contract vulnerability detection. Particularly, SmartDagger effectively recovers the contract attribute information from the smart contract bytecode, which is critical for accurately identifying cross-contract vulnerabilities. Besides, instead of performing the typical whole-programanalysis which is heavy-weight and time-consuming, SmartDagger selectively analyzes a subset of functions and reuses the data-flow results, which helps to improve its efficiency. Our further evaluation over a manually labelled dataset showed that SmartDagger significantly outperforms other state-of-the-art tools (i.e., Oyente, Slither, Osiris, and Mythril) for detecting cross-contract vulnerabilities. In addition, running SmartDagger over a randomly selected dataset of 250 smart contracts in the real-world, SmartDagger detects 11 cross-contract vulnerabilities, all of which are missed by prior tools.

Yujian Zhang,Daifu Liu

DOI: https://doi.org/10.3390/fi14110326

2022-11-12

Future Internet

Abstract:With the blooming of blockchain-based smart contracts in decentralized applications, the security problem of smart contracts has become a critical issue, as vulnerable contracts have resulted in severe financial losses. Existing research works have explored vulnerability detection methods based on fuzzing, symbolic execution, formal verification, and static analysis. In this paper, we propose two static analysis approaches called ASGVulDetector and BASGVulDetector for detecting vulnerabilities in Ethereum smart contacts from source-code and bytecode perspectives, respectively. First, we design a novel intermediate representation called abstract semantic graph (ASG) to capture both syntactic and semantic features from the program. ASG is based on syntax information but enriched by code structures, such as control flow and data flow. Then, we apply two different training models, i.e., graph neural network (GNN) and graph matching network (GMN), to learn the embedding of ASG and measure the similarity of the contract pairs. In this way, vulnerable smart contracts can be identified by calculating the similarity to labeled ones. We conduct extensive experiments to evaluate the superiority of our approaches to state-of-the-art competitors. Specifically, ASGVulDetector improves the best of three source-code-only static analysis tools (i.e., SmartCheck, Slither, and DR-GCN) regarding the F1 score by 12.6% on average, while BASGVulDetector improves that of the three detection tools supporting bytecode (i.e., ContractFuzzer, Oyente, and Securify) regarding the F1 score by 25.6% on average. We also investigate the effectiveness and advantages of the GMN model for detecting vulnerabilities in smart contracts.

Jinggang Li,Gehao Lu,Yulian Gao,Feng Gao

DOI: https://doi.org/10.3390/math11234823

IF: 2.4

2023-11-30

Mathematics

Abstract:With the proliferation of blockchain technology in decentralized applications like decentralized finance and supply chain and identity management, smart contracts operating on a blockchain frequently encounter security issues such as reentrancy vulnerabilities, timestamp dependency vulnerabilities, tx.origin vulnerabilities, and integer overflow vulnerabilities. These security concerns pose a significant risk of causing substantial losses to user accounts. Consequently, the detection of vulnerabilities in smart contracts has become a prominent area of research. Existing research exhibits limitations, including low detection accuracy in traditional smart contract vulnerability detection approaches and the tendency of deep learning-based solutions to focus on a single type of vulnerability. To address these constraints, this paper introduces a smart contract vulnerability detection method founded on multimodal feature fusion. This method adopts a multimodal perspective to extract three modal features from the lifecycle of smart contracts, leveraging both static and dynamic features comprehensively. Through deep learning models like Graph Convolutional Networks (GCNs) and bidirectional Long Short-Term Memory networks (bi-LSTMs), effective detection of vulnerabilities in smart contracts is achieved. Experimental results demonstrate that the proposed method attains detection accuracies of 85.73% for reentrancy vulnerabilities, 85.41% for timestamp dependency vulnerabilities, 83.58% for tx.origin vulnerabilities, and 90.96% for integer Overflow vulnerabilities. Furthermore, ablation experiments confirm the efficacy of the newly introduced modal features, highlighting the significance of fusing dynamic and static features in enhancing detection accuracy.

mathematics

Daojing He,Rui Wu,Xinji Li,Sammy Chan,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2023.3241544

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:With the wide application of IoT and blockchain, research on smart contracts has received increased attention, and security threat detection for smart contracts is one of the main focuses. This paper first introduces the common security vulnerabilities in blockchain smart contracts, and then classifies the vulnerabilities detection tools for smart contracts into six categories according to the different detection methods: formal verification method, symbol execution method, fuzzy testing method, intermediate representation method, stain analysis method and deep learning method. We test 27 detection tools, and analyze them from several perspectives, including the capability of detecting a smart contract version. Finally, it is concluded that most of the current vulnerability detection tools can only detect vulnerabilities in a single and old version of smart contracts. Although the deep learning method detects fewer types of smart contract vulnerabilities, it has higher detection accuracy and efficiency. Therefore, the combination of static detection methods such as deep learning method and dynamic detection methods including the fuzzy testing method to detect more types of vulnerabilities in multi-version smart contracts to achieve higher accuracy is a direction worthy of research in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic