Noama Fatima Samreen,Manar H. Alalfi

DOI: https://doi.org/10.1109/IWBOSE50093.2020.9050260

2021-05-07

Abstract:Ethereum Smart contracts use blockchain to transfer values among peers on networks without central agency. These programs are deployed on decentralized applications running on top of the blockchain consensus protocol to enable people to make agreements in a transparent and conflict-free environment. The security vulnerabilities within those smart contracts are a potential threat to the applications and have caused huge financial losses to their users. In this paper, we present a framework that combines static and dynamic analysis to detect Reentrancy vulnerabilities in Ethereum smart contracts. This framework generates an attacker contract based on the ABI specifications of smart contracts under test and analyzes the contract interaction to precisely report Reentrancy vulnerability. We conducted a preliminary evaluation of our proposed framework on 5 modified smart contracts from Etherscan and our framework was able to detect the Reentrancy vulnerability in all our modified contracts. Our framework analyzes smart contracts statically to identify potentially vulnerable functions and then uses dynamic analysis to precisely confirm Reentrancy vulnerability, thus achieving increased performance and reduced false positives.

Cryptography and Security

Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Peng Qian,Zhenguang Liu,Qinming He,Roger Zimmermann,Xun Wang

DOI: https://doi.org/10.1109/access.2020.2969429

IF: 3.9

2020-01-01

IEEE Access

Abstract:In the last decade, smart contract security issues lead to tremendous losses, which has attracted increasing public attention both in industry and in academia. Researchers have embarked on efforts with logic rules, symbolic analysis, and formal analysis to achieve encouraging results in smart contract vulnerability detection tasks. However, the existing detection tools are far from satisfactory. In this paper, we attempt to utilize the deep learning-based approach, namely bidirectional long-short term memory with attention mechanism (BLSTM-ATT), aiming to precisely detect reentrancy bugs. Furthermore, we propose contract snippet representations for smart contracts, which contributes to capturing essential semantic information and control flow dependencies. Our extensive experimental studies on over 42,000 real-world smart contracts show that our proposed model and contract snippet representations significantly outperform state-of-the-art methods. In addition, this work proves that it is practical to apply deep learning-based technology on smart contract vulnerability detection, which is able to promote future research towards this area.

Mingtao Ji,GuangJun Liang,Meng Li,Haoyan Zhang,Jiacheng He

DOI: https://doi.org/10.1007/978-3-030-78621-2_41

2021-01-01

Abstract:As the blockchain enters the 2.0 era, the smart contract which is based on the blockchain platform has gradually entered people’s field of vision. By its transparency, non-tampering, independence from third-party arbitration, and trustlessness, it is widely applied in equity crowdfunding, games, insurance, particularly the Internet of Things. However, the attack on the TheDAO smart contract alert public awareness of the security of a smart contract. The essence of the smart contract is an electronic contract written in code. Due to reasons like lacking standard libraries for its programming language, several loopholes will inevitably appear in the code. Once they are found by attackers, the interests of the main body using smart contracts will be damaged. There are many types of vulnerabilities in smart contracts, such as reentrancy, short address attacks, and timestamp dependence. This article mainly focuses on re-entry vulnerabilities as the research object and analyzes the principle of re-entry vulnerabilities. Featuring immutable after being chained, the smart contract must be checked before it is chained to make up for the vulnerability. This paper provides a detection method based on symbolic execution to detect reentrancy vulnerabilities. We hope to strengthen people’s security awareness of smart contracts and boost the research of smart contracts in terms of security by our study of the smart contract reentrancy vulnerability in this article. Promote the research and development of smart contracts.

Shuo Yang,Jiachi Chen,Mingyuan Huang,Zibin Zheng,Yuan Huang

2024-03-28

Abstract:Reentrancy, a notorious vulnerability in smart contracts, has led to millions of dollars in financial loss. However, current smart contract vulnerability detection tools suffer from a high false positive rate in identifying contracts with reentrancy vulnerabilities. Moreover, only a small portion of the detected reentrant contracts can actually be exploited by hackers, making these tools less effective in securing the Ethereum ecosystem in practice.

Cryptography and Security,Software Engineering

Yuichiro Chinen,Naoto Yanai,Jason Paul Cruz,Shingo Okamura

DOI: https://doi.org/10.48550/arXiv.2007.01029

2020-07-02

Abstract:Ethereum smart contracts are programs that are deployed and executed in a consensus-based blockchain managed by a peer-to-peer network. Several re-entrancy attacks that aim to steal Ether, the cryptocurrency used in Ethereum, stored in deployed smart contracts have been found in the recent years. A countermeasure to such attacks is based on dynamic analysis that executes the smart contracts themselves, but it requires the spending of Ether and knowledge of attack patterns for analysis in advance. In this paper, we present a static analysis tool named \textit{RA (Re-entrancy Analyzer)}, a combination of symbolic execution and equivalence checking by a satisfiability modulo theories solver to analyze smart contract vulnerabilities to re-entrancy attacks. In contrast to existing tools, RA supports analysis of inter-contract behaviors by using only the Etherum Virtual Machine bytecodes of target smart contracts, i.e., even without prior knowledge of attack patterns and without spending Ether. Furthermore, RA can verify existence of vulnerabilities to re-entrancy attacks without execution of smart contracts and it does not provide false positives and false negatives. We also present an implementation of RA to evaluate its performance in analyzing the vulnerability of deployed smart contracts to re-entrancy attacks and show that RA can precisely determine which smart contracts are vulnerable.

Cryptography and Security

Zulfiqar Ali Khan,Akbar Siami Namin

DOI: https://doi.org/10.1109/access.2024.3401623

IF: 3.9

2024-05-24

IEEE Access

Abstract:Ethereum Blockchain technology introduced a competitive environment in the financial sector. Consequently, new technologies emerged, such as Smart Contracts (SCs), which preclude code corrections due to their immutable nature. However, the incorrect and faulty uploaded SCs led to uninvited penetrations into SCs' accounts, resulting in considerable customer losses. This SC's drawback requires tools to test the SCs and paves the way for research on vulnerability detection techniques. Our survey paper comprehensively reviews 41 SC tools and presents the vulnerability detection techniques (VDTs) of several previously invented tools by dividing them into general and specific classes. Finally, we also perform a classification of detection techniques to standardize the approaches. Thus, our study will help SC developers and security analysts to streamline the security of SCs and reduce the chances of malicious monetary transfers.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zulfiqar Ali Khan,Akbar Siami Namin

DOI: https://doi.org/10.48550/arXiv.2012.14481

2020-12-29

Abstract:Smart contract (SC) is an extension of BlockChain technology. Ethereum BlockChain was the first to incorporate SC and thus started a new era of crypto-currencies and electronic transactions. Solidity helps to program the SCs. Still, soon after Solidity's emergence in 2014, Solidity-based SCs suffered many attacks that deprived the SC account holders of their precious funds. The main reason for these attacks was the presence of vulnerabilities in SC. This paper discusses SC vulnerabilities and classifies them according to the domain knowledge of the faulty operations. This classification is a source of reminding developers and software engineers that for SC's safety, each SC requires proper testing with effective tools to catch those classes' vulnerabilities.

Cryptography and Security

Zexu Wang,Jiachi Chen,Yanlin Wang,Yu Zhang,Weizhe Zhang,Zibin Zheng

2024-03-18

Abstract:Reentrancy vulnerability as one of the most notorious vulnerabilities, has been a prominent topic in smart contract security research. Research shows that existing vulnerability detection presents a range of challenges, especially as smart contracts continue to increase in complexity. Existing tools perform poorly in terms of efficiency and successful detection rates for vulnerabilities in complex contracts. To effectively detect reentrancy vulnerabilities in contracts with complex logic, we propose a tool named SliSE. SliSE's detection process consists of two stages: Warning Search and Symbolic Execution Verification. In Stage I, SliSE utilizes program slicing to analyze the Inter-contract Program Dependency Graph (I-PDG) of the contract, and collects suspicious vulnerability information as warnings. In Stage II, symbolic execution is employed to verify the reachability of these warnings, thereby enhancing vulnerability detection accuracy. SliSE obtained the best performance compared with eight state-of-the-art detection tools. It achieved an F1 score of 78.65%, surpassing the highest score recorded by an existing tool of 9.26%. Additionally, it attained a recall rate exceeding 90% for detection of contracts on Ethereum. Overall, SliSE provides a robust and efficient method for detection of Reentrancy vulnerabilities for complex contracts.

Software Engineering

Dongcheng Li,W. Eric Wong,Xiaodan Wang,Sean Pan,Liang-Seng Koh

2024-10-01

Abstract:This paper introduces a method for detecting vulnerabilities in smart contracts using static analysis and a multi-objective optimization algorithm. We focus on four types of vulnerabilities: reentrancy, call stack overflow, integer overflow, and timestamp dependencies. Initially, smart contracts are compiled into an abstract syntax tree to analyze relationships between contracts and functions, including calls, inheritance, and data flow. These analyses are transformed into static evaluations and intermediate representations that reveal internal relations. Based on these representations, we examine contract's functions, variables, and data dependencies to detect the specified vulnerabilities. To enhance detection accuracy and coverage, we apply a multi-objective optimization algorithm to the static analysis process. This involves assigning initial numeric values to input data and monitoring changes in statement coverage and detection accuracy. Using coverage and accuracy as fitness values, we calculate Pareto front and crowding distance values to select the best individuals for the new parent population, iterating until optimization criteria are met. We validate our approach using an open-source dataset collected from Etherscan, containing 6,693 smart contracts. Experimental results show that our method outperforms state-of-the-art tools in terms of coverage, accuracy, efficiency, and effectiveness in detecting the targeted vulnerabilities.

Software Engineering

Fuchen Ma,Meng Ren,Ying Fu,Mingzhe Wang,Huizhong Li,Houbing Song,Yu Jiang

DOI: https://doi.org/10.1016/j.ipm.2021.102565

IF: 7.466

2021-01-01

Information Processing & Management

Abstract:Smart contracts are more sensitive from a security perspective than other software due to several reasons. First, smart contracts are immutable thus cannot be easily patched once deployed. Second, smart contracts are directly tied to payments and can hold millions of dollars' worth of digital currencies. Third, smart contracts are still a new practice thus do not have best coding practices and development lifecycles tailored for decentralized apps yet. Even though several testing and verification tools have been developed, smart contract vulnerabilities remain a clear and present danger. In this paper, we present an approach that is different from existing ones that attempt to eliminate vulnerabilities from smart contracts. Instead, we fortify Ethereum virtual machines (EVM) to stop dangerous transactions once vulnerabilities are detected in real-time. Since proving programs written in Turing-complete languages is undecidable, our approach complements current approaches by catching vulnerabilities and interrupts their executions during runtime. We have implemented our reinforcement on two widely used EVMs (js-evm and FISCO-BCOS-evm). The reinforced EVMs detects and interrupts all the vulnerabilities, 20% of them missed by testing tools, in 100 real smart contracts. Our approach is practical with less than 34% overhead. In fact, the reinforced FISCO-BCOS-evm has been integrated into the official release of FISCO-BCOS adopted by a large Chinese bank WeBank.

Dawei Yuan,Xiaohui Wang,Yao Li,Tao Zhang

DOI: https://doi.org/10.1016/j.jss.2023.111699

IF: 3.5

2023-04-08

Journal of Systems and Software

Abstract:Smart contracts have been widely used in the blockchain world these years, and simultaneously vulnerability detection has gained more and more attention due to the staggering economic losses caused by the attacker. Existing tools that analyze vulnerabilities for smart contracts heavily rely on rules predefined by experts, which are labour-intense and require domain knowledge. Moreover, predefined rules tend to be misconceptions and increase the risk of crafty potential back-doors in the future. Recently, researchers mainly used static and dynamic execution analysis to detect the vulnerabilities of smart contracts and have achieved acceptable results. However, the dynamic method cannot cover all the program inputs and execution paths, which leads to some vulnerabilities that are hard to detect. The static analysis method commonly includes symbolic execution and theorem proving, which requires using constraints to detect vulnerability. These shortcomings show that traditional methods are challenging to apply and expand on a large scale. This paper aims to detect vulnerabilities via the Bug Injection framework and transfer learning techniques. First, we train a Transformer encoder using multi-modality code, which contains source code, intermediate representation, and assembly code. The input code consists separately of Solidity source code, intermediate representation, and assembly code. Specifically, we translate source code into the intermediate representation and decompile the byte code into assembly code by the EVM compiler. Then, we propose a novel entropy embedding technique, which combines token embedding, segment embedding, and positional embedding of the Transformer encoder in our approach. After that, we utilize the Bug Injection framework to automatically generate specific types of buggy code for fine-tuning and evaluating the performance of vulnerability detection. The experimental results show that our proposed approach improves the performance in detecting reentrancy vulnerabilities and timestamp dependence. Moreover, our approach is more flexible and scalable than static and dynamic analysis approaches in detecting smart contract vulnerabilities. Our approach improves the baseline approaches by an average of 11.89% in term of F1 score.

computer science, theory & methods, software engineering

Zeqin Liao,Sicheng Hao,Yuhong Nan,Zibin Zheng

DOI: https://doi.org/10.1145/3597926.3598111

2024-06-23

Abstract:Smart contracts written in Solidity are widely used in different blockchain platforms such as Ethereum, TRON and BNB Chain. One of the unique designs in Solidity smart contracts is its state-reverting mechanism for error handling and access control. Unfortunately, a number of recent security incidents showed that adversaries also utilize this mechanism to manipulate critical states of smart contracts, and hence, bring security consequences such as illegal profit-gain and Deny-of-Service (DoS). In this paper, we call such vulnerabilities as the State-reverting Vulnerability (SRV). Automatically identifying SRVs poses unique challenges, as it requires an in-depth analysis and understanding of the state-dependency relations in smart contracts. This paper presents SmartState, a new framework for detecting state-reverting vulnerability in Solidity smart contracts via fine-grained state-dependency analysis. SmartState integrates a set of novel mechanisms to ensure its effectiveness. Particularly, Smart-State extracts state dependencies from both contract bytecode and historical transactions. Both of them are critical for inferring dependencies related to SRVs. Further, SmartState models the generic patterns of SRVs (i.e., profit-gain and DoS) as SRV indicators, and hence effectively identify SRVs based on the constructed state-dependency graph. To evaluate SmartState, we manually annotated a ground-truth dataset which contains 91 SRVs in the real world. Evaluation results showed that SmartState achieves a precision of 87.23% and a recall of 89.13%. In addition, SmartState successfully identifies 406 new SRVs from 47,351 real-world smart contracts. 11 of these SRVs are from popular smart contracts with high transaction amounts (i.e., top 2000). In total, our reported SRVs affect a total amount of digital assets worth 428,600 USD.

Software Engineering

Zibin Zheng,Neng Zhang,Jianzhong Su,Zhijie Zhong,Mingxi Ye,Jiachi Chen

2023-03-24

Abstract:Smart contracts are programs deployed on a blockchain and are immutable once deployed. Reentrancy, one of the most important vulnerabilities in smart contracts, has caused millions of dollars in financial loss. Many reentrancy detection approaches have been proposed. It is necessary to investigate the performance of these approaches to provide useful guidelines for their application. In this work, we conduct a large-scale empirical study on the capability of five well-known or recent reentrancy detection tools such as Mythril and Sailfish. We collect 230,548 verified smart contracts from Etherscan and use detection tools to analyze 139,424 contracts after deduplication, which results in 21,212 contracts with reentrancy issues. Then, we manually examine the defective functions located by the tools in the contracts. From the examination results, we obtain 34 true positive contracts with reentrancy and 21,178 false positive contracts without reentrancy. We also analyze the causes of the true and false positives. Finally, we evaluate the tools based on the two kinds of contracts. The results show that more than 99.8% of the reentrant contracts detected by the tools are false positives with eight types of causes, and the tools can only detect the reentrancy issues caused by call.value(), 58.8% of which can be revealed by the Ethereum's official IDE, Remix. Furthermore, we collect real-world reentrancy attacks reported in the past two years and find that the tools fail to find any issues in the corresponding contracts. Based on the findings, existing works on reentrancy detection appear to have very limited capability, and researchers should turn the rudder to discover and detect new reentrancy patterns except those related to call.value().

Software Engineering

Yinxing Xue,Mingliang Ma,Yun Lin,Yulei Sui,Jiaming Ye,Tianyong Peng

DOI: https://doi.org/10.1145/3324884.3416553

2020-12-21

Abstract:Reentrancy bugs, one of the most severe vulnerabilities in smart contracts, have caused huge financial loss in recent years. Researchers have proposed many approaches to detecting them. However, empirical studies have shown that these approaches suffer from undesirable false positives and false negatives, when the code under detection involves the interaction between multiple smart contracts. In this paper, we propose an accurate and efficient cross-contract reentrancy detection approach in practice. Rather than design rule-of-thumb heuristics, we conduct a large empirical study of 11714 real-world contracts from Etherscan against three well-known general-purpose security tools for reentrancy detection. We manually summarized the reentrancy scenarios where the state-of-the-art approaches cannot address. Based on the empirical evidence, we present Clairvoyance, a cross-function and cross-contract static analysis to detect reentrancy vulnerabilities in real world with significantly higher accuracy. To reduce false negatives, we enable, for the first time, a cross-contract call chain analysis by tracking possibly tainted paths. To reduce false positives, we systematically summarized five major path protective techniques (PPTs) to support fast yet precise path feasibility checking. We implemented our approach and compared Clairvoyance with five state-of-the-art tools on 17770 real-worlds contracts. The results show that Clairvoyance yields the best detection accuracy among all the five tools and also finds 101 unknown reentrancy vulnerabilities.

Nikolay Ivanov,Qiben Yan,Anurag Kompalli

DOI: https://doi.org/10.1109/TIFS.2023.3234895

2023-01-21

Abstract:Ethereum is a permissionless blockchain ecosystem that supports execution of smart contracts, the key enablers of decentralized finance (DeFi) and non-fungible tokens (NFT). However, the expressiveness of Ethereum smart contracts is a double-edged sword: while it enables blockchain programmability, it also introduces security vulnerabilities, i.e., the exploitable discrepancies between expected and actual behaviors of the contract code. To address these discrepancies and increase the vulnerability coverage, we propose a new smart contract security testing approach called transaction encapsulation. The core idea lies in the local execution of transactions on a fully-synchronized yet isolated Ethereum node, which creates a preview of outcomes of transaction sequences on the current state of blockchain. This approach poses a critical technical challenge -- the well-known time-of-check/time-of-use (TOCTOU) problem, i.e., the assurance that the final transactions will exhibit the same execution paths as the encapsulated test transactions. In this work, we determine the exact conditions for guaranteed execution path replicability of the tested transactions, and implement a transaction testing tool, TxT, which reveals the actual outcomes of Ethereum transactions. To ensure the correctness of testing, TxT deterministically verifies whether a given sequence of transactions ensues an identical execution path on the current state of blockchain. We analyze over 1.3 billion Ethereum transactions and determine that 96.5% of them can be verified by TxT. We further show that TxT successfully reveals the suspicious behaviors associated with 31 out of 37 vulnerabilities (83.8% coverage) in the smart contract weakness classification (SWC) registry. In comparison, the vulnerability coverage of all the existing defense approaches combined only reaches 40.5%.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

NI Yuandong,ZHANG Chao,YIN Tingting

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2020.05.07

2020-01-01

Journal of Cyber Security

Abstract:Smart contract is a decentralized application that operates on a blockchain platform, providing secure and reliable capabilities to contract participants. Smart contracts play an important role in decentralized application scenarios. They are widely used in many fields, such as equity crowdfunding, games, insurance, and the Internet of Things, making them attractive to attackers. Compared to traditional programs, the security of smart contracts affects not only the fairness of contracts but also the safety of high volume digital assets on the blockchain managed by contracts. Therefore, analyzing the security of smart contracts and associated vulnerabilities is crucial. In this paper, we analyzed the characteristics of smart contracts and new security risks they bring. We propose a three-layer threat model, i.e., threats from high-level languages, virtual machines, and the blockchain, for characterizing smart contract security. We use the world′s largest smart contract platform Ethereum as an example to illustrate 15 types of common vulnerabilities in smart contracts. We then summarize the main challenges and progress of smart contract security research on vulnerability, including automated vulnerability detection, automated exploit generation and mitigations for smart contracts. At the end of this paper, we highlight the future of smart contract security research, and proposed two potential research directions.

Longtao Guo,Huakun Huang,Lingjun Zhao,Peiliang Wang,Shan Jiang,Chunhua Su

DOI: https://doi.org/10.1016/j.cose.2024.103894

IF: 5.105

2024-05-11

Computers & Security

Abstract:Smart contracts with automatic execution capability provide a vast development space for transactions in Blockchain. However, due to the vulnerabilities in smart contracts, Blockchain has suffered huge economic losses, which greatly undermines people's trust in Blockchain and smart contracts. In this paper, we explore a vulnerability detection method based on graph neural networks and combine both contract source code and opcode. The structure of the method consists of four modules, i.e., preprocessing, subspace mapping, feature extraction, and detection modules. In the feature mapping module, we use a multi-subspace mapping approach to explore the impact of different subspace mappings on the detection method. For reentrancy vulnerability, we conducted extensive experiments. The experiments prove that our method achieves 95% accuracy and 94% F1-Score on average.

computer science, information systems

Reza M. Parizi,Ali Dehghantanha,Kim-Kwang Raymond Choo,Amritraj Singh

DOI: https://doi.org/10.5555/3291291.3291303

2018-09-08

Abstract:The emerging blockchain technology supports decentralized computing paradigm shift and is a rapidly approaching phenomenon. While blockchain is thought primarily as the basis of Bitcoin, its application has grown far beyond cryptocurrencies due to the introduction of smart contracts. Smart contracts are self-enforcing pieces of software, which reside and run over a hosting blockchain. Using blockchain-based smart contracts for secure and transparent management to govern interactions (authentication, connection, and transaction) in Internet-enabled environments, mostly IoT, is a niche area of research and practice. However, writing trustworthy and safe smart contracts can be tremendously challenging because of the complicated semantics of underlying domain-specific languages and its testability. There have been high-profile incidents that indicate blockchain smart contracts could contain various code-security vulnerabilities, instigating financial harms. When it involves security of smart contracts, developers embracing the ability to write the contracts should be capable of testing their code, for diagnosing security vulnerabilities, before deploying them to the immutable environments on blockchains. However, there are only a handful of security testing tools for smart contracts. This implies that the existing research on automatic smart contracts security testing is not adequate and remains in a very stage of infancy. With a specific goal to more readily realize the application of blockchain smart contracts in security and privacy, we should first understand their vulnerabilities before widespread implementation. Accordingly, the goal of this paper is to carry out a far-reaching experimental assessment of current static smart contracts security testing tools, for the most widely used blockchain, the Ethereum and its domain-specific programming language, Solidity to provide the first...

Cryptography and Security

Usman Tahir,Michele Ianni,Fiza Siyal,Giancarlo Fortino,Antonella Guzzo

DOI: https://doi.org/10.1109/DASC/PiCom/CBDCom/Cy59711.2023.10361441

2023-11-14

Abstract:Reentrancy is a type of attack that can occur in smart contracts, enabling untrusted external code execution within the contract. This method exploits a vulnerability that allows an attacker to repeatedly invoke a function in the contract, resulting in an infinite loop and potentially leading to fund theft. Therefore, the reentrancy attack represents a critical concern in blockchain security, prompting the development of various methods for analyzing and detecting reentrancy vulnerabilities over the last decade. Among these methods, the most recent ones leverage the advantages of AI and deep learning techniques. Nonetheless, several limitations persist in existing approaches. Many current methods rely on complex code analysis rules, resulting in a high number of false positives and false negatives. Additionally, the feature engineering process involving word embedding techniques can lead to the loss of critical information. Lastly, the majority of proposed methods necessitate access to the actual source code of the smart contracts for analysis. In this study, we introduce a straightforward and lightweight approach to address these limitations in reentrancy detection. Our approach employs an image-based detection method utilizing deep learning. The pipeline of our method involves disassembling the smart contracts into opcodes and transforming them into RGB images. These images are then used to train a VGG16 CNN model to detect similarities between images labeled as either “Vulnerable” or “Not Vulnerable”. To address class imbalance, we implement image augmentation techniques to expand the training dataset. Experimental results conducted on a publicly available dataset demonstrate that our model achieves a significantly high accuracy rate of 99.07%.

Computer Science