Detection of Vulnerabilities of Blockchain Smart Contracts

With the wide application of the Internet of Things and blockchain, research on smart contracts has received increased attention, and security threat detection for smart contracts is one of its main focuses. This article first introduces the common security vulnerabilities in blockchain smart contracts, and then classifies vulnerability detection tools for smart contracts into six categories according to their detection methods: 1) formal verification; 2) symbolic execution; 3) fuzz testing; 4) intermediate representation; 5) taint analysis; and 6) deep learning. We test 27 detection tools and analyze them from several perspectives, including which smart contract versions they are able to analyze. Finally, we conclude that most current vulnerability detection tools can only detect vulnerabilities in a single, old version of smart contracts. Although the deep learning method detects fewer types of smart contract vulnerabilities, it has higher detection accuracy and efficiency. Therefore, combining static detection methods, such as the deep learning method, with dynamic detection methods, such as fuzz testing, to detect more types of vulnerabilities in multi-version smart contracts with higher accuracy is a direction worthy of future research.
