An Automated Analyzer for Financial Security of Ethereum Smart Contracts

At present, millions of Ethereum smart contracts are created per year and attract financially motivated attackers. However, existing analyzers do not meet the need to precisely analyze the financial security of large numbers of contracts. In this paper, we propose and implement FASVERIF, an automated analyzer for fine-grained analysis of smart contracts' financial security. On the one hand, FASVERIF automatically generates models to be verified against security properties of smart contracts. On the other hand, our analyzer automatically generates the security properties, which is different from existing formal verifiers for smart contracts. As a result, FASVERIF can automatically process source code of smart contracts, and uses formal methods whenever possible to simultaneously maximize its accuracy. We evaluate FASVERIF on a vulnerabilities dataset by comparing it with other automatic tools. Our evaluation shows that FASVERIF greatly outperforms the representative tools using different technologies, with respect to accuracy and coverage of types of vulnerabilities.

[1]  A. Juels,et al.  Clockwork Finance: Automated Analysis of Economic Security in Smart Contracts , 2021, 2023 IEEE Symposium on Security and Privacy (SP).

[2]  Isil Dillig,et al.  SmartPulse: Automated Checking of Temporal Properties in Smart Contracts , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[3]  Kazuki Yoneyama,et al.  Formal Verification of Fair Exchange Based on Bitcoin Smart Contracts , 2020, INDOCRYPT.

[4]  Xiaoyu Yang,et al.  A Formal Verification Method for Smart Contract , 2020, 2020 7th International Conference on Dependable Systems and Their Applications (DSA).

[5]  Ralf Sasse,et al.  A Spectral Analysis of Noise: A Comprehensive, Automated, Formal Analysis of Diffie-Hellman Protocols , 2020, USENIX Security Symposium.

[6]  Shang-Wei Lin,et al.  A Survey of Smart Contract Formal Specification and Verification , 2020, ACM Comput. Surv..

[7]  Ralf Sasse,et al.  The EMV Standard: Break, Fix, Verify , 2020, 2021 IEEE Symposium on Security and Privacy (SP).

[8]  Clara Schneidewind,et al.  eThor: Practical and Provably Sound Static Analysis of Ethereum Smart Contracts , 2020, CCS.

[9]  Dimitar Dimitrov,et al.  VerX: Safety Verification of Smart Contracts , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[10]  Jun Sun,et al.  Semantic Understanding of Smart Contracts: Executable Operational Semantics of Solidity , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[11]  Rui Abreu,et al.  Empirical Review of Automated Analysis Tools on 47,587 Ethereum Smart Contracts , 2019, 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE).

[12]  Heejo Lee,et al.  VERISMART: A Highly Precise Safety Verifier for Ethereum Smart Contracts , 2019, 2020 IEEE Symposium on Security and Privacy (SP).

[13]  Huashan Chen,et al.  A Survey on Ethereum Systems Security , 2019, ACM Comput. Surv..

[14]  Bas Spitters,et al.  ConCert: a smart contract certification framework in Coq , 2019, CPP.

[15]  Alex Groce,et al.  Slither: A Static Analysis Framework for Smart Contracts , 2019, 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[16]  Radu State,et al.  Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts , 2018, ACSAC.

[17]  Ghassan O. Karame,et al.  Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks , 2018, NDSS.

[18]  Prateek Saxena,et al.  Exploiting the laws of order in smart contracts , 2018, ISSTA.

[19]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[20]  Yi Zhang,et al.  KEVM: A Complete Formal Semantics of the Ethereum Virtual Machine , 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).

[21]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[22]  Sergei Tikhomirov,et al.  SmartCheck: Static Analysis of Ethereum Smart Contracts , 2018, 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[23]  Grigore Rosu,et al.  Matching μ-Logic , 2017, 2019 34th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS).

[24]  Gianluca Stringhini,et al.  MaMaDroid , 2019, ACM Trans. Priv. Secur..

[25]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[26]  Ralf Sasse,et al.  Automated Symbolic Proofs of Observational Equivalence , 2015, CCS.

[27]  Robert Künnemann,et al.  Automated Analysis of Security Protocols with Global State , 2014, 2014 IEEE Symposium on Security and Privacy.

[28]  David A. Basin,et al.  The TAMARIN Prover for the Symbolic Analysis of Security Protocols , 2013, CAV.

[29]  Grigore Rosu,et al.  Checking reachability using matching logic , 2012, OOPSLA '12.

[30]  Grigore Rosu,et al.  An overview of the K semantic framework , 2010, J. Log. Algebraic Methods Program..

[31]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[32]  Shengchao Qin,et al.  Automated Verification of Shape, Size and Bag Properties , 2007, 12th IEEE International Conference on Engineering Complex Computer Systems (ICECCS 2007).

[33]  Nick Szabo,et al.  Formalizing and Securing Relationships on Public Networks , 1997, First Monday.

[34]  Cas Cremers,et al.  A Formal Analysis of IEEE 802.11's WPA2: Countering the Kracks Caused by Cracking the Counters , 2020, USENIX Security Symposium.

[35]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[36]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.