SolSaviour: A Defending Framework for Deployed Defective Smart Contracts

A smart contract cannot be modified once deployed. Bugs in deployed smart contracts may cause devastating consequences. For example, the infamous reentrancy bug in the DAO contract allows attackers to arbitrarily withdraw ethers, which caused millions of dollars loss. Currently, the main countermeasure against contract bugs is to thoroughly detect and verify contracts before deployment, which, however, cannot defend against unknown bugs. These detection methods also suffer from possible false negative results. In this paper, we propose SolSaviour, a framework for repairing and recovering deployed defective smart contracts by redeploying patched contracts and migrating old contracts’ internal states to the new ones. SolSaviour consists of a voteDestruct mechanism and a TEE cluster. The voteDestruct mechanism allows contract stake holders to decide whether to destroy the defective contract and withdraw inside assets. The TEE cluster is responsible for asset escrow, redeployment of patched contracts, and state migration. Our experiment results show that SolSaviour can successfully repair vulnerabilities, reduce asset losses, and recover all defective contracts. To the best of our knowledge, we are the first to propose a defending mechanism for repairing and recovering deployed defective smart contracts.

[1]  Ghassan O. Karame,et al.  BITE: Bitcoin Lightweight Client Privacy using Trusted Execution , 2018, IACR Cryptol. ePrint Arch..

[2]  Thorsten Holz,et al.  ETHBMC: A Bounded Model Checker for Smart Contracts , 2020, USENIX Security Symposium.

[3]  Radu State,et al.  Osiris , 2018, Proceedings of the 34th Annual Computer Security Applications Conference.

[4]  Alex Groce,et al.  Slither: A Static Analysis Framework for Smart Contracts , 2019, 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[5]  Christian Rossow,et al.  teEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts , 2018, USENIX Security Symposium.

[6]  Yannis Smaragdakis,et al.  Ethainter: a smart contract security analyzer for composite vulnerabilities , 2020, PLDI.

[7]  Xiao Liang Yu,et al.  Smart Contract Repair , 2019, ACM Trans. Softw. Eng. Methodol..

[8]  Emin Gün Sirer,et al.  Teechain: a secure payment network with asynchronous blockchain access , 2017, SOSP.

[9]  Fan Zhang,et al.  REM: Resource-Efficient Mining for Blockchains , 2017, IACR Cryptol. ePrint Arch..

[10]  Radu State,et al.  Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts , 2018, ACSAC.

[11]  Fan Long,et al.  Securing smart contract with runtime validation , 2020, PLDI.

[12]  Fan Zhang,et al.  Ekiden: A Platform for Confidentiality-Preserving, Trustworthy, and Performant Smart Contracts , 2018, 2019 IEEE European Symposium on Security and Privacy (EuroS&P).

[13]  Nikhil Swamy,et al.  Formal Verification of Smart Contracts: Short Paper , 2016, PLAS@CCS.

[14]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[15]  Jiachi Chen,et al.  Defining Smart Contract Defects on Ethereum , 2019 .

[16]  Prateek Saxena,et al.  Finding The Greedy, Prodigal, and Suicidal Contracts at Scale , 2018, ACSAC.

[17]  Robert Norvill,et al.  ÆGIS: Shielding Vulnerable Smart Contracts Against Attacks , 2020, AsiaCCS.

[18]  Ittai Abraham,et al.  Online detection of effectively callback free objects with applications to smart contracts , 2017, Proc. ACM Program. Lang..

[19]  Surya Nepal,et al.  SMARTSHIELD: Automatic Smart Contract Protection Made Easy , 2020, 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER).

[20]  Tommaso Frassetto,et al.  FastKitten: Practical Smart Contracts on Bitcoin , 2019, IACR Cryptol. ePrint Arch..

[21]  Jun Sun,et al.  sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts , 2020, 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE).

[22]  Gordon J. Pace,et al.  Runtime Verification of Ethereum Smart Contracts , 2018, 2018 14th European Dependable Computing Conference (EDCC).

[23]  Ting Chen,et al.  DefectChecker: Automated Smart Contract Defect Detection by Analyzing EVM Bytecode , 2020, IEEE Transactions on Software Engineering.

[24]  Ghassan O. Karame,et al.  Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks , 2018, NDSS.

[25]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[26]  Jun Sun,et al.  Semantic Understanding of Smart Contracts: Executable Operational Semantics of Solidity , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[27]  Robert Norvill,et al.  {\AE}GIS: Shielding Vulnerable Smart Contracts Against Attacks , 2020, 2003.05987.

[28]  Ghassan O. Karame,et al.  EVMPatch: Timely and Automated Patching of Ethereum Smart Contracts , 2020, USENIX Security Symposium.

[29]  Long H. Pham,et al.  SGUARD: Towards Fixing Vulnerable Smart Contracts Automatically , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[30]  Yuxing Tang,et al.  SODA: A Generic Online Detection Framework for Smart Contracts , 2020, NDSS.

[31]  Fan Zhang,et al.  Town Crier: An Authenticated Data Feed for Smart Contracts , 2016, CCS.

[32]  Mic Bowman,et al.  Private Data Objects: an Overview , 2018, ArXiv.

[33]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.