{\AE}GIS: Shielding Vulnerable Smart Contracts Against Attacks

In recent years, smart contracts have suffered major exploits, costing millions of dollars. Unlike traditional programs, smart contracts are deployed on a blockchain. As such, they cannot be modified once deployed. Though various tools have been proposed to detect vulnerable smart contracts, the majority fails to protect vulnerable contracts that have already been deployed on the blockchain. Only very few solutions have been proposed so far to tackle the issue of post-deployment. However, these solutions suffer from low precision and are not generic enough to prevent any type of attack. In this work, we introduce AEGIS, a dynamic analysis tool that protects smart contracts from being exploited during runtime. Its capability of detecting new vulnerabilities can easily be extended through so-called attack patterns. These patterns are written in a domain-specific language that is tailored to the execution model of Ethereum smart contracts. The language enables the description of malicious control and data flows. In addition, we propose a novel mechanism to streamline and speed up the process of managing attack patterns. Patterns are voted upon and stored via a smart contract, thus leveraging the benefits of tamper-resistance and transparency provided by the blockchain. We compare AEGIS to current state-of-the-art tools and demonstrate that our solution achieves higher precision in detecting attacks. Finally, we perform a large-scale analysis on the first 4.5 million blocks of the Ethereum blockchain, thereby confirming the occurrences of well reported and yet unreported attacks in the wild.

[1]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[2]  Mathis Steichen,et al.  The Art of The Scam: Demystifying Honeypots in Ethereum Smart Contracts , 2019, USENIX Security Symposium.

[3]  Prateek Saxena,et al.  Exploiting the laws of order in smart contracts , 2018, ISSTA.

[4]  Alex Groce,et al.  Slither: A Static Analysis Framework for Smart Contracts , 2019, 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[5]  Matteo Maffei,et al.  A Semantic Framework for the Security Analysis of Ethereum smart contracts , 2018, POST.

[6]  Feng Hao,et al.  A Smart Contract for Boardroom Voting with Maximum Voter Privacy , 2017, IACR Cryptol. ePrint Arch..

[7]  Hyoung Joong Kim,et al.  Electronic Voting Service Using Block-Chain , 2016, J. Digit. Forensics Secur. Law.

[8]  Pascal Bouvry,et al.  Management of an academic HPC cluster: The UL experience , 2014, 2014 International Conference on High Performance Computing & Simulation (HPCS).

[9]  Christian Rossow,et al.  teEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts , 2018, USENIX Security Symposium.

[10]  Yew-Soon Ong,et al.  Towards Safer Smart Contracts: A Sequence Learning Approach to Detecting Security Threats. , 2018 .

[11]  Feng Hao,et al.  Anonymous voting by two-round public discussion , 2010, IET Inf. Secur..

[12]  Sidney Amani,et al.  Towards verifying ethereum smart contract bytecode in Isabelle/HOL , 2018, CPP.

[13]  Pengcheng Zhang,et al.  SolidityCheck : Quickly Detecting Smart Contract Problems Through Regular Expressions , 2019, ArXiv.

[14]  Nikhil Swamy,et al.  Formal Verification of Smart Contracts: Short Paper , 2016, PLAS@CCS.

[15]  Sergei Tikhomirov,et al.  SmartCheck: Static Analysis of Ethereum Smart Contracts , 2018, 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[16]  Sourav Sengupta,et al.  Towards Safer Smart Contracts: A Sequence Learning Approach to Detecting Vulnerabilities , 2018, ArXiv.

[17]  Ittai Abraham,et al.  Online detection of effectively callback free objects with applications to smart contracts , 2017, Proc. ACM Program. Lang..

[18]  Yi Zhou,et al.  Erays: Reverse Engineering Ethereum's Opaque Smart Contracts , 2018, USENIX Security Symposium.

[19]  Quanlong Wang,et al.  A Simple Voting Protocol on Quantum Blockchain , 2018, International Journal of Theoretical Physics.

[20]  Radu State,et al.  Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts , 2018, ACSAC.

[21]  Ahmed Ben Ayed,et al.  A Conceptual Secure Blockchain Based Electronic Voting System , 2017 .

[22]  Ghassan O. Karame,et al.  Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks , 2018, NDSS.

[23]  Yi Zhang,et al.  KEVM: A Complete Formal Semantics of the Ethereum Virtual Machine , 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).

[24]  Yang Liu,et al.  VULTRON: Catching Vulnerable Smart Contracts Once and for All , 2019, 2019 IEEE/ACM 41st International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER).

[25]  Daniel Davis Wood,et al.  ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .

[26]  T.-H. Hubert Chan,et al.  How to Vote Privately Using Bitcoin , 2015, ICICS.

[27]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[28]  Ari Juels,et al.  Enter the Hydra: Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts , 2018, IACR Cryptol. ePrint Arch..

[29]  Valentin Wüstholz,et al.  Harvey: a greybox fuzzer for smart contracts , 2019, ESEC/SIGSOFT FSE.

[30]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[31]  Prateek Saxena,et al.  Finding The Greedy, Prodigal, and Suicidal Contracts at Scale , 2018, ACSAC.

[32]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[33]  Massimo Bartoletti,et al.  A Survey of Attacks on Ethereum Smart Contracts (SoK) , 2017, POST.

[34]  Mislav Balunovic,et al.  Learning to Fuzz from Symbolic Execution with Application to Smart Contracts , 2019, CCS.