Towards Automatic Exploit Generation for Identifying Re-Entrancy Attacks on Cross-Contract

Smart contracts are the core of Ethereum, enabling developers to create blockchain-based applications in a secure and inexpensive manner. The source code of Ethereum-based smart contracts is accessible to everyone, and this transparency has made smart contracts a target for numerous attackers. Since 2015, when the first Ethereum block was discovered, many security incidents have occurred. Several code analysis methods have been developed for detecting the re-entrancy vulnerability in smart contracts. However, existing strategies for detecting cross-contract vulnerabilities tend to produce both false negatives and false positives. To improve on the re-entrancy detection techniques of existing works, we take up the challenge of enhancing re-entrancy detection for cross-contract smart contracts on the Ethereum blockchain. We propose multi-agent deep reinforcement learning fuzzing to provide an exploit generator for cross-contract settings. By integrating all these systems, we aim to discover a novel solution for enhancing re-entrancy detection techniques in cross-contract settings.
