Static Analysis of Integer Overflow of Smart Contracts in Ethereum

In recent years, vulnerabilities of smart contracts have frequently break out. In particular, integer overflow of smart contracts, a high-risk vulnerability, has caused huge financial losses. However, most tools currently fail to detect integer overflow in smart contracts. In this paper, we summarize 11 types of integer overflow features for Solidity smart contracts in Ethereum and abstractly define 83 corresponding XPath patterns. And we design an extensible static analysis tool to detect common integer overflow vulnerabilities of Solidity smart contracts in Ethereum through the defined XPath patterns. To evaluate our tool, we tested 7,000 verified Solidity smart contracts and found that there were 430 smart contracts with vulnerabilities of integer overflow. Experimental results show that there are still high-risk vulnerabilities of integer overflow in verified smart contracts.

[1]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[2]  Nick Szabo,et al.  Smart Contracts: Building Blocks for Digital Markets , 2018 .

[3]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[4]  Nikhil Swamy,et al.  Formal Verification of Smart Contracts: Short Paper , 2016, PLAS@CCS.

[5]  Alexander Mense,et al.  Security Vulnerabilities in Ethereum Smart Contracts , 2018, iiWAS.

[6]  Zhong Chen,et al.  ReGuard: Finding Reentrancy Bugs in Smart Contracts , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering: Companion (ICSE-Companion).

[7]  Sergei Tikhomirov,et al.  SmartCheck: Static Analysis of Ethereum Smart Contracts , 2018, 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[8]  Xiapu Luo,et al.  Under-optimized smart contracts devour your money , 2017, 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER).

[9]  Yoichi Hirai,et al.  Defining the Ethereum Virtual Machine for Interactive Theorem Provers , 2017, Financial Cryptography Workshops.

[10]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[11]  Radu State,et al.  Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts , 2018, ACSAC.

[12]  Massimo Bartoletti,et al.  A Survey of Attacks on Ethereum Smart Contracts (SoK) , 2017, POST.

[13]  K. Bhargavan,et al.  : Formal Verification of Smart Contracts , 2016 .