Computer Science ›› 2022, Vol. 49 ›› Issue (3): 52-61. doi: 10.11896/jsjkx.210700004

• Novel Distributed Computing Technology and System •

Overview of Vulnerability Detection Methods for Ethereum Solidity Smart Contracts

ZHANG Ying-li, MA Jia-li, LIU Zi-ang, LIU Xin, ZHOU Rui   

  1. School of Information Science & Engineering, Lanzhou University, Lanzhou 730000, China
  • Received: 2021-07-01 Revised: 2021-08-19 Online: 2022-03-15 Published: 2022-03-15
  • About author: ZHANG Ying-li, born in 1997, postgraduate. Her main research interests include web security and blockchain security.
    ZHOU Rui, born in 1981, associate professor. His main research interests include distributed systems, embedded systems and machine learning.
  • Supported by:
    National Key R & D Program of China (2020YFC0832500), Gansu Provincial Science and Technology Major Special Innovation Consortium Project (Project No.1), National Natural Science Foundation of China (61402210), Science and Technology Plan of Qinghai Province (2020-GX-164), Ministry of Education-China Mobile Research Foundation (MCM20170206) and Fundamental Research Funds for the Central Universities (lzujbky-2021-sp47, lzujbky-2020-sp02, lzujbky-2019-kb51, lzujbky-2018-k12).

Abstract: Built on blockchain technology, an Ethereum Solidity smart contract is a computer protocol designed to propagate, verify, or execute contracts in an information-based way, and it provides a foundation for various distributed application services. Although smart contracts have been in use for less than six years, their security problems have broken out frequently and caused substantial financial losses, which has drawn increasing attention to research on security inspection. This paper first introduces some specific mechanisms and operating principles of smart contracts based on Ethereum-related techniques, and analyzes some frequently occurring smart contract vulnerabilities that derive from the characteristics of smart contracts. It then explains the traditional mainstream smart contract vulnerability detection tools in terms of symbolic execution, fuzzing, formal verification, and taint analysis. In addition, to cope with the endless stream of new vulnerabilities and the need to improve detection efficiency, machine-learning-based vulnerability detection from recent years is classified and summarized according to the way the problem is transformed, from three perspectives: text processing, non-Euclidean graphs, and standard images. Finally, to address the insufficiencies of the detection methods, this paper proposes, in two directions, formulating a more extensive and accurate standardized information database and measurement indicators.

Key words: Blockchain, Machine learning, Security vulnerability, Smart contracts, Vulnerability detection tools

CLC Number: 

  • TP311