ABSTRACT
Smart contracts on permissionless blockchains are exposed to inherent security risks due to interactions with untrusted entities. Static analyzers are essential for identifying security risks and avoiding millions of dollars worth of damage.
We introduce Ethainter, a security analyzer checking information flow with data sanitization in smart contracts. Ethainter identifies composite attacks that involve an escalation of tainted information, through multiple transactions, leading to severe violations. The analysis scales to the entire blockchain, consisting of hundreds of thousands of unique smart contracts, deployed over millions of accounts. Ethainter is more precise than previous approaches, as we confirm by automatic exploit generation (e.g., destroying over 800 contracts on the Ropsten network) and by manual inspection, showing a very high precision of 82.5% valid warnings for end-to-end vulnerabilities. Ethainter’s balance of precision and completeness offers significant advantages over other tools such as Securify, Securify2, and teEther.
- [n. d.]. 0x: Powering the decentralized exchange of tokens on Ethereum. https://0x.org.Google Scholar
- Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014.Google ScholarDigital Library
- FlowDroid: Precise Context, Flow, Field, Objectsensitive and Lifecycle-aware Taint Analysis for Android Apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’14). ACM, New York, NY, USA, 259–269. Google ScholarDigital Library
- Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. 2017. A Survey of Attacks on Ethereum Smart Contracts. In Proceedings of the 6th International Conference on Principles of Security and Trust - Volume 10204. Springer-Verlag New York, Inc., New York, NY, USA, 164–186. Google ScholarDigital Library
- Massimo Bartoletti, Salvatore Carta, Tiziana Cimoli, and Roberto Saia. 2020. Dissecting Ponzi schemes on Ethereum: Identification, analysis, and impact. Future Generation Computer Systems 102 (2020), 259 – 277. Google ScholarCross Ref
- Lexi Brent, Anton Jurisevic, Michael Kong, Eric Liu, François Gauthier, Vincent Gramoli, Ralph Holz, and Bernhard Scholz. 2018. Vandal: A Scalable Security Analysis Framework for Smart Contracts. CoRR abs/1809.03981 (2018).Google Scholar
- arXiv: 1809.03981 http://arxiv.org/abs/1809.Google Scholar
- 03981Google Scholar
- Vitalik Buterin. 2013. A Next-Generation Smart Contract and Decentralized Application Platform. https://github.com/ethereum/wiki/wiki/ White-Paper.Google Scholar
- ChainSecurity. [n. d.]. Securify2. https://github.com/eth-sri/securify2Google Scholar
- T. Chen, X. Li, X. Luo, and X. Zhang. 2017. Under-optimized smart contracts devour your money. In 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER). 442–446. Google ScholarCross Ref
- cnbc.com. 2018.Google Scholar
- ’Accidental’ bug froze $280 million worth of ether in Parity wallet. https://www.cnbc.com/2017/11/08/accidental-bugmay-have-frozen-280-worth-of-ether-on-parity-wallet.htmlGoogle Scholar
- Consensys. 2018.Google Scholar
- Ethereum Smart Contract Best Practices. https: //consensys.github.io/smart-contract-best-practices/ Accessed: 2019- 11-19.Google Scholar
- Kevin Delmolino, Mitchell Arnett, Ahmed E. Kosba, Andrew Miller, and Elaine Shi. 2015.Google Scholar
- Step by Step Towards Creating a Safe Smart Contract: Lessons and Insights from a Cryptocurrency Lab. IACR Cryptology ePrint Archive 2015 (2015), 460.Google Scholar
- Dorothy E. Denning and Peter J. Denning. 1977.Google Scholar
- Certification of Programs for Secure Information Flow. Commun. ACM 20, 7 (July 1977), 504–513. Google ScholarDigital Library
- Neville Grech, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. 2019. Gigahorse: Thorough, Declarative Decompilation of Smart Contracts. In International Conference on Software Engineering (ICSE).Google Scholar
- Neville Grech, Michael Kong, Anton Jurisevic, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. 2018. MadMax: Surviving Out-of-Gas Conditions in Ethereum Smart Contracts. Proc. ACM Programming Languages 2, OOPSLA (Nov. 2018). Google ScholarDigital Library
- Neville Grech, Michael Kong, Anton Jurisevic, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. 2020. MadMax: Analyzing the Outof-Gas World of Smart Contracts. Commun. ACM (June 2020).Google ScholarDigital Library
- Neville Grech and Yannis Smaragdakis. 2017. P/Taint: Unified Pointsto and Taint Analysis. Proc. ACM Programming Languages (PACMPL) 1, OOPSLA, Article 102 (Oct. 2017), 28 pages. 3133926 Google ScholarDigital Library
- Ilya Grishchenko, Matteo Maffei, and Clara Schneidewind. 2018. Foundations and Tools for the Static Analysis of Ethereum Smart Contracts. In Computer Aided Verification, Hana Chockler and Georg Weissenbacher (Eds.). Springer International Publishing, Cham, 51–78.Google Scholar
- Shelly Grossman, Ittai Abraham, Guy Golan-Gueta, Yan Michalevsky, Noam Rinetzky, Mooly Sagiv, and Yoni Zohar. 2017. Online Detection of Effectively Callback Free Objects with Applications to Smart Contracts. Proc. ACM Programming Languages 2, POPL, Article 48 (Dec. 2017), 28 pages. Google ScholarDigital Library
- Christian Hammer and Gregor Snelting. 2009. Flow-sensitive, contextsensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Sec. 8, 6 (2009), 399–422. Google ScholarDigital Library
- Jingxuan He, Mislav Balunović, Nodar Ambroladze, Petar Tsankov, and Martin Vechev. 2019. Learning to Fuzz from Symbolic Execution with Application to Smart Contracts. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19). ACM, New York, NY, USA, 531–548. Google ScholarDigital Library
- Bo Jiang, Ye Liu, and W. K. Chan. 2018.Google Scholar
- ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE 2018). ACM, New York, NY, USA, 259–269. 1145/3238147.3238177 Google ScholarDigital Library
- Herbert Jordan, Bernhard Scholz, and Pavle Subotić. 2016.Google Scholar
- Soufflé: On Synthesis of Program Analyzers. In Computer Aided Verification, Swarat Chaudhuri and Azadeh Farzan (Eds.). Springer International Publishing, Cham, 422–430.Google Scholar
- Sukrit Kalra, Seep Goel, Seep Goel, and Subodh Sharma. 2018. ZEUS: Analyzing Safety of Smart Contracts. In 25th Annual Network and Distributed System Security Symposium (NDSS’18).Google Scholar
- Tomasz Kolinko. 2018. Eveem/Panoramix – Showing Contract Sources since 2018. http://eveem.com/Google Scholar
- Johannes Krupp and Christian Rossow. 2018. TEETHER: Gnawing at Ethereum to Automatically Exploit Smart Contracts. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC’18). USENIX Association, Berkeley, CA, USA, 1317–1333. http://dl.acm.org/citation. cfm?id=3277203.3277303Google Scholar
- Benjamin Livshits. 2006.Google Scholar
- Improving Software Security with Precise Static and Runtime Analysis. Ph.D. Dissertation. Stanford University.Google Scholar
- LLVM. 2018.Google Scholar
- The LLVM Compiler Infrastructure Project. https: //llvm.org/Google Scholar
- Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. 2016.Google Scholar
- Making Smart Contracts Smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS ’16). ACM, New York, NY, USA, 254–269. Google ScholarDigital Library
- Anastasia Mavridou and Aron Laszka. 2018.Google Scholar
- Tool Demonstration: FSolidM for Designing Secure Ethereum Smart Contracts. In Proceedings of the 7th International Conference on Principles of Security and Trust (POST).Google Scholar
- Satoshi Nakamoto. 2009.Google Scholar
- Bitcoin: A Peer-to-Peer Electronic Cash System. https://www.bitcoin.org/bitcoin.pdf.Google Scholar
- Ivica Nikolić, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor. 2018. Finding The Greedy, Prodigal, and Suicidal Contracts at Scale. In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC ’18). ACM, New York, NY, USA, 653–663. Google ScholarDigital Library
- Daniel Pérez and Benjamin Livshits. 2019. Smart Contract Vulnerabilities: Does Anyone Care? CoRR abs/1902.06710 (2019). arXiv: 1902.06710 http://arxiv.org/abs/1902.06710Google Scholar
- Michael Rodler, Wenting Li, Ghassan O. Karame, and Lucas Davi. 2019.Google Scholar
- Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019. The Internet Society.Google Scholar
- https://www.ndss-symposium.org/ndss-paper/sereum-protectingexisting-smart-contracts-against-re-entrancy-attacks/ PLDI ’20, June 15–20, 2020, London, UK Lexi Brent, Neville Grech, Sifis Lagouvardos, Bernhard Scholz, and Yannis SmaragdakisGoogle Scholar
- A. Sabelfeld and A. C. Myers. 2003. Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21, 1 (Jan 2003), 5–19. Google ScholarDigital Library
- SeaHorn. 2018. SeaHorn | A Verification Framework. http://seahorn. github.io/Google Scholar
- Ilya Sergey and Aquinas Hobor. 2017. A Concurrent Perspective on Smart Contracts. In Financial Cryptography and Data Security, Michael Brenner, Kurt Rohloff, Joseph Bonneau, Andrew Miller, Peter Y.A. Ryan, Vanessa Teague, Andrea Bracciali, Massimiliano Sala, Federico Pintore, and Markus Jakobsson (Eds.). Springer International Publishing, Cham, 478–493.Google Scholar
- Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian Bünzli, and Martin Vechev. 2018. Securify: Practical Security Analysis of Smart Contracts. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS ’18). ACM, New York, NY, USA, 67–82. Google ScholarDigital Library
- Various. [n. d.]. Echidna - Ethereum fuzz testing framework. https: //github.com/crytic/echidna. Accessed: 2019-11-20.Google Scholar
- Various. [n. d.]. ETHSecurity Community on Telegram. Accessed: 2019-05-11.Google Scholar
- Various. 2018.Google Scholar
- GitHub - ethereum/solidity: The Solidity Contract-Oriented Programming Language. https://github.com/ethereum/ solidityGoogle Scholar
- wired.com. 2016. A $50 Million Hack Just Showed That the DAO Was All Too Human. https://www.wired.com/2016/06/50-million-hackjust-showed-dao-human/Google Scholar
- Gavin Wood. 2014.Google Scholar
- Ethereum: A Secure Decentralised Generalised Transaction Ledger. http://gavwood.com/Paper.pdf.Google Scholar
- E. Zhou, S. Hua, B. Pi, J. Sun, Y. Nomura, K. Yamashita, and H. Kurihara. 2018. Security Assurance for Smart Contract. In 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS). 1–5. Google ScholarCross Ref
- Yi Zhou, Deepak Kumar, Surya Bakshi, Joshua Mason, Andrew Miller, and Michael Bailey. 2018.Google Scholar
- Erays: Reverse Engineering Ethereum’s Opaque Smart Contracts. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC’18). USENIX Association, USA, 1371–1385.Google Scholar
Index Terms
- Ethainter: a smart contract security analyzer for composite vulnerabilities
Recommendations
Security Vulnerabilities in Ethereum Smart Contracts
iiWAS2018: Proceedings of the 20th International Conference on Information Integration and Web-based Applications & ServicesSmart contracts (SC) are one of the most appealing features of blockchain technologies facilitating, executing, and enforcing predefined terms of coded contracts without intermediaries. The steady adoption of smart contracts on the Ethereum blockchain ...
A survey on smart contract vulnerabilities: Data sources, detection and repair
AbstractSmart contracts contain many built-in security features, such as non-immutability once being deployed and non-involvement of third parties for contract execution. These features reduce security risks and enhance users’ trust towards ...
Cross-contract static analysis for detecting practical reentrancy vulnerabilities in smart contracts
ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software EngineeringReentrancy bugs, one of the most severe vulnerabilities in smart contracts, have caused huge financial loss in recent years. Researchers have proposed many approaches to detecting them. However, empirical studies have shown that these approaches suffer ...
Comments