research-article

Ethainter: a smart contract security analyzer for composite vulnerabilities

Authors:
Lexi Brent

International Computer Science Institute, USA / University of Sydney, Australia

International Computer Science Institute, USA / University of Sydney, Australia
View Profile

,
Neville Grech

University of Athens, Greece

University of Athens, Greece
View Profile

,
Sifis Lagouvardos

University of Athens, Greece

University of Athens, Greece
View Profile

,
Bernhard Scholz

University of Sydney, Australia

University of Sydney, Australia
View Profile

,
Yannis Smaragdakis

University of Athens, Greece

University of Athens, Greece
View Profile

PLDI 2020: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and ImplementationJune 2020Pages 454–469https://doi.org/10.1145/3385412.3385990

Published:11 June 2020Publication History

PLDI 2020: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation

Pages 454–469

ABSTRACT

Smart contracts on permissionless blockchains are exposed to inherent security risks due to interactions with untrusted entities. Static analyzers are essential for identifying security risks and avoiding millions of dollars worth of damage.

We introduce Ethainter, a security analyzer checking information flow with data sanitization in smart contracts. Ethainter identifies composite attacks that involve an escalation of tainted information, through multiple transactions, leading to severe violations. The analysis scales to the entire blockchain, consisting of hundreds of thousands of unique smart contracts, deployed over millions of accounts. Ethainter is more precise than previous approaches, as we confirm by automatic exploit generation (e.g., destroying over 800 contracts on the Ropsten network) and by manual inspection, showing a very high precision of 82.5% valid warnings for end-to-end vulnerabilities. Ethainter’s balance of precision and completeness offers significant advantages over other tools such as Securify, Securify2, and teEther.

References

[n. d.]. 0x: Powering the decentralized exchange of tokens on Ethereum. https://0x.org.Google Scholar
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014.Google ScholarDigital Library
FlowDroid: Precise Context, Flow, Field, Objectsensitive and Lifecycle-aware Taint Analysis for Android Apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’14). ACM, New York, NY, USA, 259–269. Google ScholarDigital Library
Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. 2017. A Survey of Attacks on Ethereum Smart Contracts. In Proceedings of the 6th International Conference on Principles of Security and Trust - Volume 10204. Springer-Verlag New York, Inc., New York, NY, USA, 164–186. Google ScholarDigital Library
Massimo Bartoletti, Salvatore Carta, Tiziana Cimoli, and Roberto Saia. 2020. Dissecting Ponzi schemes on Ethereum: Identification, analysis, and impact. Future Generation Computer Systems 102 (2020), 259 – 277. Google ScholarCross Ref
Lexi Brent, Anton Jurisevic, Michael Kong, Eric Liu, François Gauthier, Vincent Gramoli, Ralph Holz, and Bernhard Scholz. 2018. Vandal: A Scalable Security Analysis Framework for Smart Contracts. CoRR abs/1809.03981 (2018).Google Scholar
arXiv: 1809.03981 http://arxiv.org/abs/1809.Google Scholar
03981Google Scholar
Vitalik Buterin. 2013. A Next-Generation Smart Contract and Decentralized Application Platform. https://github.com/ethereum/wiki/wiki/ White-Paper.Google Scholar
ChainSecurity. [n. d.]. Securify2. https://github.com/eth-sri/securify2Google Scholar
T. Chen, X. Li, X. Luo, and X. Zhang. 2017. Under-optimized smart contracts devour your money. In 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER). 442–446. Google ScholarCross Ref
cnbc.com. 2018.Google Scholar
’Accidental’ bug froze $280 million worth of ether in Parity wallet. https://www.cnbc.com/2017/11/08/accidental-bugmay-have-frozen-280-worth-of-ether-on-parity-wallet.htmlGoogle Scholar
Consensys. 2018.Google Scholar
Ethereum Smart Contract Best Practices. https: //consensys.github.io/smart-contract-best-practices/ Accessed: 2019- 11-19.Google Scholar
Kevin Delmolino, Mitchell Arnett, Ahmed E. Kosba, Andrew Miller, and Elaine Shi. 2015.Google Scholar
Step by Step Towards Creating a Safe Smart Contract: Lessons and Insights from a Cryptocurrency Lab. IACR Cryptology ePrint Archive 2015 (2015), 460.Google Scholar
Dorothy E. Denning and Peter J. Denning. 1977.Google Scholar
Certification of Programs for Secure Information Flow. Commun. ACM 20, 7 (July 1977), 504–513. Google ScholarDigital Library
Neville Grech, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. 2019. Gigahorse: Thorough, Declarative Decompilation of Smart Contracts. In International Conference on Software Engineering (ICSE).Google Scholar
Neville Grech, Michael Kong, Anton Jurisevic, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. 2018. MadMax: Surviving Out-of-Gas Conditions in Ethereum Smart Contracts. Proc. ACM Programming Languages 2, OOPSLA (Nov. 2018). Google ScholarDigital Library
Neville Grech, Michael Kong, Anton Jurisevic, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. 2020. MadMax: Analyzing the Outof-Gas World of Smart Contracts. Commun. ACM (June 2020).Google ScholarDigital Library
Neville Grech and Yannis Smaragdakis. 2017. P/Taint: Unified Pointsto and Taint Analysis. Proc. ACM Programming Languages (PACMPL) 1, OOPSLA, Article 102 (Oct. 2017), 28 pages. 3133926 Google ScholarDigital Library
Ilya Grishchenko, Matteo Maffei, and Clara Schneidewind. 2018. Foundations and Tools for the Static Analysis of Ethereum Smart Contracts. In Computer Aided Verification, Hana Chockler and Georg Weissenbacher (Eds.). Springer International Publishing, Cham, 51–78.Google Scholar
Shelly Grossman, Ittai Abraham, Guy Golan-Gueta, Yan Michalevsky, Noam Rinetzky, Mooly Sagiv, and Yoni Zohar. 2017. Online Detection of Effectively Callback Free Objects with Applications to Smart Contracts. Proc. ACM Programming Languages 2, POPL, Article 48 (Dec. 2017), 28 pages. Google ScholarDigital Library
Christian Hammer and Gregor Snelting. 2009. Flow-sensitive, contextsensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Sec. 8, 6 (2009), 399–422. Google ScholarDigital Library
Jingxuan He, Mislav Balunović, Nodar Ambroladze, Petar Tsankov, and Martin Vechev. 2019. Learning to Fuzz from Symbolic Execution with Application to Smart Contracts. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19). ACM, New York, NY, USA, 531–548. Google ScholarDigital Library
Bo Jiang, Ye Liu, and W. K. Chan. 2018.Google Scholar
ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE 2018). ACM, New York, NY, USA, 259–269. 1145/3238147.3238177 Google ScholarDigital Library
Herbert Jordan, Bernhard Scholz, and Pavle Subotić. 2016.Google Scholar
Soufflé: On Synthesis of Program Analyzers. In Computer Aided Verification, Swarat Chaudhuri and Azadeh Farzan (Eds.). Springer International Publishing, Cham, 422–430.Google Scholar
Sukrit Kalra, Seep Goel, Seep Goel, and Subodh Sharma. 2018. ZEUS: Analyzing Safety of Smart Contracts. In 25th Annual Network and Distributed System Security Symposium (NDSS’18).Google Scholar
Tomasz Kolinko. 2018. Eveem/Panoramix – Showing Contract Sources since 2018. http://eveem.com/Google Scholar
Johannes Krupp and Christian Rossow. 2018. TEETHER: Gnawing at Ethereum to Automatically Exploit Smart Contracts. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC’18). USENIX Association, Berkeley, CA, USA, 1317–1333. http://dl.acm.org/citation. cfm?id=3277203.3277303Google Scholar
Benjamin Livshits. 2006.Google Scholar
Improving Software Security with Precise Static and Runtime Analysis. Ph.D. Dissertation. Stanford University.Google Scholar
LLVM. 2018.Google Scholar
The LLVM Compiler Infrastructure Project. https: //llvm.org/Google Scholar
Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. 2016.Google Scholar
Making Smart Contracts Smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS ’16). ACM, New York, NY, USA, 254–269. Google ScholarDigital Library
Anastasia Mavridou and Aron Laszka. 2018.Google Scholar
Tool Demonstration: FSolidM for Designing Secure Ethereum Smart Contracts. In Proceedings of the 7th International Conference on Principles of Security and Trust (POST).Google Scholar
Satoshi Nakamoto. 2009.Google Scholar
Bitcoin: A Peer-to-Peer Electronic Cash System. https://www.bitcoin.org/bitcoin.pdf.Google Scholar
Ivica Nikolić, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor. 2018. Finding The Greedy, Prodigal, and Suicidal Contracts at Scale. In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC ’18). ACM, New York, NY, USA, 653–663. Google ScholarDigital Library
Daniel Pérez and Benjamin Livshits. 2019. Smart Contract Vulnerabilities: Does Anyone Care? CoRR abs/1902.06710 (2019). arXiv: 1902.06710 http://arxiv.org/abs/1902.06710Google Scholar
Michael Rodler, Wenting Li, Ghassan O. Karame, and Lucas Davi. 2019.Google Scholar
Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019. The Internet Society.Google Scholar
https://www.ndss-symposium.org/ndss-paper/sereum-protectingexisting-smart-contracts-against-re-entrancy-attacks/ PLDI ’20, June 15–20, 2020, London, UK Lexi Brent, Neville Grech, Sifis Lagouvardos, Bernhard Scholz, and Yannis SmaragdakisGoogle Scholar
A. Sabelfeld and A. C. Myers. 2003. Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21, 1 (Jan 2003), 5–19. Google ScholarDigital Library
SeaHorn. 2018. SeaHorn | A Verification Framework. http://seahorn. github.io/Google Scholar
Ilya Sergey and Aquinas Hobor. 2017. A Concurrent Perspective on Smart Contracts. In Financial Cryptography and Data Security, Michael Brenner, Kurt Rohloff, Joseph Bonneau, Andrew Miller, Peter Y.A. Ryan, Vanessa Teague, Andrea Bracciali, Massimiliano Sala, Federico Pintore, and Markus Jakobsson (Eds.). Springer International Publishing, Cham, 478–493.Google Scholar
Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian Bünzli, and Martin Vechev. 2018. Securify: Practical Security Analysis of Smart Contracts. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS ’18). ACM, New York, NY, USA, 67–82. Google ScholarDigital Library
Various. [n. d.]. Echidna - Ethereum fuzz testing framework. https: //github.com/crytic/echidna. Accessed: 2019-11-20.Google Scholar
Various. [n. d.]. ETHSecurity Community on Telegram. Accessed: 2019-05-11.Google Scholar
Various. 2018.Google Scholar
GitHub - ethereum/solidity: The Solidity Contract-Oriented Programming Language. https://github.com/ethereum/ solidityGoogle Scholar
wired.com. 2016. A $50 Million Hack Just Showed That the DAO Was All Too Human. https://www.wired.com/2016/06/50-million-hackjust-showed-dao-human/Google Scholar
Gavin Wood. 2014.Google Scholar
Ethereum: A Secure Decentralised Generalised Transaction Ledger. http://gavwood.com/Paper.pdf.Google Scholar
E. Zhou, S. Hua, B. Pi, J. Sun, Y. Nomura, K. Yamashita, and H. Kurihara. 2018. Security Assurance for Smart Contract. In 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS). 1–5. Google ScholarCross Ref
Yi Zhou, Deepak Kumar, Surya Bakshi, Joshua Mason, Andrew Miller, and Michael Bailey. 2018.Google Scholar
Erays: Reverse Engineering Ethereum’s Opaque Smart Contracts. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC’18). USENIX Association, USA, 1371–1385.Google Scholar

Index Terms

Ethainter: a smart contract security analyzer for composite vulnerabilities
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification
2. Theory of computation
  1. Semantics and reasoning
    1. Program reasoning
      1. Program analysis

Recommendations

Security Vulnerabilities in Ethereum Smart Contracts
iiWAS2018: Proceedings of the 20th International Conference on Information Integration and Web-based Applications & Services

Smart contracts (SC) are one of the most appealing features of blockchain technologies facilitating, executing, and enforcing predefined terms of coded contracts without intermediaries. The steady adoption of smart contracts on the Ethereum blockchain ...
Read More
A survey on smart contract vulnerabilities: Data sources, detection and repair
Abstract
Smart contracts contain many built-in security features, such as non-immutability once being deployed and non-involvement of third parties for contract execution. These features reduce security risks and enhance users’ trust towards ...
Read More
Cross-contract static analysis for detecting practical reentrancy vulnerabilities in smart contracts
ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering

Reentrancy bugs, one of the most severe vulnerabilities in smart contracts, have caused huge financial loss in recent years. Researchers have proposed many approaches to detecting them. However, empirical studies have shown that these approaches suffer ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
PLDI 2020: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2020
1174 pages
ISBN:9781450376136
DOI:10.1145/3385412
General Chair:
Alastair F. Donaldson
Imperial College London, UK
,
Program Chair:
Emina Torlak
University of Washington, USA
Copyright © 2020 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 11 June 2020
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Badges
- Artifacts Evaluated & Functional / v1.1
- Artifacts Available / v1.1
Author Tags
information flow
smart contracts
static analysis
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate406of2,067submissions,20%
Upcoming Conference
PLDI '24

Sponsor:

sigplan

ACM SIGPLAN Conference on Programming Language Design and Implementation

June 24 - 28, 2024

Copenhagen , Denmark
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 84
  Total Citations
  View Citations
- 1,242
  Total Downloads
- Downloads (Last 12 months)277
- Downloads (Last 6 weeks)23
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Ethainter: a smart contract security analyzer for composite vulnerabilities

PLDI 2020: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation

ABSTRACT

References

Cited By

Index Terms

Recommendations

Security Vulnerabilities in Ethereum Smart Contracts

A survey on smart contract vulnerabilities: Data sources, detection and repair

Cross-contract static analysis for detecting practical reentrancy vulnerabilities in smart contracts