ABSTRACT
Security attacks targeting smart contracts have been on the rise, leading to financial loss and erosion of trust. It is therefore important to enable developers to discover security vulnerabilities in smart contracts before deployment. A number of static analysis tools have been developed for finding security bugs in smart contracts. However, despite the numerous bug-finding tools, there is no systematic approach to evaluate the proposed tools and gauge their effectiveness. This paper proposes SolidiFI, an automated and systematic approach for evaluating static analysis tools for smart contracts. SolidiFI injects bugs (i.e., code defects) into all potential locations in a smart contract to introduce targeted security vulnerabilities. It then checks the generated buggy contract with the static analysis tools and identifies the injected bugs that the tools fail to detect (false negatives), along with the bugs that the tools report as false positives. SolidiFI is used to evaluate six widely used static analysis tools, namely Oyente, Securify, Mythril, SmartCheck, Manticore and Slither, on a set of 50 contracts injected with 9369 distinct bugs. It finds several instances of bugs that the evaluated tools fail to detect despite their claims of being able to detect such bugs, and all of the tools report many false positives.
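The scoring step described above (injected bugs as ground truth, tool findings matched against them to obtain false negatives and false positives) as an added example in Python; this is not SolidiFI's own code, and the tool names, bug-class labels and line numbers below are constructed sample data, not results from the paper.

```python
"""Constructed scoring harness modelled on the evaluation step SolidiFI performs:
injected bugs are the ground truth, and each tool's reported findings are matched
to them by bug class and source line. Unmatched injected bugs are false negatives,
unmatched reports are false positives. Not the paper's code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    line: int   # source line in the (buggy) contract
    kind: str   # bug-class label; labels here are constructed for the example


@dataclass
class Score:
    detected: int = 0
    false_negatives: list = field(default_factory=list)
    false_positives: list = field(default_factory=list)

    def detection_rate(self):
        total = self.detected + len(self.false_negatives)
        return self.detected / total if total else 0.0


def score_tool(injected, reported, tolerance=0):
    """Greedily match each injected bug to one unconsumed report of the same kind
    whose line is within `tolerance` lines; a report may satisfy only one bug."""
    remaining = list(reported)
    score = Score()
    for bug in injected:
        match = next((r for r in remaining
                      if r.kind == bug.kind and abs(r.line - bug.line) <= tolerance), None)
        if match is None:
            score.false_negatives.append(bug)
        else:
            score.detected += 1
            remaining.remove(match)
    score.false_positives = remaining
    return score


def evaluate(injected, tool_reports, tolerance=0):
    """Score every tool against the same injected ground truth."""
    return {tool: score_tool(injected, reps, tolerance) for tool, reps in tool_reports.items()}


# Constructed sample data: three injected bugs and two hypothetical tools' reports.
INJECTED = [Finding(12, "reentrancy"), Finding(40, "reentrancy"), Finding(57, "tx-origin")]
TOOL_REPORTS = {
    "tool-A": [Finding(12, "reentrancy"), Finding(57, "tx-origin"), Finding(80, "reentrancy")],
    "tool-B": [Finding(41, "reentrancy")],   # off by one line: a miss at tolerance 0
}
```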
How effective are smart contract analysis tools? Evaluating smart contract static analysis tools using bug injection