ABSTRACT
Ethereum smart contract exploits have inflicted enormous monetary damage due to vulnerabilities introduced accidentally by the contract authors. Many of these errors can now be detected automatically by a growing number of security analysis tools that specifically target the most common vulnerabilities present in the Ethereum smart contract ecosystem. The aim of this work is to identify state-of-the-art security analysis tools that assist auditors in automatically testing and verifying real-world contracts. We compare two such symbolic execution tools, Manticore (which we also extend) and Mythril, and one fuzz tester, Echidna, to evaluate their effectiveness when analysing a set of challenge contracts hosted online, as well as twenty of the most popular ERC-20 tokens found on the main Ethereum network. Our results showed that the tools were able to solve 24 of the 39 challenge contracts and both symbolic tools achieved on average more than 80% code coverage on successful evaluations of the popular ERC-20 token data. Code coverage plateaued after the second symbolic transaction, suggesting a good performance target for continuous integration environments.