
Abusing the Ethereum Smart Contract Verification Services for Fun and Profit (2307.00549v1)

Published 2 Jul 2023 in cs.CR

Abstract: Smart contracts play a vital role in the Ethereum ecosystem. Because security issues are so prevalent in smart contracts, smart contract verification is urgently needed: the process of matching a smart contract's source code to its on-chain bytecode, so that developers and users can establish mutual trust. Although smart contract verification services are embedded in popular Ethereum block explorers (e.g., Etherscan and Blockscout) and in official platforms (i.e., Sourcify), and are widely used across the ecosystem, their security and trustworthiness remain unclear. To fill this void, we present the first comprehensive security analysis of smart contract verification services in the wild. By examining the detailed workflow of existing verifiers, we summarize the key security properties they should satisfy and identify eight types of vulnerabilities that can break verification. Further, we propose a series of detection and exploitation methods to reveal these vulnerabilities in the most popular services, uncovering 19 exploitable vulnerabilities in total. Every studied smart contract verification service can be abused to help spread malicious smart contracts, and we have already observed attackers using such tricks for scams. It is therefore urgent for the community to detect and mitigate security issues in smart contract verification, a key component of the Ethereum smart contract ecosystem.
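
The matching step the abstract describes, shown as an added example (not code from the paper or from Etherscan, Blockscout or Sourcify): it splits the Solidity CBOR metadata trailer off the runtime bytecode, decodes it, and reports a full match (identical bytes), a partial match (same code region and compiler version, different metadata hash) or none. The metadata layout follows the Solidity documentation (the last two bytes give the length of the CBOR map before them); all bytecode values, the `make_bytecode` helper and the function names are constructed for this example. It deliberately contrasts the exact comparison with a prefix check, which accepts on-chain code that has extra bytes appended after the compiled bytecode.

```python
"""Match on-chain runtime bytecode against locally compiled bytecode the way a
source verifier must: split off the Solidity CBOR metadata trailer, then compare
the code region and the trailer separately, never by prefix.

Added example, not code from the paper or from any verification service.  The
metadata layout is real; every bytecode value below is constructed by hand."""


def split_metadata(bytecode: bytes) -> tuple:
    """Return (code, cbor_metadata).  The length field is self-declared by the
    bytecode itself, so validate it instead of trusting it."""
    if len(bytecode) < 2:
        raise ValueError("bytecode too short for a metadata length field")
    meta_len = int.from_bytes(bytecode[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(bytecode):
        raise ValueError("metadata length field does not fit the bytecode")
    return bytecode[:-2 - meta_len], bytecode[-2 - meta_len:-2]


def decode_cbor(data: bytes):
    """Minimal CBOR decoder for what solc emits: a map of text keys to byte
    strings or booleans.  Anything else is rejected."""
    def item(pos):
        head = data[pos]
        major, info = head >> 5, head & 0x1F
        pos += 1
        if major == 7:                      # simple values: only true/false
            if info in (20, 21):
                return info == 21, pos
            raise ValueError("unsupported CBOR simple value %d" % info)
        if info < 24:                       # length encoded in the header byte
            length = info
        elif info == 24:                    # one-byte length follows
            length, pos = data[pos], pos + 1
        else:
            raise ValueError("unsupported CBOR header 0x%02x" % head)
        if major == 2:                      # byte string
            return data[pos:pos + length], pos + length
        if major == 3:                      # text string
            return data[pos:pos + length].decode("utf-8"), pos + length
        if major == 5:                      # map
            out = {}
            for _ in range(length):
                key, pos = item(pos)
                val, pos = item(pos)
                out[key] = val
            return out, pos
        raise ValueError("unsupported CBOR major type %d" % major)

    value, end = item(0)
    if end != len(data):
        raise ValueError("CBOR value does not span the whole trailer")
    return value


def classify_match(onchain: bytes, compiled: bytes) -> str:
    """'full' if byte-identical, 'partial' if only the metadata hash differs
    (same code region, same compiler version), otherwise 'none'."""
    if onchain == compiled:
        return "full"
    try:
        code_a, meta_a = split_metadata(onchain)
        code_b, meta_b = split_metadata(compiled)
        cbor_a, cbor_b = decode_cbor(meta_a), decode_cbor(meta_b)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "none"
    if code_a == code_b and cbor_a.get("solc") == cbor_b.get("solc"):
        return "partial"
    return "none"


def naive_prefix_match(onchain: bytes, compiled: bytes) -> bool:
    """The unsafe comparison: accepts on-chain code that merely starts with the
    compiled bytes, so anything appended after the trailer goes unverified."""
    return onchain.startswith(compiled)


def make_bytecode(code: bytes, ipfs_digest: bytes, solc=(0, 8, 19)) -> bytes:
    """Append a solc-style trailer {ipfs: <CIDv0 bytes>, solc: <version>} to a
    code region.  Hypothetical helper, used only to build the samples."""
    cbor = (b"\xa2" + b"\x64ipfs" + b"\x58\x22" + b"\x12\x20" + ipfs_digest
            + b"\x64solc" + b"\x43" + bytes(solc))
    return code + cbor + len(cbor).to_bytes(2, "big")


# Constructed samples: one short code region, several metadata variants.
CODE = bytes.fromhex("6080604052348015600f57600080fd5b50")
COMPILED = make_bytecode(CODE, bytes(range(32)))
ONCHAIN_SAME = make_bytecode(CODE, bytes(range(32)))
ONCHAIN_OTHER_SOURCE = make_bytecode(CODE, bytes(range(1, 33)))   # e.g. comments edited
ONCHAIN_OTHER_SOLC = make_bytecode(CODE, bytes(range(32)), solc=(0, 8, 20))
ONCHAIN_APPENDED = COMPILED + bytes.fromhex("5b60006000fd")        # code after the trailer

if __name__ == "__main__":
    for name, onchain in [("same", ONCHAIN_SAME), ("other source", ONCHAIN_OTHER_SOURCE),
                          ("other solc", ONCHAIN_OTHER_SOLC), ("appended", ONCHAIN_APPENDED)]:
        print(f"{name:13s} exact={classify_match(onchain, COMPILED):8s} "
              f"prefix={naive_prefix_match(onchain, COMPILED)}")
```

Two caveats a production verifier has to carry beyond this sketch: the two-byte length field is written by whoever deployed the bytecode, so it must be validated rather than trusted (the example rejects lengths that do not fit), and real deployments also differ from raw compiler output in immutable references, linked library addresses and constructor arguments, each of which needs its own handling that this example omits.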
