
Efficiently Detecting Reentrancy Vulnerabilities in Complex Smart Contracts (2403.11254v1)

Published 17 Mar 2024 in cs.SE

Abstract: Reentrancy vulnerability, as one of the most notorious vulnerabilities, has been a prominent topic in smart contract security research. Research shows that existing vulnerability detection presents a range of challenges, especially as smart contracts continue to increase in complexity. Existing tools perform poorly in terms of efficiency and successful detection rates for vulnerabilities in complex contracts. To effectively detect reentrancy vulnerabilities in contracts with complex logic, we propose a tool named SliSE. SliSE's detection process consists of two stages: Warning Search and Symbolic Execution Verification. In Stage I, SliSE utilizes program slicing to analyze the Inter-contract Program Dependency Graph (I-PDG) of the contract and collects suspicious vulnerability information as warnings. In Stage II, symbolic execution is employed to verify the reachability of these warnings, thereby enhancing vulnerability detection accuracy. SliSE obtained the best performance compared with eight state-of-the-art detection tools. It achieved an F1 score of 78.65%, surpassing the highest score recorded by an existing tool of 9.26%. Additionally, it attained a recall rate exceeding 90% for detection of contracts on Ethereum. Overall, SliSE provides a robust and efficient method for detecting reentrancy vulnerabilities in complex contracts.
