ABSTRACT
Decentralized cryptocurrencies use blockchains to transfer value among peers on a network without a central agency. Smart contracts are programs running on top of the blockchain consensus protocol that enable people to make agreements while minimizing trust. Millions of smart contracts have been deployed in various decentralized applications. The security vulnerabilities within those smart contracts pose significant threats to their applications. Indeed, many critical security vulnerabilities within smart contracts on the Ethereum platform have caused huge financial losses to their users. In this work, we present ContractFuzzer, a novel fuzzer to test Ethereum smart contracts for security vulnerabilities. ContractFuzzer generates fuzzing inputs based on the ABI specifications of smart contracts, defines test oracles to detect security vulnerabilities, instruments the EVM to log smart contracts' runtime behaviors, and analyzes these logs to report security vulnerabilities. Our fuzzing of 6991 smart contracts has flagged more than 459 vulnerabilities with high precision. In particular, our fuzzing tool successfully detects the vulnerability of the DAO contract that led to a USD 60 million loss and the vulnerabilities of Parity Wallet that have led to the loss of USD 30 million and the freezing of USD 150 million worth of Ether.
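As an added illustration of ABI-driven input generation (not code from the paper or from ContractFuzzer), the sketch below reads a constructed ABI entry, picks boundary and random values per static Solidity type, and encodes them as 32-byte ABI words. The sample ABI, the function names and the value-selection strategy are assumptions; the 4-byte selector that precedes the arguments in real calldata is omitted because Keccak-256 is not in the Python standard library.

```python
import json
import random

# Constructed ABI entry for a hypothetical function; not taken from the paper.
SAMPLE_ABI = json.loads("""[
  {"type": "function", "name": "transfer",
   "inputs": [{"name": "to", "type": "address"},
              {"name": "amount", "type": "uint256"},
              {"name": "force", "type": "bool"}]}
]""")

def candidates(sol_type, rng):
    """Boundary values plus a random one for a static Solidity type."""
    if sol_type == "bool":
        return [0, 1]
    if sol_type == "address":
        return [0, (1 << 160) - 1, rng.getrandbits(160)]
    if sol_type.startswith("uint"):
        bits = int(sol_type[4:] or 256)
        return [0, 1, (1 << bits) - 1, rng.getrandbits(bits)]
    if sol_type.startswith("int"):
        bits = int(sol_type[3:] or 256)
        return [0, -1, (1 << (bits - 1)) - 1, -(1 << (bits - 1))]
    raise ValueError(f"type not handled in this sketch: {sol_type}")

def encode_word(value):
    """One 32-byte big-endian ABI word; negatives become two's complement."""
    return (value % (1 << 256)).to_bytes(32, "big")

def signature(fn):
    """Canonical signature string, the input to the selector hash."""
    return f'{fn["name"]}({",".join(i["type"] for i in fn["inputs"])})'

def generate_inputs(abi, n, seed=0):
    """Return n (signature, args, encoded_args) test cases per ABI function."""
    rng = random.Random(seed)
    cases = []
    for fn in (e for e in abi if e.get("type") == "function"):
        pools = [candidates(i["type"], rng) for i in fn["inputs"]]
        for _ in range(n):
            args = [rng.choice(pool) for pool in pools]
            data = b"".join(encode_word(a) for a in args)
            cases.append((signature(fn), args, data))
    return cases
```

Dynamic types (`bytes`, `string`, arrays) need offset-based tail encoding and are deliberately rejected here rather than encoded incorrectly.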