-
Mining Domain Models in Ethereum DApps using Code Cloning
Authors:
Noama Fatima Samreen,
Manar H. Alalfi
Abstract:
This research study explores the use of near-miss clone detection to support the characterization of domain models of smart contracts for each of the popular domains in which smart contracts are being rapidly adopted. In this paper, we leverage the code clone detection techniques to detect similarities in functions of the smart contracts deployed onto the Ethereum blockchain network. We analyze th…
▽ More
This research study explores the use of near-miss clone detection to support the characterization of domain models of smart contracts for each of the popular domains in which smart contracts are being rapidly adopted. In this paper, we leverage the code clone detection techniques to detect similarities in functions of the smart contracts deployed onto the Ethereum blockchain network. We analyze the clusters of code clones and the semantics of the code fragments in the clusters in an attempt to categorize them and discover the structural models of the patterns in code clones.
△ Less
Submitted 1 March, 2022;
originally announced March 2022.
-
VOLCANO: Detecting Vulnerabilities of Ethereum Smart Contracts Using Code Clone Analysis
Authors:
Noama Fatima Samreen,
Manar H. Alalfi
Abstract:
Ethereum Smart Contracts based on Blockchain Technology (BT) enables monetary transactions among peers on a blockchain network independent of a central authorizing agency. Ethereum Smart Contracts are programs that are deployed as decentralized applications, having the building blocks of the blockchain consensus protocol. This enables consumers to make agreements in a transparent and conflict-free…
▽ More
Ethereum Smart Contracts based on Blockchain Technology (BT) enables monetary transactions among peers on a blockchain network independent of a central authorizing agency. Ethereum Smart Contracts are programs that are deployed as decentralized applications, having the building blocks of the blockchain consensus protocol. This enables consumers to make agreements in a transparent and conflict-free environment. However, there exist some security vulnerabilities within these smart contracts that are a potential threat to the applications and their consumers and have shown in the past to cause huge financial losses. This paper presents a framework and empirical analysis that use code clone detection techniques for identifying vulnerabilities and their variations in smart contracts. Our empirical analysis is conducted using the Nicad code clone detection tool on a dataset of approximately 50k Ethereum smart contracts. We evaluated VOLCANO on two datasets, one with confirmed vulnerabilities and another with approximately 50k random smart contracts collected from the Etherscan. Our approach shows an improvement in the detection of vulnerabilities in terms of coverage and efficiency when compared to two of the publicly available static analyzers to detect vulnerabilities in smart contracts. To the best of our knowledge, this is the first study that uses a clone detection technique to identify vulnerabilities and their evolution in Ethereum smart contracts.
△ Less
Submitted 1 March, 2022;
originally announced March 2022.
-
A Survey of Security Vulnerabilities in Ethereum Smart Contracts
Authors:
Noama Fatima Samreen,
Manar H. Alalfi
Abstract:
Ethereum Smart Contracts based on Blockchain Technology (BT)enables monetary transactions among peers on a blockchain network independent of a central authorizing agency. Ethereum smart contracts are programs that are deployed as decentralized applications, having the building blocks of the blockchain consensus protocol. This enables consumers to make agreements in a transparent and conflict-free…
▽ More
Ethereum Smart Contracts based on Blockchain Technology (BT)enables monetary transactions among peers on a blockchain network independent of a central authorizing agency. Ethereum smart contracts are programs that are deployed as decentralized applications, having the building blocks of the blockchain consensus protocol. This enables consumers to make agreements in a transparent and conflict-free environment. However, there exist some security vulnerabilities within these smart contracts that are a potential threat to the applications and their consumers and have shown in the past to cause huge financial losses. In this study, we review the existing literature and broadly classify the BT applications. As Ethereum smart contracts find their application mostly in e-commerce applications, we believe these are more commonly vulnerable to attacks. In these smart contracts, we mainly focus on identifying vulnerabilities that programmers and users of smart contracts must avoid. This paper aims at explaining eight vulnerabilities that are specific to the application level of BT by analyzing the past exploitation case scenarios of these security vulnerabilities. We also review some of the available tools and applications that detect these vulnerabilities in terms of their approach and effectiveness. We also investigated the availability of detection tools for identifying these security vulnerabilities and lack thereof to identify some of them
△ Less
Submitted 14 May, 2021;
originally announced May 2021.
-
Reentrancy Vulnerability Identification in Ethereum Smart Contracts
Authors:
Noama Fatima Samreen,
Manar H. Alalfi
Abstract:
Ethereum Smart contracts use blockchain to transfer values among peers on networks without central agency. These programs are deployed on decentralized applications running on top of the blockchain consensus protocol to enable people to make agreements in a transparent and conflict-free environment. The security vulnerabilities within those smart contracts are a potential threat to the application…
▽ More
Ethereum Smart contracts use blockchain to transfer values among peers on networks without central agency. These programs are deployed on decentralized applications running on top of the blockchain consensus protocol to enable people to make agreements in a transparent and conflict-free environment. The security vulnerabilities within those smart contracts are a potential threat to the applications and have caused huge financial losses to their users. In this paper, we present a framework that combines static and dynamic analysis to detect Reentrancy vulnerabilities in Ethereum smart contracts. This framework generates an attacker contract based on the ABI specifications of smart contracts under test and analyzes the contract interaction to precisely report Reentrancy vulnerability. We conducted a preliminary evaluation of our proposed framework on 5 modified smart contracts from Etherscan and our framework was able to detect the Reentrancy vulnerability in all our modified contracts. Our framework analyzes smart contracts statically to identify potentially vulnerable functions and then uses dynamic analysis to precisely confirm Reentrancy vulnerability, thus achieving increased performance and reduced false positives.
△ Less
Submitted 6 May, 2021;
originally announced May 2021.
-
SmartScan: An approach to detect Denial of Service Vulnerability in Ethereum Smart Contracts
Authors:
Noama Fatima Samreen,
Manar H. Alalfi
Abstract:
Blockchain technology (BT) Ethereum Smart Contracts allows programmable transactions that involve the transfer of monetary assets among peers on a BT network independent of a central authorizing agency. Ethereum Smart Contracts are programs that are deployed as decentralized applications, having the building blocks of the blockchain consensus protocol. This technology enables consumers to make agr…
▽ More
Blockchain technology (BT) Ethereum Smart Contracts allows programmable transactions that involve the transfer of monetary assets among peers on a BT network independent of a central authorizing agency. Ethereum Smart Contracts are programs that are deployed as decentralized applications, having the building blocks of the blockchain consensus protocol. This technology enables consumers to make agreements in a transparent and conflict-free environment. However, the security vulnerabilities within these smart contracts are a potential threat to the applications and their consumers and have shown in the past to cause huge financial losses. In this paper, we propose a framework that combines static and dynamic analysis to detect Denial of Service (DoS) vulnerability due to an unexpected revert in Ethereum Smart Contracts. Our framework, SmartScan, statically scans smart contracts under test (SCUTs) to identify patterns that are potentially vulnerable in these SCUTs and then uses dynamic analysis to precisely confirm their exploitability of the DoS-Unexpected Revert vulnerability, thus achieving increased performance and more precise results. We evaluated SmartScan on a set of 500 smart contracts collected from the Etherscan. Our approach shows an improvement in precision and recall when compared to available state-of-the-art techniques.
△ Less
Submitted 20 May, 2021; v1 submitted 6 May, 2021;
originally announced May 2021.