-
SmartBugs 2.0: An Execution Framework for Weakness Detection in Ethereum Smart Contracts
Authors:
Monika di Angelo,
Thomas Durieux,
João F. Ferreira,
Gernot Salzer
Abstract:
Smart contracts are blockchain programs that often handle valuable assets. Writing secure smart contracts is far from trivial, and any vulnerability may lead to significant financial losses. To support developers in identifying and eliminating vulnerabilities, methods and tools for automated analysis have been proposed. However, the lack of commonly accepted benchmark suites and performance metrics makes it difficult to compare and evaluate such tools. Moreover, the tools are heterogeneous in their interfaces and reports as well as their runtime requirements, and installing several tools is time-consuming.
In this paper, we present SmartBugs 2.0, a modular execution framework. It provides a uniform interface to 19 tools aimed at smart contract analysis and accepts both Solidity source code and EVM bytecode as input. After describing its architecture, we highlight the features of the framework. We evaluate the framework via its reception by the community and illustrate its scalability by describing its role in a study involving 3.25 million analyses.
Submitted 8 June, 2023;
originally announced June 2023.
-
Consolidation of Ground Truth Sets for Weakness Detection in Smart Contracts
Authors:
Monika di Angelo,
Gernot Salzer
Abstract:
Smart contracts are small programs on the blockchain that often handle valuable assets. Vulnerabilities in smart contracts can be costly, as time has shown over and over again. Countermeasures are high in demand and include best practice recommendations as well as tools supporting development, program verification, and post-deployment analysis. Many tools focus on detecting the absence or presence of a subset of the known vulnerabilities, delivering results of varying quality. Most comparative tool evaluations resort to selecting a handful of tools and testing them against each other. In the best case, the evaluation is based on a smallish ground truth. For Ethereum, there are commendable efforts by several author groups to manually classify contracts. However, a comprehensive ground truth is still lacking. In this work, we construct a ground truth based on publicly available benchmark sets for Ethereum smart contracts with manually checked ground truth data. We develop a method to unify these sets. Additionally, we devise strategies for matching entries that pertain to the same contract, such that we can determine overlaps and disagreements between the sets and consolidate the disagreements. Finally, we assess the quality of the included ground truth sets. Our work reduces inconsistencies, redundancies, and incompleteness while increasing the number of data points and heterogeneity.
Submitted 2 May, 2023; v1 submitted 23 April, 2023;
originally announced April 2023.
-
Evolution of Automated Weakness Detection in Ethereum Bytecode: a Comprehensive Study
Authors:
Monika di Angelo,
Thomas Durieux,
João F. Ferreira,
Gernot Salzer
Abstract:
Blockchain programs (also known as smart contracts) manage valuable assets like cryptocurrencies and tokens, and implement protocols in domains like decentralized finance (DeFi) and supply-chain management. These types of applications require a high level of security that is hard to achieve due to the transparency of public blockchains. Numerous tools support developers and auditors in the task of detecting weaknesses. As a young technology, blockchains and utilities evolve fast, making it challenging for tools and developers to keep up with the pace.
In this work, we study the robustness of code analysis tools and the evolution of weakness detection on a dataset representing six years of blockchain activity. We focus on Ethereum as the crypto ecosystem with the largest number of developers and deployed programs. We investigate the behavior of single tools as well as the agreement of several tools addressing similar weaknesses.
Our study is the first that is based on the entire body of deployed bytecode on Ethereum's main chain. We achieve this coverage by considering bytecodes as equivalent if they share the same skeleton. The skeleton of a bytecode is obtained by omitting functionally irrelevant parts. This reduces the 48 million contracts deployed on Ethereum up to January 2022 to 248,328 contracts with distinct skeletons. For bulk execution, we utilize the open-source framework SmartBugs, which facilitates the analysis of Solidity smart contracts, and enhance it to also accept bytecode as its only input. Moreover, we integrate six further tools for bytecode analysis. The execution of the 12 tools included in our study on the dataset took 30 CPU years. While the tools report a total of 1,307,486 potential weaknesses, we observe a decrease in reported weaknesses over time, as well as a degradation of tools to varying degrees.
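The skeleton-based deduplication described in the abstract, as an added example (this is not code from the paper or from SmartBugs). The abstract only says that "functionally irrelevant parts" are omitted; the concrete choice here, zeroing the operands of PUSH instructions and dropping the CBOR metadata trailer that solc appends, is this example's own assumption about what that means. All sample bytecodes are constructed for the example.

```python
"""Group EVM bytecodes by skeleton so that contracts differing only in
embedded constants (addresses, amounts, metadata hashes) are analysed once.

Added example, not code from the paper or SmartBugs. ASSUMPTION: the
"functionally irrelevant parts" are PUSH operands and the solc metadata
trailer; the paper may use a different definition.
"""
from typing import Dict, List

PUSH1, PUSH32 = 0x60, 0x7F  # PUSHn opcodes carry n operand bytes


def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata blob solc appends to runtime code.

    ASSUMPTION about the layout: the last two bytes are the big-endian length
    of the CBOR map directly preceding them, and that map starts with a CBOR
    map header (0xa1..0xa3). If the check fails the code is returned unchanged.
    """
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    total = meta_len + 2
    if total <= len(code) and code[-total] in (0xA1, 0xA2, 0xA3):
        return code[:-total]
    return code


def skeleton(code: bytes) -> bytes:
    """Replace every PUSHn operand with zero bytes; opcodes and layout stay.

    Zeroing (rather than deleting) keeps the byte offsets of the original, so
    two skeletons are equal only if the control flow and code shape coincide.
    """
    code = strip_metadata(code)
    out = bytearray()
    i = 0
    while i < len(code):
        op = code[i]
        out.append(op)
        i += 1
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            n = min(n, len(code) - i)  # tolerate a PUSH truncated at code end
            out.extend(b"\x00" * n)
            i += n
    return bytes(out)


def group_by_skeleton(bytecodes: Dict[str, bytes]) -> Dict[bytes, List[str]]:
    """Map each distinct skeleton to the addresses whose code produces it."""
    groups: Dict[bytes, List[str]] = {}
    for addr, code in bytecodes.items():
        groups.setdefault(skeleton(code), []).append(addr)
    return groups


# Constructed sample: three tiny runtime codes. The first two store different
# constants to slot 0 (PUSH1 c PUSH1 0 SSTORE STOP); the third uses MSTORE
# instead of SSTORE; the fourth is the first with a fake metadata trailer.
SAMPLE = {
    "0xa": bytes.fromhex("602a60005500"),
    "0xb": bytes.fromhex("600760005500"),
    "0xc": bytes.fromhex("602a60005200"),
    "0xd": bytes.fromhex("602a60005500" + "a164736f6c6343000811" + "000a"),
}


def distinct_skeleton_count(bytecodes: Dict[str, bytes] = SAMPLE) -> int:
    return len(group_by_skeleton(bytecodes))


if __name__ == "__main__":
    for sk, addrs in group_by_skeleton(SAMPLE).items():
        print(sk.hex(), addrs)
```

On the constructed sample, addresses 0xa, 0xb and 0xd collapse into one skeleton and 0xc stays separate, so four deployments become two analyses. On real chain data the same idea is what turns tens of millions of deployments into a few hundred thousand distinct bodies of code.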
Submitted 7 November, 2023; v1 submitted 18 March, 2023;
originally announced March 2023.
-
Wallet Contracts on Ethereum -- Identification, Types, Usage, and Profiles
Authors:
Monika di Angelo,
Gernot Salzer
Abstract:
In the area of blockchains, a wallet is anything that manages the access to cryptocurrencies and tokens. Off-chain wallets appear in different forms, from paper wallets to hardware wallets to dedicated wallet apps, while on-chain wallets are realized as smart contracts. Wallet contracts are supposed to increase trust and security by being transparent and by offering features like daily limits, approvals, multiple signatures, and recovery mechanisms. Ethereum is the most prominent platform for smart contracts in general and for the token ecosystem in particular, and thus also for wallet contracts. Our work aims at a better understanding of wallet contracts on Ethereum, since they are one of the most frequently deployed smart contracts. By analyzing source code, bytecode, and execution traces, we derive usage scenarios and patterns. We discuss methods for identifying wallet contracts in a semi-automatic manner by looking at the deployed bytecodes and the on-chain interaction patterns. We extract blueprints for wallets and compile a ground truth. Furthermore, we differentiate characteristics of wallets in use, and group them into six types. We provide numbers and temporal perspectives regarding the creation and use of wallets. For the 40 identified blueprints, we compile detailed profiles. We analyze the data of the Ethereum main chain up to block 11,500,000, mined on December 22, 2020.
Submitted 4 April, 2021; v1 submitted 19 January, 2020;
originally announced January 2020.