Evolution of Automated Weakness Detection in Ethereum Bytecode: a
Comprehensive Study
- URL: http://arxiv.org/abs/2303.10517v2
- Date: Tue, 7 Nov 2023 21:42:18 GMT
- Title: Evolution of Automated Weakness Detection in Ethereum Bytecode: a
Comprehensive Study
- Authors: Monika di Angelo, Thomas Durieux, Jo\~ao F. Ferreira, Gernot Salzer
- Abstract summary: We study the robustness of code analysis tools and the evolution of weakness detection on a dataset representing six years of blockchain activity.
Our study is the first that is based on the entire body of deployed bytecode on a CPU's main chain.
We observe a decrease in reported weaknesses over time, as well as a degradation of tools to varying degrees.
- Score: 0.757843972001219
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Blockchain programs (also known as smart contracts) manage valuable assets
like cryptocurrencies and tokens, and implement protocols in domains like
decentralized finance (DeFi) and supply-chain management. These types of
applications require a high level of security that is hard to achieve due to
the transparency of public blockchains. Numerous tools support developers and
auditors in the task of detecting weaknesses. As a young technology,
blockchains and utilities evolve fast, making it challenging for tools and
developers to keep up with the pace.
In this work, we study the robustness of code analysis tools and the
evolution of weakness detection on a dataset representing six years of
blockchain activity. We focus on Ethereum as the crypto ecosystem with the
largest number of developers and deployed programs. We investigate the behavior
of single tools as well as the agreement of several tools addressing similar
weaknesses.
Our study is the first that is based on the entire body of deployed bytecode
on Ethereum's main chain. We achieve this coverage by considering bytecodes as
equivalent if they share the same skeleton. The skeleton of a bytecode is
obtained by omitting functionally irrelevant parts. This reduces the 48 million
contracts deployed on Ethereum up to January 2022 to 248328 contracts with
distinct skeletons. For bulk execution, we utilize the open-source framework
SmartBugs that facilitates the analysis of Solidity smart contracts, and
enhance it to accept also bytecode as the only input. Moreover, we integrate
six further tools for bytecode analysis. The execution of the 12 tools included
in our study on the dataset took 30 CPU years. While the tools report a total
of 1307486 potential weaknesses, we observe a decrease in reported weaknesses
over time, as well as a degradation of tools to varying degrees.
Related papers
- Vulnerability anti-patterns in Solidity: Increasing smart contracts security by reducing false alarms [0.0]
We show how integrating and extending current analyses is not only feasible, but also a next logical step in smart-contract security.
We propose light-weight static checks on the morphology and dynamics of Solidity code, stemming from a developer-centric notion of vulnerability.
arXiv Detail & Related papers (2024-10-22T17:21:28Z) - The Latency Price of Threshold Cryptosystem in Blockchains [52.359230560289745]
We study the interplay between threshold cryptography and a class of blockchains that use Byzantine-fault tolerant (BFT) consensus protocols.
Existing approaches for threshold cryptosystems introduce a latency overhead of at least one message delay for running the threshold cryptographic protocol.
We propose a mechanism to eliminate this overhead for blockchain-native threshold cryptosystems with tight thresholds.
arXiv Detail & Related papers (2024-07-16T20:53:04Z) - Dual-view Aware Smart Contract Vulnerability Detection for Ethereum [5.002702845720439]
We propose a Dual-view Aware Smart Contract Vulnerability Detection Framework named DVDet.
The framework initially converts the source code and bytecode of smart contracts into weighted graphs and control flow sequences.
Comprehensive experiments on the dataset show that our method outperforms others in detecting vulnerabilities.
arXiv Detail & Related papers (2024-06-29T06:47:51Z) - Vulnerability Scanners for Ethereum Smart Contracts: A Large-Scale Study [44.25093111430751]
In 2023 alone, such vulnerabilities led to substantial financial losses exceeding a billion of US dollars.
Various tools have been developed to detect and mitigate vulnerabilities in smart contracts.
This study investigates the gap between the effectiveness of existing security scanners and the vulnerabilities that still persist in practice.
arXiv Detail & Related papers (2023-12-27T11:26:26Z) - SmartBugs 2.0: An Execution Framework for Weakness Detection in Ethereum
Smart Contracts [0.757843972001219]
Smart contracts are blockchain programs that often handle valuable assets.
To support developers in identifying and eliminating vulnerabilities, methods and tools for the automated analysis have been proposed.
We present SmartBugs 2.0, a modular execution framework for smart contract analysis.
arXiv Detail & Related papers (2023-06-08T09:22:25Z) - Graph Neural Networks Enhanced Smart Contract Vulnerability Detection of
Educational Blockchain [4.239144309557045]
This paper proposes a graph neural network based vulnerability detection for smart contracts in educational blockchains.
The experimental results show that the proposed method is effective for the vulnerability detection of smart contracts.
arXiv Detail & Related papers (2023-03-08T09:58:58Z) - Token Spammers, Rug Pulls, and SniperBots: An Analysis of the Ecosystem of Tokens in Ethereum and in the Binance Smart Chain (BNB) [50.888293380932616]
We study the ecosystem of the tokens and liquidity pools.
We find that about 60% of tokens are active for less than one day.
We estimate that 1-day rug pulls generated $240 million in profits.
arXiv Detail & Related papers (2022-06-16T14:20:19Z) - Smart Contract Vulnerability Detection: From Pure Neural Network to
Interpretable Graph Feature and Expert Pattern Fusion [48.744359070088166]
Conventional smart contract vulnerability detection methods heavily rely on fixed expert rules.
Recent deep learning approaches alleviate this issue but fail to encode useful expert knowledge.
We develop automatic tools to extract expert patterns from the source code.
We then cast the code into a semantic graph to extract deep graph features.
arXiv Detail & Related papers (2021-06-17T07:12:13Z) - ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep
Neural Network and Transfer Learning [80.85273827468063]
Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable.
We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts.
We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
arXiv Detail & Related papers (2021-03-23T15:04:44Z) - Quantum Multi-Solution Bernoulli Search with Applications to Bitcoin's
Post-Quantum Security [67.06003361150228]
A proof of work (PoW) is an important cryptographic construct enabling a party to convince others that they invested some effort in solving a computational task.
In this work, we examine the hardness of finding such chain of PoWs against quantum strategies.
We prove that the chain of PoWs problem reduces to a problem we call multi-solution Bernoulli search, for which we establish its quantum query complexity.
arXiv Detail & Related papers (2020-12-30T18:03:56Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.