Related papers: SmartAxe: Detecting Cross-Chain Vulnerabilities in Bridge Smart Contracts via Fine-Grained Static Analysis

SmartAxe: Detecting Cross-Chain Vulnerabilities in Bridge Smart Contracts via Fine-Grained Static Analysis

URL: http://arxiv.org/abs/2406.15999v1
Date: Sun, 23 Jun 2024 03:25:27 GMT
Title: SmartAxe: Detecting Cross-Chain Vulnerabilities in Bridge Smart Contracts via Fine-Grained Static Analysis
Authors: Zeqin Liao, Yuhong Nan, Henglong Liang, Sicheng Hao, Juan Zhai, Jiajing Wu, Zibin Zheng,
Abstract summary: Cross-chain bridge is a decentralized application for asset exchange across different blockchain platforms. There are a number of recent security incidents with heavy financial losses caused by vulnerabilities in bridge smart contracts. We propose SmartAxe, a new framework to identify vulnerabilities in cross-chain bridge smart contracts.
Score: 28.420618636956924
License: http://creativecommons.org/licenses/by/4.0/
Abstract: With the increasing popularity of blockchain, different blockchain platforms coexist in the ecosystem (e.g., Ethereum, BNB, EOSIO, etc.), which prompts the high demand for cross-chain communication. Cross-chain bridge is a specific type of decentralized application for asset exchange across different blockchain platforms. Securing the smart contracts of cross-chain bridges is in urgent need, as there are a number of recent security incidents with heavy financial losses caused by vulnerabilities in bridge smart contracts, as we call them Cross-Chain Vulnerabilities (CCVs). However, automatically identifying CCVs in smart contracts poses several unique challenges. Particularly, it is non-trivial to (1) identify application-specific access control constraints needed for cross-bridge asset exchange, and (2) identify inconsistent cross-chain semantics between the two sides of the bridge. In this paper, we propose SmartAxe, a new framework to identify vulnerabilities in cross-chain bridge smart contracts. Particularly, to locate vulnerable functions that have access control incompleteness, SmartAxe models the heterogeneous implementations of access control and finds necessary security checks in smart contracts through probabilistic pattern inference. Besides, SmartAxe constructs cross-chain control-flow graph (xCFG) and data-flow graph (xDFG), which help to find semantic inconsistency during cross-chain data communication. To evaluate SmartAxe, we collect and label a dataset of 88 CCVs from real-attacks cross-chain bridge contracts. Evaluation results show that SmartAxe achieves a precision of 84.95% and a recall of 89.77%. In addition, SmartAxe successfully identifies 232 new/unknown CCVs from 129 real-world cross-chain bridge applications (i.e., from 1,703 smart contracts). These identified CCVs affect a total amount of digital assets worth 1,885,250 USD.

Related papers

Safeguarding Blockchain Ecosystem: Understanding and Detecting Attack Transactions on Cross-chain Bridges [3.07869141026886]
Attacks on cross-chain bridges have resulted in losses of nearly 4.3 billion dollars since 2021. This paper collects the largest number of cross-chain bridge attack incidents to date, including 49 attacks that occurred between June 2021 and September 2024. We propose the BridgeGuard tool to detect attacks against cross-chain business logic.
arXiv Detail & Related papers (2024-10-18T14:25:05Z)
CONNECTOR: Enhancing the Traceability of Decentralized Bridge Applications via Automatic Cross-chain Transaction Association [25.765477747143432]
Cross-chain transaction association identifies and matches unique transactions executed by bridge DApps. We present CONNECTOR, an automated cross-chain transaction association analysis method based on bridge smart contracts. We conduct real-world experiments on different types of bridges to demonstrate the effectiveness of CONNECTOR.
arXiv Detail & Related papers (2024-09-08T00:52:06Z)
Dual-view Aware Smart Contract Vulnerability Detection for Ethereum [5.002702845720439]
We propose a Dual-view Aware Smart Contract Vulnerability Detection Framework named DVDet. The framework initially converts the source code and bytecode of smart contracts into weighted graphs and control flow sequences. Comprehensive experiments on the dataset show that our method outperforms others in detecting vulnerabilities.
arXiv Detail & Related papers (2024-06-29T06:47:51Z)
Generative AI-enabled Blockchain Networks: Fundamentals, Applications, and Case Study [73.87110604150315]
Generative Artificial Intelligence (GAI) has emerged as a promising solution to address challenges of blockchain technology. In this paper, we first introduce GAI techniques, outline their applications, and discuss existing solutions for integrating GAI into blockchains.
arXiv Detail & Related papers (2024-01-28T10:46:17Z)
Vulnerability Scanners for Ethereum Smart Contracts: A Large-Scale Study [44.25093111430751]
In 2023 alone, such vulnerabilities led to substantial financial losses exceeding a billion of US dollars. Various tools have been developed to detect and mitigate vulnerabilities in smart contracts. This study investigates the gap between the effectiveness of existing security scanners and the vulnerabilities that still persist in practice.
arXiv Detail & Related papers (2023-12-27T11:26:26Z)
SoK: Security of Cross-chain Bridges: Attack Surfaces, Defenses, and Open Problems [43.80265187232706]
Cross-chain bridges are used to facilitate token and data exchanges across blockchains. Although bridges are becoming increasingly popular, they are still in their infancy and have been attacked multiple times recently. This paper analyzes the security landscape of cross-chain bridges in a holistic manner.
arXiv Detail & Related papers (2023-12-19T20:13:21Z)
Security Analysis of Smart Contract Migration from Ethereum to Arbitrum [6.814035037486222]
This study is the first to conduct an in-depth analysis of the migration of smart contracts from secure to Arbitrum. The research shows that smart contracts deployed on Arbitrum may face certain potential security risks during migration to Arbitrum.
arXiv Detail & Related papers (2023-07-27T11:05:29Z)
Quantization Aware Attack: Enhancing Transferable Adversarial Attacks by Model Quantization [57.87950229651958]
Quantized neural networks (QNNs) have received increasing attention in resource-constrained scenarios due to their exceptional generalizability. Previous studies claim that transferability is difficult to achieve across QNNs with different bitwidths. We propose textitquantization aware attack (QAA) which fine-tunes a QNN substitute model with a multiple-bitwidth training objective.
arXiv Detail & Related papers (2023-05-10T03:46:53Z)
ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning [80.85273827468063]
Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable. We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts. We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
arXiv Detail & Related papers (2021-03-23T15:04:44Z)
Quantum Multi-Solution Bernoulli Search with Applications to Bitcoin's Post-Quantum Security [67.06003361150228]
A proof of work (PoW) is an important cryptographic construct enabling a party to convince others that they invested some effort in solving a computational task. In this work, we examine the hardness of finding such chain of PoWs against quantum strategies. We prove that the chain of PoWs problem reduces to a problem we call multi-solution Bernoulli search, for which we establish its quantum query complexity.
arXiv Detail & Related papers (2020-12-30T18:03:56Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.