Vulnerability anti-patterns in Solidity: Increasing smart contracts security by reducing false alarms
- URL: http://arxiv.org/abs/2410.17204v1
- Date: Tue, 22 Oct 2024 17:21:28 GMT
- Title: Vulnerability anti-patterns in Solidity: Increasing smart contracts security by reducing false alarms
- Authors: Tommaso Oss, Carlos E. Budde,
- Abstract summary: We show how integrating and extending current analyses is not only feasible, but also a next logical step in smart-contract security.
We propose light-weight static checks on the morphology and dynamics of Solidity code, stemming from a developer-centric notion of vulnerability.
- Score: 0.0
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: Turing completeness has made Ethereum smart contracts attractive to blockchain developers and attackers alike. To increase code security, many tools can now spot most known vulnerabilities$-$at the cost of production efficiency. Recent studies show false-positive ratios over 99% in state-of-the-art technologies: this makes them impractical for use in industry and have raised questions on the direction of academic research. In this work we show how integrating and extending current analyses is not only feasible, but also a next logical step in smart-contract security. We propose light-weight static checks on the morphology and dynamics of Solidity code, stemming from a developer-centric notion of vulnerability, that we use to verify the output of other tools, flag potential false alarms, and suggest verifications. Besides technical details we implemented an open-source prototype. For three top-10 vulnerabilities it flags 324 warnings of other tools as false-positives, in 60 verified de-duplicated smart contracts selected from the blockchain by the presence of true (and false) vulnerabilities. This amounts to a 92%- to 100%-reduction in the number of false-positives for these vulnerabilities.
Related papers
- Automated Vulnerability Injection in Solidity Smart Contracts: A Mutation-Based Approach for Benchmark Development [2.0074256613821033]
This work evaluates whether mutation seeding can effectively inject vulnerabilities into Solidity-based smart contracts.
We propose MuSe, a tool to generate vulnerable smart contracts by leveraging pattern-based mutation operators.
We analyzed these vulnerable smart contracts using Slither, a static analysis tool, to determine its capacity to identify them and assess their validity.
arXiv Detail & Related papers (2025-04-22T14:46:18Z) - Insecurity Through Obscurity: Veiled Vulnerabilities in Closed-Source Contracts [8.824841117757655]
We present SKANF, a novel bytecode analysis tool tailored for closed-source and obfuscated contracts.
SKANF combines control-flow deobfuscation, symbolic execution, and concolic execution based on historical transactions to identify and exploit asset management vulnerabilities.
Our evaluation on real-world Maximal Extractable Value (MEV) bots reveals that SKANF detects vulnerabilities in 1,028 contracts and successfully generates exploits for 373 of them, with potential losses exceeding $9.0M.
arXiv Detail & Related papers (2025-04-18T01:22:58Z) - EXPLICATE: Enhancing Phishing Detection through Explainable AI and LLM-Powered Interpretability [44.2907457629342]
EXPLICATE is a framework that enhances phishing detection through a three-component architecture.
It is on par with existing deep learning techniques but has better explainability.
It addresses the critical divide between automated AI and user trust in phishing detection systems.
arXiv Detail & Related papers (2025-03-22T23:37:35Z) - Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
Apache Log4J was found to be vulnerable to remote code execution attacks.
More than 35,000 packages were forced to update their Log4J libraries with the latest version.
It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerable-free version.
arXiv Detail & Related papers (2024-11-12T01:55:51Z) - Analyzing the Impact of Copying-and-Pasting Vulnerable Solidity Code Snippets from Question-and-Answer Websites [3.844857617939819]
We conduct a study on the impact of vulnerable code reuse from Q&A websites during the development of smart contracts.
This paper proposes a pattern-based vulnerability detection tool that is able to analyze code snippets (i.e., incomplete code) as well as full smart contracts.
Our results show that our vulnerability search, as well as our code clone detection, are comparable to state-of-the-art while being applicable to code snippets.
arXiv Detail & Related papers (2024-09-11T19:33:27Z) - Dual-view Aware Smart Contract Vulnerability Detection for Ethereum [5.002702845720439]
We propose a Dual-view Aware Smart Contract Vulnerability Detection Framework named DVDet.
The framework initially converts the source code and bytecode of smart contracts into weighted graphs and control flow sequences.
Comprehensive experiments on the dataset show that our method outperforms others in detecting vulnerabilities.
arXiv Detail & Related papers (2024-06-29T06:47:51Z) - All Your Tokens are Belong to Us: Demystifying Address Verification Vulnerabilities in Solidity Smart Contracts [24.881450403784786]
Vulnerabilities in the process of address verification can lead to great security issues.
We design and implement AVVERIFIER, a lightweight taint analyzer based on static EVM opcode simulation.
After a large-scale evaluation of over 5 million smart contracts, we have identified 812 vulnerable smart contracts that were undisclosed by our community.
arXiv Detail & Related papers (2024-05-31T01:02:07Z) - Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? [14.974832502863526]
In recent years, the importance of smart contract security has been heightened by the increasing number of attacks against them.
To address this issue, a multitude of static application security testing (SAST) tools have been proposed for detecting vulnerabilities in smart contracts.
In this paper, we propose an up-to-date and fine-grained taxonomy that includes 45 unique vulnerability types for smart contracts.
arXiv Detail & Related papers (2024-04-28T13:40:18Z) - Vulnerability Scanners for Ethereum Smart Contracts: A Large-Scale Study [44.25093111430751]
In 2023 alone, such vulnerabilities led to substantial financial losses exceeding a billion of US dollars.
Various tools have been developed to detect and mitigate vulnerabilities in smart contracts.
This study investigates the gap between the effectiveness of existing security scanners and the vulnerabilities that still persist in practice.
arXiv Detail & Related papers (2023-12-27T11:26:26Z) - An Automated Vulnerability Detection Framework for Smart Contracts [18.758795474791427]
We propose a framework to automatically detect vulnerabilities in smart contracts on the blockchain.
More specifically, first, we utilize novel feature vector generation techniques from bytecode of smart contract.
Next, the collected vectors are fed into our novel metric learning-based deep neural network(DNN) to get the detection result.
arXiv Detail & Related papers (2023-01-20T23:16:04Z) - Sample-Efficient Safety Assurances using Conformal Prediction [57.92013073974406]
Early warning systems can provide alerts when an unsafe situation is imminent.
To reliably improve safety, these warning systems should have a provable false negative rate.
We present a framework that combines a statistical inference technique known as conformal prediction with a simulator of robot/environment dynamics.
arXiv Detail & Related papers (2021-09-28T23:00:30Z) - Combining Graph Neural Networks with Expert Knowledge for Smart Contract
Vulnerability Detection [37.7763374870026]
Existing efforts for contract security analysis rely on rigid rules defined by experts, which are labor-intensive and non-scalable.
We propose a novel temporal message propagation network to extract the graph feature from the normalized graph, and combine the graph feature with designed expert patterns to yield a final detection system.
arXiv Detail & Related papers (2021-07-24T13:16:30Z) - Smart Contract Vulnerability Detection: From Pure Neural Network to
Interpretable Graph Feature and Expert Pattern Fusion [48.744359070088166]
Conventional smart contract vulnerability detection methods heavily rely on fixed expert rules.
Recent deep learning approaches alleviate this issue but fail to encode useful expert knowledge.
We develop automatic tools to extract expert patterns from the source code.
We then cast the code into a semantic graph to extract deep graph features.
arXiv Detail & Related papers (2021-06-17T07:12:13Z) - ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep
Neural Network and Transfer Learning [80.85273827468063]
Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable.
We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts.
We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
arXiv Detail & Related papers (2021-03-23T15:04:44Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.