Detection of Vulnerabilities in Smart Contracts Specifications in Ethereum Platforms

Authors Mauro C. Argañaraz, Mario M. Berón, Maria J. Varanda Pereira, Pedro Rangel Henriques



PDF
Thumbnail PDF

File

OASIcs.SLATE.2020.2.pdf
  • Filesize: 0.48 MB
  • 16 pages

Document Identifiers

Author Details

Mauro C. Argañaraz
  • Departamento de Informática, Facultad de Ciencias Física Matemáticas y Naturales (FCFMyN), Universidad Nacional de San Luis, Argentina
Mario M. Berón
  • Departamento de Informática, Facultad de Ciencias Física Matemáticas y Naturales (FCFMyN), Universidad Nacional de San Luis, Argentina
Maria J. Varanda Pereira
  • Research Centre in Digitalization and Intelligent Robotics (CeDRI), Instituto Politécnico de Bragança, Portugal
Pedro Rangel Henriques
  • Centro Algoritmi (CAlg-CTC), Department of Informatics, University of Minho, Braga, Portugal

Cite AsGet BibTex

Mauro C. Argañaraz, Mario M. Berón, Maria J. Varanda Pereira, and Pedro Rangel Henriques. Detection of Vulnerabilities in Smart Contracts Specifications in Ethereum Platforms. In 9th Symposium on Languages, Applications and Technologies (SLATE 2020). Open Access Series in Informatics (OASIcs), Volume 83, pp. 2:1-2:16, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2020)
https://doi.org/10.4230/OASIcs.SLATE.2020.2

Abstract

Ethereum is the principal ecosystem based on blockchain that provides a suitable environment for coding and executing smart contracts, which have been receiving great attention due to the commercial apps and among the scientific community. The process of writing secure and well performing contracts in the Ethereum platform is a major challenge for developers. It consists of the application of non-conventional programming paradigms due to the inherent characteristics of the execution of distributed computing programs. Furthermore, the errors in the deployed contracts could have serious consequences because of the immediate linkage between the contract code and the financial transactions. The direct handling of the assets means that the errors can be more relevant for security and have greater economic consequences than a mistake in the conventional apps. In this paper, we propose a tool for the detection of vulnerabilities in high-level languages based on automatized static analysis.

Subject Classification

ACM Subject Classification
  • Security and privacy → Vulnerability scanners
Keywords
  • blockchain
  • ethereum
  • smart contract
  • solidity
  • static analysis
  • verification

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads

References

  1. M. Alharby and A. van Moorsel. Blockchain-based smart contracts: A systematic mapping study. Fourth International Conference on Computer Science and Information Technology (CSIT-2017), 2017. URL: http://arxiv.org/abs/1710.06372v1.
  2. N. Atzei, M. Bartoletti, and T. Cimoli. A survey of attacks on ethereum smart contracts sok. In Proceedings of the 6th International Conference on Principles of Security and Trust - Volume 10204, page 164–186, 2017. URL: https://doi.org/10.1007/978-3-662-54455-6_8.
  3. M. Bartoletti and L. Pompianu. An empirical analysis of smart contracts: Platforms, applications, and design patterns. In Financial Cryptography and Data Security, 2017. Google Scholar
  4. K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Gollamudi, G. Gonthier, N. Kobeissi, N. Kulatova, A. Rastogi, T. Sibut-Pinote, N. Swamy, and S. Zanella-Béguelin. Formal verification of smart contracts: Short paper. In Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, 2016. URL: https://doi.org/10.1145/2993600.2993611.
  5. V. Buterin. Ethereum: A next-generation smart contract and decentralized application platform, 2014. URL: https://github.com/ethereum/wiki/wiki/White-Paper.
  6. M. Coblenz. Obsidian: A safer blockchain programming language. In 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C), page 97–99, 2017. Google Scholar
  7. ConsenSys. Mythril. https://github.com/ConsenSys/mythril, 2018.
  8. T. Cook, A. Latham, and J.H. Lee. Dappguard: Active monitoring and defense for solidity smart contracts. https://courses.csail.mit.edu/6.857/2017/project/23.pdf, 2017.
  9. Ethereum. Solidity. https://media.readthedocs.org/pdf/solidity/develop/solidity.pdf, 2018.
  10. S. Grossman, I. Abraham, G. Golan-Gueta, Y. Michalevsky, N. Rinetzky, M. Sagiv, and Y. Zohar. Online detection of effectively callback free objects with applications to smart contracts. Proc. ACM Program. Lang., 2(POPL), December 2017. URL: https://doi.org/10.1145/3158136.
  11. E. Hildenbrandt, E. Saxena, X. Zhu, N. Rodrigues, P. Daian, D. Guth, and G. Rosu. Kevm: A complete formal semantics of the ethereum virtual machine. In 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pages 204-217, 2018. Google Scholar
  12. Y. Hirai. Defining the ethereum virtual machine for interactive theorem provers. In Financial Cryptography and Data Security, page 520–535. Springer International Publishing, 2017. Google Scholar
  13. S. Kalra, S. Goel, M. Dhawan, and S. Sharma. Zeus: Analyzing safety of smart contracts. In 25th Annual Network and Distributed System Security Symposium, 2018. URL: https://doi.org/10.14722/ndss.2018.23092.
  14. L. Luu, D.H. Chu, H. Olickel, P. Saxena, and A. Hobor. Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, page 254–269, 2016. URL: https://doi.org/10.1145/2976749.2978309.
  15. A. Mavridou and A. Laszka. Designing secure ethereum smart contracts: A finite state machine based approach, 2017. URL: http://arxiv.org/abs/1711.09327.
  16. S. Nakamoto. Bitcoin: Un sistema de efectivo electrónico usuario-a-usuario, 2008. URL: http://bitcoin.org/bitcoin.pdf.
  17. I. Nikolic, A. Kolluri, I. Sergey, P. Saxena, and A. Hobor. Finding the greedy, prodigal, and suicidal contracts at scale. In Proceedings of the 34th Annual Computer Security Applications Conference, page 653–663, 2018. URL: https://doi.org/10.1145/3274694.3274743.
  18. Trail of Bits. Manticore. https://github.com/trailofbits/manticore, 2018.
  19. OpenZeppeling. Safemath, 2019. Accessed: 2019-05-03. URL: https://github.com/OpenZeppelin/openzeppelin-solidity/blob/master/contracts/math/SafeMath.sol.
  20. OWASP. Software Assurance Maturity Model: A guide to building security into software development. Version 1.5, 2020. URL: https://owasp.org/www-pdf-archive/SAMM_Core_V1-5_FINAL.pdf.
  21. F. Schrans, S. Eisenbach, and S. Drossopoulou. Writing safe smart contracts in flint. In Conference Companion of the 2nd International Conference on Art, Science, and Engineering of Programming, page 218–219, 2018. URL: https://doi.org/10.1145/3191697.3213790.
  22. I. Sergey, V. Nagaraj, J. Johannsen, A. Kumar, A. Trunov, and K.C.G. Hao. Safer smart contract programming with scilla. Proc. ACM Program. Lang., 2019. URL: https://doi.org/10.1145/3360611.
  23. SmartDec. Smartcheck: a static analysis tool that detects vulnerabilities and bugs in solidity programs, 2019. Accessed: 2019-05-03. URL: https://github.com/smartdec/smartcheck.
  24. P. Tsankov, A. Dan, D. Drachsler-Cohen, A. Gervais, F. Bünzli, and M. Vechev. Securify: Practical security analysis of smart contracts. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, page 67–82, 2018. URL: https://doi.org/10.1145/3243734.3243780.
  25. G. Wood. Ethereum: A secure decentralised generalised transaction ledger, 2017. URL: https://ethereum.github.io/yellowpaper/paper.pdf.
  26. I. Wöhrer and U. Zdun. Smart contracts: Security patterns in the ethereum ecosystem and solidity. In 2018 International Workshop on Blockchain Oriented Software Engineering, 2018. Google Scholar
  27. E. Zhou, S. Hua, B. Pi, J. Sun, Y. Nomura, K. Yamashita, and H. Kurihara. Security assurance for smart contract. In 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), pages 1-5, 2018. Google Scholar
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail