OASIcs.FMBC.2022.3.pdf
- Filesize: 0.57 MB
- 14 pages
Document
Automatic Generation of Attacker Contracts in Solidity
Authors
Ignacio Ballesteros 
,
Clara Benac-Earle ,
Luis Eduardo Bueso de Barrio ,
Lars-Åke Fredlund ,
Ángel Herranz ,
Julio Mariño
-
Part of:
Volume:
4th International Workshop on Formal Methods for Blockchains (FMBC 2022)
Series: Open Access Series in Informatics (OASIcs)
Conference: Workshop on Formal Methods for Blockchains (FMBC) - License:
Creative Commons Attribution 4.0 International license
- Publication Date: 2022-10-06
File
Document Identifiers
Author Details
Cite AsGet BibTex
Ignacio Ballesteros, Clara Benac-Earle, Luis Eduardo Bueso de Barrio, Lars-Åke Fredlund, Ángel Herranz, and Julio Mariño. Automatic Generation of Attacker Contracts in Solidity. In 4th International Workshop on Formal Methods for Blockchains (FMBC 2022). Open Access Series in Informatics (OASIcs), Volume 105, pp. 3:1-3:14, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2022)
https://doi.org/10.4230/OASIcs.FMBC.2022.3
https://doi.org/10.4230/OASIcs.FMBC.2022.3
Abstract
Smart contracts on the Ethereum blockchain continue to suffer from well-published problems. A particular example is the well-known smart contract reentrancy vulnerability, which continues to be exploited. In this article, we present preliminary work on a method which, given a smart contract that may be vulnerable to such a reentrancy attack, proceeds to attempt to automatically derive an "attacker" contract which can be used to successfully attack the vulnerable contract. The method uses property-based testing to generate, semi-randomly, large numbers of potential attacker contracts, and then proceeds to check whether any of them is a successful attacker. The method is illustrated using a case study where an attack is derived for a vulnerable contract.
Subject Classification
ACM Subject Classification
- Software and its engineering → Software testing and debugging
- Software and its engineering → Dynamic analysis
- Software and its engineering → Empirical software validation
Keywords
- Property-Based Testing
- Smart Contracts
- Reentrancy Attack
Metrics
- Access Statistics
-
Total Accesses (updated on a weekly basis)
0PDF Downloads
References
- Thomas Arts, John Hughes, Joakim Johansson, and Ulf T. Wiger. Testing telecoms software with Quviq QuickCheck. In Marc Feeley and Philip W. Trinder, editors, Proceedings of the 2006 ACM SIGPLAN Workshop on Erlang, Portland, Oregon, USA, September 16, 2006, pages 2-10. ACM, 2006. URL: https://doi.org/10.1145/1159789.1159792.
- Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. A survey of attacks on Ethereum smart contracts (SoK). In Proceedings of the 6th International Conference on Principles of Security and Trust - Volume 10204, pages 164-186, Berlin, Heidelberg, 2017. Springer-Verlag. URL: https://doi.org/10.1007/978-3-662-54455-6_8.
- Vitalik Buterin. Ethereum: A next-generation smart contract and decentralized application platform. white paper, 2013. URL: http://ethereum.org/ethereum.html.
- Koen Claessen and John Hughes. Quickcheck: A lightweight tool for random testing of haskell programs. In Proceedings of the Fifth ACM SIGPLAN International Conference on Functional Programming, ICFP '00, pages 268-279, New York, NY, USA, 2000. ACM. URL: https://doi.org/10.1145/351240.351266.
- Luis Eduardo Bueso de Barrio, Lars-Ake Fredlund, Ángel Herranz, Clara Benac Earle, and Julio Mariño. Makina: A new quickcheck state machine library. In Proceedings of the 20th ACM SIGPLAN International Workshop on Erlang, Erlang 2021, pages 41-53, New York, NY, USA, 2021. Association for Computing Machinery. URL: https://doi.org/10.1145/3471871.3472964.
-
Luis Eduardo Bueso de Barrio, Lars-Åke Fredlund, Ángel Herranz, Clara Benac Earle, and Julio Mariño. Makina: a new quickcheck state machine library. In Proceedings of the 20th ACM SIGPLAN International Workshop on Erlang, pages 41-53, 2021.
-
Monika di Angelo and Gernot Salzer. A survey of tools for analyzing Ethereum smart contracts. 2019 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPCON), pages 69-78, 2019.
- Bo Jiang, Ye Liu, and W. K. Chan. ContractFuzzer: fuzzing smart contracts for vulnerability detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. ACM, September 2018. URL: https://doi.org/10.1145/3238147.3238177.
- Barton P. Miller, Lars Fredriksen, and Bryan So. An empirical study of the reliability of UNIX utilities. Commun. ACM, 33(12):32-44, 1990. URL: https://doi.org/10.1145/96267.96279.
- Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. white paper, May 2009. URL: https://bitcoin.org/bitcoin.pdf.
- Manolis Papadakis and Konstantinos Sagonas. A proper integration of types and function specifications with property-based testing. In Proceedings of the 10th ACM SIGPLAN Workshop on Erlang, Erlang '11, pages 39-50, New York, NY, USA, 2011. Association for Computing Machinery. URL: https://doi.org/10.1145/2034654.2034663.
- Kamil Polak. https://hackernoon.com/hack-solidity-reentrancy-attack, January 2022.
- Noama Fatima Samreen and Manar H. Alalfi. Reentrancy vulnerability identification in Ethereum smart contracts. In 2020 IEEE International Workshop on Blockchain Oriented Software Engineering (IWBOSE). IEEE, February 2020. URL: https://doi.org/10.1109/iwbose50093.2020.9050260.
-
J. Smith. Echidna, a smart fuzzer for Ethereum, 2018.
-
Ari Takanen, Jared D. Demott, and Charles Miller. Fuzzing for Software Security Testing and Quality Assurance. Artech House, Inc., Norwood, MA, USA, 2nd edition, 2018.
- Valentin Wüstholz and Maria Christakis. Harvey: A Greybox Fuzzer for Smart Contracts, pages 1398-1409. Association for Computing Machinery, New York, NY, USA, 2020. URL: https://doi.org/10.1145/3368089.3417064.