Document Open Access Logo

Automatic Generation of Attacker Contracts in Solidity

Authors Ignacio Ballesteros , Clara Benac-Earle , Luis Eduardo Bueso de Barrio , Lars-Åke Fredlund , Ángel Herranz , Julio Mariño

PDF
Thumbnail PDF

File

OASIcs.FMBC.2022.3.pdf
  • Filesize: 0.57 MB
  • 14 pages

Document Identifiers

Author Details

Ignacio Ballesteros
  • Polytechnic University of Madrid, Spain
Clara Benac-Earle
  • Polytechnic University of Madrid, Spain
Luis Eduardo Bueso de Barrio
  • Polytechnic University of Madrid, Spain
Lars-Åke Fredlund
  • Polytechnic University of Madrid, Spain
Ángel Herranz
  • Polytechnic University of Madrid, Spain
Julio Mariño
  • Polytechnic University of Madrid, Spain

Funding

This work has been partly funded under the grant S2018/TCS-4339 (BLOQUES-CM) co-funded by EIE Funds of the European Union and Comunidad de Madrid and by the Spanish MCI/AEI under grant ref. PID2019-104735RB-C44.

Cite As Get BibTex

Ignacio Ballesteros, Clara Benac-Earle, Luis Eduardo Bueso de Barrio, Lars-Åke Fredlund, Ángel Herranz, and Julio Mariño. Automatic Generation of Attacker Contracts in Solidity. In 4th International Workshop on Formal Methods for Blockchains (FMBC 2022). Open Access Series in Informatics (OASIcs), Volume 105, pp. 3:1-3:14, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2022) https://doi.org/10.4230/OASIcs.FMBC.2022.3

Abstract

Smart contracts on the Ethereum blockchain continue to suffer from well-published problems. A particular example is the well-known smart contract reentrancy vulnerability, which continues to be exploited. In this article, we present preliminary work on a method which, given a smart contract that may be vulnerable to such a reentrancy attack, proceeds to attempt to automatically derive an "attacker" contract which can be used to successfully attack the vulnerable contract. The method uses property-based testing to generate, semi-randomly, large numbers of potential attacker contracts, and then proceeds to check whether any of them is a successful attacker. The method is illustrated using a case study where an attack is derived for a vulnerable contract.

Subject Classification

ACM Subject Classification
  • Software and its engineering → Software testing and debugging
  • Software and its engineering → Dynamic analysis
  • Software and its engineering → Empirical software validation
Keywords
  • Property-Based Testing
  • Smart Contracts
  • Reentrancy Attack

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads
    0
    Metadata Views

References

  1. Thomas Arts, John Hughes, Joakim Johansson, and Ulf T. Wiger. Testing telecoms software with Quviq QuickCheck. In Marc Feeley and Philip W. Trinder, editors, Proceedings of the 2006 ACM SIGPLAN Workshop on Erlang, Portland, Oregon, USA, September 16, 2006, pages 2-10. ACM, 2006. URL: https://doi.org/10.1145/1159789.1159792.
  2. Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. A survey of attacks on Ethereum smart contracts (SoK). In Proceedings of the 6th International Conference on Principles of Security and Trust - Volume 10204, pages 164-186, Berlin, Heidelberg, 2017. Springer-Verlag. URL: https://doi.org/10.1007/978-3-662-54455-6_8.
  3. Vitalik Buterin. Ethereum: A next-generation smart contract and decentralized application platform. white paper, 2013. URL: http://ethereum.org/ethereum.html.
  4. Koen Claessen and John Hughes. Quickcheck: A lightweight tool for random testing of haskell programs. In Proceedings of the Fifth ACM SIGPLAN International Conference on Functional Programming, ICFP '00, pages 268-279, New York, NY, USA, 2000. ACM. URL: https://doi.org/10.1145/351240.351266.
  5. Luis Eduardo Bueso de Barrio, Lars-Ake Fredlund, Ángel Herranz, Clara Benac Earle, and Julio Mariño. Makina: A new quickcheck state machine library. In Proceedings of the 20th ACM SIGPLAN International Workshop on Erlang, Erlang 2021, pages 41-53, New York, NY, USA, 2021. Association for Computing Machinery. URL: https://doi.org/10.1145/3471871.3472964.
  6. Luis Eduardo Bueso de Barrio, Lars-Åke Fredlund, Ángel Herranz, Clara Benac Earle, and Julio Mariño. Makina: a new quickcheck state machine library. In Proceedings of the 20th ACM SIGPLAN International Workshop on Erlang, pages 41-53, 2021. Google Scholar
  7. Monika di Angelo and Gernot Salzer. A survey of tools for analyzing Ethereum smart contracts. 2019 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPCON), pages 69-78, 2019. Google Scholar
  8. Bo Jiang, Ye Liu, and W. K. Chan. ContractFuzzer: fuzzing smart contracts for vulnerability detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. ACM, September 2018. URL: https://doi.org/10.1145/3238147.3238177.
  9. Barton P. Miller, Lars Fredriksen, and Bryan So. An empirical study of the reliability of UNIX utilities. Commun. ACM, 33(12):32-44, 1990. URL: https://doi.org/10.1145/96267.96279.
  10. Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. white paper, May 2009. URL: https://bitcoin.org/bitcoin.pdf.
  11. Manolis Papadakis and Konstantinos Sagonas. A proper integration of types and function specifications with property-based testing. In Proceedings of the 10th ACM SIGPLAN Workshop on Erlang, Erlang '11, pages 39-50, New York, NY, USA, 2011. Association for Computing Machinery. URL: https://doi.org/10.1145/2034654.2034663.
  12. Kamil Polak. https://hackernoon.com/hack-solidity-reentrancy-attack, January 2022.
  13. Noama Fatima Samreen and Manar H. Alalfi. Reentrancy vulnerability identification in Ethereum smart contracts. In 2020 IEEE International Workshop on Blockchain Oriented Software Engineering (IWBOSE). IEEE, February 2020. URL: https://doi.org/10.1109/iwbose50093.2020.9050260.
  14. J. Smith. Echidna, a smart fuzzer for Ethereum, 2018. Google Scholar
  15. Ari Takanen, Jared D. Demott, and Charles Miller. Fuzzing for Software Security Testing and Quality Assurance. Artech House, Inc., Norwood, MA, USA, 2nd edition, 2018. Google Scholar
  16. Valentin Wüstholz and Maria Christakis. Harvey: A Greybox Fuzzer for Smart Contracts, pages 1398-1409. Association for Computing Machinery, New York, NY, USA, 2020. URL: https://doi.org/10.1145/3368089.3417064.
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail
© 2023-2024 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact