基于Ethereum智能合约的安全策略分析

doi:10.3969/j.issn.0255-8297.2021.01.013

应用科学学报 ›› 2021, Vol. 39 ›› Issue (1): 151-163.doi: 10.3969/j.issn.0255-8297.2021.01.013

• 区块链 • 上一篇

基于Ethereum智能合约的安全策略分析

张登记¹, 赵相福², 陈中育¹, 童向荣²

1. 浙江师范大学数学与计算机科学学院, 浙江金华 321004;
2. 烟台大学计算机与控制工程学院, 山东烟台 264005

收稿日期:2020-11-12 发布日期:2021-02-04
通信作者: 赵相福,教授,研究方向为基于模型的故障诊断、区块链。E-mail:xiangfuzhao@163.com E-mail:xiangfuzhao@163.com
基金资助:
国家自然科学基金（No.61972360）资助

Analysis of Security Strategies for Smart Contracts Based on Ethereum

ZHANG Dengji¹, ZHAO Xiangfu², CHEN Zhongyu¹, TONG Xiangrong²

1. College of Mathematics and Computer Science, Zhejiang Normal University, Jinhua 321004, Zhejiang, China;
2. School of Computer and Control Engineering, Yantai University, Yantai 264005, Shandong, China

Received:2020-11-12 Published:2021-02-04

摘要/Abstract

摘要： 智能合约是代码和数据的集合，一旦部署便无法更改，且其自身持有金融属性，若出现安全漏洞问题将会造成巨大损失，可见编写出安全可靠的智能合约是至关重要的。为此，基于Ethereum平台研究并分析智能合约的安全漏洞，总结了几种易见的安全漏洞，包括可重入漏洞、整数溢出漏洞、拒绝服务（denial of service，DoS）漏洞、时间戳依赖漏洞、交易序列依赖漏洞等；针对上述合约的漏洞进行详细的原理分析和场景复现，提出了相应的预防安全策略并通过实验进行有效性验证；最后分析并比较了几种主流的智能合约安全漏洞检测工具。

关键词: 区块链, 以太坊, 智能合约, 漏洞分析, 预防策略

Abstract: A smart contract is a collection of code and data. Once a smart contract is deployed, it cannot be changed. Smart contracts have financial properties, thus, it would cause huge losses if there were vulnerabilities in smart contracts. Therefore, it is essential to write safe and reliable smart contracts. Based on the Ethereum platform, related security of smart contracts is analyzed, and several common vulnerabilities are summarized, including reentrancy vulnerabilities, integer overflow vulnerabilities, deny of service (DoS) vulnerabilities, timestamp dependence vulnerabilities, and transaction-ordering dependence vulnerabilities. We made theoretical analysis in detail and scenario recurrence on these vulnerabilities, proposed corresponding preventive security strategies, and verified the effectiveness of these strategies. Finally, we analyzed and compared several popular tools for detecting smart contract vulnerabilities.

Key words: blockchain, Ethereum, smart contract, vulnerability analysis, prevention strategy

中图分类号:

TP311

张登记, 赵相福, 陈中育, 童向荣. 基于Ethereum智能合约的安全策略分析[J]. 应用科学学报, 2021, 39(1): 151-163.

ZHANG Dengji, ZHAO Xiangfu, CHEN Zhongyu, TONG Xiangrong. Analysis of Security Strategies for Smart Contracts Based on Ethereum[J]. Journal of Applied Sciences, 2021, 39(1): 151-163.

参考文献

[1] Nakamoto S. Bitcoin:a peer-to-peer electronic cash system[EB/OL].[2020-09-10]. https://bitcoin.org/bitcoin.pdf.
[2] Szabo N. Formalizing and securing relationships on public networks[EB/OL].[2020-09-10]. https://firstmonday.org/ojs/index.php/fm/article/view/548.
[3] Buterin V. A next-generation smart contract and decentralized application platform[EB/OL].[2020-09-10]. https://ethereum.org/en/whitepaper/.
[4] 袁勇, 王飞跃. 区块链技术发展现状与展望[J]. 自动化学报, 2016, 42(4):481-494. Yuan Y, Wang F Y. Blockchain:the state of the art and future trends[J]. Acta Automatica Sinica, 2016, 42(4):481-494. (in Chinese)
[5] Reitwiessner C, Wood G, Beregszaszi A, et al. Solidity[EB/OL].[2020-09-10]. http://solidity.readthedocs.org.
[6] Delmolino K, Arnett M, Kosba A, et al. Step by step towards creating a safe smart contract:lessons and insights from a cryptocurrency lab[C]//International Conference on Financial Cryptography and Data Security. Heidelberg, Berlin:Springer, 2016:79-94.
[7] Buterin V. Critical update Re:DAO vulnerability Ethereum blog[EB/OL].[2020-09-10]. https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/.
[8] Breidenbach L, Daian P, Juels A, et al. An in-depth look at the parity multisig bug[EB/OL].[2020-09-10]. http://hackingdistributed.com/2017/07/22/deep-dive-parity-bug/.
[9] Reitwiessner C, Wood G, Beregszaszi A, et al. Solidity's security considerations[EB/OL].[2020-09-10]. https://solidity.readthedocs.io/en/latest/security-considerations.html.
[10] Wohrer M, Zdun U. Smart contracts:security patterns in the Ethereum ecosystem and solidity[C]//2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), 2018:2-8.
[11] Giordano F, Bachfischer A, Carder G, et al. OpenZeppelin is a library for secure smart contract development[EB/OL].[2020-09-10]. https://github.com/OpenZeppelin/openzeppelincontracts.
[12] Tikhomirov S, Voskresenskaya E, Ivanitskiy I, et al. Smartcheck:static analysis of Ethereum smart contracts[C]//Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, 2018:9-16.
[13] Luu L, Chu D H, Olickel H, et al. Making smart contracts smarter[C]//Proceedings of ACM SIGSAC Conference on Computer and Communications Security, 2016:254-269.
[14] Atzei N, Bartoletti M, Cimoli T. A survey of attacks on Ethereum smart contracts (SoK)[C]//International Conference on Principles of Security & Trust. Heidelberg, Berlin:Springer, 2017:164-186.
[15] Mense A, Flatscher M. Security vulnerabilities in Ethereum smart contracts[C]//Proceedings of the 20th International Conference on Information Integration and Web-based Applications & Services, 2018:375-380.
[16] Tsankov P, Dan A, Drachsler-Cohen D, et al. Securify:practical security analysis of smart contracts[C]//Proceedings of 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018:67-82.
[17] Husikyan L, Husikyan L, Guezengar F, et al. Remix-IDE[EB/OL].[2020-09-10]. https://remix-ide.readthedocs.io/en/latest/layout.html.
[18] Yang X, Guo W S, Gao Z Y, et al. Beosin:blockchain security one-stop service[EB/OL].[2020-09-10]. https://lianantech.com/beosin/#/.
[19] Bhargavan K, Delignat-Lavaud A, Fournet C, et al. Formal verification of smart contracts:short paper[C]//Proceedings of 2016 ACM Workshop on Programming Languages and Analysis for Security, 2016:91-96.
[20] Liu C, Liu H, Cao Z, et al. Reguard:finding reentrancy bugs in smart contracts[C]//2018 IEEE/ACM 40th International Conference on Software Engineering:Companion, 2018:65-68.
[21] Zhou E, Hua S, Pi B, et al. Security assurance for smart contract[C]//20189th IFIP International Conference on New Technologies, Mobility and Security, 2018:1-5.
[22] Jiang B, Liu Y, Chan W K. ContractFuzzer:fuzzing smart contracts for vulnerability detection[C]//201833rd IEEE/ACM International Conference on Automated Software Engineering, 2018:259-269.

基于Ethereum智能合约的安全策略分析

Analysis of Security Strategies for Smart Contracts Based on Ethereum

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	赵颖琪, 朱雪阳, 李广元, 高雅, 包玉龙. 带时间约束的智能合约验证[J]. 应用科学学报, 2021, 39(1): 1-16.
[2]	范俊松, 陈建海, 沈睿, 刘振广, 何钦铭, 黄步添. 基于SGX的区块链交易隐私安全保护方法[J]. 应用科学学报, 2021, 39(1): 17-28.
[3]	赵晓琦, 李勇. 可审计且可追踪的区块链匿名交易方案[J]. 应用科学学报, 2021, 39(1): 29-41.
[4]	张学旺, 冯家琦, 殷梓杰, 林金朝. 基于区块链的数据溯源可信查询方法[J]. 应用科学学报, 2021, 39(1): 42-54.
[5]	王思源, 邹仕洪. 多域物联网中基于区块链和权能的访问控制机制[J]. 应用科学学报, 2021, 39(1): 55-69.
[6]	周琦, 沈韬, 朱艳, 刘英莉. 基于区块链的综合能源管理系统身份验证方法[J]. 应用科学学报, 2021, 39(1): 70-78.
[7]	涂园超, 陈玉玲, 李涛, 任晓军, 卿欣艺. 基于信誉投票的PBFT改进方案[J]. 应用科学学报, 2021, 39(1): 79-89.
[8]	杨迪, 徐涵, 龙承念, 彭绍亮. 基于区块链技术的道路路边停车管理系统[J]. 应用科学学报, 2021, 39(1): 90-98.
[9]	范君, 李茹, 张祎航. 一种适用于车联云任务调度的轻量级区块链架构[J]. 应用科学学报, 2021, 39(1): 99-108.
[10]	向伟静, 蔡维德. 法律智能合约平台模型的研究与设计[J]. 应用科学学报, 2021, 39(1): 109-122.
[11]	周正强, 陈玉玲, 李涛, 任晓军, 卿欣艺. 基于联盟链的医疗数据安全共享方案[J]. 应用科学学报, 2021, 39(1): 123-134.
[12]	张利华, 黄阳, 王欣怡, 白甲义, 曹宇, 张赣哲. 基于区块链的精准扶贫数据保护方案[J]. 应用科学学报, 2021, 39(1): 135-150.
[13]	方俊杰, 雷凯. 面向边缘人工智能计算的区块链技术综述[J]. 应用科学学报, 2020, 38(1): 1-21.
[14]	何正源, 段田田, 张颖, 张瀚文, 孙毅. 物联网中区块链技术的应用与挑战[J]. 应用科学学报, 2020, 38(1): 22-33.
[15]	李忠诚, 黄建华, 唐瑞琮, 胡庆春, 夏旭. 一种基于权益代表的可扩展共识协议[J]. 应用科学学报, 2020, 38(1): 51-64.