Blockchain

Analysis of Security Strategies for Smart Contracts Based on Ethereum

  • 1. College of Mathematics and Computer Science, Zhejiang Normal University, Jinhua 321004, Zhejiang, China;
    2. School of Computer and Control Engineering, Yantai University, Yantai 264005, Shandong, China

Received date: 2020-11-12

Online published: 2021-02-04

Funding

Supported by the National Natural Science Foundation of China (No.61972360)

Abstract

A smart contract is a collection of code and data that cannot be changed once it is deployed. Because smart contracts carry financial value, a security vulnerability in one can cause huge losses, so writing safe and reliable smart contracts is essential. Based on the Ethereum platform, we study and analyze the security vulnerabilities of smart contracts and summarize several common ones, including reentrancy vulnerabilities, integer overflow vulnerabilities, denial of service (DoS) vulnerabilities, timestamp dependence vulnerabilities, and transaction-ordering dependence vulnerabilities. We analyze the principle of each vulnerability in detail and reproduce it in a scenario, propose corresponding preventive security strategies, and verify their effectiveness through experiments. Finally, we analyze and compare several mainstream tools for detecting smart contract vulnerabilities.

Cite this article

Zhang Dengji, Zhao Xiangfu, Chen Zhongyu, Tong Xiangrong. Analysis of Security Strategies for Smart Contracts Based on Ethereum[J]. Journal of Applied Sciences, 2021, 39(1): 151-163. DOI: 10.3969/j.issn.0255-8297.2021.01.013
