SlightDetection：一种以太坊智能合约安全漏洞的静态分析工具

doi:10.3969/j.issn.0255-8297.2022.04.012

Abstract

Abstract: Security vulnerabilities in Ethereum smart contracts may lead to immeasurable losses. To alleviate this problem, a smart contract vulnerability detection tool SlightDetection is proposed, which uses static program analysis technology to achieve full code coverage. The tool converts smart contract source codes into a corresponding abstract syntax tree, and translates it into an XML intermediate representation. Taking the characteristics of several classic vulnerabilities as an example, the tool writes a custom XPath rule library, and using the XML intermediate representation and the XPath library as inputs, the tool keeps traversing and matching the XPath rule base, till getting the report of vulnerability detection. This work tests 3 classic contracts, and fully demonstrates the faster and more accurate detection features of SlightDetection. The effectiveness of the tool is proved by testing a large number of smart contracts provided on Etherscan and manually verifying more than 100 of them.

Key words: smart contract, vulnerability detection, static analysis, Ethereum

CLC Number:

TP311

CHEN Xiaohan, ZHAO Xiangfu, ZHANG Dengji, FEI Jiajia. SlightDetection: A Static Analysis Tool for Smart Contracts Security Vulnerabilities on Ethereum[J]. Journal of Applied Sciences, 2022, 40(4): 695-712.

References

[1] Nakamoto S.Bitcoin:a peer-to-peer electronic cash system[R/OL].(2008-10-31)[2021-08-10].https://www.debr.io/article/21260-bitcoin-a-peer-to-peer-electronic-cash-system.
[2] 邵奇峰,金澈清,张召,等.区块链技术:架构及进展[J].计算机学报, 2018, 41(5):969-988.Shao Q F, Jin C Q, Zhang Z, et al.Blockchain:architecture and research progress[J].Chinese Journal of Computers, 2018, 41(5):969-988.(in Chinese)
[3] Buterin V.A next-generation smart contract and decentralized application platform[R/OL].(2013-12-31)[2021-08-10].https://ethereum.org/en/whitepaper/.
[4] 陈伟利,郑子彬.区块链数据分析:现状、趋势与挑战[J].计算机研究与发展, 2018, 55(9):1853-1870.Chen W L, Zheng Z B.Blockchain data analysis:a review of status, trend and challenges[J].Journal of Computer Research and Development, 2018, 55(9):1853-1870.(in Chinese)
[5] 张亮,刘百祥,张如意.区块链技术综述[J].计算机工程, 2019, 45(5):1-12.Zhang L, Liu B X, Zhang R Y.Overview of blockchain technology[J].Computer Engineering, 2019, 45(5):1-12.(in Chinese)
[6] 袁勇,王飞跃.区块链技术发展现状与展望[J].自动化学报, 2016, 42(4):481-494.Yuan Y, Wang F Y.Blockchain:the state of the art and future trends[J].Acta Automatica Sinica, 2016, 42(4):481-494.(in Chinese)
[7] Atzei N, Bartoletti M, Cimoli T.A survey of attacks on Ethereum smart contracts (SoK)[C]//International Conference on Principles of Security&Trust.Berlin Heidelberg:Springer, 2017:164-186.
[8] 倪远东,张超,殷婷婷.智能合约安全漏洞研究综述[J].信息安全学报, 2020, 5(3):78-99.Ni Y D, Zhang C, Yin T T.A survey of smart contract vulnerability research[J].Journal of Cyber Security, 2020, 5(3):78-99.(in Chinese)
[9] Buterin V.Critical update Re:DAO vulnerability Ethereum blog[EB/OL].(2016-06-17)[2021-08-10].https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/.
[10] 张登记,赵相福,陈中育,等.基于Ethereum智能合约的安全策略分析[J].应用科学学报, 2021, 39(1):151-163.Zhang D J, Zhao X F, Chen Z Y, et al.Analysis of security strategies for smart contract based on Ethereum[J].Journal of Applied Sciences, 2021, 39(1):151-163.(in Chinese)
[11] Hessenauer M S.Batch overflow bug on Ethereum ERC20 token contracts[EB/OL].(2017-06-30)[2021-08-10].https://blog.matryx.ai/batch-over-flow-bug-on-ethereum-erc20-tokencontracts-and-safemath-f9ebcc.
[12] 刘汉卿,阮娜.区块链中攻击方式的研究[J].计算机学报, 2021, 44(4):786-805.Liu H Q, Ruan N.A survey on attacking strategies in blockchain[J].Chinese Journal of Computers, 2021, 44(4):786-805.(in Chinese).
[13] 任艳丽,徐丹婷,张新鹏.可修改的区块链方案[J].软件学报, 2020, 31(12):3909-3922.Ren Y L, Xu D T, Zhang X P.Scheme of revisable blockchain[J].Journal of Software, 2020, 31(12):3909-3922.
[14] Luu L, Chu D H, Olickel H, et al.Making smart contracts smarter[C]//Proceedings of ACM SIGSAC Conference on Computer and Communications Security, 2016:254-269.
[15] Husikyan L, Guezengar F.Remix-IDE layout[EB/OL].2016[2021-08-10].https://remixide.readthedocs.io/en/latest/layout.html.
[16] Tikhomirov S, Voskresenskaya E, Ivanitskiy I, et al.Smartcheck:static analysis of Ethereum smart contracts[C]//Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, 2018:9-16.
[17] Gao J, Han L, Chao L, et al.EASYFLOW:keep Ethereum away from overflow[C]//IEEE/ACM 41st International Conference on Software Engineering:Companion Proceedings, 2019:23-26.
[18] Reitwiessner C, Wood G, Beregszaszi A, et al.Solidity[EB/OL].2017[2021-08-10].https://solidity.readthedocs.org.
[19] Terence P.ANTLR[EB/OL].(2013-04-30)[2021-08-10].http://www.antlr.org/.
[20] Robie J, Dyck M, Spiegel J.XML path language (XPath)3.1[EB/OL].2014[2021-08-10].https://www.w3.org/TR/xpath-3/.
[21] Tan M, Chuan W, Paulin, et al.Etherscan is the blockchain explorer for Ethereum[EB/OL].2016[2021-08-10].https://cn.etherscan.com/.
[22] Wagner G.Verified contracts synced from Etherscan[EB/OL].(2021-04-30)[2021-08-10].https://github.com/thec00n/etherscan verified contracts.

SlightDetection: A Static Analysis Tool for Smart Contracts Security Vulnerabilities on Ethereum

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 11

Recommended Articles

Metrics

Comments

[1]	WU Ou, ZHANG He, WANG Yanze, LI Haoming, LI Shanshan. Architecture Design and Implementation of Seafood-Oriented Supply Chain Platform Based on Multiple Heterogeneous Blockchains [J]. Journal of Applied Sciences, 2022, 40(4): 539-554.
[2]	ZHU Ziqiang, YAO Zhongyuan, ZHU Weihua, ZHAO Haihong, PAN Changfeng, SI Xueming. Anonymous and Traceable Data Trading Scheme Based on Blockchain [J]. Journal of Applied Sciences, 2022, 40(4): 653-665.
[3]	WANG Cheng, ZHENG Hong, HUANG Jianhua, QIAN Shihui. PKI Model Based on Dual Blockchain [J]. Journal of Applied Sciences, 2022, 40(3): 528-538.
[4]	ZHAO Yingqi, ZHU Xueyang, LI Guangyuan, GAO Ya, BAO Yulong. Verification of Smart Contracts with Time Constraints [J]. Journal of Applied Sciences, 2021, 39(1): 1-16.
[5]	WANG Siyuan, ZOU Shihong. Blockchain and Capability Based Access Control Mechanism in Multi-domain IoT [J]. Journal of Applied Sciences, 2021, 39(1): 55-69.
[6]	XIANG Weijing, TSAI Weitek. Research and Design of Legal Smart Contract Platform Model [J]. Journal of Applied Sciences, 2021, 39(1): 109-122.
[7]	ZHOU Zhengqiang, CHEN Yuling, LI Tao, REN Xiaojun, QING Xinyi. Medical Data Security Sharing Scheme Based on Consortium Blockchain [J]. Journal of Applied Sciences, 2021, 39(1): 123-134.
[8]	ZHANG Dengji, ZHAO Xiangfu, CHEN Zhongyu, TONG Xiangrong. Analysis of Security Strategies for Smart Contracts Based on Ethereum [J]. Journal of Applied Sciences, 2021, 39(1): 151-163.
[9]	HE Zhengyuan, DUAN Tiantian, ZHANG Ying, ZHANG Hanwen, SUN Yi. Blockchain in Internet of Things: Application and Challenges [J]. Journal of Applied Sciences, 2020, 38(1): 22-33.
[10]	YUAN Chenjuan, SUN Guozi, LI Huakang, WANG Jitao. Credible Depository Chain System of Card Games [J]. Journal of Applied Sciences, 2020, 38(1): 81-92.
[11]	WANG CHEN, ZHAO HONGWEI, YIN HANCHUN, WANG BAOPING, TONG LINSU. Electrostatic Analysis of the Newly Fabricated T -Shaped Disk-Edge Field Emitter Arrays [J]. Journal of Applied Sciences, 1998, 16(3): 313-319.