基于Smartcheck的智能合约漏洞分析及其改进策略

doi:10.3969/j.issn.0255-8297.2024.06.011

Abstract

Abstract: Smart contracts on blockchain operate on quantity of digital assets. Once deployed on blockchain, they are difficult to modify. Therefore, the analysis and detection of security vulnerabilities of smart contracts has become an important research topic. Smartcheck is a static analysis tool for Ethereum smart contracts that converts Solidity source code into an XML-based intermediate representation and checks it against XPath patterns. While Smartcheck can analyze most of the vulnerabilities, it has limitations in terms of coverage and accuracy. To address these issues, we developed a new tool, SmartETH, to further improve Smartcheck by analyzing typical vulnerabilities such as timestamp dependency, integer overflow and delegatecall vulnerabilities. The improved Smartcheck is tested on a large dataset and verified by five specific contracts, demonstrating improved accuracy in vulnerability detection. In addition, improvements have reduced false positives and missed positives for many vulnerabilities.

Key words: smart contract, security vulnerability, Smartcheck, Ethereum, blockchain

CLC Number:

TP31

FEI Jiajia, ZHAO Xiangfu, CHEN Xiaohan, ZHANG Dengji. Smart Contract Vulnerability Analysis and Improvement Based on Smartcheck[J]. Journal of Applied Sciences, 2024, 42(6): 1027-1039.

References

[1] Nakamoto S. Bitcoin: a peer-to-peer electronic cash system [EB/OL]. 2008[2022-04-15]. https://bitcoin.org/en/bitcoin-paper.
[2] Buterin V. A next-generation smart contract and decentralized application platform [EB/OL]. 2014[2022-04-15]. https://ethereum.org/en/whitepaper/.
[3] Szabo N. Formalizing and securing relationships on public networks [EB/OL]. 1997[2022-04- 15]. https://firstmonday.org/ojs/index.php/fm/article/view/548.
[4] 贺海武, 延安, 陈泽华. 基于区块链的智能合约技术与应用综述[J]. 计算机研究与发展, 2018, 55(11): 2452-2466. He H W, Yan A, Chen Z H. Survey of smart contract technology and application based on blockchain [J]. Journal of Computer Research and Development, 2018, 55(11): 2452-2466. (in Chinese)
[5] 袁勇, 王飞跃. 区块链技术发展现状与展望[J]. 自动化学报, 2016, 42(4): 481-494. Yuan Y, Wang F Y. Blockchain: the state of the art and future trends [J]. Acta Automatica Sinica, 2016, 42(4): 481-494. (in Chinese)
[6] Ang M, Xiao P. A survey of the basic technology and application of block chain [J]. Journal of Information Security Research, 2017, 3(11): 968-980.
[7] 林诗意, 张磊, 刘德胜. 基于区块链智能合约的应用研究综述[J]. 计算机应用研究, 2021, 38(9): 2570-2581. Lin S Y, Zhang L, Liu D S. Survey of application research based on blockchain-smart-contract [J]. Application Research of Computers, 2021, 38(9): 2570-2581. (in Chinese)
[8] 刘志勇, 朱峰, 吴东升, 等. 区块链智能合约安全漏洞问题研究[C]//第九届中国指挥控制大会论文集, 2021: 558-563.
[9] Luu L, Chu D H, Olickel H, et al. Making smart contracts smarter [C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016: 254-269.
[10] De Moura L, Bjørner N. Z3: an efficient SMT solver [C]//International Conference on Tools and Algorithms for the Construction and Analysis of Systems. Berlin, Heidelberg: Springer, 2008: 337-340.
[11] Feist J, Grieco G, Groce A. Slither: a static analysis framework for smart contracts [C]//2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), 2019: 8-15.
[12] Kalra S, Goel S, Dhawan M, et al. ZEUS: analyzing safety of smart contracts [C]//Network and Distributed System Security Symposium, 2018: 23092.
[13] Tikhomirov S, Voskresenskaya E, Ivanitskiy I, et al. SmartCheck: static analysis of ethereum smart contracts [C]//2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), 2018: 9-16.
[14] 张登记, 赵相福, 陈中育, 等. 基于Ethereum智能合约的安全策略分析[J]. 应用科学学报, 2021, 39(1): 151-163. Zhang D J, Zhao X F, Chen Z Y, et al. Analysis of security strategies for smart contracts based on ethereum [J]. Journal of Applied Sciences, 2021, 39(1): 151-163. (in Chinese)
[15] Giordano F, Bachfischer A, Carder G, et al. OpenZeppelin is a library for secure smart contract development [EB/OL]. 2022[2022-04-15]. https://github.com/OpenZeppelin/openzeppelin-contracts.
[16] Gao J B, Liu H, Liu C, et al. EASYFLOW: keep ethereum away from overflow [C]//2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), 2019: 23-26.
[17] 郑忠斌, 王朝栋, 蔡佳浩. 智能合约的安全研究现状与检测方法分析综述[J]. 信息安全与通信保密, 2020, 18(7): 93-105. Zheng Z B, Wang C D, Cai J H. Analysis of the current status of smart contract security research and detection methods [J]. Information Security and Communications Privacy, 2020, 18(7): 93-105. (in Chinese)
[18] Palladino S. The parity wallet hack explained [EB/OL]. 2017[2022-04-15]. https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7.
[19] 田国华, 胡云瀚, 陈晓峰. 区块链系统攻击与防御技术研究进展[J]. 软件学报, 2021, 32(5): 1495- 1525. Tian G H, Hu Y H, Chen X F. Research progress on attack and defense techniques in block-chain system [J]. Journal of Software, 2021, 32(5): 1495-1525. (in Chinese)
[20] 沈鑫, 裴庆祺, 刘雪峰. 区块链技术综述[J]. 网络与信息安全学报, 2016, 2(11): 11-20. Shen X, Pei Q Q, Liu X F. Survey of block chain [J]. Chinese Journal of Network and Information Security, 2016, 2(11): 11-20. (in Chinese)
[21] 倪远东, 张超, 殷婷婷. 智能合约安全漏洞研究综述[J]. 信息安全学报, 2020, 5(3): 78-99. Ni Y D, Zhang C, Yin T T. A survey of smart contract vulnerability research [J]. Journal of Cyber Security, 2020, 5(3): 78-99. (in Chinese)
[22] Atzei N, Bartoletti M, Cimoli T. A survey of attacks on ethereum smart contracts (SoK) [C]//International Conference on Principles of Security and Trust. Berlin, Heidelberg: Springer, 2017: 164-186.
[23] 孙家泽, 余盼盼, 王小银, 等. 智能合约漏洞检测技术研究综述[J]. 西安邮电大学学报, 2020, 25(5): 1-9, 32. Sun J Z, Yu P P, Wang X Y, et al. Research overview on smart contract vulnerability detection technology [J]. Journal of Xi’an University of Posts and Telecommunications, 2020, 25(5): 1-9, 32. (in Chinese)

Smart Contract Vulnerability Analysis and Improvement Based on Smartcheck

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments

[1]	LIU Shaojie, ZHAO Hongbo, LIU Han. Trusted Blockchain Automation Protocol Based on Domain Programming Model [J]. Journal of Applied Sciences, 2024, 42(4): 569-584.
[2]	SHI Zhigang, HUANG Jianhua, LI Tianqi. A Blockchain Scheme for Vehicular Internet of Things [J]. Journal of Applied Sciences, 2024, 42(4): 549-568.
[3]	WANG Na, ZHU Huijuan, SONG Xiangmei, FENG Xia. A Domain Adaptive Security Analysis Framework for Smart Contracts [J]. Journal of Applied Sciences, 2024, 42(4): 585-597.
[4]	WU Meng, QI Yong. Auditable and Traceable Blockchain Privacy Protection Model under Zero-Knowledge Proof [J]. Journal of Applied Sciences, 2024, 42(4): 598-612.
[5]	XIA Xiaoliang, QIN Zhi, WAN Wunan, ZHANG Shibin, ZHANG Jinquan. Medical Data Classification Encryption Sharing Scheme Based on Blockchain [J]. Journal of Applied Sciences, 2024, 42(4): 613-628.
[6]	LEI Ming, LIN Yijing, GAO Zhipeng. Value-Driven Ethereum Transaction Tracing Rank Method [J]. Journal of Applied Sciences, 2024, 42(4): 629-641.
[7]	LIU Kai, WANG Jiaxin, MAO Qian'ang, CHEN Yufei, YAN Jiaqi. Dynamic Role Identification and Evolutionary Analysis of Blockchain Game Ecosystems: A Case Study of Axie Infinity [J]. Journal of Applied Sciences, 2024, 42(4): 642-658.
[8]	WANG Zexu, WEN Bin. Smart Contract Vulnerability Detection of Symbol Execution with Critical Path Pre-searching [J]. Journal of Applied Sciences, 2024, 42(2): 364-374.
[9]	WU Guangfu, YANG Zi, HUANG Baozhu. Dynamic Byzantine Fault Tolerance Algorithm Based on Reputation and Clustering [J]. Journal of Applied Sciences, 2023, 41(6): 1046-1057.
[10]	MA Xue, PAN Heng, YAO Zhongyuan, SI Xueming. Dual Authorization Sharing Scheme of Searchable Electronic Medical Data Based on Consortium Blockchain [J]. Journal of Applied Sciences, 2023, 41(5): 881-895.
[11]	ZHANG Yong, YAO Zhongyuan, WANG Chao, GUO Shangkun, GUO Xiaohan, SI Xueming. Consortium Chain Multi-chain Collaboration Scheme for Complex Application Scenarios [J]. Journal of Applied Sciences, 2023, 41(4): 601-613.
[12]	PAN Liang, CHEN Bin, DAI Mingjun, WANG Taotao, ZHANG Shengli. Dynamic Spectrum Sharing Based on Blockchain Smart Contract [J]. Journal of Applied Sciences, 2023, 41(4): 590-600.
[13]	WANG Weiyuan, BI Yuanwei, CHEN Xiaohan, LI Chuanbiao. A PBFT Consensus Algorithm for Consortium Chain Optimization [J]. Journal of Applied Sciences, 2023, 41(4): 577-589.
[14]	CAO Haohao, LIU Yang, LI Xiangyang, LIU Xinlei, WANG Yaoqi, ZHANG Yuan. Food Supply Chain Traceability System Based on Multi-blockchain [J]. Journal of Applied Sciences, 2023, 41(4): 563-576.
[15]	LIU Hong, ZHANG Jingyu, LEI Mengting, XIAO Yunpeng. Fair and Verifiable Voting Smart Contract Based on Blockchain [J]. Journal of Applied Sciences, 2023, 41(4): 541-562.