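Computer Science and Applications

Smart Contract Vulnerability Detection of Symbol Execution with Critical Path Pre-searching

  • 1. Key Laboratory of Data Science and Smart Education, Ministry of Education, Hainan Normal University, Haikou 571158, Hainan, China;
    2. School of Software Engineering, Sun Yat-sen University, Zhuhai 519082, Guangdong, China;
    3. School of Information Science and Technology, Hainan Normal University, Haikou 571158, Hainan, China

Received date: 2022-08-14

  Online published: 2024-03-28

Funding

Supported by the National Natural Science Foundation of China (No.62362029) and the Hainan Provincial Natural Science Foundation (No.623RC485)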

Abstract

Traditional symbolic execution spends large amounts of time and resources on unnecessary and irrelevant paths, which makes it inefficient. To address this, this paper proposes using static detection to pre-scan the critical paths of a smart contract and so optimize symbolic execution verification, avoiding the resource consumption added by unnecessary path search and achieving accurate and fast smart contract vulnerability detection through symbolic execution based on critical path pre-searching. The method is compared experimentally with existing mainstream detection tools. The results show that coverage of the Gas exhaustion denial of service vulnerability reaches 98%, with a detection accuracy of 84.3%, far higher than the average value of 37.2%. Contracts with the storage overwrite vulnerability are fully covered, with a detection accuracy of 86.1%, which validates the efficiency and stability of the method.

Cite this article

Wang Zexu, Wen Bin. Smart Contract Vulnerability Detection of Symbol Execution with Critical Path Pre-searching[J]. Journal of Applied Sciences, 2024, 42(2): 364-374. DOI: 10.3969/j.issn.0255-8297.2024.02.016
