Smart Contract Defense through Bytecode Rewriting

Ayoade, Gbadebo; Bauman, Erick; Khan, Latifur; Hamlen, Kevin W.

doi:10.1109/blockchain.2019.00059

Cited by 24 publications

(9 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this section, we have reviewed Ethereum Smart Contract vulnerabilities [9], [31]- [45], [122], [123], [131], [132], [138]- [142] with some well-known attacks/example [32], [46]- [49], detection tools [30], [37], [50]- [58], [125], [133]- [137], [143], and their suggested preventive methods [30], [47], [59]- [63], [124], [126]. Researchers classified these vulnerabilities based on different criteria such as seriousness, root cause, flaws in solidity, security flaws, privacy flaws, performance flaws, flaws in EVM [27] byte code, and blockchain [64] characteristics.…”

Section: Ethereum Smart Contract Vulnerabilities and Preventive Methodsmentioning

confidence: 99%

Systematic Review of Security Vulnerabilities in Ethereum Blockchain Smart Contract

et al. 2022

View full text Add to dashboard Cite

Blockchain is a revolutionary technology that enables users to communicate in a trust-less manner. It revolutionizes the modes of business between organizations without the need for a trusted third party. It is a distributed ledger technology based on a decentralized peer-to-peer (P2P) network. It enables users to store data globally on thousands of computers in an immutable format and empowers users to deploy small pieces of programs known as smart contracts. The blockchain-based smart contract enables auto enforcement of the agreed terms between two untrusted parties. There are several security vulnerabilities in Ethereum blockchain-based smart contracts, due to which sometimes it does not behave as intended. Because a smart contract can hold millions of dollars as cryptocurrency, so these security vulnerabilities can lead to disastrous losses. In this paper, a systematic review of the security vulnerabilities in the Ethereum blockchain is presented. The main objective is to discuss Ethereum smart contract security vulnerabilities, detection tools, real life attacks and preventive mechanisms. Comparisons are drawn among the Ethereum smart contract analysis tools by considering various features. From the extensive depth review, various issues associated with the Ethereum blockchain-based smart contract are highlighted. Finally, various future directions are also discussed in the field of the Ethereum blockchain-based smart contract that can help the researchers to set the directions for future research in this domain.

show abstract

Section: Ethereum Smart Contract Vulnerabilities and Preventive Methodsmentioning

confidence: 99%

Systematic Review of Security Vulnerabilities in Ethereum Blockchain Smart Contract

et al. 2022

View full text Add to dashboard Cite

show abstract

“…ContractGuard inserts runtime checks into the bytecode of smart contracts, and the instrumented smart contracts will reject all transactions that hijack the control flow of smart contracts [31]. Ayoade et al's work inserts protection code into the bytecode of smart contracts to prevent integer overflow/underflow attacks [33]. However, the protection abilities of these approaches [29], [31]- [33] are restricted by the blockchain architecture for two reasons.…”

Section: A Online Approachesmentioning

confidence: 99%

“…Ayoade et al's work inserts protection code into the bytecode of smart contracts to prevent integer overflow/underflow attacks [33]. However, the protection abilities of these approaches [29], [31]- [33] are restricted by the blockchain architecture for two reasons. First, complicated runtime checks may not be inserted into smart contracts, because the bytecode of a smart contract must not exceed 24KB [38].…”

Section: A Online Approachesmentioning

confidence: 99%

“…Online approaches attempt to detect attacks targeting smart contracts or protect smart contracts from attacks after deployment [29]- [37], which can be classified into two categories. The first category inserts protection code into the source/bytecode of smart contracts [29], [31]- [33]. However, their capabilities [29], [31]- [33] are restricted by the size limit of EVM bytecode [38] and the gas mechanism [39].…”

Section: Introductionmentioning

confidence: 99%

“…The first category inserts protection code into the source/bytecode of smart contracts [29], [31]- [33]. However, their capabilities [29], [31]- [33] are restricted by the size limit of EVM bytecode [38] and the gas mechanism [39]. The second category inserts protection code into the runtime of smart contracts (e.g., EVM) [30], [34]- [37].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

SODA: A Generic Online Detection Framework for Smart Contracts

Chen

Cao

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Smart contracts have become lucrative and profitable targets for attackers because they can hold a great amount of money. Unfortunately, existing offline approaches for discovering the vulnerabilities in smart contracts or checking the correctness of smart contracts cannot conduct online detection of attacking transactions. Besides, existing online approaches only focus on specific attacks and cannot be easily extended to detect other attacks. Moreover, developing a new online detection system for smart contracts from scratch is time-consuming and requires deep understanding of blockchain internals, thus making it difficult to quickly implement and deploy mechanisms to detect new attacks. In this paper, we propose a novel generic online detection framework named SODA for smart contracts on any blockchains that support Ethereum virtual machine (EVM). SODA distinguishes itself from existing online approaches through its capability, efficiency, and compatibility. First, SODA empowers users to easily develop apps for detecting various attacks online (i.e., when attacks happen) by separating information collection and attack detection with layered design. At the higher layer, SODA provides unified interfaces to develop detection apps against various attacks. At the lower layer, SODA instruments EVM to collect all primitive information necessary to detect various attacks and constructs 11 kinds of structural information for the ease of developing apps. Based on SODA, users can develop new apps in a few lines of code without modifying EVM. Second, SODA is efficient, because we design on-demand information retrieval to reduce the overhead of information collection and adopt dynamic linking to eliminate the overhead of inter-process communication. Such design allows users to develop detection apps using any programming languages that can generate dynamic link libraries. Third, since more and more blockchains adopt EVM as smart contract runtime, SODA can be easily migrated to such blockchains without modifying apps. Based on SODA, we develop 8 detection apps to detect the attacks exploiting major vulnerabilities in smart contracts, and integrate SODA (including all apps) into 3 popular blockchains: Ethereum, Expanse and Wanchain. The extensive experimental results demonstrate the effectiveness and efficiency of SODA and our detection apps.

show abstract

A large‐scale empirical study of low‐level function use in Ethereum smart contracts and automated replacement

Pattabiraman

2022

Softw Pract Exp

View full text Add to dashboard Cite

The Ethereum blockchain stores and executes complex logic via smart contracts written in Solidity, a high‐level programming language. The Solidity language (in its early versions) provides features to exercise fine‐grained control over smart contracts, whose usage is discouraged by later‐released Solidity documentation, but nonetheless supported in later versions for backward compatibility. We define these features as low‐level functions. However, the high‐volume of transactions and the improper use of low‐level functions lead to security exploits with heavy financial loss. Consequently, the documentation suggests secure alternatives to the use of low‐level functions. In this article, we first perform an empirical study on the use of low‐level functions in Ethereum smart contracts. We study a smart contract dataset consisting of over 2,100,000 real‐world smart contracts. We find that low‐level functions are widely used and that the majority of these uses are gratuitous. We then propose GoHigh, a source‐to‐source transformation tool to eliminate low‐level function‐related vulnerabilities, by replacing low‐level functions with secure alternatives. Our experimental evaluation on the dataset shows that GoHigh successfully replaces all low‐level functions with 4.9% fewer compiler warnings. Further, no unintended side‐effects are introduced in 80% of the contracts, and the remaining 20% are not verifiable due to their external dependency. GoHigh saves more than 5% of the gas cost of the contract. Finally, GoHigh takes 7 s on average per contract.

show abstract

Smart Contract Defense through Bytecode Rewriting

Cited by 24 publications

References 10 publications

Systematic Review of Security Vulnerabilities in Ethereum Blockchain Smart Contract

Systematic Review of Security Vulnerabilities in Ethereum Blockchain Smart Contract

SODA: A Generic Online Detection Framework for Smart Contracts

A large‐scale empirical study of low‐level function use in Ethereum smart contracts and automated replacement

Contact Info

Product

Resources

About