2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS) 2021
DOI: 10.1109/qrs54544.2021.00102

WANA: Symbolic Execution of Wasm Bytecode for Extensible Smart Contract Vulnerability Detection

Cited by 19 publications
(9 citation statements)
References 12 publications
“…Vulnerable code line (8) figure 11: 4.14 SWE-116: Block values as a proxy for time Access to time values is frequently required for contracts to carry out specific sorts of functionality. However, using the value of block.timestamp, or block.number is not a safe operation as those values could be manipulated by the nodes that execute the smart contract [7], [11]-[15], [17], [19]-[21], [23]. To fix this code, a developer should either use an Oracle system to check for the exact time or allow an error range.…”
Section: Swe-104: Unchecked Call Return Value (mentioning)
confidence: 99%
“…However, it is difficult to build a reliable adequate source of randomness for apps in the Blockchain. In the Ethereum Blockchain, for example, a smart contract using the blockhash, block timestamp or any node-controlled global variable as a source of randomness is insecure as they can be controlled and known by the other smart contract in the same block [7], [11], [13]-[15], [17], [20], [21], [23]. Vulnerable code [24] lines (5,10,11,12) Figure 15: To get a good source of randomization and to keep the Blockchain result deterministic, developers should use Oracles.…”
Section: Swe-118: Incorrect Constructor Name (mentioning)
confidence: 99%
“…(2) Applications with bi-directional security requirements, i.e., the application does not trust the computing device and vice versa. The smart contract application [22,27,52] is the most suitable case. The sandboxed execution facilitated by WebAssembly and WAIT is necessary for these applications, and compiling to native code on the cloud enlarges the attack surface.…”
Section: Design Alternatives Of Wait (mentioning)
confidence: 99%
“…Similarly, Feng et al. [47] presented the state dependency of exploits as summaries and employed symbolic execution to query possible exploits in Solidity smart contracts. WANA [48] detects smart contract vulnerabilities in an alternative blockchain, EOS, whose underlying virtual machine is different from EVM, named Wasm VM. WANA works directly on the Wasm bytecode format of the smart contracts, but due to the lack of Solidity support to Wasm compilers, WANA cannot detect bugs on Solidity smart contracts.…”
Section: Detection (mentioning)
confidence: 99%