TLDR
- The researcher introduces eight common vulnerabilities and categorizes them based on call-related and call-irrelated vulnerabilities.
- They proposed SuperDetector, a framework for detecting both vulnerabilities by combining the different tools and static analysis technology.
- The research shows that SuperDetector can analyze the performance of each tool and that vulnerability coverage and detection accuracy on call-related vulnerabilities is much better than that on call-irrelated vulnerabilities.
Core Research Question
What tool can accurately detect smart contracts while comparing the performance of each tool used?
Citation
Dai, M., Yang, Z., & Guo, J. (2022). SuperDetector: A framework for performance detection on vulnerabilities of smart contracts. Journal of Physics. Conference Series, 2289(1), 012010. doi:10.1088/1742-6596/2289/1/012010
Background
- Smart Contract Vulnerabilities: Security issues in smart contracts that can be exploited. There are many different types. In this paper, the researchers focused purely on CallVUL and CallIRVUL bugs which combined have resulted in millions of dollars of losses in DeFi protocols.
- Call-related and Call-Irrelated Vulnerabilities (CallVUL and CallIRVUL): CallVUL and CallIRVUL are the causes of eight typical vulnerabilities of smart contracts. Caller functions ensure the flexible development of smart contracts. Furthermore, they support the transfer of Ether (ETH) between smart contracts. This characteristic and relationship between multiple calls make them vulnerable. In addition, factors like mining and Ethereum Virtual Machine’s (EVM) execution cause call-irrelated vulnerabilities (CallIRVUL).
- Static Analysis Technology: Static analysis is a technique for analyzing computer programs without executing the code. The process gives the user a better understanding of the code structure and ensures the code meets industry standards. Static analysis is usually performed by an automated tool controlled by a human researcher.
- Re-Entrancy (RE): Re-entrancy attacks are well-known due to the famous 2016 DAO hack on the Ethereum blockchain. It is one of the most destructive attacks in Solidity smart contracts and occurs when a call function makes an external call to another. Its other causes are:
- No gas restriction
- Transferring before recording
- Using call() function to transfer money
- Unhandled Exception (UE): An operation in Solidity used to send Ether that reports the return state with booleans. If the return value is unchecked, the contract will continue executing the instructions leading to inconsistencies. It is caused by:
- Using call() or send() function to call
- Never throwing an exception when call() or send() fails
- Dangerous Tx.origin (DT): Tx.origin is a global transaction variable in Solidity which reports the address of the account that sent the transaction. Contracts that use tx.origin to authorize transactions are dangerous as they are vulnerable to phishing attacks. The vulnerability is due to obtained permissions of the caller smart contract through the tx.origin variable.
- Dangerous Delegatecall (DD): This vulnerability happens when a ContractA calls ContractB using delegatecall. The transaction tells ContractB to run ContractA’s code inside its context (storage, msg.sender, msg.value, msg.data, etc). However, the called smart contract can affect the current state of the caller smart contract using delegatecall() function.
- Integer Bugs (IB): They are difficult unavoidable smart contract vulnerabilities due to characteristics and bugs in EVM and the Solidity programming language. Integer bugs occur while converting the type of integer.
- Transaction Ordering Dependence (TOD): This vulnerability is a race-conditioned attack. With enough computing resources, a malicious user can reorder the transactions in the mempool to get whatever result they want. TOD occurs when the execution order of transactions in the same contract causes differences in the final state of the smart contract.
- Timestamp Dependence (TD): Block timestamps execute call and fund transfer functions. This vulnerability is related to how easily miners can easily control block timestamps. A malicious actor can manipulate the timestamp of the transactions because of the execution logic, which allows miners to post a timestamp within 15 seconds of the block being validated to favor themselves.
- Dangerous Selfdestruct (DS): Selfdestruct(address) functions send all ether stored to the specified address. An attacker can create a contract with a selfdestruct() function, send ether to it, and create another called selfdestruct(target). This action forces the first smart contract to send ether to the target smart contract address.
- Oyente: This is an execution and vulnerability detection tool that works directly with Ethereum virtual machine (EVM) byte code.
- Osiris: This is an analysis tool to detect integer bugs in Ethereum smart contracts. Osiris is based on Oyente.
- Slither: Known as the Solidity source analyzer, Slither has a variety of vulnerability detectors and provides an easy-to-use API for writing custom analyses.
- Securify: This is a security scanner for Ethereum smart contracts supported by the Ethereum Foundation and ChainSecurity. The core research behind Securify was conducted at the ICE Center at ETH Zurich.
- Smartcheck: This is a static analysis tool just like those mentioned above for discovering vulnerabilities and other code issues in Ethereum smart contracts written in Solidity.
- Mythril: Mythril detects security vulnerabilities in smart contracts built for Ethereum, Hedera, Quorum, Vechain, Roostock, Tron and other EVM-compatible blockchains.
- Transaction Variables/Hash: Each transaction made in the blockchain has data slots that store the values of the transaction. These variables vanish when the transaction is complete or canceled and specific only to the single transaction.
- Average Execution Time: This is the amount of time it takes each tool to compile the smart contract, convert the intermediate language, analyze and produce output.
- Usability: The probability that the selected tool can detect the smart contract vulnerabilities well.
- Solidity Abstract Syntax Tree: A concept in Solidity that represents a given code in a syntax tree. The tree helps developers view the code better.
- EVM Bytecode: Bytecode is a low-level programming language that is compiled from Solidity. EVM is the reason Ethereum smart contracts can run on almost any computer.
- Solidity XML Parse Tree: XML stands for eXtensible Markup Language. XML documents are structured hierarchically like trees. The Solidity XML Parse Tree is a software library containing solidity and XML-based contracts.
Summary
- Smart contracts are the core of transactions on the Ethereum blockchain. However, they possess vulnerabilities that can be exploited, leading to losses.
- This research focuses on the vulnerabilities and a framework for effectively detecting them.
- The authors analyzed vulnerability coverage, usability, detection accuracy, and execution time of the tools.
- The authors analyzed two smart contract sets (a total of 1133) provided by the HuangGai project recognized by experts.
- Six open source tools were selected in the SuperDetector Framework to detect CallVUL and CallIRVUL vulnerabilities. Oyente, Osiris, Slither, Securify, Smartcheck, and Mythril were the tools used.
- These tools use solidity and cover two or more kinds of vulnerabilities.
- SuperDetector has two main functions - vulnerability detection and computing each tool’s performance on the two kinds of vulnerabilities.
- To start the experiment, the detection tools and caller functions are selected in the framework.
- After that, the selected tools execute the inputted instructions.
- According to the experiment result and analysis, each tool can detect the two kinds of smart contract vulnerabilities, but there are differences.
- The research reveals that Mythril has 100% vulnerability coverage, Smartcheck only covers three vulnerabilities, while Osiris, Securify, and Slither perform well by detecting more vulnerabilities.
- According to the detection results, Securify’s usability is about 67%, Smartcheck is about 33%, and the other three tools are over 94%. Also, Securify and Mythril take longer to analyze the smart contract.
- Finally, the analysis shows that optimal vulnerability detection, coverage, and accuracy are not guaranteed if a single tool is used.
- Therefore, the authors design a selector in SuperDetector that matches each tool with the best-suited vulnerability. This will increase the vulnerability coverage and detection accuracy for developers.
Method
- The framework is unique as it uses different tools to detect bugs and compares each tool’s performance against specific vulnerabilities.
- Next, we list the eight vulnerabilities for the analysis and classify them according to their causes - CallVUL and CallIRVUL. Caller functions cause call-related vulnerabilities, while Call-Irrelated bugs come from mining and network activity in the Ethereum Virtual Machine.
- SuperDetector computes the tools’ performance (vulnerability coverage, detection accuracy) while they detect vulnerabilities. It has five task layers, and the core parts are input conversion, detection, and output conversion.
- The framework regards the tools as plugins to concurrently use them all. The detection process is elaborated as follows:
- The criteria for selecting the detection tools are based on research reports and previous experiments.
- Based on the data, eight open source tools are selected. These tools must be able to analyze the two kinds of smart contract vulnerabilities, accept Solidity, and cover at least three of the eight focal vulnerabilities.
- After selecting the tools and functions, the framework converts the instructions, and the process starts. For example, suppose a vulnerability is detected, SuperDetector sorts and converts the output according to the selected function. And if an exception occurs during the process, SuperDetector returns to the tool selection stage.
Results
- Each tool detects both vulnerabilities (CallVUL and CallIRVUL), but the number of vulnerabilities they cover varies.
- Due to the variety in vulnerability coverage, it is recommended to combine multiple tools to increase the number of vulnerabilities detected.
- For detection accuracy of the tools, the table below demonstrates the accuracy of four tools on CallVUL and CallIRVUL.
- The three colors indicate the proportion of hitting, missing to detect the corresponding vulnerability, and failed detection, while the number of smart contracts is displayed on the right. We can see that the accuracy of each tool on the vulnerabilities varies.
- The result also shows that Mythril, with 100% coverage, has only 80% accuracy for three vulnerabilities, while Slither’s hits RE and UE of CallVUL more than DS of CallIRVUL.
- This proves that the tools’ accuracy on CallVUL is higher than its counterpart. It was therefore speculated that this is because the former is closely related to caller functions which the tools can analyze faster. Call-Irrelated Vulnerabilities are complex, making them difficult to detect easily and quickly.
- The authors use data from the same table for usability and average execution time. They also consider the table below, which provides more information about the tools’ execution.
- In the table above, we can see each tool’s usability percentage and average execution time. We can also see that Securify and Mythril take longer to execute the instructions. This is because both tools are based on EVM bytecode (which is slower to compute), while Slither and Smartcheck compile syntax and XML tree codes.
- Because of their format, both can be compiled faster than Securify and Mythril.
- Finally, a single tool cannot accurately detect all the vulnerabilities at a time. Therefore, the researchers design a selector in SuperDetector that matches the tool with the highest accuracy to the corresponding vulnerability.
Discussion and Key Takeaways
- This work provides a solution to one of the biggest threats to smart contract security–the inaccuracy in detecting all exploitable bugs and vulnerabilities.
- The solution is a breakthrough since previous approaches and tools have failed to cover the two kinds of vulnerabilities. Before the research, developers utilized the tools separately, making the detection process tedious.
- The paper also provides insights into SuperDetector, how it works, and each tool’s performance during the experiment.
- SuperDetector provides developers with more options as they can run their code in the framework and detect vulnerabilities. Hence, developers can easily and better detect smart contract vulnerabilities in their Dapps that could be exploited.
Implications and Follow-ups
- The inaccuracy of current detection methods has pushed the researchers to pursue and create an alternative detection method, SuperDetector, which combines all the detection tools.
- SuperDetector may positively affect smart contract scalability and execution once more developers discover, start using it and get results.
- The steady adoption and use of the framework may lead to the detection of more detailed vulnerabilities.
Applicability
- DeFi/NFT hacks are regular in crypto. Most of the hacks are due to vulnerabilities in smart contracts. With SuperDetector, developers can detect bugs better in their Dapps and secure the protocols against potential asset-draining attacks.