DOI: 10.1145/3463274.3463348
research-article

Dynamic Vulnerability Detection on Smart Contracts Using Machine Learning

Published: 21 June 2021

Abstract

In this work we propose Dynamit, a monitoring framework to detect reentrancy vulnerabilities in Ethereum smart contracts. The novelty of our framework is that it relies only on transaction metadata and balance data from the blockchain system; our approach requires no domain knowledge, code instrumentation, or special execution environment. Dynamit extracts features from transaction data and uses a machine learning model to classify transactions as benign or harmful. Therefore, not only can we find the contracts that are vulnerable to reentrancy attacks, but we also get an execution trace that reproduces the attack. Using a random forest classifier, our model achieved more than 90 percent accuracy on 105 transactions, showing the potential of our technique.

Published In

EASE '21: Proceedings of the 25th International Conference on Evaluation and Assessment in Software Engineering
June 2021
417 pages
ISBN: 9781450390538
DOI: 10.1145/3463274
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Blockchain
  2. Ethereum
  3. Machine Learning for Dynamic Software Analysis
  4. Smart Contracts
  5. Vulnerability Detection

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EASE 2021

Acceptance Rates

Overall Acceptance Rate 71 of 232 submissions, 31%

Cited By

  • (2024) Ethereum Smart Contract Vulnerability Detection and Machine Learning-Driven Solutions: A Systematic Literature Review. Electronics 13:12 (2295). DOI: 10.3390/electronics13122295. Online publication date: 12-Jun-2024
  • (2024) sGuard+: Machine Learning Guided Rule-Based Automated Vulnerability Repair on Smart Contracts. ACM Transactions on Software Engineering and Methodology 33:5 (1-55). DOI: 10.1145/3641846. Online publication date: 4-Jun-2024
  • (2024) Smart Contract Vulnerability Detection Using Deep Learning Algorithms on EVM bytecode. 2024 13th Mediterranean Conference on Embedded Computing (MECO) (1-7). DOI: 10.1109/MECO62516.2024.10577852. Online publication date: 11-Jun-2024
  • (2024) “Vulnerabilities in Smart Contracts: A Detailed Survey of Detection and Mitigation Methodologies”. 2024 International Conference on Emerging Technologies in Computer Science for Interdisciplinary Applications (ICETCS) (1-7). DOI: 10.1109/ICETCS61022.2024.10544155. Online publication date: 22-Apr-2024
  • (2024) Research on Dynamic Detection of Vulnerabilities in Smart Contracts Based on Machine Learning. 2024 IEEE 3rd International Conference on Electrical Engineering, Big Data and Algorithms (EEBDA) (219-223). DOI: 10.1109/EEBDA60612.2024.10485831. Online publication date: 27-Feb-2024
  • (2024) Detecting unknown vulnerabilities in smart contracts using opcode sequences. Connection Science 36:1. DOI: 10.1080/09540091.2024.2313853. Online publication date: 14-Feb-2024
  • (2024) Smart contract vulnerability detection using wide and deep neural network. Science of Computer Programming (103172). DOI: 10.1016/j.scico.2024.103172. Online publication date: Jul-2024
  • (2024) Vulnerability detection techniques for smart contracts: A systematic literature review. Journal of Systems and Software 217 (112160). DOI: 10.1016/j.jss.2024.112160. Online publication date: Nov-2024
  • (2024) OpenSCV: an open hierarchical taxonomy for smart contract vulnerabilities. Empirical Software Engineering 29:4. DOI: 10.1007/s10664-024-10446-8. Online publication date: 18-Jun-2024
  • (2024) A Survey of Security Vulnerabilities and Detection Methods for Smart Contracts. Proceedings of the 13th International Conference on Computer Engineering and Networks (436-446). DOI: 10.1007/978-981-99-9247-8_43. Online publication date: 4-Jan-2024
