research-article
Open access

Consolidating Smart Contracts with Behavioral Contracts

Published: 20 June 2024

Abstract

Ensuring the reliability of smart contracts is of vital importance due to the wide adoption of smart contract programs in decentralized financial applications. However, statically checking many rich properties of smart contract programs can be challenging. On the other hand, dynamic validation approaches have shown promise for widespread adoption in practice. Nevertheless, as part of the programming environment for smart contracts, existing dynamic validation approaches have not provided programmers with a notion to clearly articulate the interface between components, especially for addresses representing opaque contract instances. We argue that the “design-by-contract” approach should complement the development of smart contract programs. Unfortunately, there is only limited linguistic support for that in existing smart contract languages. In this paper, we design a Solidity language extension ConSol that supports behavioral contracts. ConSol provides programmers with a modular specification and monitoring system for both functional and latent address behaviors. The key capability of ConSol is to attach specifications to first-class addresses and monitor violations when invoking these addresses. We evaluate ConSol using 20 real-world cases, demonstrating its effectiveness in expressing critical conditions and preventing attacks. Additionally, we assess ConSol’s efficiency and compare gas consumption with manually inserted assertions, showing that our approach introduces only marginal gas overhead. By separating specifications and implementations using behavioral contracts, ConSol assists programmers in writing smart contract code that is more robust and readable.

Published In

Proceedings of the ACM on Programming Languages  Volume 8, Issue PLDI
June 2024
2198 pages
EISSN:2475-1421
DOI:10.1145/3554317
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 June 2024
Published in PACMPL Volume 8, Issue PLDI

Author Tags

  1. behavioral contracts
  2. runtime verification
  3. smart contracts
  4. specification
