Abstract
Smart contracts have been subjected to several attacks that have exploited various vulnerabilities of languages like Solidity, which has resulted in huge financial losses. The functioning and deployment of smart contracts are somewhat different from classical programming environments. Once a smart contract is up and running, changing it, is very complicated and nearly infeasible as the contract is expected to be immutable when created. If we find a defect in a deployed smart contract, a new version of the contract has to be created and deployed with concurrence from the stakeholders. Further, when a new version of an existing contract is deployed, data stored in the previous contract does not get transferred automatically to the newly refined contract. We have to manually initialize the new contract with the past data which makes it very cumbersome and not very trustworthy. As neither updating a contract nor rolling back an update is possible, it greatly increases the complexity of implementation and places a huge responsibility while being deployed initially on the blockchain.
The main rationale for smart contracts has been to enforce contracts safely among the stakeholders. In this paper, we shall discuss a framework for runtime monitoring to prevent the exploitation of a major class of vulnerabilities using the programmers’ annotations given in the smart contracts coded in Solidity. We have chosen several phrases for annotation mimicking declarations of concurrent programming languages so that the underlying run-time monitors can be automatically generated. The annotations simply reflect the intended constraints on the execution of programs relative to the object state relative to observables like method calls, exceptions, etc. Such a framework further adds to the advantage of debugging at the source level as the original structure is preserved and also enhances the trust of the user as the run-time monitoring assertion logs provide a rough proof-outline of the contract.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
- 3.
- 4.
Compiler limits like Stack size limit can also be exploited by adversaries but the current compilers have overcome such exploits.
- 5.
GitHub - trailofbits/manticore: Symbolic execution tool.
- 6.
The requirement for run-time checks for overcoming the re-entrancy vulnerability follows from the decidability issues of the problem of effective call-back free contracts discussed in [17] where the general problem is shown to be undecidable in Turing-complete languages.
- 7.
SafeMath transforms expressions in a binary manner. That is, for exception handling in compound expressions, say, for instance, a + b + c, SafeMath needs to be invoked compositionally.
- 8.
This is a constraint we have enforced for simplicity; we could enforce controls like only one writer is permitted on a shared resource whereas multiple readers are allowed on that shared resource. This will become clear when we discuss nondeterminism in ERC20.
- 9.
- 10.
- 11.
- 12.
Snehal Borse, Prateek Patidar Solidity+: Specification Enhanced Solidity to Overcome Vulnerabilities, M.Tech. Dissertation, Department of Computer Science and Engineering, IIT Bombay 2019.
- 13.
References
Akentiev, A.: Parity multisig github. https://github.com/paritytech/parity/issues/6995
Amani, S., Bégel, M., Bortin, M., Staples, M.: Towards verifying Ethereum smart contract bytecode in Isabelle/HOL. In: Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs, CPP 2018, pp. 66–77. ACM, New York (2018). https://doi.org/10.1145/3167084
Andrews, G.R., McGraw, J.R.: Language features for process interaction. SIGOPS Oper. Syst. Rev. 11(2), 114–127 (1977). https://doi.org/10.1145/390018.808318
Androulaki, E., et al.: Hyperledger fabric: a distributed operating system for permissioned blockchains. In: Proceedings of the Thirteenth EuroSys Conference, EuroSys 2018, pp. 30:1–30:15 (2018)
Atzei, N., Bartoletti, M., Cimoli, T.: A survey of attacks on Ethereum smart contracts (SoK). In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 164–186. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_8
Bhargavan, K., et al.: Formal verification of smart contracts: short paper. In: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, PLAS 2016, pp. 91–96. ACM, New York (2016). https://doi.org/10.1145/2993600.2993611
Campbell, R.H., Habermann, A.N.: The specification of process synchronization by path expressions. In: Gelenbe, E., Kaiser, C. (eds.) OS 1974. LNCS, vol. 16, pp. 89–102. Springer, Heidelberg (1974). https://doi.org/10.1007/BFb0029355
Crafa, S., Di Pirro, M., Zucca, E.: Is solidity solid enough? In: Bracciali, A., Clark, J., Pintore, F., Rønne, P.B., Sala, M. (eds.) FC 2019. LNCS, vol. 11599, pp. 138–153. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-43725-1_11
Das, A., Balzer, S., Hoffmann, J., Pfenning, F.: Resource-aware session types for digital contracts. CoRR abs/1902.06056 (2019)
Dickerson, T., Gazzillo, P., Herlihy, M., Saraph, V., Koskinen, E.: Proof-carrying smart contracts. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 325–338. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_22
Ellul, J., Pace, G.J.: Runtime verification of Ethereum smart contracts. In: 2018 14th European Dependable Computing Conference (EDCC), pp. 158–163 (2018). https://doi.org/10.1109/EDCC.2018.00036
Ethereum: Solidity documentation (2018). https://solidity.readthedocs.io/
Filliâtre, J.-C., Paskevich, A.: Why3—where programs meet provers. In: Felleisen, M., Gardner, P. (eds.) ESOP 2013. LNCS, vol. 7792, pp. 125–128. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37036-6_8
Ghaleb, A., Pattabiraman, K.: How effective are smart contract analysis tools? Evaluating smart contract static analysis tools using bug injection. In: ISSTA 2020. Association for Computing Machinery, New York (2020). https://doi.org/10.1145/3395363.3397385
Grishchenko, I., Maffei, M., Schneidewind, C.: Foundations and tools for the static analysis of Ethereum smart contracts. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 51–78. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96145-3_4
Grishchenko, I., Maffei, M., Schneidewind, C.: A semantic framework for the security analysis of Ethereum smart contracts. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 243–269. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89722-6_10
Grossman, S., et al.: Online detection of effectively callback free objects with applications to smart contracts. 2(POPL) (2017)
Guerraoui, R., Kuznetsov, P., Monti, M., Pavlovič, M., Seredinschi, D.A.: The consensus number of a cryptocurrency. In: Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing, PODC 2019, pp. 307–316. Association for Computing Machinery, New York (2019)
Hansen, P.B., Dijkstra, E.W., Hoare, C.A.R.: The Origins of Concurrent Programming: From Semaphores to Remote Procedure Calls. Springer, Heidelberg (2002)
Hildenbrandt, E., et al.: KEVM: a complete formal semantics of the Ethereum virtual machine. In: 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 204–217 (2018)
Hirai, Y.: Defining the Ethereum virtual machine for interactive theorem provers. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 520–535. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_33
Kolluri, A., Nikolic, I., Sergey, I., Hobor, A., Saxena, P.: Exploiting the laws of order in smart contracts. CoRR abs/1810.11605 (2018)
Krishna Rao, M.R.K., Kapur, D., Shyamasundar, R.K.: Proving termination of GHC programs. New Gen. Comput. 15(3), 293–338 (1997). https://doi.org/10.1007/BF03037949
Lee, J.H.: DappGuard: active monitoring and defense for solidity smart contracts (2017)
Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 254–269. ACM, New York (2016). https://doi.org/10.1145/2976749.2978309
Mueller(ConsenSys), B.: Mythril: a classic security analysis tool for Ethereum smart contracts (2017). https://github.com/ConsenSys/mythril
Nikolić, I., Kolluri, A., Sergey, I., Saxena, P., Hobor, A.: Finding the greedy, prodigal, and suicidal contracts at scale. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, pp. 653–663. Association for Computing Machinery, New York (2018)
Openzeppelin contributors: Safemath.sol (2019). https://github.com/OpenZeppelin/openzeppelin-solidity/blob/master/contracts/math/SafeMath.sol. Accessed 16 June 2019
Permenev, A., Dimitrov, D., Tsankov, P., Drachsler-Cohen, D., Vechev, M.: VerX: safety verification of smart contracts. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 414–430. Los Alamitos, CA, USA (2020)
Remix: Remix - Solidity IDE (2018). https://remix.ethereum.org/
Schneidewind, C., Grishchenko, I., Scherer, M., Maffei, M.: Ethor: practical and provably sound static analysis of Ethereum smart contracts (2020). https://doi.org/10.48550/ARXIV.2005.06227
Sergey, I., Hobor, A.: A concurrent perspective on smart contracts. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 478–493. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_30
Shyamasundar, K.R.: A safety assessment of token standards for Ethereum: Erc20 and beyond. In: 6th Symposium on Distributed Ledger Technology (SDLT). SDLT, Gold Coast, Australia (2022)
Shyamsundar, R.K., Thatcher, J.W.: Language constructs for specifying concurrency in CDL. IEEE Trans. Softw. Eng. 15(8), 977–993 (1989). https://doi.org/10.1109/32.31354
Tsankov, P., Dan, A., Drachsler-Cohen, D., Gervais, A., Bünzli, F., Vechev, M.: Securify: practical security analysis of smart contracts. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, pp. 67–82. ACM, New York (2018). https://doi.org/10.1145/3243734.3243780
Zhang, W., Banescu, S., Pasos, L., Stewart, S., Ganesh, V.: MPRO: combining static and symbolic analysis for scalable testing of smart contract. arXiv abs/1911.00570 (2019)
Acknowledgments
The work was carried out at the Centre of Excellence for Blockchains supported by Ripple Corporation. I wish to thank Snehal Borse, and Prateek Patidar who initially were responsible for building the basic prototype and to Hrishikesh Saloi and Mohammad Ummair, who have been re-engineering the system in Python to handle a spectrum vulnerabilities using this approach. Special thanks to Dr. Vishwas Patil of Center for Blockchain Research for his constructive comments on an initial draft of the paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Shyamasundar, R.K. (2022). A Framework of Runtime Monitoring for Correct Execution of Smart Contracts. In: Chen, S., Shyamasundar, R.K., Zhang, LJ. (eds) Blockchain – ICBC 2022. ICBC 2022. Lecture Notes in Computer Science, vol 13733. Springer, Cham. https://doi.org/10.1007/978-3-031-23495-8_7
Download citation
DOI: https://doi.org/10.1007/978-3-031-23495-8_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-23494-1
Online ISBN: 978-3-031-23495-8
eBook Packages: Computer ScienceComputer Science (R0)