DOI: 10.1145/3319535.3345664
Research article (Public Access)

TokenScope: Automatically Detecting Inconsistent Behaviors of Cryptocurrency Tokens in Ethereum

Published: 06 November 2019

Abstract

Motivated by the success of Bitcoin, many cryptocurrencies have been created, the majority of which are implemented as smart contracts running on Ethereum, known as tokens. To regulate the interaction between these tokens and users as well as third-party tools (e.g., wallets, exchange markets, etc.), several standards have been proposed for the implementation of token contracts. Although existing tokens hold large amounts of money, little is known about whether their behaviors are consistent with the standards. Inconsistent behaviors can lead to user confusion and financial loss, because users and third-party tools interact with token contracts by invoking standard interfaces and listening to standard events. In this work, we take the first step to investigate such inconsistent token behaviors with regard to ERC-20, the most popular token standard. We propose a novel approach to automatically detect such inconsistency by contrasting the behaviors derived from three different sources: the manipulations of the core data structures recording the token holders and their shares, the actions indicated by standard interfaces, and the behaviors suggested by standard events. We implement our approach in a new tool named TokenScope and use it to inspect all transactions sent to the deployed tokens. We detected 3,259,001 transactions that trigger inconsistent behaviors, and these behaviors resulted from 7,472 tokens. By manually examining all (2,353) open-source tokens having inconsistent behaviors, we found that the precision of TokenScope is above 99.9%. Moreover, we revealed 11 major reasons behind the inconsistency, e.g., flawed tokens, standard methods missing, lack of standard events, etc. In particular, we discovered 50 unreported flawed tokens.
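The core idea of the abstract, contrasting the behaviors derived from three sources, as an added illustration that is not TokenScope's own code: each source (balance-mapping writes, the invoked standard method, the emitted standard events) is reduced to the balance effect it implies for one ERC-20 transaction, and any pair of sources that disagrees is reported. The transaction record shape, the toy addresses and the two flawed cases are constructed for this example.

```python
"""Constructed illustration of cross-checking three behavior sources for one
ERC-20 transaction. Not TokenScope's implementation; data shapes are invented."""
from collections import defaultdict


def effect_from_call(sender, method, args):
    """Balance effect implied by the invoked standard interface (ERC-20 subset)."""
    eff = defaultdict(int)
    if method == "transfer":
        to, value = args
        eff[sender] -= value
        eff[to] += value
    elif method == "transferFrom":
        frm, to, value = args
        eff[frm] -= value
        eff[to] += value
    # approve / allowance and the view functions move no balances: empty effect
    return {a: d for a, d in eff.items() if d}


def effect_from_events(events):
    """Balance effect suggested by the emitted Transfer(from, to, value) events."""
    eff = defaultdict(int)
    for name, args in events:
        if name == "Transfer":
            frm, to, value = args
            eff[frm] -= value
            eff[to] += value
    return {a: d for a, d in eff.items() if d}


def effect_from_storage(before, after):
    """Balance effect actually recorded in the token's balance mapping."""
    addrs = set(before) | set(after)
    return {a: after.get(a, 0) - before.get(a, 0) for a in addrs
            if after.get(a, 0) != before.get(a, 0)}


def check_consistency(tx):
    """Return the source pairs that disagree; an empty list means consistent."""
    views = {
        "storage": effect_from_storage(tx["before"], tx["after"]),
        "interface": effect_from_call(tx["sender"], tx["method"], tx["args"]),
        "events": effect_from_events(tx["events"]),
    }
    names = list(views)
    return [f"{a} != {b}" for i, a in enumerate(names) for b in names[i + 1:]
            if views[a] != views[b]]


# Constructed sample transactions (toy addresses, not real accounts).
A, B = "0xA", "0xB"
CONSISTENT = {"sender": A, "method": "transfer", "args": (B, 10),
              "events": [("Transfer", (A, B, 10))],
              "before": {A: 100, B: 0}, "after": {A: 90, B: 10}}
NO_EVENT = {**CONSISTENT, "events": []}                # lack of a standard event
WRONG_AMOUNT = {**CONSISTENT, "after": {A: 95, B: 5}}  # flawed token: moved 5, reported 10
```

A self-transfer (`transfer` to the sender) reduces to an empty effect in every view, so it is reported as consistent rather than as a spurious mismatch.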

    Supplementary Material

    WEBM File (p1503-chen.webm)


Published In

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
November 2019, 2755 pages
ISBN: 9781450367479
DOI: 10.1145/3319535
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. ERC-20
      2. ethereum
      3. inconsistent behavior
      4. token

      Qualifiers

      • Research-article

      Acceptance Rates

      CCS '19 Paper Acceptance Rate 149 of 934 submissions, 16%;
      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

• Downloads (last 12 months): 516
• Downloads (last 6 weeks): 37
Reflects downloads up to 11 Aug 2024

Cited By

• (2024) Efficiently Detecting Reentrancy Vulnerabilities in Complex Smart Contracts. Proceedings of the ACM on Software Engineering 1:FSE (161-181). DOI 10.1145/3643734. Online publication date: 12-Jul-2024.
• (2024) SCVHunter: Smart Contract Vulnerability Detection Based on Heterogeneous Graph Attention Network. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering (1-13). DOI 10.1145/3597503.3639213. Online publication date: 20-May-2024.
• (2024) Are We There Yet? Unraveling the State-of-the-Art Smart Contract Fuzzers. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering (1-13). DOI 10.1145/3597503.3639152. Online publication date: 20-May-2024.
• (2024) PrettySmart: Detecting Permission Re-delegation Vulnerability for Token Behaviors in Smart Contracts. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering (1-12). DOI 10.1145/3597503.3639140. Online publication date: 20-May-2024.
• (2024) SC-Chef: Turboboosting Smart Contract Concurrent Execution for High Contention Workloads via Chopping Transactions. IEEE Transactions on Reliability 73:1 (216-229). DOI 10.1109/TR.2023.3296278. Online publication date: Mar-2024.
• (2024) Crypto Tokens and Token Systems. Information Systems Frontiers 26:1 (319-332). DOI 10.1007/s10796-023-10382-w. Online publication date: 1-Feb-2024.
• (2024) Angels or demons: investigating and detecting decentralized financial traps on ethereum smart contracts. Automated Software Engineering 31:2. DOI 10.1007/s10515-024-00459-4. Online publication date: 29-Jul-2024.
• (2024) A Cost-Sensitive Sparse Auto-encoder Based Feature Extraction for Network Traffic Classification Using CNN. Proceedings of 4th International Conference on Artificial Intelligence and Smart Energy (231-244). DOI 10.1007/978-3-031-61471-2_17. Online publication date: 12-Jun-2024.
• (2023) Token spammers, rug pulls, and sniper bots. Proceedings of the 32nd USENIX Conference on Security Symposium (3349-3366). DOI 10.5555/3620237.3620425. Online publication date: 9-Aug-2023.
• (2023) An Optimised Bitcoin Mining Strategy. International Journal of Information Technologies and Systems Approach 16:2 (1-19). DOI 10.4018/IJITSA.318655. Online publication date: 3-Mar-2023.
