research-article

Cross-contract static analysis for detecting practical reentrancy vulnerabilities in smart contracts

Authors:

Tianyong PengAuthors Info & Claims

ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering

Pages 1029 - 1040

https://doi.org/10.1145/3324884.3416553

Published: 27 January 2021 Publication History

Abstract

Reentrancy bugs, one of the most severe vulnerabilities in smart contracts, have caused huge financial loss in recent years. Researchers have proposed many approaches to detecting them. However, empirical studies have shown that these approaches suffer from undesirable false positives and false negatives, when the code under detection involves the interaction between multiple smart contracts.

In this paper, we propose an accurate and efficient cross-contract reentrancy detection approach in practice. Rather than design rule-of-thumb heuristics, we conduct a large empirical study of 11714 real-world contracts from Etherscan against three well-known general-purpose security tools for reentrancy detection. We manually summarized the reentrancy scenarios where the state-of-the-art approaches cannot address. Based on the empirical evidence, we present Clairvoyance, a cross-function and cross-contract static analysis to detect reentrancy vulnerabilities in real world with significantly higher accuracy. To reduce false negatives, we enable, for the first time, a cross-contract call chain analysis by tracking possibly tainted paths. To reduce false positives, we systematically summarized five major path protective techniques (PPTs) to support fast yet precise path feasibility checking. We implemented our approach and compared Clairvoyance with five state-of-the-art tools on 17770 real-worlds contracts. The results show that Clairvoyance yields the best detection accuracy among all the five tools and also finds 101 unknown reentrancy vulnerabilities.

References

[1]

2015. Ethereum: Blockchain App Platform. https://www.ethereum.org/. (2015). Online; accessed 29 January 2019.

[2]

2019. A Block Explorer and Analytics Platform for Ethereum. https://etherscan.io/. (2019). Online; accessed 29 January 2019.

[3]

2019. LLVM Language Reference Manual. https://blog.sigmaprime.io/solidity-security.html. (2019). Online; accessed 29 January 2019.

[4]

2019. Octopus. https://github.com/quoscient/octopus. (2019). Online; accessed 29 January 2019.

[5]

2020. Clairvoyance:. https://toolman-demo.readthedocs.io/en/latest/index.html. (2020). Online; accessed 1 May 2020.

[6]

Adrian Manning. 30 May 2018. Solidity Security: Comprehensive List of Known Attack Vectors and Common Anti-patterns. https://blog.sigmaprime.io/solidity-security.html. (30 May 2018). Online; accessed 29 January 2019.

[7]

Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In Acm Sigplan Notices, Vol. 49. ACM, 259--269.

Digital Library

[8]

Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. 2016. A survey of attacks on Ethereum smart contracts. IACR Cryptology ePrint Archive 2016 (2016), 1007.

[9]

David F Bacon and Peter F Sweeney. 1996. Fast static analysis of C++ virtual function calls. ACM Sigplan Notices 31, 10 (1996), 324--341.

Digital Library

[10]

ChainSecurity. 2019. Securify. https://securify.chainsecurity.com/. (2019). Online; accessed 29 January 2019.

[11]

ChainSecurity. 2019. Smart Check. https://tool.smartdec.net/. (2019). Online; accessed 29 January 2019.

[12]

Jialiang Chang, Bo Gao, Hao Xiao, Jun Sun, and Zijiang Yang. 2018. sCompile: Critical Path Identification and Analysis for Smart Contracts. CoRR abs/1808.00624 (2018). arXiv:1808.00624 http://arxiv.org/abs/1808.00624

[13]

ConsenSys. 2019. Mythril. https://github.com/ConsenSys/mythril-classic. (2019). Online; accessed 29 January 2019.

[14]

ConsenSys. 2019. MythX. https://mythx.io/. (2019). Online; accessed 29 January 2019.

[15]

ConsenSys Diligence. 2019. Ethereum Smart Contract Best Practices:Known Attacks. https://consensys.github.io/smart-contract-best-practices/known_attacks/. (2019). Online; accessed 29 January 2019.

[16]

David Siegel. [n. d.]. Understanding the DAO Attack. Website. ([n. d.]). https://www.coindesk.com/understanding-dao-hack-journalists.

[17]

Leonardo Mendonça de Moura and Nikolaj Bjørner. 2008. Z3: An Efficient SMT Solver. In TACAS 2008. 337--340.

Digital Library

[18]

Jeffrey Dean, David Grove, and Craig Chambers. 1995. Optimization of object-oriented programs using static class hierarchy analysis. In European Conference on Object-Oriented Programming. Springer, 77--101.

Digital Library

[19]

Xiaokang Fan, Yulei Sui, Xiangke Liao, and Jingling Xue. 2017. Boosting the precision of virtual call integrity protection with partial pointer analysis for C++. In Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM, 329--340.

Digital Library

[20]

Josselin Feist, Gustavo Greico, and Alex Groce. 2019. Slither: A Static Analysis Framework For Smart Contracts. In 2nd IEEE/ACM International Workshop on Emerging Trends in Software Engineering for Blockchain, WETSEB@ICSE 2019, MontrÃl'al, Canada. to appear.

[21]

GuardStrike. 2019. sFuzz: An AFL based fuzzer for smart contracts. https://fuzzing.gitbook.io/sfuzz/. (2019). Online; accessed 27 May 2019.

[22]

Arie Gurfinkel, Temesghen Kahsai, Anvesh Komuravelli, and Jorge A. Navas. 2015. The SeaHorn Verification Framework. In CAV 2015. 343--361.

[23]

Google Inc. 2019. Google Big Query Open Dataset. https://cloud.google.com/bigquery/public-data. (2019). Online; accessed 29 January 2019.

[24]

Bo Jiang, Ye Liu, and W. K. Chan. 2018. ContractFuzzer: fuzzing smart contracts for vulnerability detection. In ASE. ACM, 259--269.

[25]

Sukrit Kalra, Seep Goel, Mohan Dhawan, and Subodh Sharma. 2018. ZEUS: Analyzing Safety of Smart Contracts. In NDSS 2018.

[26]

Aashish Kolluri, Ivica Nikolic, Ilya Sergey, Aquinas Hobor, and Prateek Saxena. 2019. Exploiting the laws of order in smart contracts. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2019, Beijing, China, July 15--19, 2019. 363--373.

Digital Library

[27]

Ondřej Lhoták and Laurie Hendren. 2003. Scaling Java points-to analysis using S park. In International Conference on Compiler Construction. Springer, 153--169.

[28]

Yun Lin, Guozhu Meng, Yinxing Xue, Zhenchang Xing, Jun Sun, Xin Peng, Yang Liu, Wenyun Zhao, and Jinsong Dong. 2017. Mining implicit design templates for actionable code reuse. In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 394--404.

[29]

Yun Lin, Xin Peng, Zhenchang Xing, Diwen Zheng, and Wenyun Zhao. 2015. Clone-based and interactive recommendation for modifying pasted code. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering. 520--531.

Digital Library

[30]

Yun Lin, Jun Sun, Gordon Fraser, Ziheng Xiu, Ting Liu, and Jin Song Dong. 2020. Recovering fitness gradients for interprocedural Boolean flags in search-based testing. In Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis. 440--451.

Digital Library

[31]

Yun Lin, Jun Sun, Lyly Tran, Guangdong Bai, Haijun Wang, and Jinsong Dong. 2018. Break the dead end of dynamic slicing: localizing data and control omission bug. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. 509--519.

Digital Library

[32]

Yun Lin, Jun Sun, Yinxing Xue, Yang Liu, and Jinsong Dong. 2017. Feedback-based debugging. In 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE). IEEE, 393--403.

Digital Library

[33]

Yun Lin, Zhenchang Xing, Xin Peng, Yang Liu, Jun Sun, Wenyun Zhao, and Jinsong Dong. 2014. Clonepedia: Summarizing code clones by common syntactic context for software maintenance. In 2014 IEEE International Conference on Software Maintenance and Evolution. IEEE, 341--350.

Digital Library

[34]

V Benjamin Livshits and Monica S Lam. 2003. Tracking pointers with path and context sensitivity for bug detection in C programs. ACM SIGSOFT Software Engineering Notes 28, 5 (2003), 317--326.

Digital Library

[35]

Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. 2016. Making Smart Contracts Smarter. In CCS 2016. 254--269.

Digital Library

[36]

melonproject. 2019. Oyente. https://github.com/melonproject/oyente. (2019). Online; accessed 29 January 2019.

[37]

Tai D Nguyen, Long H Pham, Jun Sun, Yun Lin, and Quang Tran Minh. 2020. sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts. In Proceedings of the 42nd International Conference on Software Engineering.

Digital Library

[38]

Nick Szabo. 1996. Smart Contracts: Building Blocks for Digital Markets. http://www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/smart_contracts_2.html. (1996). Online; accessed 29 January 2019.

[39]

Ivica Nikolic, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor. 2018. Finding The Greedy, Prodigal, and Suicidal Contracts at Scale. In Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, December 03--07, 2018. 653--663.

Digital Library

[40]

Anton Permenev, Dimitar Dimitrov, Petar Tsankov, Dana Drachsler-Cohen, and Martin Vechev. 2020. VerX: Safety Verification of Smart Contracts. In IEEE S&P 2020.

[41]

SlithIR Dev. Team. 2019. SlithIR Types. https://github.com/crytic/slither/wiki/SlithIR. (2019). Online; accessed 30 June 2019.

[42]

Solidity Dev. Team. 2019. Solidity --- Security Considerations. https://solidity.readthedocs.io/en/v0.5.0/security-considerations.html. (2019). Online; accessed 30 June 2019.

[43]

Yulei Sui and Jingling Xue. 2016. On-demand strong update analysis via value-flow refinement. In Proceedings of the 2016 24th ACM SIGSOFT international symposium on foundations of software engineering. ACM, 460--473.

Digital Library

[44]

Yulei Sui, Ding Ye, and Jingling Xue. 2012. Static memory leak detection using full-sparse value-flow analysis. In Proceedings of the 2012 International Symposium on Software Testing and Analysis. ACM, 254--264.

Digital Library

[45]

Vijay Sundaresan, Laurie Hendren, Chrislain Razafimahefa, Raja Vallée-Rai, Patrick Lam, Etienne Gagnon, and Charles Godin. 2000. Practical virtual method call resolution for Java. Vol. 35. ACM.

Digital Library

[46]

Sergei Tikhomirov, Ekaterina Voskresenskaya, Ivan Ivanitskiy, Ramil Takhaviev, Evgeny Marchenko, and Yaroslav Alexandrov. 2018. SmartCheck: Static Analysis of Ethereum Smart Contracts. In WETSEB@ICSE 2018. 9--16.

Digital Library

[47]

trailofbits. 2019. Echidna. https://github.com/trailofbits/echidna. (2019). Online; accessed 29 January 2019.

[48]

trailofbits. 2019. Manticore. https://github.com/trailofbits/manticore. (2019). Online; accessed 29 January 2019.

[49]

trailofbits. 2019. Slither. github. (2019). https://github.com/trailofbits/slither.

[50]

Petar Tsankov, Andrei Marian Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian Bünzli, and Martin T. Vechev. 2018. Securify: Practical Security Analysis of Smart Contracts. In CCS 2018. 67--82.

[51]

Haijun Wang, Yun Lin, Zijiang Yang, Jun Sun, Yang Liu, Jin Song Dong, Qinghua Zheng, and Ting Liu. 2019. Explaining regressions via alignment slicing and mending. IEEE Transactions on Software Engineering (2019).

[52]

Shengqian Yang, Dacong Yan, Haowei Wu, Yan Wang, and Atanas Rountev. 2015. Static control-flow analysis of user-driven callbacks in Android applications. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 1. IEEE, 89--99.

[53]

Yifei Zhang, Yulei Sui, and Jingling Xue. 2018. Launch-mode-aware context-sensitive activity transition analysis. In 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE). IEEE, 598--608.

Digital Library

Cited By

Ye MNan YDai HYang SLuo XZheng Z(2024)FunFuzz: A Function-Oriented Fuzzer for Smart Contract Vulnerability Detection with High Effectiveness and EfficiencyACM Transactions on Software Engineering and Methodology10.1145/367472533:7(1-20)Online publication date: 28-Jun-2024
https://dl.acm.org/doi/10.1145/3674725
Li KXue YChen SLiu HSun KHu MWang HLiu YChen Y(2024)Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We?Proceedings of the ACM on Software Engineering10.1145/36607721:FSE(1447-1470)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660772
Ye MLin XNan YWu JZheng ZChristakis MPradel M(2024)Midas: Mining Profitable Exploits in On-Chain Smart Contracts via Feedback-Driven Fuzzing and Differential AnalysisProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680321(794-805)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680321
Show More Cited By

Index Terms

Cross-contract static analysis for detecting practical reentrancy vulnerabilities in smart contracts
1. Security and privacy
  1. Systems security
    1. Distributed systems security
2. Software and its engineering
  1. Software organization and properties
    1. Extra-functional properties
      1. Software safety

Recommendations

The treewidth of smart contracts
SAC '19: Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing

Smart contracts are programs that are stored and executed on the Blockchain and can receive, manage and transfer money (cryptocurrency units). Two important problems regarding smart contracts are formal analysis and compiler optimization. Formal ...
Android static taint analysis based on multi branch search association
Abstract
Taint analysis is a method used to detect system security problems by tracking the flow of user input or information leakage through the system. In the taint analysis for Android applications, the complete taint propagation path is generally ...
Uncover the Premeditated Attacks: Detecting Exploitable Reentrancy Vulnerabilities by Identifying Attacker Contracts
ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

Reentrancy, a notorious vulnerability in smart contracts, has led to millions of dollars in financial loss. However, current smart contract vulnerability detection tools suffer from a high false positive rate in identifying contracts with reentrancy ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering

December 2020

1449 pages

ISBN:9781450367684

DOI:10.1145/3324884

General Chair:
John Grundy,
Program Chairs:
Claire Le Goues,
David Lo

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 January 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Natural Science Foundation of China

Conference

ASE '20

Sponsor:

ASE '20: 35th IEEE/ACM International Conference on Automated Software Engineering

December 21 - 25, 2020

Virtual Event, Australia

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%

Upcoming Conference

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

47
Total Citations
View Citations
627
Total Downloads

Downloads (Last 12 months)221
Downloads (Last 6 weeks)9

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ye MNan YDai HYang SLuo XZheng Z(2024)FunFuzz: A Function-Oriented Fuzzer for Smart Contract Vulnerability Detection with High Effectiveness and EfficiencyACM Transactions on Software Engineering and Methodology10.1145/367472533:7(1-20)Online publication date: 28-Jun-2024
https://dl.acm.org/doi/10.1145/3674725
Li KXue YChen SLiu HSun KHu MWang HLiu YChen Y(2024)Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We?Proceedings of the ACM on Software Engineering10.1145/36607721:FSE(1447-1470)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660772
Ye MLin XNan YWu JZheng ZChristakis MPradel M(2024)Midas: Mining Profitable Exploits in On-Chain Smart Contracts via Feedback-Driven Fuzzing and Differential AnalysisProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680321(794-805)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680321
Liao ZNan YLiang HHao SZhai JWu JZheng Z(2024)SmartAxe: Detecting Cross-Chain Vulnerabilities in Bridge Smart Contracts via Fine-Grained Static AnalysisProceedings of the ACM on Software Engineering10.1145/36437381:FSE(249-270)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3643738
Gao CYang WYe JXue YSun J(2024)sGuard+: Machine Learning Guided Rule-Based Automated Vulnerability Repair on Smart ContractsACM Transactions on Software Engineering and Methodology10.1145/364184633:5(1-55)Online publication date: 4-Jun-2024
https://dl.acm.org/doi/10.1145/3641846
Luo FLuo RChen TQiao AHe ZSong SJiang YLi SRoychoudhury APaiva AAbreu RStorey M(2024)SCVHunter: Smart Contract Vulnerability Detection Based on Heterogeneous Graph Attention NetworkProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639213(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639213
Yang SChen JHuang MZheng ZHuang YRoychoudhury APaiva AAbreu RStorey M(2024)Uncover the Premeditated Attacks: Detecting Exploitable Reentrancy Vulnerabilities by Identifying Attacker ContractsProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639153(1-12)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639153
Zhong ZZheng ZDai HXue QChen JNan YRoychoudhury APaiva AAbreu RStorey M(2024)PrettySmart: Detecting Permission Re-delegation Vulnerability for Token Behaviors in Smart ContractsProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639140(1-12)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639140
Chaliasos SCharalambous MZhou LGalanopoulou RGervais AMitropoulos DLivshits BRoychoudhury APaiva AAbreu RStorey M(2024)Smart Contract and DeFi Security Tools: Do They Meet the Needs of Practitioners?Proceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3623302(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3623302
Li XYang JChen JTang YGao XChua TNgo CKa-Wei Lee RKumar RLauw H(2024)Characterizing Ethereum Upgradable Smart Contracts and Their Security ImplicationsProceedings of the ACM Web Conference 202410.1145/3589334.3645640(1847-1858)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645640
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents