DOI: 10.1145/3533767.3534218
Research article, open access

WASAI: uncovering vulnerabilities in Wasm smart contracts

Published: 18 July 2022

Abstract

WebAssembly (Wasm) smart contracts have recently grown in popularity across blockchains (e.g., EOSIO). Like Ethereum smart contracts, Wasm smart contracts suffer from various attacks that exploit their vulnerabilities. Even worse, few developers have released the source code of their Wasm smart contracts for security review, which raises the bar for uncovering vulnerable contracts. Although a few approaches have been proposed to detect vulnerable Wasm smart contracts, they have several major limitations, e.g., low code coverage, low accuracy, lack of scalability, and the inability to produce exploit payloads. To fill the gap, in this paper we design and develop WASAI, a new concolic fuzzer for uncovering vulnerabilities in Wasm smart contracts, after tackling several challenging issues. We conduct extensive experiments to evaluate WASAI, and the results show that it outperforms the state-of-the-art methods. For example, it achieves twice the code coverage of the baselines and surpasses them in detection accuracy, with an F1-measure of 99.2%. Moreover, WASAI can handle complicated contracts (e.g., contracts with obfuscation and sophisticated verification). Applying WASAI to 991 smart contracts deployed in the wild, we find that over 70% of them are vulnerable. At the time of this study, over 300 vulnerable contracts had not been patched and were still operating on the EOSIO Mainnet. One fake EOS vulnerability reported to the EOSIO ecosystem was recently assigned a CVE identifier (CVE-2022-27134).




Published In

ISSTA 2022: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2022, 808 pages
ISBN: 9781450393799
DOI: 10.1145/3533767

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. Concolic fuzzing
2. dynamic software analysis
3. smart contracts

Conference

ISSTA '22
Overall Acceptance Rate: 58 of 213 submissions, 27%

Cited By
• (2024) Issues and Their Causes in WebAssembly Applications: An Empirical Study. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, pp. 170-180. DOI: 10.1145/3661167.3661227. Online publication date: 18-Jun-2024.
• (2024) VM Matters: A Comparison of WASM VMs and EVMs in the Performance of Blockchain Smart Contracts. ACM Transactions on Modeling and Performance Evaluation of Computing Systems 9(2), pp. 1-24. DOI: 10.1145/3641103. Online publication date: 27-Jan-2024.
• (2024) OpenSCV: an open hierarchical taxonomy for smart contract vulnerabilities. Empirical Software Engineering 29(4). DOI: 10.1007/s10664-024-10446-8. Online publication date: 1-Jul-2024.
• (2023) SmartState: Detecting State-Reverting Vulnerabilities in Smart Contracts via Fine-Grained State-Dependency Analysis. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 980-991. DOI: 10.1145/3597926.3598111. Online publication date: 12-Jul-2023.
• (2022) Poster. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 3391-3393. DOI: 10.1145/3548606.3563545. Online publication date: 7-Nov-2022.
