DOI: 10.1145/3650212.3652116
research-article

DAppFL: Just-in-Time Fault Localization for Decentralized Applications in Web3

Published: 11 September 2024 Publication History

Abstract

Web3 describes an idea for the next evolution of the Internet, where blockchain technology enables the Internet of Value. As Web3 software, decentralized applications (DApps) have emerged in recent years. There exists a natural link between DApps and cryptocurrencies, where faults in DApps could directly lead to monetary losses associated with cryptocurrencies. Hence, efficient fault localization technology is of paramount importance for urgent DApp rescue operations and the mitigation of financial losses. However, fault localization methods applied in traditional applications are not well-suited for this specific field, due to their inability to identify DApp-specific fault features, e.g., a substantial amount of cryptocurrency is transferred from DApps to hackers. In order to explore the root cause of DApp faults, some researchers try to identify suspicious code snippets through mutation testing. Nonetheless, applying mutation testing for DApp fault localization is time-consuming and thus limited in practice. This paper conducts the first comprehensive study of DApp fault localization. We introduce DAppFL, a learning-based DApp fault localization tool that performs reverse engineering to gather executed source code and then traces cryptocurrency flow to assist in locating faulty functions. We also present the inaugural dataset for DApp fault localization, providing a new benchmark for this domain. Our experimental results demonstrate that DAppFL locates 63% of faults within the Top-5, 23% more than the state-of-the-art method. To facilitate further research, our code and dataset are freely available online: https://github.com/xplanet-sysu/awesome-works#dappfl.

Published In

ISSTA 2024: Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
September 2024
1928 pages
ISBN:9798400706127
DOI:10.1145/3650212

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Web3
  2. decentralized applications
  3. fault localization

Funding Sources

  • National Key Research and Development Program of China
  • National Natural Science Foundation of China
  • Natural Science Foundation of Guangdong Province
  • Shanghai Committee of Science and Technology, China

Conference

ISSTA '24

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%
