区块链论文速读A会-ISSTA 2023(2/2)如何检测DeFi协议中的价格操纵漏洞

图片

Conference:ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA)

CCF level:CCF A

Categories:Software Engineering/System Software/Programming Languages

Year:2023

第1~5篇区块链文章 请点击此处查看

6

Title: 

SmartState: Detecting State-Reverting Vulnerabilities in Smart Contracts via Fine-Grained State-Dependency Analysis

SmartState:通过细粒度状态依赖性分析检测智能合约中的状态恢复漏洞

Authors

图片

Key words:

bug finding, smart contract, static analysis, state dependency

bug查找、智能合约、静态分析、状态依赖

Abstract

Smart contracts written in Solidity are widely used in different blockchain platforms such as Ethereum, TRON and BNB Chain. One of the unique designs in Solidity smart contracts is its statereverting mechanism for error handling and access control. Unfortunately, a number of recent security incidents showed that adversaries also utilize this mechanism to manipulate critical states of smart contracts, and hence, bring security consequences such as illegal profit-gain and Deny-of-Service (DoS). In this paper, we call such vulnerabilities as the State-reverting Vulnerability (SRV). Automatically identifying SRVs poses unique challenges, as it requires an in-depth analysis and understanding of the state-dependency relations in smart contracts. This paper presents SmartState, a new framework for detecting state-reverting vulnerability in Solidity smart contracts via finegrained state-dependency analysis. SmartState integrates a set of novel mechanisms to ensure its effectiveness. Particularly, Smart- State extracts state dependencies from both contract bytecode and historical transactions. Both of them are critical for inferring dependencies related to SRVs. Further, SmartState models the generic patterns of SRVs (i.e., profit-gain and DoS) as SRV indicators, and hence effectively identify SRVs based on the constructed statedependency graph. To evaluate SmartState, we manually annotated a ground-truth dataset which contains 91 SRVs in the real world. Evaluation results showed that SmartState achieves a precision of 87.23% and a recall of 89.13%. In addition, SmartState successfully identifies 406 new SRVs from 47,351 real-world smart contracts. 11 of these SRVs are from popular smart contracts with high transaction amounts (i.e., top 2000). In total, our reported SRVs affect a total amount of digital assets worth 428,600 USD.

用 Solidity 编写的智能合约广泛应用于以太坊、波场和 BNB Chain 等不同的区块链平台。Solidity 智能合约的独特设计之一是其用于错误处理和访问控制的状态恢复机制。不幸的是,最近的一些安全事件表明,攻击者还利用这种机制来操纵智能合约的关键状态,从而带来非法获利和拒绝服务 (DoS) 等安全后果。在本文中,我们将此类漏洞称为状态恢复漏洞 (SRV)。自动识别 SRV 带来了独特的挑战,因为它需要深入分析和理解智能合约中的状态依赖关系。本文介绍了 SmartState,这是一种通过细粒度状态依赖分析检测 Solidity 智能合约中状态恢复漏洞的新框架。SmartState 集成了一套新颖的机制来确保其有效性。特别是,Smart-State 从合约字节码和历史交易中提取状态依赖关系。它们两者对于推断与 SRV 相关的依赖关系都至关重要。此外,SmartState 将 SRV 的通用模式(即利润收益和 DoS)建模为 SRV 指标,从而根据构建的状态依赖图有效地识别 SRV。为了评估 SmartState,我们手动标注了一个包含现实世界中 91 个 SRV 的真实数据集。评估结果表明,SmartState 的准确率为 87.23%,召回率为 89.13%。此外,SmartState 还从 47,351 个现实世界智能合约中成功识别出 406 个新的 SRV。其中 11 个 SRV 来自交易金额较高的热门智能合约(即前 2000 个)。总的来说,我们报告的 SRV 影响了总价值 428,600 美元的数字资产。

图片

图片

图片

图片

图片

assertion-related state dependency (ASD)

temporal order state dependency (TSD)

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597926.3598111

7

Title: 

Toward Automated Detecting Unanticipated Price Feed in Smart Contract

在智能合约中自动检测意外价格馈送

Authors

图片

Key words:

Smart Contract, Formal Verification, Price Oracle, DeFi

智能合约、形式化验证、价格预言机、DeFi

Abstract

Decentralized finance (DeFi) based on smart contracts has reached a total value locked (TVL) of over USD 200 billion in 2022. In DeFi ecosystems, price oracles play a critical role in providing real-time price feeds for cryptocurrencies to ensure accurate asset pricing in smart contracts. However, the price oracle also faces security issues, including the possibility of unanticipated price feeds, which can lead to imbalances in debt and assets in the DeFi protocol. However, existing solutions cannot effectively combine transactions and code for real-time monitoring of price oracles. To address this limitation, we first categorize price oracles as either DON oracles, DEX oracles, or internal oracles based on trusted parties, and analyze their security risks, data sources, price duration, and query fees. Then, we propose VeriOracle, a formal verification framework for the automated detection of unanticipated price feeds in smart contracts. VeriOracle can deploy a formal semantic model of the price oracle on the blockchain to detect the status of smart contracts and identify unanticipated price feed transactions in real time. We apply VeriOracle to verify over 500,000 transactions of 13 vulnerable DeFi protocols in the real world. The experimental results show that (1) VeriOracle is effective and it can detect unanticipated price feeds before DeFi attacks (33,714 blocks ahead of the attacker in the best case); (2) VeriOracle is efficient in that its verification time (about 4s) is less than the block time of Ethereum (about 14s), which means VeriOracle can detect unsafe transactions in real time; and (3) VeriOracle is extendable for verifying defense strategies. Attacks using unanticipated price feeds can only succeed in particular smart contract states. VeriOracle can verify which smart contract states can defend against attacks.

基于智能合约的去中心化金融 (DeFi) 已在 2022 年达到超过 2000 亿美元的总锁定价值 (TVL)。在 DeFi 生态系统中,价格预言机在为加密货币提供实时价格信息以确保智能合约中资产定价准确方面发挥着关键作用。然而,价格预言机也面临安全问题,包括可能出现意外的价格信息,这可能导致 DeFi 协议中的债务和资产不平衡。然而,现有的解决方案无法有效地结合交易和代码来实时监控价格预言机。为了解决这一限制,我们首先根据可信方将价格预言机分类为 DON 预言机、DEX 预言机或内部预言机,并分析它们的安全风险、数据来源、价格持续时间和查询费用。然后,我们提出了 VeriOracle,这是一个用于自动检测智能合约中意外价格信息的形式化验证框架。VeriOracle 可以在区块链上部署价格预言机的形式化语义模型,以检测智能合约的状态并实时识别意外的价格馈送交易。我们应用 VeriOracle 验证了现实世界中 13 个易受攻击的 DeFi 协议的 500,000 多笔交易。实验结果表明:(1)VeriOracle 是有效的,它可以在 DeFi 攻击之前检测到意外的价格馈送(最好情况下比攻击者提前 33,714 个区块);(2)VeriOracle 的验证时间(约 4 秒)小于以太坊的出块时间(约 14 秒),这意味着 VeriOracle 可以实时检测不安全的交易;(3)VeriOracle 可扩展以验证防御策略。使用意外价格馈送的攻击只能在特定的智能合约状态下成功。VeriOracle 可以验证哪些智能合约状态可以抵御攻击。

图片

 decentralized exchanges (DEX)

Decentralized Oracle Networks (DONs)

图片

图片

图片

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597926.3598133

8

Title: 

Detecting State Inconsistency Bugs in DApps via On-Chain Transaction Replay and Fuzzing

通过链上交易重放和模糊测试检测 DApp 中的状态不一致错误

Authors

Mingxi Ye,Sun Yat-sen University,China

Yuhong Nan,Sun Yat-sen University

Zibin Zheng,Sun Yat-sen University

Dongpeng Wu, Sun Yat-sen University

Huizhong Li, WeBank,China

Abstract

Decentralized applications (DApps) consist of multiple smart contracts running on Blockchain. With the increasing popularity of the DApp ecosystem, vulnerabilities in DApps could bring significant impacts such as financial losses. Identifying vulnerabilities in DApps is by no means trivial, as modern DApps consist of complex interactions across multiple contracts. Previous research suffers from either high false positives or false negatives, due to the lack of precise contextual information which is mandatory for confirming smart contract vulnerabilities when analyzing smart contracts. In this paper, we present IcyChecker, a new fuzzing-based framework to effectively identify State inconsistency (SI) Bugs – a specific type of bugs that can cause vulnerabilities such as re-entrancy, front-running with complex patterns. Different from prior works, IcyChecker utilizes a set of accurate contextual information for contract fuzzing by replaying the on-chain historical transactions. Besides, instead of designing specific testing oracles which are required by other fuzzing approaches, IcyChecker implements novel mechanisms to mutate a set of fuzzing transaction sequences, and further identify SI bugs by observing their state differences. Evaluation of IcyChecker over the top 100 popular DApps showed it effectively identifies a total number of 277 SI bugs, with a precision of 87%. By comparing IcyChecker with other state-of-the-art tools (i.e., Smartian, Confuzzius, and Sailfish), we show IcyChecker not only identifies more SI bugs but also with much lower false positives, thanks to its integration of accurate on-chain data and unique fuzzing strategies. Our research sheds light on new ways of detecting smart contract vulnerabilities in DApps.


 

去中心化应用程序(DApps)由在区块链上运行的多个智能合约组成。随着 DApp 生态系统的日益普及,DApp 中的漏洞可能会带来重大影响,例如财务损失。识别 DApp 中的漏洞绝非易事,因为现代 DApp 包含跨多个合约的复杂交互。先前的研究存在高误报率或漏报率,这是因为缺乏精确的上下文信息,而这些信息在分析智能合约时对于确认智能合约漏洞是必不可少的。在本文中,我们提出了 IcyChecker,这是一个基于模糊测试的新框架,可有效识别状态不一致(SI)错误 - 这是一种特定类型的错误,可能导致诸如重入、具有复杂模式的抢先交易等漏洞。与之前的研究不同,IcyChecker 通过重放链上历史交易,利用一组准确的上下文信息进行合约模糊测试。此外,IcyChecker 无需设计其他模糊测试方法所需的特定测试预言机,而是实现了新颖的机制来改变一组模糊测试交易序列,并通过观察它们的状态差异进一步识别 SI 错误。对前 100 个流行 DApp 的 IcyChecker 评估表明,它有效识别了总共 277 个 SI 错误,准确率为 87%。通过将 IcyChecker 与其他最先进的工具(即 Smartian、Confuzzius 和 Sailfish)进行比较,我们发现 IcyChecker 不仅可以识别出更多的 SI 错误,而且由于其集成了准确的链上数据和独特的模糊测试策略,误报率也低得多。我们的研究为检测 DApp 中的智能合约漏洞的新方法提供了启示。

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597926.3598057

9

Title: 

DeFiTainter: Detecting Price Manipulation Vulnerabilities in DeFi Protocols

DeFiTainter:检测 DeFi 协议中的价格操纵漏洞

Authors

图片

Key words:

vulnerability detection, smart contract, taint analysis

漏洞检测、智能合约、污点分析

Abstract

DeFi protocols are programs that manage high-value digital assets on blockchain. The price manipulation vulnerability is one of the common vulnerabilities in DeFi protocols, which allows attackers to gain excessive profits by manipulating token prices. In this paper, we propose DeFiTainter, an inter-contract taint analysis framework for detecting price manipulation vulnerabilities. DeFiTainter features two innovative mechanisms to ensure its effectiveness. The first mechanism is to construct a call graph for inter-contract taint analysis by restoring call information, not only from code constants but also from contract storage and function parameters. The second mechanism is a high-level semantic induction tailored for detecting price manipulation vulnerabilities, which accurately identifies taint sources and sinks and tracks taint data across contracts. Extensive evaluation of real-world incidents and high-value DeFi protocols shows that DeFiTainter outperforms existing approaches and achieves state-of-the-art performance with a precision of 96% and a recall of 91.3% in detecting price manipulation vulnerabilities. Furthermore, DeFiTainter uncovers three previously undisclosed price manipulation vulnerabilities.

DeFi 协议是管理区块链上高价值数字资产的程序。价格操纵漏洞是 DeFi 协议中常见的漏洞之一,攻击者可以通过操纵代币价格获取超额利润。本文提出了 DeFiTainter,一个用于检测价格操纵漏洞的合约间污点分析框架。DeFiTainter 具有两种创新机制来确保其有效性。第一种机制是通过恢复调用信息来构建合约间污点分析的调用图,不仅从代码常量,而且从合约存储和函数参数中恢复调用信息。第二种机制是专门为检测价格操纵漏洞而定制的高级语义归纳,它可以准确识别污点源和污点接收器并跟踪跨合约的污点数据。对现实世界事件和高价值 DeFi 协议的广泛评估表明,DeFiTainter 优于现有方法,在检测价格操纵漏洞方面以 96% 的准确率和 91.3% 的召回率实现了最先进的性能。此外,DeFiTainter 还发现了三个以前未披露的价格操纵漏洞。

图片

图片

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597926.3598124

图片

关注我们,持续接收区块链最新论文

洞察区块链技术发展趋势

Follow us to keep receiving the latest blockchain papers

Insight into Blockchain Technology Trends

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/diannao/42493.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

09视图,触发器,事务,存储过程,函数,流程控制,索引,隔离机制,锁机制,三大范式

【一】视图 (1)视图须知概念 1.什么是视图? 视图就是通过查询得到一张虚拟表,然后保存下来,下次可以直接使用 2.为什么要用视图? 如果要频繁操作一张虚拟表(拼表组成),就可以制作成视图,后续直接操作 注意…

IDEA 创建springboot项目杂记-更新中

一、工具使用杂记 1、使用maven 创建新springboot项目时,因为https://start.spring.io/ 连接不上项目无法创建。直接把脚手架地址换为国内的 http://start.aliyun.com

田忌赛马 贪心

本题是更难的那道,一场50 最低为o 第一行一个整数 𝑛n ,表示他们各有几匹马(两人拥有的马的数目相同)。第二行 𝑛n 个整数,每个整数都代表田忌的某匹马的速度值(0≤0≤ 速度值 ≤100≤1…

Python】从文本字符串中提取数字、电话号码、日期、网址的方法

关于从文本字符串中提取数字、电话号码、日期和网址的方法: 提取数字: 在 Python 中,使用正则表达式 \d 来匹配数字。 \d 表示匹配一个数字字符(0-9)。如果要匹配连续的数字,可以使用 \d 。 import re def …

C++面向对象的常见面试题目(一)

1. 面向对象的三大特征 &#xff08;1&#xff09;封装&#xff1a;隐藏对象的内部状态&#xff0c;只暴露必要的接口。 #include <iostream> #include <string>// 定义一个简单的类 Person class Person { private: // 私有成员&#xff0c;外部不可直接访问std…

Mac OS ssh 连接提示 Permission denied (publickey)

这错误有点奇葩&#xff0c;MacBook的IDE(vscode和pycharm)远程都连不上&#xff0c;terminal能连上&#xff0c;windows的pycharm能连上&#xff0c;见鬼了&#xff0c;所以肯定不是秘钥的问题了&#xff0c;查了好久竟然发现是权限的问题。。 chmod 400 ~/.ssh/id_rsa http…

华为机试HJ37统计每个月兔子的总数

华为机试HJ37统计每个月兔子的总数 题目&#xff1a; 想法&#xff1a; 上述题目实际是一个斐波那契数列&#xff0c;利用斐波那契数列对问题进行求解 input_number int(input())def fib(n):if n < 2:return 1else:n_1 1n_2 1count 2while count < n:n_1, n_2 n_…

【Android】【多屏】多屏异显异触调试技巧总结

这里写目录标题 如何获取多屏IDs获取多屏的size/density如何启动应用到指定DisplayId多屏截屏/录屏screencapscreenrecord发送按键到指定DisplayId 如何获取多屏IDs dumpsys display | grep mDisplayIdtrinket:/ # dumpsys display | grep mDisplayIdmDisplayId0mDisplayId2 t…

【AI资讯】可以媲美GPT-SoVITS的低显存开源文本转语音模型Fish Speech

Fish Speech是一款由fishaudio开发的全新文本转语音工具&#xff0c;支持中英日三种语言&#xff0c;语音处理接近人类水平&#xff0c;使用Flash-Attn算法处理大规模数据&#xff0c;提供高效、准确、稳定的TTS体验。 Fish Audio

区块链技术的应用场景和优势。

区块链技术具有广泛的应用场景和优势。 区块链技术的应用场景&#xff1a; 1. 金融服务&#xff1a;区块链可用于支付、跨境汇款、借贷和结算等金融服务&#xff0c;提高交易效率、降低成本并增强安全性。 2. 物联网&#xff08;IoT&#xff09;&#xff1a;区块链可以用于物…

机器学习Day12:特征选择与稀疏学习

1.子集搜索与评价 相关特征&#xff1a;对当前学习任务有用的特征 无关特征&#xff1a;对当前学习任务没用的特征 特征选择&#xff1a;从给定的特征集合中选择出相关特征子集的过程 为什么要特征选择&#xff1f; 1.任务中经常碰到维数灾难 2.去除不相关的特征能降低学习的…

Git注释规范

主打一个有用 代码的提交规范参考如下&#xff1a; init:初始化项目feat:新功能&#xff08;feature&#xff09;fix:修补bugdocs:文档&#xff08;documentation&#xff09;style:格式&#xff08;不影响代码运行的变动&#xff09;refactor:重构&#xff08;即不是新增功能…

NodeJs获取文件扩展名

path.extname 是 Node.js 路径模块 (path) 中的一个方法&#xff0c;用于获取文件路径的扩展名。扩展名是指文件名中最后一个 .&#xff08;点&#xff09;之后的部分&#xff0c;包括这个 .。 const path require(path);const filename example.txt; const ext path.extna…

计算机网络之令牌环

1.令牌环工作原理 令牌环&#xff08;Token Ring&#xff09;是一种局域网&#xff08;LAN&#xff09;的通信协议&#xff0c;最初由IBM在1984年开发并标准化为IEEE 802.5标准。在令牌环网络中&#xff0c;所有的计算机或工作站被连接成一个逻辑或物理的环形拓扑结构。网络中…

排序(2)

我们在排序&#xff08;1&#xff09;中说到选择排序的代码&#xff1a; void SelectSort(int* a,int n) {int begin0,endn-1;int minibegin,maxbegin;for(int ibegin1;i<end;i){if(a[i]>a[max]){maxii;}if(a[i]<a[mini]){minii;}begin;--end;}Swap(&a[beign],&a…

SKF轴承故障频率查询

1&#xff0c;第一步&#xff1a;搜索轴承型号 skf官网 2&#xff0c;第二步&#xff1a;查询故障频率。 第三步&#xff1a;

尚品汇-(十四)

&#xff08;1&#xff09;提交git 商品后台管理到此已经完成&#xff0c;我们可以把项目提交到公共的环境&#xff0c;原来使用svn&#xff0c;现在使用git 首先在本地创建ssh key&#xff1b; 命令&#xff1a;ssh-keygen -t rsa -C "your_emailyouremail.com" I…

完美解决ERROR 1045 (28000): Access denied for user ‘root‘@‘localhost‘ (using password: NO)

已解决ERROR 1045 (28000): Access denied for user ‘root‘‘localhost‘ (using password: NO) 下滑查看解决方法 文章目录 报错问题解决思路解决方法交流 报错问题 ERROR 1045 (28000): Access denied for user ‘root‘‘localhost‘ (using password: NO) 解决思路 对…

InfluxDB v2.x中的Flux基本概念

InfluxDB v2.x中的Flux查询语言的核心概念主要包括以下几个方面&#xff1a; 1. 表&#xff08;Tables&#xff09; Flux以表&#xff08;Tables&#xff09;的形式处理数据。每个表包含多行数据&#xff0c;每行数据都是一个record&#xff08;记录&#xff09;&#xff0c;…

落日余晖映晚霞

落日余晖映晚霞&#xff0c;立于海滨&#xff0c;望夕阳余晖洒于波光粼粼之上&#xff0c;金光跳跃&#xff0c;若繁星闪烁&#xff0c;耀人心目。 海风轻拂&#xff0c;心境宁静&#xff0c;凡尘俗务皆于此刹那消散&#xff0c;思绪万干&#xff0c;或忆往昔点滴&#xff0c;或…