区块链论文速读A会-ISSTA 2023(2/2)如何检测DeFi协议中的价格操纵漏洞

图片

Conference:ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA)

CCF level:CCF A

Categories:Software Engineering/System Software/Programming Languages

Year:2023

第1~5篇区块链文章 请点击此处查看

6

Title: 

SmartState: Detecting State-Reverting Vulnerabilities in Smart Contracts via Fine-Grained State-Dependency Analysis

SmartState:通过细粒度状态依赖性分析检测智能合约中的状态恢复漏洞

Authors

图片

Key words:

bug finding, smart contract, static analysis, state dependency

bug查找、智能合约、静态分析、状态依赖

Abstract

Smart contracts written in Solidity are widely used in different blockchain platforms such as Ethereum, TRON and BNB Chain. One of the unique designs in Solidity smart contracts is its statereverting mechanism for error handling and access control. Unfortunately, a number of recent security incidents showed that adversaries also utilize this mechanism to manipulate critical states of smart contracts, and hence, bring security consequences such as illegal profit-gain and Deny-of-Service (DoS). In this paper, we call such vulnerabilities as the State-reverting Vulnerability (SRV). Automatically identifying SRVs poses unique challenges, as it requires an in-depth analysis and understanding of the state-dependency relations in smart contracts. This paper presents SmartState, a new framework for detecting state-reverting vulnerability in Solidity smart contracts via finegrained state-dependency analysis. SmartState integrates a set of novel mechanisms to ensure its effectiveness. Particularly, Smart- State extracts state dependencies from both contract bytecode and historical transactions. Both of them are critical for inferring dependencies related to SRVs. Further, SmartState models the generic patterns of SRVs (i.e., profit-gain and DoS) as SRV indicators, and hence effectively identify SRVs based on the constructed statedependency graph. To evaluate SmartState, we manually annotated a ground-truth dataset which contains 91 SRVs in the real world. Evaluation results showed that SmartState achieves a precision of 87.23% and a recall of 89.13%. In addition, SmartState successfully identifies 406 new SRVs from 47,351 real-world smart contracts. 11 of these SRVs are from popular smart contracts with high transaction amounts (i.e., top 2000). In total, our reported SRVs affect a total amount of digital assets worth 428,600 USD.

用 Solidity 编写的智能合约广泛应用于以太坊、波场和 BNB Chain 等不同的区块链平台。Solidity 智能合约的独特设计之一是其用于错误处理和访问控制的状态恢复机制。不幸的是,最近的一些安全事件表明,攻击者还利用这种机制来操纵智能合约的关键状态,从而带来非法获利和拒绝服务 (DoS) 等安全后果。在本文中,我们将此类漏洞称为状态恢复漏洞 (SRV)。自动识别 SRV 带来了独特的挑战,因为它需要深入分析和理解智能合约中的状态依赖关系。本文介绍了 SmartState,这是一种通过细粒度状态依赖分析检测 Solidity 智能合约中状态恢复漏洞的新框架。SmartState 集成了一套新颖的机制来确保其有效性。特别是,Smart-State 从合约字节码和历史交易中提取状态依赖关系。它们两者对于推断与 SRV 相关的依赖关系都至关重要。此外,SmartState 将 SRV 的通用模式(即利润收益和 DoS)建模为 SRV 指标,从而根据构建的状态依赖图有效地识别 SRV。为了评估 SmartState,我们手动标注了一个包含现实世界中 91 个 SRV 的真实数据集。评估结果表明,SmartState 的准确率为 87.23%,召回率为 89.13%。此外,SmartState 还从 47,351 个现实世界智能合约中成功识别出 406 个新的 SRV。其中 11 个 SRV 来自交易金额较高的热门智能合约(即前 2000 个)。总的来说,我们报告的 SRV 影响了总价值 428,600 美元的数字资产。

图片

图片

图片

图片

图片

assertion-related state dependency (ASD)

temporal order state dependency (TSD)

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597926.3598111

7

Title: 

Toward Automated Detecting Unanticipated Price Feed in Smart Contract

在智能合约中自动检测意外价格馈送

Authors

图片

Key words:

Smart Contract, Formal Verification, Price Oracle, DeFi

智能合约、形式化验证、价格预言机、DeFi

Abstract

Decentralized finance (DeFi) based on smart contracts has reached a total value locked (TVL) of over USD 200 billion in 2022. In DeFi ecosystems, price oracles play a critical role in providing real-time price feeds for cryptocurrencies to ensure accurate asset pricing in smart contracts. However, the price oracle also faces security issues, including the possibility of unanticipated price feeds, which can lead to imbalances in debt and assets in the DeFi protocol. However, existing solutions cannot effectively combine transactions and code for real-time monitoring of price oracles. To address this limitation, we first categorize price oracles as either DON oracles, DEX oracles, or internal oracles based on trusted parties, and analyze their security risks, data sources, price duration, and query fees. Then, we propose VeriOracle, a formal verification framework for the automated detection of unanticipated price feeds in smart contracts. VeriOracle can deploy a formal semantic model of the price oracle on the blockchain to detect the status of smart contracts and identify unanticipated price feed transactions in real time. We apply VeriOracle to verify over 500,000 transactions of 13 vulnerable DeFi protocols in the real world. The experimental results show that (1) VeriOracle is effective and it can detect unanticipated price feeds before DeFi attacks (33,714 blocks ahead of the attacker in the best case); (2) VeriOracle is efficient in that its verification time (about 4s) is less than the block time of Ethereum (about 14s), which means VeriOracle can detect unsafe transactions in real time; and (3) VeriOracle is extendable for verifying defense strategies. Attacks using unanticipated price feeds can only succeed in particular smart contract states. VeriOracle can verify which smart contract states can defend against attacks.

基于智能合约的去中心化金融 (DeFi) 已在 2022 年达到超过 2000 亿美元的总锁定价值 (TVL)。在 DeFi 生态系统中,价格预言机在为加密货币提供实时价格信息以确保智能合约中资产定价准确方面发挥着关键作用。然而,价格预言机也面临安全问题,包括可能出现意外的价格信息,这可能导致 DeFi 协议中的债务和资产不平衡。然而,现有的解决方案无法有效地结合交易和代码来实时监控价格预言机。为了解决这一限制,我们首先根据可信方将价格预言机分类为 DON 预言机、DEX 预言机或内部预言机,并分析它们的安全风险、数据来源、价格持续时间和查询费用。然后,我们提出了 VeriOracle,这是一个用于自动检测智能合约中意外价格信息的形式化验证框架。VeriOracle 可以在区块链上部署价格预言机的形式化语义模型,以检测智能合约的状态并实时识别意外的价格馈送交易。我们应用 VeriOracle 验证了现实世界中 13 个易受攻击的 DeFi 协议的 500,000 多笔交易。实验结果表明:(1)VeriOracle 是有效的,它可以在 DeFi 攻击之前检测到意外的价格馈送(最好情况下比攻击者提前 33,714 个区块);(2)VeriOracle 的验证时间(约 4 秒)小于以太坊的出块时间(约 14 秒),这意味着 VeriOracle 可以实时检测不安全的交易;(3)VeriOracle 可扩展以验证防御策略。使用意外价格馈送的攻击只能在特定的智能合约状态下成功。VeriOracle 可以验证哪些智能合约状态可以抵御攻击。

图片

 decentralized exchanges (DEX)

Decentralized Oracle Networks (DONs)

图片

图片

图片

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597926.3598133

8

Title: 

Detecting State Inconsistency Bugs in DApps via On-Chain Transaction Replay and Fuzzing

通过链上交易重放和模糊测试检测 DApp 中的状态不一致错误

Authors

Mingxi Ye,Sun Yat-sen University,China

Yuhong Nan,Sun Yat-sen University

Zibin Zheng,Sun Yat-sen University

Dongpeng Wu, Sun Yat-sen University

Huizhong Li, WeBank,China

Abstract

Decentralized applications (DApps) consist of multiple smart contracts running on Blockchain. With the increasing popularity of the DApp ecosystem, vulnerabilities in DApps could bring significant impacts such as financial losses. Identifying vulnerabilities in DApps is by no means trivial, as modern DApps consist of complex interactions across multiple contracts. Previous research suffers from either high false positives or false negatives, due to the lack of precise contextual information which is mandatory for confirming smart contract vulnerabilities when analyzing smart contracts. In this paper, we present IcyChecker, a new fuzzing-based framework to effectively identify State inconsistency (SI) Bugs – a specific type of bugs that can cause vulnerabilities such as re-entrancy, front-running with complex patterns. Different from prior works, IcyChecker utilizes a set of accurate contextual information for contract fuzzing by replaying the on-chain historical transactions. Besides, instead of designing specific testing oracles which are required by other fuzzing approaches, IcyChecker implements novel mechanisms to mutate a set of fuzzing transaction sequences, and further identify SI bugs by observing their state differences. Evaluation of IcyChecker over the top 100 popular DApps showed it effectively identifies a total number of 277 SI bugs, with a precision of 87%. By comparing IcyChecker with other state-of-the-art tools (i.e., Smartian, Confuzzius, and Sailfish), we show IcyChecker not only identifies more SI bugs but also with much lower false positives, thanks to its integration of accurate on-chain data and unique fuzzing strategies. Our research sheds light on new ways of detecting smart contract vulnerabilities in DApps.


 

去中心化应用程序(DApps)由在区块链上运行的多个智能合约组成。随着 DApp 生态系统的日益普及,DApp 中的漏洞可能会带来重大影响,例如财务损失。识别 DApp 中的漏洞绝非易事,因为现代 DApp 包含跨多个合约的复杂交互。先前的研究存在高误报率或漏报率,这是因为缺乏精确的上下文信息,而这些信息在分析智能合约时对于确认智能合约漏洞是必不可少的。在本文中,我们提出了 IcyChecker,这是一个基于模糊测试的新框架,可有效识别状态不一致(SI)错误 - 这是一种特定类型的错误,可能导致诸如重入、具有复杂模式的抢先交易等漏洞。与之前的研究不同,IcyChecker 通过重放链上历史交易,利用一组准确的上下文信息进行合约模糊测试。此外,IcyChecker 无需设计其他模糊测试方法所需的特定测试预言机,而是实现了新颖的机制来改变一组模糊测试交易序列,并通过观察它们的状态差异进一步识别 SI 错误。对前 100 个流行 DApp 的 IcyChecker 评估表明,它有效识别了总共 277 个 SI 错误,准确率为 87%。通过将 IcyChecker 与其他最先进的工具(即 Smartian、Confuzzius 和 Sailfish)进行比较,我们发现 IcyChecker 不仅可以识别出更多的 SI 错误,而且由于其集成了准确的链上数据和独特的模糊测试策略,误报率也低得多。我们的研究为检测 DApp 中的智能合约漏洞的新方法提供了启示。

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597926.3598057

9

Title: 

DeFiTainter: Detecting Price Manipulation Vulnerabilities in DeFi Protocols

DeFiTainter:检测 DeFi 协议中的价格操纵漏洞

Authors

图片

Key words:

vulnerability detection, smart contract, taint analysis

漏洞检测、智能合约、污点分析

Abstract

DeFi protocols are programs that manage high-value digital assets on blockchain. The price manipulation vulnerability is one of the common vulnerabilities in DeFi protocols, which allows attackers to gain excessive profits by manipulating token prices. In this paper, we propose DeFiTainter, an inter-contract taint analysis framework for detecting price manipulation vulnerabilities. DeFiTainter features two innovative mechanisms to ensure its effectiveness. The first mechanism is to construct a call graph for inter-contract taint analysis by restoring call information, not only from code constants but also from contract storage and function parameters. The second mechanism is a high-level semantic induction tailored for detecting price manipulation vulnerabilities, which accurately identifies taint sources and sinks and tracks taint data across contracts. Extensive evaluation of real-world incidents and high-value DeFi protocols shows that DeFiTainter outperforms existing approaches and achieves state-of-the-art performance with a precision of 96% and a recall of 91.3% in detecting price manipulation vulnerabilities. Furthermore, DeFiTainter uncovers three previously undisclosed price manipulation vulnerabilities.

DeFi 协议是管理区块链上高价值数字资产的程序。价格操纵漏洞是 DeFi 协议中常见的漏洞之一,攻击者可以通过操纵代币价格获取超额利润。本文提出了 DeFiTainter,一个用于检测价格操纵漏洞的合约间污点分析框架。DeFiTainter 具有两种创新机制来确保其有效性。第一种机制是通过恢复调用信息来构建合约间污点分析的调用图,不仅从代码常量,而且从合约存储和函数参数中恢复调用信息。第二种机制是专门为检测价格操纵漏洞而定制的高级语义归纳,它可以准确识别污点源和污点接收器并跟踪跨合约的污点数据。对现实世界事件和高价值 DeFi 协议的广泛评估表明,DeFiTainter 优于现有方法,在检测价格操纵漏洞方面以 96% 的准确率和 91.3% 的召回率实现了最先进的性能。此外,DeFiTainter 还发现了三个以前未披露的价格操纵漏洞。

图片

图片

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597926.3598124

图片

关注我们,持续接收区块链最新论文

洞察区块链技术发展趋势

Follow us to keep receiving the latest blockchain papers

Insight into Blockchain Technology Trends

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/diannao/42493.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

C++面向对象的常见面试题目(一)

1. 面向对象的三大特征 &#xff08;1&#xff09;封装&#xff1a;隐藏对象的内部状态&#xff0c;只暴露必要的接口。 #include <iostream> #include <string>// 定义一个简单的类 Person class Person { private: // 私有成员&#xff0c;外部不可直接访问std…

华为机试HJ37统计每个月兔子的总数

华为机试HJ37统计每个月兔子的总数 题目&#xff1a; 想法&#xff1a; 上述题目实际是一个斐波那契数列&#xff0c;利用斐波那契数列对问题进行求解 input_number int(input())def fib(n):if n < 2:return 1else:n_1 1n_2 1count 2while count < n:n_1, n_2 n_…

【AI资讯】可以媲美GPT-SoVITS的低显存开源文本转语音模型Fish Speech

Fish Speech是一款由fishaudio开发的全新文本转语音工具&#xff0c;支持中英日三种语言&#xff0c;语音处理接近人类水平&#xff0c;使用Flash-Attn算法处理大规模数据&#xff0c;提供高效、准确、稳定的TTS体验。 Fish Audio

机器学习Day12:特征选择与稀疏学习

1.子集搜索与评价 相关特征&#xff1a;对当前学习任务有用的特征 无关特征&#xff1a;对当前学习任务没用的特征 特征选择&#xff1a;从给定的特征集合中选择出相关特征子集的过程 为什么要特征选择&#xff1f; 1.任务中经常碰到维数灾难 2.去除不相关的特征能降低学习的…

Git注释规范

主打一个有用 代码的提交规范参考如下&#xff1a; init:初始化项目feat:新功能&#xff08;feature&#xff09;fix:修补bugdocs:文档&#xff08;documentation&#xff09;style:格式&#xff08;不影响代码运行的变动&#xff09;refactor:重构&#xff08;即不是新增功能…

计算机网络之令牌环

1.令牌环工作原理 令牌环&#xff08;Token Ring&#xff09;是一种局域网&#xff08;LAN&#xff09;的通信协议&#xff0c;最初由IBM在1984年开发并标准化为IEEE 802.5标准。在令牌环网络中&#xff0c;所有的计算机或工作站被连接成一个逻辑或物理的环形拓扑结构。网络中…

排序(2)

我们在排序&#xff08;1&#xff09;中说到选择排序的代码&#xff1a; void SelectSort(int* a,int n) {int begin0,endn-1;int minibegin,maxbegin;for(int ibegin1;i<end;i){if(a[i]>a[max]){maxii;}if(a[i]<a[mini]){minii;}begin;--end;}Swap(&a[beign],&a…

SKF轴承故障频率查询

1&#xff0c;第一步&#xff1a;搜索轴承型号 skf官网 2&#xff0c;第二步&#xff1a;查询故障频率。 第三步&#xff1a;

尚品汇-(十四)

&#xff08;1&#xff09;提交git 商品后台管理到此已经完成&#xff0c;我们可以把项目提交到公共的环境&#xff0c;原来使用svn&#xff0c;现在使用git 首先在本地创建ssh key&#xff1b; 命令&#xff1a;ssh-keygen -t rsa -C "your_emailyouremail.com" I…

落日余晖映晚霞

落日余晖映晚霞&#xff0c;立于海滨&#xff0c;望夕阳余晖洒于波光粼粼之上&#xff0c;金光跳跃&#xff0c;若繁星闪烁&#xff0c;耀人心目。 海风轻拂&#xff0c;心境宁静&#xff0c;凡尘俗务皆于此刹那消散&#xff0c;思绪万干&#xff0c;或忆往昔点滴&#xff0c;或…

刷爆leetcode第十期

题目一 相同的树 给你两棵二叉树的根节点 p 和 q &#xff0c;编写一个函数来检验这两棵树是否相同。 如果两个树在结构上相同&#xff0c;并且节点具有相同的值&#xff0c;则认为它们是相同的。 首先我们要来判断下它们的根是否相等 根相等的话是否它们的左子树相等 是否…

在CMD中创建虚拟环境并在VSCode中使用和管理

1. 使用Conda创建虚拟环境 在CMD或Anaconda Prompt中执行以下代码以创建一个新的虚拟环境&#xff1a; conda create -n my_env python 3.8 这样会创建一个名为 my_env 的环境&#xff0c;并在Anaconda环境目录下生成一个相应的文件夹&#xff0c;包含该虚拟环境所需的所有…

GD32实战篇-双向数控BUCK-BOOST-BOOST升压理论基础

本文章基于兆易创新GD32 MCU所提供的2.2.4版本库函数开发 向上代码兼容GD32F450ZGT6中使用 后续项目主要在下面该专栏中发布&#xff1a; https://blog.csdn.net/qq_62316532/category_12608431.html?spm1001.2014.3001.5482 感兴趣的点个关注收藏一下吧! 电机驱动开发可以跳转…

MySQL之备份与恢复(八)

备份与恢复 还原逻辑备份 如果还原的是逻辑备份而不是物理备份&#xff0c;则与使用操作系统简单地复制文件到适当位置的方式不同&#xff0c;需要使用MySQL服务器本身来加载数据到表中。在加载导出文件之前&#xff0c;应该先花一点时间考虑文件有多大&#xff0c;需要多久加…

C++ 函数高级——函数的占位参数

C中函数的形参列表里可以有占位参数&#xff0c;用来做占位&#xff0c;调用函数时必须填补改位置 语法&#xff1a; 返回值类型 函数名&#xff08;数据类型&#xff09;{ } 在现阶段函数的占位参数存在意义不大&#xff0c;但是后面的课程中会用到该技术 示例&#xff1a;…

STM32快速复习(八)SPI通信

文章目录 前言一、SPI是什么&#xff1f;SPI的硬件电路&#xff1f;SPI发送的时序&#xff1f;二、库函数二、库函数示例代码总结 前言 SPI和IIC通信算是我在大学和面试中用的最多&#xff0c;问的最多的通信协议 IIC问到了&#xff0c;一般SPI也一定会问到。 SPI相对于IIC多了…

含并行连结的网络

一、Inception块 1、白色部分通过降低通道数来控制模型复杂度&#xff0c;蓝色做特征提取工作&#xff0c;每条路上的通道数可能不同&#xff0c;大概我们会把更重要的那部分特征分配更多的通道数 2、Inception只改变高宽&#xff0c;不改变通道数 3、在不同的情况下需要选择…

pin是什么?管脚

1.平面分割 1)启动Allegro PCB design &#xff0c;打开.brd。深色部分属于一个net&#xff0c;要做一下修改&#xff0c;将上面的pin包含进shape中&#xff0c;i进行a&#xff0c;b两步操作&#xff0c;删除以前存在的Anti Etch下的line&#xff0c;再将其进行补齐 使它保住上…

【帧中继实验-ensp】

实验要求 在R1上开启一个点对点子接口&#xff0c;用于连接 R1–R2&#xff0c;两端IP地址为12.1.1.x 。开启一个多点子接口 &#xff0c;用于连接R1–R3&#xff0c;R4&#xff0c;两段IP地址为134.1.1.x。 具体DLCI分配和映射关系如下&#xff1a; R1 102 R2 201—动态映射…

论文略读:Can Long-Context Language Models Subsume Retrieval, RAG, SQL, and More?

202406 arxiv 1 intro 传统上&#xff0c;复杂的AI任务需要多个专门系统协作完成。 这类系统通常需要独立的模块来进行信息检索、问答和数据库查询等任务大模型时代&#xff0c;尤其是上下文语言模型&#xff08;LCLM&#xff09;时代&#xff0c;上述问题可以“一体化”完成…