BACKRUNNER: Mitigating Smart Contract Attacks in the Real World

Chaofan Shou, Yuanyu Ke, Yupeng Yang, Qi Su, Or Dadosh, Assaf Eli, David Benchimol, Doudou Lu, Daniel Tong, Dex Chen, Zoey Tan, Jacob Chia, Koushik Sen, Wenke Lee
arXiv - CS - Cryptography and Security, published 2024-09-10. DOI: arxiv-2409.06213 (https://doi.org/arxiv-2409.06213)
Citation count: 0

Abstract

Billions of dollars have been lost due to vulnerabilities in smart contracts. To counteract this, researchers have proposed attack frontrunning protections designed to preempt malicious transactions by inserting "whitehat" transactions ahead of them to protect the assets. In this paper, we demonstrate that existing frontrunning protections have become ineffective in real-world scenarios. Specifically, we collected 158 recent real-world attack transactions and discovered that 141 of them can bypass state-of-the-art frontrunning protections. We systematically analyze these attacks and show how inherent limitations of existing frontrunning techniques hinder them from protecting valuable assets in the real world. We then propose a new approach involving 1) preemptive hijack, and 2) attack backrunning, which circumvent the existing limitations and can help protect assets before and after an attack. Our approach adapts the exploit used in the attack to the same or similar contracts before and after the attack to safeguard the assets. We conceptualize adapting exploits as a program repair problem and apply established techniques to implement our approach into a full-fledged framework, BACKRUNNER. Running on previous attacks in 2023, BACKRUNNER can successfully rescue more than $410M. In the real world, it has helped rescue over $11.2M worth of assets in 28 separate incidents within two months.