Title: Who Is Pulling the Strings: Unveiling Smart Contract State Manipulation Attacks Through State-Aware Dataflow Analysis
Authors: Shuo Yang, Jiachi Chen, Lei Xiao, Jinyuan Hu, Dan Lin, Jiajing Wu, Tao Zhang, Zibin Zheng
DOI: 10.1109/TSE.2025.3605145
Journal: IEEE Transactions on Software Engineering, vol. 51, no. 10, pp. 2942-2956 (JCR Q1, Computer Science, Software Engineering)
Publication type: Journal Article
Publication date: 2025-10-17
URL: https://ieeexplore.ieee.org/document/11207087/
Citations: 0
Abstract
Recently, the increasing complexity of smart contracts and their interactions has led to more sophisticated strategies for executing attacks. Hackers often need to deploy attacker contracts as delegators to automate these attacks on their behalf. Existing identification methods for attacker contracts either rely on simple patterns (e.g., recursive callback control flow) that suffer from high false-positive rates and limited extraction of interaction and call information, or lack fully automated detection capabilities. Consequently, these limitations reduce the effectiveness of current solutions in identifying modern, intricate attacks. To overcome these challenges, we introduce the concept of state manipulation attacks, which abstracts the exploitation of problematic state dependencies arising from contract interactions. During these attacks, hackers first alter the storage state of one contract (the manipulated contract), which determines the profit they can gain. They then call another contract (the victim contract) to exploit its dependency on the altered state and maximize their profits. We present SMAsher, a tool designed to automatically identify state manipulation attacker contracts. SMAsher leverages fine-grained state-aware dataflow analysis to detect exploitation traces and exploited state dependencies among contracts, focusing on recovering the call path and interaction semantics. Our extensive experiments on 1.38 million real-world contracts demonstrate that SMAsher successfully identifies 311 state manipulation attacker contracts with 100% precision, resulting in $6.95 million in losses. Our findings also reveal some notable malicious characteristics of hackers’ accounts through their deployed attacker contracts. Additionally, we have provided 10 PoCs (Proof-of-Concepts) for previously unidentified attacks, all of which have been confirmed and released to the community.
Journal description:
IEEE Transactions on Software Engineering seeks contributions comprising well-defined theoretical results and empirical studies with potential impacts on software construction, analysis, or management. The scope of this Transactions extends from fundamental mechanisms to the development of principles and their application in specific environments. Specific topic areas include:
a) Development and maintenance methods and models: Techniques and principles for specifying, designing, and implementing software systems, encompassing notations and process models.
b) Assessment methods: Software tests, validation, reliability models, test and diagnosis procedures, software redundancy, design for error control, and measurements and evaluation of process and product aspects.
c) Software project management: Productivity factors, cost models, schedule and organizational issues, and standards.
d) Tools and environments: Specific tools, integrated tool environments, associated architectures, databases, and parallel and distributed processing issues.
e) System issues: Hardware-software trade-offs.
f) State-of-the-art surveys: Syntheses and comprehensive reviews of the historical development within specific areas of interest.