Ethainter: a smart contract security analyzer for composite vulnerabilities

Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation Pub Date : 2020-06-06 DOI:10.1145/3385412.3385990

Lexi Brent, Neville Grech, Sifis Lagouvardos, Bernhard Scholz, Y. Smaragdakis

{"title":"Ethainter: a smart contract security analyzer for composite vulnerabilities","authors":"Lexi Brent, Neville Grech, Sifis Lagouvardos, Bernhard Scholz, Y. Smaragdakis","doi":"10.1145/3385412.3385990","DOIUrl":null,"url":null,"abstract":"Smart contracts on permissionless blockchains are exposed to inherent security risks due to interactions with untrusted entities. Static analyzers are essential for identifying security risks and avoiding millions of dollars worth of damage. We introduce Ethainter, a security analyzer checking information flow with data sanitization in smart contracts. Ethainter identifies composite attacks that involve an escalation of tainted information, through multiple transactions, leading to severe violations. The analysis scales to the entire blockchain, consisting of hundreds of thousands of unique smart contracts, deployed over millions of accounts. Ethainter is more precise than previous approaches, as we confirm by automatic exploit generation (e.g., destroying over 800 contracts on the Ropsten network) and by manual inspection, showing a very high precision of 82.5% valid warnings for end-to-end vulnerabilities. Ethainter’s balance of precision and completeness offers significant advantages over other tools such as Securify, Securify2, and teEther.","PeriodicalId":20580,"journal":{"name":"Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2020-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"81","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3385412.3385990","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 81

Abstract

Smart contracts on permissionless blockchains are exposed to inherent security risks due to interactions with untrusted entities. Static analyzers are essential for identifying security risks and avoiding millions of dollars worth of damage. We introduce Ethainter, a security analyzer checking information flow with data sanitization in smart contracts. Ethainter identifies composite attacks that involve an escalation of tainted information, through multiple transactions, leading to severe violations. The analysis scales to the entire blockchain, consisting of hundreds of thousands of unique smart contracts, deployed over millions of accounts. Ethainter is more precise than previous approaches, as we confirm by automatic exploit generation (e.g., destroying over 800 contracts on the Ropsten network) and by manual inspection, showing a very high precision of 82.5% valid warnings for end-to-end vulnerabilities. Ethainter’s balance of precision and completeness offers significant advantages over other tools such as Securify, Securify2, and teEther.

查看原文本刊更多论文

Ethainter:用于组合漏洞的智能合约安全分析器

无权限区块链上的智能合约由于与不受信任的实体交互而暴露于固有的安全风险。静态分析器对于识别安全风险和避免数百万美元的损失至关重要。我们介绍了Ethainter，一个在智能合约中使用数据清理来检查信息流的安全分析器。Ethainter识别复合攻击，这些攻击涉及通过多个事务升级受污染信息，从而导致严重违规。分析扩展到整个区块链，由数十万个独特的智能合约组成，部署在数百万个账户上。Ethainter比以前的方法更精确，正如我们通过自动漏洞生成(例如，破坏Ropsten网络上的800多个合约)和手动检查所证实的那样，显示出对端到端漏洞的有效警告的非常高的精度为82.5%。与其他工具(如Securify、Securify2和teEther)相比，Ethainter在精度和完整性方面的平衡提供了显著的优势。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation

自引率

0.00%

发文量

文献相关原料

公司名称	产品信息	采购帮参考价格