Detection of Smart Contract Timestamp Vulnerability Based on Data-flow Path Learning

Authors
Zhang Z. [1 ]
Liu Y.-P. [2 ]
Xue J.-X. [3 ]
Yan M. [4 ]
Chen J.-C. [5 ]
Mao X.-G. [2 ]
Affiliations
[1] School of Information Technology & Engineering, Guangzhou College of Commerce, Guangzhou
[2] College of Computer Science and Technology, National University of Defense Technology, Changsha
[3] School of Computer and Information Engineering, Shanghai Polytechnic University, Shanghai
[4] School of Big Data & Software Engineering, Chongqing University, Chongqing
[5] School of Software Engineering, Sun Yat-sen University, Zhuhai
Source
Ruan Jian Xue Bao/Journal of Software | 2024 / Vol. 35 / No. 5
Keywords
data-flow path; pre-training; smart contract; timestamp vulnerability; vulnerability detection
DOI
10.13328/j.cnki.jos.006989
Abstract
A smart contract is a decentralized application deployed on a blockchain platform such as Ethereum. Because smart contracts carry economic value, vulnerabilities in them can cause large financial losses and undermine the stability of the Ethereum ecosystem, so it is crucial to detect vulnerabilities before a contract is deployed. Existing smart contract vulnerability detectors (e.g., Oyente and Securify) are mostly built on heuristic rules; such rules transfer poorly across application scenarios, and the tools are slow and imprecise. To improve detection effectiveness, this study proposes Scruple, a smart contract timestamp vulnerability detection approach based on learning data-flow paths. Scruple first extracts all possible propagation chains of timestamp vulnerabilities, then refines these chains, uses a graph pre-training model to learn the relationships within them, and finally uses the learned model to decide whether a contract contains a timestamp vulnerability. Compared with existing detectors, Scruple captures vulnerabilities more effectively and generalizes better. Learning on propagation chains is also well targeted: it avoids traversing an unnecessarily deep program hierarchy before the vulnerability pattern converges. To verify its effectiveness, this study compares Scruple against 13 state-of-the-art smart contract vulnerability detection methods on distinct real-world smart contracts. Scruple achieves 96% accuracy, 90% recall, and a 93% F1-score on timestamp vulnerabilities; averaged over the 13 baselines, this is an improvement of 59%, 46%, and 57% on the three metrics respectively. Scruple therefore substantially improves the detection of timestamp vulnerabilities.
© 2024 Chinese Academy of Sciences. All rights reserved.
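The pipeline the abstract sketches, enumerate data-flow propagation chains from the timestamp source, refine them, then judge the contract, can be made concrete for its first two steps. The following is an added example written for this page; it is not Scruple's code or the authors' implementation. The toy three-address IR, its statement kinds, the two constructed contracts, and the refinement rule (keep only chains that end at a sink where the timestamp-derived value moves money or decides control flow) are all this example's assumptions, and the learned graph model of the third step is replaced here by that fixed rule.

```python
"""Toy data-flow path extraction for timestamp dependence in smart contracts.

Added example, not Scruple's code. Operates on a constructed three-address IR
standing in for a lowered Solidity contract; the IR shape, statement kinds and
the refinement rule are assumptions of this example.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

TIMESTAMP = "block.timestamp"  # the taint source (miner/validator-influenced)

# Sinks where a timestamp-derived value decides who gets money or what runs.
# Assumption of this example; a real tool would derive these from the EVM ops.
SENSITIVE_SINKS = {"transfer", "selfdestruct", "require", "if"}

# Statement: (kind, dst, srcs). For "assign", dst is the defined variable;
# for "sink", dst names the sink kind (transfer, if, emit, ...).
Stmt = Tuple[str, str, List[str]]

# Constructed lottery-style contract in the toy IR (assumption), roughly:
#   uint seed = block.timestamp % players.length;
#   address winner = players[seed];
#   uint fee = msg.value / 100;
#   require(msg.sender == owner);
#   if (block.timestamp > deadline) { winner.transfer(prize); }
#   owner.transfer(fee);
LOTTERY: List[Stmt] = [
    ("assign", "seed", [TIMESTAMP, "players.length"]),
    ("assign", "winner", ["players", "seed"]),
    ("assign", "fee", ["msg.value"]),
    ("sink", "require", ["msg.sender", "owner"]),
    ("sink", "if", [TIMESTAMP, "deadline"]),
    ("sink", "transfer", ["winner", "prize"]),
    ("sink", "transfer", ["owner", "fee"]),
]

# Constructed contract that only records the timestamp in an event (assumption):
#   uint stamp = block.timestamp; emit Logged(stamp); msg.sender.transfer(refund);
LOGGER: List[Stmt] = [
    ("assign", "stamp", [TIMESTAMP]),
    ("sink", "emit", ["stamp"]),
    ("sink", "transfer", ["msg.sender", "refund"]),
]


def build_dataflow_graph(stmts: List[Stmt]) -> Dict[str, Set[str]]:
    """Def-use edges: each source operand flows into the defined variable, or
    into a uniquely named sink node 'kind@index' so repeated sinks stay apart."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for i, (kind, dst, srcs) in enumerate(stmts):
        node = dst if kind == "assign" else f"{dst}@{i}"
        for src in srcs:
            graph[src].add(node)
    return graph


def propagation_chains(stmts: List[Stmt], source: str = TIMESTAMP) -> List[List[str]]:
    """Enumerate every simple data-flow path from `source` to a sink node: the
    'all possible propagation chains' step. Cycles introduced by loops or
    reassignments are cut by the path-local visited check."""
    graph = build_dataflow_graph(stmts)
    chains: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if "@" in node:  # sink nodes terminate a chain (variables never contain '@')
            chains.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:
                dfs(nxt, path + [nxt])

    dfs(source, [source])
    return chains


def refine(chains: List[List[str]]) -> List[List[str]]:
    """Refinement rule assumed here: keep chains ending in a sink where the
    timestamp-derived value moves money or decides control flow, drop the rest
    and any duplicates. Scruple's own refinement is not specified on this page."""
    seen: Set[Tuple[str, ...]] = set()
    kept: List[List[str]] = []
    for chain in chains:
        sink_kind = chain[-1].split("@")[0]
        key = tuple(chain)
        if sink_kind in SENSITIVE_SINKS and key not in seen:
            seen.add(key)
            kept.append(chain)
    return kept


def timestamp_dependence(stmts: List[Stmt]) -> List[List[str]]:
    """Refined chains for a contract; non-empty means money or control flow
    depends on the block timestamp."""
    return refine(propagation_chains(stmts))


if __name__ == "__main__":
    for name, contract in (("LOTTERY", LOTTERY), ("LOGGER", LOGGER)):
        for chain in timestamp_dependence(contract):
            print(name, " -> ".join(chain))
```

Running the file reports two chains for the lottery contract, one through `seed -> winner -> transfer` and one into the deadline `if`, and none for the logger, whose timestamp only reaches an event. The deadline comparison is a benign time-lock pattern that heuristic tools routinely flag alongside the genuinely exploitable winner-selection chain; separating the two is exactly the classification the paper hands to its learned model rather than to a fixed rule like `refine`.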
Pages: 2325-2339
Page count: 14