ContractFuzzer: fuzzing smart contracts for vulnerability detection

Authors: Jiang, Bo; Liu, Ye; Chan, W. K.

Published in: ASE 2018: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering


Abstract: Decentralized cryptocurrencies feature the use of blockchain to transfer values among peers on networks without central agency. Smart contracts are programs running on top of the blockchain consensus protocol to enable people to make agreements while minimizing trust. Millions of smart contracts have been deployed in various decentralized applications. The security vulnerabilities within those smart contracts pose significant threats to their applications. Indeed, many critical security vulnerabilities within smart contracts on the Ethereum platform have caused huge financial losses to their users. In this work, we present ContractFuzzer, a novel fuzzer to test Ethereum smart contracts for security vulnerabilities. ContractFuzzer generates fuzzing inputs based on the ABI specifications of smart contracts, defines test oracles to detect security vulnerabilities, instruments the EVM to log smart contracts' runtime behaviors, and analyzes these logs to report security vulnerabilities. Our fuzzing of 6991 smart contracts has flagged more than 459 vulnerabilities with high precision. In particular, our fuzzing tool successfully detects the vulnerability of the DAO contract that leads to USD 60 million loss and the vulnerabilities of Parity Wallet that have led to the loss of USD 30 million and the freezing of USD 150 million worth of Ether.

Recommended by: LiuLu

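Reason for recommendation: Millions of smart contracts have been deployed in various decentralized applications. The security vulnerabilities in these smart contracts pose a significant threat to their applications. Indeed, smart contracts on the Ethereum platform contain many critical security vulnerabilities, which have caused huge financial losses to users. In this paper, the researchers propose a new fuzzer, ContractFuzzer, to test Ethereum smart contracts for security vulnerabilities. They successfully detected the DAO contract vulnerability that led to a loss of USD 60 million, and the Parity Wallet vulnerabilities that led to a loss of USD 30 million and the freezing of USD 150 million worth of Ether.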