Journal of Computer Applications ›› 2023, Vol. 43 ›› Issue (3): 785-793.DOI: 10.11772/j.issn.1001-9081.2022020179
• Cyber security • Previous Articles Next Articles
Received:
2022-02-18
Revised:
2022-05-11
Accepted:
2022-05-11
Online:
2022-08-16
Published:
2023-03-10
Contact:
Bo ZHAO
About author:
TONG Juncheng, born in 1995, Ph. D. candidate. His research interests include blockchain security, trusted computing.
Supported by:
通讯作者:
赵波
作者简介:
童俊成(1995—),男,湖北武汉人,博士研究生,主要研究方向:区块链安全、可信计算基金资助:
CLC Number:
Juncheng TONG, Bo ZHAO. Review on blockchain smart contract vulnerability detection and automatic repair[J]. Journal of Computer Applications, 2023, 43(3): 785-793.
童俊成, 赵波. 区块链智能合约漏洞检测与自动化修复综述[J]. 《计算机应用》唯一官方网站, 2023, 43(3): 785-793.
Add to citation manager EndNote|Ris|BibTeX
URL: https://www.joca.cn/EN/10.11772/j.issn.1001-9081.2022020179
层级 | 漏洞类型 |
---|---|
Solidity | 访问控制漏洞 |
整数溢出漏洞 | |
拒绝服务漏洞 | |
重入漏洞 | |
低级调用中未检查返回值 | |
EVM | 短地址攻击 |
区块链结构 | 交易顺序依赖漏洞 |
时间戳依赖漏洞 | |
错误随机漏洞 |
Tab. 1 Smart contract vulnerability types and introduction levels
层级 | 漏洞类型 |
---|---|
Solidity | 访问控制漏洞 |
整数溢出漏洞 | |
拒绝服务漏洞 | |
重入漏洞 | |
低级调用中未检查返回值 | |
EVM | 短地址攻击 |
区块链结构 | 交易顺序依赖漏洞 |
时间戳依赖漏洞 | |
错误随机漏洞 |
1 | 袁勇,王飞跃. 区块链技术发展现状与展望[J]. 自动化学报, 2016, 42(4):481-494. 10.16383/j.aas.2016.c160158 |
YUAN Y, WANG F Y. Blockchain: the state of the art and future trends[J]. Acta Automatica Sinica, 2016, 42(4): 481-494. 10.16383/j.aas.2016.c160158 | |
2 | 曾诗钦,霍如,黄韬,等. 区块链技术研究综述:原理,进展与应用[J]. 通信学报, 2020, 41(1):134-151. 10.11959/j.issn.1000?436x.2020027 |
ZENG S Q, HUO R, HUANG T, et al. Survey of blockchain: principle, progress and application[J]. Journal on Communications, 2020, 41(1): 134-151. 10.11959/j.issn.1000?436x.2020027 | |
3 | ZHENG Z B, XIE S A, DAI H N, et al. Blockchain challenges and opportunities: a survey[J]. International Journal of Web and Grid Services, 2018, 14(4): 352-375. 10.1504/ijwgs.2018.095647 |
4 | SZABO N. Formalizing and securing relationships on public networks[J]. First Monday, 1997, 2(9): No.548. 10.5210/fm.v2i9.548 |
5 | ZHAO X F, CHEN Z Y, CHEN X, et al. The DAO attack paradoxes in propositional logic[C]// Proceeding of the 4th International Conference on Systems and Informatics. Piscataway: IEEE, 2017: 1743-1746. 10.1109/icsai.2017.8248566 |
6 | TOLMACH P, LI Y, LIN S W, et al. A survey of smart contract formal specification and verification[J]. ACM Computing Surveys, 2021, 54(7): No.148. 10.1145/3464421 |
7 | DURIEUX T, FERREIRA J F, ABREU R, et al. Empirical review of automated analysis tools on 47,587 Ethereum smart contracts[C]// Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering. New York: ACM, 2020: 530-541. 10.1145/3377811.3380364 |
8 | 赵伟,张问银,王九如,等. 基于符号执行的智能合约漏洞检测方案[J]. 计算机应用, 2020, 40(4):947-953. 10.11772/j.issn.1001-9081.2019111919 |
ZHAO W, ZHANG W Y, WANG J R, et al. Smart contract vulnerability detection scheme based on symbol execution[J]. Journal of Computer Applications, 2020, 40(4): 947-953. 10.11772/j.issn.1001-9081.2019111919 | |
9 | LUU L, CHU D H, OLICKEL H, et al. Making smart contracts smarter[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2016: 254-269. 10.1145/2976749.2978309 |
10 | TORRES C F, SCHÜTTE J, STATE R. Osiris: hunting for integer bugs in Ethereum smart contracts[C]// Proceedings of the 34th Annual Computer Security Applications Conference. New York: ACM, 2018: 664-676. 10.1145/3274694.3274737 |
11 | CHEN J C, XIA X, LO D, et al. DefectChecker: automated smart contract defect detection by analyzing EVM bytecode[J]. IEEE Transactions on Software Engineering, 2022, 48(7): 2189-2207. 10.1109/tse.2021.3054928 |
12 | ConsenSys. Mythril: Security analysis tool for EVM bytecode[EB/OL]. [2022-04-27].. |
13 | TSANKOV P, DAN A, DRACHSLER-COHEN D, et al. Securify: practical security analysis of smart contracts[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2018: 67-82. 10.1145/3243734.3243780 |
14 | MOSSBERG M, MANZANO F, HENNENFENT E, et al. Manticore: a user-friendly symbolic execution framework for binaries and smart contracts[C]// Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering. Piscataway: IEEE, 2019: 1186-1189. 10.1109/ase.2019.00133 |
15 | NIKOLIĆ I, KOLLURI A, SERGEY I, et al. Finding the greedy, prodigal, and suicidal contracts at scale[C]// Proceedings of the 34th Annual Computer Security Applications Conference. New York: ACM, 2018: 653-663. 10.1145/3274694.3274743 |
16 | ALMAKHOUR M, SLIMAN L, SAMHAT A E, et al. Verification of smart contracts: a survey[J]. Pervasive and Mobile Computing, 2020, 67: No.101227. 10.1016/j.pmcj.2020.101227 |
17 | YI Q P, WEN J Y, YANG G W. Summary-guided incremental symbolic execution[C]// Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Companion Proceedings. New York: ACM, 2020: 310-311. 10.1145/3377812.3390895 |
18 | WEISS K, SCHÜTTE J. Annotary: a concolic execution system for developing secure smart contracts[C]// Proceedings of the 2019 European Symposium on Research in Computer Security, LNCS 11735. Cham: Springer, 2019: 747-766. |
19 | AMANI S, BÉGEL M, BORTIN M, et al. Towards verifying Ethereum smart contract bytecode in Isabelle/HOL[C]// Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs. New York: ACM, 2018: 66-77. 10.1145/3167084 |
20 | GENET T, JENSEN T, SAUVAGE J. Termination of Ethereum’s smart contracts[C]// Proceedings of the 17th International Joint Conference on e-Business and Telecommunications. Setúbal: SciTePress, 2020(3): 39-51. 10.5220/0009564100390051 |
21 | LI X M, SHI Z P, ZHANG Q Y, et al. Towards verifying Ethereum smart contracts at intermediate language level[C]// Proceedings of the 2019 International Conference on Formal Engineering Methods. Cham: Springer, 2019: 121-137. 10.1007/978-3-030-32409-4_8 |
22 | KALRA S, GOEL S, DHAWAN M, et al. ZEUS: analyzing safety of smart contracts[C]// Proceedings of the 2018 Network and Distributed Systems Security Symposium. Reston, VA: Internet Society, 2018: No.23082. 10.14722/ndss.2018.23082 |
23 | YANG Z, LEI H. Lolisa: formal syntax and semantics for a subset of the solidity programming language in mathematical tool Coq[J]. Mathematical Problems in Engineering, 2020, 2020: No.6191537. 10.1155/2020/6191537 |
24 | MAVRIDOU A, LASZKA A. Designing secure Ethereum smart contracts: a finite state machine based approach[C]// Proceedings of the 2018 International Conference on Financial Cryptography and Data Security, LNCS 10957. Berlin: Springer, 2018: 523-540. |
25 | MAVRIDOU A, LASZKA A, STACHTIARI E, et al. VeriSolid: correct-by-design smart contracts for Ethereum[C]// Proceedings of the 2019 International Conference on Financial Cryptography and Data Security, LNCS 11598. Cham: Springer, 2019: 446-465. |
26 | NELATURU K, MAVRIDOU A, VENERIS A, et al. Verified development and deployment of multiple interacting smart contracts with VeriSolid[C]// Proceedings of the 2020 IEEE International Conference on Blockchain and Cryptocurrency. Piscataway: IEEE, 2020: 1-9. 10.1109/icbc48266.2020.9169428 |
27 | ALAQAHTANI S, HE X C, GAMBLE R, et al. Formal verification of functional requirements for smart contract compositions in supply chain management systems[C]// Proceedings of the 53rd Hawaii International Conference on System Sciences. Honolulu, HI: University of Hawaiʻi at Mānoa, 2020: 5278-5287. 10.24251/hicss.2020.650 |
28 | ABDELLATIF T, BROUSMICHE K L. Formal verification of smart contracts based on users and blockchain behaviors models[C]// Proceedings of the 9th IFIP International Conference on New Technologies, Mobility and Security. Piscataway: IEEE, 2018: 1-5. 10.1109/ntms.2018.8328737 |
29 | WANG D, HUANG X, MA X F. Formal analysis of smart contract based on colored petri nets[J]. IEEE Intelligent Systems, 2020, 35(3): 19-30. 10.1109/mis.2020.2977594 |
30 | JIANG B, LIU Y, CHAN W K. ContractFuzzer: fuzzing smart contracts for vulnerability detection[C]// Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. New York: ACM, 2018: 259-269. 10.1145/3238147.3238177 |
31 | GRIECO G, SONG W, CYGAN A, et al. Echidna: effective, usable, and fast fuzzing for smart contracts[C]// Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2020: 557-560. 10.1145/3395363.3404366 |
32 | NGUYEN T D, PHAM L H, SUN J, et al. sFuzz: an efficient adaptive fuzzer for Solidity smart contracts[C]// Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering. New York: ACM, 2020: 778-788. 10.1145/3377811.3380334 |
33 | HE J X, BALUNOVIĆ M, AMBROLADZE N, et al. Learning to fuzz from symbolic execution with application to smart contracts[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2019: 531-548. 10.1145/3319535.3363230 |
34 | TORRES C F, IANNILLO A K, GERVAIS A, et al. ConFuzzius: a data dependency-aware hybrid fuzzer for smart contracts[C]// Proceedings of the 2021 IEEE European Symposium on Security and Privacy. Piscataway: IEEE, 2021: 103-119. 10.1109/eurosp51992.2021.00018 |
35 | ZHANG Q Z, WANG Y Z, LI J R, et al. EthPloit: from fuzzing to efficient exploit generation against smart contracts[C]// Proceedings of the IEEE 27th International Conference on Software Analysis, Evolution and Reengineering. Piscataway: IEEE, 2020: 116-126. 10.1109/saner48275.2020.9054822 |
36 | WÜSTHOLZ V, CHRISTAKIS M. Harvey: a greybox fuzzer for smart contracts[C]// Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. New York: ACM, 2020: 1398-1409. 10.1145/3368089.3417064 |
37 | Etherum. Solidity documentation: release 0.8.11[EB/OL]. (2021-12-20) [2022-04-27].. |
38 | ConsenSys. Ethereum smart contract security best practices[EB/OL]. [2022-04-27].. |
39 | MANNING A. Solidity security: comprehensive list of known attack vectors and common anti-patterns[EB/OL]. (2018-10-20) [2022-07-09].. |
40 | ConsenSys. Software engineering techniques[EB/OL]. [2022-03-28].. |
41 | Trail of Bits. How contract migration works[EB/OL]. (2018-10-29) [2022-02-20].. |
42 | OpenZeppelin. Proxy patterns[EB/OL]. (2018-04-19) [2022-06-02].. 10.1007/978-1-4842-3603-1_12 |
43 | ZeppelinOS. Quickstart of ZeppelinOS[EB/OL]. [2022-05-18].. |
44 | ZHANG Y Y, MA S Q, LI J R, et al. SMARTSHIELD: automatic smart contract protection made easy[C]// Proceedings of the IEEE 27th International Conference on Software Analysis, Evolution and Reengineering. Piscataway: IEEE, 2020: 23-34. 10.1109/saner48275.2020.9054825 |
45 | RODLER M, LI W T, KARAME G O, et al. EVMPatch: timely and automated patching of Ethereum smart contracts[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley: USENIX Association, 2021: 1289-1306. |
46 | HE N Y, ZHANG R Y, WANG H Y, et al. EOSAFE: security analysis of EOSIO smart contracts[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley: USENIX Association, 2021: 1271-1288. |
47 | DING M J, LI P R, LI S S, et al. HFContractFuzzer: fuzzing Hyperledger Fabric smart contracts for vulnerability detection[C]// Proceedings of the 2021 International Conference on Evaluation and Assessment in Software Engineering. New York: ACM, 2021: 321-328. 10.1145/3463274.3463351 |
48 | YUAN R, XIA Y B, CHEN H B, et al. ShadowEth: private smart contract on public blockchain[J]. Journal of Computer Science Technology, 2018, 33(3): 542-556. 10.1007/s11390-018-1839-y |
49 | XIAO Y, ZHANG N, LI J, et al. PrivacyGuard: enforcing private data usage control with blockchain and attested off-chain contract execution[C]// Proceedings of the 2020 European Symposium on Research in Computer Security, LNCS 12309. Cham: Springer, 2020: 610-629. |
50 | LIND J, NAOR O, EYAL I, et al. Teechain: scalable blockchain payments using trusted execution environments[EB/OL]. (2019-10-26) [2022-02-16].. 10.1145/3341301.3359627 |
51 | HOMOLIAK I, SZALACHOWSKI P. Aquareum: a centralized ledger enhanced with blockchain and trusted computing[EB/OL]. (2020-05-27) [2022-03-17].. |
52 | RODLER M, LI W T, KARAME G O, et al. Sereum: protecting existing smart contracts against re-entrancy attacks[C]// Proceedings of the 2019 Network and Distributed Systems Security Symposium. Reston, VA: Internet Society, 2019: No.23413. 10.14722/ndss.2019.23413 |
53 | TORRES C F, BADEN M, NORVILL R, et al. Ægis: smart shielding of smart contracts[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2019: 2589-2591. 10.1145/3319535.3363263 |
54 | CHEN T, CAO R, LI T, et al. SODA: a generic online detection framework for smart contracts[C]// Proceedings of the 2020 Network and Distributed Systems Security Symposium. Reston, VA: Internet Society, 2020: No.24449. 10.14722/ndss.2020.24449 |
55 | YANG Z, KEUNG J, YU X, et al. A multi-modal Transformer-based code summarization approach for smart contracts[C]// Proceedings of the IEEE/ACM 29th International Conference on Program Comprehension. Piscataway: IEEE, 2021: 1-12. 10.1109/icpc52881.2021.00010 |
56 | LI X Q, CHEN T, LUO X P, et al. STAN: towards describing bytecodes of smart contract[C]// Proceedings of the IEEE 20th International Conference on Software Quality, Reliability and Security. Piscataway: IEEE, 2020: 273-284. 10.1109/qrs51102.2020.00045 |
57 | ESHGHIE M, ARTHO C, GUROV D. Dynamic vulnerability detection on smart contracts using machine learning[C]// Proceedings of the 2021 International Conference on Evaluation and Assessment in Software Engineering. New York: ACM, 2021: 305-312. 10.1145/3463274.3463348 |
58 | XU Y J, HU G R, YOU L, et al. A novel machine learning-based analysis model for smart contract vulnerability[J]. Security and Communication Networks, 2021, 2021: No.5798033. 10.1155/2021/5798033 |
59 | ZHUANG Y, LIU Z G, QIAN P, et al. Smart contract vulnerability detection using graph neural network[C]// Proceedings of the 29th International Joint Conference on Artificial Intelligence. California: ijcai.org, 2020: 3283-3290. 10.24963/ijcai.2020/454 |
[1] | He HUANG, Yu JIN. Cloud data auditing scheme based on voting and Ethereum smart contracts [J]. Journal of Computer Applications, 2024, 44(7): 2093-2101. |
[2] | Peng FANG, Fan ZHAO, Baoquan WANG, Yi WANG, Tonghai JIANG. Development, technologies and applications of blockchain 3.0 [J]. Journal of Computer Applications, 2024, 44(12): 3647-3657. |
[3] | Chaoying YAN, Ziyi ZHANG, Yingnan QU, Qiuyu LI, Dixiang ZHENG, Lijun SUN. Double auction carbon trading based on consortium blockchain [J]. Journal of Computer Applications, 2024, 44(10): 3240-3245. |
[4] | Kun ZHANG, Fengyu YANG, Fa ZHONG, Guangdong ZENG, Shijian ZHOU. Source code vulnerability detection based on hybrid code representation [J]. Journal of Computer Applications, 2023, 43(8): 2517-2526. |
[5] | Luyu CHEN, Xiaofeng MA, Jing HE, Shengzhi GONG, Jian GAO. Blockchain smart contract privacy authorization method based on TrustZone [J]. Journal of Computer Applications, 2023, 43(6): 1969-1978. |
[6] | Meng CAO, Sunjie YU, Hui ZENG, Hongzhou SHI. Hierarchical access control and sharing system of medical data based on blockchain [J]. Journal of Computer Applications, 2023, 43(5): 1518-1526. |
[7] | Yihan WANG, Chen TANG, Lan ZHANG. Anti-fraud and anti-tampering online trading mechanism for bulk stock [J]. Journal of Computer Applications, 2023, 43(4): 1309-1317. |
[8] | Yang LI, Long XU, Yanqiang LI, Shaopeng LI. Smart contract-based access control architecture and verification for internet of things [J]. Journal of Computer Applications, 2022, 42(6): 1922-1931. |
[9] | Yuntao XU, Junwu ZHU, Binwen SUN, Maosheng SUN, Sihai CHEN. Election-based supply chain: a supply chain autonomy framework based on blockchain [J]. Journal of Computer Applications, 2022, 42(6): 1770-1775. |
[10] | Min WEN, Rongcun WANG, Shujuan JIANG. Source code vulnerability detection based on relational graph convolution network [J]. Journal of Computer Applications, 2022, 42(6): 1814-1821. |
[11] | Le ZHAO, En ZHANG, Leiyong QIN, Gongli LI. Multi-party privacy preserving k-means clustering scheme based on blockchain [J]. Journal of Computer Applications, 2022, 42(12): 3801-3812. |
[12] | Shengjia GONG, Linlin ZHANG, Kai ZHAO, Juntao LIU, Han YANG. Fake news detection method based on blockchain technology [J]. Journal of Computer Applications, 2022, 42(11): 3458-3464. |
[13] | NI Ping, CHEN Wei. Reflective cross-site scripting vulnerability detection based on fuzzing test [J]. Journal of Computer Applications, 2021, 41(9): 2594-2601. |
[14] | SHEN Yumin, WANG Jinlong, HU Diankai, LIU Xingyu. Multi-person collaborative creation system of building information modeling drawings based on blockchain [J]. Journal of Computer Applications, 2021, 41(8): 2338-2345. |
[15] | CHEN Weiwei, CAO Li, GU Xiang. E-forensics model for internet of vehicles based on blockchain [J]. Journal of Computer Applications, 2021, 41(7): 1989-1995. |
Viewed | ||||||
Full text |
|
|||||
Abstract |
|
|||||