As Long As I See It - OSVHunter: Understanding and Detecting Open-Secret Vulnerabilities in Smart Contracts

While Ethereum smart contracts provide users with transfer and transaction services, vulnerabilities in smart contracts are constantly damaging users’ property and user experience. At present, many detection methods for smart contract vulnerabilities have been proposed, but these methods have not fully analyzed the information of multiple modalities of smart contracts, and their effectiveness in detecting long smart contracts is not ideal. We propose a lightweight Ethereum smart contract vulnerability detection method based on bimodal and hierarchical attention to address this issue. This method can combine the source code and opcode of smart contracts for analysis, and use a hierarchical attention network composed of bidirectional GRU and attention mechanism for vulnerability feature extraction. The experimental results show that in the task of detecting vulnerabilities in long smart contracts, this method has better detection capabilities for four types of vulnerabilities: Denial of Service, Reentrancy, Arithmetic, and Timestamp Dependency, compared to the most advanced deep learning smart contract vulnerability detection methods currently available.

Financial industries operate within a framework of strict regulatory requirements, making compliance a top priority. Smart contracts, integral to the operations of FinTech companies, must align with these regulations. Cloud-based platform offers security as a service (SecaaS) to the scalable and cost-effective solution for analyzing, monitoring, and predicting vulnerabilities in smart contracts. This approach allows FinTech firms to concentrate on their core services while benefiting from specialized security tools. The potential consequences of smart contract vulnerabilities, such as financial losses, fraud, or data manipulation, underscore the critical need for proactive prediction and mitigation. By addressing vulnerabilities in advance, FinTech platforms can prevent financial losses and uphold the integrity of their transactions. Given that FinTech platforms handle customer funds, sensitive financial information, and automated transactions, maintaining trust and reliability is paramount. Predicting vulnerabilities plays a pivotal role in building and sustaining trust among users and stakeholders. This study introduces a hybrid artificial intelligence and optimization technique for smart contract vulnerability prediction in FinTech. The modified barnacles mating optimization (MBMO) algorithm is employed for the extraction of complex syntactic and semantic features, enhancing the accuracy of vulnerability predictions. Additionally, the general regressive artificial neural network (GR-ANN) is utilized to predict vulnerabilities, specifically describing vulnerability types in smart contracts deployed in a cloud environment. The evaluation of this framework involves rigorous testing using the ScrawID-real Ethereum smart contract benchmark dataset, demonstrating its capability and accuracy in predicting smart contract vulnerabilities. The study introduces a novel hybrid artificial intelligence and optimization technique aimed at predicting vulnerabilities in cloud-based smart contracts, specifically in the FinTech sector. Utilizing the modified barnacles mating optimization algorithm and the general regressive artificial neural network, this approach enhances the accuracy of vulnerability detection. The paper demonstrates the methods efficacy through rigorous testing with the ScrawID-real Ethereum smart contract benchmark dataset, highlighting its potential to bolster security in FinTech applications.

With the evolution of technology, blockchain a swiftly impending phenomenon i.e., "decentralized computing” is observed. The emergence of Smart Contracts (SC) has resulted in advancements in the application of blockchain technology. The Ethereum network’s computing capabilities and functionalities are founded on the basis of SC. A smart contract is a self-executing agreement between buyer and seller with the terms of the settlement between them, written directly as lines of code, existing across a distributed decentralized blockchain network. It is a decentralized software that runs on a blockchain autonomously, consistently, and publicly. Conversely, due to the complex semantics of fundamental domain-specific languages and their testability, constructing reliable and secure SC can be extremely difficult. SC might contain some vulnerabilities. Security vulnerabilities can originate from financial tribulations; there are a number of notorious events that specify blockchain SC could comprise numerous code-security vulnerabilities. Security and privacy of blockchain-based SC are very important, we must first identify their vulnerabilities before implementing them widely. Therefore, the purpose of this paper is to conduct a comprehensive experimental evaluation of two current security testing tools: Remix solidity static analysis plugin and Solium which are used for static analysis of SC. We have conducted an empirical analysis of SC for finding tangible and factual evidence, controlled by the scientific approach. The methodology’s first step is to gather all of the Ethereum SC and store them in a repository. The next step is to use the Remix solidity static analysis plugin and Solium to perform vulnerability assessments. The last step is to analyze the result of both tools and evaluate them on the basis of accuracy and effectiveness. The goal of this empirical analysis is to evaluate the two FOSS tools: Remix solidity static analysis plugin and Solium on the basis of accuracy and effectiveness. Some research questions were considered to reach the stated goal: What automated tools and frameworks are proposed in supporting the state-of-the-art empirical approach to SC vulnerability detection? How accurate are security analysis tools? And which tool has more accuracy rate? How effectively security analysis tools are detecting vulnerabilities in SC? And which is the most effective security analysis tool? We investigated the effectiveness and accuracy of security code analysis tools on Ethereum by testing them on a random sample of vulnerable contracts. The results indicate that the tools have significant discrepancies when it comes to certain security characteristics. In terms of effectiveness and accuracy, the Remix plugin outperformed and beat the other tool.

Ethereum smart contracts are a special type of computer programs. Once deployed on the blockchain, they cannot be modified. This presents a significant challenge to the security of smart contracts. Previous research has proposed static and dynamic detection tools to identify vulnerabilities in smart contracts. These tools check contract vulnerabilities based on predefined rules, and the accuracy of detection strongly depends on the design of the rules. However, the constant emergence of new vulnerability types and strategies for vulnerability protection leads to numerous false positives and false negatives by tools. To address this problem, we analyze the characteristics of vulnerabilities in smart contracts and the corresponding protection strategies. We convert the contracts' bytecode into an intermediate representation to extract semantic information of the contracts. Based on this semantic information, we establish a set of detection rules based on semantic facts and implement a vulnerability detection tool SafeCheck using static program analysis methods. The tool is used to detect six common types of vulnerabilities in smart contracts. We have extensively evaluated SafeCheck on real Ethereum smart contracts and compared it to other tools. The experimental results show that SafeCheck performs better in smart contract vulnerability detection compared to other typical tools, with a high F‐measure (up to 83.1%) for its entire dataset.

Digital assets involved in smart contracts are on the rise. Security vulnerabilities in smart contracts have resulted in significant losses for the blockchain community. Existing smart contract vulnerability detection techniques have been typically single-purposed and focused only on the source code or opcode of contracts. This paper presents a new smart contract vulnerability detection method, which extracts features from different levels of smart contracts to train machine learning models for effective detection of vulnerabilities. Specifically, we propose to extract 2-gram features from the opcodes of smart contracts and token features from the source code using a pre-trained CodeBERT model, thereby capturing the semantic information of smart contracts at different levels. The 2-gram and token features are separately aggregated and then fused and input into machine-learning models to mine the vulnerability features of contracts. Over 10,266 smart contracts are used to verify the proposed method. Widespread reentrancy, timestamp dependence, and transaction-ordering dependence vulnerabilities are considered. Experiments show the fused features can help significantly improve smart contract vulnerability detection compared to the single-level features. The detection accuracy is as high as 98%, 98% and 94% for the three vulnerabilities, respectively. The average detection time is 0.99 second per contract, indicating the proposed method is suitable for automatic batch detection of vulnerabilities in smart contracts.

Objective: By reviewing various previous works, this paper collects the multiple of approaches, strategies used to identify vulnerabilities in smart contracts. Blockchain is a decentralized technology that securely and immutably, records transactions across numerous computers in a visible manner. On a blockchain, smart contracts are self-executing agreements that independently execute and verify contract conditions. This reduces the need for middlemen and increases transparency. Smart contract vulnerabilities are problems in the code that could allow other parties to gain access to, alter, or steal assets as a result of mistakes, faults or imperfections made during development, thereby causing financial and operational harm. In this paper we have algorithms, techniques to detect vulnerabilities in smart contract using deep learning found in literature surveys. Methods: We have found some techniques using opcode, bytecode, Skip-Gram-Word2Vec to convert the smart contract file. Findings: We have found that LSTM, Vanilla-RNN, GRU have very less accuracy 49.64,53.68,54.54. Novelty & Applications: We will come with some different algorithms that will understand different vulnerability with more accuracy. We have come with CNN, Xception, EfficientNet-B2 which has accuracy high then LSTM, Vanilla-RNN, GRU i.e.71,69,75 percent.

Blockchain has attracted widespread attention since its inception and one of the special technologies is smart contracts. Smart contracts are programs on blockchain that act as trusted intermediary between the users and are widely used in variety of industry (e.g., IoT, supply chain management). Smart contracts can store or manipulate valuable assets which may cause huge economic losses. Unlike traditional computer programs, the code of a smart contract cannot be modified after it is deployed on the blockchain. Hence, the security analysis and vulnerability detection of the smart contract must be performed before its deployment. In this survey, we considered 15 security vulnerabilities in smart contracts and introduced the vulnerable areas and the causes of vulnerabilities. According to the methods used, we introduced the existing smart contract analysis methods and vulnerability detection tools from three aspects of static analysis, dynamic analysis and formal verification. Finally, by considering the analysis tools and security vulnerabilities, we found that a new attack cannot be detected by existing detection tools if the vulnerability without pre-defined. We recommend using machine learning methods to analyze smart contracts in combination with traditional program vulnerabilities, and find vulnerabilities that have not yet been discovered in smart contracts. In addition, many detection tools require too much resources or are too complex, so it is necessary to introduce new detection methods.KeywordsEthereumSmart contractsAnalysis toolsVulnerability detection

Smart contracts (SC) are one of the most appealing features of blockchain technologies facilitating, executing, and enforcing predefined terms of coded contracts without intermediaries. The steady adoption of smart contracts on the Ethereum blockchain has led to tens of thousands of contracts holding millions of dollars in digital currencies and small mistakes during the development of SC on immutable blockchains have already caused substantial losses and involve the danger for future incidents. Hence, today the secure development of smart contracts is an important topic and several attacks and incidents related to vulnerable smart contracts could have been avoided. To foster a secure development process of SC this paper summarizes known vulnerabilities in smart contracts found by literature research and analysis. It compares currently available code analysis tools for their capabilities to identify and detect vulnerabilities in smart contracts based on a taxonomy for vulnerabilities. Finally, based on the TheDOA attack the paper shows an example for the adoption of best practices to avoid severe vulnerabilities in smart contracts.

Security vulnerabilities in smart contracts can have severe economic consequences. Existing smart contract vulnerability detection methods rely primarily on rigid rules defined by experts and have difficulty in detecting unknown vulnerabilities. This paper proposes a new Anomalous Smart Contract Detector, named ASCD, to effectively detect known and unknown vulnerabilities in smart contracts. This is achieved by interpreting unknown vulnerabilities as code anomalies and detecting them with an anomaly detection technique named DeepSVDD. This is also attributed to a new design of feature extraction, in which we compile smart contract source codes into opcodes, extract semantic features from opcode sequences, and control flow features from control flow graphs. By joining LSTM and GIN, the semantic and control flow features are fused to offer a comprehensive representation of smart contracts suitable for anomaly detection. Extensive experiments were conducted to verify the ASCD model, and more than 30,000 smart contracts were tested. The new model offers a significantly better F1-score than existing methods in detecting known vulnerabilities and achieves a high accuracy of 77% in detecting unknown vulnerabilities.

Information and communication technology based inter-organizational systems enable companies to integrate information and conduct business electronically across different parts of the organization. For organizations embracing blockchain, smart contracts provide automation and operational efficiency for inter-organizational systems. Initially utilised for financial transactions, smart contract are extended beyond banking and deployed in wide number of organizations. Smart contracts are regarded as self-executing type of contract consisting of agreement’s terms embedded directly into the code which plays a vital role in operability for inter-organizational systems, however, smart contract vulnerabilities can arise due to programming errors, leading to security issues. The effects of smart contract vulnerabilities can be significant, including loss of funds, unauthorized access to sensitive information, manipulation of data, and loss of trust in the application leading to catastrophic financial losses followed by legal implications for an organization based on blockchain technology. The goal of smart contracts exploiting vulnerabilities is to discover and eliminate potential security vulnerabilities in smart contract code prior to it being deployed. Detecting vulnerabilities in a timely manner helps to prevent financial losses, unauthorized access, and data manipulation. In order to provide a robust solution to detect vulnerabilities in smart contracts, the proposed methodology presents a novel approach for rapid detection of vulnerabilities by integrating genetic algorithm with isolation forest. Furthermore, enhancing smart contract vulnerability identification with higher accuracy and false-positive rate provides a reliable gateway for organizations to adopt blockchain.

A smart contract is a computer protocol intended to digitally facilitate and enforce the negotiation of a contract in undependable environment. However, the number of attacks using the vulnerabilities of the smart contracts is also growing in recent years. Many solutions have been proposed in order to deal with them, such as documenting vulnerabilities or setting the security strategies. Among them, the most influential progress is made by the formal verification method. In this paper, we propose a formal verification method based on Colored Petri Nets (CPN) to verify smart contracts in blockchain system. First, we develop the smart contract models with possible attacker models based on hierarchical CPN modeling, then the smart contract models are executed by step-by-step simulation to validate their functional correctness, and finally we utilize the branch timing logic ASK-CTL based model checking technology in the CPN tools to detect latent vulnerabilities in smart contracts. We demonstrate that our CPN modeling based verification method can not only detect the logical vulnerabilities of the smart contract, but also consider the impacts of users behavior to find out potential non-logical vulnerabilities in the contracts, such as the vulnerabilities caused by the limitations of the Solidity language.

Smart contracts are nowadays at the core of most blockchain systems. Like all computer programs, smart contracts are subject to the presence of residual faults, including severe security vulnerabilities. However, the key distinction lies in how these vulnerabilities are addressed. In smart contracts, when a vulnerability is identified, the affected contract must be terminated within the blockchain, as due to the immutable nature of blockchains, it is impossible to patch a contract once deployed. In this context, research efforts have been focused on proactively preventing the deployment of smart contracts containing vulnerabilities, mainly through the development of vulnerability detection tools. Along with these efforts, several heterogeneous vulnerability classification schemes appeared (e.g., most notably DASP and SWC). At the time of writing, these are mostly outdated initiatives, even though new smart contract vulnerabilities are consistently uncovered. In this paper, we propose OpenSCV, a new and Open hierarchical taxonomy for Smart Contract vulnerabilities, which is open to community contributions and matches the current state of the practice while being prepared to handle future modifications and evolution. The taxonomy was built based on the analysis of the existing research on vulnerability classification, community-maintained classification schemes, and research on smart contract vulnerability detection. We show how OpenSCV covers the announced detection ability of the current vulnerability detection tools and highlight its usefulness in smart contract vulnerability research. To validate OpenSCV, we performed an expert-based analysis wherein we invited multiple experts engaged in smart contract security research to participate in a questionnaire. The feedback from these experts indicated that the categories in OpenSCV are representative, clear, easily understandable, comprehensive, and highly useful. Regarding the vulnerabilities, the experts confirmed that they are easily understandable.

The blockchain 2.0 age, marked by smart contract and Ethereum, has arrived couple years ago. Its technologies have expanded the application scenarios of blockchain technology and driven the boom of decentralized Finance. However, smart contract vulnerabilities and security issues are also emerging one after another. Hackers have exploited these vulnerabilities to cause huge economic losses. In recent years, a large amount of research on the analysis and detection of smart contract vulnerabilities has emerged, but there has been no common detection tool and corresponding test dataset. In this paper, we build GSVD dataset (Generalized Smart Contract Vulnerability Dataset) consisting four offline datasets using smart contracts on two chains, Polygon and BSC: two small Solidity datasets consisting of 153 labeled smart contract source codes, which can be used to test the performance of vulnerability mining tools; two large Solidity datasets consisting of 52,202 un labeled real smart contract source codes that can be used to verify the correctness of various theories and tools under a large number of real data conditions. At the same time, this paper integrates the scripting framework accompanying the GSVD dataset, which can execute a variety of popular automated vulnerability detection tools on top of these datasets and generate analysis results of contracts and potential vulnerabilities. We tested the Minor dataset under GSVD using three tools (Slither, Manticore, Mythril) that are kept up to date and found that the combined use of all tools detected 61.1% of labeled vulnerabilities, of which Mythril has the highest detection rate of 42.6%. It is not difficult to conclude that there`re still ample room for advancement for current smart contract vulnerability mining tools because of their underlying methods. Besides, our dataset can contribute to the ultimate target greatly by providing mining tools plenty real contracts information.

In the context of the rapid development of blockchain technology, smart contracts have also been widely used in the Internet of Things, finance, healthcare, and other fields. There has been an explosion in the number of smart contracts, and at the same time, the security of smart contracts has received widespread attention because of the financial losses caused by smart contract vulnerabilities. Existing analysis tools can detect many smart contract security vulnerabilities, but because they rely too heavily on hard rules defined by experts when detecting smart contract vulnerabilities, the time to perform the detection increases significantly as the complexity of the smart contract increases. In the present study, we propose a novel hybrid deep learning model named CBGRU that strategically combines different word embedding (Word2Vec, FastText) with different deep learning methods (LSTM, GRU, BiLSTM, CNN, BiGRU). The model extracts features through different deep learning models and combine these features for smart contract vulnerability detection. On the currently publicly available dataset SmartBugs Dataset-Wild, we demonstrate that the CBGRU hybrid model has great smart contract vulnerability detection performance through a series of experiments. By comparing the performance of the proposed model with that of past studies, the CBGRU model has better smart contract vulnerability detection performance.

Blockchain is a platform of distributed elaboration, which allows users to provide software for a huge range of next‐generation decentralized applications without involving reliable third parties. Smart contracts (SCs) are an important component in blockchain applications: they are programmatic agreements among two or more parties that cannot be rescinded. Furthermore, SCs have an important characteristic: they allow users to implement reliable transactions without involving third parties. However, the advantages of SCs have a price. Like any program, SCs can contain bugs, some of which may also constitute security threats. Writing correct and secure SCs can be extremely difficult because, once deployed, they cannot be modified. Although SCs have been recently introduced, a large number of approaches have been proposed to find bugs and vulnerabilities in SCs. In this article, we present a systematic literature review on the approaches for the automated detection of bugs and vulnerabilities in SCs. We survey 68 papers published between 2015 and 2020, and we annotate each paper according to our classification framework to provide quantitative results and find possible areas not explored yet. Finally, we identify the open problems in this research field to provide possible directions to future researchers.