Title: EtherProv: Provenance-Aware Detection, Analysis, and Mitigation of Ethereum Smart Contract Security Issues
Authors: Shlomi Linoy, S. Ray, Natalia Stakhanova
Venue: 2021 IEEE International Conference on Blockchain (Blockchain)
Published: 2021-12-01
DOI: 10.1109/Blockchain53845.2021.00014 (https://doi.org/10.1109/Blockchain53845.2021.00014)
Citations: 4
Abstract
The rapid adoption of blockchain technologies, and particularly of smart contracts, has been overshadowed by numerous security concerns. Over the past few years, a number of reports have exposed smart contract vulnerabilities and exploits, which mainly stem from the immaturity of the field and, consequently, from a lack of knowledge and tools for the automated analysis and verification of smart contracts. The restricting properties of the blockchain environment, such as the immutability of deployed contracts, encumber the analysis and mitigation of vulnerabilities and bugs in deployed contracts. To address these challenges, we propose EtherProv, a novel provenance tracking system that leverages the synergy of static and dynamic analysis to enable detection and mitigation of known security issues in Ethereum smart contracts. EtherProv combines static analysis of Solidity source code with dynamic analysis data collected through contract bytecode instrumentation. The collected data is transformed into a unified, high-level representation that can be queried using concise and descriptive Datalog queries. Within the provenance framework, EtherProv is able to analyze contracts' execution flow over time, to detect vulnerabilities both within a single contract's execution flow and across multiple interacting contracts, and to mitigate new security threats in already deployed contracts. Our evaluation shows that EtherProv can efficiently and precisely identify vulnerable contracts with an average contract instrumentation gas overhead of 18.9%.