TaintGuard: Preventing implicit privilege leakage in smart contract based on taint tracking at abstract syntax tree level

Abstract

Solidity smart contracts play an important role in enabling interactions and collaborations among users in a decentralized blockchain-based community, and their security has received much attention in the industry. One of the most serious security issues faced by Solidity smart contracts is that the use of delegatecall to make cross-contract calls will tamper with contract privilege, which is difficult to detect. To improve the robustness of smart contract privilege control mechanisms at the level of source code, this paper designs and implements a new cross-contract static analysis tool called TaintGuard based on the abstract syntax tree of Solidity code and by combining taint analysis and instrumentation monitoring. TaintGuard uses solc to obtain the abstract syntax tree of the contract source code and then traverses the nodes of the tree to filter call relations that use delegatecall for cross-contract calls. Then, TaintGuard obtains the control flow graph within the target function, determines whether there are problematic paths in the control flow graph that may cause implicit leakage of contract privileges through static taint analysis, and instruments monitoring code in the corresponding position of the program. In this way, the contract status in the runtime stage is monitored to prevent the contract privileges from being tampered with by malicious callers. Finally, TaintGuard is evaluated against existing static analysis tools for Solidity smart contracts. The evaluation results indicate that TaintGuard outperforms other tools in terms of execution efficiency. Also, it can effectively fix the contract code with privilege leaks with a acceptable overhead.