View in EDS HTML Full Text PDF Full Text

Uncover the Premeditated Attacks: Detecting Exploitable Reentrancy Vulnerabilities by Identifying Attacker Contracts.

Saved in:
Bibliographic Details
Title: Uncover the Premeditated Attacks: Detecting Exploitable Reentrancy Vulnerabilities by Identifying Attacker Contracts.
Authors: Yang, Shuo1 yangsh233@mail2.sysu.edu.cn, Chen, Jiachi1 chenjch86@mail.sysu.edu.cn, Huang, Mingyuan1 huangmy83@mail2.sysu.edu.cn, Zheng, Zibin1 zhzibin@mail.sysu.edu.cn, Huang, Yuan1 huangyuan5@mail.sysu.edu.cn
Source: ICSE: International Conference on Software Engineering. 2024, p1-12. 12p.
Subjects: Public contracts, Data flow computing, Language & languages, Cryptocurrencies, Tokens
Abstract: Reentrancy, a notorious vulnerability in smart contracts, has led to millions of dollars in financial loss. However, current smart contract vulnerability detection tools suffer from a high false positive rate in identifying contracts with reentrancy vulnerabilities. Moreover, only a small portion of the detected reentrant contracts can actually be exploited by hackers, making these tools less effective in securing the Ethereum ecosystem in practice. In this paper, we propose BlockWatchdog, a tool that focuses on detecting reentrancy vulnerabilities by identifying attacker contracts. These attacker contracts are deployed by hackers to exploit vulnerable contracts automatically. By focusing on attacker contracts, BlockWatchdog effectively detects truly exploitable reentrancy vulnerabilities by identifying reentrant call flow. Additionally, BlockWatchdog is capable of detecting new types of reentrancy vulnerabilities caused by poor designs when using ERC tokens or user-defined interfaces, which cannot be detected by current rule-based tools. We implement BlockWatchdog using cross-contract static dataflow techniques based on attack logic obtained from an empirical study that analyzes attacker contracts from 281 attack incidents. BlockWatchdog is evaluated on 421,889 Ethereum contract bytecodes and identifies 113 attacker contracts that target 159 victim contracts, leading to the theft of Ether and tokens valued at approximately 908.6 million USD. Notably, only 18 of the identified 159 victim contracts can be reported by current reentrancy detection tools. [ABSTRACT FROM AUTHOR]
Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
Full text is not displayed to guests.
FullText Links:
  – Type: pdflink
Text:
  Availability: 1
Header DbId: egs
DbLabel: Engineering Source
An: 185196433
AccessLevel: 6
PubType: Conference
PubTypeId: conference
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: Uncover the Premeditated Attacks: Detecting Exploitable Reentrancy Vulnerabilities by Identifying Attacker Contracts.
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Yang%2C+Shuo%22">Yang, Shuo</searchLink><relatesTo>1</relatesTo><i> yangsh233@mail2.sysu.edu.cn</i><br /><searchLink fieldCode="AR" term="%22Chen%2C+Jiachi%22">Chen, Jiachi</searchLink><relatesTo>1</relatesTo><i> chenjch86@mail.sysu.edu.cn</i><br /><searchLink fieldCode="AR" term="%22Huang%2C+Mingyuan%22">Huang, Mingyuan</searchLink><relatesTo>1</relatesTo><i> huangmy83@mail2.sysu.edu.cn</i><br /><searchLink fieldCode="AR" term="%22Zheng%2C+Zibin%22">Zheng, Zibin</searchLink><relatesTo>1</relatesTo><i> zhzibin@mail.sysu.edu.cn</i><br /><searchLink fieldCode="AR" term="%22Huang%2C+Yuan%22">Huang, Yuan</searchLink><relatesTo>1</relatesTo><i> huangyuan5@mail.sysu.edu.cn</i>
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22ICSE%3A+International+Conference+on+Software+Engineering%22">ICSE: International Conference on Software Engineering</searchLink>. 2024, p1-12. 12p.
– Name: Subject
  Label: Subjects
  Group: Su
  Data: <searchLink fieldCode="DE" term="%22Public+contracts%22">Public contracts</searchLink><br /><searchLink fieldCode="DE" term="%22Data+flow+computing%22">Data flow computing</searchLink><br /><searchLink fieldCode="DE" term="%22Language+%26+languages%22">Language & languages</searchLink><br /><searchLink fieldCode="DE" term="%22Cryptocurrencies%22">Cryptocurrencies</searchLink><br /><searchLink fieldCode="DE" term="%22Tokens%22">Tokens</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: Reentrancy, a notorious vulnerability in smart contracts, has led to millions of dollars in financial loss. However, current smart contract vulnerability detection tools suffer from a high false positive rate in identifying contracts with reentrancy vulnerabilities. Moreover, only a small portion of the detected reentrant contracts can actually be exploited by hackers, making these tools less effective in securing the Ethereum ecosystem in practice. In this paper, we propose BlockWatchdog, a tool that focuses on detecting reentrancy vulnerabilities by identifying attacker contracts. These attacker contracts are deployed by hackers to exploit vulnerable contracts automatically. By focusing on attacker contracts, BlockWatchdog effectively detects truly exploitable reentrancy vulnerabilities by identifying reentrant call flow. Additionally, BlockWatchdog is capable of detecting new types of reentrancy vulnerabilities caused by poor designs when using ERC tokens or user-defined interfaces, which cannot be detected by current rule-based tools. We implement BlockWatchdog using cross-contract static dataflow techniques based on attack logic obtained from an empirical study that analyzes attacker contracts from 281 attack incidents. BlockWatchdog is evaluated on 421,889 Ethereum contract bytecodes and identifies 113 attacker contracts that target 159 victim contracts, leading to the theft of Ether and tokens valued at approximately 908.6 million USD. Notably, only 18 of the identified 159 victim contracts can be reported by current reentrancy detection tools. [ABSTRACT FROM AUTHOR]
– Name: AbstractSuppliedCopyright
  Label:
  Group: Ab
  Data: <i>Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.)
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=185196433
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.1145/3597503.3639153
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 12
        StartPage: 1
    Subjects:
      – SubjectFull: Public contracts
        Type: general
      – SubjectFull: Data flow computing
        Type: general
      – SubjectFull: Language & languages
        Type: general
      – SubjectFull: Cryptocurrencies
        Type: general
      – SubjectFull: Tokens
        Type: general
    Titles:
      – TitleFull: Uncover the Premeditated Attacks: Detecting Exploitable Reentrancy Vulnerabilities by Identifying Attacker Contracts.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Yang, Shuo
      – PersonEntity:
          Name:
            NameFull: Chen, Jiachi
      – PersonEntity:
          Name:
            NameFull: Huang, Mingyuan
      – PersonEntity:
          Name:
            NameFull: Zheng, Zibin
      – PersonEntity:
          Name:
            NameFull: Huang, Yuan
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 05
              Text: 2024
              Type: published
              Y: 2024
          Titles:
            – TitleFull: ICSE: International Conference on Software Engineering
              Type: main
ResultId 1