Write a Blog >>
ASE 2020
Mon 21 - Fri 25 September 2020 Melbourne, Australia
Thu 24 Sep 2020 09:10 - 09:30 at Kangaroo - Software Security and Trust (2) Chair(s): Raula Gaikovina Kula

Reentrancy bugs, one of the most severe vulnerabilities in smart contracts, has caused huge financial loss in recent years. Researchers have proposed general-purpose and rule-based approaches to detecting them. However, empirical studies have shown that they usually suffer from undesirable false positives and false negatives, especially when the code under detection involves the interaction between multiple smart contracts. In this paper, we propose an accurate and efficient cross-contract reentracy detection approach in practice. Rather than design rule-of-thumb heuristics, we conduct a large empirical study of 11714 real-world contracts from Etherscan against three well-known general-purpose security tools for reentrancy detection. We manually summarized the reentrancy scenarios where state-of-the-art approaches cannot address. Based on the empirical evidence, we present Clairvoyance, a cross-function and cross-contract static analysis to detect reentrancy vulnerabilities in real world with significantly higher accuracy. To reduce false negatives, we enable, for the first time, a cross-contract call chain analysis by tracking possibly tainted paths. To reduce false positives, we systematically summarized five major path protective techniques (PPTs) to support fast yet precise path feasibility checking. We implemented our approach and compared Clairvoyance with five state-of-the-art tools on 17770 real-worlds contracts. The results show that Clairvoyance yields the best detection accuracy among all the tools and also finds 101 unknown reentrancy vulnerabilities.

Thu 24 Sep
Times are displayed in time zone: (UTC) Coordinated Universal Time change

09:10 - 10:10: Software Security and Trust (2)Research Papers / Tool Demonstrations / Industry Showcase at Kangaroo
Chair(s): Raula Gaikovina KulaNAIST
09:10 - 09:30
Talk
Cross-Contract Static Analysis for Detecting Practical Reentrancy Vulnerabilities in Smart Contracts
Research Papers
Yinxing Xue, Mingliang MaUniversity of Science and Technology of China, Yun LinNational University of Singapore, Yulei SuiUniversity of Technology Sydney, Australia, Jiaming YeUniversity of Science and Technology of China, Tianyong PengUniversity of Science and Technology of China
09:30 - 09:50
Talk
Code-based Vulnerability Detection in Node.js Applications: How far are we?
Industry Showcase
Bodin ChinthanetNara Institute of Science and Technology, Serena Elisa PontaSAP Security Research, Henrik PlateSAP Security Research, Antonino SabettaSAP Security Research, Raula Gaikovina KulaNAIST, Takashi IshioNara Institute of Science and Technology, Kenichi MatsumotoNara Institute of Science and Technology
09:50 - 10:00
Talk
SmartBugs: A Framework to Analyze Solidity Smart Contracts
Tool Demonstrations
João F. FerreiraINESC-ID and IST, University of Lisbon, Pedro CruzIST, University of Lisbon, Portugal, Thomas DurieuxKTH Royal Institute of Technology, Sweden, Rui AbreuFaculty of Engineering, University of Porto, Portugal