Combatting Front-Running in Smart Contracts: Attack Mining, Benchmark Construction and Vulnerability Detector Evaluation
Front-running attacks have been a major concern on the blockchain. Attackers launch front-running attacks by inserting additional transactions before upcoming victim transactions to manipulate victim transaction executions and make profits. Recent studies have shown that front-running attacks are prevalent on the Ethereum blockchain and have caused millions of US dollars loss. It is the vulnerabilities in smart contracts, which are blockchain programs invoked by transactions, that enable the front-running attack opportunities. Although techniques to detect front-running vulnerabilities have been proposed, their performance on real-world vulnerable contracts is unclear. There is no large-scale benchmark based on real attacks to evaluate their capabilities. We make four contributions in this paper. First, we design an effective algorithm to mine real-world attacks in the blockchain history. The evaluation shows that our mining algorithm is more effective and comprehensive, achieving higher recall in finding real attacks than the previous study. Second, we propose an automated and scalable vulnerability localization approach to localize code snippets in smart contracts that enable front-running attacks. The evaluation also shows that our localization approaches are effective in achieving higher precision in pinpointing vulnerabilities compared to the baseline technique. Third, we build a benchmark consisting of 513 real-world attacks with vulnerable code labeled in 235 distinct smart contracts, which is useful to help understand the nature of front-running attacks, vulnerabilities in smart contracts, and evaluate vulnerability detection techniques. Last but not least, we conduct an empirical evaluation of seven state-of-the-art vulnerability detection techniques on our benchmark. The evaluation experiment reveals the inadequacy of existing techniques in detecting front-running vulnerabilities, with a low recall of <= 6.04%. Our further analysis identifies four common limitations in existing techniques: lack of support for inter-contract analysis, inefficient constraint solving for cryptographic operations, improper vulnerability patterns, and lack of token support.
| Presentation Slides (ASE-J1.pdf) | 1.68MiB |
Thu 14 SepDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
15:30 - 17:00 | Vulnerability and Security 2Journal-first Papers / Industry Showcase (Papers) / Research Papers at Room E Chair(s): Ben Hermann TU Dortmund | ||
15:30 12mTalk | An Industrial Practice for Securing Android Apps in the Banking Domain Industry Showcase (Papers) Vikas K. Malviya Singapore Management University, Phong Phan i-Sprint Innovations Pte. Ltd, Yan Naing Tun Singapore Management University, Albert Ching i-Sprint Innovations Pte. Ltd, Lwin Khin Shar Singapore Management University File Attached | ||
15:42 12mTalk | Combatting Front-Running in Smart Contracts: Attack Mining, Benchmark Construction and Vulnerability Detector Evaluation Journal-first Papers Wuqi Zhang The Hong Kong University of Science and Technology, Lili Wei McGill University, Shing-Chi Cheung Hong Kong University of Science and Technology, Yepang Liu Southern University of Science and Technology, Shuqing Li The Chinese University of Hong Kong, Lu Liu The Hong Kong University of Science and Technology, Michael Lyu The Chinese University of Hong Kong Link to publication DOI Pre-print File Attached | ||
15:54 12mTalk | Software Engineering Using Autonomous Agents: Are We There Yet?Recorded talk Industry Showcase (Papers) Samdyuti Suri Accenture Tech Labs, Sankar Narayan Das Accenture Tech Labs, Kapil Singi Accenture, Kuntal Dey Accenture Labs, India, Vibhu Saujanya Sharma Accenture Labs, Vikrant Kaulgud Accenture Labs, India Media Attached | ||
16:06 12mTalk | DeFiWarder: Protecting DeFi Apps from Token Leaking VulnerabilitiesRecorded talk Research Papers Jianzhong Su Sun Yat-sen University, Xingwei Lin Ant Group, Zhiyuan Fang Sun Yat-sen University, Zhirong Zhu Sun Yat-sen University, Jiachi Chen Sun Yat-sen University, Zibin Zheng Sun Yat-sen University, Wei Lv Ant Group, Jiashui Wang Zhejiang University & Ant Group Media Attached | ||
16:18 12mTalk | VD-Guard: DMA Guided Fuzzing for Hypervisor Virtual DeviceRecorded talk Research Papers Yuwei Liu Institute of Software, Chinese Academy of Sciences, Siqi Chen Shanghai Jiao Tong University, Yuchong Xie Shanghai Jiao Tong University, Yanhao Wang Qi An Xin Group Corp., Libo Chen Shanghai Jiao Tong University, Bin Wang Beijing Institute of Computer Technology and Applications, Yingming Zeng Beijing Institute of Computer Technology and Applications, Zhi Xue Shanghai Jiao Tong University, Purui Su Institute of Software/CAS China Media Attached File Attached | ||
16:30 12mTalk | Smart Prompt Advisor: Multi-objective Prompt Framework for Consistency and Best PracticesRecorded talk Industry Showcase (Papers) Kanchanjot Kaur Phokela Accenture, Samarth Sikand Accenture Labs, Kapil Singi Accenture, Kuntal Dey Accenture Labs, India, Vibhu Saujanya Sharma Accenture Labs, Vikrant Kaulgud Accenture Labs, India Media Attached | ||