ASE 2023
Mon 11 - Fri 15 September 2023 Kirchberg, Luxembourg
Thu 14 Sep 2023 15:42 - 15:54 at Room E - Vulnerability and Security 2 Chair(s): Ben Hermann

Front-running attacks have been a major concern on the blockchain. Attackers launch front-running attacks by inserting additional transactions before upcoming victim transactions to manipulate victim transaction executions and make profits. Recent studies have shown that front-running attacks are prevalent on the Ethereum blockchain and have caused millions of US dollars loss. It is the vulnerabilities in smart contracts, which are blockchain programs invoked by transactions, that enable the front-running attack opportunities. Although techniques to detect front-running vulnerabilities have been proposed, their performance on real-world vulnerable contracts is unclear. There is no large-scale benchmark based on real attacks to evaluate their capabilities. We make four contributions in this paper. First, we design an effective algorithm to mine real-world attacks in the blockchain history. The evaluation shows that our mining algorithm is more effective and comprehensive, achieving higher recall in finding real attacks than the previous study. Second, we propose an automated and scalable vulnerability localization approach to localize code snippets in smart contracts that enable front-running attacks. The evaluation also shows that our localization approaches are effective in achieving higher precision in pinpointing vulnerabilities compared to the baseline technique. Third, we build a benchmark consisting of 513 real-world attacks with vulnerable code labeled in 235 distinct smart contracts, which is useful to help understand the nature of front-running attacks, vulnerabilities in smart contracts, and evaluate vulnerability detection techniques. Last but not least, we conduct an empirical evaluation of seven state-of-the-art vulnerability detection techniques on our benchmark. The evaluation experiment reveals the inadequacy of existing techniques in detecting front-running vulnerabilities, with a low recall of <= 6.04%. Our further analysis identifies four common limitations in existing techniques: lack of support for inter-contract analysis, inefficient constraint solving for cryptographic operations, improper vulnerability patterns, and lack of token support.

Presentation Slides (ASE-J1.pdf)1.68MiB

Thu 14 Sep

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

15:30 - 17:00
Vulnerability and Security 2Journal-first Papers / Industry Showcase (Papers) / Research Papers at Room E
Chair(s): Ben Hermann TU Dortmund
15:30
12m
Talk
An Industrial Practice for Securing Android Apps in the Banking Domain
Industry Showcase (Papers)
Vikas K. Malviya Singapore Management University, Phong Phan i-Sprint Innovations Pte. Ltd, Yan Naing Tun Singapore Management University, Albert Ching i-Sprint Innovations Pte. Ltd, Lwin Khin Shar Singapore Management University
File Attached
15:42
12m
Talk
Combatting Front-Running in Smart Contracts: Attack Mining, Benchmark Construction and Vulnerability Detector Evaluation
Journal-first Papers
Wuqi Zhang The Hong Kong University of Science and Technology, Lili Wei McGill University, Shing-Chi Cheung Hong Kong University of Science and Technology, Yepang Liu Southern University of Science and Technology, Shuqing Li The Chinese University of Hong Kong, Lu Liu The Hong Kong University of Science and Technology, Michael Lyu The Chinese University of Hong Kong
Link to publication DOI Pre-print File Attached
15:54
12m
Talk
Software Engineering Using Autonomous Agents: Are We There Yet?Recorded talk
Industry Showcase (Papers)
Samdyuti Suri Accenture Tech Labs, Sankar Narayan Das Accenture Tech Labs, Kapil Singi Accenture, Kuntal Dey Accenture Labs, India, Vibhu Saujanya Sharma Accenture Labs, Vikrant Kaulgud Accenture Labs, India
Media Attached
16:06
12m
Talk
DeFiWarder: Protecting DeFi Apps from Token Leaking VulnerabilitiesRecorded talk
Research Papers
Jianzhong Su Sun Yat-sen University, Xingwei Lin Ant Group, Zhiyuan Fang Sun Yat-sen University, Zhirong Zhu Sun Yat-sen University, Jiachi Chen Sun Yat-sen University, Zibin Zheng Sun Yat-sen University, Wei Lv Ant Group, Jiashui Wang Zhejiang University
Media Attached
16:18
12m
Talk
VD-Guard: DMA Guided Fuzzing for Hypervisor Virtual DeviceRecorded talk
Research Papers
Yuwei Liu Institute of Software, Chinese Academy of Sciences, Siqi Chen Shanghai Jiao Tong University, Yuchong Xie Shanghai Jiao Tong University, Yanhao Wang Qi An Xin Group Corp., Libo Chen Shanghai Jiao Tong University, Bin Wang Beijing Institute of Computer Technology and Applications, Yingming Zeng Beijing Institute of Computer Technology and Applications, Zhi Xue Shanghai Jiao Tong University, Purui Su Institute of Software/CAS China
Media Attached File Attached
16:30
12m
Talk
Smart Prompt Advisor: Multi-objective Prompt Framework for Consistency and Best PracticesRecorded talk
Industry Showcase (Papers)
Kanchanjot Kaur Phokela Accenture, Samarth Sikand Accenture Labs, Kapil Singi Accenture, Kuntal Dey Accenture Labs, India, Vibhu Saujanya Sharma Accenture Labs, Vikrant Kaulgud Accenture Labs, India
Media Attached