ASE 2025
Sun 16 - Thu 20 November 2025 Seoul, South Korea

This program is tentative and subject to change.

Wed 19 Nov 2025 15:20 - 15:30 at Grand Hall 2 - Fuzzing 2

Smart contract vulnerabilities continue to cause significant financial losses, despite the implementation of security measures such as manual audits and bug bounty platforms. A critical component often required by these security measures is the proof-of-concept (PoC) exploit, which validates vulnerability exploitability, assesses impact severity, and guides developers in fixes. Existing tools have explored automated PoC generation with techniques like symbolic execution, fuzzing, and program synthesis. However, these approaches frequently fail to generate PoCs for vulnerabilities exploited in real-world incidents, primarily due to their limitations in handling complex transaction dependencies, navigating vast on-chain state spaces, or requiring extensive manual specifications.

We propose a migration-based approach that extracts critical information from documented security incidents and applies it to generate PoCs for similar vulnerable code, reusing proven exploit patterns rather than generating PoCs from scratch. The approach is motivated by two key observations: the prevalence of code reuse in smart contracts (up to 90% at the function level) and the increasing availability of documented PoCs for real-world incidents. It operates in three phases: (1) abstracting essential components (i.e., environment properties, attack logic, and verification checks) from existing PoCs into templates; (2) given a new target contract, selecting suitable templates and adapting their values through clone detection and property-feasibility analysis; and (3) generating and validating PoCs in simulated environments. Our evaluation demonstrates both effectiveness and efficiency: the approach generates valid PoCs for 62 out of 67 manually validated cases without false positives, and completes its analysis in 3.8 hours compared to the 133.2 and 210.5 hours required by existing tools. By the submission date, we had validated 256 vulnerable contracts on-chain, including 64 cross-chain cases, demonstrating the ability of our tool to migrate PoCs across diverse blockchain environments.
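The three phases described above, as an added illustration in Python. This is a constructed example and not the paper's tool: the incident and target contract sources, the template layout, the token-based clone measure and its 0.6 threshold, the feasibility rule (the target must contain an ETH send and a caller-balance reset) and the in-process simulator are all stand-ins chosen here to show how the phases fit together. Phase 2 only asks whether the template's operations exist in the target; whether they are exploitable is decided by running the attack in phase 3, which is what lets a patched clone pass clone detection yet yield no PoC.

```python
"""Toy model of the abstract's three-phase migration pipeline (constructed example)."""
import re

# Phase 1: template abstracted from a documented incident PoC (constructed sources)
INCIDENT = {
    "deposit": "function deposit() public payable { balances[msg.sender] += msg.value; }",
    "withdraw": """function withdraw() public {
        require(balances[msg.sender] > 0);
        (bool ok, ) = msg.sender.call{value: balances[msg.sender]}("");
        balances[msg.sender] = 0;
    }""",
}
TEMPLATE = {
    "name": "reentrancy-withdraw",
    "roles": {"DEPOSIT": INCIDENT["deposit"], "WITHDRAW": INCIDENT["withdraw"]},  # environment properties
    "attack": ["{DEPOSIT}{{value: stake}}()", "{WITHDRAW}()", "receive(): re-enter {WITHDRAW}()"],  # attack logic
    "check": lambda received, stake: received > stake,  # verification check
}

# Phase 2: clone detection on identifier-blind token 3-grams, then property feasibility
KEYWORDS = {"function", "public", "external", "payable", "require", "msg", "sender", "value", "call", "uint256", "bool"}
TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|\S")
RESET = re.compile(r"\w+\[msg\.sender\]\s*=\s*0")   # caller's balance set to zero

def normalize(src):
    """Token stream with identifiers and literals abstracted, so renamed clones still match."""
    return [t if t in KEYWORDS else "NUM" if t[0].isdigit() else
            "ID" if (t[0].isalpha() or t[0] == "_") else t for t in TOKEN.findall(src)]

def similarity(a, b, n=3):  # Jaccard similarity over token n-grams of two function bodies
    grams = lambda toks: {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}
    ga, gb = grams(normalize(a)), grams(normalize(b))
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0

def select_template(target, tpl, threshold=0.6):
    """Map each role to its closest target function, then check the operations the attack needs exist."""
    adapted = {}
    for role, incident_fn in tpl["roles"].items():
        name, body = max(target.items(), key=lambda kv: similarity(incident_fn, kv[1]))
        if similarity(incident_fn, body) < threshold:
            return None
        adapted[role] = name
    withdraw = target[adapted["WITHDRAW"]]
    return adapted if ".call{" in withdraw and RESET.search(withdraw) else None

# Phase 3: lift the target's operation order, run the attack in a simulator, keep the PoC only if the check holds
def lift_steps(withdraw_src):
    return ["send" if ".call{" in ln else "reset" for ln in withdraw_src.splitlines()
            if ".call{" in ln or RESET.search(ln)]

class SimVault:
    """Stand-in for a forked-chain run: executes the lifted steps with real re-entry."""
    def __init__(self, pool, steps):
        self.pool, self.steps, self.balances = pool, steps, {}
    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount
    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        for step in self.steps:
            if step == "send":
                self.pool -= amount
                on_receive(amount)        # attacker code runs here
            else:
                self.balances[who] = 0

def generate_and_validate(target_name, target, tpl, pool=10, stake=1):
    """Return the rendered PoC and simulated profit, or None if no valid PoC migrates."""
    adapted = select_template(target, tpl)
    if adapted is None:
        return None
    vault = SimVault(pool, lift_steps(target[adapted["WITHDRAW"]]))
    received = 0
    def on_receive(amount):
        nonlocal received
        received += amount
        vault.withdraw("attacker", on_receive)   # the re-entrant call; stops once the pool is drained
    vault.deposit("attacker", stake)
    vault.withdraw("attacker", on_receive)
    if not tpl["check"](received, stake):
        return None                              # simulation refutes it: no PoC emitted
    poc = f"// PoC migrated from template {tpl['name']} to {target_name}\n" + "\n".join(
        "    // " + step.format(**adapted) for step in tpl["attack"])
    return {"poc": poc, "profit": received - stake}

# Constructed targets: a renamed clone of the incident contract, and the same contract with the fix
TARGET_CLONE = {
    "stake": "function stake() external payable { credits[msg.sender] += msg.value; }",
    "redeem": """function redeem() external {
        require(credits[msg.sender] > 0);
        (bool sent, ) = msg.sender.call{value: credits[msg.sender]}("");
        credits[msg.sender] = 0;
    }""",
}
TARGET_PATCHED = {"stake": TARGET_CLONE["stake"], "redeem": "\n".join(   # reset moved before the send
    TARGET_CLONE["redeem"].splitlines()[i] for i in (0, 1, 3, 2, 4))}
```

Running `generate_and_validate("Clone", TARGET_CLONE, TEMPLATE)` returns a PoC outline with the adapted names (`stake`, `redeem`) and a simulated profit of 10 (the whole constructed pool); the patched target is matched by clone detection and passes the feasibility rule, but the simulated run yields no profit, so no PoC is emitted; a function unrelated to the template fails clone detection outright. A real pipeline would replay the generated test against forked chain state rather than against a Python stand-in, but the decision structure is the same.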


Wed 19 Nov

Displayed time zone: Seoul

14:00 - 15:30
14:00
10m
Talk
Terminator: enabling efficient fuzzing of closed-source GUI programs by automatic coverage-guided termination
Research Papers
Jonas Zabel Fraunhofer SIT | ATHENE, Philip Kolvenbach, Steven Arzt Fraunhofer SIT; ATHENE
14:10
10m
Talk
Function Clustering-Based Fuzzing Termination: Toward Smarter Early Stopping
Research Papers
ding liang University of Science and Technology of China, Wenzhang Yang Institute of AI for industries, Yinxing Xue Institute of AI for Industries, Chinese Academy of Sciences
14:20
10m
Talk
Risk Estimation in Differential Fuzzing via Extreme Value Theory
Research Papers
Rafael Baez University of Texas at El Paso, Alejandro Olivas University of Texas at El Paso, Nathan K Diamond University of Texas at El Paso, Marcelo F. Frias Dept. of Software Engineering Instituto Tecnológico de Buenos Aires, Yannic Noller Ruhr University Bochum, Saeid Tizpaz-Niari University of Illinois Chicago
14:30
10m
Talk
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs
Journal-First Track
Andrea Arcuri Kristiania University College and Oslo Metropolitan University, Man Zhang Beihang University, China, Juan Pablo Galeotti University of Buenos Aires
14:40
10m
Talk
BCFuzz: Bytecode-Driven Fuzzing for JavaScript Engines
Research Papers
Jiming Wang SKLP, Institute of Computing Technology, CAS & University of Chinese Academy of Sciences, Chenggang Wu Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences; Zhongguancun Laboratory, Jikai Ren SKLP, Institute of Computing Technology, CAS & University of Chinese Academy of Sciences, Yuhao Hu SKLP, Institute of Computing Technology, CAS & University of Chinese Academy of Sciences, Yan Kang Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Xiaojie Wei SKLP, Institute of Computing Technology, CAS, Yuanming Lai Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Mengyao Xie SKLP, Institute of Computing Technology, CAS, Zhe Wang Institute of Computing Technology at Chinese Academy of Sciences; Zhongguancun Laboratory
14:50
10m
Talk
LSPFuzz: Hunting Bugs in Language Servers
Research Papers
Hengcheng Zhu The Hong Kong University of Science and Technology, Songqiang Chen The Hong Kong University of Science and Technology, Valerio Terragni University of Auckland, Lili Wei McGill University, Yepang Liu Southern University of Science and Technology, Jiarong Wu, Shing-Chi Cheung Hong Kong University of Science and Technology
Pre-print
15:00
10m
Talk
TEPHRA: Principled Discovery of Fuzzer Limitations
Research Papers
Vasil Sarafov μCSRL, CODE Research Institute, University of the Bundeswehr Munich, David Markvica μCSRL, CODE Research Institute, University of the Bundeswehr Munich, Stefan Brunthaler μCSRL, CODE Research Institute, University of the Bundeswehr Munich
15:10
10m
Talk
Learning-Guided Fuzzing for Testing Stateful SDN Controllers
Journal-First Track
Raphaël Ollando University of Luxembourg, Seung Yeob Shin University of Luxembourg, Lionel Briand University of Ottawa, Canada; Lero centre, University of Limerick, Ireland
15:20
10m
Talk
Learning from the Past: Real-World Exploit Migration for Smart Contract PoC Generation
Research Papers
Kairan Sun Nanyang Technological University, Zhengzi Xu Imperial Global Singapore, Kaixuan Li Nanyang Technological University, Lyuye Zhang Nanyang Technological University, Yebo Feng Nanyang Technological University, Daoyuan Wu Lingnan University, Yang Liu Nanyang Technological University