SmartShot: Hunt Hidden Vulnerabilities in Smart Contracts using Mutable Snapshots
Smart contracts, as Turing-complete programs managing billions of assets in decentralized finance, are prime targets for attackers. While fuzz testing seems effective for detecting vulnerabilities in these programs, we identify several significant challenges when targeting smart contracts: (i) the stateful nature of these contracts requires stateful exploration, but current fuzzers rely on transaction sequences to manipulate contract states, making the process inefficient; (ii) contract execution is influenced by the continuously changing blockchain environment, yet current fuzzers are limited to local deployments, failing to test contracts in real-world scenarios. These challenges hinder current fuzzers from uncovering hidden vulnerabilities, i.e., those concealed in deep contract states and specific blockchain environments.
In this paper, we present SmartShot, a mutable snapshot-based fuzzer to hunt hidden vulnerabilities within smart contracts. We innovatively formulate contract states and blockchain environments as directly fuzzable elements and design mutable snapshots to quickly restore and mutate these elements. SmartShot features a symbolic taint analysis-based mutation strategy along with double validation to soundly guide the state mutation. SmartShot mutates blockchain environments using the contract's historical on-chain states, providing real-world execution contexts. We propose a snapshot checkpoint mechanism to integrate mutable snapshots into SmartShot's fuzzing loops. These innovations enable SmartShot to effectively fuzz contract states, test contracts across varied and realistic blockchain environments, and support on-chain fuzzing. Experimental results show that SmartShot is effective at detecting hidden vulnerabilities, with the highest code coverage and the lowest false positive rate. SmartShot is 4.8x to 20.2x faster than state-of-the-art tools, identifying 2,150 vulnerable contracts out of 42,738 real-world contracts, which is 2.1x to 13.7x more than other tools. SmartShot has demonstrated its real-world impact by detecting vulnerabilities that are only discoverable on-chain and by uncovering 24 0-day vulnerabilities in the latest 10,000 deployed contracts.
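As an added illustration (not code from the paper or the SmartShot project), the toy model below contrasts the two approaches the abstract describes: a baseline that can only reach contract states by replaying transaction sequences from deployment, and a snapshot-based loop that restores a checkpoint, mutates the storage and the block environment directly, validates the mutated state against an invariant, and then executes. The contract, its invariant, and the HISTORY list standing in for historical on-chain environments are all constructed for this example.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Snapshot:
    storage: dict = field(default_factory=dict)  # contract state: slot -> value
    env: dict = field(default_factory=dict)      # blockchain env: block number, timestamp

# Hypothetical contract (constructed): deposit() and settle() txs; settle() returning True
# stands for its buggy branch, which needs balance >= 1000 AND the first minute of a day.
def deposit(snap: Snapshot, amount: int) -> None:
    snap.storage["balance"] = snap.storage.get("balance", 0) + min(amount, 100)

def settle(snap: Snapshot) -> bool:
    return snap.storage.get("balance", 0) >= 1000 and snap.env["timestamp"] % 86400 < 60

def invariant_ok(snap: Snapshot) -> bool:
    # Validation: a mutated state must still satisfy the contract's invariants.
    return 0 <= snap.storage.get("balance", 0) <= 10_000

def fuzz_by_tx_sequence(rng, budget, max_len=5):
    # Baseline: rebuild state from deployment with random transaction sequences.
    for _ in range(budget):
        snap = Snapshot(env={"number": 1, "timestamp": 0})
        for _ in range(rng.randint(1, max_len)):
            deposit(snap, rng.randint(1, 100))
        if settle(snap):
            return snap
    return None  # 5 txs * 100 = 500 < 1000: the deep state is beyond the sequence horizon

def fuzz_by_snapshot(rng, budget, checkpoint, history):
    # Restore the checkpoint, mutate storage and env directly, validate, then execute.
    for _ in range(budget):
        cand = Snapshot(dict(checkpoint.storage), dict(checkpoint.env))  # restore, no replay
        cand.storage["balance"] = rng.randint(0, 5000)   # fuzz the state itself
        cand.env = dict(rng.choice(history))             # fuzz env from on-chain history
        if invariant_ok(cand) and settle(cand):
            return cand
    return None

# Constructed stand-in for the contract's historical on-chain block environments.
HISTORY = [{"number": 100, "timestamp": 86_400 * 3 + 30},
           {"number": 101, "timestamp": 86_400 * 3 + 5000},
           {"number": 102, "timestamp": 86_400 * 4 + 12}]

def compare(seed=1, budget=300):
    # Same budget for both; returns (baseline_hit, snapshot_hit), each a Snapshot or None.
    rng = random.Random(seed)
    return (fuzz_by_tx_sequence(rng, budget),
            fuzz_by_snapshot(rng, budget, Snapshot(env=dict(HISTORY[0])), HISTORY))
```

With the same budget the sequence-based baseline never reaches the deep state, while the snapshot loop finds a validated state and environment that trigger the branch.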
Tue 24 Jun (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)
10:30 - 12:20 | Blockchain and Smart Contract | Ideas, Visions and Reflections / Research Papers | Room: Vega | Chair(s): Cuiyun Gao (Harbin Institute of Technology, Shenzhen)

Time | Length | Title | Track | Authors
10:30 | 10m Talk | SmartShift: A Secure and Efficient Approach to Smart Contract Migration | Ideas, Visions and Reflections | Tahrim Hossain (Syracuse University), Faisal Haque Bappy (Syracuse University), Tarannum Shaila Zaman (University of Maryland Baltimore County), Raiful Hasan (Kent State University), Tariqul Islam (Syracuse University)
10:40 | 20m Talk | LookAhead: Preventing DeFi Attacks via Unveiling Adversarial Contracts | Research Papers | Shoupeng Ren (Zhejiang University), Lipeng He (University of Waterloo), Tianyu Tu (Zhejiang University), Di Wu (Zhejiang University), Jian Liu (Zhejiang University), Kui Ren (Zhejiang University), Chun Chen (Zhejiang University)
11:00 | 20m Talk | SmartShot: Hunt Hidden Vulnerabilities in Smart Contracts using Mutable Snapshots | Research Papers | Ruichao Liang (Wuhan University), Jing Chen (Wuhan University), Ruochen Cao (Wuhan University), Kun He (Wuhan University), Ruiying Du (Wuhan University), Shuhua Li (Wuhan University), Zheng Lin (University of Hong Kong), Cong Wu (Wuhan University)
11:20 | 20m Talk | Automated and Accurate Token Transfer Identification and Its Applications in Cryptocurrency Security | Research Papers | Shuwei Song (University of Electronic Science and Technology of China), Ting Chen (University of Electronic Science and Technology of China), Ao Qiao (University of Electronic Science and Technology of China), Xiapu Luo (Hong Kong Polytechnic University), Leqing Wang (University of Electronic Science and Technology of China), Zheyuan He (University of Electronic Science and Technology of China), Ting Wang (Penn State University), Xiaodong Lin (University of Guelph), Peng He (University of Electronic Science and Technology of China), Wensheng Zhang (University of Electronic Science and Technology of China), Xiaosong Zhang (University of Electronic Science and Technology of China)
11:40 | 20m Talk | Detecting Smart Contract State-Inconsistency Bugs via Flow Divergence and Multiplex Symbolic Execution | Research Papers | Yinxi Liu (Rochester Institute of Technology), Wei Meng (Chinese University of Hong Kong), Yinqian Zhang (Southern University of Science and Technology)
12:00 | 20m Talk | Smart Contract Fuzzing Towards Profitable Vulnerabilities | Research Papers | Ziqiao Kong (Nanyang Technological University), Cen Zhang (Nanyang Technological University), Maoyi Xie (Nanyang Technological University), Ming Hu (Singapore Management University), Yue Xue (MetaTrust Labs), Ye Liu (Singapore Management University), Haijun Wang (Xi'an Jiaotong University), Yang Liu (Nanyang Technological University)
Vega is close to the registration desk.
Facing the registration desk, its entrance is on the left, close to the hotel side entrance.