Detecting Smart Contract State-Inconsistency Bugs via Flow Divergence and Multiplex Symbolic Execution
Ethereum smart contracts determine state transition results not only by the previous states, but also by a mutable global state consisting of storage variables. This has resulted in state-inconsistency bugs, which grant an attacker the ability to modify contract states either through recursive function calls to a contract (reentrancy), or by exploiting transaction order dependence (TOD). Current studies have determined that identifying data races on global storage variables can capture all state-inconsistency bugs. Nevertheless, eliminating false positives poses a significant challenge, given the extensive number of execution paths that could potentially cause a data race.
For simplicity, existing research considers a data race to be vulnerable as long as the variable involved could have inconsistent values under different execution orders. However, such a data race is benign when the inconsistent value does not affect any critical computation or decision-making process in the program. Moreover, the data race can also be infeasible when no valid state of the contract allows both execution orders to run.
In this paper, we aim to appreciably reduce these false positives without introducing false negatives. We present DivertScan, a precise framework to detect exploitable state-inconsistency bugs in smart contracts. We first introduce the use of flow divergence to check where the involved variable may flow to. This allows DivertScan to precisely infer the potential effects of a data race and determine whether it can be exploited to induce unexpected program behaviors. We also propose multiplex symbolic execution to examine different execution orders in a single round of constraint solving. This helps DivertScan determine whether a common starting state could exist. To address the scalability issue in symbolic execution, DivertScan uses an over-approximate pre-check and a selective exploration strategy. As a result, it only needs to explore a limited state space.
DivertScan significantly outperformed state-of-the-art tools by improving the precision rate by 20.72% to 74.93% while introducing no false negatives. It also identified five exploitable real-world vulnerabilities that other tools missed. The detected vulnerabilities could potentially lead to a loss of up to $68.2M, based on trading records and rate limits.
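As an added illustration that is not part of the paper or of DivertScan's code, the toy model below classifies a storage-variable data race between two transactions along the lines the abstract describes: it searches for a common starting state from which both execution orders run (enumeration over a small value domain stands in for the symbolic solver) and checks whether the order-dependent value reaches a critical sink such as a transfer. The transactions, the `sinks` dictionary and the value domains are constructed for this example.

```python
from itertools import product

class Revert(Exception): pass                # a failed Solidity require(): no effect

def run(tx, state):
    """Execute tx on a copy of state; return (new_state, sinks) or None on revert."""
    s, sinks = dict(state), {}
    try:
        tx(s, sinks)
    except Revert:
        return None
    return s, sinks

def both_orders(tx_a, tx_b, start):
    """Final (state, sinks) for A->B and for B->A, or None if either order reverts."""
    results = []
    for first, second in ((tx_a, tx_b), (tx_b, tx_a)):
        r1 = run(first, start)
        r2 = run(second, r1[0]) if r1 else None
        if r2 is None:
            return None
        results.append((r2[0], {**r1[1], **r2[1]}))
    return results

def classify(tx_a, tx_b, domain):
    """domain: storage variable -> candidate start values; enumeration stands in for the solver."""
    feasible = raced = False
    for values in product(*domain.values()):
        res = both_orders(tx_a, tx_b, dict(zip(domain, values)))
        if res is None:
            continue                         # this assignment is not a common starting state
        feasible = True
        (s_ab, k_ab), (s_ba, k_ba) = res
        if k_ab != k_ba:                     # inconsistent value reached a critical sink
            return "EXPLOITABLE"
        raced |= s_ab != s_ba                # storage diverges, but nothing critical depends on it
    return "INFEASIBLE" if not feasible else ("BENIGN" if raced else "NO_RACE")

# Constructed sample transactions; `sinks` records values that leave the contract.
def set_price(s, sinks):                     # seller updates the listed price
    s["price"] = 200

def buy(s, sinks):                           # buyer pays whatever price is stored when it runs
    if s["balance"] < s["price"]:            # require(balance >= price)
        raise Revert
    s["balance"] -= s["price"]
    sinks["transfer"] = s["price"]           # amount paid out: a critical sink

def bump(s, sinks): s["count"] += 1          # bookkeeping counter that never reaches a sink
def double(s, sinks): s["count"] *= 2
```

For instance, `classify(set_price, buy, {"price": [100, 200], "balance": [150, 300]})` reports EXPLOITABLE because the amount transferred depends on the order, the same pair with `"balance": [50]` is INFEASIBLE because no starting state lets either order complete, and `classify(double, bump, {"count": [0, 1]})` is BENIGN because the counter diverges without reaching a sink.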
Tue 24 Jun. Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Session 10:30 - 12:20: Blockchain and Smart Contract (Ideas, Visions and Reflections / Research Papers), room Vega. Chair(s): Cuiyun Gao (Harbin Institute of Technology, Shenzhen)

| Time | Length | Title | Track | Authors | Links |
|---|---|---|---|---|---|
| 10:30 | 10m talk | SmartShift: A Secure and Efficient Approach to Smart Contract Migration | Ideas, Visions and Reflections | Tahrim Hossain (Syracuse University), Faisal Haque Bappy (Syracuse University), Tarannum Shaila Zaman (University of Maryland Baltimore County), Raiful Hasan (Kent State University), Tariqul Islam (Syracuse University) | |
| 10:40 | 20m talk | LookAhead: Preventing DeFi Attacks via Unveiling Adversarial Contracts | Research Papers | Shoupeng Ren (Zhejiang University), Lipeng He (University of Waterloo), Tianyu Tu (Zhejiang University), Di Wu (Zhejiang University), Jian Liu (Zhejiang University), Kui Ren (Zhejiang University), Chun Chen (Zhejiang University) | DOI, Pre-print |
| 11:00 | 20m talk | SmartShot: Hunt Hidden Vulnerabilities in Smart Contracts using Mutable Snapshots | Research Papers | Ruichao Liang (Wuhan University), Jing Chen (Wuhan University), Ruochen Cao (Wuhan University), Kun He (Wuhan University), Ruiying Du (Wuhan University), Shuhua Li (Wuhan University), Zheng Lin (University of Hong Kong), Cong Wu (Wuhan University) | DOI |
| 11:20 | 20m talk | Automated and Accurate Token Transfer Identification and Its Applications in Cryptocurrency Security | Research Papers | Shuwei Song (University of Electronic Science and Technology of China), Ting Chen (University of Electronic Science and Technology of China), Ao Qiao (University of Electronic Science and Technology of China), Xiapu Luo (Hong Kong Polytechnic University), Leqing Wang (University of Electronic Science and Technology of China), Zheyuan He (University of Electronic Science and Technology of China), Ting Wang (Penn State University), Xiaodong Lin (University of Guelph), Peng He (University of Electronic Science and Technology of China), Wensheng Zhang (University of Electronic Science and Technology of China), Xiaosong Zhang (University of Electronic Science and Technology of China) | DOI |
| 11:40 | 20m talk | Detecting Smart Contract State-Inconsistency Bugs via Flow Divergence and Multiplex Symbolic Execution | Research Papers | Yinxi Liu (Rochester Institute of Technology), Wei Meng (Chinese University of Hong Kong), Yinqian Zhang (Southern University of Science and Technology) | DOI |
| 12:00 | 20m talk | Smart Contract Fuzzing Towards Profitable Vulnerabilities | Research Papers | Ziqiao Kong (Nanyang Technological University), Cen Zhang (Nanyang Technological University), Maoyi Xie (Nanyang Technological University), Ming Hu (Singapore Management University), Yue Xue (MetaTrust Labs), Ye Liu (Singapore Management University), Haijun Wang (Xi'an Jiaotong University), Yang Liu (Nanyang Technological University) | DOI, Pre-print, File attached |
Vega is close to the registration desk.
Facing the registration desk, its entrance is on the left, close to the hotel side entrance.