Write a Blog >>
ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia

As most smart contracts have a financial nature and handle valuable assets, smart contract developers use access control to protect assets managed by smart contracts from being misused by malicious or unauthorized people. Unfortunately, programming languages used for writing smart contracts, such as Solidity, were not designed with a permission-based security model in mind. Therefore, smart contract developers implement access control checks based on their judgment and in an adhoc manner, which results in several vulnerabilities in smart contracts, called access control vulnerabilities. Further, the inconsistency in implementing access control makes it difficult to reason about whether a contract meets access control needs and is free of access control vulnerabilities. In this work, we propose AChecker – an approach for detecting access control vulnerabilities. AChecker infers access control implemented in smart contracts via static dataflow analysis. Moreover, the approach performs further symbolic based analysis to distinguish cases when unauthorized people can obtain control of the contract as intended functionality.

In this artifact, we provide the implementation of the proposed approach (AChecker), and we provide scripts to reproduce the results shown in the paper. Further, we demonstrate how the implemented tool can be used beyond the paper to analyze individual smart contracts as well as datasets of smart contracts for access control vulnerabilities.