ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia
Wed 17 May 2023 12:15 - 12:22 at Meeting Room 106 - Blockchain/smart contracts Chair(s): Yi Li

Ethereum smart contracts enable developers to enforce access control policies on critical functions using built-in signature verification interfaces, i.e., ecrecover. However, due to the lack of best practices for these interfaces, improper verifications commonly exist in deployed smart contracts, leaving them open to potential unauthorized access and financial losses. Even worse, this attack surface is ignored by both developers and existing smart contract security analyzers. In this paper, we take a close look at signature-related vulnerabilities and demystify them with clear classification and characterization. We present Siguard, the first automatic tool to detect these vulnerabilities in real-world smart contracts. Specifically, Siguard explores signature-related paths in the smart contract and extracts data dependencies based on symbolic execution and taint analysis. Then, it conducts vulnerability detection based on a systematic search for violations of standard patterns, including EIP-712 and EIP-2621. The preliminary evaluation validated the efficacy of Siguard by reporting previously unknown vulnerabilities in deployed smart contracts on Ethereum. A video of Siguard is available at https://youtu.be/xXAEhqXWOu0.

Wed 17 May

Displayed time zone: Hobart

11:00 - 12:30
Blockchain/smart contracts
Technical Track / DEMO - Demonstrations / SEIP - Software Engineering in Practice / Journal-First Papers at Meeting Room 106
Chair(s): Yi Li Nanyang Technological University
11:00
15m
Talk
SmartMark: Software Watermarking Scheme for Smart Contracts
Technical Track
Taeyoung Kim Sungkyunkwan University, Yunhee Jang Sungkyunkwan University, Chanjong Lee Sungkyunkwan University, Hyungjoon Koo Sungkyunkwan University, Hyoungshick Kim Sungkyunkwan University
11:15
15m
Talk
Turn the Rudder: A Beacon of Reentrancy Detection for Smart Contracts on Ethereum
Technical Track
Zibin Zheng School of Software Engineering, Sun Yat-sen University, Neng Zhang School of Software Engineering, Sun Yat-sen University, Jianzhong Su Sun Yat-sen University, Zhijie Zhong School of Software Engineering, Sun Yat-sen University, Mingxi Ye Sun Yat-sen University, Jiachi Chen School of Software Engineering, Sun Yat-sen University
Pre-print
11:30
15m
Talk
BSHUNTER: Detecting and Tracing Defects of Bitcoin Scripts
Technical Track
Peilin Zheng Sun Yat-sen University, Xiapu Luo The Hong Kong Polytechnic University, Zibin Zheng School of Software Engineering, Sun Yat-sen University
Pre-print File Attached
11:45
15m
Talk
DAppHunter: Identifying Inconsistent Behaviors of Blockchain-based Decentralized Applications
SEIP - Software Engineering in Practice
Jianfei Zhou University of Electronic Science and Technology of China, Jiang Tianxing, Haijun Wang Ant Group, Meng Wu Ant Group, Ting Chen University of Electronic Science and Technology of China
12:00
15m
Talk
Evolutionary Approach for Concurrency Testing of Ripple Blockchain Consensus Algorithm
SEIP - Software Engineering in Practice
Martijn van Meerten Delft University of Technology, Burcu Kulahcioglu Ozkan Delft University of Technology, Annibale Panichella Delft University of Technology
12:15
7m
Talk
Siguard: Detecting Signature-Related Vulnerabilities in Smart Contracts
DEMO - Demonstrations
Jiashuo Zhang Peking University, China, Yue Li Peking University, Jianbo Gao Peking University, Zhi Guan Peking University, Zhong Chen
12:22
7m
Talk
Storage State Analysis and Extraction of Ethereum Blockchain Smart Contracts
Journal-First Papers
Maha Ayub Information Technology University (ITU) Lahore, Pakistan, Tania Saleem Information Technology University (ITU) Lahore, Pakistan, Muhammad Umar Janjua Information Technology University (ITU) Lahore, Pakistan, Talha Ahmed Information Technology University (ITU) Lahore, Pakistan