Wed 17 May 2023 15:21 - 15:23 at Meeting Room 105 - Posters 1
Exploitable bugs in smart contracts have caused significant monetary loss. Despite the substantial advances in smart contract bug finding, exploitable bugs and real-world attacks are still trending. In this paper we systematically investigate 516 unique real-world smart contract vulnerabilities from the years 2021-2022, and study how many can be exploited by malicious users and cannot be detected by existing analysis tools. We further categorize the bugs that cannot be detected by existing tools into seven types and study their root causes, distributions, difficulties to audit, consequences, and repair strategies. For each type, we abstract the bugs into a bug model (if possible), facilitating finding similar bugs in other contracts and future automation. We leverage the findings in auditing real-world smart contracts, and so far we have been rewarded with $102,660 in bug bounties for identifying 15 critical zero-day exploitable bugs, which could have caused up to $22.52 million in monetary loss if exploited.
Wed 17 May (displayed time zone: Hobart)
13:45 - 15:15 | Defect analysis | Journal-First Papers / Technical Track / SEIP - Software Engineering in Practice | Meeting Room 106 | Chair(s): Kla Tantithamthavorn (Monash University)
13:45 | 15m | Talk | RepresentThemAll: A Universal Learning Representation of Bug Reports | Technical Track | Sen Fang (Macau University of Science and Technology), Tao Zhang (Macau University of Science and Technology), Youshuai Tan (Macau University of Science and Technology), He Jiang (Dalian University of Technology), Xin Xia (Huawei), Xiaobing Sun (Yangzhou University)
14:00 | 15m | Talk | Demystifying Exploitable Bugs in Smart Contracts | Technical Track | Zhuo Zhang (Purdue University), Brian Zhang (Harrison High School (Tippecanoe)), Wen Xu (PNM Labs), Zhiqiang Lin (The Ohio State University)
14:15 | 15m | Talk | Understanding and Detecting On-the-Fly Configuration Bugs | Technical Track | Teng Wang (National University of Defense Technology), Zhouyang Jia (National University of Defense Technology), Shanshan Li (National University of Defense Technology), Si Zheng (National University of Defense Technology), Yue Yu (College of Computer, National University of Defense Technology, Changsha 410073, China), Erci Xu (National University of Defense Technology), Shaoliang Peng (Hunan University), Liao Xiangke (National University of Defense Technology)
14:30 | 15m | Talk | Explaining Software Bugs Leveraging Code Structures in Neural Machine Translation | Technical Track | Parvez Mahbub (Dalhousie University), Ohiduzzaman Shuvo (Dalhousie University), Masud Rahman (Dalhousie University)
14:45 | 15m | Talk | Scalable Compositional Static Taint Analysis for Sensitive Data Tracing on Industrial Micro-Services | SEIP - Software Engineering in Practice | Zexin Zhong (Ant Group; University of Technology Sydney), Jiangchao Liu (Ant Group), Diyu Wu (Ant Group), Peng Di (Ant Group), Yulei Sui (University of New South Wales, Sydney), Alex X. Liu (Ant Group), John C.S. Lui (The Chinese University of Hong Kong)
15:00 | 7m | Talk | Exploring the relationship between performance metrics and cost saving potential of defect prediction models | Journal-First Papers
15:07 | 7m | Talk | A Machine and Deep Learning analysis among SonarQube rules, Product, and Process Metrics for Faults Prediction | Journal-First Papers | Francesco Lomio (Constructor Institute Schaffhausen), Sergio Moreschini (Tampere University), Valentina Lenarduzzi (University of Oulu)