Fri 22 Jul 2022 16:00 - 16:20 at ISSTA 1 - Session 3-9: Smart Contracts C
WebAssembly (Wasm) smart contracts have shown growing popularity across blockchains (e.g., EOSIO) recently. Similar to Ethereum smart contracts, Wasm smart contracts suffer from various attacks exploiting their vulnerabilities. Even worse, few developers released the source code of their Wasm smart contracts for security review, raising the bar for uncovering vulnerable contracts. Although a few approaches have been proposed to detect vulnerable Wasm smart contracts, they have several major limitations, e.g., low code coverage, low accuracy and lack of scalability, unable to produce exploit payloads, etc. To fill the gap, in this paper, we design and develop WASAI, a new concolic fuzzer for uncovering vulnerabilities in Wasm smart contract after tackling several challenging issues. We conduct extensive experiments to evaluate WASAI, and the results show that it outperforms the state-of-the-art methods. For example, it achieves 2x code coverage than the baselines and surpasses them in detection accuracy, with an F1-measure of 99.2%. Moreover, WASAI can handle complicated contracts (e.g., contracts with obfuscation and sophisticated verification). Applying WASAI to 991 deployed smart contracts in the wild, we find that over 70% of smart contracts are vulnerable. By the time of this study, over 300 vulnerable contracts have not been patched and are still operating on the EOSIO Mainnet. One fake EOS vulnerability reported to the EOSIO ecosystem was recently assigned a CVE identifier (CVE-2022-27134).
Wed 20 JulDisplayed time zone: Seoul change
03:00 - 04:00 | |||
03:00 20mTalk | eTainter: Detecting Gas-Related Vulnerabilities in Smart Contracts Technical Papers Asem Ghaleb University of British Columbia, Julia Rubin University of British Columbia, Karthik Pattabiraman University of British Columbia DOI | ||
03:20 20mTalk | Park: Accelerating Smart Contract Vulnerability Detection via Parallel-fork Symbolic Execution Technical Papers Peilin Zheng Sun Yat-sen University, Zibin Zheng School of Data and Computer Science, Sun Yat-sen University, Xiapu Luo Hong Kong Polytechnic University DOI | ||
03:40 20mTalk | WASAI: Uncovering Vulnerabilities in Wasm Smart Contracts Technical Papers Weimin Chen The Hong Kong Polytechnic University, Zihan Sun Beijing University of Posts and Telecommunications, Haoyu Wang Huazhong University of Science and Technology, China, Xiapu Luo Hong Kong Polytechnic University, Haipeng Cai Washington State University, USA, Lei Wu Zhejiang University DOI |
Fri 22 JulDisplayed time zone: Seoul change
15:00 - 16:20 | |||
15:00 20mTalk | Finding Permission Bugs in Smart Contracts with Role MiningACM SIGSOFT Distinguished Paper Technical Papers Ye Liu Nanyang Technological University, Singapore, Yi Li Nanyang Technological University, Shang-Wei Lin Nanyang Technological University, Cyrille Artho KTH Royal Institute of Technology, Sweden DOI Pre-print | ||
15:20 20mTalk | Park: Accelerating Smart Contract Vulnerability Detection via Parallel-fork Symbolic Execution Technical Papers Peilin Zheng Sun Yat-sen University, Zibin Zheng School of Data and Computer Science, Sun Yat-sen University, Xiapu Luo Hong Kong Polytechnic University DOI | ||
15:40 20mTalk | SmartDagger : A Bytecode-based Static Analysis Approach for Detecting Cross-contract Vulnerability Technical Papers Zeqin Liao Sun Yat-sen University, Zibin Zheng School of Data and Computer Science, Sun Yat-sen University, Xiao Chen Sun Yat-sen University, Yuhong Nan Sun Yat-sen University DOI | ||
16:00 20mTalk | WASAI: Uncovering Vulnerabilities in Wasm Smart Contracts Technical Papers Weimin Chen The Hong Kong Polytechnic University, Zihan Sun Beijing University of Posts and Telecommunications, Haoyu Wang Huazhong University of Science and Technology, China, Xiapu Luo Hong Kong Polytechnic University, Haipeng Cai Washington State University, USA, Lei Wu Zhejiang University DOI |