Automated Attack Synthesis for Constant Product Market Makers
Decentralized Finance (DeFi) enables many novel applications that were impossible in traditional finances. However, it also introduces new types of vulnerabilities. An example of such vulnerabilities is a composability bug between token contracts and Decentralized Exchange (DEX) that follows the Constant Product Market Maker (CPMM) model. This type of bug, which we refer to as CPMM composability bug, originates from issues in token contracts that make them incompatible with CPMMs, thereby endangering other tokens within the CPMM ecosystem. Since 2022, 23 exploits of such kind have resulted in a total loss of 2.2M USD. BlockSec, a smart contract auditing company, reported that 138 exploits of such kind occurred just in February 2023.
In this paper, we propose CPMMX, a tool that automatically detects CPMM composability bugs across entire blockchains. To achieve such scalability, we first formalized CPMM composability bugs and found that these bugs can be induced by breaking two safety invariants. Based on this finding, we designed CPMMX equipped with a two-step approach, called shallow-then-deep search. In more detail, it first uses shallow search to find transactions that break the invariants. Then, it uses deep search to refine these transactions, making them profitable for the attacker. We evaluated CPMMX against five baselines on two public datasets and one synthetic dataset. In our evaluation, CPMMX detected 2.5x to 1.5x more vulnerabilities compared to baseline methods. It also analyzed contracts significantly faster, achieving higher F1 scores than the baselines. Additionally, we applied CPMMX to all contracts on the latest blocks of the Ethereum and Binance networks and discovered 26 new exploits that can result in 15.7K USD profit in total.
Fri 27 JunDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
16:00 - 17:15 | Smart Contracts 2Research Papers at Cosmos 3B Chair(s): Zhenbang Chen College of Computer, National University of Defense Technology | ||
16:00 25mTalk | OpDiffer: LLM-Assisted Opcode-Level Differential Testing of Ethereum Virtual Machine Research Papers Jie Ma Beihang University; Zhongguancun Laboratory, Ningyu He Hong Kong Polytechnic University, Jinwen Xi , Mingzhe Xing Zhongguancun Laboratory, Haoyu Wang Huazhong University of Science and Technology, Ying Gao School of Cyber Science and Technology, Beihang University; Zhongguancun Laboratory, Yinliang Yue Zhongguancun Laboratory DOI | ||
16:25 25mTalk | Why Does My Transaction Fail? A First Look at Failed Transactions on the Solana Blockchain Research Papers Xiaoye Zheng Zhejiang University, Zhiyuan Wan Zhejiang University, David Lo Singapore Management University, Difan Xie Hangzhou High-Tech Zone (Binjiang) Institute of Blockchain and Data Security, Xiaohu Yang Zhejiang University DOI | ||
16:50 25mTalk | Automated Attack Synthesis for Constant Product Market Makers Research Papers DOI Pre-print |
Cosmos 3B is the second room in the Cosmos 3 wing.
When facing the main Cosmos Hall, access to the Cosmos 3 wing is on the left, close to the stairs. The area is accessed through a large door with the number “3”, which will stay open during the event.