hh.sePublications
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Statically Checking Missing Input Validations in Solidity Smart Contracts - A Case Study
Halmstad University, School of Information Technology.ORCID iD: 0000-0002-6817-6438
Eagle Games Sweden AB, Halmstad, Sweden.
Halmstad University, School of Information Technology.
Halmstad University.
2023 (English)In: 2023 IEEE International Conference on Blockchain (Blockchain), Piscataway, NJ: IEEE Computer Society, 2023, p. 47-54Conference paper, Published paper (Refereed)
Abstract [en]

Smart contracts, running on blockchains, enable transparent interactions without intermediaries. However, program-related bugs and flaws in translating business logic into code can introduce vulnerabilities, making them attractive targets for malicious users. For instance, using input from untrusted users in critical operations without proper validation may lead to exploitable functionalities. We refer to this vulnerability as Missing Input Validation (MIV). This paper focuses on the issues caused by MIV (aka MIV-related issues) in Solidity smart contracts executing on the Ethereum blockchain. In particular, we conduct a case study emphasizing how MIV-related issues can lead to unexpected behavior in smart contracts, rendering them vulnerable to malicious manipulation. We also implement an information flow analysis-based analyzer, MIV-Checker, to statically detect instances of MIV in Solidity smart contracts. We evaluated MIV-Checker against a state-of-the-art smart contract analysis tool, Securify, using 3399 distinct contracts collected from the Ethereum blockchain. Securify identified only three contracts, whereas MIV-Checker detected 86 contracts as potentially susceptible to MIV. Our manual assessment confirms that MIV-Checker outperforms Securify by detecting more true MIV cases and reducing execution time. This case study helps determine that many recently used contracts on Ethereum may still be potentially vulnerable to MIV. Additionally, we position user-provided input as a non-deterministic factor in Ethereum contract execution and discuss future research avenues for mitigating issues arising from such factors. © 2023 IEEE.
Place, publisher, year, edition, pages
Piscataway, NJ: IEEE Computer Society, 2023. p. 47-54
Keywords [en]
Ethereum, Solidity, static analysis, taint analysis, vulnerabilities, vulnerability detection
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:hh:diva-52842DOI: 10.1109/Blockchain60715.2023.00017Scopus ID: 2-s2.0-85185561604ISBN: 9798350319293 (print)OAI: oai:DiVA.org:hh-52842DiVA, id: diva2:1842640
Conference
6th IEEE International Conference on Blockchain (Blockchain 2023), 17-21 December, 2023
Available from: 2024-03-05 Created: 2024-03-05 Last updated: 2024-11-20Bibliographically approved
In thesis
1. Pre-deployment Analysis of Smart Contracts
Open this publication in new window or tab >>Pre-deployment Analysis of Smart Contracts
2024 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Smart contracts are programs that reside and execute on top of blockchains. These programs commonly perform financial transactions and contain the backend logic of various blockchain-supported applications. The presence of errors and bugs in smart contracts poses security risks to the applications they support. This is especially concerning because operations performed by smart contracts are irreversible by design, which is a key feature enforced by blockchain technology. Thus, ensuring the correctness and security of smart contracts before deployment is crucial. To achieve this, several program analysis and verification approaches are being actively researched and applied to smart contracts. The volume of research in this area makes it challenging to articulate the stateof-the-art. The first contribution of this thesis is an investigation into how predeployment analysis techniques have been applied to ensure the correctness and security of smart contracts. This investigation factors out the relationship between vulnerabilities in smart contracts and pre-deployment analysis techniques through properties they address. Among the issues uncovered by the investigation, one notable set pertains to nondeterministic (ND) factors involved in smart contract execution in the Ethereum blockchain. For example, transactions (function invocations) dispatched to Ethereum smart contracts are scheduled in ND order, and inputs received during execution, such as inputs from asynchronous callbacks of Oracles and externally called contracts that halt unexpectedly, are nondeterministic. Consequently, these factors may cause risks of ND changes to the state of smart contracts. The second contribution of this thesis is the proposal of methods for the static (at pre-deployment) detection of program sites (for example, state variables or cryptocurrency transfer instructions) susceptible to ND changes due to ND transaction scheduling or ND inputs and return values (from asynchronous callbacks and externally called contracts) in Ethereum smart contracts. The evaluations show that our approaches can outperform existing methods with respect to efficacy and runtime
Place, publisher, year, edition, pages
Halmstad: Halmstad University Press, 2024. p. 9
Series
Halmstad University Dissertations ; 120
National Category
Computer Sciences
Identifiers
urn:nbn:se:hh:diva-54932 (URN)978-91-89587-56-4 (ISBN)
Public defence
2024-12-18, R4129(H), Kristian IV:s väg 3, Halmstad, 13:00 (English)
Opponent
Supervisors
Available from: 2024-11-20 Created: 2024-11-20 Last updated: 2024-11-26Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Munir, Sundas

Search in DiVA

By author/editor
Munir, Sundas
By organisation
School of Information TechnologyHalmstad University
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 93 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.46.0
|
WCAG
|
Halmstad University Library
|
Info for students
|
Info for researchers
|
Log in