hh.sePublications
123 3 of 3
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Pre-deployment Analysis of Smart Contracts
Halmstad University, School of Information Technology.ORCID iD: 0000-0002-6817-6438
2024 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Smart contracts are programs that reside and execute on top of blockchains. These programs commonly perform financial transactions and contain the backend logic of various blockchain-supported applications. The presence of errors and bugs in smart contracts poses security risks to the applications they support. This is especially concerning because operations performed by smart contracts are irreversible by design, which is a key feature enforced by blockchain technology. Thus, ensuring the correctness and security of smart contracts before deployment is crucial. To achieve this, several program analysis and verification approaches are being actively researched and applied to smart contracts. The volume of research in this area makes it challenging to articulate the stateof-the-art. The first contribution of this thesis is an investigation into how predeployment analysis techniques have been applied to ensure the correctness and security of smart contracts. This investigation factors out the relationship between vulnerabilities in smart contracts and pre-deployment analysis techniques through properties they address. Among the issues uncovered by the investigation, one notable set pertains to nondeterministic (ND) factors involved in smart contract execution in the Ethereum blockchain. For example, transactions (function invocations) dispatched to Ethereum smart contracts are scheduled in ND order, and inputs received during execution, such as inputs from asynchronous callbacks of Oracles and externally called contracts that halt unexpectedly, are nondeterministic. Consequently, these factors may cause risks of ND changes to the state of smart contracts. The second contribution of this thesis is the proposal of methods for the static (at pre-deployment) detection of program sites (for example, state variables or cryptocurrency transfer instructions) susceptible to ND changes due to ND transaction scheduling or ND inputs and return values (from asynchronous callbacks and externally called contracts) in Ethereum smart contracts. The evaluations show that our approaches can outperform existing methods with respect to efficacy and runtime

Place, publisher, year, edition, pages
Halmstad: Halmstad University Press, 2024. , p. 9
Series
Halmstad University Dissertations ; 120
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:hh:diva-54932ISBN: 978-91-89587-56-4 (print)OAI: oai:DiVA.org:hh-54932DiVA, id: diva2:1914725
Public defence
2024-12-18, R4129(H), Kristian IV:s väg 3, Halmstad, 13:00 (English)
Opponent
Supervisors
Available from: 2024-11-20 Created: 2024-11-20 Last updated: 2024-11-26Bibliographically approved
List of papers
1. Pre-deployment Analysis of Smart Contracts - A Survey
Open this publication in new window or tab >>Pre-deployment Analysis of Smart Contracts - A Survey
(English)Manuscript (preprint) (Other academic)
Keywords
Smart Contract, Blockchain, Program Analysis, Properties, Vulnerabilities
National Category
Computer Sciences
Identifiers
urn:nbn:se:hh:diva-51573 (URN)
Note

Som manuskript i avhandling / As manuscript in thesis

Available from: 2023-09-04 Created: 2023-09-04 Last updated: 2024-11-20Bibliographically approved
2. TODler: A Transaction Ordering Dependency anaLyzER - for Ethereum Smart Contracts
Open this publication in new window or tab >>TODler: A Transaction Ordering Dependency anaLyzER - for Ethereum Smart Contracts
2023 (English)In: 2023 IEEE/ACM 6th International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB): Conference Proceedings, Piscataway: Institute of Electrical and Electronics Engineers (IEEE), 2023, p. 9-16Conference paper, Published paper (Refereed)
Abstract [en]

Smart contracts are programs with data (mutable state); stored on and executed by blockchain platforms. The transactions (or function invocations) dispatched to smart contracts often change their state. In the Ethereum blockchain, nodes (aka miners/validators) can schedule a set of transactions in any order in a block. Multiple transactions in a single block operating on a contract's shared state may yield different outcomes based on their execution order, thus creating a possibility for non-determinism and races between transactions. The resulting issue in Ethereum smart contracts is Transaction Ordering Dependency (TOD). Detecting a TOD requires identifying valid transactions affecting a contract's global/state variables which is equivalent to detecting read-after-write dependencies in race detection, and we expect it to be similarly nontrivial for human developers. In this paper, we identify various TODs, including a novel type previously undocumented in the literature. To detect these TODs, we propose an information flow analysis-based static analyzer, TODler. Our manual evaluation of 108 Ethereum smart contracts shows that TODler outperforms previously available approaches in terms of both run time and precision and also detects the novel TOD pattern identified in this paper. © 2023 IEEE

Place, publisher, year, edition, pages
Piscataway: Institute of Electrical and Electronics Engineers (IEEE), 2023
Keywords
smart contracts, static analysis, vulnerability detection
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:hh:diva-51572 (URN)10.1109/WETSEB59161.2023.00007 (DOI)001042168200003 ()2-s2.0-85169085075& (Scopus ID)
Conference
2023 IEEE/ACM 6th International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), Melbourne, Australia, May 14, 2023
Funder
ELLIIT - The Linköping‐Lund Initiative on IT and Mobile CommunicationsKnut and Alice Wallenberg Foundation
Note

This research is part of Halmstad University projects funded by Sweden’s ELLIIT Strategic Research Environment and was partially supported by the Wallenberg Artificial Intelligence, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation. 

Available from: 2023-09-04 Created: 2023-09-04 Last updated: 2024-11-20Bibliographically approved
3. Statically Checking Transaction Ordering Dependency in Ethereum Smart Contracts
Open this publication in new window or tab >>Statically Checking Transaction Ordering Dependency in Ethereum Smart Contracts
2024 (English)In: / [ed] Keke Gai; Kim-Kwang Raymond Choo, 2024Conference paper, Published paper (Refereed)
Abstract [en]

Smart contracts are programs with mutable state. Transactions submitted to these contracts trigger functions that often modify state. Nodes of the Ethereum blockchain schedule such transactions in a nondeterministic order, potentially leading to races between transactions and concurrency issues. When the outcome of a smart contract varies depending on the order in which transactions are processed, we have a Transaction Ordering Dependency (TOD). TOD enables malicious actors to profit from a smart contract, similar to the well-known frontrunning vulnerability. Existing approaches for detecting TOD in Ethereum smart contracts yield a high rate of false positives and false negatives. To help contract developers and testers detect TOD vulnerabilities with enhanced precision, we propose and evaluate an analysis based on information flow in our tool TODChecker1 . We evaluate our approach using a benchmark comprising 513 vulnerable transactions involving 235 real-world Ethereum smart contracts susceptible to frontrunning attacks. Our evaluation finds that our approach outperforms existing approaches, including Oyente, Securify, SAILFISH, TODler, and Nyx, in precision, runtime, and in identifying novel TOD vulnerabilities. © 2024 Copyright held by the owner/author(s)

Keywords
Vulnerability detection, static analysis, Ethereum, smart contracts
National Category
Computer Sciences
Identifiers
urn:nbn:se:hh:diva-54931 (URN)
Conference
The 6th ACM International Symposium on Blockchain and Secure Critical Infrastructure, Singapore, Singapore, 1st - 5th July, 2024
Note

8 sidor

Available from: 2024-11-20 Created: 2024-11-20 Last updated: 2024-11-20Bibliographically approved
4. Statically Checking Missing Input Validations in Solidity Smart Contracts - A Case Study
Open this publication in new window or tab >>Statically Checking Missing Input Validations in Solidity Smart Contracts - A Case Study
2023 (English)In: 2023 IEEE International Conference on Blockchain (Blockchain), Piscataway, NJ: IEEE Computer Society, 2023, p. 47-54Conference paper, Published paper (Refereed)
Abstract [en]

Smart contracts, running on blockchains, enable transparent interactions without intermediaries. However, program-related bugs and flaws in translating business logic into code can introduce vulnerabilities, making them attractive targets for malicious users. For instance, using input from untrusted users in critical operations without proper validation may lead to exploitable functionalities. We refer to this vulnerability as Missing Input Validation (MIV). This paper focuses on the issues caused by MIV (aka MIV-related issues) in Solidity smart contracts executing on the Ethereum blockchain. In particular, we conduct a case study emphasizing how MIV-related issues can lead to unexpected behavior in smart contracts, rendering them vulnerable to malicious manipulation. We also implement an information flow analysis-based analyzer, MIV-Checker, to statically detect instances of MIV in Solidity smart contracts. We evaluated MIV-Checker against a state-of-the-art smart contract analysis tool, Securify, using 3399 distinct contracts collected from the Ethereum blockchain. Securify identified only three contracts, whereas MIV-Checker detected 86 contracts as potentially susceptible to MIV. Our manual assessment confirms that MIV-Checker outperforms Securify by detecting more true MIV cases and reducing execution time. This case study helps determine that many recently used contracts on Ethereum may still be potentially vulnerable to MIV. Additionally, we position user-provided input as a non-deterministic factor in Ethereum contract execution and discuss future research avenues for mitigating issues arising from such factors. © 2023 IEEE.

Place, publisher, year, edition, pages
Piscataway, NJ: IEEE Computer Society, 2023
Keywords
Ethereum, Solidity, static analysis, taint analysis, vulnerabilities, vulnerability detection
National Category
Computer Sciences
Identifiers
urn:nbn:se:hh:diva-52842 (URN)10.1109/Blockchain60715.2023.00017 (DOI)2-s2.0-85185561604 (Scopus ID)9798350319293 (ISBN)
Conference
6th IEEE International Conference on Blockchain (Blockchain 2023), 17-21 December, 2023
Available from: 2024-03-05 Created: 2024-03-05 Last updated: 2024-11-20Bibliographically approved
5. Static Detection of Missing Validations in Solidity Smart Contracts
Open this publication in new window or tab >>Static Detection of Missing Validations in Solidity Smart Contracts
2024 (English)In: Proceedings of the 2024 IEEE International Conference on Cyber Security and Resilience, CSR 2024, Piscataway: IEEE, 2024, p. 413-420, article id 202876Conference paper, Published paper (Refereed)
Abstract [en]

The Solidity smart contract language is deterministic by design. Nevertheless, some instances of nondeterminism (ND) in smart contracts stem from unpredictable inputs received during execution, such as inputs from asynchronous callbacks of Oracles or externally called contracts that halt unexpectedly. Such values must be validated to meet prespecified criteria before they reach critical program parts; otherwise, they can lead to nondeterministic state outcomes in smart contracts, which we refer to as ND-issues. To detect ND-issues, we propose an information flow-based analysis that tracks the unpredictable inputs and return values that are not validated before reaching critical program parts. We have implemented our proposal in FONOVA and evaluated it using 326 frequently used Ethereum smart contracts. The evaluation shows that FONOVA detects five times more exploitable instances of ND-issues with 12 times shorter analysis time than leading tools like Ethainter, Securify, and Mythril. © 2024 IEEE.

Place, publisher, year, edition, pages
Piscataway: IEEE, 2024
Keywords
Ethereum, Nondeterminism, Smart Contracts, Static Analysis, Vulnerability Detection
National Category
Computer Sciences
Identifiers
urn:nbn:se:hh:diva-54779 (URN)10.1109/CSR61664.2024.10679381 (DOI)001327167900062 ()2-s2.0-85206163683 (Scopus ID)
Conference
2024 IEEE International Conference on Cyber Security and Resilience, CSR 2024, Hybrid, London, UK, 2-4 September, 2024
Available from: 2024-10-22 Created: 2024-10-22 Last updated: 2024-11-20Bibliographically approved

Open Access in DiVA

Fulltext(246 kB)8 downloads
File information
File name FULLTEXT02.pdfFile size 246 kBChecksum SHA-512
c6f7ebfdf1913c4469bf860bbcb2752553d6bd4fc4a70c226b46958040649f3591996609baf6585883d9537bfdd5d0a93299c33ccd42bab02d4ee6e0dd0b2502
Type fulltextMimetype application/pdf

Authority records

Munir, Sundas

Search in DiVA

By author/editor
Munir, Sundas
By organisation
School of Information Technology
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 40 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 45 hits
123 3 of 3
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf