116 research outputs found
Towards Safer Smart Contracts: A Survey of Languages and Verification Methods
With a market capitalisation of over USD 205 billion in just under ten years, public distributed ledgers have experienced significant adoption. Apart from novel consensus mechanisms, their success is also attributable to smart contracts. These programs allow distrusting parties to enter agreements that are executed autonomously. However, implementation issues in smart contracts caused severe losses to the users of such contracts. Significant efforts are taken to improve their security by introducing new programming languages and advanced verification methods. We provide a survey of those efforts in two parts. First, we introduce several smart contract languages focussing on security features. To that end, we present an overview concerning paradigm, type, instruction set, semantics, and metering. Second, we examine verification tools and methods for smart contracts and distributed ledgers. Accordingly, we introduce their verification approach, level of automation, coverage, and supported languages. Last, we present future research directions including formal semantics, verified compilers, and automated verification
A Survey on EOSIO Systems Security: Vulnerability, Attack, and Mitigation
EOSIO, as one of the most representative blockchain 3.0 platforms, involves
lots of new features, e.g., delegated proof of stake consensus algorithm and
updatable smart contracts, enabling a much higher transaction per second and
the prosperous decentralized applications (DApps) ecosystem. According to the
statistics, it has reached nearly 18 billion USD, taking the third place of the
whole cryptocurrency market, following Bitcoin and Ethereum. Loopholes,
however, are hiding in the shadows. EOSBet, a famous gambling DApp, was
attacked twice within a month and lost more than 1 million USD. No existing
work has surveyed the EOSIO from a security researcher perspective. To fill
this gap, in this paper, we collected all occurred attack events against EOSIO,
and systematically studied their root causes, i.e., vulnerabilities lurked in
all relying components for EOSIO, as well as the corresponding attacks and
mitigations. We also summarized some best practices for DApp developers, EOSIO
official team, and security researchers for future directions. Comment: 34 pages, 12 figure
AntFuzzer: A Grey-Box Fuzzing Framework for EOSIO Smart Contracts
In the past few years, several attacks against the vulnerabilities of EOSIO
smart contracts have caused severe financial losses to this prevalent
blockchain platform. As a lightweight test-generation approach, grey-box
fuzzing can open up the possibility of improving the security of EOSIO smart
contracts. However, developing a practical grey-box fuzzer for EOSIO smart
contracts from scratch is time-consuming and requires a deep understanding of
EOSIO internals. In this work, we proposed AntFuzzer, the first highly
extensible grey-box fuzzing framework for EOSIO smart contracts. AntFuzzer
implements a novel approach that interfaces AFL to conduct AFL-style grey-box
fuzzing on EOSIO smart contracts. Compared to black-box fuzzing tools,
AntFuzzer can effectively trigger those hard-to-cover branches. It achieved an
improvement in code coverage on 37.5% of smart contracts in our benchmark
dataset. AntFuzzer provides unified interfaces for users to easily develop new
detection plugins for continually emerging vulnerabilities. We have implemented
6 detection plugins on AntFuzzer to detect major vulnerabilities of EOSIO smart
contracts. In our large-scale fuzzing experiments on 4,616 real-world smart
contracts, AntFuzzer successfully detected 741 vulnerabilities. The results
demonstrate the effectiveness and efficiency of AntFuzzer and our detection p
- …