230 research outputs found

    Automated labeling of unknown contracts in Ethereum

    Get PDF
    Smart contracts have recently attracted interest from diverse fields including law and finance. Ethereum in particular has grown rapidly to accommodate an entire ecosystem of contracts which run using its own crypto-currency. Smart contract developers can opt to verify their contracts so that any user can inspect and audit the code before executing the contract. However, the huge numbers of deployed smart contracts and the lack of supporting tools for the analysis of smart contracts makes it very challenging to get insights into this eco-environment, where code gets executed through transactions performing value transfer of a crypto-currency. We address this problem and report on the use of unsupervised clustering techniques and a seed set of verified contracts, in this work we propose a framework to group together similar contracts within the Ethereum network using only the contracts publicly available compiled code. We report qualitative and quantitative results on a dataset and provide the dataset and project code to the research community

    PrAIoritize: Learning to Prioritize Smart Contract Bugs and Vulnerabilities

    Full text link
    Smart contract vulnerabilities and bugs have become a key concern for software engineers, as they can lead to significant financial losses, reputational damage, and legal issues. Therefore, prioritizing bug fixing for smart contracts is critical to maintaining trust. Due to the lack of tracking tools, prioritizing smart contract-reported bugs is done manually, which is a tedious task, limits bug triaging, and needs specialized knowledge. Towards this end, we propose PrAIoritize; an automated approach for predicting smart contract bug priorities that assist software engineers in prioritizing highly urgent bug reports. PrAIoritize consists of two main phases: 1) automatic labeling, which involves the automatic construction of a smart contract keyword lexicon and the automatic assignment of priority levels to unlabeled bug reports; 2) model construction, which involves feature engineering and designs layers of feed-forward neural networks (FFNNs) and bidirectional long short-term memory (BiLSTM) with multi-class classification to better capture the features of the textual descriptions of bugs and predict their priority levels. The model then is trained using smart contract bug reports collected from two data sources: open-source software (OSS) projects available on GitHub and NVD vulnerability database. Our evaluation demonstrates significant improvement over state-of-the-art baselines and commonly used pre-trained models (e.g. BERT) for similar classification tasks, with 5.75%-35.29% increase in F-measure, precision, and recall

    Smart Learning to Find Dumb Contracts

    Full text link
    We introduce Deep Learning Vulnerability Analyzer (DLVA), a vulnerability detection tool for Ethereum smart contracts based on powerful deep learning techniques for sequential data adapted for bytecode. We train DLVA to judge bytecode even though the supervising oracle, Slither, can only judge source code. DLVA's training algorithm is general: we "extend" a source code analysis to bytecode without any manual feature engineering, predefined patterns, or expert rules. DLVA's training algorithm is also robust: it overcame a 1.25% error rate mislabeled contracts, and the student surpassing the teacher; found vulnerable contracts that Slither mislabeled. In addition to extending a source code analyzer to bytecode, DLVA is much faster than conventional tools for smart contract vulnerability detection based on formal methods: DLVA checks contracts for 29 vulnerabilities in 0.2 seconds, a speedup of 10-500x+ compared to traditional tools. DLVA has three key components. Smart Contract to Vector (SC2V) uses neural networks to map arbitrary smart contract bytecode to an high-dimensional floating-point vector. Sibling Detector (SD) classifies contracts when a target contract's vector is Euclidian-close to a labeled contract's vector in a training set; although only able to judge 55.7% of the contracts in our test set, it has an average accuracy of 97.4% with a false positive rate of only 0.1%. Lastly, Core Classifier (CC) uses neural networks to infer vulnerable contracts regardless of vector distance. DLVA has an overall accuracy of 96.6% with an associated false positive rate of only 3.7%

    An Automated Vulnerability Detection Framework for Smart Contracts

    Full text link
    With the increase of the adoption of blockchain technology in providing decentralized solutions to various problems, smart contracts have become more popular to the point that billions of US Dollars are currently exchanged every day through such technology. Meanwhile, various vulnerabilities in smart contracts have been exploited by attackers to steal cryptocurrencies worth millions of dollars. The automatic detection of smart contract vulnerabilities therefore is an essential research problem. Existing solutions to this problem particularly rely on human experts to define features or different rules to detect vulnerabilities. However, this often causes many vulnerabilities to be ignored, and they are inefficient in detecting new vulnerabilities. In this study, to overcome such challenges, we propose a framework to automatically detect vulnerabilities in smart contracts on the blockchain. More specifically, first, we utilize novel feature vector generation techniques from bytecode of smart contract since the source code of smart contracts are rarely available in public. Next, the collected vectors are fed into our novel metric learning-based deep neural network(DNN) to get the detection result. We conduct comprehensive experiments on large-scale benchmarks, and the quantitative results demonstrate the effectiveness and efficiency of our approach
    corecore