ABSTRACT
A smart contract cannot be modified once deployed. Bugs in deployed smart contracts may cause devastating consequences. For example, the infamous reentrancy bug in the DAO contract allows attackers to arbitrarily withdraw ethers, which caused millions of dollars loss. Currently, the main countermeasure against contract bugs is to thoroughly detect and verify contracts before deployment, which, however, cannot defend against unknown bugs. These detection methods also suffer from possible false negative results.
In this paper, we propose SolSaviour, a framework for repairing and recovering deployed defective smart contracts by redeploying patched contracts and migrating old contracts’ internal states to the new ones. SolSaviour consists of a voteDestruct mechanism and a TEE cluster. The voteDestruct mechanism allows contract stake holders to decide whether to destroy the defective contract and withdraw inside assets. The TEE cluster is responsible for asset escrow, redeployment of patched contracts, and state migration. Our experiment results show that SolSaviour can successfully repair vulnerabilities, reduce asset losses, and recover all defective contracts. To the best of our knowledge, we are the first to propose a defending mechanism for repairing and recovering deployed defective smart contracts.
- Anthony Akentiev. 2017. Parity Multisig Hacked. Again. https://medium.com/chain-cloud-company-blog/parity-multisig-hack-again-b46771eaa838Google Scholar
- Eric Banisadr. 2018. How $800k Evaporated from the PoWH Coin Ponzi Scheme Overnight. https://medium.com/@ebanisadr/how-800k-evaporated-from-the-powh-coin-ponzi-scheme-overnight-1b025c33b530Google Scholar
- Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Anitha Gollamudi, Georges Gonthier, Nadim Kobeissi, Natalia Kulatova, Aseem Rastogi, Thomas Sibut-Pinote, Nikhil Swamy, 2016. Formal verification of smart contracts: Short paper. In Proceedings of the 2016 ACM workshop on programming languages and analysis for security. 91–96.Google ScholarDigital Library
- Ivan Bogatyy. 2017. Implementing Ethereum trading front-runs on the Bancor exchange in Python. https://hackernoon.com/front-running-bancor-in-150-lines-of-python-with-ethereum-api-d5e2bfd0d798Google Scholar
- Mic Bowman, Andrea Miele, Michael Steiner, and Bruno Vavala. 2018. Private Data Objects: An Overview. arXiv preprint arXiv:1807.05686(2018).Google Scholar
- Lorenz Breidenbach, Phil Daian, Ari Juels, and Emin Gün Sirer. 2017. An In-Depth Look at the Parity Multisig Bug. https://hackingdistributed.com/2017/07/22/deep-dive-parity-bug/Google Scholar
- Lexi Brent, Neville Grech, Sifis Lagouvardos, Bernhard Scholz, and Yannis Smaragdakis. 2020. Ethainter: A smart contract security analyzer for composite vulnerabilities. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). 454–469.Google ScholarDigital Library
- Vitalik Buterin. 2016. CRITICAL UPDATE Re: DAO Vulnerability. https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/Google Scholar
- Jiachi Chen, Xin Xia, David Lo, John Grundy, Xiapu Luo, and Ting Chen. 2020. Defining smart contract defects on Ethereum. IEEE Transactions on Software Engineering(2020), 1–17.Google ScholarDigital Library
- Jiachi Chen, Xin Xia, David Lo, John Grundy, Xiapu Luo, and Ting Chen. 2021. Defectchecker: Automated smart contract defect detection by analyzing EVM bytecode. IEEE Transactions on Software Engineering(2021), 1–20.Google Scholar
- Ting Chen, Rong Cao, Ting Li, Xiapu Luo, Guofei Gu, Yufei Zhang, Zhou Liao, Hang Zhu, Gang Chen, Zheyuan He, 2020. SODA: A generic online detection framework for smart contracts. In NDSS. 1–17.Google Scholar
- Raymond Cheng, Fan Zhang, Jernej Kos, Warren He, Nicholas Hynes, Noah Johnson, Ari Juels, Andrew Miller, and Dawn Song. 2019. Ekiden: A Platform for Confidentiality-Preserving, Trustworthy, and Performant Smart Contracts. In 2019 IEEE European Symposium on Security and Privacy. 185–200.Google ScholarCross Ref
- Poulami Das, Lisa Eckey, Tommaso Frassetto, David Gens, Kristina Hostáková, Patrick Jauernig, Sebastian Faust, and Ahmad-Reza Sadeghi. 2019. Fastkitten: Practical Smart Contracts on Bitcoin. In 28th USENIX Security Symposium. 801–818.Google Scholar
- Joshua Ellul and Gordon J Pace. 2018. Runtime verification of Ethereum smart contracts. In 2018 14th European Dependable Computing Conference (EDCC). IEEE, 158–163.Google ScholarCross Ref
- Josselin Feist, Gustavo Grieco, and Alex Groce. 2019. Slither: a static analysis framework for smart contracts. In 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). IEEE, 8–15.Google ScholarDigital Library
- Josselin Feist, Gustavo Grieco, and Alex Groce. 2021. sGUARD: Towards fixing vulnerable smart contracts automatically. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 1–15.Google Scholar
- Christof Ferreira Torres, Mathis Baden, Robert Norvill, Beltran Borja Fiz Pontiveros, Hugo Jonker, and Sjouke Mauw. 2020. Ægis: Shielding vulnerable smart contracts against attacks. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (AsiaCCS). 584–597.Google ScholarDigital Library
- Joel Frank, Cornelius Aschermann, and Thorsten Holz. 2020. ETHBMC: A bounded model checker for smart contracts. In 29th USENIX Security Symposium. 2757–2774.Google Scholar
- Shelly Grossman, Ittai Abraham, Guy Golan-Gueta, Yan Michalevsky, Noam Rinetzky, Mooly Sagiv, and Yoni Zohar. 2017. Online detection of effectively callback free objects with applications to smart contracts. Proceedings of the ACM on Programming Languages 2, POPL(2017), 1–28.Google Scholar
- Jiao Jiao, Shuanglong Kan, Shang-Wei Lin, David Sanan, Yang Liu, and Jun Sun. 2020. Semantic understanding of smart contracts: executable operational semantics of Solidity. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 1695–1712.Google ScholarCross Ref
- Sukrit Kalra, Seep Goel, Mohan Dhawan, and Subodh Sharma. 2018. ZEUS: Analyzing safety of smart contracts.. In NDSS. 1–12.Google Scholar
- Katatsuki. 2016. Re: Hi! My name is Rubixi. I’m a new Ethereum Doubler. Now my new home - Rubixi.tk. https://bitcointalk.org/index.php?topic=1400536.60Google Scholar
- Johannes Krupp and Christian Rossow. 2018. teether: Gnawing at Ethereum to automatically exploit smart contracts. In 27th USENIX Security Symposium. 1317–1333.Google Scholar
- Ao Li, Jemin Andrew Choi, and Fan Long. 2020. Securing smart contract with runtime validation. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). 438–453.Google ScholarDigital Library
- Joshua Lind, Oded Naor, Ittay Eyal, Florian Kelbert, Emin Gün Sirer, and Peter Pietzuch. 2019. Teechain: A secure payment network with asynchronous blockchain access. In Proceedings of the 27th ACM Symposium on Operating Systems Principles (SOSP). 63–79.Google ScholarDigital Library
- Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. 2016. Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security (CCS). 254–269.Google ScholarDigital Library
- Sinisa Matetic, Karl Wüst, Moritz Schneider, Kari Kostiainen, Ghassan Karame, and Srdjan Capkun. 2019. BITE: Bitcoin lightweight client privacy using trusted execution. In 28th USENIX Security Symposium. 783–800.Google Scholar
- Brianna Montgomery. 2021. Fei Bonding Curve Bug Post Mortem. https://medium.com/fei-protocol/fei-bonding-curve-bug-post-mortem-98d2c6f271e9Google Scholar
- Mark Mossberg, Felipe Manzano, Eric Hennenfent, Alex Groce, Gustavo Grieco, Josselin Feist, Trent Brunson, and Artem Dinaburg. 2019. Manticore: A user-friendly symbolic execution framework for binaries and smart contracts. In 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 1186–1189.Google ScholarDigital Library
- Tai D Nguyen, Long H Pham, Jun Sun, Yun Lin, and Quang Tran Minh. 2020. sFuzz: An efficient adaptive fuzzer for solidity smart contracts. In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering (ICSE). 778–788.Google ScholarDigital Library
- Ivica Nikolić, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor. 2018. Finding the greedy, prodigal, and suicidal contracts at scale. In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC). 653–663.Google ScholarDigital Library
- Michael Rodler, Wenting Li, Ghassan O Karame, and Lucas Davi. 2019. Sereum: Protecting existing smart contracts against re-entrancy attacks. In NDSS. 1–15.Google Scholar
- Michael Rodler, Wenting Li, Ghassan O Karame, and Lucas Davi. 2021. EVMPatch: timely and automated patching of Ethereum smart contracts. In 30th USENIX Security Symposium. 1–18.Google Scholar
- KoET Team. 2016. King of Ether Throne Post-Mortem Investigation. https://www.kingoftheether.com/postmortemGoogle Scholar
- Christof Ferreira Torres, Julian Schütte, and Radu State. 2018. Osiris: Hunting for integer bugs in ethereum smart contracts. In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC). 664–676.Google ScholarDigital Library
- Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian Buenzli, and Martin Vechev. 2018. Securify: Practical security analysis of smart contracts. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS). 67–82.Google ScholarDigital Library
- u/ethererik. 2016. GovernMental’s 1100 ETH jackpot payout is stuck because it uses too much gas. https://www.reddit.com/r/ethereum/comments/4ghzhv/governmentals_1100_eth_jackpot_payout_is_stuck/Google Scholar
- Xiao Liang Yu, Omar Al-Bataineh, David Lo, and Abhik Roychoudhury. 2020. Smart contract repair. ACM Transactions on Software Engineering and Methodology 29, 4(2020), 1–32.Google ScholarDigital Library
- Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine Shi. 2016. Town Crier: An Authenticated Data Feed for Smart Contracts. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS). 270–282.Google ScholarDigital Library
- Fan Zhang, Ittay Eyal, Robert Escriva, Ari Juels, and Robbert Van Renesse. 2017. REM: Resource-Efficient Mining for Blockchains. In 26th USENIX Security Symposium. 1427–1444.Google Scholar
- Yuyao Zhang, Siqi Ma, Juanru Li, Kailai Li, Surya Nepal, and Dawu Gu. 2020. Smartshield: Automatic smart contract protection made easy. In 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, 23–34.Google ScholarCross Ref
Index Terms
- SolSaviour: A Defending Framework for Deployed Defective Smart Contracts
Recommendations
ContractFuzzer: fuzzing smart contracts for vulnerability detection
ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software EngineeringDecentralized cryptocurrencies feature the use of blockchain to transfer values among peers on networks without central agency. Smart contracts are programs running on top of the blockchain consensus protocol to enable people make agreements while ...
Making Smart Contracts Smarter
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications SecurityCryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has ...
An overview on smart contracts: Challenges, advances and platforms
AbstractSmart contract technology is reshaping conventional industry and business processes. Being embedded in blockchains, smart contracts enable the contractual terms of an agreement to be enforced automatically without the intervention of a ...
Highlights- Opportunities of smart contracts for industrial internet of things.
- Lifecycle ...
Comments