eThor: Practical and Provably Sound Static Analysis of Ethereum Smart Contracts

05/13/2020
by   Clara Schneidewind, et al.
0

Ethereum has emerged as the most popular smart contract development platform, with hundreds of thousands of contracts stored on the blockchain and covering a variety of application scenarios, such as auctions, trading platforms, and so on. Given their financial nature, security vulnerabilities may lead to catastrophic consequences and, even worse, they can be hardly fixed as data stored on the blockchain, including the smart contract code itself, are immutable. An automated security analysis of these contracts is thus of utmost interest, but at the same time technically challenging for a variety of reasons, such as the specific transaction-oriented programming mechanisms, which feature a subtle semantics, and the fact that the blockchain data which the contract under analysis interacts with, including the code of callers and callees, are not statically known. In this work, we present eThor, the first sound and automated static analyzer for EVM bytecode, which is based on an abstraction of the EVM bytecode semantics based on Horn clauses. In particular, our static analysis supports reachability properties, which we show to be sufficient for capturing interesting security properties for smart contracts (e.g., single-entrancy) as well as contract-specific functional properties. Our analysis is proven sound against a complete semantics of EVM bytecode and an experimental large-scale evaluation on real-world contracts demonstrates that eThor is practical and outperforms the state-of-the-art static analyzers: specifically, eThor is the only one to provide soundness guarantees, terminates on 95 set of real-world contracts, and achieves an F-measure (which combines sensitivity and specificity) of 89

READ FULL TEXT

page 1

page 2

page 3

page 4

research
01/31/2023

HoRStify: Sound Security Analysis of Smart Contracts

The cryptocurrency Ethereum is the most widely used execution platform f...
research
01/14/2021

The Good, the Bad and the Ugly: Pitfalls and Best Practices in Automated Sound Static Analysis of Ethereum Smart Contracts

Ethereum smart contracts are distributed programs running on top of the ...
research
09/09/2021

Clockwork Finance: Automated Analysis of Economic Security in Smart Contracts

We introduce the Clockwork Finance Framework (CFF), a general purpose, f...
research
10/11/2022

Abstract interpretation of Michelson smart-contracts

Static analysis of smart-contracts is becoming more widespread on blockc...
research
12/22/2018

Literature Review: Smart Contract Semantics

This review presents and evaluates various formalisms for the purpose of...
research
07/19/2021

Compositional Verification of Smart Contracts Through Communication Abstraction (Extended)

Solidity smart contracts are programs that manage up to 2^160 users on a...
research
03/31/2020

UTxO- vs account-based smart contract blockchain programming paradigms

We implement two versions of a simple but paradigmatic smart contract: o...

Please sign up or login with your details

Forgot password? Click here to reset