【Author】
Zhang, Yuyao; Ma, Siqi; Li, Juanru; Li, Kailai; Nepal, Surya; Gu, Dawu
【Source】PROCEEDINGS OF THE 2020 IEEE 27TH INTERNATIONAL CONFERENCE ON SOFTWARE ANALYSIS, EVOLUTION, AND REENGINEERING (SANER '20)
【Abstract】The immutable feature of blockchain determines that traditional security response mechanisms (e.g., code patching) must change to remedy insecure smart contracts. The only proper way to protect a smart contract is to fix potential risks in its code before it is deployed to the blockchain. However, existing tools for smart contract security analysis focus on the detection of bugs but seldom consider the code fix issues. Meanwhile, it is often time-consuming and error-prone for a developer to understand and fix flawed code manually. In this paper we propose SMART SHIELD, a bytecode rectification system, to fix three typical security-related bugs (i.e., state changes after external calls, missing checks for out-of-bound arithmetic operations, and missing checks for failing external calls) in smart contracts automatically and help developers release secure contracts. Moreover, SMART SHIELD guarantees that the rectified contract is not only immune to certain attacks but also gas-friendly (i.e., a slightly increase of gas cost). To evaluate the effectiveness and efficiency of SMART SHIELD, we applied it to 28,621 real-world buggy contracts on Ethereum blockchain (as of January 2nd 2019). Experiment results demonstrated that among 95,502 insecure cases in those contracts, 87,346 (91.5%) of them were automatically fixed by SMART SHIELD. A following test with both program analysis and real-world exploits further testified that the rectified contracts were secure against common attacks. Moreover, the rectification only introduced a 0.2% gas increment for each contract on average.
【Keywords】Ethereum blockchain; Smart contract; Automated bug fix; Bytecode rectification
评论