Securify: Practical Security Analysis of Smart Contracts

@article{Tsankov2018SecurifyPS,
  title={Securify: Practical Security Analysis of Smart Contracts},
  author={Petar Tsankov and Andrei Marian Dan and Dana Drachsler-Cohen and Arthur Gervais and Florian Buenzli and Martin T. Vechev},
  journal={Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security},
  year={2018}
}

Permissionless blockchains allow the execution of arbitrary programs (called smart contracts), enabling mutually untrusted entities to interact without relying on trusted third parties. Despite their potential, repeated security concerns have shaken the trust in handling billions of USD by smart contracts. To address this problem, we present Securify, a security analyzer for Ethereum smart contracts that is scalable, fully automated, and able to prove contract behaviors as safe/unsafe with… 
Security Analysis of Smart Contracts in Datalog
TLDR
Securify is a scalable and fully automated security analyzer for Ethereum smart contracts that symbolically encodes relevant control- and data-flow dependencies in stratified Datalog and uses scalable Datalog solvers to derive key semantic facts about the contract.
Ethainter: a smart contract security analyzer for composite vulnerabilities
TLDR
Ethainter is introduced, a security analyzer checking information flow with data sanitization in smart contracts, which identifies composite attacks that involve an escalation of tainted information, through multiple transactions, leading to severe violations.
A Semantic Framework for the Security Analysis of Ethereum smart contracts
TLDR
The first complete small-step semantics of EVM bytecode is presented, which is formalized in the F* proof assistant, obtaining executable code that is successfully validated against the official Ethereum test suite.
VeriSolid: Correct-by-Design Smart Contracts for Ethereum
TLDR
The VeriSolid framework for the formal verification of contracts that are specified using a transition-system based model with rigorous operational semantics allows developers to reason about and verify contract behavior at a high level of abstraction.
SGUARD: Towards Fixing Vulnerable Smart Contracts Automatically
TLDR
This work develops an approach which automatically transforms smart contracts so that they are provably free of 4 common kinds of vulnerabilities, and applies runtime verification in an efficient and provably correct manner.
The State of Ethereum Smart Contracts Security: Vulnerabilities, Countermeasures, and Tool Support
TLDR
The findings indicate that a uniform set of smart contract vulnerability definitions does not exist in research work and bugs pertaining to the same mechanisms sometimes appear with different names, which makes it difficult to identify, categorize, and analyze vulnerabilities.
Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks
TLDR
Sereum (Secure Ethereum) is proposed, a novel smart contract security technology which protects existing, deployed contracts against re-entrancy attacks in a backwards compatible way based on run-time monitoring and validation.
SMARTSHIELD: Automatic Smart Contract Protection Made Easy
TLDR
SMARTSHIELD, a bytecode rectification system, is proposed to fix three typical security-related bugs in smart contracts automatically and help developers release secure contracts; it guarantees that the rectified contract is not only immune to certain attacks but also gas-friendly.
eThor: Practical and Provably Sound Static Analysis of Ethereum Smart Contracts
TLDR
This work presents eThor, the first sound and automated static analyzer for EVM bytecode, which is based on an abstraction of the EVM bytecode semantics based on Horn clauses, and demonstrates that eThor is practical and outperforms the state-of-the-art static analyzers.
Semantic Understanding of Smart Contracts: Executable Operational Semantics of Solidity
TLDR
This work develops a formal semantics for Solidity which provides a formal specification of smart contracts to define semantic-level security properties for the high-level verification and defines correct and secure high-level execution behaviours of smart contracts to reason about compiler bugs and assist developers in writing secure smart contracts.

References

A Semantic Framework for the Security Analysis of Ethereum smart contracts
TLDR
The first complete small-step semantics of EVM bytecode is presented, which is formalized in the F* proof assistant, obtaining executable code that is successfully validated against the official Ethereum test suite.
Formal Verification of Smart Contracts: Short Paper
TLDR
This paper outlines a framework to analyze and verify both the runtime safety and the functional correctness of Ethereum contracts by translation to F*, a functional programming language aimed at program verification.
Making Smart Contracts Smarter
TLDR
This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.
KEVM: A Complete Semantics of the Ethereum Virtual Machine
TLDR
KEVM is presented, the first fully executable formal semantics of the EVM, the bytecode language in which smart contracts are executed, in a framework for executable semantics, the K framework, and it is shown that the approach is feasible and not computationally restrictive.
A Survey of Attacks on Ethereum Smart Contracts (SoK)
TLDR
This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts
TLDR
Hawk is a decentralized smart contract system that does not store financial transactions in the clear on the blockchain, thus retaining transactional privacy from the public's view, and is the first to formalize the blockchain model of cryptography.
Online detection of effectively callback free objects with applications to smart contracts
TLDR
By running the history of all execution traces in Ethereum, it is verified that virtually all existing contract executions, excluding those of the DAO or of contracts with similar known vulnerabilities, are ECF, which enables modular reasoning about objects with encapsulated state.
Scripting smart contracts for distributed ledger technology
TLDR
An overview of the scripting languages used in existing cryptocurrencies, and in particular the scripts of Bitcoin, Nxt and Ethereum are reviewed in some detail, in the context of a high-level overview of Distributed Ledger Technology and cryptocurrencies.
A NEXT GENERATION SMART CONTRACT & DECENTRALIZED APPLICATION PLATFORM
When Satoshi Nakamoto first set the Bitcoin blockchain into motion in January 2009, he was simultaneously introducing two radical and untested concepts. The first is the "bitcoin", a decentralized
ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER
TLDR
The blockchain paradigm when coupled with cryptographically-secured transactions has demonstrated its utility through a number of projects, with Bitcoin being one of the most notable ones, and Ethereum implements this paradigm in a generalised manner.