• Corpus ID: 52190385

Vandal: A Scalable Security Analysis Framework for Smart Contracts

  title={Vandal: A Scalable Security Analysis Framework for Smart Contracts},
  author={Lexi Brent and Anton Jurisevic and Michael Kong and Eric Liu and François Gauthier and Vincent Gramoli and Ralph Holz and Bernhard Scholz},
The rise of modern blockchains has facilitated the emergence of smart contracts: autonomous programs that live and run on the blockchain. Smart contracts have seen a rapid climb to prominence, with applications predicted in law, business, commerce, and governance. Smart contracts are commonly written in a high-level language such as Ethereum's Solidity, and translated to compact low-level bytecode for deployment on the blockchain. Once deployed, the bytecode is autonomously executed, usually… 

Security Analysis Methods on Ethereum Smart Contract Vulnerabilities: A Survey

This survey aims to identify the key vulnerabilities in smart contracts on Ethereum in the perspectives of their internal mechanisms and software security vulnerabilities by correlating 16 Ethereum vulnerabilities and 19 software security issues.

A Study of Static Analysis Tools for Ethereum Smart Contracts

SmartBugs, a new extendable execution framework, created to facilitate the integration and comparison between multiple analysis tools and the analysis of Ethereum smart contracts is introduced and it is shown that Mythril is the most sensitive and Slither has the best precision.

Annotary: A Concolic Execution System for Developing Secure Smart Contracts

Annotary is presented, a concolic execution framework to analyze smart contracts for vulnerabilities, supported by annotations which developers write directly in the Solidity source code and combines symbolic execution of EVM bytecode with a resolution of concrete values from the public Ethereum blockchain.

Smart Contract: Attacks and Protections

It is revealed that even adopting the 10 most widely used tools to detect smart contract vulnerabilities, these still contain known vulnerabilities, providing a dangerously false sense of security.

VeriSolid: Correct-by-Design Smart Contracts for Ethereum

The VeriSolid framework for the formal verification of contracts that are specified using a transition-system based model with rigorous operational semantics allows developers to reason about and verify contract behavior at a high level of abstraction.

SMARTSHIELD: Automatic Smart Contract Protection Made Easy

SMARTSHIELD, a bytecode rectification system, is proposed to fix three typical security-related bugs in smart contracts automatically and help developers release secure contracts and guarantees that the rectified contract is not only immune to certain attacks but also gas-friendly.

Towards Principled Compilation of Ethereum Smart Contracts (SoK)

  • E. J. G. Arias
  • Computer Science
    2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS)
  • 2019
The main barriers to lift in order to achieve a principled compilation strategy for Solidity are explored and the standard concepts on verified and secure compilation are reviewed, and frame them in the context of the Ethereum platform.

SESCon: Secure Ethereum Smart Contracts by Vulnerable Patterns' Detection

A static analysis tool, SESCon (secure Ethereum smart contract), applying the taint analysis techniques with XPath queries, which outperforms other analyzers and detected up to 90% of the known vulnerability patterns.

SmartScan: An approach to detect Denial of Service Vulnerability in Ethereum Smart Contracts

  • Noama Fatima SamreenM. Alalfi
  • Computer Science
    2021 IEEE/ACM 4th International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB)
  • 2021
The proposed framework, SmartScan, statically scans smart contracts under test (SCUTs) to identify patterns that are potentially vulnerable in these SCUTs and then uses dynamic analysis to precisely confirm their exploitability of the DoS-Unexpected Revert vulnerability, thus achieving increased performance and more precise results.

The State of Ethereum Smart Contracts Security: Vulnerabilities, Countermeasures, and Tool Support

The findings indicate that a uniform set of smart contract vulnerability definitions does not exist in research work and bugs pertaining to the same mechanisms sometimes appear with different names, which makes it difficult to identify, categorize, and analyze vulnerabilities.



A Semantic Framework for the Security Analysis of Ethereum smart contracts

The first complete small-step semantics of EVM bytecode is presented, which is formalized in the F* proof assistant, obtaining executable code that is successfully validate against the official Ethereum test suite.

Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach

FSolidM, a framework rooted in rigorous semantics for designing con- tracts as Finite State Machines (FSM), is introduced and a tool for creating FSM on an easy-to-use graphical interface and for automatically generating Ethereum contracts is presented.

Formal Verification of Smart Contracts: Short Paper

This paper outlines a framework to analyze and verify both the runtime safety and the functional correctness of Ethereum contracts by translation to F*, a functional programming language aimed at program verification.

Making Smart Contracts Smarter

This paper investigates the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies, and proposes ways to enhance the operational semantics of Ethereum to make contracts less vulnerable.

KEVM: A Complete Semantics of the Ethereum Virtual Machine

KEVM is presented, the first fully executable formal semantics of the EVM, the bytecode language in which smart contracts are executed, in a framework for executable semantics, the K framework, and it is shown that the approach is feasible and not computationally restrictive.

Towards verifying ethereum smart contract bytecode in Isabelle/HOL

This paper extends an existing EVM formalisation in Isabelle/HOL by a sound program logic at the level of bytecode that structure bytecode sequences into blocks of straight-line code and create a program logic to reason about these.

ZEUS: Analyzing Safety of Smart Contracts

This work presents ZEUS—a framework to verify the correctness and validate the fairness of smart contracts, which leverages both abstract interpretation and symbolic model checking, along with the power of constrained horn clauses to quickly verify contracts for safety.

MadMax: surviving out-of-gas conditions in Ethereum smart contracts

MadMax is presented: a static program analysis technique to automatically detect gas-focused vulnerabilities with very high confidence and achieves high precision and scalability.

Under-optimized smart contracts devour your money

This work conducts the first investigation on Solidity, the recommended compiler, and reveals that it fails to optimize gas- costly programming patterns, and proposes and develops GASPER, a new tool for automatically locating gas-costly patterns by analyzing smart contracts' bytecodes.

A Survey of Attacks on Ethereum Smart Contracts (SoK)

This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.