Angels or demons: investigating and detecting decentralized financial traps on ethereum smart contracts

IF 2 2区 计算机科学 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING Automated Software Engineering Pub Date : 2024-07-29 DOI:10.1007/s10515-024-00459-4
Jiachi Chen, Jiang Hu, Xin Xia, David Lo, John Grundy, Zhipeng Gao, Ting Chen
{"title":"Angels or demons: investigating and detecting decentralized financial traps on ethereum smart contracts","authors":"Jiachi Chen,&nbsp;Jiang Hu,&nbsp;Xin Xia,&nbsp;David Lo,&nbsp;John Grundy,&nbsp;Zhipeng Gao,&nbsp;Ting Chen","doi":"10.1007/s10515-024-00459-4","DOIUrl":null,"url":null,"abstract":"<div><p>Decentralized Finance (DeFi) uses blockchain technologies to transform traditional financial activities into decentralized platforms that run without intermediaries and centralized institutions. Smart contracts are programs that run on the blockchain, and by utilizing smart contracts, developers can more easily develop DeFi applications. Some key features of smart contracts—self-executed and immutability—ensure the trustworthiness, transparency and efficiency of DeFi applications and have led to a fast-growing DeFi market. However, misbehaving developers can add traps or backdoor code snippets to a smart contract, which are hard for contract users to discover. We call these code snippets in a DeFi smart contract as “<i>DeFi Contract Traps</i>” (DCTs). In this paper, we identify five DeFi contract traps and introduce their behaviors, describe how attackers use them to make unfair profits and analyze their prevalence in the Ethereum platform. We propose a symbolic execution tool, <span>DeFiDefender</span>, to detect such traps and use a manually labeled small-scale dataset that consists of 700 smart contracts to evaluate it. Our results show that our tool is not only highly effective but also highly efficient.<span>DeFiDefender</span> only needs 0.48 s to analyze one DeFi smart contract and obtains a high average accuracy (98.17%), precision (99.74%)and recall (89.24%). Among the five DeFi contract traps introduced in this paper, four of them can be detected through contract bytecode without the need for source code. We also apply <span>DeFiDefender</span> to a large-scale dataset that consists of 20,679 real DeFi-related Ethereum smart contracts. We found that 52.13% of these DeFi smart contracts contain at least one contract trap. Although a smart contract that contains contract traps is not necessarily malicious, our finding suggests that DeFi-related contracts have many centralized issues in a zero-trust environment and in the absence of a trusted party.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 2","pages":""},"PeriodicalIF":2.0000,"publicationDate":"2024-07-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Automated Software Engineering","FirstCategoryId":"94","ListUrlMain":"https://link.springer.com/article/10.1007/s10515-024-00459-4","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}
引用次数: 0

Abstract

Decentralized Finance (DeFi) uses blockchain technologies to transform traditional financial activities into decentralized platforms that run without intermediaries and centralized institutions. Smart contracts are programs that run on the blockchain, and by utilizing smart contracts, developers can more easily develop DeFi applications. Some key features of smart contracts—self-executed and immutability—ensure the trustworthiness, transparency and efficiency of DeFi applications and have led to a fast-growing DeFi market. However, misbehaving developers can add traps or backdoor code snippets to a smart contract, which are hard for contract users to discover. We call these code snippets in a DeFi smart contract as “DeFi Contract Traps” (DCTs). In this paper, we identify five DeFi contract traps and introduce their behaviors, describe how attackers use them to make unfair profits and analyze their prevalence in the Ethereum platform. We propose a symbolic execution tool, DeFiDefender, to detect such traps and use a manually labeled small-scale dataset that consists of 700 smart contracts to evaluate it. Our results show that our tool is not only highly effective but also highly efficient.DeFiDefender only needs 0.48 s to analyze one DeFi smart contract and obtains a high average accuracy (98.17%), precision (99.74%)and recall (89.24%). Among the five DeFi contract traps introduced in this paper, four of them can be detected through contract bytecode without the need for source code. We also apply DeFiDefender to a large-scale dataset that consists of 20,679 real DeFi-related Ethereum smart contracts. We found that 52.13% of these DeFi smart contracts contain at least one contract trap. Although a smart contract that contains contract traps is not necessarily malicious, our finding suggests that DeFi-related contracts have many centralized issues in a zero-trust environment and in the absence of a trusted party.

Abstract Image

Abstract Image

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
天使还是魔鬼:调查和检测以太坊智能合约上的去中心化金融陷阱
去中心化金融(DeFi)利用区块链技术将传统金融活动转变为去中心化平台,在没有中介和中心化机构的情况下运行。智能合约是在区块链上运行的程序,通过利用智能合约,开发人员可以更轻松地开发 DeFi 应用程序。智能合约的一些关键特性--自我执行和不可更改性--确保了 DeFi 应用程序的可信度、透明度和效率,并催生了一个快速增长的 DeFi 市场。然而,行为不端的开发者可能会在智能合约中添加陷阱或后门代码片段,而这些代码片段很难被合约用户发现。我们把 DeFi 智能合约中的这些代码片段称为 "DeFi 合约陷阱"(DeFi Contract Traps,DCTs)。在本文中,我们确定了五种 DeFi 合约陷阱并介绍了它们的行为,描述了攻击者如何利用它们来牟取不正当利益,并分析了它们在以太坊平台中的普遍性。我们提出了一个符号执行工具 DeFiDefender 来检测这些陷阱,并使用一个由 700 个智能合约组成的人工标记的小规模数据集对其进行评估。结果表明,我们的工具不仅高效,而且高效。DeFiDefender分析一份DeFi智能合约仅需0.48秒,并获得了较高的平均准确率(98.17%)、精确率(99.74%)和召回率(89.24%)。在本文介绍的五种 DeFi 合约陷阱中,有四种可以通过合约字节码检测出来,无需源代码。我们还将 DeFiDefender 应用于一个大规模数据集,该数据集由 20679 个真实的 DeFi 相关以太坊智能合约组成。我们发现,52.13% 的 DeFi 智能合约至少包含一个合约陷阱。尽管包含合约陷阱的智能合约并不一定是恶意的,但我们的发现表明,在零信任环境和缺乏可信方的情况下,与 DeFi 相关的合约存在许多中心化问题。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
Automated Software Engineering
Automated Software Engineering 工程技术-计算机:软件工程
CiteScore
4.80
自引率
11.80%
发文量
51
审稿时长
>12 weeks
期刊介绍: This journal details research, tutorial papers, survey and accounts of significant industrial experience in the foundations, techniques, tools and applications of automated software engineering technology. This includes the study of techniques for constructing, understanding, adapting, and modeling software artifacts and processes. Coverage in Automated Software Engineering examines both automatic systems and collaborative systems as well as computational models of human software engineering activities. In addition, it presents knowledge representations and artificial intelligence techniques applicable to automated software engineering, and formal techniques that support or provide theoretical foundations. The journal also includes reviews of books, software, conferences and workshops.
期刊最新文献
Evoattack: suppressive adversarial attacks against object detection models using evolutionary search Multi-objective improvement of Android applications Contractsentry: a static analysis tool for smart contract vulnerability detection Exploring the impact of code review factors on the code review comment generation A holistic approach to software fault prediction with dynamic classification
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1