Title: ContractSentry: a static analysis tool for smart contract vulnerability detection
Authors: Shiji Wang, Xiangfu Zhao
DOI: 10.1007/s10515-024-00471-8 (https://link.springer.com/article/10.1007/s10515-024-00471-8)
Journal: Automated Software Engineering, volume 32, issue 1 (JCR Q3, Computer Science, Software Engineering; impact factor 2.0)
Publication type: Journal Article
Publication date: 2024-10-23
Citations: 0
Abstract
Frequent smart contract security incidents pose a threat to the credibility of the Ethereum platform, making smart contract vulnerability detection a focal point of concern. Previous research has proposed vulnerability detection methods for smart contracts. Generally, these tools rely on predefined rules to detect vulnerable smart contracts. However, using out-of-date rules for vulnerability detection may lead to a significant number of false negatives and false positives, because the variety of smart contract vulnerability types keeps growing and vulnerability defense mechanisms keep improving. In this paper, we propose ContractSentry, a tool for static analysis of smart contracts. First, we preprocess Solidity code to extract critical contract information and transform it into an intermediate representation. Then, based on the intermediate representation, we propose composite rules for vulnerability detection by analyzing the characteristics of different types of vulnerabilities in smart contracts. Finally, we evaluate ContractSentry on two datasets and compare it with state-of-the-art vulnerability detection tools. Experimental results demonstrate that ContractSentry achieves superior detection effectiveness.
Journal description:
This journal publishes research papers, tutorial papers, surveys, and accounts of significant industrial experience in the foundations, techniques, tools, and applications of automated software engineering technology. This includes the study of techniques for constructing, understanding, adapting, and modeling software artifacts and processes.
Coverage in Automated Software Engineering examines both automatic systems and collaborative systems as well as computational models of human software engineering activities. In addition, it presents knowledge representations and artificial intelligence techniques applicable to automated software engineering, and formal techniques that support or provide theoretical foundations. The journal also includes reviews of books, software, conferences and workshops.