ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection
by
Bo Jiang, Ye Liu, W.K. Chan
2018
Abstract
Decentralized cryptocurrencies feature the use of blockchain to transfer
values among peers on networks without a central agency. Smart contracts are
programs running on top of the blockchain consensus protocol to enable people
to make agreements while minimizing trust. Millions of smart contracts have been
deployed in various decentralized applications. The security vulnerabilities
within those smart contracts pose significant threats to their applications.
Indeed, many critical security vulnerabilities within smart contracts on
the Ethereum platform have caused huge financial losses to their users. In this
work, we present ContractFuzzer, a novel fuzzer to test Ethereum smart
contracts for security vulnerabilities. ContractFuzzer generates fuzzing inputs
based on the ABI specifications of smart contracts, defines test oracles to
detect security vulnerabilities, instruments the EVM to log smart contracts'
runtime behaviors, and analyzes these logs to report security vulnerabilities.
Our fuzzing of 6991 smart contracts has flagged more than 459 vulnerabilities
with high precision. In particular, our fuzzing tool successfully detects the
vulnerability of the DAO contract that led to a USD 60 million loss and the
vulnerabilities of Parity Wallet that have led to the loss of 30 million and
the freezing of USD 150 million worth of Ether.
arXiv:1807.03932v2