摘要
智能合约是去中心化生态中的重要组件,它降低了多方合作的信任成本,因而广泛应用于数字货币和金融等领域。智能合约在区块链上自动执行,具有不可修改和不可中止的特性,合约常常持有大量数字资产,一旦存在漏洞就有可能会造成巨大损失。随着智能合约技术的发展,合约漏洞开始从简单的语法漏洞向复杂的逻辑漏洞转变,触发漏洞的条件也可能从单一的交易演变为特定的交易序列。目前,各种针对合约的攻击层出不穷,因此开发出有效的合约漏洞检测工具显得尤为重要。为此,首先介绍了11个著名的智能合约漏洞;然后从静态分析和动态分析2个方面介绍了21个合约漏洞检测技术和工具,并从检测方法、研究对象、检测能力等方面对比这些工具,讨论了它们的优点和不足;最后,结合当前合约的安全现状展望了未来的研究工作。
As crucial components of decentralized ecosystems,smart contracts can reduce the trust cost of multi-party cooperation,so they have been widely applied in fields of digital currency,finance,etc.Smart contracts are non-censorship,immutable,and automatically executed on the blockchain.Contracts often hold a large number of digital assets,which may cause huge losses once they are breached.With the development of smart contracts,vulnerabilities have changed from simple syntax errors to complex logic problems.The trigger conditions have also evolved from a single transaction to a specific transaction sequence.At present,there are endless attacks against contracts,so it is particularly important to develop effective contract vulnerability detection tools.Therefore,in this paper,eleven well-known smart contract vulnerabilities were introduced and twenty-one vulnerability detection tools were investigated.These investigated detection tools were compared from the aspects of static analysis,dynamic analysis,detection methods,research objects,capabilities,etc.and their strengths and weaknesses were also discussed.Finally,the future trend of the smart contract was prospected based on current research works.
作者
闫凯伦
刁文瑞
郭山清
YAN Kailun;DIAO Wenrui;GUO Shanqing(School of Cyber Science and Technology,Shandong University,Qingdao 266237,China;Key Laboratory of Cryptologic Technology and Information Security of Ministry of Education,Shandong University,Qingdao 266237,China)
出处
《信息对抗技术》
2023年第3期1-17,共17页
Information Countermeasures Technology
基金
山东省泰山学者青年专家项目(tsqn202211001)。
关键词
智能合约
区块链
漏洞检测
自动化工具
smart contracts
blockchain
vulnerability detection
automated tools
