摘要
Smartcheck是以太坊智能合约的一个典型的静态分析工具,其将基于Solidity语言的智能合约源代码转换为基于XML的中间表示,并依据XPath模式进行检查。虽然Smartcheck能够有效地分析许多安全漏洞,但部分漏洞的分析并不完善且收录的漏洞也不够完整。针对该问题,本文通过对漏洞原理的深入分析,在时间戳依赖、整数溢出和delegatecall等典型漏洞方面进一步完善了Smartcheck,并实现了一个新的检测工具SmartETH。通过真实大数据集和5份具体合约验证表明,SmartETH能够更好地检测出相关的漏洞,同时减少了大量漏洞的误报和漏报问题。
Smart contracts on blockchain operate on quantity of digital assets.Once deployed on blockchain,they are difficult to modify.Therefore,the analysis and detection of security vulnerabilities of smart contracts has become an important research topic.Smartcheck is a static analysis tool for Ethereum smart contracts that converts Solidity source code into an XML-based intermediate representation and checks it against XPath patterns.While Smartcheck can analyze most of the vulnerabilities,it has limitations in terms of coverage and accuracy.To address these issues,we developed a new tool,SmartETH,to further improve Smartcheck by analyzing typical vulnerabilities such as timestamp dependency,integer overflow and delegatecall vulnerabilities.The improved Smartcheck is tested on a large dataset and verified by five specific contracts,demonstrating improved accuracy in vulnerability detection.In addition,improvements have reduced false positives and missed positives for many vulnerabilities.
作者
费佳佳
赵相福
陈霄汉
张登记
FEI Jiajia;ZHAO Xiangfu;CHEN Xiaohan;ZHANG Dengji(School of Computer and Control Engineering,Yantai University,Yantai 264005,Shandong,China;Department of Computer,Zhejiang Normal University,Jinhua 321004,Zhejiang,China)
出处
《应用科学学报》
CAS
CSCD
北大核心
2024年第6期1027-1039,共13页
Journal of Applied Sciences
基金
国家自然科学基金(No.61972360,No.62072392)资助。
