Research On The Vulnerability Security Protection Mechanism For Ethereum Smart Contracts

In the early era of blockchain,represented by Bitcoin,blockchain applications are mainly cryptocurrencies.Since the first smart contract blockchain,Ethereum,blockchain has been widely used in various areas with the support of Turing-complete smart contracts.However,smart contracts security issues have posed huge losses,undermining users’ confidence in the blockchain.Ethereum is one of the most popular smart contract blockchains,becoming a research hotspot in academia and industry.The main reasons for the severe security situation of Ethereum contracts are the three aspects: First,developers are unfamiliar with new programming languages and contract features,leaving multiple vulnerabilities,but existing vulnerability detection tools are imprecise;second,contracts survive in a decentralized network,the attack surface is broad,but the existing on-chain attack defense strategies have poor scalability;third,deployed contracts cannot be modified on chain,even if there are bugs,repairing them are difficult.Most contract repair strategies are off-chain,challenging to repair deployed contracts.To enhance Ethereum smart contracts security,we should comprehensively consider the contract’s off-chain audits and on-chain executions,and provide contract security protection measures,including the following three aspects.Aiming at the various smart contract vulnerabilities and the low accuracy of existing detection tools,based on static program analysis and fuzzing technologies,an automated vulnerability verification scheme is proposed,which can effectively detect whether the targets are vulnerable,enhancing contract codes security.To improve the validity of the fuzzed test cases,all slices from the function entry to the target position are extracted,and the path constraints of all slices are further drained based on data flow and control flow analysis.Then the input and state constraints are separated.Generate inputs for the target function based on input constraints,generate transaction sequences adjusting the contract state based on state constraints,and synthesize test cases to explore the targets.Meanwhile,a distance-based mutation strategy and a target location feature guidance strategy are used to find the satisfied inputs quickly.To find exploits faster,an execution subtree-coverage-based input mutation strategy is adopted to optimize transaction generation.Experiments show that the accuracy of this proposal is 41.85%,7.8% and 33.29% higher than the three existing contract vulnerability detection tools respectively.Aiming at the problem that the deployed contracts are frequently attacked and the existing defense schemes have low scalability,based on the input filter,a vulnerabilityindependent attack defense framework that can deploy defense strategies in real-time is proposed,which can effectively intercept attack transactions and improve contract performance,enhancing contract execution security.This solution decouples the defense implementation module and the defense deployment module to reduce the overhead for miners and facilitate the flexible deployment of defense strategies.Miners only need to upgrade once and embed the defense deployment module into the Ethereum virtual machine,and contract owners are responsible for the specific defense implementation.Aiming at the problem of designing a unified defense approach for kinds of vulnerabilities types is difficult.This framework adopts a diversified defense strategy based on input filters.Meanwhile,an incentive mechanism motivates miners to participate in vulnerability defense.The security of the system is discussed through security analysis.Experiments show that this framework can intercept malicious transactions while the overheads introduced to miners and contract users are within an acceptable range.Aiming at the problem that the codes of deployed contracts cannot be modified and the existing repair solutions have poor generality,based on the contract repair templates and static program analysis,an automatic repair approach for smart contracts on the blockchain is proposed to achieve vulnerability repair,enhancing contract maintenance security.This approach places the repair strategy in an independent patch contract to realize effective vulnerability repair in a distributed decentralized execution environment.Taking the three most typical vulnerabilities of Ethereum smart contracts,namely reentrancy,unchecked underlying call,and integer vulnerabilities,as examples,the repair contract template is designed,then the patch of the vulnerability contract is automatically generated on program analysis and code synthesis technology.The approach realizes the integrity of the functions of vulnerable contracts and patches by binding.Namely,when a transaction calls the vulnerability contract,its patches will be triggered to verify the transaction execution status and ensure that the vulnerable contract runs safely,indirectly repairing contracts.Experiments show that Aroc fixes 95.95% of vulnerable contracts with a 93.32% correct rate.The overheads that Aroc brings to smart contract users and miners are acceptable.Compared to existing tools,Aroc introduces fewer execution overheads or contract codes.To sum up,focusing on smart contract vulnerability security protection,based on program analysis technology and the characteristics of smart contracts,the research is conducted from vulnerability verification during the development of smart contracts to vulnerability defense and repair after contracts are deployed on the blockchain.Try to detect all contract vulnerabilities off the chain meanwhile providing vulnerability defense and repair approaches for deployed contracts.The three approaches complement each other and offer a multidimensional security guarantee for smart contracts.