A Security Detection System For Ethereum Smart Contract Code

In recent years,blockchain technology has received more and more attention,and the design and development of smart contracts based on blockchain technology has become a hot research direction.A good smart contract can provide safe and reliable services to efficiently solve real-world problems.However,due to the uneven technical level of developers,the smart contracts written by developers may present potential security issues.The release of unsafe smart contracts may cause huge losses to users.Therefore,it is meaningful to conduct a security audit before releasing the contract officially.To address above problems,we design and implement a security audit system for the Ethereum smart contracts.We claim that our system can effectively detect the potential vulnerabilities existing in the smart contracts,and further fix them to improve the security of contracts.More concretely,this thesis designs and implements a security audit system for the Ethereum smart contracts.We first discuss several common security concerns in smart contracts.Then,by exploiting a variety of technologies,we conduct a full-scale audit system for various smart contracts.Specifically,for the smart contracts with the project source code,the system first performs lexical and grammatical analysis over them by utilizing ANTLR parser with custom rules,and then forms an abstract syntax tree.Based on this,the system can find the security threats by judging whether there are vulnerabilities in the syntax tree.Moreover,by building the private chain,our system is supportive to simulate the released smart contracts,and to dynamically detect them with fuzzy text technology,where dynamic detection mainly aims at the function part in the smart contract.Specifically,to improve the efficiency of fuzzy testing,we first classify functions based on the difference in their parameters and the return values.After that,machine learning based technology is adopted to model and evaluate these functions.On the other hand,for smart contracts with only binary files,the system first disassembles the binary code into EVM assembly code.Then according to the grammar rules and memory structure of the smart contract,these EVM assembly code will be decompiled into simple high-level languages for security personnel to view.Another way to process the binary code is converting them into the intermediate language LLVM-IR form,where KLEE symbolic execution engine is exploited to dig vulnerabilities.Finally,the system summarizes the results and presents them in a report format.The main contribution of this thesis is designing and implementing a comprehensive as well as reliable security audit system for the Ethereum smart contract.We complete the abstract modeling of the vulnerability and implement the syntax tree specification of the smart contract Solidity code file.Then,we discuss the effectiveness of introducing machine learning technology in fuzzing test and complete the modeling work of smart contract symbol execution.Finally,by testing thousands of smart contracts in real scenes,we prove the practicality and reliability of the system.