
Research On Online Vulnerability Detection Technology For Smart Contracts On Blockchain

Posted on: 2022-01-14
Degree: Master
Type: Thesis
Country: China
Candidate: T Li
GTID: 2518306524480194
Subject: Cyberspace security
Abstract/Summary:
Smart contracts have become lucrative and profitable targets for attackers because they can hold a great amount of money. At present, attacks on smart contract vulnerabilities have caused serious economic losses to users. Existing approaches for detecting smart contract vulnerabilities can be roughly divided into offline analysis and online detection. Most offline analysis solutions analyze the bytecode or source code of the contract, combined with software security methods such as symbolic execution and taint analysis. However, offline methods cannot guarantee that all vulnerabilities can be detected and removed, due to the lack of runtime information and the inherent limitations of the selected techniques. Online detection methods examine deployed smart contracts while the blockchain is running, but only some of the existing online detection methods can be successfully implemented, and they can only detect specific types of vulnerabilities and cannot be easily extended to detect new vulnerabilities. Moreover, developing a new online detection tool for smart contracts from scratch is time-consuming and requires a deep understanding of blockchain internals, making it difficult to quickly implement and deploy mechanisms to detect new attacks. In this paper, we propose a novel online vulnerability detection framework named SODA for smart contracts on any blockchain that supports the Ethereum Virtual Machine (EVM). First, SODA empowers users to easily develop apps for detecting various smart contract vulnerabilities without modifying the code of the EVM. To achieve this goal, SODA separates information collection from attack detection with a layered design. At the higher layer, SODA provides unified interfaces for developing detection apps against various attacks. At the lower layer, SODA instruments the EVM to collect all primitive information necessary to detect various attacks and constructs 11 kinds of structural information for the ease of developing apps. Based on SODA, users can develop new apps in a few lines of code without modifying the EVM. Second, SODA is efficient, because we design on-demand information retrieval to reduce the overhead of information collection and adopt dynamic linking to eliminate the overhead of inter-process communication. This design allows users to develop detection apps in any programming language that can generate dynamic link libraries. Third, since more and more blockchains adopt the EVM as their smart contract runtime, SODA can be easily migrated to such blockchains without modifying apps. Based on SODA, we develop 8 detection apps to detect attacks exploiting major vulnerabilities in smart contracts, and integrate SODA (including all apps) into 3 popular blockchains: Ethereum, Expanse and Wanchain. After the full nodes running these blockchains synchronized 8.18 million, 2.17 million, and 3.75 million blocks, we detected a large number of vulnerable contracts and attack transactions. SODA is the first online vulnerability detection framework for smart contracts proposed for the Expanse and Wanchain blockchains. The extensive experimental results demonstrate the effectiveness and efficiency of SODA and our detection apps.
Keywords/Search Tags: Blockchain, Smart Contract, Online vulnerability detection framework for smart contracts on blockchain, Ethereum virtual machine