Ethereum, one of the world's largest decentralized application platforms, has repeatedly suffered economic losses due to smart contract vulnerabilities, and the demand for efficient and accurate detection of such vulnerabilities is growing rapidly. However, with the homogenization of smart contracts and the increase in interaction between contracts, schemes and tools based on single-contract detection can no longer meet the needs of large-scale vulnerability analysis. In addition, three questions have not been fully discussed in domestic or international work: how inter-contract dependency influences vulnerability detection, how to identify and classify the multiple on-chain contracts affected by the exploitation of a vulnerability, and how to effectively reduce false negatives in vulnerability detection in a multi-contract environment. Multi-contract vulnerability detection of this kind plays a crucial role in reducing the burden of manual code audit and in building a smart contract blacklist. Therefore, this paper first designs a multi-contract vulnerability analysis method based on inter-contract dependency, and then proposes a vulnerability detection scheme based on bytecode matching. The main research results are as follows:

(1) To address the problems of how to characterize the impact of inter-contract dependency activities on vulnerability detection and how to identify all on-chain contracts affected by a vulnerability, this paper first clarifies the definitions of inter-contract dependency and the contract dependency graph (CDG), which characterize and model the inter-contract dependency activities of Ethereum. Second, three types of security violations against the CDG are defined according to the location of the vulnerable contract and the security attributes; these are used to identify and classify potential victim contracts. Finally, this paper proposes a multi-contract vulnerability detection method based on the CDG. Combined with the existing ETHBMC vulnerability detection tool, three representative known vulnerability types are detected across 195,247 active smart contracts in the latest Ethereum block. Compared with previous large-scale vulnerability analyses, this method for the first time clearly marks the potential victim contracts affected by different types of known vulnerabilities, and finds that their number is much higher than that of the vulnerable contracts themselves, accounting for 14.7% of the analyzed smart contracts. That is, a few vulnerable contracts affect a larger number of other on-chain contracts, which is similar to a number of exploits that have occurred in the real world.

(2) To effectively reduce false negatives in vulnerability detection in a multi-contract environment, this paper proposes a general and lightweight vulnerability detection scheme based on bytecode matching. Specifically, the scheme first addresses the way EVM bytecode diversity and noise code interfere with bytecode similarity detection by combining critical path extraction with program slicing. It then converts bytecode similarity detection into a feature vector similarity calculation using word embedding, and finally matches the result against the set of known vulnerable contracts. This yields, for any smart contract, a detection result stating whether it has vulnerabilities and of which types. Simulation experiments show that the scheme detects an additional 5,058 vulnerable contracts and potential victim contracts among 52,521 contracts of unknown security status for which ETHBMC timed out or terminated abnormally, thus effectively reducing the false negatives caused by the vulnerability detection tool without introducing a large number of false positives (5.8%). In addition, the time performance of the scheme is much better than that of smart contract vulnerability analysis tools based on symbolic execution and bounded model checking.