PrettySmart: Detecting Permission Re-delegation Vulnerability for Token Behaviors in Smart Contracts

Zhijie Zhong, Zibin Zheng*, Hong-Ning Dai, Qing Xue, Junjia Chen, Yuhong Nan

*Corresponding author for this work

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

Abstract

As an essential component in Ethereum and other blockchains, token assets have been interacted with by diverse smart contracts. Effective permission policies of smart contracts must prevent token assets from being manipulated by unauthorized adversaries. Recent efforts have studied the accessibility of privileged functions or state variables to unauthorized users. However, little attention is paid to how publicly accessible functions of smart contracts can be manipulated by adversaries to steal users' digital assets. This attack is mainly caused by the permission re-delegation (PRD) vulnerability. In this work, we propose PrettySmart, a bytecode-level Permission re-delegation vulnerability detector for Smart contracts. Our study begins with an empirical study on 0.43 million open-source smart contracts, revealing that five types of widely-used permission constraints dominate 98% of the studied contracts. Accordingly, we propose a mechanism to infer these permission constraints, as well as an algorithm to identify constraints that can be bypassed by unauthorized adversaries. Based on the identification of permission constraints, we propose to detect whether adversaries could manipulate the privileged token management functionalities of smart contracts. The experimental results on real-world datasets demonstrate the effectiveness of the proposed PrettySmart, which achieves the highest precision score and detects 118 new PRD vulnerabilities.
Original language: English
Title of host publication: ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering
Publisher: Association for Computing Machinery (ACM)
Pages: 2073-2084
Number of pages: 12
ISBN (Electronic): 9798400702174
ISBN (Print): 9798400702174
Publication status: Published - May 2024
Event: IEEE/ACM 46th International Conference on Software Engineering - Lisbon, Portugal
Duration: 14 Apr 2024 to 20 Apr 2024
https://dl.acm.org/doi/proceedings/10.1145/3597503

Publication series

Name: Proceedings of the IEEE/ACM International Conference on Software Engineering

Conference

Conference: IEEE/ACM 46th International Conference on Software Engineering
Country/Territory: Portugal
City: Lisbon
Period: 14/04/24 to 20/04/24
Scopus Subject Areas

  • Software

User-Defined Keywords

  • Permission Control
  • Smart Contract
  • Vulnerability Detection
