Abstract
As an essential component of Ethereum and other blockchains, token assets are handled by a wide range of smart contracts. The permission policies of these contracts must prevent token assets from being manipulated by unauthorized adversaries. Recent efforts have studied whether privileged functions or state variables are accessible to unauthorized users. However, little attention has been paid to how the publicly accessible functions of a smart contract can be manipulated by adversaries to steal users' digital assets. This attack is mainly caused by the permission re-delegation (PRD) vulnerability. In this work, we propose PrettySmart, a bytecode-level Permission re-delegation vulnerability detector for Smart contracts. We begin with an empirical study of 0.43 million open-source smart contracts, which reveals that five types of widely used permission constraints dominate 98% of the studied contracts. Accordingly, we propose a mechanism to infer these permission constraints, together with an algorithm to identify constraints that can be bypassed by unauthorized adversaries. Building on the identified permission constraints, we detect whether adversaries could manipulate the privileged token management functionality of a smart contract. Experimental results on real-world datasets demonstrate the effectiveness of PrettySmart, which achieves the highest precision score and detects 118 new PRD vulnerabilities.
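The abstract describes the PRD pattern only at a high level: a publicly accessible function reaches privileged token management functionality without the permission constraint that guards the intended entry point. The following Solidity sketch is an added illustration written for this page, not code from the paper or the PrettySmart tool; the contract names, the `onlyOwner` constraint and the minimal `IERC20` interface are assumptions chosen to make the pattern concrete. The vulnerable contract shows the kind of unguarded path a bytecode-level detector would report; the hardened contract enforces the same constraint at every public entry point that can move tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface; only the call used below (assumption).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed example of a permission re-delegation flaw.
// `sweep` is guarded by an owner check, but `sweepVia` re-delegates the
// same token-moving capability to any caller through an internal helper.
contract VulnerableVault {
    address public owner;
    IERC20 public token;

    constructor(IERC20 _token) {
        owner = msg.sender;
        token = _token;
    }

    // Permission constraint: caller must be the contract owner.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Privileged token management: moves the vault's tokens to `to`.
    function _moveTokens(address to, uint256 amount) internal {
        require(token.transfer(to, amount), "transfer failed");
    }

    // Intended entry point, correctly constrained.
    function sweep(address to, uint256 amount) external onlyOwner {
        _moveTokens(to, amount);
    }

    // FLAW: public, unconstrained, and reaches the same privileged helper.
    // An unauthorized caller can therefore drain the vault's token balance.
    function sweepVia(address to, uint256 amount) external {
        _moveTokens(to, amount);
    }
}

// Hardened variant: every public path to the privileged functionality
// carries the permission constraint, so no re-delegation is possible.
contract HardenedVault {
    address public owner;
    IERC20 public token;

    constructor(IERC20 _token) {
        owner = msg.sender;
        token = _token;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function _moveTokens(address to, uint256 amount) internal {
        require(token.transfer(to, amount), "transfer failed");
    }

    function sweep(address to, uint256 amount) external onlyOwner {
        _moveTokens(to, amount);
    }

    // Constraint applied at this entry point as well.
    function sweepVia(address to, uint256 amount) external onlyOwner {
        _moveTokens(to, amount);
    }
}
```

The defensive check is simple to state: for each public or external function, follow every call path to a token-moving operation (here `token.transfer`) and confirm that a permission constraint such as `onlyOwner` is enforced on that path. Enforcing the constraint inside `_moveTokens` itself, rather than on each entry point, is another valid way to close the gap.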
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering |
| Publisher | Association for Computing Machinery (ACM) |
| Pages | 2073-2084 |
| Number of pages | 12 |
| ISBN (Electronic) | 9798400702174 |
| ISBN (Print) | 9798400702174 |
| Publication status | Published - May 2024 |
| Event | IEEE/ACM 46th International Conference on Software Engineering, Lisbon, Portugal; duration: 14 Apr 2024 → 20 Apr 2024; https://dl.acm.org/doi/proceedings/10.1145/3597503 |
Publication series

| Name | Proceedings of the IEEE/ACM International Conference on Software Engineering |
|---|---|
Conference

| Field | Value |
|---|---|
| Conference | IEEE/ACM 46th International Conference on Software Engineering |
| Country/Territory | Portugal |
| City | Lisbon |
| Period | 14/04/24 → 20/04/24 |
Scopus Subject Areas
- Software
User-Defined Keywords
- Permission Control
- Smart Contract
- Vulnerability Detection