Security Analysis Methods for Detection and Repair of DoS Vulnerabilities in Smart Contracts
MetadataShow full item record
In recent years we have witnessed a dramatic increase in the applications of blockchain and smart contracts in a variety of contexts, including supply-chain, decentralized finance, and international money transfers. However, a critical stumbling block to their further adoption is smart contract security (or more precisely, the lack thereof). Smart contracts, once deployed on a blockchain, are immutable. Hence, unlike traditional software systems, smart contracts are particularly vulnerable to latent security issues. It is therefore imperative that security analysis tools be developed that help improve smart contract security if they are to have continued adoption and impact. A particularly widespread class of security vulnerabilities that afflicts Ethereum smart contracts is the gas-based denial of service (DoS). Briefly, these vulnerabilities generally present in contracts containing unbounded loops. To address the described problem, we present Gas Gauge, a tool aimed at detecting gas-based DoS vulnerabilities in Ethereum smart contracts. Gas Gauge consists of three major components: the Detection Phase, Identification Phase, and Correction Phase. First, we describe a highly accurate static analysis approach that finds all the loops in a smart contract (the Detection Phase). Then, a set of inputs that causes the contract to run out of gas is generated using a fuzzing approach. The last component uses static analysis and run-time verification to predict the maximum loop bounds consistent with allowable gas usage automatically. This component uses a binary search approach and an independent parallel processing design to speed up the process. Each part of the tool can be used separately for different purposes or all together to detect, identify and help repair the contracts vulnerable to out-of-gas behaviors. Gas Gauge was tested on 2,000 real-world solidity smart contracts. The results were compared to seven state-of-the-art tools, and it was empirically demonstrated that Gas Gauge is highly effective and useful.
Cite this version of the work
Behkish Nassirzadeh (2021). Security Analysis Methods for Detection and Repair of DoS Vulnerabilities in Smart Contracts. UWSpace. http://hdl.handle.net/10012/16885