Towards the Evolution of Tools for Detecting Vulnerabilities in Smart Contracts: A Case Study of Mythril and Slither

  • Felipe Mello Fonseca CEFET-RJ
  • Matheus dos Santos Moura CEFET-RJ
  • Pedro Henrique Gonzalez UFRJ
  • Diogo Silveira Mendonça CEFET-RJ

Abstract

Blockchain is an innovative technology applied in many areas, such as finance, record management, electronic voting and games. Blockchain transactions are frequently executed by smart contracts, code that is considered security-critical. Several tools claim to identify vulnerabilities in smart contracts automatically; however, as previous studies show, their effectiveness at this task is usually low. Automatically identifying vulnerabilities in smart contracts therefore remains a major challenge. In this study we investigate the evolution of two important tools for detecting vulnerabilities in smart contracts, Mythril and Slither, evaluating their effectiveness in identifying vulnerabilities and whether they have improved compared to an earlier version. To this end, we ran more recent versions of the tools on a set of 69 smart contracts previously analyzed in an earlier study. The results were compared with the already classified vulnerabilities and submitted to manual validation to assess their precision. The experiments show that Mythril improved by reducing false positives, while Slither improved its detection of Access Control flaws. However, the tools showed limitations in their evolution for some types of vulnerabilities. These findings reinforce the continuing need to improve and evaluate automated security analysis tools for smart contracts.

Keywords: Blockchain, Smart Contract, Solidity, Automated analysis tools, Mythril, Slither

Published
19/05/2025
FONSECA, Felipe Mello; MOURA, Matheus dos Santos; GONZALEZ, Pedro Henrique; MENDONÇA, Diogo Silveira. Towards the Evolution of Tools for Detecting Vulnerabilities in Smart Contracts: A Case Study of Mythril and Slither. In: WORKSHOP EM BLOCKCHAIN: TEORIA, TECNOLOGIAS E APLICAÇÕES (WBLOCKCHAIN), 8., 2025, Natal/RN. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 43-56. DOI: https://doi.org/10.5753/wblockchain.2025.8787.