[MA] Vulnerability Discovery in Solidity Code

  • Tagung:

    Vulnerability Discovery in Solidity Code

  • Tagungsort:

    https://conf.intellisec.de/b/max-29w-rxu (148354)

  • Datum:

    2021-05-11

  • Zeit:

    14:00

  • With smart contracts routinely managing millions and sometimes billions of dollars worth of digital assets, their security is of growing concern.
    Because smart contracts are immutable, finding the security vulnerabilities in them prior to their use is crucial.

    This thesis explores the applicability of two previously established methods of finding vulnerabilities to smart contracts:
    Performing graph traversals on the smart contract's code property graph as well as finding missing checks via anomaly detection by comparing the contract's functions to similar functions from both the same and different smart contracts.

    Both methods were found to work on smart contracts.
    6 types of security vulnerabilities were considered.
    Regarding 4 of them, security vulnerabilities were detected in actively used smart contracts.
    With vulnerability discovery via graph traversals, signature replay vulnerabilities were to the best of my knowledge detected in an automated fashion in smart contracts for the first time.
    The traversal for this specific security vulnerability yielded 198 actively used smart contracts.
    23 out of 50 inspected contracts from the result set were found to be vulnerable to signature replay attacks.