Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
7-2023
Abstract
A smart contract is a piece of application-layer code running on blockchain ledgers and it provides programmatic logic via transaction-based execution of pre-defined functions. Smart contract functions are by default invokable by any party. To safeguard them, the mainstream smart contract language, i.e., Solidity of the popular Ethereum blockchain, proposed a unique language-level keyword called “modifier,” which allows developers to define custom function access control policies beyond the traditional “protected” and “private” modifiers in classic programming languages.In this paper, we aim to conduct a large-scale security analysis of the modifiers used in real-world Ethereum smart contracts. To achieve this, we design and implement a novel smart contract analysis tool called SoMo. Its main objective is to identify insecure modifiers that can be bypassed from one or more unprotected smart contract functions. This is challenging because of the complicated relationship between modifiers and their variables/functions and the ambiguity of attacker-accessible entry functions. To overcome them, we first propose a new structure, the Modifier Dependency Graph (MDG), to connect all the modifier-related control/data flows. Over MDGs, we then model system variables, generate symbolic path constraints, and iteratively test each candidate entry function. Our extensive evaluation shows that SoMo outperforms the state-of-the-art SPCon tool by detecting all its true positives and correctly avoiding 9 out of 11 false positives. It also achieves high precision of 91.2% when analyzing a large dataset of 62,464 contracts, over 400 of which were identified with bypassable modifiers. Our analysis further reveals three interesting security findings about modifiers and nine major types of modifier usage in the wild. SoMo has been integrated into an online security scanning service, MetaScan.
Keywords
Smart Contract Security, Taint Analysis, Access Control, Modifiers
Discipline
Finance and Financial Management | Information Security | Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
ISSTA '23: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, Seattle, July 17-21
First Page
1157
Last Page
1168
ISBN
9798400702211
Identifier
10.1145/3597926.3598125
Publisher
ACM
City or Country
New York
Citation
FANG, Yuzhou; WU, Daoyuan; YI, Xiao; WANG, Shuai; CHEN, Yufan; CHEN, Mengjie; LIU, Yang; and JIANG, Lingxiao.
Beyond "protected" and "private": An empirical security analysis of custom function modifiers in smart contracts. (2023). ISSTA '23: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, Seattle, July 17-21. 1157-1168.
Available at: https://ink.library.smu.edu.sg/sis_research/8545
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3597926.3598125
Included in
Finance and Financial Management Commons, Information Security Commons, Software Engineering Commons