VULPEDIA: Detecting vulnerable ethereum smart contracts via abstracted vulnerability signatures

Jiaming Ye, Mingliang Ma, Yun Lin, Lei Ma, Yinxing Xue, Jianjun Zhao

Research output: Contribution to journalArticlepeer-review

Abstract

Recent years have seen smart contracts are getting increasingly popular in building trustworthy decentralized applications. Previous research has proposed static and dynamic techniques to detect vulnerabilities in smart contracts. These tools check vulnerable contracts against several predefined rules. However, the emerging new vulnerable types and programming skills to prevent possible vulnerabilities emerging lead to a large number of false positive and false negative reports of tools. To address this, we propose VULPEDIA, which mines expressive vulnerability signatures from contracts. VULPEDIA is based on the relaxed assumption that the owner of contract is not malicious. Specifically, we extract structural program features from vulnerable and benign contracts as vulnerability signatures, and construct a systematic detection method based on detection rules composed of vulnerability signatures. Compared with the rules defined by state-of-the-arts, our approach can extract more expressive rules to achieve better completeness (i.e., detection recall) and soundness (i.e., precision). We further evaluate VULPEDIA with four baselines (i.e., Slither, Securify, SmartCheck and Oyente) on the testing dataset consisting of 17,770 contracts. The experiment results show that VULPEDIA achieves best performance of precision on 4 types of vulnerabilities and leading recall on 3 types of vulnerabilities meanwhile exhibiting the great efficiency performance.

Original languageEnglish
Article number111410
JournalJournal of Systems and Software
Volume192
DOIs
Publication statusPublished - Oct 2022

All Science Journal Classification (ASJC) codes

  • Software
  • Information Systems
  • Hardware and Architecture

Fingerprint

Dive into the research topics of 'VULPEDIA: Detecting vulnerable ethereum smart contracts via abstracted vulnerability signatures'. Together they form a unique fingerprint.

Cite this