DOCSLIB.ORG

Securify: Practical Security Analysis of Smart Contracts

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Securify: Practical Security Analysis of Smart Contracts Securify: Practical Security Analysis of Smart Contracts Petar Tsankov Andrei Dan Dana Drachsler-Cohen ETH Zurich ETH Zurich ETH Zurich [email protected] [email protected] [email protected] Arthur Gervais∗ Florian Bünzli Martin Vechev Imperial College London ETH Zurich ETH Zurich [email protected] [email protected] [email protected] ABSTRACT July 2017 [10], and few months later 280M were frozen due to a bug Permissionless blockchains allow the execution of arbitrary pro- in the very same wallet [13]. It is apparent that effective security grams (called smart contracts), enabling mutually untrusted entities checkers for smart contracts are urgently needed. to interact without relying on trusted third parties. Despite their Key Challenges. The main challenge in creating an effective secu- potential, repeated security concerns have shaken the trust in han- rity analyzer for smart contracts is the Turing-completeness of the dling billions of USD by smart contracts. programming language, which renders automated verification of To address this problem, we present Securify, a security ana- arbitrary properties undecidable. To address this issue, current auto- lyzer for Ethereum smart contracts that is scalable, fully automated, mated solutions tend to rely on fairly generic testing and symbolic and able to prove contract behaviors as safe/unsafe with respect to execution methods (e.g., Oyente [39] and Mythril [16]). While use- a given property. Securify’s analysis consists of two steps. First, it ful in some settings, these approaches come with several drawbacks: symbolically analyzes the contract’s dependency graph to extract (i) they can miss critical violations (due to under-approximation), precise semantic information from the code. Then, it checks com- (ii) yet, can also produce false positives (due to imprecise modeling pliance and violation patterns that capture sufficient conditions of domain-specific elements [30]), and (iii) they can fail to achieve for proving if a property holds or not. To enable extensibility, all sufficient code coverage on realistic contracts (Oyente achieves patterns are specified in a designated domain-specific language. only 20:2% coverage on the popular Parity wallet [17]). Overall, Securify is publicly released, it has analyzed > 18K contracts these drawbacks place a significant burden on their users, who must submitted by its users, and is regularly used to conduct security inspect all reports for false alarms and worry about unreported vul- audits by experts. We present an extensive evaluation of Securify nerabilities. Indeed, many security properties for smart contracts over real-world Ethereum smart contracts and demonstrate that it are inherently difficult to reason about directly. A viable pathto can effectively prove the correctness of smart contracts and discover addressing these challenges is building an automated verifier that critical violations. targets important domain-specific properties [15]. For example, re- cent work [31] focuses solely on identifying reentrancy issues in KEYWORDS smart contracts [5]. Smart contracts; Security analysis; Stratified Datalog Domain-Specific Insight. A key observation of this work is that 1 INTRODUCTION it is often possible to devise precise patterns expressed on the contract’s data-flow graph in a way where a match of the pattern Blockchain platforms, such as Nakamoto’s Bitcoin [43], enable the implies either a violation or satisfaction of the original security trade of crypto-currencies between mutually mistrusting parties. property. For example, 90:9% of all calls in Ethereum smart contracts To eliminate the need for trust, Nakomoto designed a peer-to-peer can be proved free of the infamous DAO bug [6] by matching a network that enables its peers to agree on the trading transactions. pattern stating that calls are not followed by writes to storage. Buterin [24] identified the applicability of decentralized computa- The reason why it is possible to establish such a correspondence arXiv:1806.01143v2 [cs.CR] 24 Aug 2018 tion beyond trading, and designed the Ethereum blockchain which is that violations of the original property in real-world contracts supports the execution of programs, called smart contracts, written tend to often violate a much simpler property (captured by the in Turing-complete languages. Smart contracts have shown to be pattern). Indeed, in terms of verification, a key benefit in working applicable in many domains including financial industry [8], public with patterns, instead of with their corresponding property, is that sector [11] and cross-industry [9]. patterns are substantially more amenable to automated reasoning. The increased adoption of smart contracts demands strong se- curity guarantees. Unfortunately, it is challenging to create smart Securify: Domain-specific Verifier. Based on the above in- contracts that are free of security bugs. As a consequence, critical sight, we developed Securify, a lightweight and scalable security vulnerabilities in smart contracts are discovered and exploited ev- verifier for Ethereum smart contracts. The key technical idea isto ery few months [2, 3, 6, 7, 10, 26]. In turn, these exploits have led to define two kinds of patterns that mirror a given security property: losses reaching millions worth of USD in the past few years: 150M (i) compliance patterns, which imply the satisfaction of the property, were stolen from the popular DAO contract in June 2016 [6], 30M and (ii) violation patterns, which imply its negation. To check these were stolen from the widely-used Parity multi-signature wallet in patterns, Securify symbolically encodes the dependence graph of the contract in stratified Datalog [50] and leverages off-the-shelf ∗Work done while at ETH Zurich 1 exists Call(_, _, y) unsafe behaviors safe behaviors 00:60 MemTag(0x20,Const) violation compliance 01:07 MemVal(0x40,Caller) !MayDep(y,Gas) 02:5b pattern pattern Eq(x, MLoad(0x40)) all SStore(_, x, _) 03:56 SStore(02, Gas, y) DetBy(x,Caller) 04:10 Call(04, x, y) ... ... ... violation contract semantic facts (§4) compliance and security no violation bytecode violation patterns (§5) report all behaviors warning Figure 1: Securify’s approach is based on automatic infer- Figure 2: Securify uses compliance and violation patterns ence of semantic program facts followed by checking of to guarantee that certain behaviors are safe and, respec- compliance and violation security patterns over these facts. tively, unsafe. The remaining behaviors are reported as warnings (to avoid missing errors). scalable Datalog solvers to efficiently (typically within seconds) analyze the code. To ensure extensibility, all patterns are expressed in a designated domain-specific language (DSL). execution tools have better support for numerical properties (e.g., In Fig. 1, we illustrate the analysis flow of Securify. Starting overflow). Our finding was that Securify was particularly help- with the contract’s bytecode (or source code, which can be compiled ful in auditing larger contracts, which are challenging to inspect to bytecode), Securify derives semantic facts inferred by analyzing with existing solutions for the reasons listed earlier. Overall, we the contract’s dependency graph and uses these facts to check a set believe Securify is a pragmatic and valuable point in the space of of compliance and violation patterns. Based on the outcome of these analyzing smart contracts due to its careful balance of scalability, checks, Securify classifies all contract behaviors into violations (_), guarantees, and precision. warnings (N), and compliant (■), as abstractly illustrated in Fig. 2. To summarize, our main contributions are: Here, the large box depicts all contract behaviors, partitioned into Main Contributions. – A decompiler that symbolically encodes the dependency safe (which satisfy the property) and unsafe ones (which violate graph of Ethereum contracts in Datalog (Section 4). it). Securify reports as violations (_) all behaviors matching the – A set of compliance and violation security patterns that violation pattern, and as warnings (N) all remaining behaviors not capture sufficient conditions to prove and disprove practical matched by the compliance pattern. security properties (Section 5). Reduced Manual Effort. Compared to existing symbolic ana- – An end-to-end implementation, called Securify, which fully lyzers for smart contracts, Securify reduces the required effort to automates the analysis of contracts (Section 6). inspect reports in two ways. First, existing analyzers do not report – An extensive evaluation over existing Ethereum smart con- definite violations (they conflate _ and N), and thus require users tracts showing that Securify can effectively prove the cor- to manually classify all reported vulnerabilities into true positives rectness of contracts and discover violations (Section 7). (found in the red box ) or false positives (found in the green box ). In contrast, Securify automatically classifies behaviors guaranteed 2 MOTIVATING EXAMPLES to be violations (marked with _). Hence, the user only needs to In this section, we motivate the problem we address through two manually classify the warnings (N) as true or false positives. real-world security issues that affected ≈ 200 millions worth of USD As we show in our evaluation, the approach of using both viola- in 2017. We describe the underlying security properties and the tion and compliance patterns reduces the warnings a user needs challenges
Load more

Recommended publications
  • How Goldsmiths Created Money Page 1 of 2
    Money: Banking, Spending, Saving, and Investing The Creation of Money How Goldsmiths Created Money Page 1 of 2 If you want to understand money, you have got to start with its history, and that means gold. Have you ever wondered why gold is so valuable? I mean, it is a really weak metal that does not have a lot of really practical uses. Maybe it is because it reminded people of the sun, which was worshipped in ancient times, that everyone decided they wanted it. Once everyone wants it, it is capable as serving as a medium of exchange. That is, gold can be used as money, and it is an ideal commodity to serve as a medium of exchange because it’s portable, it’s durable, it’s divisible, and it’s standardizable. Everybody recognizes what they want, it can be broken into little pieces, carried around, it doesn’t rot, and it is a great thing to serve as money. So, before long, gold is circulating in the form of coins. When gold circulates as coins, it is called commodity money, that is, money that has intrinsic value made out of something people want. Now, once gold coins begin to circulate as the medium of exchange, we have got another problem. That problem is security. Imagine that you are in the ancient world, lugging around bags and bags of gold. You are going to be pretty vulnerable to bandits. So what you want to do is make sure that there is a safe place to store your gold because you can store all of your wealth in the form of this valuable commodity, but you do not want it all lying around somewhere that it is easy for somebody else to pick off.
    [Show full text]
  • Deterioration and Conservation of Unstable Glass Beads on Native
    Issue 63 Autumn 2013 Deterioration and Conservation of Unstable Glass Beads on Native American Objects Robin Ohern and Kelly McHugh lass disease is an important issue for (MAI), established in 1961 by financier George museums with Native American col- Gustav Heye. Heye’s personal collecting began in G lections, and at the National Museum 1903 and continued over a fifty-four year period, of the American Indian (NMAI) it is one of the resulting in one of the largest Native American most pervasive preservation problems. Of 108,338 collections in the world. The Smithsonian Insti- non-archaeological object records in NMAI’s col- tution took over the extensive MAI holdings in lection database, 9,687 (9%) contain glass beads. 1989, establishing the National Museum of the Of these, 200 object records (22%) mention the American Indian. While the collection originally presence of glass disease on the objects. Determin- served Heye’s mission, “The preservation of every- ing how quickly the unstable glass is deteriorating thing pertaining to our American tribes”, NMAI will help with long term collection preservation places its emphasis on partnerships with Native (Figure 1). Additionally, evaluating the effective- peoples and on their contemporary lives. ness of different cleaning techniques over several When the museum joined the Smithsonian years may help to develop better protocols for Institution, the decision was made to construct treating glass beads. This ongoing research project a new building on the National Mall and move will focus on continuing research on glass disease the collection from New York to a storage facil- on ethnographic beadwork in the collection of the ity near Washington, D.C.
    [Show full text]
  • New Monetarist Economics: Methods∗
    Federal Reserve Bank of Minneapolis Research Department Staff Report 442 April 2010 New Monetarist Economics: Methods∗ Stephen Williamson Washington University in St. Louis and Federal Reserve Banks of Richmond and St. Louis Randall Wright University of Wisconsin — Madison and Federal Reserve Banks of Minneapolis and Philadelphia ABSTRACT This essay articulates the principles and practices of New Monetarism, our label for a recent body of work on money, banking, payments, and asset markets. We first discuss methodological issues distinguishing our approach from others: New Monetarism has something in common with Old Monetarism, but there are also important differences; it has little in common with Keynesianism. We describe the principles of these schools and contrast them with our approach. To show how it works, in practice, we build a benchmark New Monetarist model, and use it to study several issues, including the cost of inflation, liquidity and asset trading. We also develop a new model of banking. ∗We thank many friends and colleagues for useful discussions and comments, including Neil Wallace, Fernando Alvarez, Robert Lucas, Guillaume Rocheteau, and Lucy Liu. We thank the NSF for financial support. Wright also thanks for support the Ray Zemon Chair in Liquid Assets at the Wisconsin Business School. The views expressed herein are those of the authors and not necessarily those of the Federal Reserve Banks of Richmond, St. Louis, Philadelphia, and Minneapolis, or the Federal Reserve System. 1Introduction The purpose of this essay is to articulate the principles and practices of a school of thought we call New Monetarist Economics. It is a companion piece to Williamson and Wright (2010), which provides more of a survey of the models used in this literature, and focuses on technical issues to the neglect of methodology or history of thought.
    [Show full text]
  • Federal Reserve Bank of Chicago
    Estimating the Volume of Counterfeit U.S. Currency in Circulation Worldwide: Data and Extrapolation Ruth Judson and Richard Porter Abstract The incidence of currency counterfeiting and the possible total stock of counterfeits in circulation are popular topics of speculation and discussion in the press and are of substantial practical interest to the U.S. Treasury and the U.S. Secret Service. This paper assembles data from Federal Reserve and U.S. Secret Service sources and presents a range of estimates for the number of counterfeits in circulation. In addition, the paper presents figures on counterfeit passing activity by denomination, location, and method of production. The paper has two main conclusions: first, the stock of counterfeits in the world as a whole is likely on the order of 1 or fewer per 10,000 genuine notes in both piece and value terms; second, losses to the U.S. public from the most commonly used note, the $20, are relatively small, and are miniscule when counterfeit notes of reasonable quality are considered. Introduction In a series of earlier papers and reports, we estimated that the majority of U.S. currency is in circulation outside the United States and that that share abroad has been generally increasing over the past few decades.1 Numerous news reports in the mid-1990s suggested that vast quantities of 1 Judson and Porter (2001), Porter (1993), Porter and Judson (1996), U.S. Treasury (2000, 2003, 2006), Porter and Weinbach (1999), Judson and Porter (2004). Portions of the material here, which were written by the authors, appear in U.S.
    [Show full text]
  • Three Revolutions in Macroeconomics: Their Nature and Influence
    A Service of Leibniz-Informationszentrum econstor Wirtschaft Leibniz Information Centre Make Your Publications Visible. zbw for Economics Laidler, David Working Paper Three revolutions in macroeconomics: Their nature and influence EPRI Working Paper, No. 2013-4 Provided in Cooperation with: Economic Policy Research Institute (EPRI), Department of Economics, University of Western Ontario Suggested Citation: Laidler, David (2013) : Three revolutions in macroeconomics: Their nature and influence, EPRI Working Paper, No. 2013-4, The University of Western Ontario, Economic Policy Research Institute (EPRI), London (Ontario) This Version is available at: http://hdl.handle.net/10419/123484 Standard-Nutzungsbedingungen: Terms of use: Die Dokumente auf EconStor dürfen zu eigenen wissenschaftlichen Documents in EconStor may be saved and copied for your Zwecken und zum Privatgebrauch gespeichert und kopiert werden. personal and scholarly purposes. Sie dürfen die Dokumente nicht für öffentliche oder kommerzielle You are not to copy documents for public or commercial Zwecke vervielfältigen, öffentlich ausstellen, öffentlich zugänglich purposes, to exhibit the documents publicly, to make them machen, vertreiben oder anderweitig nutzen. publicly available on the internet, or to distribute or otherwise use the documents in public. Sofern die Verfasser die Dokumente unter Open-Content-Lizenzen (insbesondere CC-Lizenzen) zur Verfügung gestellt haben sollten, If the documents have been made available under an Open gelten abweichend von diesen Nutzungsbedingungen
    [Show full text]
  • Helicopter Ben, Monetarism, the New Keynesian Credit View and Loanable Funds
    A Service of Leibniz-Informationszentrum econstor Wirtschaft Leibniz Information Centre Make Your Publications Visible. zbw for Economics Fiebinger, Brett; Lavoie, Marc Working Paper Helicopter Ben, monetarism, the New Keynesian credit view and loanable funds FMM Working Paper, No. 20 Provided in Cooperation with: Macroeconomic Policy Institute (IMK) at the Hans Boeckler Foundation Suggested Citation: Fiebinger, Brett; Lavoie, Marc (2018) : Helicopter Ben, monetarism, the New Keynesian credit view and loanable funds, FMM Working Paper, No. 20, Hans-Böckler- Stiftung, Macroeconomic Policy Institute (IMK), Forum for Macroeconomics and Macroeconomic Policies (FFM), Düsseldorf This Version is available at: http://hdl.handle.net/10419/181478 Standard-Nutzungsbedingungen: Terms of use: Die Dokumente auf EconStor dürfen zu eigenen wissenschaftlichen Documents in EconStor may be saved and copied for your Zwecken und zum Privatgebrauch gespeichert und kopiert werden. personal and scholarly purposes. Sie dürfen die Dokumente nicht für öffentliche oder kommerzielle You are not to copy documents for public or commercial Zwecke vervielfältigen, öffentlich ausstellen, öffentlich zugänglich purposes, to exhibit the documents publicly, to make them machen, vertreiben oder anderweitig nutzen. publicly available on the internet, or to distribute or otherwise use the documents in public. Sofern die Verfasser die Dokumente unter Open-Content-Lizenzen (insbesondere CC-Lizenzen) zur Verfügung gestellt haben sollten, If the documents have been made available
    [Show full text]
  • The Natural Law of Money
    THE NATURAL LAW OF MONEY THE SUCCESSIVESTEPS IN THEGROWTH OF MONEYTRACED FROM THE DAYS OF BARTER TO THE INTRODUCTION OF THEMODERN CLEARING-HOUSE, AND MONETARY PRINCIPLESEXAMINED IN THEIRRELATION TOPAST AND PRESENT LEGISLATION BY WILLIAM BROUGH ,*\ Idividuality is left out of their scheme of government. The State is all in aIl."BURKE. G. B. PUTNAM'S SONS NEW YORR LONDON 27 WEST TWENTY-THIRD STREET a4 BEDFORD STREET, STRAND %be snickerbotkrr @reas COPYRIGHT,1894 BY WILLIAM BROUGH Entered at Stationers’ Hall, London BY G. P. PUTNAM’SSONS %be Vznickerbocker preee, mew ‘Rocbelle, rP. 10. CONTENTS. CHAPTER I. PAGB THE BEGINNINGOF MONEY . 1-19 What is meant by the " natural law of money ""The need of a medium of exchange-Barter the first method of ex- changeprofit a stimulus to trade-Money as a measure of values-Various forms of money-Qualities requisite to an efficient money-On the coinage of metals-" King's money " -Monetary struggles between kings and their subjects. CHAPTER 11. BI-METALLISMAND MONO-METALLISM. 2-57 Silver and gold as an equivalent tender-The Gresham law "Mutilation of the coinage in England-Why cheap money expels money of higher value from the circulation-Influ- ence of Jew money-changers in raising the monetary stand- ard-Clipping and sweating-Severe punishment of these offences-Value of the guinea-Mono-metallism succeeds bi-metallism-The mandatory theory of money-The law of natural displacement-A government's legitimate service in ~ regard to money-Monetary principles applied to bi-metal- lism-Effects of the demonetization of silver in 1873"The Latin Union-Effect of legislative interference with money -The per-capita plan-The Bland Act-The Sherman Act "Present difference in value between a gold and a silver dollar-Effects of a change to the silver standard-No levelling of fortunes, but an increased disparity.
    [Show full text]
  • Central Bank Digital Currencies: Foundational Principles and Core Features
    Central bank digital currencies: foundational principles and core features Bank of Canada European Central Bank Bank of Japan Report no 1 Sveriges Riksbank in a series of collaborations Swiss National Bank from a group of central banks Bank of England Board of Governors Federal Reserve System Bank for International Settlements This publication is available on the BIS website (www.bis.org). © Bank for International Settlements 2020. All rights reserved. Brief excerpts may be reproduced or translated provided the source is stated. ISBN: 978-92-9259-427-5 (online) Contents Executive summary ........................................................................................................................................................................... 1 1. Introduction ...................................................................................................................................................................... 2 1.1 The report ................................................................................................................................................................. 3 1.2 CBDC explained ...................................................................................................................................................... 3 “Synthetic CBDC” is not a CBDC .................................................................................................................................................. 4 2. Motivations, challenges and risks ............................................................................................................................
    [Show full text]
  • Sveriges Riksbank Economic Review 2018:3 Special Issue on the E-Krona
    Sveriges Riksbank Economic Review Special issue on the e-krona 2018:3 SVERIGES RIKSBANK SVERIGES RIKSBANK ECONOMIC REVIEW is issued by Sveriges Riksbank. Editors: JESPER LINDÉ AND MARIANNE NESSÉN Advisory editorial committee: MIKAEL APEL, DILAN OLCER, AND THE COMMUNICATIONS DIVISION Sveriges Riksbank, SE-103 37 Stockholm, Sweden Telephone +46 8 787 00 00 The opinions expressed in signed articles are the sole responsibility of the authors and should not be interpreted as reflecting the views of Sveriges Riksbank. The Review is published on the Riksbank’s website www.riksbank.se/Economic-Review Order a link to download new issues of Sveriges Riksbank Economic Review by sending an e-mail to: [email protected] ISSN 2001-029X SVERIGES RIKSBANK ECONOMIC REVIEW 2018:3 3 Dear readers, The Riksbank has for almost two years been conducting a review into the possibility and consequences of introducing a Swedish central bank digital currency, a so-called e-krona. This third issue of Sveriges Riksbank Economic Review in 2018 is a special theme issue discussing the e-krona from different perspectives. Cash is becoming increasingly marginalised in Sweden and the Riksbank needs to consider the role public and private actors should play on the payments market in a digital world. The Riksbank has drawn the conclusion that a digital complement to cash, an e-krona, could be one of several ways for the bank to pro-actively meet the new digital payment market. The Riksbank has published two interim reports (The Riksbank’s e-krona project, Reports 1 and 2, available at riksbank.se) which summarise the conclusions of the project.
    [Show full text]
  • A Safe-Asset Perspective for an Integrated Policy Framework*
    A Safe-Asset Perspective for an Integrated Policy Framework* Markus K. Brunnermeier† Sebastian Merkel‡ Princeton University Princeton University Yuliy Sannikov§ Stanford University May 29, 2020 Latest Version: [Click Here] Abstract Borrowing from Brunnermeier and Sannikov(2016a, 2019) this policy paper sketches a policy framework for emerging market economies by mapping out the roles and interactions of monetary policy, macroprudential policies, foreign ex- change interventions, and capital controls. Safe assets are central in a world in which financial frictions, distribution of risk, and risk premia are important ele- ments. The paper also proposes a global safe asset for a more self-stabilizing global financial architecture. Keywords: Safe asset, bubbles, international capital flows, capital controls, mon- etary policy, macroprudential policy, FX interventions, capital controls *This paper was prepared for the 7th Asian Monetary Policy Forum. We especially thank Joseph Abadi. †Email: [email protected]. ‡Email: [email protected]. §Email: [email protected]. 1 1 Introduction International monetary and financial systems have become inextricably entwined over the past decades, leading to strong and volatile cross-border capital flows as well as powerful monetary policy spillovers. The Integrated Policy Framework (IPF) pro- posed by the IMF seeks to address these issues by developing a unified framework to study optimal monetary policy, macroprudential policies, foreign exchange interven- tions, and capital controls in an interconnected global financial system. In that framework, the key friction that gives rise to a role for monetary policy is price stickiness: monetary policy primarily serves to stabilize demand, and interna- tional capital market imperfections force central banks to trade off domestic demand against financial stability.
    [Show full text]
  • IS CASH STILL KING? Despite New Technologies for Electronic Payments, Cash Has Never Been More Popular
    IS CASH STILL KING? Despite new technologies for electronic payments, cash has never been more popular. What’s driving the demand? By Tim Sablik n Sweden, signs declaring “no cash accepted” or “cash free” are becoming commonplace. In 2018, more than half of households surveyed by the Riksbank (Sweden’s central bank) reported having encountered a business that refused to accept cash, compared with just I30 percent four years earlier. Many banks in Sweden no longer accept cash at the counter. Customers can still rely on ATMs for their cash needs, but those are becoming increasingly scarce as well, falling from 3,416 in 2012 to 2,850 in 2016. In part, the country’s banks and businesses are States and a handful of other countries going back responding to changing consumer preferences. Use to 1875. They found that while currency in circula- of debit cards and Swish, Sweden’s real-time elec- tion as a share of GDP has fallen over the last 150 tronic payment system that launched in 2012, has years, that decline has not been very large given the surged in recent years while cash usage has steadily evolution in payment technologies over the same declined. Swedish law allows businesses to refuse period. Moreover, starting in the 1980s, currency to accept cash, and many firms have championed demand in the United States actually began rising noncash payments as cheaper and safer than cash. again. (Thieves have also responded to Sweden’s shift Over the last decade, dollars in circulation as a toward a cashless society. According to a recent share of GDP have nearly doubled from 5 percent article in The Atlantic, the country had only two to 9 percent.
    [Show full text]
  • ZEUS: Analyzing Safety of Smart Contracts
    ZEUS: Analyzing Safety of Smart Contracts Sukrit Kalra Seep Goel Mohan Dhawan Subodh Sharma IBM Research IBM Research IBM Research IIT Delhi [email protected] [email protected] [email protected] [email protected] (1) while (Balance > (depositors[index].Amount * 115/100) Abstract—A smart contract is hard to patch for bugs once it is && index<Total Investors) f deployed, irrespective of the money it holds. A recent bug caused (2) if(depositors[index].Amount!=0)) f losses worth around $50 million of cryptocurrency. We present (3) payment = depositors[index].Amount * 115/100; (4) depositors[index].EtherAddress.send(payment); ZEUS—a framework to verify the correctness and validate the (5) Balance -= payment; fairness of smart contracts. We consider correctness as adherence (6) Total Paid Out += payment; to safe programming practices, while fairness is adherence to (7) depositors[index].Amount=0; //remove investor agreed upon higher-level business logic. ZEUS leverages both (8) g break; abstract interpretation and symbolic model checking, along with (9) g the power of constrained horn clauses to quickly verify contracts Fig. 1: An unfair contract (adapted from [31]). for safety. We have built a prototype of ZEUS for Ethereum and Fabric blockchain platforms, and evaluated it with over 22.4K smart contracts. Our evaluation indicates that about 94.6% the money they hold. For example, investors in TheDAO [43] of contracts (containing cryptocurrency worth more than $0.5 lost cryptocurrency worth around $50 million because of a bug billion) are vulnerable. ZEUS is sound with zero false negatives and has a low false positive rate, with an order of magnitude in the code that allowed an attacker to repeatedly siphon off improvement in analysis time as compared to prior art.
    [Show full text]