A group of researchers from the University of California, Santa Barbara, has developed a “scalable technique” for vetting smart contracts and mitigating state-inconsistency issues on the Ethereum blockchain, uncovering 47 zero-day vulnerabilities in the process.
Smart contracts are blockchain-based programmes that are automatically executed when preset conditions are satisfied based on the agreement’s encoded provisions. They enable anonymous parties to carry out trustworthy transactions and agreements without the necessity for a central authority.
In other words, the code is intended to be the last judge of “the contract” it represents, with the programme managing all aspects of execution and providing an immutable evidentiary audit trail of both trackable and irreversible transactions.
As illustrated by attacks directed at the DAO and, more recently, MonoX, adversaries exploited weaknesses to illicitly syphon funds, a situation that might have disastrous effects given the rising usage of smart contracts in recent years.
“Because smart contracts are not easily upgradeable, pre-deployment auditing of the contract’s source code and deploying a bug-free contract is much more crucial than in the case of traditional software,” the researchers wrote in a report.
With Sailfish, an attacker can tamper with the execution order of transactions or take control of the control flow within a single transaction due to state inconsistency vulnerabilities in smart contracts (i.e., reentrancy).
This is how the tool works. Sailfish converts a smart contract into a dependency graph, which captures the control and data flow relations between storage variables and state-changing instructions of a smart contract. It then uses this graph to identify potential flaws by defining hazardous access, which are graph queries that determine whether two different execution paths, at least one of which is a write operation, operate on the same storage variable.
The researchers tested Sailfish against 89,853 contracts collected from Etherscan and discovered 47 zero-day weaknesses that might be used to drain Ether and even change application-specific metadata. A susceptible contract incorporating a housing tracker that might be misused to allow a home owner to have many active listings is also included.
The study’s findings will be presented at the IEEE Symposium on Security and Privacy (S&P), which will take place in May 2022.
This isn’t the first time that academics have been drawn to faulty smart contracts. Chinese academics created a system for categorising known weaknesses in smart contracts in September 2020, with the goal of developing a detection threshold for each bug.