Open Access

ARTICLE

Analyzing Ethereum Smart Contract Vulnerabilities at Scale Based on Inter-Contract Dependency

Qiuyun Lyu¹, Chenhao Ma¹, Yanzhao Shen², Shaopeng Jiao³, Yipeng Sun¹, Liqin Hu^1,*

1 School of Cyberspace, Hangzhou Dianzi University, Hangzhou, 310018, China
2 Research and Development Department, Shandong Institute of Blockchain, Jinan, 250102, China
3 Security Team, Shanghai Anshi Network Technology, Ltd., Shanghai, 200233, China

* Corresponding Author: Liqin Hu. Email:

(This article belongs to the Special Issue: Emerging Trends on Blockchain: Architecture and Dapp Ecosystem)

Computer Modeling in Engineering & Sciences 2023, 135(2), 1625-1647. https://doi.org/10.32604/cmes.2022.021562

Received 21 January 2022; Accepted 09 June 2022; Issue published 27 October 2022

Abstract

Smart contracts running on public blockchains are permissionless and decentralized, attracting both developers and malicious participants. Ethereum, the world’s largest decentralized application platform on which more than 40 million smart contracts are running, is frequently challenged by smart contract vulnerabilities. What’s worse, since the homogeneity of a wide range of smart contracts and the increase in inter-contract dependencies, a vulnerability in a certain smart contract could affect a large number of other contracts in Ethereum. However, little is known about how vulnerable contracts affect other on-chain contracts and which contracts can be affected. Thus, we first present the contract dependency graph (CDG) to perform a vulnerability analysis for Ethereum smart contracts, where CDG characterizes inter-contract dependencies formed by DELEGATECALL-type internal transaction in Ethereum. Then, three generic definitions of security violations against CDG are given for finding respective potential victim contracts affected by different types of vulnerable contracts. Further, we construct the CDG with 195,247 smart contracts active in the latest blocks of the Ethereum and verify the above security violations against CDG by detecting three representative known vulnerabilities. Compared to previous large-scale vulnerability analysis, our analysis scheme marks potential victim contracts that can be affected by different types of vulnerable contracts, and identify their possible risks based on the type of security violation actually occurring. The analysis results show that the proportion of potential victim contracts reaches 14.7%, far more than that of corresponding vulnerable contracts (less than 0.02%) in CDG.

---

Keywords

---