区块链论文速读A会-SECURITY 2024 OpenZeppelin中的漏洞检测 附ppt

Conference:33rd USENIX Security Symposium

CCF level:CCF A

Categories:network and information security

Year:2024

Conference time:August 14--16, 2024 Philadelphia, PA, USA

Title:

Using My Functions Should Follow My Checks: Understanding and Detecting Insecure OpenZeppelin Code in Smart Contracts

使用我的功能应遵循我的检查:理解和检测智能合约中不安全的 OpenZeppelin 代码

Authors:****

Abstract:****

Sharding is a prominent technique for scaling blockchains.

OpenZeppelin is a popular framework for building smart contracts. It provides common libraries (e.g., SafeMath), implementations of Ethereum standards (e.g., ERC20), and reusable components for access control and upgradability. However, unlike traditional software libraries, which are typically imported as static linking libraries or dynamic loading libraries, OpenZeppelin is utilized by Solidity contracts in the form of source code. As a result, developers often make custom modifications to their copies of OpenZeppelin code, which may lead to unintended security consequences.

In this paper, we conduct the first systematic study on the security of OpenZeppelin code used in real-world contracts. Specifically, we focus on the security checks in the official OpenZeppelin library and examine whether they are faithfully enforced in the relevant OpenZeppelin functions of real contracts. To this end, we propose a novel tool named ZepScope that comprises two components: MINER and CHECKER. First, MINER analyzes the official OpenZeppelin functions to extract the facts of explicit checks (i.e., the checks defined within the functions) and implicit checks (i.e., the conditions of calling the functions). Second, based on the facts extracted by MINER, CHECKER examines real contracts to identify their OpenZeppelin functions, match their checks with those in the facts, and validate the consequences for those inconsistent checks. By overcoming multiple challenges in developing ZepScope, we obtain not only the first taxonomy of OpenZeppelin checks but also the comprehensive results of checking the top 35,882 contracts from three mainstream blockchains.

OpenZeppelin 是一种流行的智能合约构建框架。它提供了通用库(例如 SafeMath)、以太坊标准的实现(例如 ERC20)以及用于访问控制和可升级性的可重用组件。然而,与通常作为静态链接库或动态加载库导入的传统软件库不同,OpenZeppelin 以源代码的形式被 Solidity 合约使用。因此,开发人员经常对其 OpenZeppelin 代码副本进行自定义修改,这可能会导致意想不到的安全后果。

在本文中,我们对实际合约中使用的 OpenZeppelin 代码的安全性进行了首次系统研究。具体来说,我们重点关注官方 OpenZeppelin 库中的安全检查,并检查它们是否在实际合约的相关 OpenZeppelin 函数中得到忠实执行。为此,我们提出了一个名为 ZepScope 的新工具,它由两个组件组成:MINER 和 CHECKER。首先,MINER 分析 OpenZeppelin 官方函数,提取显式检查(即函数内部定义的检查)和隐式检查(即调用函数的条件)的事实。其次,基于 MINER 提取的事实,CHECKER 检查真实合约,识别其 OpenZeppelin 函数,将其检查与事实中的检查进行匹配,并验证不一致检查的后果。通过克服 ZepScope 开发过程中的多重挑战,我们不仅获得了 OpenZeppelin 检查的第一个分类法,还获得了对来自三个主流区块链的前 35,882 个合约进行检查的综合结果。

相关推荐
IvorySQL10 小时前
PG 日报|SQL/PGQ 图查询基于联接重写机制实现
数据库·人工智能·sql·postgresql·区块链·ivorysql
磐链科技2 天前
技术服务:交易所从流量竞争到生态竞争的核心变量
区块链
Web3李李2 天前
DApp核心安全漏洞与项目方全方位防护指南
web3·区块链·智能合约·软件开发·dapp开发·安全审计
双缝观察者2 天前
消费场景中,多层级资金流转异常模式识别与溯源方法
区块链
磐链科技3 天前
从性能到智能:区块链交易所前沿技术全景洞察
区块链
汇策研习社3 天前
改良版ADX指标实战指南:告别传统ADX滞后、震荡误判难题
大数据·经验分享·金融·区块链·fastbull
酿情师3 天前
区块链共识算法深度拆解:PoW、PoS、PBFT、Raft 原理解析
算法·区块链·共识算法
磐链科技3 天前
区块链链游安全警示:常见漏洞与攻击手段
安全·区块链
I-NullMoneyException3 天前
0713|油价飙升、蓝牙致癌辟谣、AI推理成本、曼谷火灾、世界杯超清
人工智能·区块链
北冥you鱼3 天前
Go语言与默克尔树:区块链数据完整性的基石
开发语言·golang·区块链