区块链论文速读A会-SECURITY 2024 OpenZeppelin中的漏洞检测 附ppt

Conference:33rd USENIX Security Symposium

CCF level:CCF A

Categories:network and information security

Year:2024

Conference time:August 14--16, 2024 Philadelphia, PA, USA

Title:

Using My Functions Should Follow My Checks: Understanding and Detecting Insecure OpenZeppelin Code in Smart Contracts

使用我的功能应遵循我的检查:理解和检测智能合约中不安全的 OpenZeppelin 代码

Authors:****

Abstract:****

Sharding is a prominent technique for scaling blockchains.

OpenZeppelin is a popular framework for building smart contracts. It provides common libraries (e.g., SafeMath), implementations of Ethereum standards (e.g., ERC20), and reusable components for access control and upgradability. However, unlike traditional software libraries, which are typically imported as static linking libraries or dynamic loading libraries, OpenZeppelin is utilized by Solidity contracts in the form of source code. As a result, developers often make custom modifications to their copies of OpenZeppelin code, which may lead to unintended security consequences.

In this paper, we conduct the first systematic study on the security of OpenZeppelin code used in real-world contracts. Specifically, we focus on the security checks in the official OpenZeppelin library and examine whether they are faithfully enforced in the relevant OpenZeppelin functions of real contracts. To this end, we propose a novel tool named ZepScope that comprises two components: MINER and CHECKER. First, MINER analyzes the official OpenZeppelin functions to extract the facts of explicit checks (i.e., the checks defined within the functions) and implicit checks (i.e., the conditions of calling the functions). Second, based on the facts extracted by MINER, CHECKER examines real contracts to identify their OpenZeppelin functions, match their checks with those in the facts, and validate the consequences for those inconsistent checks. By overcoming multiple challenges in developing ZepScope, we obtain not only the first taxonomy of OpenZeppelin checks but also the comprehensive results of checking the top 35,882 contracts from three mainstream blockchains.

OpenZeppelin 是一种流行的智能合约构建框架。它提供了通用库(例如 SafeMath)、以太坊标准的实现(例如 ERC20)以及用于访问控制和可升级性的可重用组件。然而,与通常作为静态链接库或动态加载库导入的传统软件库不同,OpenZeppelin 以源代码的形式被 Solidity 合约使用。因此,开发人员经常对其 OpenZeppelin 代码副本进行自定义修改,这可能会导致意想不到的安全后果。

在本文中,我们对实际合约中使用的 OpenZeppelin 代码的安全性进行了首次系统研究。具体来说,我们重点关注官方 OpenZeppelin 库中的安全检查,并检查它们是否在实际合约的相关 OpenZeppelin 函数中得到忠实执行。为此,我们提出了一个名为 ZepScope 的新工具,它由两个组件组成:MINER 和 CHECKER。首先,MINER 分析 OpenZeppelin 官方函数,提取显式检查(即函数内部定义的检查)和隐式检查(即调用函数的条件)的事实。其次,基于 MINER 提取的事实,CHECKER 检查真实合约,识别其 OpenZeppelin 函数,将其检查与事实中的检查进行匹配,并验证不一致检查的后果。通过克服 ZepScope 开发过程中的多重挑战,我们不仅获得了 OpenZeppelin 检查的第一个分类法,还获得了对来自三个主流区块链的前 35,882 个合约进行检查的综合结果。

相关推荐
Joy T1 天前
Solidity智能合约开发入门攻略
web3·区块链·智能合约·solidity·以太坊·共识算法
麻辣兔变形记1 天前
Solidity 合约超限问题及优化策略:以 FHEFactory 为例
人工智能·区块链
Joy T1 天前
Solidity智能合约存储与数据结构精要
数据结构·区块链·密码学·智能合约·solidity·合约function
taxunjishu2 天前
DeviceNet 转 MODBUS TCP罗克韦尔 ControlLogix PLC 与上位机在汽车零部件涂装生产线漆膜厚度精准控制的通讯配置案例
人工智能·区块链·工业物联网·工业自动化·总线协议
终端域名2 天前
什么是区块链?如何读懂区块链技术?
区块链
0132 天前
013的加密世界权威指南_第一部分
区块链·虚拟币
CryptoRzz5 天前
越南k线历史数据、IPO新股股票数据接口文档
java·数据库·后端·python·区块链
CryptoPP5 天前
获取越南股票市场列表(包含VN30成分股)实战指南
大数据·服务器·数据库·区块链
链上日记6 天前
OKZOO亮相欧洲区块链大会:HealthFi全球化进程加速
区块链