区块链论文速读A会-SECURITY 2024 OpenZeppelin中的漏洞检测 附ppt

Conference:33rd USENIX Security Symposium

CCF level:CCF A

Categories:network and information security

Year:2024

Conference time:August 14--16, 2024 Philadelphia, PA, USA

Title:

Using My Functions Should Follow My Checks: Understanding and Detecting Insecure OpenZeppelin Code in Smart Contracts

使用我的功能应遵循我的检查:理解和检测智能合约中不安全的 OpenZeppelin 代码

Authors:****

Abstract:****

Sharding is a prominent technique for scaling blockchains.

OpenZeppelin is a popular framework for building smart contracts. It provides common libraries (e.g., SafeMath), implementations of Ethereum standards (e.g., ERC20), and reusable components for access control and upgradability. However, unlike traditional software libraries, which are typically imported as static linking libraries or dynamic loading libraries, OpenZeppelin is utilized by Solidity contracts in the form of source code. As a result, developers often make custom modifications to their copies of OpenZeppelin code, which may lead to unintended security consequences.

In this paper, we conduct the first systematic study on the security of OpenZeppelin code used in real-world contracts. Specifically, we focus on the security checks in the official OpenZeppelin library and examine whether they are faithfully enforced in the relevant OpenZeppelin functions of real contracts. To this end, we propose a novel tool named ZepScope that comprises two components: MINER and CHECKER. First, MINER analyzes the official OpenZeppelin functions to extract the facts of explicit checks (i.e., the checks defined within the functions) and implicit checks (i.e., the conditions of calling the functions). Second, based on the facts extracted by MINER, CHECKER examines real contracts to identify their OpenZeppelin functions, match their checks with those in the facts, and validate the consequences for those inconsistent checks. By overcoming multiple challenges in developing ZepScope, we obtain not only the first taxonomy of OpenZeppelin checks but also the comprehensive results of checking the top 35,882 contracts from three mainstream blockchains.

OpenZeppelin 是一种流行的智能合约构建框架。它提供了通用库(例如 SafeMath)、以太坊标准的实现(例如 ERC20)以及用于访问控制和可升级性的可重用组件。然而,与通常作为静态链接库或动态加载库导入的传统软件库不同,OpenZeppelin 以源代码的形式被 Solidity 合约使用。因此,开发人员经常对其 OpenZeppelin 代码副本进行自定义修改,这可能会导致意想不到的安全后果。

在本文中,我们对实际合约中使用的 OpenZeppelin 代码的安全性进行了首次系统研究。具体来说,我们重点关注官方 OpenZeppelin 库中的安全检查,并检查它们是否在实际合约的相关 OpenZeppelin 函数中得到忠实执行。为此,我们提出了一个名为 ZepScope 的新工具,它由两个组件组成:MINER 和 CHECKER。首先,MINER 分析 OpenZeppelin 官方函数,提取显式检查(即函数内部定义的检查)和隐式检查(即调用函数的条件)的事实。其次,基于 MINER 提取的事实,CHECKER 检查真实合约,识别其 OpenZeppelin 函数,将其检查与事实中的检查进行匹配,并验证不一致检查的后果。通过克服 ZepScope 开发过程中的多重挑战,我们不仅获得了 OpenZeppelin 检查的第一个分类法,还获得了对来自三个主流区块链的前 35,882 个合约进行检查的综合结果。

相关推荐
晓宜1 小时前
区块链—NFT介绍及发行
区块链
劲驰2 小时前
基于智能合约实现非托管支付
区块链·智能合约
孙叫兽12 小时前
区块链论坛社区
区块链
LHminer 凡1 天前
神马 M21 31T 矿机解析:性能、规格与市场应用
区块链
空中湖1 天前
去中心化投票系统开发教程
去中心化·区块链
MicroTech20252 天前
微算法科技 (NASDAQ:MLGO)利用量子密钥分发QKD技术,增强区块链系统的抗攻击能力
区块链·量子计算
dingzd952 天前
去中心化金融(DeFi)入门必看
金融·web3·去中心化·区块链·facebook·tiktok·instagram
miner.Fan2 天前
蚂蚁 S21e XP Hyd 3U 860T矿机性能分析与技术特点
区块链
Sui_Network2 天前
凭借 Seal,Walrus 成为首个具备访问控制的去中心化数据平台
大数据·人工智能·科技·web3·去中心化·区块链
TechubNews2 天前
Webus 与中国国际航空合作实现 XRP 支付
大数据·网络·人工智能·web3·区块链