区块链论文速读A会-SECURITY 2024 OpenZeppelin中的漏洞检测 附ppt

Conference:33rd USENIX Security Symposium

CCF level:CCF A

Categories:network and information security

Year:2024

Conference time:August 14--16, 2024 Philadelphia, PA, USA

Title:

Using My Functions Should Follow My Checks: Understanding and Detecting Insecure OpenZeppelin Code in Smart Contracts

使用我的功能应遵循我的检查:理解和检测智能合约中不安全的 OpenZeppelin 代码

Authors:****

Abstract:****

Sharding is a prominent technique for scaling blockchains.

OpenZeppelin is a popular framework for building smart contracts. It provides common libraries (e.g., SafeMath), implementations of Ethereum standards (e.g., ERC20), and reusable components for access control and upgradability. However, unlike traditional software libraries, which are typically imported as static linking libraries or dynamic loading libraries, OpenZeppelin is utilized by Solidity contracts in the form of source code. As a result, developers often make custom modifications to their copies of OpenZeppelin code, which may lead to unintended security consequences.

In this paper, we conduct the first systematic study on the security of OpenZeppelin code used in real-world contracts. Specifically, we focus on the security checks in the official OpenZeppelin library and examine whether they are faithfully enforced in the relevant OpenZeppelin functions of real contracts. To this end, we propose a novel tool named ZepScope that comprises two components: MINER and CHECKER. First, MINER analyzes the official OpenZeppelin functions to extract the facts of explicit checks (i.e., the checks defined within the functions) and implicit checks (i.e., the conditions of calling the functions). Second, based on the facts extracted by MINER, CHECKER examines real contracts to identify their OpenZeppelin functions, match their checks with those in the facts, and validate the consequences for those inconsistent checks. By overcoming multiple challenges in developing ZepScope, we obtain not only the first taxonomy of OpenZeppelin checks but also the comprehensive results of checking the top 35,882 contracts from three mainstream blockchains.

OpenZeppelin 是一种流行的智能合约构建框架。它提供了通用库(例如 SafeMath)、以太坊标准的实现(例如 ERC20)以及用于访问控制和可升级性的可重用组件。然而,与通常作为静态链接库或动态加载库导入的传统软件库不同,OpenZeppelin 以源代码的形式被 Solidity 合约使用。因此,开发人员经常对其 OpenZeppelin 代码副本进行自定义修改,这可能会导致意想不到的安全后果。

在本文中,我们对实际合约中使用的 OpenZeppelin 代码的安全性进行了首次系统研究。具体来说,我们重点关注官方 OpenZeppelin 库中的安全检查,并检查它们是否在实际合约的相关 OpenZeppelin 函数中得到忠实执行。为此,我们提出了一个名为 ZepScope 的新工具,它由两个组件组成:MINER 和 CHECKER。首先,MINER 分析 OpenZeppelin 官方函数,提取显式检查(即函数内部定义的检查)和隐式检查(即调用函数的条件)的事实。其次,基于 MINER 提取的事实,CHECKER 检查真实合约,识别其 OpenZeppelin 函数,将其检查与事实中的检查进行匹配,并验证不一致检查的后果。通过克服 ZepScope 开发过程中的多重挑战,我们不仅获得了 OpenZeppelin 检查的第一个分类法,还获得了对来自三个主流区块链的前 35,882 个合约进行检查的综合结果。

相关推荐
数据与人工智能律师4 分钟前
数字迷雾中的安全锚点:解码匿名化与假名化的法律边界与商业价值
大数据·网络·人工智能·云计算·区块链
sheep88883 小时前
Web3与区块链深度融合:重塑互联网基础设施的2025革命
区块链
YSGZJJ5 小时前
上证50指数分红和股指期货有什么关系?
区块链
Sui_Network6 小时前
探索 Sui 上 BTCfi 的各类资产
大数据·人工智能·科技·游戏·区块链
软件工程小施同学8 小时前
计算机学报 2025年 区块链论文 录用汇总 附pdf下载
pdf·区块链
AIMercs12 小时前
零知识证明
区块链·零知识证明
好学且牛逼的马12 小时前
学习随想录-- web3学习入门计划
区块链
太阳上的雨天1 天前
与 TRON (波场) 区块链进行交互的命令行工具 (CLI): tstroncli
typescript·区块链·交互·tron·trx·trc20
dingzd951 天前
通过 Web3 区块链安全评估,领先应对网络威胁
安全·web3·区块链·facebook·tiktok·instagram·clonbrowser
MicroTech20251 天前
微算法科技(NASDAQ:MLGO)采用分布式哈希表优化区块链索引结构,提高区块链检索效率
区块链