Enhancing Smart Contract Security Analysis with Execution Property Graphs

TL;DR

This work presents Clue, a dynamic analysis framework for the Ethereum Virtual Machine that uses the Execution Property Graph (EPG) to unify runtime information from contract executions. By merging a Call Trace Graph, a Dynamic Control-Flow Graph, and a Dynamic Dependence Graph, Clue enables efficient graph-traversal based detection of security incidents such as reentrancy and price manipulation, achieving high true positive rates with low false positives and real-time performance. The paper demonstrates strong results across reentrancy and price manipulation datasets, including discovery of previously unreported vulnerabilities (e.g., imBTC reentrancy) and a read-only reentrancy case study, and shows favorable comparisons to state-of-the-art tools. It also provides an ablation study confirming the necessity of the full EPG structure and discusses generalizability to new attack types via traversal refinements. Overall, Clue offers a scalable, extensible framework for forensic analysis and real-time intrusion detection in DeFi ecosystems, with potential to adapt to evolving threats with minimal graph-structural changes.

Abstract

Smart contract vulnerabilities have led to significant financial losses, with their increasing complexity rendering outright prevention of hacks increasingly challenging. This trend highlights the crucial need for advanced forensic analysis and real-time intrusion detection, where dynamic analysis plays a key role in dissecting smart contract executions. Therefore, there is a pressing need for a unified and generic representation of smart contract executions, complemented by an efficient methodology that enables the modeling and identification of a broad spectrum of emerging attacks. We introduce Clue, a dynamic analysis framework specifically designed for the Ethereum virtual machine. Central to Clue is its ability to capture critical runtime information during contract executions, employing a novel graph-based representation, the Execution Property Graph. A key feature of Clue is its innovative graph traversal technique, which is adept at detecting complex attacks, including (read-only) reentrancy and price manipulation. Evaluation results reveal Clue's superior performance with high true positive rates and low false positive rates, outperforming state-of-the-art tools. Furthermore, Clue's efficiency positions it as a valuable tool for both forensic analysis and real-time intrusion detection.

Figures (5)

• Figure 1: High-level architecture of Clue. Clue supports both real-time (online) detection of unconfirmed transactions and postmortem (offline) analysis of historical traces. At its core, an EVM emulator instruments the runtime to capture detailed execution data, control flow, and asset flow, which are then combined into our unified EPG (cf. Section \ref{['sec:contract-execution-representation']}). A graph traversal engine (cf. Section \ref{['sec:traversal']}) then identifies potential attacks from the constructed EPG. Notably, the transaction trace simulator replays each execution trace so that it appears indistinguishable from a real-time EVM run, allowing the emulator interface to remain consistent across both online and offline modes (cf. Section \ref{['sec:impl']} for details).
• Figure 2: Contract execution representations for the reentrancy example in Listing \ref{['lst:reentrancy']}. In Figure \ref{['fig:ddg-example']}, $C$ and $D$ indicate control and data dependency respectively.
• Figure 3: Partial EPG of the reentrancy attack transaction (cf. Section \ref{['sec:running-example']}). The EPG is a composite structure formed by merging three fundamental property graphs: CTG, DCFG, and DDG. The CTG comprises contract vertices interconnected by CALL edges, which may be assigned with asset flow properties. A DCFG is initialized with a contract vertex, followed by basic block vertices linked via JUMPI edges. Building upon the DCFG, the DDG introduces data source vertices (e.g., storage) and incorporates edges (e.g., CONTROL) to represent data and control dependencies.
• Figure 4: Three traversal rules of the reentrancy attack detection. CALL* represents all edge labels of $E_T$ and $\mathbf{T}(E_T)$, JUMP* represents all edges of $E_C$. Except TRAVERSAL, dotted edges represent one or more edges with internal vertices omitted. TRAVERSAL edges represent the result of traversal execution. $\textsc{R}_{{\textsc{Out}_{C, CT}}}$ denotes a recursive traversal following outgoing edges of $E_C$ and $\mathbf{T}(E_T)$.
• Figure 5: Overview of WriteControl traversal used in price manipulation detection. WriteControl identifies asset flows (denoted by the basic block b in the figure) that depend on some data sources manipulated without authentication. $v_{\texttt{ORIGIN}}?$ checks if the sender address is the data source of the storage variables.

Theorems & Definitions (2)

• definition 1: Property Graph
• definition 2: Execution Property Graph