Demystifying Invariant Effectiveness for Securing Smart Contracts
Zhiyang Chen, Ye Liu, Sidi Mohamed Beillahi, Yi Li, Fan Long
TL;DR
The paper presents Trace2Inv, a trace-driven invariant synthesis framework that dynamically generates smart-contract invariants from historical transaction data and classifies them into eight categories (e.g., Access Control, Time Lock, Gas Control, Money Flow, Data Flow). Through large-scale experiments on 42 victim contracts across 27 real-world exploits, it demonstrates that well-chosen invariant guards can block a majority of attacks with minimal gas overhead, and that combining invariants further improves protection while keeping false positives low. It further shows that certain invariants remain effective even when attackers adapt, and that Trace2Inv can reveal new exploits earlier than prior reports. Compared to state-of-the-art invariant mining and transaction-detection tools, Trace2Inv achieves higher practical effectiveness and lower false positives, with the added benefit of discovering previously unreported exploit transactions.
Abstract
Smart contract transactions associated with security attacks often exhibit distinct behavioral patterns compared with historical benign transactions before the attacking events. While many runtime monitoring and guarding mechanisms have been proposed to validate invariants and stop anomalous transactions on the fly, the empirical effectiveness of the invariants used remains largely unexplored. In this paper, we studied 23 prevalent invariants of 8 categories, which are either deployed in high-profile protocols or endorsed by leading auditing firms and security experts. Using these well-established invariants as templates, we developed a tool Trace2Inv which dynamically generates new invariants customized for a given contract based on its historical transaction data. We evaluated Trace2Inv on 42 smart contracts that fell victim to 27 distinct exploits on the Ethereum blockchain. Our findings reveal that the most effective invariant guard alone can successfully block 18 of the 27 identified exploits with minimal gas overhead. Our analysis also shows that most of the invariants remain effective even when the experienced attackers attempt to bypass them. Additionally, we studied the possibility of combining multiple invariant guards, resulting in blocking up to 23 of the 27 benchmark exploits and achieving false positive rates as low as 0.32%. Trace2Inv outperforms current state-of-the-art works on smart contract invariant mining and transaction attack detection in terms of both practicality and accuracy. Though Trace2Inv is not primarily designed for transaction attack detection, it surprisingly found two previously unreported exploit transactions, earlier than any reported exploit transactions against the same victim contracts.