Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

All Your Tokens are Belong to Us: Demystifying Address Verification Vulnerabilities in Solidity Smart Contracts

Tianle Sun, Ningyu He, Jiang Xiao, Yinliang Yue, Xiapu Luo, Haoyu Wang

TL;DR

AVVerifier tackles address verification vulnerabilities in Ethereum smart contracts by static EVM-bytecode taint analysis, achieving a three-phase detector that reduces false positives/negatives. It processes bytecode via a Code Grapher, EVM Simulator, and Vulnerability Detector to detect vulnerabilities without dynamic analysis. On benchmarks, AVVerifier is about $2$ to $5$ times more efficient than state-of-the-art tools and achieves approximately 94 percent precision and 100 percent recall; on real-world data it identifies 812 vulnerable contracts across over five million analyzed. It also demonstrates real-time detection on Ethereum and BSC, raising early warnings prior to exploitation in at least one case, underscoring practical security impact.

Abstract

In Ethereum, the practice of verifying the validity of the passed addresses is a common practice, which is a crucial step to ensure the secure execution of smart contracts. Vulnerabilities in the process of address verification can lead to great security issues, and anecdotal evidence has been reported by our community. However, this type of vulnerability has not been well studied. To fill the void, in this paper, we aim to characterize and detect this kind of emerging vulnerability. We design and implement AVVERIFIER, a lightweight taint analyzer based on static EVM opcode simulation. Its three-phase detector can progressively rule out false positives and false negatives based on the intrinsic characteristics. Upon a well-established and unbiased benchmark, AVVERIFIER can improve efficiency 2 to 5 times than the SOTA while maintaining a 94.3% precision and 100% recall. After a large-scale evaluation of over 5 million Ethereum smart contracts, we have identified 812 vulnerable smart contracts that were undisclosed by our community before this work, and 348 open source smart contracts were further verified, whose largest total value locked is over $11.2 billion. We further deploy AVVERIFIER as a real-time detector on Ethereum and Binance Smart Chain, and the results suggest that AVVERIFIER can raise timely warnings once contracts are deployed.

All Your Tokens are Belong to Us: Demystifying Address Verification Vulnerabilities in Solidity Smart Contracts

TL;DR

AVVerifier tackles address verification vulnerabilities in Ethereum smart contracts by static EVM-bytecode taint analysis, achieving a three-phase detector that reduces false positives/negatives. It processes bytecode via a Code Grapher, EVM Simulator, and Vulnerability Detector to detect vulnerabilities without dynamic analysis. On benchmarks, AVVerifier is about to times more efficient than state-of-the-art tools and achieves approximately 94 percent precision and 100 percent recall; on real-world data it identifies 812 vulnerable contracts across over five million analyzed. It also demonstrates real-time detection on Ethereum and BSC, raising early warnings prior to exploitation in at least one case, underscoring practical security impact.

Abstract

In Ethereum, the practice of verifying the validity of the passed addresses is a common practice, which is a crucial step to ensure the secure execution of smart contracts. Vulnerabilities in the process of address verification can lead to great security issues, and anecdotal evidence has been reported by our community. However, this type of vulnerability has not been well studied. To fill the void, in this paper, we aim to characterize and detect this kind of emerging vulnerability. We design and implement AVVERIFIER, a lightweight taint analyzer based on static EVM opcode simulation. Its three-phase detector can progressively rule out false positives and false negatives based on the intrinsic characteristics. Upon a well-established and unbiased benchmark, AVVERIFIER can improve efficiency 2 to 5 times than the SOTA while maintaining a 94.3% precision and 100% recall. After a large-scale evaluation of over 5 million Ethereum smart contracts, we have identified 812 vulnerable smart contracts that were undisclosed by our community before this work, and 348 open source smart contracts were further verified, whose largest total value locked is over $11.2 billion. We further deploy AVVERIFIER as a real-time detector on Ethereum and Binance Smart Chain, and the results suggest that AVVERIFIER can raise timely warnings once contracts are deployed.
Paper Structure (42 sections, 9 equations, 6 figures, 4 tables)

This paper contains 42 sections, 9 equations, 6 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Ethereum Primer
  4. Whitelisted Address Verification
  5. Taint Analysis on Smart Contracts
  6. Threat Model
  7. Motivating Example and Challenges
  8. Motivating Example
  9. Challenges
  10. Limitations of Existing Tools
  11. Design of AVVerifier
  12. Overview
  13. Notations
  14. Component#1: Code Grapher
  15. Component#2: EVM Simulator
  16. ...and 27 more sections

Figures (6)

  • Figure 1: The workflow and architecture of AVVerifier.
  • Figure 2: The CFG of foo.
  • Figure 3: Distribution of vulnerable ones by creation time.
  • Figure 4: Relations between creation time and lifespan for vulnerable contracts.
  • Figure 5: Distribution of the number of transactions involved in vulnerable contracts.
  • ...and 1 more figures