Automated detection of smart contract vulnerabilities

Blockchain smart contracts automate various electronic contract processes such as interpersonal financial transactions, tokenized real estate deals and notarizations without an intermediary, and have the advantage of offering inexpensive and easy online contracting by multiple participants. This field is expected to grow rapidly within the next five years.

Smart contracts are at the heart of blockchain technology, but they are also the cause of catastrophic security incidents. Smart contracts usually enable monetary transactions and due to the public nature of blockchains, through which anyone can view contracts online, they can become easy targets for hackers because blockchain's vulnerabilities are inherent to it and cannot be avoided. Consequently, incidents resulting from the security vulnerabilities of smart contracts have continued until the present time. These security incidents have occurred several times every year since 2016, and financial losses of tens to hundreds of billions of won have occurred.

A team, led by Korea University Professor Oh Hak-joo of the Department of Computer Science and Engineering at the College of Informatics, has developed 'SmarTest', a technology that automatically detects security vulnerabilities in smart contracts, which they presented at the USENIX Security Symposium 2021, the top academic conference in the field of computer security, which was held online from August 11 to 13. The Symposium is an event where the most significant research achievements in the field of computer security are presented. (*2021 Acceptance Rate: 19%)

The team's findings were published on GitHub and on the Security Vulnerability Automatic Analysis Platform (iotcube.net) of the Korea University Center for Software Security and Assurance (CSSA), and included open source software.

* Author: 소순범(1저자), 홍성준, 오학주(교신저자)
* SmarTest : IoTcube (https://iotcube.net/veris)
* Open Source: GitHub (http://prl.korea.ac.kr/smartest)

Existing smart contract vulnerability detectors have all had limitations, and have fallen into two categories. The first category consists of tools that simply report the location of security vulnerabilities. Although these tools can detect many vulnerabilities, they cannot identify the paths along which the vulnerabilities manifested, so even if such vulnerabilities are actually found, the usefulness of these tools leaves a lot to be desired. The second category consists of tools that identify not only vulnerabilities but also the paths along which they manifest. However, their vulnerability detection capacities are limited. Unlike these existing technologies, SmarTest not only automatically detects many vulnerabilities, but also efficiently locates the paths along which they have manifested.

Professor Oh Hak-joo, who was in charge of the research, explained the significance of this study, saying, “We have overcome the existing limitations of automatic smart contract security vulnerability detection technologies. I have great expectations that our technology will contribute to the safe use of blockchain technology in the future.”

The research was carried out with the support of the Information Protection Core Technology Development Project of the Korea Ministry of Science and ICT (MSIT), and the SW Computing Industry Core Technology Development Project (SWSTAR LAB).