Home

Awesome

Demystifying Exploitable Bugs in Smart Contracts <a href="https://openai.com/product/dall-e-2"><img src="resources/logo.png" alt="Logo" align="right" width="82"/></a>

integrity validation

<p> <a href="papers/icse23.pdf"> <img title="" src="resources/paper.jpg" alt="loading-ag-167" align="right" width="200"></a>

This project aims to provide a valuable resource for Web3 developers and security analysts by facilitating their understanding of exploitable bugs in smart contracts. We conduct a thorough analysis of exploitable bugs extracted from code4rena and classify each bug according to its nature.

Our initial research suggests that a notable proportion of exploitable bugs in smart contracts are functional bugs, which cannot be detected using simple and general oracles like reentrancy. We aim to raise awareness about the significance of such bugs and encourage practitioners to develop more sophisticated and nuanced automatic semantical oracles to detect them.

</p> <br>

𝙰 𝚜𝚒𝚐𝚗𝚒𝚏𝚒𝚌𝚊𝚗𝚝 𝚗𝚞𝚖𝚋𝚎𝚛 𝚘𝚏 𝚎𝚡𝚙𝚕𝚘𝚒𝚝𝚊𝚋𝚕𝚎 𝚋𝚞𝚐𝚜 𝚒𝚗 𝚜𝚖𝚊𝚛𝚝 𝚌𝚘𝚗𝚝𝚛𝚊𝚌𝚝𝚜 𝚏𝚊𝚕𝚕 𝚞𝚗𝚍𝚎𝚛 𝚝𝚑𝚎 𝚌𝚊𝚝𝚎𝚐𝚘𝚛𝚢 𝚘𝚏 𝚏𝚞𝚗𝚌𝚝𝚒𝚘𝚗𝚊𝚕 𝚋𝚞𝚐𝚜, 𝚠𝚑𝚒𝚌𝚑 𝚌𝚊𝚗𝚗𝚘𝚝 𝚋𝚎 𝚍𝚎𝚝𝚎𝚌𝚝𝚎𝚍 𝚞𝚜𝚒𝚗𝚐 𝚜𝚒𝚖𝚙𝚕𝚎 𝚊𝚗𝚍 𝚐𝚎𝚗𝚎𝚛𝚊𝚕 𝚘𝚛𝚊𝚌𝚕𝚎𝚜.

<br>

Please be aware that this repository is currently undergoing active development, and the data may change over time due to ongoing code4rena contests.

Dataset Description

Folder Structure

The dataset is organized into four folders:

Bug Labels

We classify the surveyed bugs into three main categories based on their nature:

As classifying functional bugs can be ambiguous, we welcome suggestions to improve our classification standards. You can find more detailed label information in our documentation, and we encourage you to refer to our current classification guidelines for more information.

Recommended Security Analysis Tools

Our goal is to create a comprehensive list of vulnerability detection techniques that will be a valuable resource for Web3 developers and security analysts. We will focus on two main categories:

<span style="color:red"><strong>We warmly welcome any additional suggestions or contributions from the community to help expand and improve the list. </strong></span>

Vulnerability Detection with Automatic Semantical Oracles

We believe that future web3 security efforts will prioritize identifying functional bugs and developing corresponding oracles. To this end, we intend to compile a list of techniques that provide guidance in the creation of automatic semantic oracles. These techniques will be sourced from various materials, such as peer-reviewed research papers, pre-prints, industry tools, and online resources.

TechniqueBug Category
Finding Permission Bugs in Smart Contracts with Role MiningAccess Control
AChecker: Statically Detecting Smart Contract Access Control VulnerabilitiesAccess Control
Towards Automated Verification of Smart Contract FairnessFairness Property
Clockwork Finance: Automated Analysis of Economic Security in Smart ContractsTBD
Confusum Contractum: Confused Deputy Vulnerabilities in Ethereum Smart ContractsConfused Deputy
Not your Type! Detecting Storage Collision Vulnerabilities in Ethereum Smart ContractsStorage Collision

Publicly Available Security Analysis Techniques

This section will include open-source techniques that are publicly available and currently in active development. These techniques can be used either directly by Web3 developers and security analysts or as building blocks for other tools. We give priority to source-code level techniques, which are better suited for Web3 development and auditing contexts.

TechniqueDeveloper(s)DescriptionSecurity-related Keywords
SlitherTrail of BitsStatic Analysis FrameworkVulnerability Detectors, SlithIR
AderynCyfrinStatic Analysis FrameworkStatic Analyzer, Custom Detectors, Markdown Reports
FoundryParadigmDevelopment ToolchainFuzzing, Stateful Fuzzing (Invariant Testing), Differential Testing
EchidnaTrail of BitsFuzzerFuzzing , Stateful Fuzzing (Invariant Testing), CI/CD
OptikTrail of BitsHybrid Fuzzer (Symbolic Execution + Fuzzing)Fuzzing, Stateful Fuzzing, Symbolic Execution
WokeAckee BlockchainDevelopment ToolchainCross-chain Testing, Invariant Testing, Vulnerability Detectors, IR
4naly3erPicodesStatic ScannerCode4rena Pre-content Testing
ManticoreTrail of BitsSymbolic Execution ToolSymbolic Execution, Property Testing
Halmosa16zSymbolic Bounded Model CheckerSymbolic Execution, Bound Checker
Solidity SMTCheckerEthereum FoundationFormal Verification by Symbolic ExecutionSolidity, Formal Verification, Symbolic Execution
MythrilConsensysSymbolic Execution ToolSymbolic Execution, On-Chain Analysis, Vulnerability Detectors, Taint Analysis
Pyrometer [WIP]NascentSymbolic Execution ToolSymbolic Execution, Abstract Interpretation
greedUCSB SeclabStatic/Symbolic Analysis FrameworkSymbolic Execution, Bound Checker, Static Analyses, Property Testing
ethpwnethpwnDynamic analysis/DebuggingEVM simulations, EVM debugging
<details> <summary>In addition, we curate a catalogue of security utilities applicable to smart contract programming languages beyond Solidity.</summary></br>
TechniqueLanguageDescriptionSecurity-related Keywords
Move ProverMoveFormal Specification and VerificationFormal Verification
</details>

Valuable Resources for Web3 Security

<details> <summary>This section comprises a compilation of resources that pertain to web3 security.</summary></br>
ResourceKeywords
Academic Smart Contract PapersAcademic Paper List
DeFi Hacks Reproduce - FoundryAttack Replication
Smart Contract Security Verification StandardSecurity Checklist
Awesome MythX Smart Contract Security ToolsSecurity Analysis Service
Common Security Properties of Smart ContractsSecurity Compliance Suite
Immunefi PoC TemplatesPoC Templates
Awesome MEV ResourcesMEV Resources
Front-Running Attack Benchmark Construction and Vulnerability Detection Technique EvaluationFront-Running Dataset
Ultimate DeFi & Blockchain Research BaseBlockchain Security All-in-One
Common Fork BugsExploit Dataset
</details>

Contributing

We welcome all types of contributions to our project, including but not limited to:

Further details can be found in our contribution guidelines.

Cite

If you are using our dataset for an academic publication, we would really appreciate a citation to the following work:

@inproceedings{DBLP:conf/icse/ZhangZXL23,
  author       = {Zhuo Zhang and
                  Brian Zhang and
                  Wen Xu and
                  Zhiqiang Lin},
  title        = {Demystifying Exploitable Bugs in Smart Contracts},
  booktitle    = {{ICSE}},
  pages        = {615--627},
  publisher    = {{IEEE}},
  year         = {2023}
}

Clarification

Please refer to our classification documentation.

Acknowledgments

We would like to extend our sincere thanks to code4rena for making this valuable information publicly available.

<details> <summary>Our appreciation also goes out to the following contributors for their valuable input.</summary></br> </details>