Detecting Token Systems on Ethereum

  • Michael Fröwis
  • Andreas Fuchs
  • Rainer Böhme
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11598)

Abstract

We propose and compare two approaches to identify smart contracts as token systems by analyzing their public bytecode. The first approach symbolically executes the code in order to detect token systems by their characteristic behavior of updating internal accounts. The second approach serves as a comparison base and exploits the common interface of ERC-20, the most popular token standard. We present quantitative results for the Ethereum blockchain, and validate the effectiveness of both approaches using a set of curated token systems as ground truth. We observe 100% recall for the second approach. Recall rates of 89% (with well explainable missed detections) indicate that the first approach may also be able to identify “hidden” or undocumented token systems that intentionally do not implement the standard. One possible application of the proposed methods is to facilitate regulators’ tasks of monitoring and policing the use of token systems and their underlying platforms.
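The abstract's second approach, recognising a token by its ERC-20 interface, as an added Python example that is not the paper's code: it linearly disassembles a constructed bytecode sample, records which of the six mandatory ERC-20 function selectors the dispatcher compares against, and shows why a plain byte-substring search is not a reliable substitute. The selector constants are the standard ERC-20 values; the dispatcher layout and the sample bytecode are constructed here for illustration.

```python
# Added example, not the paper's code: detect the ERC-20 interface in EVM
# bytecode by collecting the PUSH4 constants a Solidity dispatcher compares
# the 4-byte call selector against. Selectors are hard-coded (well-known
# values) so no keccak library is needed.
ERC20_SELECTORS = {
    "totalSupply()": 0x18160ddd,
    "balanceOf(address)": 0x70a08231,
    "transfer(address,uint256)": 0xa9059cbb,
    "transferFrom(address,address,uint256)": 0x23b872dd,
    "approve(address,uint256)": 0x095ea7b3,
    "allowance(address,address)": 0xdd62ed3e,
}

def push4_immediates(code: bytes) -> set:
    """Linear disassembly that skips PUSHn data, so immediates are never
    misread as opcodes; returns every PUSH4 value found."""
    found, pc = set(), 0
    while pc < len(code):
        op = code[pc]
        pc += 1
        if 0x60 <= op <= 0x7f:                  # PUSH1 .. PUSH32
            n = op - 0x5f
            imm = code[pc:pc + n]
            if n == 4 and len(imm) == 4:
                found.add(int.from_bytes(imm, "big"))
            pc += n
    return found

def erc20_interface(code: bytes) -> dict:
    """Map each ERC-20 signature to whether its selector is dispatched."""
    present = push4_immediates(code)
    return {sig: sel in present for sig, sel in ERC20_SELECTORS.items()}

def looks_like_erc20(code: bytes) -> bool:
    return all(erc20_interface(code).values())

# Constructed sample (not chain data): a Solidity-style dispatcher, i.e.
# PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR, then per selector
# PUSH4 sel DUP2 EQ PUSH2 dest JUMPI, ending in STOP.
def dispatcher(selectors) -> bytes:
    out = bytes.fromhex("60003560e01c")
    for i, sel in enumerate(selectors):
        out += b"\x63" + sel.to_bytes(4, "big") + b"\x81\x14"
        out += b"\x61" + (0x100 + i).to_bytes(2, "big") + b"\x57"
    return out + b"\x00"

FULL_TOKEN = dispatcher(ERC20_SELECTORS.values())
# Two functions dispatched; transfer's selector only occurs as data inside a
# PUSH32 constant, where a naive substring search would miscount it.
PARTIAL = dispatcher([0x18160ddd, 0x70a08231]) + b"\x7f" + b"\x00" * 10 \
    + (0xa9059cbb).to_bytes(4, "big") + b"\x00" * 18
```

Contracts that forward calls through a proxy, or that deliberately avoid the standard interface (the "hidden" tokens the abstract mentions), will not be caught by this check, which is exactly the gap the paper's behaviour-based first approach targets.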

Keywords

  • Smart contract
  • Symbolic execution
  • ERC-20
  • Token systems
  • Ethereum

Notes

Acknowledgments

We like to thank ConsenSys for the work on mythril. This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 740558.

Copyright information

© International Financial Cryptography Association 2019

Authors and Affiliations

  • Michael Fröwis (1)
  • Andreas Fuchs (2)
  • Rainer Böhme (1, 2)

  1. Department of Computer Science, Universität Innsbruck, Innsbruck, Austria
  2. Department of Information Systems, University of Münster, Münster, Germany