Figure - available from: Journal of Cloud Computing
Reentrancy, Timestamp, Integer Overflow and Integer Underflow vulnerabilities Detection Accuracy and Loss Curve
Source publication
With the widespread use of blockchain, more and more smart contracts are being deployed, and their internal logic is getting more and more sophisticated. Due to the large false positive rate and low detection accuracy of most current detection methods, which heavily rely on already established detection criteria, certain smart contracts additionall...
Similar publications
The detection of vulnerabilities in smart contracts remains a significant challenge. While numerous tools are available for analyzing smart contracts in source code, only about 1.79% of smart contracts on Ethereum are open-source. For existing tools that target bytecodes, most of them only consider the semantic logic context and disregard function...
Decentralized Exchanges (DEXs), leveraging blockchain technology and smart contracts, have emerged in decentralized finance. However, the DEX project with multi-contract interaction is accompanied by complex state logic, which makes it challenging to solve state defects. In this paper, we conduct the first systematic study on state derailment defec...
With the continuous advancement of blockchain technology, smart contracts have found widespread application across various domains. However, their security vulnerabilities have increasingly attracted attention. To overcome the limitations present in current detection methods, particularly in terms of semantic representation and structural comprehen...
Citations
... There are already several examples of defect detection in AI-based smart contracts,rocessing (NLP) and machine learning algorithms to perform static analysis and vulnerability detection on smart contract code [2], identifying potential security risks and providing improvement suggestions, offering reliable security assurance for blockchain developers; [31] Li Tao and others proposed a public audit of smart contracts based on game theory; Chuang Ma proposed HGAT, [28] a hierarchical graph attention network-based detection model. Internationally, the Harvard University Blockchain Security Laboratory has developed a static analysis tool for smart contracts using artificial intelligence technology, which can automatically detect vulnerabilities and security risks in smart contracts; and Anzhelika Mezina [29] and others proposed a method combining binary classification and multiclassification to detect vulnerability in smart contracts in their paper. ...
In the research experiment of this article, our research work is divided into several stages. Firstly, we collected a large number of smart contract codes and classified them, identifying several common defects, including Risky Mutable Proxy, ERC-721 Reentrancy, Unlimited Mining, Missing Requirements, and Public Burns. Secondly, we used Python to process the smart contracts. On the one hand, we modified the file names, and on the other hand, we batched the process of the content for analysis and application. Next, we built a model of the decision tree. Firstly, we carried out the feature extraction. We selected the algorithm and divided the data. After comparing and processing, we chose the CART classification tree to process. By Gini coefficient, we analyzed and sorted the data, and got the initial model of the decision tree. Then, we introduced the random forest model on the basis of the decision tree. From abstracting the same amount of samples to selecting features randomly. From adjusting and optimizing parameters to completing the construction of the forest model. Finally, we compared and analyzed the decision tree, random forest, and self-built model in the paper and drew general conclusions.
... Table V, models from the reviewed studies will be mapped to each NIST CSF 2.0 function and grouped by its process. [20], BSMD [11] Identify GPTScan [21], VulnHunt-GPT [10], HGAT [22], BLSTM-ATT [23], Eth2Vec [16], DM [24], SCsVulLyzer [25], SCSVM and SVMLF [26] Protect SolaSim [13], Eclone[27], SMARTSHIELD [28], SCScan [29], S-gram [30], Asparagus [31], SHAP [32], MichelsonLiSA [33], Ethainter [34], VERISMART [35], STV [36], SliSE [37], RA [38], Critical-Path-Coverage [19], SmartAxe [12], NPChecker [17], Trace2Inv [39], CrossFuzz [40] , Pied-piper [15], V-Gas [14], SolGuard [41] Curation Detect SRP [42], CEP [43], SecSEC [44], Dynamit [45] Respond Aroc [46], emergencyStop [47] Recover Tx2TXT [48] (RQ3) Based on NIST CSF 2.0 function mapping in Table V, the models will be presented for each function, along with their evaluations, to illustrate how they enhance the security stance of smart contracts in real-world cases. ...
... The evaluation of VulnHunt-GPT outperformed the existing tools in identifying vulnerabilities most efficiently and precisely within 16 minutes and 28 seconds from 69 vulnerable contracts [10]. [22] utilized graphs in hierarchical relationships to interpret information. HGAT processes the vectorized nodes from the source code and sends their features to the SoftMax layer to predict the result. ...
... HGAT processes the vectorized nodes from the source code and sends their features to the SoftMax layer to predict the result. The performance of the HGAT model resulted in over 83% on the evaluation, which is considered very effective [22]. The efficiency has also been proven by having a 1.04s average detection time [22]. ...
... Ma et al. [14] proposed vulnerability detection on transactions using a hierarchical graph attention network. They utilized the Abstract Syntax Tree (AST) and control flow graph to analyze the smart contract functions. ...
... Thus, it is vital to monitor transaction throughput, typically calculated as the rate at which the blockchain network conducts legitimate transactions during a certain period. The throughput shows the number of transactions completed per second, which is calculated using equation (14) [51]. ...
Pharmaceutical supply chain management (PSCM) aims to alleviate logistical challenges. However, traditional online pharma systems face issues during implementation, particularly regarding transparency and fostering mutual trust among stakeholders. The primary security goals for a supply chain management (SCM) solution are ensuring authentication, confidentiality, data provenance, and auditability. The proposed blockchain-based solution (BPSCM) is implemented in three phases: registration, pharmaceutical product circulation, and secure payment. The registration phase computes the identification number upon the hashed private key along with the Edwards-curve digital signature algorithm (EdDSA) for all the stakeholders. The pharm product circulation phase implements the transactions among the participants by developing smart contracts where cryptographic operators ensure data provenance. The security analysis demonstrates that the framework effectively mitigates impersonation and collusion attacks. Performance metrics, including gas consumption, throughput, latency, and computational cost, were examined and compared to standard PSCM frameworks to evaluate the BPSCM's effectiveness.
... [43] Lightening Cat, uses slither for labeling Code Bert [44] Builds a graph from smart contract code by extracting Node features, Semantic features, and Grammatical features. Uses [45] dataset to evaluate the approach. ...
... This vulnerability can lead to unauthorized users gaining control over the contract and its assets, resulting in significant security risks. Many different names have been given to this, among which Tainted Owner Variable [10], Freeze Account [71] and Vulnerable Access Control [116]. In our classification, the name Self-Destruct underpins a number of vulnerable scenarios that go under different names in the literature. ...
... The authors test their method on two other different datasets, but they do not specify which vulnerability they can detect, as their method is a simple binary classifier. A similar technique is proposed in HGAT [71]. First, using Abstract Syntax Tree (AST) and Control Flow Graph, the functions in the smart contract are abstracted into code graphs (CFG). ...
... The attention mechanism is exploited in many of the proposed methods [12,71,88,111]. Zhang et al. [111] (who are the same group from [110]) propose SPCBIG-EC, an ensemble of models including GRU and CNN, which automatically pick the best detector according to the examined vulnerability thanks to the attention mechanism. Similarly to their other work, they study a hybrid method, and they also design a serial-parallel convolutional layer (SPC) for feature extraction. ...
Smart contracts are central to a myriad of critical blockchain applications, from financial transactions to supply chain management. However, their adoption is hindered by security vulnerabilities that can result in significant financial losses. Most vulnerability detection tools and methods available nowadays leverage either static analysis methods or machine learning. Unfortunately, as valuable as they are, both approaches suffer from limitations that make them only partially effective. In this survey, we analyze the state of the art in machine-learning vulnerability detection for Ethereum smart contracts, by categorizing existing tools and methodologies, evaluating them, and highlighting their limitations. Our critical assessment unveils issues such as restricted vulnerability coverage and dataset construction flaws, providing us with new metrics to overcome the difficulties that restrain a sound comparison of existing solutions. Driven by our findings, we discuss best practices to enhance the accuracy, scope, and efficiency of vulnerability detection in smart contracts. Our guidelines address the known flaws while at the same time opening new avenues for research and development. By shedding light on current challenges and offering novel directions for improvement, we contribute to the advancement of secure smart contract development and blockchain technology as a whole.
... Wang et al. [24], JJ et al. [87], Ma et al. [88], and Huang et al. [89] develop ensemble learning models to detect vulnerabilities in SCs. ContractWard [24] is a model for effectively and efficiently detecting six types of vulnerabilities based on extracted static characteristics. ...
... It can be applied to detect vulnerabilities in SCs written in all high-level languages, such as Solidity, Serpent, and LLL. JJ et al.'s [87] model includes Bagging, AdaBoost, and Gradient Boost classifiers, while the HGAT scheme [88] uses functions based on AST and CFG. The CDRF [89] is a time-saving vulnerability detection method that processes the opcode fragments by word2vec and PCA to obtain one-dimensional binary features. ...
In recent years, emerging trends like smart contracts (SCs) and blockchain have promised to bolster data security. However, SCs deployed on Ethereum are vulnerable to malicious attacks. Adopting machine learning methods is proving to be a satisfactory alternative to conventional vulnerability detection techniques. Nevertheless, most current machine learning techniques depend on sufficient expert knowledge and solely focus on addressing well-known vulnerabilities. This paper puts forward a systematic literature review (SLR) of existing machine learning-based frameworks to address the problem of vulnerability detection. This SLR follows the PRISMA statement, involving a detailed review of 55 papers. In this context, we classify recently published algorithms under three different machine learning perspectives. We explore state-of-the-art machine learning-driven solutions that deal with the class imbalance issue and unknown vulnerabilities. We believe that algorithmic-level approaches have the potential to provide a clear edge over data-level methods in addressing the class imbalance issue. By emphasizing the importance of the positive class and correcting the bias towards the negative class, these approaches offer a unique advantage. This unique feature can improve the efficiency of machine learning-based solutions in identifying various vulnerabilities in SCs. We argue that the detection of unknown vulnerabilities suffers from the absence of a unique definition. Moreover, current frameworks for detecting unknown vulnerabilities are structured to tackle vulnerabilities that exist objectively.
Smart contracts serve as decentralized applications essential for extensive utilization of blockchain technology across various contexts that have transitioned from the blockchain, characterized primarily by digital currency systems that emphasize the financial systems. Blockchain operates as a distributed ledger that securely records transactions using cryptographic techniques to establish a unique, chain‐like data structure managed collectively by miners within the network. However, current methods for analyzing smart contracts often demand substantial processing time and face challenges in accurately detecting vulnerabilities in complex contracts. To address these limitations, this research introduces the Updated Wave search Graph Bidirectional Convolutional Neural Network (UWGBCNN), a novel approach designed to enhance smart contract security. UWGBCNN integrates a multilabel vulnerability classification mechanism, utilizing the Updated Wave Search Algorithm (UWSA) to efficiently analyze and identify patterns in smart contracts by adapting network parameters to detect vulnerabilities with speed and precision. Additionally, feature extraction is enhanced through the Bidirectional Encoder Representations from Transformer (BERT) language model, incorporating supplementary word embedding features. The proposed technique achieves superior performance, reaching a precision of 98.5%, recall of 98.6%, and an F1‐score of 99.6%, surpassing current methods. This approach contributes significantly to blockchain security by minimizing financial risks associated with vulnerabilities in decentralized applications.
Smart contracts on blockchain networks autonomously execute applications based on predefined conditions, making their security critical due to the potential for significant financial losses from vulnerabilities. Current vulnerability detection algorithms commonly rely on expert-defined rules, which are prone to errors and insufficient for identifying complex vulnerability patterns. Given the immutability of smart contracts post-deployment, ensuring security before deployment is essential. This research presents Block-wise Abstract Syntax Tree based Federated Graph Neural Networks (BAST-FeGNN), a novel approach combining block-wise abstract syntax tree and Federated Graph Neural Networks (FeGNN) to detect code clones and multiclass vulnerabilities in Ethereum smart contracts. The BAST-FeGNN method operates in three stages: it first extracts security-related patterns from the base code using an abstract syntax tree; then, it constructs and normalizes a contract graph using FeGNN to capture critical nodes, analyze data and control flows. This integration of graph-based feature extraction with pattern matching allows precise detection of vulnerabilities like access control issues, reentrancy, and unchecked calls, as well as identifying code clones. Finally, the method pools these features for comprehensive vulnerability detection. BAST-FeGNN significantly enhances vulnerability detection accuracy and scalability, outperforming existing models with an accuracy of 95.35%, recall of 95.58%, F1-score of 95.80%, and precision of 96.10%, making it a robust solution for securing blockchain applications.