Automated Formal Verification of Smart Contracts Florian Hubert - - PowerPoint PPT Presentation

▶

Oct 16, 2022 20 likes •180 views

Automated Formal Verification of Smart Contracts Florian Hubert Dana Drachsler- Andrei Arthur Quentin Petar Martin Buenzli Ritzdorf Cohen Dan Gervais Hibon Tsankov Vechev Growth of the Ethereum Ecosystem $27B Billions of USD are

SLIDE 1

Automated Formal Verification of Smart Contracts

Florian Buenzli Dana Drachsler- Cohen Andrei Dan Arthur Gervais Hubert Ritzdorf Petar Tsankov Martin Vechev Quentin Hibon

SLIDE 2

Growth of the Ethereum Ecosystem

$1B $27B $50M Oct 2015 Jul 2016 Aug 2017

Billions of USD are traded by Ethereum smart contracts

Emerging businesses are built on top of Ethereum smart contracts

SLIDE 3

Smart Contract Secu curi rity ty Bugs in the News

SLIDE 4

What are Ethereum Smart Contracts?

§ Small programs that handle money (ether) § Executed on the Ethereum blockchain § Written in high-level languages (e.g., Solidity) § No patching after release

contract Wallet { uint balance = 10; function withdraw(){ if(balance > 0) msg.sender.call.value(balance)(); balance = 0; } }

What can go wrong when programs handle billions of USD?

Transfer $$$ to the caller

SLIDE 5

Security Bugs in Ethereum Smart Contracts

SLIDE 6

uint balance = 10; function withdraw() { if(balance > 0) msg.sender.call.value(balance)(); balance = 0; } function moveBalance() { wallet.withdraw(); } ...

Security Bug #1: Reentrancy

Wallet Contract User Contract calls withdraw() before balance is set to 0 balance is set to 0 after ether transfer

An attacker used this bug to steal 3.6M ether (equivalent of $1B today)

function () payable { wallet.withdraw(); }

withdraw() 10 ether withdraw() 10 ether

...

SLIDE 7

Security Bug #2: Un Unpriv rivile ileged wr write e to storage

address owner = ...; function initWallet(address _owner) {

wner = _owner;

} function withdraw(uint amount) { if (msg.sender == owner) {

wner.send(amount);

} }

Wallet Contract Any user may change the wallet’s owner Only owner can send ether

An attacker used a similar bug to steal $32M few weeks ago

SLIDE 8

More Security Bugs…

Transaction reordering Reentrant method calls (e.g., DAO bug) Insecure coding, such as unprivileged writes (e.g., Multisig Parity bug) Unexpected ether flows Use of unsafe inputs (e.g., reflection, hashing, …)

SLIDE 9

Au Automated Security An Analysis

SLIDE 10

Automated Security Analysis: Existing Solutions

All possible contract behaviors Security Bugs

Problem: Cannot enumerate all possible contract behaviors…

SLIDE 11

Automated Security Analysis: Existing Solutions

§ Testing § Dynamic analysis § Symbolic execution § Static analysis § Formal verification

Very limited guarantees Better than testing, but can still miss vulnerabilities Strong guarantees

SLIDE 12

Very limited guarantees Better than testing, but can still miss vulnerabilities Strong guarantees

Automated Security Analysis: Existing Solutions

§ Testing § Dynamic analysis § Symbolic execution § Static analysis § Formal verification

Existing Solutions

Automated Strong Guarantees Oyente ITP-based

SLIDE 13

The first fully automated, one-click, formal verification system for Ethereum smart contracts Provides trust towards both contract users and developers

www.securify.ch

SLIDE 14

Demo

SLIDE 15

www.securify.ch

Released last month, so far:

95% positive feedback >150 users signed up for updates >1K uploaded smart contracts

Interesting discussions on Reddit

SLIDE 16

Join us!

Cha ChainSecur curity ty

Cutting-edge research in the area of:

§ Program analysis and synthesis § Machine learning § Blockchain / network security http://www.srl.inf.ethz.ch http://jsnice.org http://apk-deguard.com http://securify.ch http://psisolver.org http://eventracer.org

Enabling Trust in Blockchains

contact@chainsecurity.com @chain_security

Join our team of security / blockchain / program analysis experts