Papers
Topics
Authors
Recent
Search
2000 character limit reached

Characterizing Ethereum Upgradable Smart Contracts and Their Security Implications

Published 2 Mar 2024 in cs.CR and cs.CE | (2403.01290v1)

Abstract: Upgradeable smart contracts (USCs) have been widely adopted to enable modifying deployed smart contracts. While USCs bring great flexibility to developers, improper usage might introduce new security issues, potentially allowing attackers to hijack USCs and their users. In this paper, we conduct a large-scale measurement study to characterize USCs and their security implications in the wild. We summarize six commonly used USC patterns and develop a tool, USCDetector, to identify USCs without needing source code. Particularly, USCDetector collects various information such as bytecode and transaction information to construct upgrade chains for USCs and disclose potentially vulnerable ones. We evaluate USCDetector using verified smart contracts (i.e., with source code) as ground truth and show that USCDetector can achieve high accuracy with a precision of 96.26%. We then use USCDetector to conduct a large-scale study on Ethereum, covering a total of 60,251,064 smart contracts. USCDetecor constructs 10,218 upgrade chains and discloses multiple real-world USCs with potential security issues.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (90)
  1. 2022. A Real-World UUPS USC Was Destroyed by Delegating a Call to a Pre-defined Destroy Function. https://etherscan.io/address/0xa0e377d9cb4fcc014b634d74de07a428d3896eff
  2. Abi-decoder. 2018. Abi-decode-functions. https://www.npmjs.com/package/abi-decode-functions
  3. Solidity Academy. 2023. Demystifying the Factory Pattern in Solidity: Efficient Contract Deployment with Factory Pattern. https://medium.com/@solidity101/demystifying-the-factory-pattern-in-solidity-efficient-contract-deployment-with-factory-pattern-e233ea6d1ec0
  4. Specification is Law: Safe Creation and Upgrade of Ethereum Smart Contracts. In International Conference on Software Engineering and Formal Methods.
  5. Patterns for Blockchain Data Migration. In Proceedings of the European Conference on Pattern Languages of Programs 2020.
  6. Gabriel Barros. 2019. Universal Upgradeable Proxy Standard (UUPS). https://eips.ethereum.org/EIPS/eip-1822
  7. Michael Blau. 2022. A Tool for Detecting Metamorphic Smart Contracts. https://a16zcrypto.com/posts/article/metamorphic-smart-contract-detector-tool/
  8. Proxy Hunting: Understanding and Characterizing Proxy-Based Upgradeable Smart Contracts in Blockchains. In 32nd USENIX Security Symposium.
  9. Sailfish: Vetting Smart Contract State-Inconsistency Bugs in Seconds. In 2022 IEEE Symposium on Security and Privacy.
  10. Vitalik Buterin. 2018. Skinny CREATE2. https://eips.ethereum.org/EIPS/eip-1014
  11. Etherscan Information Center. 2023. Token Migration. https://info.etherscan.com/token-migration/
  12. ChainList. 2023. Ethereum Mainnet RPC and Chain Settings — Chainlist. https://chainlist.org/chain/1
  13. Jiachi Chen. 2020. Finding Ethereum Smart Contracts Security Issues by Comparing History Versions. In Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering.
  14. Defectchecker: Automated Smart Contract Defect Detection by Analyzing EVM Bytecode. IEEE Transactions on Software Engineering (2021).
  15. SigRec: Automatic Recovery of Function Signatures in Smart Contracts. IEEE Transactions on Software Engineering (2021).
  16. Smartian: Enhancing Smart Contract Fuzzing with Static and Dynamic Data-Flow Analyses. In 2021 36th IEEE/ACM International Conference on Automated Software Engineering.
  17. Google Cloud. 2018. Ethereum in BigQuery: A Public Dataset for Smart Contract Analytics. https://cloud.google.com/blog/products/data-analytics/ethereum-bigquery-public-dataset-smart-contract-analytics
  18. Google Cloud. 2023. Bigquery. https://console.cloud.google.com/bigquery?ws=!1m4!1m3!3m2!1sbigquery-public-data!2scrypto_ethereum
  19. CoinMarketCap. 2023. Cryptocurrency Prices, Charts and Market Capitalizations. https://coinmarketcap.com/
  20. ConsenSys. 2023. Mythril: Security analysis tool for EVM bytecode. https://github.com/ConsenSys/mythril/
  21. CoreLibrary. 2021. CoreLibrary. https://etherscan.io/address/0x57ff2cbf0d1dfd79b497795b2edd3b56f1a30397
  22. Understanding Security Issues in the NFT Ecosystem. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security.
  23. Ethereum Signature Database. 2023. Ethereum Signature Database. https://www.4byte.directory/
  24. Decentraland. 2023. Decentraland. https://decentraland.org/
  25. Panoramix decompiler. 2023. Panoramix Decompiler. https://oko.palkeo.com/
  26. Ethereum Docs. 2023a. Anatomy of Smart Contracts. https://ethereum.org/en/developers/docs/smart-contracts/anatomy/
  27. Ethereum Docs. 2023b. ERC-20 Token Standard. https://ethereum.org/en/developers/docs/standards/tokens/erc-20/
  28. Ethereum Docs. 2023c. Ethereum Accounts. https://ethereum.org/en/developers/docs/accounts/
  29. Ethereum Docs. 2023d. Ethereum Virtual Machine. https://ethereum.org/en/developers/docs/evm/
  30. Ethereum Docs. 2023e. Introduction to Dapps. https://ethereum.org/en/developers/docs/dapps/
  31. Ethereum Docs. 2023f. Upgrading Smart Contracts. https://ethereum.org/en/developers/docs/smart-contracts/upgrading/
  32. Solidity Docs. 2023g. List of Known Bugs. https://docs.soliditylang.org/en/latest/bugs.html
  33. Towards Automated Safety Vetting of Smart Contracts in Decentralized Applications. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security.
  34. Ethereum. 2023. Decentralized Exchanges (DEXs). https://ethereum.org/en/get-eth/#dex
  35. Etherscan. 2023a. Etherscan Contracts API. https://docs.etherscan.io/api-endpoints/contracts
  36. Etherscan. 2023b. Etherscan (ETH) Blockchain Explorer. https://etherscan.io/
  37. ETHMail. 2023. Email Services for Ethereum Community. https://ethmail.cc/
  38. Blockchain ETL. 2023. Ethereum-Etl. https://github.com/blockchain-etl/ethereum-etl
  39. Elysium: Context-Aware Bytecode-Level Patching to Automatically Heal Vulnerable Smart Contracts. In Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses.
  40. Safe Ecosystem Foundation. 2023. ModuleManager. https://github.com/safe-global/safe-contracts/blob/v1.4.1/contracts/base/ModuleManager.sol
  41. ETHBMC: A Bounded Model Checker for Smart Contracts. In 29th USENIX Security Symposium.
  42. Michael Fröwis and Rainer Böhme. 2022. Not All Code Are Create2 Equal. In 6th Workshop on Trusted Smart Contracts.
  43. MadMax: Surviving Out-of-Gas Conditions in Ethereum Smart Contracts. Proceedings of the ACM on Programming Languages (2018).
  44. Online Detection of Effectively Callback Free Objects with Applications to Smart Contracts. Proceedings of the ACM on Programming Languages (2017).
  45. Ethereum History. 2019. Constantinople. https://ethereum.org/en/history/#constantinople
  46. Ethereum input-data decoder. 2022. Ethereum-input-data-decoder. https://www.npmjs.com/package/ethereum-input-data-decoder
  47. Iosiro. 2021. Perma-Brick UUPS Proxies with This One Trick. https://www.iosiro.com/blog/openzeppelin-uups-proxy-vulnerability-disclosure
  48. Contractfuzzer: Fuzzing Smart Contracts for Vulnerability Detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering.
  49. Josselinfeist. 2018. Contract Upgrade Anti-Patterns. https://blog.trailofbits.com/2018/09/05/contract-upgrade-anti-patterns
  50. Johannes Krupp and Christian Rossow. 2018. TEEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts. In 27th USENIX Security Symposium.
  51. Reguard: Finding Reentrancy Bugs in Smart Contracts. In Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings.
  52. Making Smart Contracts Smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security.
  53. Sajad Meisami and William Edward Bodell III. 2023. A Comprehensive Survey of Upgradeable Smart Contract Patterns. arXiv preprint arXiv:2304.03405 (2023).
  54. Nick Mudge. 2018. Transparent Contract Standard. https://eips.ethereum.org/EIPS/eip-1538
  55. Nick Mudge. 2020a. Diamonds, Multi-Facet Proxy. https://eips.ethereum.org/EIPS/eip-2535
  56. Nick Mudge. 2020b. Proxy Storage Slots. https://eips.ethereum.org/EIPS/eip-1967
  57. MVHQ. 2022. A Proxy-Based USC Upgrades Four Times in a Row. https://etherscan.io/txs?a=0x2809a8737477a534df65c4b4cae43d0365e52035&p=36
  58. sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts. In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering.
  59. Finding the Greedy, Prodigal, and Suicidal Contracts at Scale. In Proceedings of the 34th Annual Computer Security Applications Conference.
  60. Openchain. 2023. Transaction Tracer. https://openchain.xyz/trace
  61. OpenSea. 2018. WyvernProxyRegistry. https://etherscan.io/address/0xa5409ec958c83c3f309868babaca7c86dcb077c1
  62. OpenSea. 2023. OpenSea. https://opensea.io/
  63. OpenZeppelin. 2021. UUPSUpgradeable Vulnerability in OpenZeppelin Contracts. https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-q4h9-46xg-m3x9
  64. OpenZeppelin. 2023a. Openzeppelin Contracts Upgradeable. https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
  65. OpenZeppelin. 2023b. OwnableUpgradeable. https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/access/OwnableUpgradeable.sol
  66. OpenZeppelin. 2023c. UUPSUpgradeable. https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/proxy/utils/UUPSUpgradeable.sol
  67. Martin Ortner and Shayan Eskandari. 2023. Smart Contract Sanctuary. (2023). https://github.com/tintinweb/smart-contract-sanctuary
  68. OwnableDelegateProxy. 2018. OwnableDelegateProxy. https://etherscan.io/address/0x9b9c9daea6d5bf242fb1885b57d99a5a74433176
  69. Santiago Palladino. 2020. The State of Smart Contract Upgrades. https://blog.openzeppelin.com/the-state-of-smart-contract-upgrades
  70. Verx: Safety Verification of Smart Contracts. In 2020 IEEE Symposium on Security and Privacy.
  71. Quantifying Blockchain Extractable Value: How Dark Is the Forest?. In 2022 IEEE Symposium on Security and Privacy.
  72. Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks. In 26th Annual Network and Distributed System Security Symposium.
  73. EVMPatch: Timely and Automated Patching of Ethereum Smart Contracts. In 30th USENIX Security Symposium.
  74. A Bytecode-Based Approach for Smart Contract Classification. In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering.
  75. VeriSmart: A Highly Precise Safety Verifier for Ethereum Smart Contracts. In 2020 IEEE Symposium on Security and Privacy.
  76. Solidity. 2023. Solidity Programming Language. https://soliditylang.org/
  77. SmartPulse: Automated Checking of Temporal Properties in Smart Contracts. In 2021 IEEE Symposium on Security and Privacy.
  78. Smartcheck: Static Analysis of Ethereum Smart Contracts. In Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain.
  79. Confuzzius: A Data Dependency-Aware Hybrid Fuzzer for Smart Contracts. In 2021 IEEE European Symposium on Security and Privacy.
  80. Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts. In Proceedings of the 34th Annual Computer Security Applications Conference.
  81. Truffle. 2018. Truffle-code-utils. https://www.npmjs.com/package/truffle-code-utils
  82. Uniswap. 2020. Introducing Token Lists. https://blog.uniswap.org/token-lists
  83. Uniswap. 2023. Uniswap. https://uniswap.org/
  84. Fabian Vogelsteller. 2015. Token Standard. https://eips.ethereum.org/EIPS/eip-20
  85. Detecting Nondeterministic Payment Bugs in Ethereum Smart Contracts. Proceedings of the ACM on Programming Languages.
  86. Web3. 2023. getCode. https://web3js.readthedocs.io/en/v1.2.11/web3-eth.html#getcode
  87. Cross-Contract Static Analysis for Detecting Practical Reentrancy Vulnerabilities in Smart Contracts. In Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering.
  88. xFuzz: Machine Learning Guided Cross-Contract Fuzzing. IEEE Transactions on Dependable and Secure Computing (2022).
  89. YAcademy. 2022. Security Guide to Proxies. https://proxies.yacademy.dev/pages/security-guide/
  90. Smartshield: Automatic Smart Contract Protection Made Easy. In 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering.
Citations (4)
View on Semantic Scholar

Summary

No one has generated a summary of this paper yet.

Sign Up to Summarize

Paper to Video (Beta)

No one has generated a video about this paper yet.

Sign Up to Generate All Videos Subscribe on YouTube

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Sign Up to Generate

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Generate Now

Continue Learning

We haven't generated follow-up questions for this paper yet.

Generate Now

Collections

Sign up for free to add this paper to one or more collections.

Sign Up