Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts

Yuzhou FANG; Daoyuan WU; Xiao YI; Shuai WANG; Yufan CHEN; Mengjie CHEN; Yang LIU; Lingxiao JIANG

doi:10.1145/3597926.3598125

Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts

Yuzhou FANG, Daoyuan WU^*, Xiao YI, Shuai WANG^*, Yufan CHEN, Mengjie CHEN, Yang LIU, Lingxiao JIANG

^*Corresponding author for this work

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

14 Citations (Scopus)

Abstract

A smart contract is a piece of application-layer code running on blockchain ledgers and it provides programmatic logic via transaction-based execution of pre-defined functions. Smart contract functions are by default invokable by any party. To safeguard them, the mainstream smart contract language, i.e., Solidity of the popular Ethereum blockchain, proposed a unique language-level keyword called "modifier,"which allows developers to define custom function access control policies beyond the traditional "protected"and "private"modifiers in classic programming languages. In this paper, we aim to conduct a large-scale security analysis of the modifiers used in real-world Ethereum smart contracts. To achieve this, we design and implement a novel smart contract analysis tool called SoMo. Its main objective is to identify insecure modifiers that can be bypassed from one or more unprotected smart contract functions. This is challenging because of the complicated relationship between modifiers and their variables/functions and the ambiguity of attacker-accessible entry functions. To overcome them, we first propose a new structure, the Modifier Dependency Graph (MDG), to connect all the modifier-related control/data flows. Over MDGs, we then model system variables, generate symbolic path constraints, and iteratively test each candidate entry function. Our extensive evaluation shows that SoMo outperforms the state-of-the-art SPCon tool by detecting all its true positives and correctly avoiding 9 out of 11 false positives. It also achieves high precision of 91.2% when analyzing a large dataset of 62,464 contracts, over 400 of which were identified with bypassable modifiers. Our analysis further reveals three interesting security findings about modifiers and nine major types of modifier usage in the wild. SoMo has been integrated into an online security scanning service, MetaScan.

Original language	English
Title of host publication	ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
Editors	René JUST, Gordon FRASER
Publisher	Association for Computing Machinery, Inc
Pages	1157-1168
Number of pages	12
ISBN (Electronic)	9798400702211
DOIs	https://doi.org/10.1145/3597926.3598125
Publication status	Published - 13 Jul 2023
Externally published	Yes
Event	32nd ACM SIGSOFT International Symposium on Software Testing and Analysis - Seattle, United States Duration: 17 Jul 2023 → 21 Jul 2023

Conference

Conference	32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
Abbreviated title	ISSTA 2023
Country/Territory	United States
City	Seattle
Period	17/07/23 → 21/07/23

Bibliographical note

Acknowledgements:
We thank all the reviewers for their detailed and constructive comments. We thank Yue Xue of MetaTrust Labs for helping integrate SoMo into MetaScan.

Publisher Copyright:
© 2023 ACM.

Funding

This work was partially supported by a direct grant (ref. no. 4055127) and a TDLEG grant (ref. no. 4170890) from The Chinese University of Hong Kong, and the Cyber Security Agency under its National Cybersecurity R&D Programme (NCRP25-P04-TAICeN). The HKUST authors were supported in part by RGC RMGS under the contract RMGS22EG02.

Keywords

Smart Contract Security
Taint Analysis
Access Control
Modifiers

Access to Document

10.1145/3597926.3598125

Cite this

FANG, Y., WU, D., YI, X., WANG, S., CHEN, Y., CHEN, M., LIU, Y., & JIANG, L. (2023). Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts. In R. JUST, & G. FRASER (Eds.), ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis (pp. 1157-1168). Association for Computing Machinery, Inc. https://doi.org/10.1145/3597926.3598125

FANG, Yuzhou ; WU, Daoyuan ; YI, Xiao et al. / Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts. ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. editor / René JUST ; Gordon FRASER. Association for Computing Machinery, Inc, 2023. pp. 1157-1168

@inproceedings{87a05105017b42cbbcae43afdd63ce08,

title = "Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts",

abstract = "A smart contract is a piece of application-layer code running on blockchain ledgers and it provides programmatic logic via transaction-based execution of pre-defined functions. Smart contract functions are by default invokable by any party. To safeguard them, the mainstream smart contract language, i.e., Solidity of the popular Ethereum blockchain, proposed a unique language-level keyword called {"}modifier,{"}which allows developers to define custom function access control policies beyond the traditional {"}protected{"}and {"}private{"}modifiers in classic programming languages. In this paper, we aim to conduct a large-scale security analysis of the modifiers used in real-world Ethereum smart contracts. To achieve this, we design and implement a novel smart contract analysis tool called SoMo. Its main objective is to identify insecure modifiers that can be bypassed from one or more unprotected smart contract functions. This is challenging because of the complicated relationship between modifiers and their variables/functions and the ambiguity of attacker-accessible entry functions. To overcome them, we first propose a new structure, the Modifier Dependency Graph (MDG), to connect all the modifier-related control/data flows. Over MDGs, we then model system variables, generate symbolic path constraints, and iteratively test each candidate entry function. Our extensive evaluation shows that SoMo outperforms the state-of-the-art SPCon tool by detecting all its true positives and correctly avoiding 9 out of 11 false positives. It also achieves high precision of 91.2\% when analyzing a large dataset of 62,464 contracts, over 400 of which were identified with bypassable modifiers. Our analysis further reveals three interesting security findings about modifiers and nine major types of modifier usage in the wild. SoMo has been integrated into an online security scanning service, MetaScan.",

keywords = "Smart Contract Security, Taint Analysis, Access Control, Modifiers",

author = "Yuzhou FANG and Daoyuan WU and Xiao YI and Shuai WANG and Yufan CHEN and Mengjie CHEN and Yang LIU and Lingxiao JIANG",

note = "Acknowledgements: We thank all the reviewers for their detailed and constructive comments. We thank Yue Xue of MetaTrust Labs for helping integrate SoMo into MetaScan. Publisher Copyright: {\textcopyright} 2023 ACM.; 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023 ; Conference date: 17-07-2023 Through 21-07-2023",

year = "2023",

month = jul,

day = "13",

doi = "10.1145/3597926.3598125",

language = "English",

pages = "1157--1168",

editor = "Ren{\'e} JUST and Gordon FRASER",

booktitle = "ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis",

publisher = "Association for Computing Machinery, Inc",

}

FANG, Y, WU, D, YI, X, WANG, S, CHEN, Y, CHEN, M, LIU, Y & JIANG, L 2023, Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts. in R JUST & G FRASER (eds), ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. Association for Computing Machinery, Inc, pp. 1157-1168, 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, Seattle, United States, 17/07/23. https://doi.org/10.1145/3597926.3598125

Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts. / FANG, Yuzhou; WU, Daoyuan; YI, Xiao et al.
ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. ed. / René JUST; Gordon FRASER. Association for Computing Machinery, Inc, 2023. p. 1157-1168.

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

TY - GEN

T1 - Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts

AU - FANG, Yuzhou

AU - WU, Daoyuan

AU - YI, Xiao

AU - WANG, Shuai

AU - CHEN, Yufan

AU - CHEN, Mengjie

AU - LIU, Yang

AU - JIANG, Lingxiao

N1 - Acknowledgements: We thank all the reviewers for their detailed and constructive comments. We thank Yue Xue of MetaTrust Labs for helping integrate SoMo into MetaScan. Publisher Copyright: © 2023 ACM.

PY - 2023/7/13

Y1 - 2023/7/13

N2 - A smart contract is a piece of application-layer code running on blockchain ledgers and it provides programmatic logic via transaction-based execution of pre-defined functions. Smart contract functions are by default invokable by any party. To safeguard them, the mainstream smart contract language, i.e., Solidity of the popular Ethereum blockchain, proposed a unique language-level keyword called "modifier,"which allows developers to define custom function access control policies beyond the traditional "protected"and "private"modifiers in classic programming languages. In this paper, we aim to conduct a large-scale security analysis of the modifiers used in real-world Ethereum smart contracts. To achieve this, we design and implement a novel smart contract analysis tool called SoMo. Its main objective is to identify insecure modifiers that can be bypassed from one or more unprotected smart contract functions. This is challenging because of the complicated relationship between modifiers and their variables/functions and the ambiguity of attacker-accessible entry functions. To overcome them, we first propose a new structure, the Modifier Dependency Graph (MDG), to connect all the modifier-related control/data flows. Over MDGs, we then model system variables, generate symbolic path constraints, and iteratively test each candidate entry function. Our extensive evaluation shows that SoMo outperforms the state-of-the-art SPCon tool by detecting all its true positives and correctly avoiding 9 out of 11 false positives. It also achieves high precision of 91.2% when analyzing a large dataset of 62,464 contracts, over 400 of which were identified with bypassable modifiers. Our analysis further reveals three interesting security findings about modifiers and nine major types of modifier usage in the wild. SoMo has been integrated into an online security scanning service, MetaScan.

AB - A smart contract is a piece of application-layer code running on blockchain ledgers and it provides programmatic logic via transaction-based execution of pre-defined functions. Smart contract functions are by default invokable by any party. To safeguard them, the mainstream smart contract language, i.e., Solidity of the popular Ethereum blockchain, proposed a unique language-level keyword called "modifier,"which allows developers to define custom function access control policies beyond the traditional "protected"and "private"modifiers in classic programming languages. In this paper, we aim to conduct a large-scale security analysis of the modifiers used in real-world Ethereum smart contracts. To achieve this, we design and implement a novel smart contract analysis tool called SoMo. Its main objective is to identify insecure modifiers that can be bypassed from one or more unprotected smart contract functions. This is challenging because of the complicated relationship between modifiers and their variables/functions and the ambiguity of attacker-accessible entry functions. To overcome them, we first propose a new structure, the Modifier Dependency Graph (MDG), to connect all the modifier-related control/data flows. Over MDGs, we then model system variables, generate symbolic path constraints, and iteratively test each candidate entry function. Our extensive evaluation shows that SoMo outperforms the state-of-the-art SPCon tool by detecting all its true positives and correctly avoiding 9 out of 11 false positives. It also achieves high precision of 91.2% when analyzing a large dataset of 62,464 contracts, over 400 of which were identified with bypassable modifiers. Our analysis further reveals three interesting security findings about modifiers and nine major types of modifier usage in the wild. SoMo has been integrated into an online security scanning service, MetaScan.

KW - Smart Contract Security

KW - Taint Analysis

KW - Access Control

KW - Modifiers

UR - https://www.scopus.com/pages/publications/85167681699

U2 - 10.1145/3597926.3598125

DO - 10.1145/3597926.3598125

M3 - Conference paper (refereed)

AN - SCOPUS:85167681699

SP - 1157

EP - 1168

BT - ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis

A2 - JUST, René

A2 - FRASER, Gordon

PB - Association for Computing Machinery, Inc

T2 - 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis

Y2 - 17 July 2023 through 21 July 2023

ER -

FANG Y, WU D, YI X, WANG S, CHEN Y, CHEN M et al. Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts. In JUST R, FRASER G, editors, ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. Association for Computing Machinery, Inc. 2023. p. 1157-1168 doi: 10.1145/3597926.3598125

Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts

Abstract

Conference

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this