Security News > 2022 > January > SAILFISH System to Find State-Inconsistency Bugs in Smart Contracts

A group of academics from the University of California, Santa Barbara, has demonstrated what it calls a "Scalable technique" to vet smart contracts and mitigate state-inconsistency bugs, discovering 47 zero-day vulnerabilities on the Ethereum blockchain in the process.

Smart contracts are programs stored on the blockchain that are automatically executed when predetermined conditions are met based on the encoded terms of the agreement.

"Since smart contracts are not easily upgradable, auditing the contract's source pre-deployment, and deploying a bug-free contract is even more important than in the case of traditional software," the researchers detailed in a paper.

Enter Sailfish, which aims to catch state inconsistency vulnerabilities in smart contracts that allow an attacker to tamper with the execution order of the transactions or take over the control flow within a single transaction.

Given a smart contract, Sailfish converts the contract into a dependency graph, which captures the control and data flow relations between the storage variables and the state-changing instructions of a smart contract, using it identify potential flaws by defining hazardous access, which are implemented as graph queries to determine whether two different execution paths, at least one being a write operation, operate on the same storage variable.

In September 2020, Chinese researchers designed a framework for categorizing known weaknesses in smart contracts with the goal of providing a detection criterion for each of the bugs.

News URL

https://thehackernews.com/2022/01/sailfish-system-to-find-state.html