ReJection: A AST-Based Reentrancy Vulnerability Detection Method

Rui Ma; Zefeng Jian; Guangyuan Chen; Ke Ma; Yujia Chen

doi:10.1007/978-981-15-3418-8_5

ReJection: A AST-Based Reentrancy Vulnerability Detection Method

Rui Ma, Zefeng Jian, Guangyuan Chen, Ke Ma^*, Yujia Chen

^*Corresponding author for this work

School of Computer Science and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

9 Citations (Scopus)

Abstract

Blockchain is deeply integrated into the vertical industry, and gradually forms an application ecosphere of blockchain in various industries. However, the security incidents of blockchain occur frequently, and especially smart contracts have become the badly-disastered area. So avoiding security incidents caused by smart contracts has become an essential topic for blockchain developing. Up to now, there is not generic method for the security auditing of smart contracts and most researchers have to use existing vulnerability detection technology. To reduce the high false rate of smart contract vulnerability detection, we use ReJection, a detection method based on abstract syntax tree (AST), to focus on the reentrancy vulnerability with obvious harm and features in smart contracts. ReJection consists of four steps. Firstly, ReJection obtains the AST corresponding to the contract by the smart contract compiler solc. Then, AST is preprocessed to eliminate redundant information. Thirdly, ReJection traverses the nodes of the AST and records the notations related to reentrancy vulnerabilities during the traversal, such as Danger-Transfer function, Checks-Effects-Interactions pattern and mutex mechanism. Finally, ReJection uses record information and predefined rules to determine whether the reentrancy vulnerability is occurred. ReJection is implemented based on Slither, which is an open-source smart contract vulnerability detection tool. Furthermore, we also use the open-source smart contract code as the test program to compare experimental results to verify the effects with the ReJection and Slither. The result highlights that the ReJection has higher detection accuracy for reentrancy vulnerability.

Original language	English
Title of host publication	Trusted Computing and Information Security - 13th Chinese Conference, CTCIS 2019, Revised Selected Papers
Editors	Weili Han, Liehuang Zhu, Fei Yan
Publisher	Springer
Pages	58-71
Number of pages	14
ISBN (Print)	9789811534171
DOIs	https://doi.org/10.1007/978-981-15-3418-8_5
Publication status	Published - 2020
Event	13th Chinese Conference on Trusted Computing and Information Security, CTCIS 2019 - Shanghai, China Duration: 24 Oct 2019 → 27 Oct 2019

Publication series

Name	Communications in Computer and Information Science
Volume	1149 CCIS
ISSN (Print)	1865-0929
ISSN (Electronic)	1865-0937

Conference

Conference	13th Chinese Conference on Trusted Computing and Information Security, CTCIS 2019
Country/Territory	China
City	Shanghai
Period	24/10/19 → 27/10/19

Keywords

Abstract syntax tree
Reentrancy vulnerability
Smart contract
Vulnerability detection

Access to Document

10.1007/978-981-15-3418-8_5

Cite this

Ma, R., Jian, Z., Chen, G., Ma, K., & Chen, Y. (2020). ReJection: A AST-Based Reentrancy Vulnerability Detection Method. In W. Han, L. Zhu, & F. Yan (Eds.), Trusted Computing and Information Security - 13th Chinese Conference, CTCIS 2019, Revised Selected Papers (pp. 58-71). (Communications in Computer and Information Science; Vol. 1149 CCIS). Springer. https://doi.org/10.1007/978-981-15-3418-8_5

@inproceedings{e3714a3b32d246f0b781dd55b7d6eec7,

title = "ReJection: A AST-Based Reentrancy Vulnerability Detection Method",

abstract = "Blockchain is deeply integrated into the vertical industry, and gradually forms an application ecosphere of blockchain in various industries. However, the security incidents of blockchain occur frequently, and especially smart contracts have become the badly-disastered area. So avoiding security incidents caused by smart contracts has become an essential topic for blockchain developing. Up to now, there is not generic method for the security auditing of smart contracts and most researchers have to use existing vulnerability detection technology. To reduce the high false rate of smart contract vulnerability detection, we use ReJection, a detection method based on abstract syntax tree (AST), to focus on the reentrancy vulnerability with obvious harm and features in smart contracts. ReJection consists of four steps. Firstly, ReJection obtains the AST corresponding to the contract by the smart contract compiler solc. Then, AST is preprocessed to eliminate redundant information. Thirdly, ReJection traverses the nodes of the AST and records the notations related to reentrancy vulnerabilities during the traversal, such as Danger-Transfer function, Checks-Effects-Interactions pattern and mutex mechanism. Finally, ReJection uses record information and predefined rules to determine whether the reentrancy vulnerability is occurred. ReJection is implemented based on Slither, which is an open-source smart contract vulnerability detection tool. Furthermore, we also use the open-source smart contract code as the test program to compare experimental results to verify the effects with the ReJection and Slither. The result highlights that the ReJection has higher detection accuracy for reentrancy vulnerability.",

keywords = "Abstract syntax tree, Reentrancy vulnerability, Smart contract, Vulnerability detection",

author = "Rui Ma and Zefeng Jian and Guangyuan Chen and Ke Ma and Yujia Chen",

note = "Publisher Copyright: {\textcopyright} Springer Nature Singapore Pte Ltd 2020.; 13th Chinese Conference on Trusted Computing and Information Security, CTCIS 2019 ; Conference date: 24-10-2019 Through 27-10-2019",

year = "2020",

doi = "10.1007/978-981-15-3418-8_5",

language = "English",

isbn = "9789811534171",

series = "Communications in Computer and Information Science",

publisher = "Springer",

pages = "58--71",

editor = "Weili Han and Liehuang Zhu and Fei Yan",

booktitle = "Trusted Computing and Information Security - 13th Chinese Conference, CTCIS 2019, Revised Selected Papers",

address = "Germany",

}

Ma, R, Jian, Z, Chen, G, Ma, K & Chen, Y 2020, ReJection: A AST-Based Reentrancy Vulnerability Detection Method. in W Han, L Zhu & F Yan (eds), Trusted Computing and Information Security - 13th Chinese Conference, CTCIS 2019, Revised Selected Papers. Communications in Computer and Information Science, vol. 1149 CCIS, Springer, pp. 58-71, 13th Chinese Conference on Trusted Computing and Information Security, CTCIS 2019, Shanghai, China, 24/10/19. https://doi.org/10.1007/978-981-15-3418-8_5

ReJection: A AST-Based Reentrancy Vulnerability Detection Method. / Ma, Rui; Jian, Zefeng; Chen, Guangyuan et al.
Trusted Computing and Information Security - 13th Chinese Conference, CTCIS 2019, Revised Selected Papers. ed. / Weili Han; Liehuang Zhu; Fei Yan. Springer, 2020. p. 58-71 (Communications in Computer and Information Science; Vol. 1149 CCIS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - ReJection

T2 - 13th Chinese Conference on Trusted Computing and Information Security, CTCIS 2019

AU - Ma, Rui

AU - Jian, Zefeng

AU - Chen, Guangyuan

AU - Ma, Ke

AU - Chen, Yujia

N1 - Publisher Copyright: © Springer Nature Singapore Pte Ltd 2020.

PY - 2020

Y1 - 2020

N2 - Blockchain is deeply integrated into the vertical industry, and gradually forms an application ecosphere of blockchain in various industries. However, the security incidents of blockchain occur frequently, and especially smart contracts have become the badly-disastered area. So avoiding security incidents caused by smart contracts has become an essential topic for blockchain developing. Up to now, there is not generic method for the security auditing of smart contracts and most researchers have to use existing vulnerability detection technology. To reduce the high false rate of smart contract vulnerability detection, we use ReJection, a detection method based on abstract syntax tree (AST), to focus on the reentrancy vulnerability with obvious harm and features in smart contracts. ReJection consists of four steps. Firstly, ReJection obtains the AST corresponding to the contract by the smart contract compiler solc. Then, AST is preprocessed to eliminate redundant information. Thirdly, ReJection traverses the nodes of the AST and records the notations related to reentrancy vulnerabilities during the traversal, such as Danger-Transfer function, Checks-Effects-Interactions pattern and mutex mechanism. Finally, ReJection uses record information and predefined rules to determine whether the reentrancy vulnerability is occurred. ReJection is implemented based on Slither, which is an open-source smart contract vulnerability detection tool. Furthermore, we also use the open-source smart contract code as the test program to compare experimental results to verify the effects with the ReJection and Slither. The result highlights that the ReJection has higher detection accuracy for reentrancy vulnerability.

AB - Blockchain is deeply integrated into the vertical industry, and gradually forms an application ecosphere of blockchain in various industries. However, the security incidents of blockchain occur frequently, and especially smart contracts have become the badly-disastered area. So avoiding security incidents caused by smart contracts has become an essential topic for blockchain developing. Up to now, there is not generic method for the security auditing of smart contracts and most researchers have to use existing vulnerability detection technology. To reduce the high false rate of smart contract vulnerability detection, we use ReJection, a detection method based on abstract syntax tree (AST), to focus on the reentrancy vulnerability with obvious harm and features in smart contracts. ReJection consists of four steps. Firstly, ReJection obtains the AST corresponding to the contract by the smart contract compiler solc. Then, AST is preprocessed to eliminate redundant information. Thirdly, ReJection traverses the nodes of the AST and records the notations related to reentrancy vulnerabilities during the traversal, such as Danger-Transfer function, Checks-Effects-Interactions pattern and mutex mechanism. Finally, ReJection uses record information and predefined rules to determine whether the reentrancy vulnerability is occurred. ReJection is implemented based on Slither, which is an open-source smart contract vulnerability detection tool. Furthermore, we also use the open-source smart contract code as the test program to compare experimental results to verify the effects with the ReJection and Slither. The result highlights that the ReJection has higher detection accuracy for reentrancy vulnerability.

KW - Abstract syntax tree

KW - Reentrancy vulnerability

KW - Smart contract

KW - Vulnerability detection

UR - http://www.scopus.com/inward/record.url?scp=85081622248&partnerID=8YFLogxK

U2 - 10.1007/978-981-15-3418-8_5

DO - 10.1007/978-981-15-3418-8_5

M3 - Conference contribution

AN - SCOPUS:85081622248

SN - 9789811534171

T3 - Communications in Computer and Information Science

SP - 58

EP - 71

BT - Trusted Computing and Information Security - 13th Chinese Conference, CTCIS 2019, Revised Selected Papers

A2 - Han, Weili

A2 - Zhu, Liehuang

A2 - Yan, Fei

PB - Springer

Y2 - 24 October 2019 through 27 October 2019

ER -

ReJection: A AST-Based Reentrancy Vulnerability Detection Method

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this