Not Your Grandma’s Smart Contract Verification
Florian Buenzli
Dana Drachsler-Cohen
Andrei Dan
Arthur Gervais
Hubert Ritzdorf
Petar Tsankov
Martin Vechev
Quentin Hibon
http://blockchainsecurity.ethz.ch
Smart Contract Security Bugs in the News
Unprivileged write to storage
Wallet Contract

    address owner = ...;

    // Any user may change the wallet’s owner
    function initWallet(address _owner) {
        owner = _owner;
    }

    // Only owner can send ether
    function withdraw(uint amount) {
        if (msg.sender == owner) {
            owner.transfer(amount);
        }
    }

An attacker used a similar bug to steal $30M in July
More Security Bugs…
Manipulating ether flows via transaction reordering
Reentrant method calls (e.g., DAO bug)
Insecure coding, such as unprivileged writes (e.g., Multisig Parity bug)
Unexpected ether flows
Use of unsafe inputs (e.g., reflection, hashing, …)
Transaction reordering
Token Contract

    uint price = 10;
    address owner;

    // The owner can change the price
    function setPrice(uint newPrice) {
        if (msg.sender == owner)
            price = newPrice;
    }

    // A user can buy with the current price
    function sellToken() {
        msg.sender.transfer(price);
    }

The two operations do not commute
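
The non-commutativity can be checked mechanically by replaying pending transactions in every order. The following is an added example, not code from the slides: a toy Python model of the Token Contract, where the state dictionary, the participant names and the pending set are constructed for illustration. It generalizes from the two-transaction case on the slide to any set of pending calls.

```python
from itertools import permutations

# Toy model of the Token Contract above (constructed; not on-chain code).
def set_price(state, sender, new_price):
    # Mirrors setPrice(): only the owner may change the price.
    if sender == state["owner"]:
        state["price"] = new_price

def sell_token(state, sender):
    # Mirrors sellToken(): the caller is paid the price at execution time.
    state["paid"][sender] = state["paid"].get(sender, 0) + state["price"]

def outcomes(initial, txs):
    """Execute every ordering of the pending transactions; map ordering -> payouts."""
    results = {}
    for order in permutations(range(len(txs))):
        state = {**initial, "paid": {}}
        for i in order:
            fn, args = txs[i]
            fn(state, *args)
        results[order] = state["paid"]
    return results

def order_dependent(initial, txs):
    """True if at least two orderings pay some participant differently."""
    payouts = {tuple(sorted(p.items())) for p in outcomes(initial, txs).values()}
    return len(payouts) > 1

# Constructed scenario: the owner's price change and a user's sale are both pending.
INITIAL = {"owner": "owner", "price": 10}
PENDING = [(set_price, ("owner", 5)), (sell_token, ("user",))]

if __name__ == "__main__":
    for order, paid in outcomes(INITIAL, PENDING).items():
        print(order, paid)
    print("order dependent:", order_dependent(INITIAL, PENDING))
```
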
Automated Security Analysis
Automated Security Analysis Approaches
All possible contract behaviors
Security Bugs
Problem: Cannot enumerate all possible contract behaviors…
Security Analysis Approaches
Testing: report true bugs; can miss bugs
Dynamic (symbolic) analysis: report true bugs; can miss bugs
Automated verification: can report false alarms; no missed bugs
Current State of Automated Analysis for Ethereum Smart Contracts
Security Analysis Approaches
Testing (Populus): report true bugs; can miss bugs
Dynamic (symbolic) analysis (Oyente): report true bugs; can miss bugs
Automated verification: can report false alarms; no missed bugs
Fully automated, one-click, formal verification system for Ethereum smart contracts
www.securify.ch
Demo
Securify: Under the Hood
EVM Binary → Decomp. → Securify Intermediate Representation → Infer → Securify Semantic Representation → Static Analysis → Securify Report

EVM Binary

    00: 60
    02: 5b
    04: 42
    06: 80
    08: 90
    0a: 56
    ⋮

Securify Intermediate Representation

    00: x = Balance
    02: y = 0x20
    04: If (x == 0x00)
    06: MStore(y, x)
    08: z = y
    0a: goto 0x42
    ⋮

Securify Semantic Representation

    MemTag(0x20, Balance)
    MemTag(0x40, Const)
    VarTag(z, Const)
    VarTag(k, Gas)
    Assign(s, 0x20)
    Call(s{0x20}, k{Gas})
    ⋮

Security patterns expressed in a designated security language
Fully automated, easily extensible
Captures key semantic facts about the contract
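
To make the pipeline concrete for the unprivileged-write bug in the Wallet Contract, here is an added example that is not Securify's code, IR or pattern language: a toy Python checker that derives VarTag-style dependency facts from a small structured IR and flags storage writes not guarded by a caller-dependent branch. The IR encoding, the tag names `Arg`, `Caller` and `Storage`, and the `GUARDED_INIT` fix are all assumptions made for the illustration.

```python
# Toy IR and checker (constructed for illustration; not Securify's IR or patterns).
# Ops: assign(var, source) | sload(var, slot) | eq(var, a, b) | if(cond, body) |
#      sstore(slot, var) | transfer(to, amount)
WALLET = {
    "initWallet": [
        ("assign", "_owner", "Arg"),
        ("sstore", "owner", "_owner"),            # written with no check on the caller
    ],
    "withdraw": [
        ("assign", "amount", "Arg"),
        ("assign", "sender", "Caller"),
        ("sload", "o", "owner"),
        ("eq", "c", "sender", "o"),
        ("if", "c", [("transfer", "o", "amount")]),
    ],
}

# Hypothetical fix: only the current owner may overwrite `owner`.
GUARDED_INIT = [
    ("assign", "_owner", "Arg"),
    ("assign", "sender", "Caller"),
    ("sload", "o", "owner"),
    ("eq", "c", "sender", "o"),
    ("if", "c", [("sstore", "owner", "_owner")]),
]
FIXED = dict(WALLET, initWallet=GUARDED_INIT)

def unprivileged_writes(contract):
    """Return (function, slot) for each storage write not guarded by a caller check."""
    findings = []
    for fn, body in contract.items():
        tags = {}                                  # VarTag-style facts: var -> sources

        def walk(instrs, guarded):
            for ins in instrs:
                op = ins[0]
                if op == "assign":
                    tags[ins[1]] = {ins[2]}
                elif op == "sload":
                    tags[ins[1]] = {"Storage"}
                elif op == "eq":
                    tags[ins[1]] = tags.get(ins[2], set()) | tags.get(ins[3], set())
                elif op == "if":
                    # A branch counts as a guard if its condition depends on Caller.
                    walk(ins[2], guarded or "Caller" in tags.get(ins[1], set()))
                elif op == "sstore" and not guarded:
                    findings.append((fn, ins[1]))

        walk(body, False)
    return findings
```

The guard test is deliberately coarse: any branch whose condition depends on the caller is accepted, so this toy can miss writes that are reachable under a wrong caller check.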
ChainSecurity
Swiss-based startup that provides intelligent security solutions for blockchains and smart contracts
https://chainsecurity.com
Automated Security Analysis Systems
Comprehensive Smart Contract Auditing
Summary
https://www.securify.ch
@chain_security
Get in touch with our team of security / blockchain / program analysis experts
https://chainsecurity.com
Product
Research
Fully automated
Strong guarantees
Extensible