
RobinDetect: Bytecode-Level Vulnerability Rule Extraction Tool

DOI: 10.12677/csa.2025.154073, PP. 9-21

Keywords: Cross-Chain Bridge, Vulnerability Rule Extraction, Vulnerability Detection


Abstract:

As blockchain technology sees wider use, the security of smart contracts has become increasingly prominent, and detecting vulnerabilities in cross-chain transactions in particular remains a difficult problem in current research. This paper proposes RobinDetect, a bytecode-level vulnerability rule extraction tool that analyzes problematic transactions after they are on-chain and rapidly extracts their vulnerability rules, in order to identify cross-chain bridge vulnerabilities efficiently. RobinDetect combines a transaction collector, a transaction grouper, a call flow extractor, a data flow extractor, and a rule extractor; together these components extract key instruction sequences from transaction data and generate vulnerability detection rules with dependency relationships. Experiments show that the tool achieves higher detection accuracy than Aegis, can effectively extract the transaction vulnerability rules provided by Xscope, and has been successfully applied to the detection of cross-chain bridge vulnerabilities.

References

[1]  Guo, L., Chen, J., Li, S., Li, Y. and Lu, J. (2022) A Blockchain and IoT-Based Lightweight Framework for Enabling Information Transparency in Supply Chain Finance. Digital Communications and Networks, 8, 576-587.
https://doi.org/10.1016/j.dcan.2022.03.020
[2]  Rejeb, A., Keogh, J.G. and Treiblmaier, H. (2019) Leveraging the Internet of Things and Blockchain Technology in Supply Chain Management. Future Internet, 11, Article 161.
https://doi.org/10.3390/fi11070161
[3]  Ou, W., Huang, S., Zheng, J., Zhang, Q., Zeng, G. and Han, W. (2022) An Overview on Cross-Chain: Mechanism, Platforms, Challenges and Advances. Computer Networks, 218, Article 109378.
https://doi.org/10.1016/j.comnet.2022.109378
[4]  Lan, R., Upadhyaya, G., Tse, S., et al. (2021) Horizon: A Gas-Efficient, Trustless Bridge for Cross-Chain Transactions.
[5]  (2021) pNetwork.
https://medium.com/pnetwork/pnetwork-post-mortem-pbtc-on-bsc-exploit-170890c58d5f
[6]  (2021) Thorchain.
https://medium.com/thorchain/eth-parsing-error-and-exploit-3b343aa6466f
[7]  Tang, Q., Sang, N. and Liu, H. (2020) Learning Nonclassical Receptive Field Modulation for Contour Detection. IEEE Transactions on Image Processing, 29, 1192-1203.
https://doi.org/10.1109/tip.2019.2940690
[8]  Wang, S. and Zhao, X. (2024) Contractsentry: A Static Analysis Tool for Smart Contract Vulnerability Detection. Automated Software Engineering, 32, Article No. 1.
https://doi.org/10.1007/s10515-024-00471-8
[9]  Liao, Z., Nan, Y., Liang, H., Hao, S., Zhai, J., Wu, J., et al. (2024) Smartaxe: Detecting Cross-Chain Vulnerabilities in Bridge Smart Contracts via Fine-Grained Static Analysis. Proceedings of the ACM on Software Engineering, 1, 249-270.
https://doi.org/10.1145/3643738
[10]  Ferreira Torres, C., Baden, M., Norvill, R., Fiz Pontiveros, B.B., Jonker, H. and Mauw, S. (2020) ÆGIS: Shielding Vulnerable Smart Contracts against Attacks. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, Taipei, 5-9 October 2020, 584-597.
https://doi.org/10.1145/3320269.3384756
[11]  Zhang, J., Gao, J., Li, Y., Chen, Z., Guan, Z. and Chen, Z. (2022) Xscope: Hunting for Cross-Chain Bridge Attacks. Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, Rochester, 10-14 October 2022, 1-4.
https://doi.org/10.1145/3551349.3559520
[12]  (2025) Phalcon Explorer.
https://app.blocksec.com/
