DEPOSafe: Demystifying the Fake Deposit Vulnerability in Ethereum Smart Contracts

Ru Ji; Ningyu He; Lei Wu; Haoyu Wang; Guangdong Bai; Yao Guo

doi:10.1109/ICECCS51672.2020.00022

DEPOSafe: Demystifying the Fake Deposit Vulnerability in Ethereum Smart Contracts

Ru Ji (Co-first Author)
, Ningyu He (Co-first Author)
, Lei Wu
, Haoyu Wang^*
, Guangdong Bai
, Yao Guo

^*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

18 Citations (Scopus)

Abstract

Cryptocurrency has seen an explosive growth in recent years, thanks to the evolvement of blockchain technology and its economic ecosystem. Besides Bitcoin, thousands of cryptocur-rencies have been distributed on blockchains, while hundreds of cryptocurrency exchanges are emerging to facilitate the trading of digital assets. At the same time, it also attracts the attentions of attackers. Fake deposit, as one of the most representative attacks (vulnerabilities) related to exchanges and tokens, has been frequently observed in the blockchain ecosystem, causing large financial losses. However, besides a few security reports, our community lacks the understanding of this vulnerability, for example its scale and the impacts. In this paper, we take the first step to demystify the fake deposit vulnerability. Based on the essential patterns we have summarized, we implement DEPOSafe, an automated tool to detect and verify (exploit) the fake deposit vulnerability in ERC-20 smart contracts. DEPOSafe incorporates several key techniques including symbolic execution based static analysis and behavior modeling based dynamic verification. By applying DEPOSafe to 176,000 ERC-20 smart contracts, we have identified over 7,000 vulnerable contracts that may suffer from two types of attacks. Our findings demonstrate the urgency to identify and prevent the fake deposit vulnerability. © 2020 IEEE.

Original language	English
Title of host publication	Proceedings - 2020 25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020)
Publisher	IEEE
Pages	125-134
Number of pages	10
ISBN (Electronic)	978-1-7281-8558-3
DOIs	https://doi.org/10.1109/ICECCS51672.2020.00022
Publication status	Published - Mar 2021
Externally published	Yes
Event	25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020) - Hybrid, Singapore Duration: 4 Mar 2021 → 6 Mar 2021 https://formal-analysis.com/iceccs/2020/

Publication series

Name	Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS
Volume	2020-October
ISSN (Print)	2770-8527
ISSN (Electronic)	2770-8535

Conference

Conference	25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020)
Abbreviated title	ICECCS'20
Place	Singapore
Period	4/03/21 → 6/03/21
Internet address	https://formal-analysis.com/iceccs/2020/

Funding

This work was supported by the National Natural Science Foundation of China (grants No.61702045, No.62072046 and No.61772042).

Access Output

10.1109/ICECCS51672.2020.00022

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Ji, R., He, N., Wu, L., Wang, H., Bai, G., & Guo, Y. (2021). DEPOSafe: Demystifying the Fake Deposit Vulnerability in Ethereum Smart Contracts. In Proceedings - 2020 25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020) (pp. 125-134). Article 9376204 (Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS; Vol. 2020-October). IEEE. https://doi.org/10.1109/ICECCS51672.2020.00022

@inproceedings{9902f64470374bfc8cdc2c3a6817e256,

title = "DEPOSafe: Demystifying the Fake Deposit Vulnerability in Ethereum Smart Contracts",

abstract = "Cryptocurrency has seen an explosive growth in recent years, thanks to the evolvement of blockchain technology and its economic ecosystem. Besides Bitcoin, thousands of cryptocur-rencies have been distributed on blockchains, while hundreds of cryptocurrency exchanges are emerging to facilitate the trading of digital assets. At the same time, it also attracts the attentions of attackers. Fake deposit, as one of the most representative attacks (vulnerabilities) related to exchanges and tokens, has been frequently observed in the blockchain ecosystem, causing large financial losses. However, besides a few security reports, our community lacks the understanding of this vulnerability, for example its scale and the impacts. In this paper, we take the first step to demystify the fake deposit vulnerability. Based on the essential patterns we have summarized, we implement DEPOSafe, an automated tool to detect and verify (exploit) the fake deposit vulnerability in ERC-20 smart contracts. DEPOSafe incorporates several key techniques including symbolic execution based static analysis and behavior modeling based dynamic verification. By applying DEPOSafe to 176,000 ERC-20 smart contracts, we have identified over 7,000 vulnerable contracts that may suffer from two types of attacks. Our findings demonstrate the urgency to identify and prevent the fake deposit vulnerability. {\textcopyright} 2020 IEEE.",

author = "Ru Ji and Ningyu He and Lei Wu and Haoyu Wang and Guangdong Bai and Yao Guo",

year = "2021",

month = mar,

doi = "10.1109/ICECCS51672.2020.00022",

language = "English",

series = "Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS",

publisher = "IEEE",

pages = "125--134",

booktitle = "Proceedings - 2020 25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020)",

address = "United States",

note = "25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020), ICECCS'20 ; Conference date: 04-03-2021 Through 06-03-2021",

url = "https://formal-analysis.com/iceccs/2020/",

}

Ji, R, He, N, Wu, L, Wang, H, Bai, G & Guo, Y 2021, DEPOSafe: Demystifying the Fake Deposit Vulnerability in Ethereum Smart Contracts. in Proceedings - 2020 25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020)., 9376204, Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS, vol. 2020-October, IEEE, pp. 125-134, 25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020), Singapore, 4/03/21. https://doi.org/10.1109/ICECCS51672.2020.00022

DEPOSafe: Demystifying the Fake Deposit Vulnerability in Ethereum Smart Contracts. / Ji, Ru (Co-first Author); He, Ningyu (Co-first Author); Wu, Lei et al.
Proceedings - 2020 25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020). IEEE, 2021. p. 125-134 9376204 (Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS; Vol. 2020-October).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - DEPOSafe

T2 - 25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020)

AU - Ji, Ru

AU - He, Ningyu

AU - Wu, Lei

AU - Wang, Haoyu

AU - Bai, Guangdong

AU - Guo, Yao

PY - 2021/3

Y1 - 2021/3

N2 - Cryptocurrency has seen an explosive growth in recent years, thanks to the evolvement of blockchain technology and its economic ecosystem. Besides Bitcoin, thousands of cryptocur-rencies have been distributed on blockchains, while hundreds of cryptocurrency exchanges are emerging to facilitate the trading of digital assets. At the same time, it also attracts the attentions of attackers. Fake deposit, as one of the most representative attacks (vulnerabilities) related to exchanges and tokens, has been frequently observed in the blockchain ecosystem, causing large financial losses. However, besides a few security reports, our community lacks the understanding of this vulnerability, for example its scale and the impacts. In this paper, we take the first step to demystify the fake deposit vulnerability. Based on the essential patterns we have summarized, we implement DEPOSafe, an automated tool to detect and verify (exploit) the fake deposit vulnerability in ERC-20 smart contracts. DEPOSafe incorporates several key techniques including symbolic execution based static analysis and behavior modeling based dynamic verification. By applying DEPOSafe to 176,000 ERC-20 smart contracts, we have identified over 7,000 vulnerable contracts that may suffer from two types of attacks. Our findings demonstrate the urgency to identify and prevent the fake deposit vulnerability. © 2020 IEEE.

AB - Cryptocurrency has seen an explosive growth in recent years, thanks to the evolvement of blockchain technology and its economic ecosystem. Besides Bitcoin, thousands of cryptocur-rencies have been distributed on blockchains, while hundreds of cryptocurrency exchanges are emerging to facilitate the trading of digital assets. At the same time, it also attracts the attentions of attackers. Fake deposit, as one of the most representative attacks (vulnerabilities) related to exchanges and tokens, has been frequently observed in the blockchain ecosystem, causing large financial losses. However, besides a few security reports, our community lacks the understanding of this vulnerability, for example its scale and the impacts. In this paper, we take the first step to demystify the fake deposit vulnerability. Based on the essential patterns we have summarized, we implement DEPOSafe, an automated tool to detect and verify (exploit) the fake deposit vulnerability in ERC-20 smart contracts. DEPOSafe incorporates several key techniques including symbolic execution based static analysis and behavior modeling based dynamic verification. By applying DEPOSafe to 176,000 ERC-20 smart contracts, we have identified over 7,000 vulnerable contracts that may suffer from two types of attacks. Our findings demonstrate the urgency to identify and prevent the fake deposit vulnerability. © 2020 IEEE.

UR - https://www.scopus.com/pages/publications/85103496328

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85103496328&origin=recordpage

U2 - 10.1109/ICECCS51672.2020.00022

DO - 10.1109/ICECCS51672.2020.00022

M3 - RGC 32 - Refereed conference paper (with host publication)

T3 - Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS

SP - 125

EP - 134

BT - Proceedings - 2020 25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020)

PB - IEEE

Y2 - 4 March 2021 through 6 March 2021

ER -

Ji R, He N, Wu L, Wang H, Bai G, Guo Y. DEPOSafe: Demystifying the Fake Deposit Vulnerability in Ethereum Smart Contracts. In Proceedings - 2020 25th International Conference on Engineering of Complex Computer Systems (ICECCS 2020). IEEE. 2021. p. 125-134. 9376204. (Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS). Epub 2021 Mar 19. doi: 10.1109/ICECCS51672.2020.00022

DEPOSafe: Demystifying the Fake Deposit Vulnerability in Ethereum Smart Contracts

Abstract

Publication series

Conference

Funding

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this