
SoMo: A Novel Tool for Identifying Insecure Modifiers in Ethereum Smart Contracts

A recent study conducted by MetaTrust Labs has uncovered notable security risks linked to custom function modifiers in Ethereum smart contracts. Published in the ISSTA'23 paper titled "Beyond 'Protected' and 'Private': An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts," the research team examined more than 62,000 smart contracts and discovered 411 vulnerable contracts containing bypassable modifiers. To address these issues, MetaTrust has integrated the newly developed tool, SoMo, into their renowned smart contract security scanning service, MetaScan.

The primary goal of this study is to identify insecure modifiers, known as "bypassable modifiers," that can be bypassed in one or more unprotected smart contract functions. For example, the following "onlyOwner" modifier could be bypassed by invoking a public function Mining24(). Consequently, attackers can exploit sensitive functions that are protected by the onlyOwner modifier.

To identify these vulnerabilities, the researchers developed a novel tool called SoMo, which constructs a modifier dependency graph (MDG) to cover all the modifier-related control and data flows, generates symbolic path constraints over the MDG, and iteratively tests each candidate entry function. The results showed that SoMo achieves a high precision of 91.2% when analyzing a large dataset of 62,464 contracts.
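A simplified sketch of the check described in the two paragraphs above, added here as an example; it is not SoMo's code. The contract model, the function names `initOwner`, `setPaused`, `withdraw` and `_reset`, and the `whenNotPaused` modifier are constructed for illustration. The check only tracks which state variables a modifier reads and an entry function writes, without SoMo's symbolic path constraints, so it over-reports.

```python
import copy

# Constructed contract model (not from the paper's dataset). Each modifier
# lists the state variables its check reads; each function lists its
# visibility, the modifiers guarding it, and the state variables it writes.
VULNERABLE = {
    "modifiers": {"onlyOwner": {"owner"}, "whenNotPaused": {"paused"}},
    "functions": {
        "initOwner": {"vis": "public", "mods": [], "writes": {"owner"}},
        "setPaused": {"vis": "public", "mods": ["onlyOwner"], "writes": {"paused"}},
        "withdraw": {"vis": "public", "mods": ["onlyOwner", "whenNotPaused"],
                     "writes": {"balance"}},
        "_reset": {"vis": "internal", "mods": [], "writes": {"owner"}},
    },
}

# Same model with the owner-writing entry function placed behind onlyOwner.
HARDENED = copy.deepcopy(VULNERABLE)
HARDENED["functions"]["initOwner"]["mods"] = ["onlyOwner"]


def bypassable_modifiers(contract):
    """Return {modifier: entry function able to rewrite a variable it checks}."""
    mods, funcs = contract["modifiers"], contract["functions"]
    found = {}
    changed = True
    while changed:  # iterate to a fixed point: one bypass can unlock another
        changed = False
        for name, fn in sorted(funcs.items()):
            # Only externally callable functions are candidate entry points.
            if fn["vis"] not in ("public", "external"):
                continue
            # Reachable by anyone only if every guard is already bypassable.
            if any(m not in found for m in fn["mods"]):
                continue
            for mod, reads in mods.items():
                if mod not in found and reads & fn["writes"]:
                    found[mod] = name
                    changed = True
    return found


if __name__ == "__main__":
    print("vulnerable:", bypassable_modifiers(VULNERABLE))
    print("hardened:  ", bypassable_modifiers(HARDENED))
```

In the vulnerable model the unguarded write to `owner` makes `onlyOwner` bypassable, which in turn exposes `setPaused` and therefore `whenNotPaused`; the hardened model reports nothing.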

This study also revealed the major uses of modifiers in real-world scenarios, including access control, financial-related, contract state, and miscellaneous checks, as demonstrated in the table below. These findings suggest that developers often utilize modifiers for security-sensitive operations, but they may not be well protected.

Overall, this study shows that there is still work to be done to make sure blockchain technology is safe and reliable. By using better programming techniques and testing tools, we can help prevent attacks on smart contracts and keep our digital transactions secure. As more businesses and organizations adopt blockchain technology for various applications, it's crucial to ensure that smart contracts are secure and reliable. This study is an important step towards achieving that goal.

In conclusion, while blockchain technology has the potential to revolutionize many industries, it's important to remember that security should always be a top priority. By using tools like MetaScan and following best practices for secure programming, we can help ensure the safety of our digital transactions on the blockchain.

Follow Us

Twitter: @MetaTrustLabs

Website: metatrust.io
