A recent study conducted by MetaTrust Labs has uncovered notable security risks linked to custom function modifiers in Ethereum smart contracts. Published in the ISSTA'23 paper titled "Beyond 'Protected' and 'Private': An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts," the research team examined more than 62,000 smart contracts and discovered 411 vulnerable contracts containing bypassable modifiers. To address these issues, MetaTrust has integrated the newly developed tool, SoMo, into their renowned smart contract security scanning service, MetaScan.
The primary goal of this study is to identify insecure modifiers, known as "bypassable modifiers," that can be bypassed in one or more unprotected smart contract functions. For example, the following "onlyOwner" modifier could be bypassed by invoking a public function Mining24(). Consequently, attackers can exploit sensitive functions that are protected by the onlyOwner modifier.
To identify these vulnerabilities, the researchers developed a novel tool called SoMo, which constructs a modifier dependency graph (MDG) to cover all the modifier-related control/data flows, generates symbolic path constraints over MDG, and iteratively tests each candidate entry function. The results showed that SoMo achieves high precision of 91.2% when analyzing a large dataset of 62,464 contracts.
This study also revealed the major usage of modifiers in real-world scenarios, including access control, financial-related, contract state, and miscellaneous checks, as demonstrated in the table below. These findings suggest that developers often utilize modifiers for security-sensitive operations but they may not be well protected.
Overall, this study shows that there is still work to be done to make sure blockchain technology is safe and reliable. By using better programming techniques and testing tools, we can help prevent attacks on smart contracts and keep our digital transactions secure. As more businesses and organizations adopt blockchain technology for various applications, it's crucial to ensure that smart contracts are secure and reliable. This study is an important step towards achieving that goal.
In conclusion, while blockchain technology has the potential to revolutionize many industries, it's important to remember that security should always be a top priority. By using tools like MetaScan and following best practices for secure programming, we can help ensure the safety of our digital transactions on the blockchain.
Follow Us
Twitter: @MetaTrustLabs
All Comments