I have read through the paper, Demystifying Exploitable Bugs in Smart Contracts (pdf), written by Zhuo Zhang, Brian Zhang, Wen Xu and Zhiqiang Lin. This paper was released late in February of 2023.
Exploitable bugs in smart contracts are a major security concern. Despite the development of many bug finding tools, exploitable bugs and real-world attacks are still trending.
The paper presents a systematic study of 516 unique real-world smart contract vulnerabilities in 2021-2022. Further, the authors categorize these bugs into seven types and study their root causes, distributions, difficulty to audit, consequences, and repair strategies.
Here are my takeaways from the findings in this paper.
Smart contract vulnerabilities differ from the ones in traditional software. In many cases they are functional bugs whose side effect is a loss of money. Deeper domain knowledge of the contract is therefore important for finding vulnerabilities.
An exploitable bug is a vulnerability in a smart contract that a malicious actor can exploit to steal funds.
We can categorize bugs into two bags: machine auditable bugs (MABs), which can be automatically detected by existing tools, and machine unauditable bugs (MUBs).
Tools and human auditors have not met the demand.
There are four categories of automatic bug-finding tools: fuzzing, static analysis, verification and symbolic execution.
Many techniques rely on simple or hand-coded oracles which may not be good enough to find functional bugs.
A large portion of exploitable bugs in the wild, around 80%, are not machine auditable.
A majority of exploitable bugs are difficult to find.
Machine unauditable bugs can be divided into 7 groups:
- Price oracle manipulation
- Erroneous accounting
- Id uniqueness violations
- Inconsistent state updates
- Privilege escalation
- Atomicity violations
- Implementation specific bugs
About 85% of the MUBs are in the first six groups above.
Accounting errors and price oracle manipulation seem to be popular to exploit.
Price oracle manipulation is hardest to find among the MUBs.
Id uniqueness violations are the easiest to find among the MUBs.
Flash loans can enable an attack vector.
An unexpected call sequence can evade the access control.
There are examples showing the symptoms and repair strategies for price oracle manipulation, erroneous accounting, and privilege escalation bugs.
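To illustrate the takeaways on hand-coded oracles and erroneous accounting, here is an added example (not from the paper or the Web3Bugs repository): a constructed toy ledger, modelled in Python rather than Solidity, with a deliberate accounting bug that a generic oracle misses and a domain-specific invariant catches. The `Ledger` class, both oracle functions and the account names are assumptions made up for this illustration.

```python
from itertools import product

class Revert(Exception):
    """Models a Solidity require() failure."""

class Ledger:
    """Constructed toy token ledger; not taken from the paper or any real contract."""
    def __init__(self, balances):
        self.bal = dict(balances)
        self.total_supply = sum(balances.values())

    def transfer(self, src, dst, amt):
        src_bal, dst_bal = self.bal[src], self.bal[dst]  # both balances cached up front
        if amt <= 0 or src_bal < amt:
            raise Revert("insufficient balance")
        self.bal[src] = src_bal - amt
        self.bal[dst] = dst_bal + amt  # accounting bug: dst_bal is stale when src == dst

def generic_oracle(ledger):
    """Hand-coded, contract-agnostic check: no balance dropped below zero."""
    return all(v >= 0 for v in ledger.bal.values())

def accounting_oracle(ledger):
    """Domain-specific invariant: balances must always sum to the total supply."""
    return sum(ledger.bal.values()) == ledger.total_supply

def run_harness(oracle):
    """Try every (src, dst, amt) call on a fresh ledger; return calls that break `oracle`."""
    start = {"alice": 100, "bob": 100, "carol": 100}  # constructed sample state
    failures = []
    for src, dst, amt in product(start, start, (1, 50, 100, 150)):
        ledger = Ledger(start)
        try:
            ledger.transfer(src, dst, amt)
        except Revert:
            continue  # a clean revert is expected behaviour, not a finding
        if not oracle(ledger):
            failures.append((src, dst, amt))
    return failures

if __name__ == "__main__":
    print("generic oracle findings:   ", run_harness(generic_oracle))
    print("accounting oracle findings:", run_harness(accounting_oracle))
```

The harness executes the buggy self-transfer under both oracles; only the invariant that encodes what the contract is supposed to mean (supply is conserved) flags it.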
Overall, I found this paper to be very informative and well-written. It is a valuable resource for researchers and practitioners who are interested in securing smart contracts.
Read it and also check out the Web3Bugs GitHub repository.
Happy reading!