Vulpedia

In recent years, smart contracts have become increasingly popular for building trustworthy decentralized applications such as supply chain management, insurance, and charity. Once a contract is deployed online, any program vulnerability can lead to substantial financial loss, jeopardizing the growing business built on it. Previous research has proposed static and dynamic techniques such as Slither, Securify, and Oyente to detect vulnerabilities in smart contracts. These tools check contracts against several predefined rules. However, newly emerging vulnerability types, together with new programming idioms adopted to prevent known vulnerabilities, cause these tools to produce large numbers of false positive and false negative reports. To address this, we propose Vulpedia, which mines expressive vulnerability signatures from contracts. Specifically, we extract structural program features from vulnerable and benign contracts as vulnerability signatures, and construct a systematic detection method based on detection rules composed of these signatures. Compared with the rules defined by state-of-the-art tools, our approach extracts more expressive rules and achieves better completeness (i.e., detection recall) and soundness (i.e., precision). In this study, Vulpedia is equipped with rules composed of 10 vulnerability signatures extracted from 1219 vulnerable contracts collected from a training set of 76354 contracts. We further evaluate Vulpedia against four baselines (i.e., Slither, Securify, SmartCheck and Oyente) on a testing dataset of 17770 contracts. The experiment shows that Vulpedia achieves the best precision on 4 types of vulnerabilities and the leading recall on 3 types of vulnerabilities, while also exhibiting great efficiency.

On this website, we (1) illustrate the implementation of our tools and (2) provide exploitation examples for the vulnerabilities we found. Our detection tool will also be published once we finish polishing the program code.