Involuntary Transfer: A Vulnerability Pattern in Smart Contracts

Abstract

Smart Contracts (SCs) communicate with each other using external calls. Their interactions can be malicious, resulting in the loss of Ether. One can blame the reentrancy attack for this exploitation. Several previous endeavors detected the reentrancy vulnerability by creating testing tools using static analysis like Remix. However, these approaches do not execute the programs; hence, we cannot confirm their results. In this paper, we present TechyTech that detects both reentrancy and tx.origin vulnerabilities using a novel dynamic analysis approach of involuntary transfer (i.e., unintended transfer). Henceforth, we use a tree-based categorization string to distinguish the two vulnerabilities and their variations. Further, our research discusses multiple SC-related issues like the hijacked stack, deployed owner, and non-generation of transaction receipts in connection with reentrant calls, which we could not find in previous work. Using an example, we demonstrate how the actual Ether transfer is greater than the intended due to reentrancy.We acknowledge that due to dynamic analysis, TechyTech may suffer from VMExceptions.

Description

Authors cc-by-nc-nd

Keywords

Blockchains, dynamic analysis, Dynamics, Receivers, reentrancy, smart contract, Smart contracts, Software, Solidity, Static analysis, static analysis, Static analysis, Testing, Transfer functions, tx.origin

Citation

Khan, Z.A., & Namin, A.S.. 2024. Involuntary Transfer: A Vulnerability Pattern in Smart Contracts. IEEE Access. https://doi.org/10.1109/ACCESS.2024.3351736

Collections