Programming errors in Ethereum smart contracts can result in catastrophic financial losses from stolen cryptocurrency. While vulnerability detectors can prevent vulnerable contracts from being deployed, this does not mean that such contracts will not be deployed. Once a vulnerable contract is instantiated on the blockchain and becomes the target of attacks, the identification of exploit transactions becomes indispensable in assessing whether it has been actually exploited and identifying which malicious or subverted accounts were involved. In this work, we study the problem of post-factum investigation of Ethereum attacks using Indicators of Compromise (IoCs) specially crafted for use in the blockchain. IoC definitions need to capture the side-effects of successful exploitation in the context of the Ethereum blockchain. Therefore, we define a model for smart contract execution, comprising multiple abstraction levels that mirror the multiple views of code execution on a blockchain. Subsequently, we compare IoCs defined across the different levels in terms of their effectiveness and practicality through EtherClue, a prototype tool for investigating Ethereum security incidents. Our results illustrate that coarse-grained IoCs defined over blocks of transactions can detect exploit transactions with less computation; however, they are contract-specific and suffer from false negatives. On the other hand, fine-grained IoCs defined over virtual machine instructions can avoid these pitfalls at the expense of increased computation which are nevertheless applicable for practical use.
翻译:Eceenum智能合同的编程错误可能导致被盗加密货币的灾难性财政损失。虽然脆弱性探测器可以防止弱势合同的部署,但这并不意味着这类合同不会被部署。一旦脆弱合同在链条上即刻发生,成为攻击的目标,确定利用交易对于评估其是否实际被利用并查明涉及哪些恶意或扭曲账户至关重要。在这项工作中,我们利用专门为安全链而设计的“和解指标”(Compromise (IoCs))来研究Eceenum袭击的事后调查问题。IoC定义需要捕捉成功利用Etheenum链条的副作用。因此,我们确定一个智能合同执行模式,包括多个抽象级别,反映在链条上的多种代码执行观点。随后,我们通过EtherClue(EtherClue)来比较不同层次的IoC成本定义,这是调查Etheerum安全事件的原型工具。我们的结果表明,在Eceencial-C中成功开发的IoC,但是,在虚拟交易中定义的不那么,在不精确的计算中,在虚拟交易中则会受到不那么精确的计算。