Front-running attacks have been a major concern on the blockchain. Attackers launch front-running attacks by inserting additional transactions ahead of upcoming victim transactions to manipulate the victim transactions' execution and make a profit. Recent studies have shown that front-running attacks are prevalent on the Ethereum blockchain and have caused millions of US dollars in losses. Vulnerable smart contracts (the blockchain programs invoked by transactions) are held responsible for front-running attacks. Although techniques to detect front-running vulnerabilities have been proposed, their performance on real-world vulnerable contracts is unclear: there is no large-scale benchmark based on real attacks with which to evaluate their capabilities. This motivates us to build a benchmark consisting of 513 real-world attacks with the vulnerable code labeled in 235 distinct smart contracts. We propose automated techniques to collect real-world attacks effectively and to localize the corresponding vulnerable code at scale. Our experiments show that our approaches are effective, achieving higher recall in finding real attacks and higher precision in pinpointing vulnerabilities than existing techniques. Evaluating seven state-of-the-art vulnerability detection techniques on the benchmark reveals their inadequacy in detecting front-running vulnerabilities, with a low recall of at most 6.04%. Our further analysis identifies four common limitations in existing techniques: lack of support for inter-contract analysis, inefficient constraint solving for cryptographic operations, improper vulnerability patterns, and lack of token support.
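As an added illustration (not code from the paper or its benchmark), the following toy constant-product pool shows the ordering dependence that front-running exploits: a transaction inserted ahead of a victim changes what the victim's transaction produces, a simplified re-execution check flags that deviation, and a minimum-output guard in the victim's call makes it revert instead of executing at the manipulated price. Class, function and transaction names and all amounts are constructed for this example.

```python
from copy import deepcopy

class Pool:
    """Minimal x*y=k pool; amounts are abstract units (constructed example)."""
    def __init__(self, x, y):
        self.x, self.y = x, y

    def swap(self, amount_in, min_out=0.0):
        """Sell amount_in of X for Y; returns None (reverted) if output < min_out."""
        out = self.y * amount_in / (self.x + amount_in)
        if out < min_out:
            return None          # reverted: pool state is left unchanged
        self.x += amount_in
        self.y -= out
        return out

def execute(pool, block):
    """Execute (sender, amount_in, min_out) tuples in block order on a copy."""
    pool, results = deepcopy(pool), {}
    for sender, amount_in, min_out in block:
        results[sender] = pool.swap(amount_in, min_out)
    return results

def displaced(pool, block, victim):
    """Simplified ordering oracle: flag the victim if its result differs from
    the result it would get with the transactions placed before it removed."""
    idx = next(i for i, tx in enumerate(block) if tx[0] == victim)
    actual = execute(pool, block)[victim]
    alone = execute(pool, [block[idx]])[victim]
    return actual != alone

# Constructed block: one trade inserted ahead of the victim, then the victim.
POOL = Pool(1000.0, 1000.0)
BLOCK = [("inserted", 100.0, 0.0), ("victim", 100.0, 0.0)]
# Same ordering, but the victim's call carries a minimum-output guard.
GUARDED = [("inserted", 100.0, 0.0), ("victim", 100.0, 90.0)]

def demo():
    """Victim output alone vs. front-run, the oracle verdict, and the guarded case."""
    return {
        "victim_alone": execute(POOL, [BLOCK[1]])["victim"],      # ~90.91
        "victim_front_run": execute(POOL, BLOCK)["victim"],       # ~75.76
        "flagged": displaced(POOL, BLOCK, "victim"),              # True
        "guarded_victim": execute(POOL, GUARDED)["victim"],       # None (reverted)
    }

if __name__ == "__main__":
    print(demo())
```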