CRII: SaTC: Discerning the Upgradeability of Smart Contracts in Blockchains From a Security Perspective

CRII：SaTC：从安全角度辨别区块链智能合约的可升级性

• 批准号: 2245627
• 负责人: Binghui Wang
• 金额: $ 17.48万
• 依托单位: Illinois Institute of Technology
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-03-15 至 2024-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2245627&HistoricalAwards=false
• 关键词: CRII; SaTC; Discerning; Upgradeability; Smart

Smart contracts in blockchains, which store cryptocurrencies and tokens worth billions of USD, have transformed many important aspects of our lives, such as finance and gaming. Smart contracts are widely believed to have strong security guarantees as they are immutable once deployed, not even the owner of the contract can change its code. However, a new type of smart contract, namely upgradeable smart contract (USC), allows developers to upgrade the logic of their smart contracts and practically breaks the security assumption. This special type of smart contract has become increasingly prominent and has been adopted by many major companies (e.g., Compound Finance and Opensea.io). Despite the importance, there exists no comprehensive research that studies the status quo of USCs in the wild and even worse, the emerging security risks that are associated with upgradeability. This project conducts a series of novel studies to discern the upgradeability of smart contracts in the real world. Specifically, it answers three essential research questions regarding the importance of USCs in the current market, different design patterns and their strengths and weaknesses, and more importantly, the real-world security risks with USCs. To do so, this project pioneers a practical static analysis-based approach to effectively detect USCs based on intrinsic characteristics, and perform further automatic behavior and security analyses. To differentiate USC design patterns, this project develops a complete taxonomy that can systematically characterize USCs at both syntactic and semantic levels. Moreover, the investigator conducts the first extensive and large-scale study on USCs to uncover and report unique designs and security risks in the real world. Eventually, this project creates the first comprehensive USC dataset that facilitates future research in this emerging direction.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

区块链中的智能合约存储了价值数十亿美元的加密货币和代币，改变了我们生活的许多重要方面，例如金融和游戏。智能合约被广泛认为具有强大的安全保障，因为它们一旦部署就不可变，即使是合约的所有者也不能更改其代码。然而，一种新型的智能合约，即可扩展智能合约（USC），允许开发人员升级其智能合约的逻辑，实际上打破了安全假设。这种特殊类型的智能合约已经变得越来越突出，并已被许多大公司采用（例如，Compound Finance和Opensea.io）。尽管重要，但目前还没有全面的研究来研究USCs在野外的现状，更糟糕的是，与可移植性相关的新出现的安全风险。该项目进行了一系列新颖的研究，以识别智能合约在真实的世界中的可识别性。具体来说，它回答了三个基本的研究问题，即USCs在当前市场中的重要性，不同的设计模式及其优缺点，更重要的是，USCs的现实安全风险。为此，该项目开创了一种实用的基于静态分析的方法，以有效地检测基于内在特征的USCs，并执行进一步的自动行为和安全分析。为了区分USC设计模式，本项目开发了一个完整的分类法，可以在语法和语义层面系统地描述USC。此外，调查人员还首次对USCs进行了广泛和大规模的研究，以发现和报告真实的世界中的独特设计和安全风险。最终，该项目创建了第一个全面的南加州大学数据集，促进了这一新兴方向的未来研究。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Proxy Hunting: Understanding and Characterizing Proxy-based Upgradeable Smart Contracts in Blockchains

• 发表时间: 2023
• 作者: William Edward Bodell;Sajad Meisami;Yue Duan