Cointime


SoMo: A Novel Tool for Identifying Insecure Modifiers in Ethereum Smart Contracts


A recent study conducted by MetaTrust Labs has uncovered notable security risks linked to custom function modifiers in Ethereum smart contracts. Published in the ISSTA'23 paper titled "Beyond 'Protected' and 'Private': An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts," the research team examined more than 62,000 smart contracts and discovered 411 vulnerable contracts containing bypassable modifiers. To address these issues, MetaTrust has integrated the newly developed tool, SoMo, into their renowned smart contract security scanning service, MetaScan.

The primary goal of this study is to identify insecure modifiers, known as "bypassable modifiers," that can be bypassed in one or more unprotected smart contract functions. For example, the following "onlyOwner" modifier could be bypassed by invoking the public function Mining24(). Consequently, attackers can exploit sensitive functions that are protected by the onlyOwner modifier.

To identify these vulnerabilities, the researchers developed a novel tool called SoMo, which constructs a modifier dependency graph (MDG) covering all modifier-related control and data flows, generates symbolic path constraints over the MDG, and iteratively tests each candidate entry function. SoMo achieved a precision of 91.2% on the full dataset of 62,464 contracts.
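As an added illustration of the bypass pattern described above and of the modifier dependency analysis SoMo performs (a constructed example, not SoMo's code or the paper's): a toy contract model in which the unguarded public function Mining24() reaches a write to the state variable that onlyOwner checks. Only the names onlyOwner and Mining24 come from the article; the other functions, the state variables, and the data-flow-only check (SoMo additionally generates symbolic path constraints, which this toy omits) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Modifier:
    name: str
    reads: frozenset      # state variables the guard condition depends on

@dataclass(frozen=True)
class Function:
    name: str
    visibility: str       # public / external / internal / private
    modifiers: tuple = ()
    writes: frozenset = frozenset()
    calls: tuple = ()     # names of functions invoked from the body

def reachable_writes(fn_by_name, name, seen=None):
    """State variables written by `name` or by anything it transitively calls."""
    seen = set() if seen is None else seen
    if name in seen or name not in fn_by_name:
        return frozenset()
    seen.add(name)
    fn = fn_by_name[name]
    writes = set(fn.writes)
    for callee in fn.calls:
        writes |= reachable_writes(fn_by_name, callee, seen)
    return frozenset(writes)

def find_bypassable(modifiers, functions):
    """Map each modifier to the entry functions not guarded by it that can rewrite
    the state its check depends on: a data-flow-only approximation of SoMo's MDG."""
    fn_by_name = {f.name: f for f in functions}
    report = {}
    for m in modifiers:
        for f in functions:
            if f.visibility not in ("public", "external") or m.name in f.modifiers:
                continue  # not an externally callable entry, or guarded by m itself
            if reachable_writes(fn_by_name, f.name) & m.reads:
                report.setdefault(m.name, []).append(f.name)
    return report

# Constructed contract model; only onlyOwner and Mining24 come from the article.
MODIFIERS = [Modifier("onlyOwner", frozenset({"owner"})),
             Modifier("whenNotPaused", frozenset({"paused"}))]
FUNCTIONS = [
    Function("withdraw", "public", ("onlyOwner",), frozenset({"balance"})),
    Function("transferOwnership", "public", ("onlyOwner",), frozenset({"owner"})),
    Function("deposit", "public", ("whenNotPaused",), frozenset({"balance"})),
    Function("Mining24", "public", calls=("_setOwner",)),   # carries no modifier
    Function("_setOwner", "internal", writes=frozenset({"owner"})),
]
```

`find_bypassable(MODIFIERS, FUNCTIONS)` flags onlyOwner as bypassable through Mining24, because the internal helper it calls rewrites `owner`; adding onlyOwner to Mining24 (or removing the unguarded write path) clears the finding.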

This study also revealed the major uses of modifiers in real-world contracts, namely access control, financial checks, contract-state checks, and miscellaneous checks, as shown in the table below. These findings suggest that developers often rely on modifiers for security-sensitive operations, yet the modifiers themselves may not be well protected.

Overall, this study shows that there is still work to be done to make sure blockchain technology is safe and reliable. By using better programming techniques and testing tools, we can help prevent attacks on smart contracts and keep our digital transactions secure. As more businesses and organizations adopt blockchain technology for various applications, it's crucial to ensure that smart contracts are secure and reliable. This study is an important step towards achieving that goal.

In conclusion, while blockchain technology has the potential to revolutionize many industries, it's important to remember that security should always be a top priority. By using tools like MetaScan and following best practices for secure programming, we can help ensure the safety of our digital transactions on the blockchain.

Follow Us

Twitter: @MetaTrustLabs

Website: metatrust.io
