Demystifying and Detecting Cryptographic Defects in Ethereum Smart Contracts

Ethereum has officially provided a set of system-level cryptographic APIs to enhance smart contracts with cryptographic capabilities. These APIs have been utilized in over 10% of Ethereum transactions, motivating developers to implement various on-chain cryptographic tasks, such as digital signature...

Full description

Saved in:
Bibliographic Details
Published inProceedings / International Conference on Software Engineering pp. 3009 - 3021
Main Authors Zhang, Jiashuo, Shen, Yiming, Chen, Jiachi, Su, Jianzhong, Wang, Yanlin, Chen, Ting, Gao, Jianbo, Chen, Zhong
Format Conference Proceeding
LanguageEnglish
Published IEEE 26.04.2025
Subjects
Blockchains
cryptography
Defect detection
defects detection
Digital signatures
Ethereum
Fuzzing
Semantics
Smart contracts
Software engineering
Online AccessGet full text

Cover

More Information
Summary:Ethereum has officially provided a set of system-level cryptographic APIs to enhance smart contracts with cryptographic capabilities. These APIs have been utilized in over 10% of Ethereum transactions, motivating developers to implement various on-chain cryptographic tasks, such as digital signatures. However, since developers may not always be cryptographic experts, their ad-hoc and potentially defective implementations could compromise the theoretical guarantees of cryptography, leading to real-world security issues. To mitigate this threat, we conducted the first study aimed at demystifying and detecting cryptographic defects in smart contracts. Through the analysis of 2,406 real-world security reports, we defined nine types of cryptographic defects in smart contracts with detailed descriptions and practical detection patterns. Based on this categorization, we proposed Crysol, a fuzzing-based tool to automate the detection of cryptographic defects in smart contracts. It combines transaction replaying and dynamic taint analysis to extract fine-grained crypto-related semantics and employs crypto-specific strategies to guide the test case generation process. Furthermore, we collected a large-scale dataset containing 25,745 real-world crypto-related smart contracts and evaluated CRYSOL's effectiveness on it. The result demonstrated that CRySOL achieves an overall precision of 95.4% and a recall of 91.2%. Notably, CRySOL revealed that 5,847 (22.7%) out of 25,745 smart contracts contain at least one crvptographic defect" hiahlighting the prevalence of these defects.
ISSN:1558-1225
DOI:10.1109/ICSE55347.2025.00010