SoMo: An Innovative Tool for Identifying Unsafe Function Modifiers in Ethereum Smart Contracts

MetaTrust Labs
2023-05-25 17:38:09
SoMo achieved an accuracy of 91.2% when analyzing 62,464 contracts in a large dataset.

Author: MetaTrust Labs


A recent study by Web3 security service provider MetaTrust Labs has identified significant security risks associated with custom function modifiers in Ethereum smart contracts. In the paper titled "Beyond 'Protected' and 'Private': An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts" presented at ISSTA'23, the research team examined over 62,000 smart contracts and found 411 vulnerable contracts that contained bypassable modifiers. To address these issues, MetaTrust has integrated the newly developed tool SoMo into its well-known smart contract security scanning service MetaScan.

The main objective of this study is to identify unsafe modifiers, specifically "bypassable modifiers": a modifier is bypassable when the condition it checks can be satisfied or rewritten through one or more unprotected (public or external) functions that do not themselves carry the modifier. For example, in the contract shown below, the "onlyOwner" modifier can be bypassed by first calling the public function Mining24(). An attacker who does so can then invoke the sensitive functions that onlyOwner was supposed to protect.

[Figure: the example contract whose onlyOwner modifier is bypassable via the public function Mining24()]
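The pattern described above, as an added example written for this article rather than code from the paper or from MetaTrust Labs. The contract names, the body of Mining24() and the hardened variant are assumptions made to illustrate the mechanism: the modifier's guard depends on the state variable `owner`, and an unprotected public function rewrites that variable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed example (not from the paper): a modifier whose guard state
// (`owner`) can be rewritten by an unprotected public function.
contract VulnerableVault {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // The modifier itself is correct; its guard depends on `owner`.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Assumed body: a public function, callable by anyone, that overwrites
    // the very state the modifier checks. Any caller can make itself
    // `owner` and then pass `onlyOwner`.
    function Mining24() public {
        owner = msg.sender;
    }

    // Sensitive function "protected" by onlyOwner. With Mining24() present
    // the protection is bypassable in two transactions: the attacker calls
    // Mining24(), then withdrawAll().
    function withdrawAll() external onlyOwner {
        payable(owner).transfer(address(this).balance);
    }

    receive() external payable {}
}

// Hardened version: every write to the modifier's guard state is itself
// guarded, and ownership changes use a two-step handoff, so no unprotected
// entry point can rewrite `owner`.
contract HardenedVault {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Only the current owner may nominate a successor.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        pendingOwner = newOwner;
    }

    // Only the nominee may complete the transfer.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }

    function withdrawAll() external onlyOwner {
        payable(owner).transfer(address(this).balance);
    }

    receive() external payable {}
}
```

The manual check this example suggests is the one a reviewer can apply without any tool: for each modifier, list the state variables its require condition reads, then look for every public or external function that writes any of those variables without itself carrying the modifier. In VulnerableVault that search finds Mining24(); in HardenedVault the only writes to `owner` sit behind onlyOwner or behind a check against `pendingOwner`, which is itself only writable through onlyOwner.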

To identify these vulnerabilities, the researchers developed a new tool called SoMo, which constructs a Modifier Dependency Graph (MDG) to cover all control/data flows related to modifiers, generates symbolic path constraints on the MDG, and iteratively tests each candidate entry function. The results indicate that SoMo achieved an accuracy of 91.2% when analyzing 62,464 contracts in a large dataset.

[Figure]

The study also revealed the primary uses of modifiers in real-world contracts, including access control, financial-related checks, contract state checks, and miscellaneous checks, as shown in the table below. These findings suggest that developers frequently rely on modifiers to guard security-sensitive operations, yet the modifiers themselves are not always protected against being bypassed.

[Table: primary uses of modifiers in real-world contracts (access control, financial-related checks, contract state, miscellaneous checks)]

Overall, much work remains to make smart contracts secure and reliable. Better programming practices and better testing tools can prevent attacks on smart contracts and protect the transactions that depend on them, and as more businesses and organizations adopt blockchain technology, that assurance becomes essential. This research is a step toward that goal.

While blockchain technology has the potential to reshape many industries, security should remain the top priority. Using tools such as MetaScan and following secure programming practices, including guarding every write to the state a modifier depends on, helps keep on-chain transactions safe.
