Special Issue PaperNo Access

OC-Detector: Detecting Smart Contract Vulnerabilities Based on Clustering Opcode Instructions

School of Computer Science, Beijing Information Science and Technology University, Beijing 100101, P. R. China

Key Laboratory of Safety-Critical Software, (Nanjing University of Aeronautics and Astronautics), Ministry of Industry and Information, Nanjing 211106, P. R. China

E-mail Address: xiguo_gu@bistu.edu.cn

Search for more papers by this author

Liwei Zheng

https://orcid.org/0000-0001-7641-6369

School of Computer Science, Beijing Information Science and Technology University, Beijing 100101, P. R. China

E-mail Address: zlw@bistu.edu.cn

Search for more papers by this author

Huiwen Yang

https://orcid.org/0009-0008-5420-7388

School of Computer Science, Beijing Information Science and Technology University, Beijing 100101, P. R. China

E-mail Address: yhw_yagol@bistu.edu.cn

Search for more papers by this author

Shifan Liu

https://orcid.org/0009-0001-1454-934X

School of Computer Science, Beijing Information Science and Technology University, Beijing 100101, P. R. China

E-mail Address: pawn2017@bistu.edu.cn

Search for more papers by this author

, and

Zhanqi Cui

https://orcid.org/0000-0002-5537-9236

School of Computer Science, Beijing Information Science and Technology University, Beijing 100101, P. R. China

Key Laboratory of Safety-Critical Software, (Nanjing University of Aeronautics and Astronautics), Ministry of Industry and Information, Nanjing 211106, P. R. China

E-mail Address: czq@bistu.edu.cn

Corresponding author.

Search for more papers by this author

https://doi.org/10.1142/S0218194023410061Cited by:2 (Source: Crossref)

This article is part of the issue:

Special Issue on Best Papers from SEKE23
Guest Editors: Shi-Kuo Chang and Giuseppe Polese

Abstract

Smart contracts are programs running on blockchain. In recent years, due to the persistent occurrence of security-related accidents in smart contracts, the effective detection of vulnerabilities in smart contracts has received extensive attention from researchers and engineers. Machine learning-based vulnerability detection techniques have the advantage that they do not need expert rules for determining vulnerabilities. However, existing approaches cannot identify vulnerabilities when the versions of smart contract compilers are updated. In this paper, we propose OC-Detector (Opcode Clustering Detector), a smart contract vulnerability detection approach based on clustering opcode instructions. OC-Detector learns the characteristics of opcode instructions to cluster them and replaces opcode instructions belonging to the same cluster with the ID of the cluster. After that, the similarity between the contract under analysis and contracts in the vulnerability database is calculated to identify vulnerabilities. The experimental results demonstrate that OC-Detector improves the F₁ value of detecting vulnerabilities from 0.04 to 0.40 compared to DC-Hunter, Securify, SmartCheck and Osiris. Additionally, compared to DC-Hunter, the F₁ value is improved by 0.27 when detecting vulnerabilities in smart contracts compiled by different versions of compilers.

Keywords:

References

1. S. Benahmed, I. Pidikseev, R. Hussain et al., A comparative analysis of distributed ledger technologies for smart contract development, in 2019 IEEE 30th Annual Int. Symp. Personal, Indoor and Mobile Radio Communications, 2019, pp. 1–6. Crossref, Google Scholar
2. P. Shen, S. Li and M. Huang et al., A survey on safety regulation technology of blockchain application and blockchain ecology, 2022 IEEE Int. Conf. Blockchain, 2022, pp. 494–499. Crossref, Google Scholar
3. W. Wang, J. Song and G. Xu et al., Contractward: Automated vulnerability detection models for ethereum smart contracts, IEEE Trans. Netw. Sci. Eng. 8(2) (2020) 1133–1144. Crossref, Web of Science, Google Scholar
4. S. M. Han, B. Liang and J. J. Huang, DC-Hunter: Detecting dangerous smart contracts via bytecode matching, J. Cyber Secur. 5(3) (2020) 100–112. Google Scholar
5. P. Tsankov, A. Dan and D. Drachsler-Cohen et al., Securify: Practical security analysis of smart contracts, Proc. 2018 ACM SIGSAC Conf. Computer and Communications Security, 2018, pp. 67–82. Crossref, Google Scholar
6. S. Tikhomirov, E. Voskresenskaya, I. Ivanitskiy et al., Smartcheck: Static analysis of ethereum smart contracts, Proc. 1st Int. Workshop on Emerging Trends in Software Engineering for Blockchain, 2018, pp. 9–16. Crossref, Google Scholar
7. C. F. Torres, J. Schütte and R. State, Osiris: Hunting for integer bugs in ethereum smart contracts, Proc. 34th Annual Computer Security Applications Conf., 2018, pp. 664–676. Crossref, Google Scholar
8. S. K. Singh, M. M. Salim, M. Cho et al., Smart contract-based pool hopping attack prevention for blockchain networks, Symmetry 11(7) (2019) 941. Crossref, Web of Science, Google Scholar
9. V. Buterin, A next-generation smart contract and decentralized application platform, White Paper 3(37) (2014) 2–1. Google Scholar
10. S. Nakamoto, Bitcoin: A peer-to-peer electronic cash system, Decentralized Business Review, 2008. Google Scholar
11. C. Shi, Y. Xiang, J. Yu et al., A bytecode-based approach for smart contract classification, 2022 IEEE Int. Conf. Software Analysis, Evolution and Reengineering, 2022, pp. 1046–1054. Crossref, Google Scholar
12. L. Zhang, W. Chen, W. Wang et al., Cbgru: A detection method of smart contract vulnerability based on a hybrid model, Sensors 22(9) (2022) 3577. Crossref, Web of Science, Google Scholar
13. P. Qian, Z. Liu, Y. Yin et al., Cross-modality mutual learning for enhancing smart contract vulnerability detection on bytecode, Proc. ACM Web Conf., 2023, pp. 2220–2229. Crossref, Google Scholar
14. D. Chen, L. Feng, Y. Fan et al., Smart contract vulnerability detection based on semantic graph and residual graph convolutional networks with edge attention, J. Syst. Softw. 202 (2023) 111705. Crossref, Web of Science, Google Scholar
15. M. Ren, Z. Yin, F. Ma et al., Empirical evaluation of smart contract testing: What is the best choice? Proc. 30th ACM SIGSOFT Int. Symp. Software Testing and Analysis, 2021, pp. 566–579. Crossref, Google Scholar
16. J. F. Ferreira, P. Cruz, T. Durieux et al., Smartbugs: A framework to analyze solidity smart contracts, Proc. 35th IEEE/ACM Int. Conf. Automated Software Engineering, 2020, 1349–1352. Crossref, Google Scholar
17. H. W. Yang, Z. Q. Cui, X. Chen et al., Defect prediction for solidity smart contracts based on software measurement, J Softw. 33(5) (2022) 1587–1611. Google Scholar
18. A. Ghaleb and K. Pattabiraman, How effective are smart contract analysis tools? Evaluating smart contract static analysis tools using bug injection, Proc. 29th ACM SIGSOFT Int. Symp. Software Testing and Analysis, 2020, pp. 415–427. Crossref, Google Scholar
19. J. Feist, G. Grieco and A. Groce, Slither: A static analysis framework for smart contracts, 2019 IEEE/ACM 2nd Int. Workshop on Emerging Trends in Software Engineering for Blockchain, 2019, pp. 8–15. Crossref, Google Scholar
20. H. Řzanková, Different approaches to the silhouette coefficient calculation in cluster evaluation, 21st Int. Scientific Conf. AMSE Applications of Mathematics and Statistics in Economics, 2018, pp. 1–10. Google Scholar
21. H. B. Tambunan, D. H. Barus, J. Hartono et al., Electrical peak load clustering analysis using K-means algorithm and silhouette coefficient, 2020 Int. Conf. Technology and Policy in Energy and Electric Power, 2020, pp. 258–262. Crossref, Google Scholar
22. Q. Zeng, J. He, G. Zhao et al., EtherGIS: A vulnerability detection framework for ethereum smart contracts based on graph learning features, 2022 IEEE 46th Annual Computers, Software, and Applications Conf., 2022, pp. 1742–1749. Crossref, Google Scholar
23. A. Ghaleb, J. Rubin and K. Pattabiraman, eTainter: Detecting gas-related vulnerabilities in smart contracts, Proc. 31st ACM SIGSOFT Int. Symp. Software Testing and Analysis, 2022, pp. 728–739. Crossref, Google Scholar
24. A. M. Bagirov, R. M. Aliguliyev and N. Sultanova, Finding compact and well-separated clusters: Clustering using silhouette coefficients, Pattern Recognit. 135 (2023) 109144. Crossref, Web of Science, Google Scholar
25. S. Aranganayagi and K. Thangavel, Clustering categorical data using silhouette coefficient as a relocating measure, Int. Conf. Computational Intelligence and Multimedia Applications, 2007, pp. 13–17. Crossref, Google Scholar
26. R. M. Aziz, R. Mahto, K. Goel et al., Modified genetic algorithm with deep learning for fraud transactions of ethereum smart contract, Appl. Sci. 13(2) (2023) 697. Crossref, Google Scholar
27. Z. Pan, T. Hu, C. Qian et al., Redefender: A tool for detecting reentrancy vulnerabilities in smart contracts effectively, 2021 IEEE 21st Int. Conf. Software Quality, Reliability and Security, 2021, pp. 915–925. Crossref, Google Scholar
28. T. Durieux, J. F. Ferreira, R. Abreu et al., Empirical review of automated analysis tools on 47,587 ethereum smart contracts, Proc. ACM/IEEE 42nd Int. Conf. Software Engineering, 2020, pp. 530–541. Crossref, Google Scholar
29. J. Huang, S. Han, W. You et al., Hunting vulnerable smart contracts via graph embedding based bytecode matching, IEEE Trans. Inf. Forensics Secur. 16 (2021) 2144–2156. Crossref, Web of Science, Google Scholar
30. H. Wang, G. Ye, Z. Tang et al., Combining graph-based learning with automated data collection for code vulnerability detection, IEEE Trans. Inf. Forensics Secur. 16 (2020) 1943–1958. Crossref, Web of Science, Google Scholar
31. P. J. Kaur, Cluster quality based performance evaluation of hierarchical clustering method, 2015 1st Int. Conf. Next Generation Computing Technologies, 2015, pp. 649–653. Google Scholar
32. R. Hidayati, A. Zubair, A. H. Pratama et al., Analisis silhouette coefficient pada 6 perhitungan jarak K-means clustering, Techno.Com 20(2) (2021) 186–197. Crossref, Google Scholar
33. H. Hu, Q. Bai and Y. Xu, Scsguard: Deep scam detection for ethereum smart contracts, EEE INFOCOM 2022-IEEE Conf. Computer Communications Workshops, 2022, pp. 1–6. Crossref, Google Scholar
34. J. W. Liao, T. T. Tsai, C. K. He et al., Soliaudit: Smart contract vulnerability assessment based on machine learning and fuzz testing, 2019 Sixth Int. Conf. Internet of Things: Systems, Management and Security, 2019, pp. 458–465. Crossref, Google Scholar
35. W. Xiong and L. Xiong, Smart contract based data trading mode using blockchain and machine learning, IEEE Access 7 (2019) 102331–102344. Crossref, Web of Science, Google Scholar
36. Y. Xu, G. Hu, L. You et al., A novel machine learning-based analysis model for smart contract vulnerability, Secur. Commun. Netw. 2021 (2021) 1–12. Web of Science, Google Scholar
37. A. K. Gogineni, S. Swayamjyoti, D. Sahoo et al., Multi-Class classification of vulnerabilities in Smart Contracts using AWD-LSTM, with pre-trained encoder inspired from natural language processing, IOP SciNotes 1(3) (2020) 035002. Crossref, Google Scholar
38. W. Wang, J. Song, G. Xu et al., Contractward: Automated vulnerability detection models for ethereum smart contracts, IEEE Trans. Netw. Sci. Eng. 8(2) (2020) 1133–1144. Crossref, Web of Science, Google Scholar
39. Z. Gao, V. Jayasundara, L. Jiang et al., Smartembed: A tool for clone and bug detection in smart contracts through structural code embedding, 2019 IEEE Int. Conf. Software Maintenance and Evolution, 2019, pp. 394–397. Crossref, Google Scholar
40. X. Yu, H. Zhao, B. Hou et al., Deescvhunter: A deep learning-based framework for smart contract vulnerability detection, 2021 Int. Joint Conf. Neural Networks, 2021, pp. 1–8. Crossref, Google Scholar
41. S. Yang, X. Yang and B. Shen, Self-supervised learning of smart contract representations, Proc. 30th IEEE/ACM Int. Conf. Program Comprehension, 2022, pp. 82–93. Crossref, Google Scholar
42. J. Cai, B. Li, J. Zhang et al., Combine sliced joint graph with graph neural networks for smart contract vulnerability detection, J. Syst. Softw. 195 (2023) 111550. Crossref, Web of Science, Google Scholar