HoRStify is a smart contract analyis tool for dependency based 2-safety security properties. The research was conducted at Max Planck Institute for Security and Privacy and Saarland University.
Paper Abstract
The cryptocurrency Ethereum is the most widely used execution platform for smart contracts. Smart contracts are distributed applications, which govern financial assets and, hence, can implement advanced financial instruments, such as decentralized exchanges or autonomous organizations (DAOs). Their financial nature makes smart contracts an attractive attack target, as demonstrated by numerous exploits on popular contracts resulting in financial damage of millions of dollars. This omnipresent attack hazard motivates the need for sound static analysis tools, which assist smart contract developers in eliminating contract vulnerabilities a priori to deployment. Vulnerability assessment that is sound and insightful for EVM contracts is a formidable challenge because contracts execute low-level bytecode in a largely unknown and potentially hostile execution environment. So far, there exists no provably sound automated analyzer that allows for the verification of security properties based on program dependencies, even though prevalent attack classes fall into this category. In this work, we present HoRStify, the first automated analyzer for dependency properties of Ethereum smart contracts based on sound static analysis. HoRStify grounds its soundness proof on a formal proof framework for static program slicing that we instantiate to the semantics of EVM bytecode. We demonstrate that HoRStify is flexible enough to soundly verify the absence of famous attack classes such as timestamp dependency and, at the same time, performant enough to analyze real-world smart contracts.
Tool
Now at GitHub!
Publications
- HoRStify Research Paper to be presented at IEEE CSF 2023 in Dubrovnik, Croatia.
- Short version presented at LPAR 2023 in Manizales, Colombia.
- Full Version with technical details at arXiv
Citation
1
2
3
4
5
6
7
8
@inproceedings{holler2023horstify,
title={HoRStify: Sound Security Analysis of Smart Contracts},
author={Holler, Sebastian and Biewer, Sebastian and Schneidewind, Clara},
booktitle={2023 2023 IEEE 36th Computer Security Foundations Symposium (CSF)(CSF)},
pages={347--362},
year={2023},
organization={IEEE Computer Society}
}