CRII: SaTC: Discerning the Upgradeability of Smart Contracts in Blockchains From a Security Perspective

CRII：SaTC：从安全角度辨别区块链智能合约的可升级性

• 批准号: 2245627
• 负责人: Binghui Wang
• 金额: $ 17.48万
• 依托单位: Illinois Institute of Technology
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-03-15 至 2024-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2245627&HistoricalAwards=false
• 关键词: CRII; SaTC; Discerning; Upgradeability; Smart

Smart contracts in blockchains, which store cryptocurrencies and tokens worth billions of USD, have transformed many important aspects of our lives, such as finance and gaming. Smart contracts are widely believed to have strong security guarantees as they are immutable once deployed, not even the owner of the contract can change its code. However, a new type of smart contract, namely upgradeable smart contract (USC), allows developers to upgrade the logic of their smart contracts and practically breaks the security assumption. This special type of smart contract has become increasingly prominent and has been adopted by many major companies (e.g., Compound Finance and Opensea.io). Despite the importance, there exists no comprehensive research that studies the status quo of USCs in the wild and even worse, the emerging security risks that are associated with upgradeability. This project conducts a series of novel studies to discern the upgradeability of smart contracts in the real world. Specifically, it answers three essential research questions regarding the importance of USCs in the current market, different design patterns and their strengths and weaknesses, and more importantly, the real-world security risks with USCs. To do so, this project pioneers a practical static analysis-based approach to effectively detect USCs based on intrinsic characteristics, and perform further automatic behavior and security analyses. To differentiate USC design patterns, this project develops a complete taxonomy that can systematically characterize USCs at both syntactic and semantic levels. Moreover, the investigator conducts the first extensive and large-scale study on USCs to uncover and report unique designs and security risks in the real world. Eventually, this project creates the first comprehensive USC dataset that facilitates future research in this emerging direction.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

区块链中的智能合约存储了价值数十亿美元的加密货币和代币，已经改变了我们生活的许多重要方面，例如金融和游戏。人们普遍认为智能合约具有强大的安全保证，因为它们一旦部署就不可更改，即使是合约的所有者也无法更改其代码。然而，一种新型智能合约，即可升级智能合约（USC），允许开发人员升级其智能合约的逻辑，实际上打破了安全假设。这种特殊类型的智能合约变得越来越突出，并已被许多大公司采用（例如，Compound Finance 和 Opensea.io）。尽管很重要，但目前还没有全面的研究来研究 USC 的现状，更糟糕的是，还没有研究与可升级性相关的新兴安全风险。该项目进行了一系列新颖的研究，以辨别现实世界中智能合约的可升级性。具体来说，它回答了三个基本研究问题：USC 在当前市场中的重要性、不同的设计模式及其优缺点，更重要的是 USC 的现实安全风险。为此，该项目开创了一种基于静态分析的实用方法，可以根据内在特征有效检测 USC，并执行进一步的自动行为和安全分析。为了区分 USC 设计模式，该项目开发了一个完整的分类法，可以在句法和语义层面系统地表征 USC。此外，研究人员对 USC 进行了首次广泛和大规模的研究，以发现和报告现实世界中的独特设计和安全风险。最终，该项目创建了第一个综合的南加州大学数据集，促进了这一新兴方向的未来研究。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Proxy Hunting: Understanding and Characterizing Proxy-based Upgradeable Smart Contracts in Blockchains

代理狩猎：理解和表征区块链中基于代理的可升级智能合约

• DOI: 10.48550/arxiv.2310.20212
• 发表时间: 2024-09-14
• 期刊: ArXiv
• 作者: William Edward Bodell;Sajad Meisami;Yue Duan
• 通讯作者: Yue Duan