A De Facto Standard for ERC-20 API Functional Specifications and Its Conformance Review Method for Ethereum Smart Contracts

A De Facto Standard for the ERC-20 API Functional Specification of Ethereum Smart Contract Programs and a Conformance Review Method

  • Received : 2022.05.02
  • Accepted : 2022.06.24
  • Published : 2022.10.31

Abstract

ERC-20, the standard API for Ethereum token smart contracts, was introduced to ensure compatibility among applications such as wallets and decentralized exchanges. However, many compatibility vulnerability problems have existed because there are neither rigorous functional specifications for each API function nor conformance review tools for the standard. In this paper, we proposed a new review procedure, and a tool that performs it, to review whether ERC-20 token smart contract programs for the Ethereum blockchain conform to the de facto standard. Based on an analysis of the ERC-20 API functional behavior of the top 100 token smart contract programs on the existing Ethereum blockchain, we explicitly defined a specification of the de facto ERC-20 API standard. The new specification enabled us to design a systematic review method for Ethereum smart contract programs. We developed a tool to support this review method and evaluated a few benchmark programs with it.

ERC-20, the standard API for Ethereum token smart contracts, was introduced to guarantee compatibility among applications such as wallets and decentralized exchanges. However, because neither a rigorous functional specification of the API behavior nor a standard-conformance review tool is available, compatibility vulnerability problems can arise. In this paper we proposed a new review procedure, and a tool supporting it, that checks whether ERC-20 token smart contract programs on the Ethereum blockchain conform to the de facto standard. Based on knowledge gained from analyzing the ERC-20 API functional behavior of the top 100 token smart contract programs by market position on the existing Ethereum blockchain, we explicitly defined the de facto standard, and with this definition we were able to design a method for systematically reviewing new ERC-20 smart contract programs. We developed a tool supporting this review method and evaluated it experimentally on benchmark programs.
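To make the review idea concrete, the following added example (not the paper's tool or code) models an ERC-20 token in memory and runs a small set of conformance checks drawn from the EIP-20 text: a transfer of more than the balance should throw, a zero-value transfer must still fire the Transfer event, and transferFrom must consume allowance. The `lenient` switch is a constructed knob that makes the model return false instead of reverting, so the review reports it as a deviation.

```python
from dataclasses import dataclass, field

class Revert(Exception):
    pass  # stands in for an EVM revert of the calling transaction

@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)
    events: list = field(default_factory=list)
    lenient: bool = False  # constructed knob: return False instead of reverting
    def _fail(self, msg):
        if self.lenient:
            return False
        raise Revert(msg)
    def transfer(self, sender, to, value):
        if self.balances.get(sender, 0) < value:
            return self._fail("insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - value
        self.balances[to] = self.balances.get(to, 0) + value
        self.events.append(("Transfer", sender, to, value))  # fired even for value 0
        return True
    def approve(self, owner, spender, value):
        self.allowances[(owner, spender)] = value
        self.events.append(("Approval", owner, spender, value))
        return True
    def transfer_from(self, spender, owner, to, value):
        if self.allowances.get((owner, spender), 0) < value:
            return self._fail("insufficient allowance")
        self.allowances[(owner, spender)] -= value
        return self.transfer(owner, to, value)

def review(make_token):
    """Run each check on a fresh token from make_token(balances); return failing names."""
    def insufficient_balance_reverts():  # EIP-20: SHOULD throw
        t = make_token({"a": 5})
        try:
            t.transfer("a", "b", 6)
        except Revert:
            return True
        return False  # returned instead of reverting
    def zero_value_transfer_fires_event():  # EIP-20: MUST fire Transfer
        t = make_token({"a": 5})
        return t.transfer("a", "b", 0) and ("Transfer", "a", "b", 0) in t.events
    def transfer_from_reduces_allowance():
        t = make_token({"a": 5})
        t.approve("a", "s", 3)
        ok = t.transfer_from("s", "a", "b", 2)
        return ok and t.allowances[("a", "s")] == 1 and t.balances["b"] == 2
    return [c.__name__ for c in (insufficient_balance_reverts,
            zero_value_transfer_fires_event, transfer_from_reduces_allowance) if not c()]
```

Running `review` against a strict token yields an empty list, while the lenient variant is reported for returning false where EIP-20 expects a throw; a real review tool would drive the deployed contract's functions the same way.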

Acknowledgement

This work was supported by the Institute for Information & Communications Technology Planning & Evaluation (IITP) under the University ICT Research Center support program funded by the Ministry of Science and ICT, Korea (IITP-2022-2017-0-01628).
