Demystifying and Detecting Cryptographic Defects in Ethereum Smart Contracts

Ethereum has officially provided a set of system-level cryptographic APIs to enhance smart contracts with cryptographic capabilities. These APIs have been utilized in over 10% of Ethereum transactions, motivating developers to implement various on-chain cryptographic tasks, such as digital signature...

Full description

Saved in:
Bibliographic Details
Published in:Proceedings / International Conference on Software Engineering pp. 3009 - 3021
Main Authors: Zhang, Jiashuo, Shen, Yiming, Chen, Jiachi, Su, Jianzhong, Wang, Yanlin, Chen, Ting, Gao, Jianbo, Chen, Zhong
Format: Conference Proceeding
Language:English
Published: IEEE 26.04.2025
Subjects:
Blockchains
cryptography
Defect detection
defects detection
Digital signatures
Ethereum
Fuzzing
Semantics
Smart contracts
Software engineering
ISSN:1558-1225
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Ethereum has officially provided a set of system-level cryptographic APIs to enhance smart contracts with cryptographic capabilities. These APIs have been utilized in over 10% of Ethereum transactions, motivating developers to implement various on-chain cryptographic tasks, such as digital signatures. However, since developers may not always be cryptographic experts, their ad-hoc and potentially defective implementations could compromise the theoretical guarantees of cryptography, leading to real-world security issues. To mitigate this threat, we conducted the first study aimed at demystifying and detecting cryptographic defects in smart contracts. Through the analysis of 2,406 real-world security reports, we defined nine types of cryptographic defects in smart contracts with detailed descriptions and practical detection patterns. Based on this categorization, we proposed Crysol, a fuzzing-based tool to automate the detection of cryptographic defects in smart contracts. It combines transaction replaying and dynamic taint analysis to extract fine-grained crypto-related semantics and employs crypto-specific strategies to guide the test case generation process. Furthermore, we collected a large-scale dataset containing 25,745 real-world crypto-related smart contracts and evaluated CRYSOL's effectiveness on it. The result demonstrated that CRySOL achieves an overall precision of 95.4% and a recall of 91.2%. Notably, CRySOL revealed that 5,847 (22.7%) out of 25,745 smart contracts contain at least one crvptographic defect" hiahlighting the prevalence of these defects.
ISSN:1558-1225
DOI:10.1109/ICSE55347.2025.00010