
Smart Contract Vulnerability Detection Method Based On Symbolic Execution And Dynamic Testing

Posted on: 2024-01-27 | Degree: Master | Type: Thesis
Country: China | Candidate: C X Li | Full Text: PDF
GTID: 2568307058453314 | Subject: Master of Electronic Information (Professional Degree)
Abstract/Summary:
Blockchain is an open-source distributed database management system that gives users access to resources, provides information privacy mechanisms when users interact, and allows third parties to take part in system development. Smart contracts are an important application of blockchain: they implement specific functions such as data encryption and transaction processing while the platform guarantees their integrity. However, because of the lack of rigorous verification and weak support from development tools, many vulnerabilities have been found in smart contracts; several of them have been exploited, with losses of tens of millions of dollars. Since smart contracts are inherently open and tamper-proof, a single breach can lead to widespread system failures or even crashes. Enhancing the security of smart contracts and detecting their vulnerabilities efficiently is therefore of great significance.

Only a few methods exist for detecting smart contract vulnerabilities; most of them perform static detection on source code, and few are tested on deployed contracts. As blockchain technology is applied more widely on the Internet, higher requirements are placed on existing vulnerability detection tools. This thesis addresses the four most common classes of contract vulnerability: reentrancy, Ether lock, restricted write, and delegatecall (delegate invocation). It proposes a smart contract vulnerability detection method that combines symbolic execution with dynamic fuzz testing.

The thesis introduces a method that detects smart contract vulnerabilities by generating key instructions through symbolic execution. First, the control flow graph (CFG) is built by decompiling the contract bytecode; hidden vulnerabilities or potential flaws in the code can be located from the CFG. Second, based on an analysis of the characteristics of each vulnerability, key instructions and detection rules are defined, and the key paths are extracted from the CFG and the key instructions. Finally, the critical paths are checked against the detection rules, path constraints are generated, and the constraints are solved with a constraint-solving algorithm.

For dynamic fuzz testing, the contract's binary interface is used to analyse the characteristics of the input data, different candidate input sets are generated for different data types, and the constraint solutions from symbolic execution are combined with them to produce fuzz test cases with higher coverage. By analysing contract context records and in-path coding, control flow can be observed and monitored during contract deployment to identify potential defects. When an abnormal control flow occurs, an embedded intrusion detection system (IDS) is invoked, the smart contract state is rolled back to reduce losses, and finally vulnerability collection and log analysis are carried out.

In summary, this thesis proposes a combined dynamic and static detection method that improves the coverage of fuzz testing by using the constraint solutions obtained during symbolic execution to generate inputs that fuzzing alone does not trigger. Building on an analysis of existing detection tools based on static symbolic test case sets, experiments on smart contracts from the Etherscan site show that combining static symbolic execution with dynamic fuzz testing improves the efficiency of smart contract vulnerability detection while increasing deployment consumption by an average of 26%, an acceptable range.
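The key-instruction step described above, as an added illustration that is not code from the thesis: a minimal EVM bytecode disassembler followed by simplified rules for three of the four vulnerability classes (reentrancy, Ether lock, delegatecall). It uses a linear instruction sweep instead of the CFG paths and constraint solving the thesis uses, so the rules are heuristics; the opcode table, rule windows and sample bytecode are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Subset of EVM opcodes that matter for the vulnerability classes discussed above.
OPCODES = {0x00: "STOP", 0x33: "CALLER", 0x34: "CALLVALUE", 0x35: "CALLDATALOAD",
           0x54: "SLOAD", 0x55: "SSTORE", 0x56: "JUMP", 0x57: "JUMPI", 0x5A: "GAS",
           0x5B: "JUMPDEST", 0xF0: "CREATE", 0xF1: "CALL", 0xF3: "RETURN",
           0xF4: "DELEGATECALL", 0xFD: "REVERT", 0xFF: "SELFDESTRUCT"}
VALUE_EXITS = {"CALL", "DELEGATECALL", "CREATE", "SELFDESTRUCT"}  # ways Ether can leave


@dataclass
class Insn:
    pc: int
    name: str
    imm: bytes = b""


def disassemble(code: bytes) -> list[Insn]:
    """Linear sweep; PUSH1..PUSH32 carry 1..32 immediate bytes that must be skipped."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7F:                      # PUSHn
            n = op - 0x5F
            insns.append(Insn(pc, f"PUSH{n}", code[pc + 1:pc + 1 + n]))
            pc += 1 + n
        else:
            insns.append(Insn(pc, OPCODES.get(op, f"UNKNOWN_{op:02x}")))
            pc += 1
    return insns


def detect(code: bytes) -> dict[str, bool]:
    """Apply simplified key-instruction rules to the instruction stream (heuristic)."""
    names = [i.name for i in disassemble(code)]
    # Reentrancy: a storage write that comes after the external CALL, i.e. state
    # is updated only after the callee has had a chance to re-enter.
    first_call = names.index("CALL") if "CALL" in names else None
    reentrancy = first_call is not None and "SSTORE" in names[first_call:]
    # Ether lock: the contract reads msg.value (accepts Ether) but contains no
    # instruction through which Ether could ever leave it again.
    ether_lock = "CALLVALUE" in names and not (VALUE_EXITS & set(names))
    # Delegatecall: target loaded from calldata shortly before the call, so the
    # caller chooses whose code runs in this contract's storage context.
    delegatecall = any(names[k] == "DELEGATECALL" and "CALLDATALOAD" in names[max(0, k - 8):k]
                       for k in range(len(names)))
    return {"reentrancy": reentrancy, "ether_lock": ether_lock, "delegatecall": delegatecall}
```

A contract that follows checks-effects-interactions (SSTORE before CALL) is not flagged by the reentrancy rule, which is the property the thesis's path constraints refine further.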
Keywords/Search Tags: smart contract, vulnerability detection, symbolic execution, dynamic detection, fuzz testing