The vulnerability classification follows the one summarized by securify2.

TEETHER

Because its attacker model is stealing Ether, it keys on the instructions any transfer must use: every contract containing CALL, SELFDESTRUCT, CALLCODE or DELEGATECALL is treated as a potentially vulnerable contract.

TEETHER: Gnawing at Ethereum to Automatically Exploit Smart Contracts

SmartCheck

  1. Security issues lead to exploits by a malicious user account or contract

    Balance equality (2.1.1), Unchecked external call (2.1.2), DoS by external contract (2.1.3), send instead of transfer (2.1.4), Reentrancy (2.1.5), Malicious libraries (2.1.6), Using tx.origin (2.1.7), Transfer forwards gas (2.1.8)

  2. Functional issues cause the violation of the intended functionality

    Integer division (2.2.1), Locked money (2.2.2), Unchecked math (2.2.3) -- overflow, Timestamp dependence (2.2.4), Unsafe type inference (2.2.5) -- coding convention

  3. Operational issues lead to run-time problems, e.g. bad performance

    Byte array, Costly loop -- DoS via the loop gas limit

  4. Developmental issues make code difficult to understand and improve

    Token API violation, Compiler version not fixed, private modifier, Redundant fallback function, Style guide violation, Implicit visibility level

We differentiate between functional and security issues: the former pose problems even without an adversary (though an external malicious actor can aggravate the situation), while the latter do not.

See Table 1 on page 5 of the paper.

sFUZZ

Vulnerabilities detected:

Gasless send, Exception disorder, Reentrancy, Timestamp dependency, Block number dependency, Dangerous delegatecall, Integer overflow, Integer underflow, Freezing ether

ETHPLOIT

Page 2:

Vulnerabilities of smart contract platforms could happen at the blockchain level, EVM level, and contract level. We focus on the contract-level vulnerabilities.

  1. Balance Increment (the contract can send ether to an arbitrary account)
  2. Self-destruction
  3. Code Injection (malicious code introduced from an external contract)
  1. Unchecked Transfer Value
  2. Vulnerable Access Control
  3. Exposed Secret (newly proposed by the paper)

GasFuzz

DoS With Block Gas Limit/ Out-of-Gas Vulnerability

GASPER

GAS-costly Patterns checker

3 representative patterns in 2 categories

Two categories: useless-code related patterns and loop-related patterns.

I. Category 1: Useless-code related patterns

  1. Dead code
  2. Opaque predicate

II. Category 2: Loop-related patterns

  1. Expensive operations in a loop
  2. Constant outcome of a loop
  3. Loop fusion
  4. Repeated computations in a loop
  5. Comparison with unilateral outcome in a loop

MadMax

gas-focused vulnerabilities:

  1. Unbounded Mass Operations(in loops)

    Loops whose behaviour is determined by user input may iterate too many times and exhaust the available gas.

  2. Non-Isolated External Calls (Wallet Griefing)

    Invoking external functionality: implicit code invocation on an Ether transfer, handling multiple clients without isolation, and the standard practice of aborting on a send failure.

  3. Integer Overflows

    Integer overflow in specific situations, e.g. a loop whose bound overflows so that it never terminates and burns all gas.

1 and 2 are two concrete sub-categories of DoS With Block Gas Limit / Out-of-Gas Vulnerability.
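To make MadMax's first two patterns concrete, here is an added illustration (not code from the MadMax paper or any real contract): a constructed payout contract that shows both the unbounded mass operation and the non-isolated external call, followed by a pull-payment variant that avoids them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: a payout contract that walks a caller-grown array
// and pays every entry inside one transaction.
contract NaivePayout {
    address[] public recipients;               // grows with every register()
    mapping(address => uint256) public owed;

    function register() external payable {
        recipients.push(msg.sender);           // length is caller-controlled
        owed[msg.sender] += msg.value;
    }

    // Pattern 1 (unbounded mass operation): the loop length is decided by
    // users, so the transaction eventually exceeds the block gas limit.
    // Pattern 2 (non-isolated external call / wallet griefing): transfer()
    // reverts when a recipient's fallback reverts or runs out of gas, so a
    // single bad client blocks payouts to everyone else.
    function payAll() external {
        for (uint256 i = 0; i < recipients.length; i++) {
            address r = recipients[i];
            uint256 amount = owed[r];
            owed[r] = 0;
            payable(r).transfer(amount);       // one failure reverts the loop
        }
    }
}

// Hardened variant: each client withdraws its own balance (pull payment).
// There is no loop over caller-controlled data, and a failing recipient
// only affects its own withdraw() call.
contract PullPayout {
    mapping(address => uint256) public owed;

    function register() external payable {
        owed[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;                  // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "send failed");            // failure isolated to caller
    }
}
```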

Vandal

  1. Unchecked Send

  2. Reentrancy

  3. Unsecured Balance / Incorrect Constructor Name

    From Solidity 0.4.22 onward this can be ruled out entirely if the contract is written correctly.

  4. Destroyable contracts

    The selfdestruct call is insufficiently authenticated and can be invoked by anyone.

  5. Origin vulnerabilities

    Authentication based on tx.origin.

Ethainter

  1. accessible selfdestruct
  2. tainted selfdestruct
  3. tainted owner variable
  4. unchecked tainted staticcall
  5. tainted delegatecall

Classifications seen so far

  1. SmartCheck's classification
  2. 最全整理|智能合约审计工具检测内容有哪些? (Chinese article: "The most complete compilation: what do smart contract audit tools detect?")
  3. ConsenSys Known Attacks
  4. MythX detectors
  5. Classification of smart contract vulnerabilities
  6. solidity-security-blog
  7. A Survey on Ethereum Systems Security: Vulnerabilities, Attacks and Defenses

SmartCheck vulnerability list