DeFiTainter: Detecting Price Manipulation Vulnerabilities in DeFi Protocols
DeFi protocols are programs that manage high-value digital assets on blockchain. The price manipulation vulnerability is one of the common vulnerabilities in DeFi protocols, which allows attackers to gain excessive profits by manipulating token prices. In this paper, we propose DeFiTainter, an inter-contract taint analysis framework for detecting price manipulation vulnerabilities. DeFiTainter features two innovative mechanisms to ensure its effectiveness. The first mechanism is to construct a call graph for inter-contract taint analysis by restoring call information, not only from code constants but also from contract storage and function parameters. The second mechanism is a high-level semantic induction tailored for detecting price manipulation vulnerabilities, which accurately identifies taint sources and sinks and tracks taint data across contracts. Extensive evaluation of real-world incidents and high-value DeFi protocols shows that DeFiTainter outperforms existing approaches and achieves state-of-the-art performance with a precision of 96% and a recall of 91.3% in detecting price manipulation vulnerabilities. Furthermore, DeFiTainter uncovers three previously undisclosed price manipulation vulnerabilities.
Wed 19 JulDisplayed time zone: Pacific Time (US & Canada) change
15:30 - 17:00 | ISSTA Online 6: Smart Contracts and AutomotiveTechnical Papers at Bezos Seminar Room (Gates G04) Chair(s): Alex Groce Northern Arizona University | ||
15:30 10mTalk | SmartState: Detecting State-Reverting Vulnerabilities in Smart Contracts via Fine-Grained State-Dependency Analysis Technical Papers Zeqin Liao Sun Yat-sen University, Sicheng Hao Sun Yat-sen University, Yuhong Nan Sun Yat-sen University, Zibin Zheng Sun Yat-sen University DOI | ||
15:40 10mTalk | DeFiTainter: Detecting Price Manipulation Vulnerabilities in DeFi Protocols Technical Papers Queping Kong Sun Yat-sen University, Jiachi Chen Sun Yat-sen University, Yanlin Wang Sun Yat-sen University, Zigui Jiang Sun Yat-sen University, Zibin Zheng Sun Yat-sen University DOI | ||
15:50 10mTalk | Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts Technical Papers Yuzhou Fang Hong Kong University of Science and Technology, Daoyuan Wu Chinese University of Hong Kong, Xiao Yi Chinese University of Hong Kong, Shuai Wang Hong Kong University of Science and Technology, Yufan Chen Xidian University, Mengjie Chen Mask Network, Yang Liu Nanyang Technological University, Lingxiao Jiang Singapore Management University DOI | ||
16:00 10mTalk | Testing Automated Driving Systems by Breaking Many Laws Efficiently Technical Papers Xiaodong Zhang Xidian University, Zhao Wei Tencent, Yang Sun Singapore Management University, Jun Sun Singapore Management University, Yulong Shen Xidian University, Xuewen Dong Xidian University, Zijiang Yang GuardStrike DOI | ||
16:10 10mTalk | Simulation-Based Validation for Autonomous Driving Systems Technical Papers Changwen Li Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Joseph Sifakis University Grenoble Alpes; CNRS; Grenoble INP; VERIMAG, Qiang Wang Academy of Military Sciences, Rongjie Yan Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Jian Zhang Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences DOI | ||
16:20 10mTalk | Data Constraint Mining for Automatic Reconciliation Scripts Generation Technical Papers Tianxiao Wang Zhejiang University; Alibaba-Zhejiang University Joint Institute of Frontier Technologies, Chen Zhi Zhejiang University; Alibaba-Zhejiang University Joint Institute of Frontier Technologies, Xiaoqun Zhou Alibaba Group, Jinjie Wu Alibaba Group, Jianwei Yin Zhejiang University, Shuiguang Deng Zhejiang University; Alibaba-Zhejiang University Joint Institute of Frontier Technologies DOI | ||