Toward Automated Detecting Unanticipated Price Feed in Smart Contract
Decentralized finance (DeFi) based on smart contracts has reached a total value locked (TVL) of over USD 200 billion in 2022. In DeFi ecosystems, price oracles play a critical role in providing real-time price feeds for cryptocurrencies to ensure accurate asset pricing in smart contracts. However, price oracles also face security issues, including the possibility of unanticipated price feeds, which can lead to imbalances in debt and assets in the DeFi protocol. Existing solutions cannot effectively combine transactions and code for real-time monitoring of price oracles.
To address this limitation, we first categorize price oracles as either DON oracles, DEX oracles, or internal oracles based on trusted parties, and analyze their security risks, data sources, price duration, and query fees. Then, we propose VeriOracle, a formal verification framework for the automated detection of unanticipated price feeds in smart contracts. VeriOracle can deploy a formal semantic model of the price oracle on the blockchain to detect the status of smart contracts and identify unanticipated price feed transactions in real time. We apply VeriOracle to verify over 500,000 transactions of 13 vulnerable DeFi protocols in the real world. The experimental results show that (1) VeriOracle is effective and it can detect unanticipated price feeds before DeFi attacks (33,714 blocks ahead of the attacker in the best case); (2) VeriOracle is efficient in that its verification time (about 4s) is less than the block time of Ethereum (about 14s), which means VeriOracle can detect unsafe transactions in real time; and (3) VeriOracle is extendable for verifying defense strategies. Attacks using unanticipated price feeds can only succeed in particular smart contract states. VeriOracle can verify which smart contract states can defend against attacks.
Thu 20 Jul (displayed time zone: Pacific Time (US & Canada))
13:30 - 15:00
Dependency-Aware Metamorphic Testing of Datalog Engines
GDsmith: Detecting Bugs in Cypher Graph Database Engines
Ziyue Hua (Peking University), Wei Lin (Peking University), Luyao Ren (Peking University), Zongyang Li (Peking University), Lu Zhang (Peking University), Wenpin Jiao (Peking University), Tao Xie (Peking University)
Testing Graph Database Engines via Query Partitioning
Matteo Kamm (ETH Zurich), Manuel Rigger (National University of Singapore), Chengyu Zhang (ETH Zurich), Zhendong Su (ETH Zurich)
Toward Automated Detecting Unanticipated Price Feed in Smart Contract
Yifan Mo (Sun Yat-sen University), Jiachi Chen (Sun Yat-sen University), Yanlin Wang (Sun Yat-sen University), Zibin Zheng (Sun Yat-sen University)
Definition and Detection of Defects in NFT Smart Contracts
Shuo Yang (Sun Yat-sen University), Jiachi Chen (Sun Yat-sen University), Zibin Zheng (Sun Yat-sen University)