Jiang Renkai, Song Shuwei, Luo Xiapu, Chen Ting, Luo Ruijie, Wang Bingsen, Qiao Ao. DEALS——Track Token Transfer Information Inconsistency[J]. Journal of Computer Research and Development, 2024, 61(2): 274-288. DOI: 10.7544/issn1000-1239.202330613

DEALS——Track Token Transfer Information Inconsistency

  • Author Bio:

    Jiang Renkai: born in 1999. Master's candidate. His main research interests include blockchain security.

    Song Shuwei: born in 1999. PhD candidate. His main research interests include blockchain security.

    Luo Xiapu: born in 1977. PhD, professor. His main research interests include blockchain security.

    Chen Ting: born in 1987. PhD, professor. His research interests include blockchain, smart contracts, and software security.

    Luo Ruijie: born in 1998. Master's degree. His main research interests include blockchain security.

    Wang Bingsen: born in 1998. Master's degree. His main research interests include blockchain security.

    Qiao Ao: born in 1999. Master's candidate. His main research interests include blockchain security.

  • Received Date: July 25, 2023
  • Revised Date: September 20, 2023
  • Available Online: October 08, 2023
  • Blockchain allows traditional exchanges and lending houses to be extended into decentralized platforms (Depl), which let anyone access exchange and lending services without intermediaries. Most Depls are implemented as smart contracts running on Ethereum and interact with another kind of smart contract, the cryptocurrency (i.e., token) contract, to achieve various functions. Although Depls involve more than 35 billion worth of tokens, little is known about whether the actual transfer of tokens is consistent with what the Depl expects. An inconsistency between the actual transfer of tokens and what the decentralized platform expects is known as behavioral inconsistency, and it results in property damage and user confusion. In this work, we take the first step to investigate such inconsistency between Depls and tokens. We propose to detect inconsistency automatically by monitoring changes to the core data structures of the Depl and the token, and comparing the actual token transfer behavior with the behavior indicated by the Depl's internal records. The experimental results show that inconsistent behavior exists in 1012749 transactions with an accuracy of 98.0%, which involves 2871 pairs of Depl and tokens, and is related to 110 Depl and 2544 tokens. In addition, 10 main reasons behind the inconsistency are summarized, e.g., cheater Depl, inconsistent scale, unclear coin lock rules, etc.
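
The comparison the abstract describes can be sketched as follows. This is an added example, not the DEALS implementation or code from the paper. The addresses, the sample storage writes and the deposit/withdrawal model (the platform's ledger credit should equal the tokens the platform address actually receives) are assumptions constructed for illustration.

```python
from collections import defaultdict

PLATFORM = "0xPLATFORM"  # constructed placeholder address
# Constructed sample: (account, balance_before, balance_after) writes per transaction.
SAMPLE_TXS = {
    "tx_consistent": {
        "token": [("0xALICE", 500, 400), (PLATFORM, 1000, 1100)],
        "ledger": [("0xALICE", 0, 100)],
    },
    "tx_short_receipt": {  # constructed token that diverts 2 units on transfer
        "token": [("0xBOB", 500, 400), (PLATFORM, 1100, 1198), ("0xFEE", 0, 2)],
        "ledger": [("0xBOB", 0, 100)],
    },
}

def net_deltas(writes):
    """Collapse storage writes into the net balance change per account."""
    net = defaultdict(int)
    for account, before, after in writes:
        net[account] += after - before
    return {acct: d for acct, d in net.items() if d}

def check_transaction(platform, token_writes, ledger_writes):
    """Compare the token's balance mapping with the platform's internal ledger.

    Assumed model: a deposit credits the user in the ledger and moves the same
    amount of tokens to the platform address; a withdrawal is the reverse.
    """
    token = net_deltas(token_writes)
    ledger = net_deltas(ledger_writes)
    received = token.get(platform, 0)  # what the token contract actually moved
    recorded = sum(ledger.values())    # what the platform believes happened
    findings = []
    if received != recorded:
        findings.append(f"platform recorded {recorded:+d} but token moved {received:+d}")
    for user, credited in ledger.items():
        paid = -token.get(user, 0)
        if paid != credited:
            findings.append(f"{user}: ledger {credited:+d} vs token {paid:+d}")
    return {"received": received, "recorded": recorded, "findings": findings}

def scan(txs, platform=PLATFORM):
    """Run the check over every transaction and return the results by id."""
    return {txid: check_transaction(platform, t["token"], t["ledger"])
            for txid, t in txs.items()}

if __name__ == "__main__":
    for txid, result in scan(SAMPLE_TXS).items():
        print(txid, result["findings"] or "consistent")
```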
