SAILFISH System to Find State-Inconsistency Bugs in Smart Contracts

A group of academics from the University of California, Santa
Barbara, has demonstrated what it calls a “scalable technique” to
vet smart contracts and mitigate state-inconsistency bugs,
discovering 47 zero-day vulnerabilities on the Ethereum blockchain
in the process.

Smart contracts are programs^[1]
stored on the blockchain that are automatically executed when
predetermined conditions are met based on the encoded terms of the
agreement. They allow trusted transactions and agreements to be
carried out between anonymous parties without the need for a
central authority.

In other words, the code itself is meant to be the final arbiter
of “the deal” it represents, with the program controlling all
aspects of the execution, and providing an immutable evidentiary
audit trail of transactions that are both trackable and
irreversible.

This also means that vulnerabilities in the code could result in
hefty losses, as evidenced by hacks aimed at the DAO^[2]
and more recently, MonoX^[3], where adversaries
exploited loopholes to illicitly siphon funds, a scenario that
could have catastrophic consequences given the burgeoning adoption
of smart contracts over the past few years.

“Since smart contracts are not easily upgradable, auditing the
contract’s source pre-deployment, and deploying a bug-free contract
is even more important than in the case of traditional software,”
the researchers detailed in a paper^[4].

Enter Sailfish, which aims to catch state inconsistency
vulnerabilities in smart contracts that allow an attacker to tamper
with the execution order of the transactions or take over the
control flow^[5]
within a single transaction (i.e., reentrancy^[6]).

The tool works as follows. Given a smart contract, Sailfish
converts the contract into a dependency graph^[7], which captures the
control and data flow relations between the storage variables^[8]
and the state-changing instructions of a smart contract, using it
identify potential flaws by defining hazardous access, which are
implemented as graph queries to determine whether two different
execution paths, at least one being a write operation, operate on
the same storage variable.

The researchers evaluated Sailfish on 89,853 contracts obtained
from Etherscan^[9], identifying 47 zero-day
flaws that could be leveraged to drain Ether and even corrupt
application-specific metadata. This also includes a vulnerable
contract implementing a housing tracker that could be abused in a
manner such that a house owner can have more than one active
listing.

The findings of the study will be shared at the IEEE Symposium
on Security and Privacy (S&P^[10]) to be held in May
2022.

This is not the first time problematic smart contracts have
attracted attention from academia. In September 2020, Chinese
researchers designed^[11] a framework for
categorizing known weaknesses in smart contracts with the goal of
providing a detection criterion for each of the bugs.