Clairvoyance


Static program analysis still plays a key role in detecting and fixing vulnerabilities (e.g., reentrancy) in smart contracts. However, the existing static analyzers still suffer from two major limitations:

  • lack of inter-contract analysis
  • lack of path feasibility analysis, given the techniques programmers use to prevent reentrancy (e.g., permission controls, hard-coded addresses and execution locks).

In this work, we present Clairvoyance, a cross-function and cross-contract static analysis that detects reentrancy vulnerabilities in smart contracts by identifying infeasible paths.

Note

To reduce FNs, we enable, for the first time, a cross-contract call chain analysis by tracking possibly tainted paths. To reduce FPs, we have conducted extensive empirical studies and summarized five major path protective techniques (PPTs) to support fast yet precise path feasibility checking.
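As an added illustration (not code from the Clairvoyance project or its dataset), the Solidity contract below places an unprotected call-before-update function next to the three protective techniques this page names: an execution lock, a permission control and a hard-coded address. `GuardedBank`, `IVault`, all function names and the callee address are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; every name and the address below are hypothetical.
interface IVault { function notify(uint256 amount) external; }
contract GuardedBank {
    mapping(address => uint256) public balances;
    address public immutable owner;
    bool private locked; // execution lock state
    // Constructed placeholder address, not a real deployment.
    IVault private constant VAULT = IVault(0x0000000000000000000000000000000000001234);
    constructor() { owner = msg.sender; }
    function deposit() external payable { balances[msg.sender] += msg.value; }

    // Unprotected: the external call precedes the state update and the callee
    // is caller-controlled, so a reentrancy report here is a true positive.
    function withdrawUnsafe() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        balances[msg.sender] = 0;
    }

    // Execution lock: same call-before-update ordering, but a nested entry
    // into this function reverts at the first require (infeasible path).
    function withdrawLocked() external {
        require(!locked, "reentrant call");
        locked = true;
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        balances[msg.sender] = 0;
        locked = false;
    }

    // Permission control: any caller other than owner reverts before the call.
    function ownerPayout(address payable to) external {
        require(msg.sender == owner, "not owner");
        uint256 amount = balances[to];
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
        balances[to] = 0;
    }

    // Hard-coded address: the callee is fixed at compile time, not caller-chosen.
    function report() external {
        VAULT.notify(balances[msg.sender]);
        balances[msg.sender] = 0;
    }
}
```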

We have implemented our approach and compared Clairvoyance with three state-of-the-art approaches on 17770 real-world contracts. Results show that Clairvoyance yields the best detection accuracy among all tools and also finds 76 unknown reentrancy vulnerabilities. In addition, Clairvoyance is comparable to the fastest rule-based tool (i.e., Slither) in analysis time, but significantly faster than the verification-based tools Oyente and Securify.

On this website, we present a sample of the vulnerable smart contract code flagged by Clairvoyance and show our exploits. Each exploit consists of the contract's metadata (e.g., transaction count and the ether involved), the exploit code and a concise explanation. Exploits will be continuously updated in the future.

Supplementary Materials:

  1. FPs Overlapping

Please see FP Venn Diagram

  2. Our Dataset

We publish the datasets used in our empirical study and evaluations as empirical study data (11714 contracts) and evaluation data (17770 contracts). In particular, the dataset used in our empirical study was crawled directly from the Ethereum blockchain. For the evaluations, to keep the data distinct from the empirical study dataset, we first obtained smart contract deployment addresses from the Google BigQuery public dataset, introduced in https://cloud.google.com/blog/products/data-analytics/ethereum-bigquery-public-dataset-smart-contract-analytics. We then downloaded the contracts by querying the Etherscan API with those deployment addresses.

  3. F1 Score of Tools

To compare the tools used in the experiment and assess their effectiveness intuitively, we calculate their F1 scores and list them in the following table.

            Slither   Oyente   Securify   Clairvoyance
Precision   1.85%     14.28%   0.49%      73.80%
Recall      2.45%     3.27%    2.45%      100.0%
F1 Score    2.10%     5.32%    0.81%      84.92%

Online Service:

We provide an online detection service at http://47.100.164.141:8080/. To use it, paste your suspicious smart contract code into the edit area and press the “go” button to start the detection process. The vulnerability report will then be listed.