Towards a Solider Solidity
| Autor(a) principal: | |
|---|---|
| Data de Publicação: | 2023 |
| Tipo de documento: | Dissertação |
| Idioma: | eng |
| Título da fonte: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| Texto Completo: | http://hdl.handle.net/10362/167656 |
Resumo: | Blockchains are being widely adopted since its inception. Since Ethereum popularized smart contracts and introduced its platform for developing and deploying these programs on the blockchain, there has been an unprecedented boom in decentralized applications (dApps). Smart contracts bring a new flexibility which we didn’t see in the beginning with the first generation blockchains. These programs rule important agreements between two parties involving transacting valuable assets between them. Recently we have seen a record of stealing assets from the blockchain , as they exploded and became more popular in 2020. Many known vulnerabilities include: Re-entrancy, Gasless Send, Phishing with tx.origin and Type Casts. This reinforces the importance to ensure that these programs are correct. However this is still a hard task, as the programming languages used to developed them often do not really help and smart contracts are still being exploited. Static analysis tools can prevent these bugs, if they are robust enough to detect most of the vulnerabilities which are known and not known, and ensure that these contracts are developed with the best design practices. Many of those existing tools and programming languages are still in a very early stage and not yet prepared to be used in production environments. The development of smart contracts can be done in two types of languages: domain- specific and general-purpose languages. Domain-specific languages, specifically designed for writing smart contracts, are generally considered safer than their general-purpose counterparts. Solidity, created by the Ethereum Foundation, is a DSL and stands out as the most popular language to date. However, it is not without its flaws, primarily stemming from its complexity and Turing completeness. While recent academic efforts have introduced languages aimed at addressing known vulnerabilities in Solidity, the language’s widespread adoption needs continuous improvements to improve its safety. Our contribution targets a vulnerability in Solidity related to Type Casts. We introduce a proof-of-concept language inspired by Featherweight Solidity, a formalization of Solidity as a subset with an improved type system. Specifically, our language features an extended typing address to mitigate this vulnerability. |
| id |
RCAP_b10e0244c9ed7867c1fd38341193e348 |
|---|---|
| oai_identifier_str |
oai:run.unl.pt:10362/167656 |
| network_acronym_str |
RCAP |
| network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| repository_id_str |
7160 |
| spelling |
Towards a Solider SolidityDomínio/Área Científica::Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e InformáticaBlockchains are being widely adopted since its inception. Since Ethereum popularized smart contracts and introduced its platform for developing and deploying these programs on the blockchain, there has been an unprecedented boom in decentralized applications (dApps). Smart contracts bring a new flexibility which we didn’t see in the beginning with the first generation blockchains. These programs rule important agreements between two parties involving transacting valuable assets between them. Recently we have seen a record of stealing assets from the blockchain , as they exploded and became more popular in 2020. Many known vulnerabilities include: Re-entrancy, Gasless Send, Phishing with tx.origin and Type Casts. This reinforces the importance to ensure that these programs are correct. However this is still a hard task, as the programming languages used to developed them often do not really help and smart contracts are still being exploited. Static analysis tools can prevent these bugs, if they are robust enough to detect most of the vulnerabilities which are known and not known, and ensure that these contracts are developed with the best design practices. Many of those existing tools and programming languages are still in a very early stage and not yet prepared to be used in production environments. The development of smart contracts can be done in two types of languages: domain- specific and general-purpose languages. Domain-specific languages, specifically designed for writing smart contracts, are generally considered safer than their general-purpose counterparts. Solidity, created by the Ethereum Foundation, is a DSL and stands out as the most popular language to date. However, it is not without its flaws, primarily stemming from its complexity and Turing completeness. While recent academic efforts have introduced languages aimed at addressing known vulnerabilities in Solidity, the language’s widespread adoption needs continuous improvements to improve its safety. Our contribution targets a vulnerability in Solidity related to Type Casts. We introduce a proof-of-concept language inspired by Featherweight Solidity, a formalization of Solidity as a subset with an improved type system. Specifically, our language features an extended typing address to mitigate this vulnerability.As blockchains ganharam ampla adoção desde sua criação. Desde que a Ethereum popu- larizou os smart contracts e introduziu sua plataforma para desenvolver e implantar esses programas na blockchain, houve um crescimento sem precedentes nas aplicações descen- tralizadas (dApps). Smart contracts trazem uma nova flexibilidade que não vimos no início com as blockchains de primeira geração. Esses programas regem acordos importantes entre duas partes envolvendo a transação de ativos valiosos entre elas. Recentemente, observamos um aumento no roubo de ativos da blockchain. Muitas vulnerabilidades conhecidas incluem Re-entrancy, Gasless Send, Phishing com tx.origin e Type Casts. Isso reforça a importância de garantir que esses programas estejam corretos. No entanto, ainda é uma tarefa difícil, pois as linguagens de programação usadas para desenvolvê- los muitas vezes não ajudam realmente, e smart contracts continuam sendo explorados. Ferramentas de análise estática podem prevenir esses bugs se forem robustas o suficiente para detectar a maioria das vulnerabilidades conhecidas e desconhecidas, e garantir que esses contratos sejam desenvolvidos com as melhores práticas de design. Muitas dessas ferramentas e linguagens de programação existentes ainda estão numa fase inicial e ainda não estão preparadas para serem usadas em ambientes de produção. O desenvolvimento de smart contracts pode ser feito em dois tipos de linguagens: linguagens de domínio específico e linguagens de propósito geral. As primeiras são desen- volvidas especificamente para escrever smart contracts, sendo geralmente consideradas mais seguras do as segundas. O Solidity, criado pela Ethereum Foundation, destaca-se como a linguagem mais popular até o momento. No entanto, não está isento de falhas, principalmente devido à sua complexidade e ser Turing complete. Recentemente têm sur- gido linguagens académicas a abordar vulnerabilidades conhecidas no Solidity. Contudo a já ampla adoção da linguagem aprimorar sua segurança nas áreas em que atualmente apresenta deficiências. A nossa contribuição visa uma vulnerabilidade no Solidity: Type Casts. Introduzimos uma linguagem de prova de conceito inspirada no Featherweight Solidity, uma formaliza- ção do Solidity como um subconjunto com um sistema de tipos estendido. Especificamente, a nossa linguagem apresenta um tipo address estendido mitigando essa vulnerabilidade.Ravara, AntónioPereira, MárioRUNReis, João Carlos Raposo dos2024-05-22T10:28:54Z2023-122023-12-01T00:00:00Zinfo:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/masterThesisapplication/pdfhttp://hdl.handle.net/10362/167656enginfo:eu-repo/semantics/openAccessreponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãoinstacron:RCAAP2024-05-27T01:41:39Zoai:run.unl.pt:10362/167656Portal AgregadorONGhttps://www.rcaap.pt/oai/openairemluisa.alvim@gmail.comopendoar:71602024-05-27T01:41:39Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãofalse |
| dc.title.none.fl_str_mv |
Towards a Solider Solidity |
| title |
Towards a Solider Solidity |
| spellingShingle |
Towards a Solider Solidity Reis, João Carlos Raposo dos Domínio/Área Científica::Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e Informática |
| title_short |
Towards a Solider Solidity |
| title_full |
Towards a Solider Solidity |
| title_fullStr |
Towards a Solider Solidity |
| title_full_unstemmed |
Towards a Solider Solidity |
| title_sort |
Towards a Solider Solidity |
| author |
Reis, João Carlos Raposo dos |
| author_facet |
Reis, João Carlos Raposo dos |
| author_role |
author |
| dc.contributor.none.fl_str_mv |
Ravara, António Pereira, Mário RUN |
| dc.contributor.author.fl_str_mv |
Reis, João Carlos Raposo dos |
| dc.subject.por.fl_str_mv |
Domínio/Área Científica::Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e Informática |
| topic |
Domínio/Área Científica::Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e Informática |
| description |
Blockchains are being widely adopted since its inception. Since Ethereum popularized smart contracts and introduced its platform for developing and deploying these programs on the blockchain, there has been an unprecedented boom in decentralized applications (dApps). Smart contracts bring a new flexibility which we didn’t see in the beginning with the first generation blockchains. These programs rule important agreements between two parties involving transacting valuable assets between them. Recently we have seen a record of stealing assets from the blockchain , as they exploded and became more popular in 2020. Many known vulnerabilities include: Re-entrancy, Gasless Send, Phishing with tx.origin and Type Casts. This reinforces the importance to ensure that these programs are correct. However this is still a hard task, as the programming languages used to developed them often do not really help and smart contracts are still being exploited. Static analysis tools can prevent these bugs, if they are robust enough to detect most of the vulnerabilities which are known and not known, and ensure that these contracts are developed with the best design practices. Many of those existing tools and programming languages are still in a very early stage and not yet prepared to be used in production environments. The development of smart contracts can be done in two types of languages: domain- specific and general-purpose languages. Domain-specific languages, specifically designed for writing smart contracts, are generally considered safer than their general-purpose counterparts. Solidity, created by the Ethereum Foundation, is a DSL and stands out as the most popular language to date. However, it is not without its flaws, primarily stemming from its complexity and Turing completeness. While recent academic efforts have introduced languages aimed at addressing known vulnerabilities in Solidity, the language’s widespread adoption needs continuous improvements to improve its safety. Our contribution targets a vulnerability in Solidity related to Type Casts. We introduce a proof-of-concept language inspired by Featherweight Solidity, a formalization of Solidity as a subset with an improved type system. Specifically, our language features an extended typing address to mitigate this vulnerability. |
| publishDate |
2023 |
| dc.date.none.fl_str_mv |
2023-12 2023-12-01T00:00:00Z 2024-05-22T10:28:54Z |
| dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
| dc.type.driver.fl_str_mv |
info:eu-repo/semantics/masterThesis |
| format |
masterThesis |
| status_str |
publishedVersion |
| dc.identifier.uri.fl_str_mv |
http://hdl.handle.net/10362/167656 |
| url |
http://hdl.handle.net/10362/167656 |
| dc.language.iso.fl_str_mv |
eng |
| language |
eng |
| dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
| eu_rights_str_mv |
openAccess |
| dc.format.none.fl_str_mv |
application/pdf |
| dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação instacron:RCAAP |
| instname_str |
Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
| instacron_str |
RCAAP |
| institution |
RCAAP |
| reponame_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| collection |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| repository.name.fl_str_mv |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
| repository.mail.fl_str_mv |
mluisa.alvim@gmail.com |
| _version_ |
1817546016863289344 |