This paper introduces a method for detecting vulnerabilities in smart contracts using static analysis and a multi-objective optimization algorithm. We focus on four types of vulnerabilities: reentrancy, call stack overflow, integer overflow, and timestamp dependencies. Initially, smart contracts are compiled into an abstract syntax tree to analyze relationships between contracts and functions, including calls, inheritance, and data flow. These analyses are transformed into static evaluations and intermediate representations that reveal internal relations. Based on these representations, we examine each contract's functions, variables, and data dependencies to detect the specified vulnerabilities. To enhance detection accuracy and coverage, we apply a multi-objective optimization algorithm to the static analysis process. This involves assigning initial numeric values to input data and monitoring changes in statement coverage and detection accuracy. Using coverage and accuracy as fitness values, we calculate Pareto-front and crowding-distance values to select the best individuals for the new parent population, iterating until the optimization criteria are met. We validate our approach using an open-source dataset collected from Etherscan, containing 6,693 smart contracts. Experimental results show that our method outperforms state-of-the-art tools in terms of coverage, accuracy, efficiency, and effectiveness in detecting the targeted vulnerabilities.
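The selection step described above (coverage and accuracy as fitness values, Pareto-front rank and crowding distance used to choose the next parent population), as an added Python example that is not the paper's code: it assumes the standard NSGA-II non-dominated sorting and crowding-distance scheme, which the abstract does not name, and a constructed population of fitness pairs.

```python
# Added example (not the paper's code): NSGA-II-style selection over
# (coverage, accuracy) fitness pairs. The NSGA-II scheme is an assumption:
# the abstract names Pareto fronts and crowding distance but no algorithm.
# Both objectives are maximized; the population values below are constructed.

def dominates(a, b):
    """a dominates b: no worse on every objective, strictly better on at least one."""
    return all(x >= y for x, y in zip(a, b)) and any(x > y for x, y in zip(a, b))

def pareto_fronts(pop):
    """Group population indices into fronts; fronts[0] is the Pareto front."""
    remaining, fronts = set(range(len(pop))), []
    while remaining:
        front = sorted(i for i in remaining
                       if not any(dominates(pop[j], pop[i]) for j in remaining if j != i))
        fronts.append(front)
        remaining -= set(front)
    return fronts

def crowding_distance(pop, front):
    """Crowding distance of each member of one front; boundary members get inf."""
    if len(front) <= 2:
        return {i: float("inf") for i in front}
    dist = {i: 0.0 for i in front}
    for m in range(len(pop[front[0]])):  # one pass per objective
        order = sorted(front, key=lambda i: pop[i][m])
        lo, hi = pop[order[0]][m], pop[order[-1]][m]
        dist[order[0]] = dist[order[-1]] = float("inf")
        if hi == lo:
            continue
        for k in range(1, len(order) - 1):
            dist[order[k]] += (pop[order[k + 1]][m] - pop[order[k - 1]][m]) / (hi - lo)
    return dist

def select_parents(pop, n):
    """Fill the new parent population front by front; in the front that
    overflows, keep the most isolated individuals (largest crowding distance)."""
    chosen = []
    for front in pareto_fronts(pop):
        if len(chosen) + len(front) <= n:
            chosen.extend(front)
            continue
        cd = crowding_distance(pop, front)
        chosen.extend(sorted(front, key=lambda i: -cd[i])[: n - len(chosen)])
        break
    return chosen

# Constructed fitness values for six candidate inputs: (statement coverage, detection accuracy).
POPULATION = [(0.60, 0.90), (0.80, 0.70), (0.70, 0.85),
              (0.50, 0.50), (0.90, 0.60), (0.65, 0.80)]
```

With this population, four inputs are mutually non-dominated and form the first front; when only three parents are wanted, the two boundary individuals (best coverage, best accuracy) are kept and the remaining slot goes to the more isolated interior point.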