Most blockchains cannot hide the binary code of the programs (i.e., smart contracts) running on them. To conceal proprietary business logic and to potentially deter attacks, many smart contracts are closed-source, and in many cases their bytecode is obfuscated, either intentionally to hide internal logic or unintentionally as a by-product of compiler optimizations. However, we demonstrate that such obfuscation can obscure critical vulnerabilities rather than enhance security, a phenomenon known as insecurity through obscurity. To systematically analyze these risks at scale, we present SKANF, a novel EVM bytecode analysis tool tailored to closed-source and obfuscated contracts. SKANF combines control-flow deobfuscation with symbolic execution guided by historical transactions to identify and exploit asset-management vulnerabilities. Our evaluation on real-world Maximal Extractable Value (MEV) bots shows that SKANF detects vulnerabilities in 1,030 contracts and successfully generates exploits for 394 of them, with potential losses of $10.6M. Additionally, we uncover 104 real-world MEV bot attacks that collectively resulted in $2.76M in losses.