Front-running attacks have been a major concern on the blockchain. Attackers launch front-running attacks by inserting additional transactions before upcoming victim transactions to manipulate victim transaction executions and make profits. Recent studies have shown that front-running attacks are prevalent on the Ethereum blockchain and have caused millions of US dollars loss. Vulnerable smart contracts, blockchain programs invoked by transactions, are held responsible for front-running attacks. Although techniques to detect front-running vulnerabilities have been proposed, their performance on real-world vulnerable contracts is unclear. There is no large-scale benchmark based on real attacks to evaluate their capabilities. This motivates us to build a benchmark consisting of 513 real-world attacks with vulnerable code labeled in 235 distinct smart contracts. We propose automated techniques to effectively collect real-world attacks and localize the corresponding vulnerable code at scale. Our experiments show that our approaches are effective, achieving higher recall in finding real attacks and higher precision in pinpointing vulnerabilities compared to the existing techniques. The evaluation of seven state-of-the-art vulnerability detection techniques on the benchmark reveals their inadequacy in detecting front-running vulnerabilities, with a low recall of at most 6.04%. Our further analysis identifies four common limitations in existing techniques: lack of support for inter-contract analysis, inefficient constraint solving for cryptographic operations, improper vulnerability patterns, and lack of token support.

翻译：抢先交易攻击一直是区块链领域的主要隐患。攻击者通过在即将发生的受害者交易之前插入额外交易，操纵受害者交易的执行并从中获利。近期研究表明，这类攻击在以太坊区块链上普遍存在，已造成数百万美元的损失。被交易调用的区块链程序——即智能合约中的漏洞，是导致抢先交易攻击的根源。尽管已有检测抢先交易漏洞的技术被提出，但其在真实世界存在漏洞的合约上的表现尚不明确。目前尚缺乏基于真实攻击的大规模基准来评估这些技术的能力。为此，我们构建了一个包含513个真实攻击实例的基准，其中235个不同智能合约中标注了易受攻击的代码。我们提出了自动化技术，能够有效收集真实攻击案例并规模化定位对应漏洞代码。实验表明，与现有技术相比，我们的方法在发现真实攻击方面实现了更高的召回率，在精准定位漏洞方面也取得更高精确率。使用该基准对七种最先进的漏洞检测技术进行评估发现，它们在检测抢先交易漏洞方面表现不足，最高召回率仅为6.04%。进一步分析揭示了现有技术存在的四个共性缺陷：缺乏对跨合约分析的支持、密码学操作约束求解效率低下、漏洞模式不恰当以及缺乏代币支持。