Blockchains require deterministic execution in order to reach consensus. This is often guaranteed in languages designed to write smart contracts, such as Solidity. Application-specific blockchains or "appchains" allow the blockchain application logic to be written using general-purpose programming languages, giving developers more flexibility but also additional responsibilities. In particular, developers must ensure that their blockchain application logic does not contain any sources of non-determinism. Any source of non-determinism may be a potential source of vulnerabilities. This paper focuses on the use of Static Application Security Testing (SAST) tools to detect such sources of non-determinism at development time. We focus on Cosmos, a prominent open-source project that lets developers build interconnected networks of application-specific blockchains. Cosmos provides a Software Development Kit (SDK) that allows these chains to be implemented in the Go programming language. We create a corpus of 11 representative Cosmos-based appchains to analyze for sources of non-determinism in Go. As part of our study, we identified cosmos-sdk-codeql, a set of CodeQL code analysis rules for Cosmos applications. We find that these rules generate many false positives and propose a refactored set of rules that more precisely detects sources of non-determinism only in code that runs as part of the blockchain logic. We demonstrate a significant increase in the precision of the rules, making the SAST tool more effective and hence potentially contributing to enhanced security for Cosmos-based blockchains.
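As an added illustration (not code from the paper or from cosmos-sdk-codeql), here is one classic Go non-determinism source of the kind such rules target: ranging over a map inside state-hashing logic, shown beside the sorted-key form that every validator computes identically. The account names and balances are constructed sample data standing in for a module's KV store.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
)

// Balances is constructed sample application state: account -> balance.
var Balances = map[string]uint64{"cosmos1alice": 50, "cosmos1bob": 30, "cosmos1carol": 20}

// NondeterministicDigest hashes the state by ranging over the map directly.
// Go randomizes map iteration order, so two validators running this exact
// code on identical state can produce different digests: a consensus failure.
func NondeterministicDigest(bal map[string]uint64) string {
	h := sha256.New()
	for acct, amt := range bal {
		h.Write([]byte(acct))
		binary.Write(h, binary.BigEndian, amt)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// DeterministicDigest sorts the keys first, so every node hashes the entries
// in the same order and arrives at the same digest regardless of map internals.
func DeterministicDigest(bal map[string]uint64) string {
	keys := make([]string, 0, len(bal))
	for k := range bal {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, acct := range keys {
		h.Write([]byte(acct))
		binary.Write(h, binary.BigEndian, bal[acct])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// StableAcrossRuns reports whether digest returns the same value on all n calls.
func StableAcrossRuns(digest func(map[string]uint64) string, bal map[string]uint64, n int) bool {
	first := digest(bal)
	for i := 1; i < n; i++ {
		if digest(bal) != first {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("sorted keys stable:", StableAcrossRuns(DeterministicDigest, Balances, 1000))
	fmt.Println("map range stable:  ", StableAcrossRuns(NondeterministicDigest, Balances, 1000))
}
```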