An empirical study of blockchain system vulnerabilities: modules, types, and patterns
Blockchain, as a distributed ledger technology, becomes increasingly popular, especially for enabling valuable cryptocurrencies and smart contracts. However, the blockchain software systems inevitably have many bugs. Although bugs in smart contracts have been extensively investigated, security bugs...
Saved in:
| Main Authors: | , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2022
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/7643 https://ink.library.smu.edu.sg/context/sis_research/article/8646/viewcontent/fse22BlkVuln.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-8646 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-86462023-01-10T03:51:51Z An empirical study of blockchain system vulnerabilities: modules, types, and patterns YI, Xiao WU, Daoyuan JIANG, Lingxiao FANG, Yuzhou ZHANG, Kehuan ZHANG, Wei Blockchain, as a distributed ledger technology, becomes increasingly popular, especially for enabling valuable cryptocurrencies and smart contracts. However, the blockchain software systems inevitably have many bugs. Although bugs in smart contracts have been extensively investigated, security bugs of the underlying blockchain systems are much less explored. In this paper, we conduct an empirical study on blockchain’s system vulnerabilities from four representative blockchains, Bitcoin, Ethereum, Monero, and Stellar. Specifically, we first design a systematic filtering process to effectively identify 1,037 vulnerabilities and their 2,317 patches from 34,245 issues/PRs (pull requests) and 85,164 commits on GitHub. We thus build the first blockchain vulnerability dataset, which is available at https://github.com/VPRLab/BlkVulnDataset. We then perform unique analyses of this dataset at three levels, including (i) file-level vulnerable module categorization by identifying and correlating module paths across projects, (ii) text-level vulnerability type clustering by natural language processing and similarity-based sentence clustering, and (iii) code-level vulnerability pattern analysis by generating and clustering code change signatures that capture both syntactic and semantic information of patch code fragments. Our analyses reveal three key findings: (i) some blockchain modules are more susceptible than the others; notably, each of the modules related to consensus, wallet, and networking has over 200 issues; (ii) about 70% of blockchain vulnerabilities are of traditional types, but we also identify four new types specific to blockchains; and (iii) we obtain 21 blockchain-specific vulnerability patterns that capture unique blockchain attributes and statuses, and demonstrate that they can be used to detect similar vulnerabilities in other popular blockchains, such as Dogecoin, Bitcoin SV, and Zcash. 2022-11-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7643 info:doi/10.1145/3540250.3549105 https://ink.library.smu.edu.sg/context/sis_research/article/8646/viewcontent/fse22BlkVuln.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Blockchain security System vulnerability Data mining Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Blockchain security System vulnerability Data mining Software Engineering |
| spellingShingle |
Blockchain security System vulnerability Data mining Software Engineering YI, Xiao WU, Daoyuan JIANG, Lingxiao FANG, Yuzhou ZHANG, Kehuan ZHANG, Wei An empirical study of blockchain system vulnerabilities: modules, types, and patterns |
| description |
Blockchain, as a distributed ledger technology, becomes increasingly popular, especially for enabling valuable cryptocurrencies and smart contracts. However, the blockchain software systems inevitably have many bugs. Although bugs in smart contracts have been extensively investigated, security bugs of the underlying blockchain systems are much less explored. In this paper, we conduct an empirical study on blockchain’s system vulnerabilities from four representative blockchains, Bitcoin, Ethereum, Monero, and Stellar. Specifically, we first design a systematic filtering process to effectively identify 1,037 vulnerabilities and their 2,317 patches from 34,245 issues/PRs (pull requests) and 85,164 commits on GitHub. We thus build the first blockchain vulnerability dataset, which is available at https://github.com/VPRLab/BlkVulnDataset. We then perform unique analyses of this dataset at three levels, including (i) file-level vulnerable module categorization by identifying and correlating module paths across projects, (ii) text-level vulnerability type clustering by natural language processing and similarity-based sentence clustering, and (iii) code-level vulnerability pattern analysis by generating and clustering code change signatures that capture both syntactic and semantic information of patch code fragments. Our analyses reveal three key findings: (i) some blockchain modules are more susceptible than the others; notably, each of the modules related to consensus, wallet, and networking has over 200 issues; (ii) about 70% of blockchain vulnerabilities are of traditional types, but we also identify four new types specific to blockchains; and (iii) we obtain 21 blockchain-specific vulnerability patterns that capture unique blockchain attributes and statuses, and demonstrate that they can be used to detect similar vulnerabilities in other popular blockchains, such as Dogecoin, Bitcoin SV, and Zcash. |
| format |
text |
| author |
YI, Xiao WU, Daoyuan JIANG, Lingxiao FANG, Yuzhou ZHANG, Kehuan ZHANG, Wei |
| author_facet |
YI, Xiao WU, Daoyuan JIANG, Lingxiao FANG, Yuzhou ZHANG, Kehuan ZHANG, Wei |
| author_sort |
YI, Xiao |
| title |
An empirical study of blockchain system vulnerabilities: modules, types, and patterns |
| title_short |
An empirical study of blockchain system vulnerabilities: modules, types, and patterns |
| title_full |
An empirical study of blockchain system vulnerabilities: modules, types, and patterns |
| title_fullStr |
An empirical study of blockchain system vulnerabilities: modules, types, and patterns |
| title_full_unstemmed |
An empirical study of blockchain system vulnerabilities: modules, types, and patterns |
| title_sort |
empirical study of blockchain system vulnerabilities: modules, types, and patterns |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2022 |
| url |
https://ink.library.smu.edu.sg/sis_research/7643 https://ink.library.smu.edu.sg/context/sis_research/article/8646/viewcontent/fse22BlkVuln.pdf |
| _version_ |
1770576408187240448 |