BlockScope: Detecting and investigating propagated vulnerabilities in forked blockchain projects
Due to the open-source nature of the blockchain ecosystem, it is common for new blockchains to fork or partially reuse the code of classic blockchains. For example, the popular Dogecoin, Litecoin, Binance BSC, and Polygon are all variants of Bitcoin/Ethereum. These “forked” blockchains thus could en...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2023
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/7818 https://ink.library.smu.edu.sg/context/sis_research/article/8821/viewcontent/ndss23blockscope.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-8821 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-88212023-04-25T06:12:00Z BlockScope: Detecting and investigating propagated vulnerabilities in forked blockchain projects YI, Xiao FANG, Yuzhou WU, Daoyuan JIANG, Lingxiao Due to the open-source nature of the blockchain ecosystem, it is common for new blockchains to fork or partially reuse the code of classic blockchains. For example, the popular Dogecoin, Litecoin, Binance BSC, and Polygon are all variants of Bitcoin/Ethereum. These “forked” blockchains thus could encounter similar vulnerabilities that are propagated from Bitcoin/Ethereum during forking or subsequently commit fetching. In this paper, we conduct a systematic study of detecting and investigating the propagated vulnerabilities in forked blockchain projects. To facilitate this study, we propose BlockScope, a novel tool that can effectively and efficiently detect multiple types of cloned vulnerabilities given an input of existing Bitcoin/Ethereum security patches. Specifically, BlockScope adopts similarity-based code match and designs a new way of calculating code similarity to cover all the syntax-wide variant (i.e., Type-1, Type-2, and Type-3) clones. Moreover, BlockScope automatically extracts and leverages the contexts of patch code to narrow down the search scope and locate only potentially relevant code for comparison.Our evaluation shows that BlockScope achieves good precision and high recall both at 91.8% (1.8 times higher recall than that in the state-of-the-art ReDeBug while with close precision). BlockScope allows us to discover 101 previously unknown vulnerabilities in 13 out of the 16 forked projects of Bitcoin and Ethereum, including 16 from Dogecoin, 6 from Litecoin, 1 from Binance BSC, and 4 from Optimism. We have reported all the vulnerabilities to their developers; 40 of them have been patched or accepted, 66 were acknowledged or under pending, and only 4 were rejected. We further investigate the propagation and patching processes of discovered vulnerabilities, and reveal three types of vulnerability propagation from source to forked projects, as well as the long delay (mostly over 200 days) for releasing patches in Bitcoin forks (vs. ∼100 days for Ethereum forks). 2023-03-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7818 info:doi/10.14722/ndss.2023.24222 https://ink.library.smu.edu.sg/context/sis_research/article/8821/viewcontent/ndss23blockscope.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Software Engineering |
| spellingShingle |
Software Engineering YI, Xiao FANG, Yuzhou WU, Daoyuan JIANG, Lingxiao BlockScope: Detecting and investigating propagated vulnerabilities in forked blockchain projects |
| description |
Due to the open-source nature of the blockchain ecosystem, it is common for new blockchains to fork or partially reuse the code of classic blockchains. For example, the popular Dogecoin, Litecoin, Binance BSC, and Polygon are all variants of Bitcoin/Ethereum. These “forked” blockchains thus could encounter similar vulnerabilities that are propagated from Bitcoin/Ethereum during forking or subsequently commit fetching. In this paper, we conduct a systematic study of detecting and investigating the propagated vulnerabilities in forked blockchain projects. To facilitate this study, we propose BlockScope, a novel tool that can effectively and efficiently detect multiple types of cloned vulnerabilities given an input of existing Bitcoin/Ethereum security patches. Specifically, BlockScope adopts similarity-based code match and designs a new way of calculating code similarity to cover all the syntax-wide variant (i.e., Type-1, Type-2, and Type-3) clones. Moreover, BlockScope automatically extracts and leverages the contexts of patch code to narrow down the search scope and locate only potentially relevant code for comparison.Our evaluation shows that BlockScope achieves good precision and high recall both at 91.8% (1.8 times higher recall than that in the state-of-the-art ReDeBug while with close precision). BlockScope allows us to discover 101 previously unknown vulnerabilities in 13 out of the 16 forked projects of Bitcoin and Ethereum, including 16 from Dogecoin, 6 from Litecoin, 1 from Binance BSC, and 4 from Optimism. We have reported all the vulnerabilities to their developers; 40 of them have been patched or accepted, 66 were acknowledged or under pending, and only 4 were rejected. We further investigate the propagation and patching processes of discovered vulnerabilities, and reveal three types of vulnerability propagation from source to forked projects, as well as the long delay (mostly over 200 days) for releasing patches in Bitcoin forks (vs. ∼100 days for Ethereum forks). |
| format |
text |
| author |
YI, Xiao FANG, Yuzhou WU, Daoyuan JIANG, Lingxiao |
| author_facet |
YI, Xiao FANG, Yuzhou WU, Daoyuan JIANG, Lingxiao |
| author_sort |
YI, Xiao |
| title |
BlockScope: Detecting and investigating propagated vulnerabilities in forked blockchain projects |
| title_short |
BlockScope: Detecting and investigating propagated vulnerabilities in forked blockchain projects |
| title_full |
BlockScope: Detecting and investigating propagated vulnerabilities in forked blockchain projects |
| title_fullStr |
BlockScope: Detecting and investigating propagated vulnerabilities in forked blockchain projects |
| title_full_unstemmed |
BlockScope: Detecting and investigating propagated vulnerabilities in forked blockchain projects |
| title_sort |
blockscope: detecting and investigating propagated vulnerabilities in forked blockchain projects |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2023 |
| url |
https://ink.library.smu.edu.sg/sis_research/7818 https://ink.library.smu.edu.sg/context/sis_research/article/8821/viewcontent/ndss23blockscope.pdf |
| _version_ |
1770576519184252928 |