To improve the maintainability and upgradeability of smart contracts, many developers use upgradeable contracts. However, this introduces new security risks, as the complex implementation mechanisms can become targets for attackers. Typically, the logical contract linked to a proxy contract is verified via Etherscan, requiring public source code. In this paper, we propose a method for identifying the logical contract of a proxy through historical transaction records, eliminating the need for source code. Additionally, we developed USCSafe, a tool that detects upgradeable permission vulnerabilities by combining taint analysis with permission constraint analysis. We evaluated USCSafe on a public real-world proxy contract dataset and found that it outperformed existing detection tools by detecting more upgradeable smart contract permission vulnerabilities.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

USCSafe: Identifying Permission Vulnerabilities in Upgradeable Smart Contracts

  • Junjia Chen,
  • Zhijie Zhong,
  • Yuren Zhou

摘要

To improve the maintainability and upgradeability of smart contracts, many developers use upgradeable contracts. However, this introduces new security risks, as the complex implementation mechanisms can become targets for attackers. Typically, the logical contract linked to a proxy contract is verified via Etherscan, requiring public source code. In this paper, we propose a method for identifying the logical contract of a proxy through historical transaction records, eliminating the need for source code. Additionally, we developed USCSafe, a tool that detects upgradeable permission vulnerabilities by combining taint analysis with permission constraint analysis. We evaluated USCSafe on a public real-world proxy contract dataset and found that it outperformed existing detection tools by detecting more upgradeable smart contract permission vulnerabilities.