Smart contracts play a vital role in the blockchain era, and a single contract can hold assets worth millions. Even though smart contract code goes through multiple audits and rounds of testing, is the security of smart contracts still questionable?
As a responsible security firm, we at QuillAudits have defined some security standards for smart contract audits.
In this article, we are going to differentiate between the different types of analysis (static and dynamic), explain the science behind each analysis technique, and discuss which type of analysis is more helpful for securing smart contracts against known attacks and for validating business logic.
What is Static analysis?
Static analysis, also called static code analysis, is a method of debugging smart contracts by examining the code without running it on a blockchain. Static analysis must be done right after development and before dynamic analysis.
The process provides an understanding of the code structure and can help to ensure that the code adheres to smart contract standards. Scrutinizing code by visual inspection is very helpful in finding errors or bugs that dynamic analysis cannot highlight: from the EVM's point of view the code may contain no error or suspicious construct at all, so nothing is ever thrown at run time.
Process of static analysis
1. Smart contract source code is passed to the Solidity compiler (solc).
2. The Solidity compiler outputs the AST of all source files in JSON format.
3. Recovery of information takes place.
4. The --ast-json output is filtered down to meaningful information.
5. According to the requirements or fundamentals of the tool, the filtered information is used to perform predefined tests.
6. The output is queried to find loopholes in the smart contracts.
Let’s discuss all the steps in detail.
Step 1: the source code is provided to the static analyzer. The .sol file is passed to the Solidity compiler, which generates output according to the command-line options used.
Step 2: the Solidity compiler (solc) runs on the source code to produce the --ast-json output.
Command: solc file.sol --ast-json
You can use other outputs as well; run solc --help to see the solc features that can be used for analyzing a smart contract statically.
Step 3: the --ast-json output above is filtered down to meaningful information, since the AST JSON is enriched with many details that are not needed for analyzing the smart contract.
The compiler can, however, continue to enrich this tree with information such as taint information, source locations, and other items that could affect an item's control flow. The filter can linearize these into a flat list, allowing additional transformations and processing of the contract's source code.
Step 4: the meaningful information derived from the AST is linearised, and functions, modifiers, and events, along with details such as function type and data types, are produced as output.
The picture above shows sample solc compiler output, which can be transformed into contract details such as function type, return type, modifiers, etc.
Step 5: in this step, the predefined tests run on the filtered output; in essence, the tests read the code and the analysis takes place.
Tests are defined according to Solidity best practices, known attacks, and smart contract optimizations.
Scenarios that can be considered while developing static analyzer test cases:
Reentrancy, uninitialized state variables, unused internal functions, functions transferring ether (check modifiers/authenticity), locked ether, gas optimization, etc.
Every scenario must be defined with a level of severity (High, Medium, Low, or Informational), and the analyzer should also point out the exact location of the offending line of code in the contract together with a possible general solution. The static analyzer should be used right after the development phase so that all issues are solved before moving on to dynamic testing.
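As an added example (not QuillAudits' tooling and not code from this article), the following Python script walks the kind of AST JSON that solc emits, linearises the function definitions, and runs two of the predefined tests listed above: a public function that transfers ether without any modifier guarding it (reported as High), and an unused internal function (reported as Informational), each with the source line derived from the node's src field. The Solidity source and the AST are hand-constructed and trimmed to the fields the checks need; real solc output (the compact JSON that --ast-compact-json prints in current releases) carries many more fields but uses the same nodeType and src keys.

```python
"""Toy static analyzer over a solc-style compact AST (constructed sample, not
real compiler output).  Steps mirror the article: flatten the AST, linearise
the function definitions, run predefined tests, report findings with severity
and source line."""
import json

# Constructed Solidity source; the AST below was written by hand to match it.
SOURCE = "\n".join([
    "contract Vault {",
    "address owner;",
    "function withdraw(uint256 amount) public {",
    "msg.sender.transfer(amount);",
    "}",
    "function helper() internal {}",
    "}",
])

# Hand-trimmed AST in the shape of solc's compact JSON: nodeType, src = "offset:length:file".
AST_JSON = json.dumps({
    "nodeType": "SourceUnit",
    "nodes": [{
        "nodeType": "ContractDefinition", "name": "Vault",
        "nodes": [
            {"nodeType": "VariableDeclaration", "name": "owner", "src": "17:14:0"},
            {"nodeType": "FunctionDefinition", "name": "withdraw", "src": "32:73:0",
             "visibility": "public", "stateMutability": "nonpayable", "modifiers": [],
             "body": {"nodeType": "Block", "statements": [{
                 "nodeType": "ExpressionStatement",
                 "expression": {
                     "nodeType": "FunctionCall", "src": "75:27:0",
                     "expression": {"nodeType": "MemberAccess", "memberName": "transfer",
                                    "expression": {"nodeType": "MemberAccess", "memberName": "sender",
                                                   "expression": {"nodeType": "Identifier", "name": "msg"}}},
                     "arguments": [{"nodeType": "Identifier", "name": "amount"}]}}]}},
            {"nodeType": "FunctionDefinition", "name": "helper", "src": "106:29:0",
             "visibility": "internal", "stateMutability": "nonpayable", "modifiers": [],
             "body": {"nodeType": "Block", "statements": []}},
        ]}]})

ETHER_SENDERS = {"transfer", "send", "call"}   # member calls that move ether
DEFINITIONS = {"FunctionDefinition", "ModifierDefinition", "EventDefinition"}


def walk(node):
    """Step 3: yield every dict node of the tree, flattening the AST."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)


def line_of(src, source):
    """Map a solc 'src' triple to a 1-based line by counting newlines before its offset."""
    offset = int(src.split(":")[0])
    return source.count("\n", 0, offset) + 1


def summarize(ast_json):
    """Step 4: linearise functions/modifiers/events with the attributes the tests need."""
    return [{"name": n["name"], "kind": n["nodeType"], "visibility": n.get("visibility"),
             "modifiers": [m["modifierName"]["name"] for m in n.get("modifiers", [])]}
            for n in walk(json.loads(ast_json)) if n.get("nodeType") in DEFINITIONS]


def check_unguarded_ether_transfer(ast, source):
    """Test: an externally callable function sends ether with no modifier guarding it."""
    findings = []
    for fn in walk(ast):
        if fn.get("nodeType") != "FunctionDefinition":
            continue
        if fn.get("visibility") not in ("public", "external") or fn.get("modifiers"):
            continue
        for call in walk(fn.get("body", {})):
            if call.get("nodeType") != "FunctionCall":
                continue
            callee = call.get("expression", {})
            if callee.get("nodeType") == "MemberAccess" and callee.get("memberName") in ETHER_SENDERS:
                findings.append({"severity": "High", "check": "ether transfer without access-control modifier",
                                 "function": fn["name"], "line": line_of(call["src"], source),
                                 "fix": "guard the function with an ownership/role modifier"})
    return findings


def check_unused_internal(ast, source):
    """Test: an internal/private function never referenced by any Identifier node."""
    referenced = {n["name"] for n in walk(ast) if n.get("nodeType") == "Identifier"}
    return [{"severity": "Informational", "check": "unused internal function",
             "function": n["name"], "line": line_of(n["src"], source),
             "fix": "remove dead code to save deployment gas"}
            for n in walk(ast) if n.get("nodeType") == "FunctionDefinition"
            and n.get("visibility") in ("internal", "private") and n["name"] not in referenced]


def analyze(ast_json, source):
    """Steps 5 and 6: run every predefined test and return the findings."""
    ast = json.loads(ast_json)
    return check_unguarded_ether_transfer(ast, source) + check_unused_internal(ast, source)


if __name__ == "__main__":
    for f in analyze(AST_JSON, SOURCE):
        print(f"[{f['severity']}] {f['check']}: {f['function']} (line {f['line']}) -> {f['fix']}")
```

On the constructed sample the script reports the unguarded transfer in withdraw at line 4 and the dead helper at line 6. Against a real contract you would replace SOURCE and AST_JSON with the file and the compiler's JSON; the walk/line_of helpers do not depend on the sample.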
Advantages of static analysis?
Static tools are helpful in analyzing the details of smart contracts: predefined tests run on the contract's source code to analyze it statically, as discussed above, so known bugs and loopholes can be found easily.
The main advantage of static analysis is that it finds issues with the code before it is ready for integration and further dynamic testing.
It allows a quicker turnaround for fixes.
It can find weaknesses in the code at the exact location.
Limitations of static analysis?
Static analysis is not a complete security tool.
Only known attacks or predefined rules can be scanned.
What is Dynamic analysis?
Dynamic analysis is the process of testing smart contracts in a run-time environment: the smart contract code is deployed on a blockchain, and dummy values (boundary values) are supplied as input according to the conditions of each function.
Most dynamic analysis tools use symbolic analysis, fuzzers, or formal verification to secure smart contracts.
Let’s discuss symbolic analysis in detail.
Symbolic analysis:
Symbolic analysis is a means of analyzing a program to determine what inputs cause each part of the program to execute. Symbolic testing differs from traditional testing in that traditional testing uses normal, concrete input values to test a function, e.g. '123' or 'Hello', whereas in symbolic analysis no specific input is chosen up front: a placeholder value, let's say ƛ, is taken as the input, and on reaching a conditional statement the state forks and two different values are considered.
Now we are going to learn about symbolic analysis with an example, walking step by step through how symbolic analysis works.
As discussed above, symbolic analysis is a means of analyzing a smart contract to determine what inputs cause each part of a program or function to execute.
Our goal will be to see if we can use symbolic analysis to show that it is possible to get the result of the function to be 100.
Let's first see how normal testing takes place: during normal dynamic testing, concrete inputs are supplied to execute the function.
The steps below show how concrete analysis takes place.
In this way, we try again and again until we get the result 100.
Now let's discuss symbolic analysis in detail using the same example.
In the above example, we will not use any concrete value directly; instead we will use a symbol, let's say ƛ (lambda).
ƛ can take any possible value that the data type allows.
The first three steps are the same as in concrete testing, but after that, at line 3, the symbolic value has two possible paths, ƛ > 100 or ƛ < 100, as shown in the state graph above.
The result value is 100.
Now at the branching step we can see that the result is 100 when ƛ > 100. As discussed before, we use symbolic analysis to find the input values that execute a function, so from the above discussion and the same example we can conclude that symbolic analysis shows the output is reachable, and that the input value can be 101 or above to reach it.
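The following is an added example, not code from this article, that carries the walkthrough above into working Python: a toy symbolic executor that treats the input as a symbol, forks the state at every comparison, records the constraints on each path, and then asks which concrete inputs satisfy them. Real tools hand the constraints to an SMT solver; here the "solver" simply enumerates a bounded uint domain (uint8 by default), which is an assumption made to keep the example self-contained. The function capped is a constructed stand-in for the article's example (result 100 whenever the input exceeds 100), and contradictory shows a path whose constraints cannot be satisfied.

```python
"""Toy symbolic executor (added example).  It explores every path of a small
Python function by replaying forced branch outcomes, records the path
constraints on the symbolic input, and then finds a concrete witness for each
path by enumerating a bounded uint domain, a stand-in for an SMT solver."""


class Sym:
    """Symbolic input: each comparison asks the explorer which branch to take."""

    def __init__(self, name, explorer):
        self.name, self.explorer = name, explorer

    def _cmp(self, op, other, pred):
        return self.explorer.decide(f"{self.name} {op} {other}", pred)

    def __gt__(self, o): return self._cmp(">", o, lambda v: v > o)
    def __lt__(self, o): return self._cmp("<", o, lambda v: v < o)
    def __ge__(self, o): return self._cmp(">=", o, lambda v: v >= o)
    def __le__(self, o): return self._cmp("<=", o, lambda v: v <= o)
    def __eq__(self, o): return self._cmp("==", o, lambda v: v == o)
    __hash__ = object.__hash__


class Explorer:
    """Enumerates paths: the first run takes the 'true' side of every branch,
    and each decision spawns a sibling run forced to take the 'false' side."""

    def __init__(self, fn, name="λ"):
        self.fn, self.name = fn, name
        self.prefix, self.path = [], []

    def decide(self, text, pred):
        i = len(self.path)
        if i < len(self.prefix):
            outcome = self.prefix[i]          # replay a forced decision
        else:
            outcome = True                    # new branch: default to true, remember it
            self.prefix.append(outcome)
        self.path.append((text, pred, outcome))
        return outcome

    def explore(self):
        """Return [(constraint strings, (text, pred, outcome) list, result), ...]."""
        worklist, paths = [[]], []
        while worklist:
            forced = worklist.pop(0)
            self.prefix, self.path = list(forced), []
            result = self.fn(Sym(self.name, self))
            for j in range(len(forced), len(self.prefix)):   # fork the state at each new branch
                worklist.append(self.prefix[:j] + [False])
            constraints = [t if ok else f"not ({t})" for t, _, ok in self.path]
            paths.append((constraints, self.path, result))
        return paths


def witnesses(fn, domain=range(256)):
    """Solve each path's constraints by enumeration (uint8 domain by default):
    returns (constraints, witness input or None if infeasible, concrete result)."""
    out = []
    for constraints, path, _ in Explorer(fn).explore():
        w = next((v for v in domain if all(p(v) == ok for _, p, ok in path)), None)
        out.append((constraints, w, fn(w) if w is not None else None))
    return out


def inputs_reaching(fn, target, domain=range(256)):
    """The question asked above: which inputs make the function produce `target`?"""
    return [w for _, w, r in witnesses(fn, domain) if r == target]


# Constructed stand-in for the article's function: the result is capped at 100.
def capped(x):
    if x > 100:
        return 100
    return x


# A path whose constraints contradict each other is infeasible and gets no witness.
def contradictory(x):
    if x > 100:
        if x < 50:
            return 1
        return 2
    return 3


if __name__ == "__main__":
    for constraints, w, r in witnesses(capped):
        print(" and ".join(constraints), "->", "witness", w, "result", r)
    print("inputs reaching 100:", inputs_reaching(capped, 100))
```

For capped the explorer finds two paths, λ > 100 (first witness 101, result 100) and not (λ > 100) (witness 0, result 0), so inputs_reaching(capped, 100) answers 101, matching the conclusion above. The replay-by-prefix scheme only terminates for functions whose branch count is finite, which is why production tools bound loops and call depth.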
Fuzzing smart contracts:
Fuzz testing is a type of testing in which seed inputs, or a set of inputs, are used to automatically discover new inputs that might highlight coding errors or security loopholes in smart contracts, by feeding invalid or random data (called fuzz) to the smart contract. The smart contract is then monitored for the various paths generated and for its error handling.
Process of Fuzzers
Step 1: the smart contract fuzzer analyzes the ABI and bytecode of the smart contracts. Data types and other useful information such as function signatures are extracted.
Step 2: the fuzzer analyzes the extracted signatures (the output of the first step) and generates valid fuzzing inputs conforming to the ABI specification, as well as mutated inputs (multiple nearby values) across the border of validity (also called boundary value testing).
Step 3: the indexed smart contracts returned from step 2 are used to generate inputs for ABIs that take contract addresses as arguments.
Step 4: the tool starts the fuzzing process, bombarding the ABI interfaces with the generated inputs through random function invocations.
Step 5: the tool detects security vulnerabilities by analyzing the execution logs generated during fuzzing. The fuzzing process continues until the available testing time is used up.
The whole fuzzing campaign ends when the tool has finished fuzzing all smart contracts under test.
Basically, fuzzers can be classified into three categories based on testing technique:
- Black box testing
- White box testing
- Grey box testing
Let's discuss all these types of testing in detail.
Black box fuzzer:
Generally, a black box fuzzer is a smart contract fuzzer that gets no information about the contract; it generates millions of mutants (inputs) while testing a smart contract.
Advantage of black box fuzzers:
Millions of input values can be tried in a few seconds to find loopholes in smart contracts.
Disadvantage of black box fuzzers:
Even after using millions of input values, statement or code coverage remains low with black box fuzzers.
White box fuzzer:
Generally, a white box fuzzer is a smart contract fuzzer that has information about the smart contract's input values.
White box fuzzers use symbolic analysis to test smart contracts. Symbolic analysis, as discussed above, does not fix concrete input values; instead it executes the contract symbolically and uses SMT (e.g. Z3) or SAT solvers to generate new paths, so this type of fuzzer covers most of the paths. Such fuzzers also use multiple search techniques to generate new paths, such as heuristic search: at each branching step the fuzzer evaluates the available information and decides which branch to follow by ranking the alternatives.
Advantage of white box fuzzers:
Testing is more thorough, with the possibility of covering most paths.
Grey box fuzzer:
Basically, a grey box fuzzer has partial knowledge of the smart contract; grey box fuzzers are the most popular fuzzers for finding vulnerabilities in smart contracts.
Grey box fuzzing is a lightweight testing approach that effectively detects bugs and security vulnerabilities. However, grey box fuzzers randomly mutate program inputs to exercise new paths, which makes it challenging to cover code that is guarded by complex checks.
Grey box fuzzers record each path so that they avoid fuzzing the same path again and again; they cover more paths compared to black box fuzzers.
Advantage of grey box fuzzers:
Grey box fuzzers cover most of the paths, and by recording already executed paths they avoid fuzzing the same path multiple times.
So far we have discussed static and dynamic analysis in detail and have adequate knowledge of both types of analysis; we have also discussed the advantages and disadvantages of each.
Static analysis is helpful for analyzing a smart contract right after the development phase, so that issues in the code structure, and loopholes that never raise a run-time error, can be identified; dynamic analysis must be done after manual or unit testing and before deployment of the smart contract on main-net. Dynamic analysis has a major role in the security of smart contracts, since it executes transactions at run time, and the different types of dynamic analysis help catch bugs that a static analyzer cannot find.
Grey box fuzzing and formal verification are very popular ways to secure smart contracts these days, but they have not gained the edge yet: tools based on these techniques are still under development or not production-ready.
In upcoming articles, we will discuss what formal verification is and how it can help in securing smart contracts.