Skip to content

VPRLab/SoMo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
example
example
 
 
somo
somo
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

SoMo: Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts

For the dataset used in the paper, please refer to the dataset repository at VPRLab/ModifierDataset.

Overview

SoMo is the implementation of the paper titled "SoMo: Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts" published on "ISSTA'23", which has been integrated into MetaScan services hosted at MetaTrustLab. SoMo is a static analyzer designed for detecting bypassable modifier in Solidity smart contracts based on taint analysis and Slither.

Usage

You can find the ISSTA paper via this link and please consider citing our paper if it's useful to you.

@INPROCEEDINGS{SoMo2023,
  author = {Fang, Yuzhou and Wu, Daoyuan and Yi, Xiao and Wang, Shuai and Chen, Yufan and Chen, Mengjie and Liu, Yang and Jiang, Lingxiao},
  booktitle = {Proc. ACM ISSTA},
  title = {Beyond ``Protected'' and ``Private'': An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts},
  year = {2023}
}

MetaTrustLab hosts another version of SoMo running on MetaScan, and the code is available in falcon.

Get Started

Prerequisites

  • We ran our experiments on Ubuntu 20.04 LST OS.
  • We used Python 3.10 to develop SoMo.
  • SoMo relies on slither, sold-select, networks, and z3-solver. All the essential packages are listed in requirements.txt.

There are steps to locally build SoMo.

git clone git@github.com:VPRLab/SoMo.git && cd SoMo
pip install -r requirements.txt

Quick Start

SoMo takes two arguments, including the contract source code and contract setting.

  • Contract source code is usually a file with a .sol suffix.
  • Contract setting is a json file, which contains two essential fields, namely:
    • ContractName: which contracts were actually deployed to Ethereum mainnet.
    • CompilerVersion: which compilers were used to compile the source code.

Users can specify paths of the source code and setting files by -c, --code and -s, --setting, respectively.

For instance, there is a vulnerable contract under the example folder with its settings.

To detect the bypassable modifiers, users can invoke SoMo in the following instruction.

python somo -c example/contract.sol -s example/contract.json

For more information, please refer to our paper or get help from python somo -h.

About

A specialized tool for smart contract modifier analysis based on the Modifier Dependency Graph (MDG)

dl.acm.org/doi/abs/10.1145/3597926.3598125

Topics

smart-contracts solidity static-analyzer program-analysis taint-analysis security-tools slither modifier

Resources

Readme
Activity
Custom properties

Stars

9 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages