Skip to content

[QRS'22] TokenAuditor: Detecting Manipulation Risk in Token Smart Contract by Fuzzing

License

Notifications You must be signed in to change notification settings

caomingpei/TokenAuditor

Repository files navigation

Project logo

TokenAuditor: Detecting Manipulation Risk in Token Smart Contract by Fuzzing

License Platform Last Commit


📝 Table of Contents

🧐 About

This project implements a fuzz testing method for detecting manipulation risk in token smart contracts. There are four common kinds of manipulation risk which could be detected by our project: Compatibility,Preallocation,Authority Management and Freezing Backdoor.

The main idea and related details is in the research paper: TokenAuditor: Detecting Manipulation Risk in Token Smart Contract by Fuzzing, which is accepted in QRS'23.

🏁 Getting Started

The project needs prepared work to make it run correctly.

Prerequisites

The dependency frameworks of this project are as follows:

  • Ganache - A tool for creating a local blockchain for fast Ethereum development, please refer to the guide for installation and usage, our project requrie the version is newer than 7.2.0
  • Web3.py - A Python library for interacting with Ethereum. You can install it with pip and requirements.txt

In addition, there are other dependency packages that need to be installed. If your python version is 3.9.12, you can install them directly by executing the following command:

pip install -r requirements.txt

If you are using another python version, please modify the requirements.txt to make it compatible.

Contract Under Test

For this project, the contract under test should be processed before running. The ABI, Creation Bytecode, Constructor Parameter of the cotract is necessary for running. The solity source code is not necessary. You can refer to the format in contracts/ folder.

As for our paper, we use the dataset awesome-buggy-erc20-tokens for evaluation, and this dataset could be also helpful for you!

🎈 Usage

Quick Start

After completing the preparations, use the following command for quick start!

python main.py

When the comman shows Finished! Please check in result/ folder!, you can check the detection result in that folder, and the name of contract is example.

Details

Our project provides parameter settings for better use, a complete example of the command is as follows:

python main.py -c example -l 3600 -b 10 -e 50

The meanings of the command parameters are shown below:

  • -c: set contracts under the fuzzing test,example means the file name is "example". If you want to test multiple contracts, separate them with commas. (example1,example2,example3)
  • -l: set the executing limit time, the unit is seconds. 3600 means the program will stop after 3600s.
  • -b: set the number of generating test samples per epoch, 10 means each epoch generate 10 test samples for test.
  • -e: set the executing epoch.

⛏️ Contributing

If you find problem(s) in this repo, please make issues.

If you want to contribute to this repo, please fork and create a new pull request.

The commit style should follow the following convention:

[!TYPE:] message

The [!TYPE:] includes the following types:

  • !F: create new function
  • !B: bug fix
  • !D: update about the document
  • !S: change code style or fix typo
  • !R: refactor the code
  • !O: optimize the performance
  • !T: add test
  • !C: chores of update the dependency
  • !A: archive related files

Example:

!D: configuring the git style

This example means this commit [!D:] is about update a document and the commit is used for configuring git style.

🎉 Acknowledgements

If this work is helpful for you, thanks for your citation.

@inproceedings{QRS22CaoTA,
  author       = {Mingpei Cao and
                  Yueze Zhang and
                  Zhenxuan Feng and
                  Jiahao Hu and
                  Yuesheng Zhu},
  title        = {TokenAuditor: Detecting Manipulation Risk in Token Smart Contract by Fuzzing},
  booktitle    = {Proceeding of the 22nd {IEEE} International Conference on Software Quality, Reliability
                  and Security (QRS'22), Guangzhou, China, December 5-9, 2022},
  pages        = {651--662},
  publisher    = {{IEEE}},
  year         = {2022},
  url          = {https://doi.org/10.1109/QRS57517.2022.00071},
  doi          = {10.1109/QRS57517.2022.00071},
}

Releases

No releases published

Packages

No packages published