基于静态分析的价格预言机操纵源代码检测方法研究

doi:10.3969/j.issn.1671-1122.2025.05.006

摘要/Abstract

摘要：

针对智能合约的价格预言机操纵攻击问题，文章提出一种基于静态分析的价格预言机操纵源代码检测方法。该方法首先根据用户输入的函数调用关系，建立调用者函数的变量和被调函数的参数之间的对应关系，以及被调函数返回值和调用者函数的变量之间的对应关系。其次，对被测函数的源代码及其实际运行时涉及的其他合约源代码进行静态分析，获取每个合约的数据流和控制流信息。然后，通过整合单个合约的数据流信息、控制流信息以及函数调用关系，构建跨合约的数据流图和控制流图，从而获取变量的数据依赖和控制依赖关系。最后，通过检测转账操作中的转账金额以及转账操作中存在控制依赖的控制语句是否使用少量容易被操纵的信息，来判断被测合约是否存在价格预言机操纵风险。实验结果表明，该方法能有效检测智能合约中的价格预言机操纵攻击，具有较高的精确率和召回率。

关键词: 智能合约, 静态分析, 价格预言机操纵攻击, 区块链安全

Abstract:

Aiming at the problem of price oracle manipulation attacks on smart contracts, this paper proposed a price oracle manipulation source code detection method based on static analysis. This approach first established correspondences between caller function variables and called function parameters, as well as between callee function return values and caller variables based on user-input function call relationships. Subsequently, static analysis was applied to the source code of the tested function and other contracts involved during runtime to obtain data flow and controled flow information for each contract. Then, utilized the data flow and controled flow information for individual contracts, along with function call relationships, cross-contract data flow graphs and control flow graphs were constructed to ascertain variable data dependencies and controled dependencies. Finally, the method detected whether the transfer amount in transfer operations and controled statements which the transfer operations controled depend involve manipulation-prone information to determine the existence of price oracle manipulation risk in the tested contract. Experimental results demonstrate that this method effectively detects price oracle manipulation attacks in smart contracts with high precision and recall rates.

Key words: smart contract, static analysis, price oracle manipulation attack, blockchain security

中图分类号:

TP309

叶佳骏, 高翠凤, 薛吟兴. 基于静态分析的价格预言机操纵源代码检测方法研究[J]. 信息网络安全, 2025, 25(5): 732-746.

YE Jiajun, GAO Cuifeng, XUE Yinxing. Research on Price Oracle Manipulation Source Code Detection Method Based on Static Analysis[J]. Netinfo Security, 2025, 25(5): 732-746.

图/表 17

图1

图2

图3

表1

图4

图5

图6

图7

表2

图8

图9

表3

表4

表5

表6

表7

表8

参考文献 25

[1]	BUTERIN V. A Next-Generation Smart Contract and Decentralized Application Platform[J]. White Paper, 2014, 3(37): 1-36.
[2]	NAKAMOTO S. Bitcoin: A Peer-to-Peer Electronic Cash System[EB/OL]. [2024-04-10]. https://bitcoin.org/en/bitcoin-paper.
[3]	DefiLlama. DeFi Dashboard[EB/OL]. (2024-03-20)[2024-04-10]. https://defillama.com/.
[4]	SZABO N. Formalizing and Securing Relationships on Public Networks[J]. First Monday, 1997, 2(9): 1-25.
[5]	BARTOLETTI M, POMPIANU L. An Empirical Analysis of Smart Contracts:Platforms, Applications, and Design Patterns[C]// Springer. Financial Cryptography and Data Security. Heidelberg: Springer, 2017: 494-509.
[6]	MEHAR M I, SHIER C L, GIAMBATTISTA A, et al. Understanding a Revolutionary and Flawed Grand Experiment in Blockchain[J]. Journal of Cases on Information Technology, 2019, 21(1): 19-32.
[7]	QIAN Peng, LIU Zhenguang, HE Qinming, et al. Smart Contract Vulnerability Detection Technique: A Survey[J]. Journal of Software, 2022, 33(8): 3059-3085.
	钱鹏, 刘振广, 何钦铭, 等. 智能合约安全漏洞检测技术研究综述[J]. 软件学报, 2022, 33(8):3059-3085.
[8]	ZHANG Zhuo, ZHANG B, XU Wen, et al. Demystifying Exploitable Bugs in Smart Contracts[C]// IEEE. 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE). New York: IEEE, 2023: 615-627.
[9]	WU Siwei, WANG Dabao, HE Jianting, et al. DeFiRanger: Detecting Price Manipulation Attacks on DeFi Applications[EB/OL]. (2021-04-30)[2024-04-10]. https://arxiv.org/abs/2104.15068v1.
[10]	ZHANG Wuqi, WEI Lili, CHEUNG S C, et al. Combatting Front-Running in Smart Contracts: Attack Mining, Benchmark Construction and Vulnerability Detector Evaluation[J]. IEEE Transactions on Software Engineering, 2023, 49(6): 3630-3646.
[11]	QIN Kaihua, ZHOU Liyi, LIVSHITS B, et al. Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit[C]// Springer. Financial Cryptography and Data Security. Heidelberg: Springer, 2021: 3-32.
[12]	DONG Weiliang, LIU Zhe, LIU Kui, et al. Survey on Vulnerability Detection Technology of Smart Contracts[J]. Journal of Software, 2024, 35(1): 38-62.
	董伟良, 刘哲, 刘逵, 等. 智能合约漏洞检测技术综述[J]. 软件学报, 2024, 35(1): 38-62.
[13]	ALMAKHOUR M, SLIMAN L, SAMHAT A E, et al. Verification of Smart Contracts: A Survey[EB/OL]. (2019-06-10)[2024-04-10]. https://doi.org/10.1016/j.pmcj.2020.101227.
[14]	LUU L, CHU D H, OLICKEL H, et al. Making Smart Contracts Smarter[C]// ACM. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2016: 254-269.
[15]	GRIECO G, SONG W, CYGAN A, et al. Echidna:Effective, Usable, and Fast Fuzzing for Smart Contracts[C]// ACM. Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2020: 557-560.
[16]	CHESS B, MCGRAW G. Static Analysis for Security[J]. IEEE Security & Privacy, 2004, 2(6): 76-79.
[17]	SCHNEIDEWIND C, GRISHCHENKO I, SCHERER M, et al. EThor: Practical and Provably Sound Static Analysis of Ethereum Smart Contracts[C]// ACM. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2020: 621-640.
[18]	TIKHOMIROV S, VOSKRESENSKAYA E, IVANITSKIY I, et al. SmartCheck: Static Analysis of Ethereum Smart Contracts[C]// IEEE. 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). New York: IEEE, 2018: 9-16.
[19]	FEIST J, GRIECO G, GROCE A. Slither: A Static Analysis Framework for Smart Contracts[C]// IEEE. 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). New York: IEEE, 2019: 8-15.
[20]	CYTRON R, FERRANTE J, ROSEN B K, et al. Efficiently Computing Static Single Assignment Form and the Control Dependence Graph[J]. ACM Transactions on Programming Languages and Systems, 1991, 13(4): 451-490.
[21]	ABDELAZIZ T, HOBOR A. Smart Learning to Find Dumb Contracts (Extended Version)[EB/OL]. (2023-06-27)[2024-04-10]. https://arxiv.org/abs/2304.10726v2.
[22]	TJIAM K, WANG Rui, CHEN Huanhuan, et al. Your Smart Contracts are Not Secure: Investigating Arbitrageurs and Oracle Manipulators in Ethereum[C]// ACM. Proceedings of the 3rd Workshop on Cyber-Security Arms Race. New York: ACM, 2021: 25-35.
[23]	WANG S H, WU C C, LIANG Yuchuan, et al. ProMutator: Detecting Vulnerable Price Oracles in DeFi by Mutated Transactions[C]// IEEE. 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). New York: IEEE, 2021: 380-385.
[24]	DENG Xun, BEILLAHI S M, MINWALLA C, et al. Safeguarding DeFi Smart Contracts against Oracle Deviations[C]// ACM. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering. New York: ACM, 2024: 1-12.
[25]	Tintinweb. Smart Contract Sanctuary[EB/OL]. (2024-03-20)[2024-04-10]. https://github.com/tintinweb/smart-contract-sanctuary.git/.

符号	定义
A_x	用户转出或接收类型为x的token数量
O_i	价格预言机i
Manipulate(O_i)	对价格预言机i进行操纵
Value(A_x)	A_x的实际价值
Exchange(A_a, A_b,O_i)	用户进行货币交换，将A_a个token a交换为A_b个token b，A_b的数量计算依赖于O_i
Borrow(A_a, A_b,O_i)	用户将A_a个token a作为抵押，借贷A_b个token b，借贷是否成功的依据为O_i

符号	描述
DataDependentcy(a,b)	变量b数据依赖于变量a
DataFlow_Edge(a,b)	在数据流图中变量a和变量b之间存在一条从a到b的有向边
ControlDependency(c,d)	语句d的执行受到控制语句c的控制
PostDominate(c,d)	语句c被语句d后支配
ControlStmt(c)	语句c是一个控制语句
ControlFlow_Path(c,d)	在控制流图中语句c到语句d的路径

名称	配置信息
操作系统	Ubuntu 18.04
CPU	Intel(R) Xeon(R) Platinum 8160 CPU @2.10 GHz
内存	376 GB

合约名称	合约地址
Comptroller	0xbd193db8a909cAC57Cdb981Ea81B5dc270287F19
Comptroller	0xEA4b8dDb3aE257224dFD8C6aFc035204Eea75539

代码行数/行	合约数量/个	平均检测时间/s
小于6000	63	1693/63=26.87
大于6000	29	1434/29=49.44