Demystifying OpenZeppelin's Own Vulnerabilities and Analyzing Their Propagation in Smart Contracts

Code reuse is a common practice in software engineering. Developers of smart contracts pervasively reuse subcontracts to improve development efficiency. Like any program language, such subcontract reuse may unexpectedly include, or introduce vulnerabilities to the end-point smart contract. Indeed, prior empirical studies have identified a number of issues caused by code reuse in smart contracts. Unfortunately, automatically detecting such issues poses several unique challenges. Particularly, in most cases, smart contracts are compiled as bytecode, whose class-level information (e.g., inheritance, virtual function table), and even semantics (e.g., control flow and data flow) are fully obscured as a single smart contract after compilation. Therefore, it is rather difficult to identify the reused parts of subcontract from a given smart contract, not to mention finding potential vulnerabilities caused by subcontract misuse. In this paper, we propose Satellite, a new bytecode-level static analysis framework for subcontract misuse vulnerability (SMV) detection in smart contracts. Satellite incorporates a series of novel designs to enhance its overall effectiveness.. Particularly, Satellite utilizes a transfer learning method to recover the inherited methods, which are critical for identifying subcontract reuse in smart contracts. Further, Satellite extracts a set of fine-grained method-level features and performs a method-level comparison, for identifying the reuse part of subcontract in smart contracts. Finally, Satellite summarizes a set of SMV indicators according to their types, and hence effectively identifies SMVs. To evaluate Satellite, we construct a dataset consisting of 58 SMVs derived from real-world attacks and collect additional 56 SMV patterns from SOTA studies. Experiment results indicate that Satellite exhibits good performance in identifying SMV, with a precision rate of 84.68% and a recall rate of 92.11%. In addition, Satellite successfully identifies 14 new/unknown SMV over 10,011 realworld smart contracts, affecting a total amount of digital assets worth 201,358 USD.