首页|When Crypto Fails: Demystifying Cryptographic Defects in Ethereum Smart Contracts

When Crypto Fails: Demystifying Cryptographic Defects in Ethereum Smart Contracts

扫码查看
原文链接
  • NETL
  • NSTL
  • IEEE
Ethereum has officially provided a set of system-level cryptographic APIs to enhance smart contracts with cryptographic capabilities. These APIs have been utilized in over 13.8% of Ethereum transactions, motivating developers to implement various on-chain cryptographic tasks, such as digital signatures. However, since developers may not always be cryptographic experts, their ad-hoc and potentially defective implementations could compromise the theoretical guarantees of cryptography, leading to real-world security issues. To mitigate this threat, we conducted a comprehensive study aimed at demystifying and detecting cryptographic defects in smart contracts. Through the analysis of 3,762 real-world security reports, we defined 12 types of cryptographic defects in smart contracts with detailed descriptions and practical detection patterns. Based on this categorization, we proposed CryptoScan, the first static analyzer to automate the pre-deployment detection of cryptographic defects in smart contracts. CryptoScan utilizes cross-contract and inter-procedure static analysis to identify crypto-related execution paths and employs taint analysis to extract fine-grained crypto-specific semantics for defect detection. Furthermore, we collected a large-scale dataset containing 79,598 real-world crypto-related smart contracts and evaluated CryptoScan's effectiveness on it. The results demonstrated that CryptoScan achieves an overall precision of 96.1% and a recall of 93.3%. Notably, CryptoScan revealed that 19,707 (24.8%) out of 79,598 smart contracts contain at least one cryptographic defect. Although not all defects directly cause financial losses, they indicate prevalent non-standard cryptographic implementations that should be addressed in real-world practices.

Smart contractsSecurityBlockchainsDefect detectionDigital signaturesStatic analysisGeneratorsVectorsFilteringElliptic curves

Jiashuo Zhang、Jiachi Chen、Yiming Shen、Tao Zhang、Yanlin Wang、Ting Chen、Jianbo Gao、Zhong Chen

展开 >

School of Computer Science, Peking University, Beijing, China

School of Software Engineering, Sun Yat-sen University, Zhuhai, China

School of Computer Science and Engineering, Macau University of Science and Technology, Macau, China

School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China|Kashi Institute of Electronics and Information Industry, Kashi, China

Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing, China

展开 >

2025

10.1109/TSE.2025.3551776

IEEE transactions on software engineering

IEEE transactions on software engineering

ISSN:
年,卷(期):2025.51(5)
  • 86