| 摘要: |
| 自2016年The DAO事件以来,重入攻击事件频发,数量呈逐年上升趋势,已造成高达数十亿美元的经济损失,成为智能合约安全的重大威胁。尽管研究人员和开发人员提出了许多应对方法,但重入攻击的危害仍在持续加剧。作为一种复杂且危险的智能合约攻击类型,重入攻击有多种表现形式,从复杂多变的表现形式中提炼其关键特征是一项有价值但具有挑战性的工作。然而,现有重入漏洞和攻击相关研究普遍存在对重入攻击认识片面以及所使用的重入漏洞合约数据集数据量较小且可信度存疑的问题,难以有效应对实际威胁。鉴于此,本文对2016年至2024年7月期间真实发生的重入攻击案例进行了系统性研究。通过全面剖析真实案例,本文从路径、控制权转移方式、读写行为和被攻击合约数四个关键维度对重入攻击行为模式进行了细致分类,并探讨了各分类维度的意义。进一步地,本文对大部分重入攻击真实案例进行了分类整理与宏观分析,旨在揭示真实发生的重入攻击在各分类维度上的表现及其变化趋势。基于分类研究,本文总结了重入攻击的关键特征,以期更全面地描述重入攻击。最后,本文对当前用于合约开发阶段的重入攻击防范方法进行了深入探讨,分析了其适用性与局限性并提出了改进建议。本文基于真实案例,以攻击行为为切入点,对重入攻击进行了全面深入的分析,以期在智能合约重入漏洞的分析、检测和预防方面为相关研究人员和开发人员提供理论支持与实践指导。 |
| 关键词: 区块链 智能合约 重入攻击 行为模式 分类 |
| DOI: |
| 投稿时间:2024-10-11修订日期:2025-03-17 |
| 基金项目: |
|
| A Survey on Behavior Patterns of Reentrancy Attacks in Smart Contracts |
|
LU YI HAN1, ZHU Xueyang2, ZHANG Wenhui2
|
| (1.Hangzhou Institute for Advanced Study, UCAS;2.Institute of Software Chinese Academy of Sciences) |
| Abstract: |
| Since The DAO attack in 2016, reentrancy attacks have occurred frequently, with their frequency increasing year by year, leading to economic losses amounting to billions of dollars, thus posing a significant threat to the security of smart contracts. Despite various countermeasures proposed by researchers and developers, the dangers of reentrancy attacks continue to escalate. As a complex and dangerous type of smart contract vulnerability, reentrancy attacks can manifest in various forms. Extracting the key features of these attacks from their complex and diverse patterns is is a valuable but challenging task. However, existing research on reentrancy vulnerability and attacks generally suffers from a limited understanding of reentrancy attacks and issues related to the small size and questionable credibility of datasets containing vulnerable contracts, making it difficult to effectively address real-world threats. In this paper, we conduct a systematic study of reentrancy attacks that occurred between 2016 and July 2024. By thoroughly analyzing real-world attacks, we categorize reentrancy attack behaviors into four key dimensions: attack paths, ways of control flow transfer, read-write behaviors, and the number of affected contracts, and we explore the significance of each dimension. Furthermore, we classify and analyze the majority of real-world reentrancy attack cases from a macro perspective, aiming to reveal the performance and evolving trends of reentrancy attacks across these dimensions. Based on this classification, we summarize the key characteristics of reentrancy attacks, providing a more comprehensive description of reentrancy attacks. Finally, we delve into the current reentrancy prevention methods employed during the contract development phase, analyze their applicability and limitations, and propose suggestions for improvement. This paper, based on real-world case studies and focusing on attack behaviors, provides a comprehensive and in-depth analysis of reentrancy attacks, aiming to offer theoretical support and practical guidance for researchers and developers in the analysis, detection, and prevention of reentrancy vulnerabilities in smart contracts. |
| Key words: blockchain smart contract reentrancy attack behavior pattern classification |
