VPRLab/SoMo

A specialized tool for smart contract modifier analysis based on the Modifier Dependency Graph (MDG)
SoMo: Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts

For the dataset used in the paper, please refer to the dataset repository at VPRLab/ModifierDataset.

Overview

SoMo is the implementation of the paper "SoMo: Beyond “Protected” and “Private”: An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts", published at ISSTA'23, and has been integrated into the MetaScan service hosted by MetaTrustLab. SoMo is a static analyzer built on Slither that uses taint analysis to detect bypassable modifiers in Solidity smart contracts, i.e. custom modifiers whose access check can be defeated because the state it depends on is reachable through a path the modifier does not protect.

Usage

You can find the ISSTA paper via this link; please consider citing it if SoMo is useful to you.

@INPROCEEDINGS{SoMo2023,
  author = {Fang, Yuzhou and Wu, Daoyuan and Yi, Xiao and Wang, Shuai and Chen, Yufan and Chen, Mengjie and Liu, Yang and Jiang, Lingxiao},
  booktitle = {Proc. ACM ISSTA},
  title = {Beyond ``Protected'' and ``Private'': An Empirical Security Analysis of Custom Function Modifiers in Smart Contracts},
  year = {2023}
}

MetaTrustLab hosts another version of SoMo running on MetaScan, and the code is available in falcon.

Get Started

Prerequisites

  • We ran our experiments on Ubuntu 20.04 LTS.
  • SoMo is developed in Python 3.10.
  • SoMo relies on slither, solc-select, networkx, and z3-solver. All required packages are listed in requirements.txt.

Follow these steps to build SoMo locally.

git clone git@github.com:VPRLab/SoMo.git && cd SoMo
pip install -r requirements.txt

Quick Start

SoMo takes two inputs: the contract source code and a contract setting file.

  • The contract source code is usually a file with a .sol suffix.
  • The contract setting is a JSON file with two essential fields:
    • ContractName: the contract (among those in the source file) that was actually deployed to Ethereum mainnet.
    • CompilerVersion: the Solidity compiler version used to compile the source code.

Users specify the paths of the source code and setting files with -c, --code and -s, --setting, respectively.

For instance, the example folder contains a vulnerable contract together with its setting file.

To detect its bypassable modifiers, invoke SoMo with the following command:

python somo -c example/contract.sol -s example/contract.json
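To make the idea behind the tool concrete, the following is an added example, not code from the SoMo repository: a deliberately simplified model of the Modifier Dependency Graph (MDG) mentioned in the repository description. A modifier guards functions by checking state variables; if one of those variables can be rewritten through an externally callable function that the modifier does not itself protect, directly or via modifiers that are themselves bypassable, the modifier is bypassable. The contract shapes (initialize, setAdmin, withdraw, transferOwnership, the onlyOwner and onlyAdmin modifiers) are hand-constructed and hypothetical, the analysis is a toy rather than SoMo's taint analysis, and the contract name and compiler version passed to the setting helper are placeholders; the page does not show the exact CompilerVersion string format SoMo expects.

```python
"""Toy Modifier Dependency Graph check (added illustration, not SoMo's code).

Contracts are modelled as plain Python records, so this runs without Slither
or solc.  All contract shapes below are constructed for the example.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Modifier:
    name: str
    reads: frozenset  # state variables the modifier's require() checks


@dataclass(frozen=True)
class Function:
    name: str
    writes: frozenset       # state variables the body assigns
    guards: frozenset       # modifiers applied to the function
    external: bool = True   # callable from outside the contract


def find_bypassable(modifiers, functions):
    """Return {modifier_name: (function_name, variable)} for every modifier
    whose checked variable can be written by an externally callable function
    that is not protected by that modifier, either directly (no modifiers at
    all) or transitively (protected only by modifiers already found bypassable).

    The loop is a least fixed point over the dependency graph
    modifier -> checked variable -> writing function -> that function's
    modifiers, so a guard whose variable is only written under that same guard
    (e.g. transferOwnership under onlyOwner) is never reported."""
    bypassable = {}
    changed = True
    while changed:
        changed = False
        for mod in modifiers:
            if mod.name in bypassable:
                continue
            for fn in functions:
                if not fn.external or mod.name in fn.guards:
                    continue
                hit = mod.reads & fn.writes
                if hit and all(g in bypassable for g in fn.guards):
                    bypassable[mod.name] = (fn.name, min(hit))
                    changed = True
                    break
    return bypassable


def setting_json(contract_name, compiler_version):
    """Contract setting file with the two fields the README describes.
    The exact CompilerVersion string format is an assumption here."""
    return json.dumps({"ContractName": contract_name,
                       "CompilerVersion": compiler_version}, indent=2)


# Hypothetical weak contract: a public initializer that can be called again
# overwrites `owner`, so onlyOwner is bypassable; setAdmin is guarded only by
# onlyOwner, so onlyAdmin falls transitively.
ONLY_OWNER = Modifier("onlyOwner", frozenset({"owner"}))
ONLY_ADMIN = Modifier("onlyAdmin", frozenset({"admins"}))
WEAK_FUNCTIONS = [
    Function("initialize", frozenset({"owner"}), frozenset()),
    Function("setAdmin", frozenset({"admins"}), frozenset({"onlyOwner"})),
    Function("withdraw", frozenset({"balance"}), frozenset({"onlyAdmin"})),
]

# Hardened variant: owner is set once in the constructor (not a callable
# function, so not modelled) and afterwards only changed under onlyOwner.
HARDENED_FUNCTIONS = [
    Function("transferOwnership", frozenset({"owner"}), frozenset({"onlyOwner"})),
    Function("setAdmin", frozenset({"admins"}), frozenset({"onlyOwner"})),
    Function("withdraw", frozenset({"balance"}), frozenset({"onlyAdmin"})),
]


def analyze(functions):
    """Run the toy check against the two hypothetical modifiers."""
    return find_bypassable([ONLY_OWNER, ONLY_ADMIN], functions)


if __name__ == "__main__":
    print("weak:", analyze(WEAK_FUNCTIONS))
    print("hardened:", analyze(HARDENED_FUNCTIONS))
    print(setting_json("Vault", "v0.8.19"))  # placeholder values
```

The weak contract reports both modifiers with a witness path each (initialize rewrites owner with no guard at all; setAdmin rewrites admins behind a guard that is already bypassable), while the hardened contract reports nothing. The real tool derives the reads, writes and guards from Slither's intermediate representation and tracks taint through the modifier body instead of relying on hand-written records.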

For more information, please refer to our paper or get help from python somo -h.