DecentralCVE: An authoritative smart contract-CVE system

Author(s)
Ahn, Jihae
School of Computer Science
Abstract
Smart contracts have become a cornerstone of Decentralized Finance (DeFi). They are widely used to store cryptocurrencies, regulate prices, mediate balances, and automatically execute agreements among parties without the need for intermediaries. However, smart contracts may contain vulnerabilities, and their exploitation has led to costly hacking incidents in DeFi. The lack of a reliable, public vulnerability management system further limits the vulnerability information available to DeFi users. Motivated by these challenges, we propose DecentralCVE (Decentral Common Vulnerabilities and Exposures), an authoritative smart contract vulnerability management system that provides methods for reporting, verifying, and publicizing vulnerabilities. DecentralCVE consists of several primary components, including a workflow that incentivizes users to report and verify vulnerabilities. A vulnerability report must contain a Proof-of-Exploit (PoE) together with a precondition and a postcondition, which differentiates the system from conventional bug bounty programs. Additionally, DecentralCVE combines on-chain and off-chain implementations. We adopt a Trusted Execution Environment (TEE) to verify vulnerabilities automatically within a protected environment in which the PoE's suspicious transaction is executed only against a forked chain, so a malicious user cannot run it against the live chain. The verification program, which forks the blockchain to test a PoE inside the TEE, has been the main focus of our work. Among several candidate platforms, we implemented the verification program on Gramine in Intel Software Guard Extensions (SGX). This system represents a significant advancement in the field of smart contract security, providing a robust, trustworthy, and decentralized approach to vulnerability management. By ensuring both the confidentiality and integrity of the verification process through the use of a TEE, DecentralCVE provides a robust framework for enhancing the security of DeFi ecosystems.
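The verification workflow the abstract describes (fork the chain, check the reporter's precondition, replay the PoE, check the postcondition) can be shown as a small model. The following is an added example and not the thesis's own code: the chain is a constructed dict of balances, the PoE is a list of Python callables, the report format (`PoE` dataclass), the vulnerable `vulnerable_withdraw` "contract" and all account names are hypothetical, and the SGX enclave is not modelled, so only the control flow of the verifier is demonstrated.

```python
# Added example (not the thesis's own code): a simplified model of the PoE
# verification workflow described in the abstract. The real verifier runs a
# PoE against a forked EVM chain inside an SGX enclave; here the chain is a
# constructed dict of balances, the PoE is a list of Python callables, and
# the enclave is not modelled, so only the control flow is demonstrated.
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List

State = Dict[str, int]  # account name -> balance (toy ledger, constructed)


@dataclass
class PoE:
    """A report as the abstract describes it: exploit steps plus the
    precondition and postcondition the reporter claims (hypothetical format)."""
    precondition: Callable[[State], bool]
    steps: List[Callable[[State], None]]
    postcondition: Callable[[State], bool]


@dataclass
class Verdict:
    accepted: bool
    reason: str


def verify_poe(live: State, poe: PoE) -> Verdict:
    """Replay the PoE on a fork of `live` and decide whether the claim holds."""
    # 1. Fork: every step below touches only the copy, never the live ledger.
    fork = copy.deepcopy(live)
    # 2. The precondition must hold on the fork before any step runs, so that
    #    a report cannot describe an exploit against a state the chain is not in.
    if not poe.precondition(fork):
        return Verdict(False, "precondition does not hold on the forked state")
    # 3. Execute the exploit; a reverting step is a failed verification.
    try:
        for step in poe.steps:
            step(fork)
    except RuntimeError as exc:
        return Verdict(False, f"PoE step reverted: {exc}")
    # 4. The postcondition is the reporter's measurable claim of impact.
    if not poe.postcondition(fork):
        return Verdict(False, "postcondition does not hold after the PoE")
    return Verdict(True, "vulnerability reproduced on the fork")


# --- constructed vulnerable "contract" and three reports against it ----------

def vulnerable_withdraw(state: State, caller: str, amount: int) -> None:
    """Constructed bug: the vault pays out without checking that the caller
    ever deposited, so anyone can drain it."""
    if state["vault"] < amount:
        raise RuntimeError("insufficient vault liquidity")
    state["vault"] -= amount
    state[caller] += amount


def example_live_state() -> State:
    """Constructed snapshot of the live ledger at the pinned block."""
    return {"vault": 100, "attacker": 0, "attacker_deposit": 0}


def build_drain_poe() -> PoE:
    """A genuine report: an attacker with no deposit drains the whole vault."""
    return PoE(
        precondition=lambda s: s["vault"] >= 100 and s["attacker_deposit"] == 0,
        steps=[lambda s: vulnerable_withdraw(s, "attacker", 100)],
        postcondition=lambda s: s["attacker"] >= 100 and s["vault"] == 0,
    )


def build_bogus_poe() -> PoE:
    """A report whose steps do not produce the postcondition it claims."""
    return PoE(
        precondition=lambda s: s["vault"] >= 100,
        steps=[lambda s: vulnerable_withdraw(s, "attacker", 1)],
        postcondition=lambda s: s["attacker"] >= 100,
    )


def build_overclaiming_poe() -> PoE:
    """A report whose steps revert: it asks for more than the vault holds."""
    return PoE(
        precondition=lambda s: s["vault"] >= 100,
        steps=[lambda s: vulnerable_withdraw(s, "attacker", 1_000)],
        postcondition=lambda s: s["attacker"] >= 1_000,
    )


if __name__ == "__main__":
    live = example_live_state()
    for name, poe in [("drain", build_drain_poe()), ("bogus", build_bogus_poe()),
                      ("overclaim", build_overclaiming_poe())]:
        print(name, verify_poe(live, poe))
    # The live ledger is untouched regardless of what the PoEs did on the fork.
    print("live unchanged:", live == example_live_state())
```

Only the genuine report is accepted; the report whose steps fall short of its postcondition and the report whose steps revert are both rejected with a reason, and the live ledger is identical before and after every run. In the thesis's setting the fork is an EVM fork at a pinned block, the conditions are predicates over EVM state, and running this loop inside the SGX enclave is what keeps the exploit steps confidential from whoever operates the verifier.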
Date
2024-07-30
Resource Type
Text
Resource Subtype
Thesis