Security reinforcement for Ethereum virtual machine
Information Processing & Management (IF 8.6), Pub Date: 2021-03-23, DOI: 10.1016/j.ipm.2021.102565
Fuchen Ma, Meng Ren, Ying Fu, Mingzhe Wang, Huizhong Li, Houbing Song, Yu Jiang

Smart contracts are more security-sensitive than other software for several reasons. First, smart contracts are immutable and thus cannot be easily patched once deployed. Second, smart contracts are directly tied to payments and can hold millions of dollars’ worth of digital currencies. Third, smart contracts are still a new practice and thus do not yet have best coding practices and development lifecycles tailored for decentralized apps. Even though several testing and verification tools have been developed, smart contract vulnerabilities remain a clear and present danger. In this paper, we present an approach that differs from existing ones, which attempt to eliminate vulnerabilities from smart contracts. Instead, we fortify Ethereum virtual machines (EVMs) to stop dangerous transactions once vulnerabilities are detected in real time. Since proving programs written in Turing-complete languages is undecidable, our approach complements current approaches by catching vulnerabilities and interrupting their execution at runtime. We have implemented our reinforcement on two widely used EVMs (js-evm and FISCO-BCOS-evm). The reinforced EVMs detect and interrupt all the vulnerabilities, 20% of them missed by testing tools, in 100 real smart contracts. Our approach is practical, with less than 34% overhead. In fact, the reinforced FISCO-BCOS-evm has been integrated into the official release of FISCO-BCOS adopted by a large Chinese bank, WeBank.




Updated: 2021-03-23