DEPOSafe: Demystifying the Fake Deposit Vulnerability in Ethereum Smart Contracts
Ru Ji, Ningyu He, Lei Wu, Haoyu Wang, Guangdong Bai, Yao Guo

TL;DR
This paper introduces DEPOSafe, an automated tool that detects fake deposit vulnerabilities in Ethereum ERC-20 smart contracts. It finds over 7,000 vulnerable contracts among the 176,000 analyzed, underscoring the need for improved security.
Contribution
The paper presents the first comprehensive analysis and detection tool for fake deposit vulnerabilities in Ethereum smart contracts, combining static and dynamic verification techniques.
Findings
Over 7,000 vulnerable contracts identified
Fake deposit attacks pose significant financial risks
DEPOSafe effectively detects vulnerabilities at scale
Abstract
Cryptocurrency has seen explosive growth in recent years, thanks to the evolvement of blockchain technology and its economic ecosystem. Besides Bitcoin, thousands of cryptocurrencies have been distributed on blockchains, while hundreds of cryptocurrency exchanges are emerging to facilitate the trading of digital assets. At the same time, it also attracts the attention of attackers. Fake deposit, as one of the most representative attacks (vulnerabilities) related to exchanges and tokens, has been frequently observed in the blockchain ecosystem, causing large financial losses. However, besides a few security reports, our community lacks an understanding of this vulnerability, for example its scale and impact. In this paper, we take the first step to demystify the fake deposit vulnerability. Based on the essential patterns we have summarized, we implement DEPOSafe, an…
Taxonomy
Topics: Blockchain Technology Applications and Security · Spam and Phishing Detection · Advanced Malware Detection Techniques
