SmartReco: Detecting Read-Only Reentrancy via Fine-Grained Cross-DApp Analysis

TL;DR

SmartReco is a novel framework combining static and dynamic analysis to detect Read-Only Reentrancy vulnerabilities across multiple DApps, addressing limitations of existing tools and uncovering new security risks.

Contribution

It introduces a new method for detecting cross-DApp Read-Only Reentrancy attacks using static analysis and multi-function fuzzing, improving detection accuracy and uncovering previously unknown vulnerabilities.

Findings

Achieves 88.63% precision and 86.36% recall in ROR detection.

Successfully identified 43 new RORs affecting around 520,000 USD.

Detects RORs across 123 popular DApps.

Abstract

Despite the increasing popularity of Decentralized Applications (DApps), they are suffering from various vulnerabilities that can be exploited by adversaries for profits. Among such vulnerabilities, Read-Only Reentrancy (called ROR in this paper), is an emerging type of vulnerability that arises from the complex interactions between DApps. In the recent three years, attack incidents of ROR have already caused around 30M USD losses to the DApp ecosystem. Existing techniques for vulnerability detection in smart contracts can hardly detect Read-Only Reentrancy attacks, due to the lack of tracking and analyzing the complex interactions between multiple DApps. In this paper, we propose SmartReco, a new framework for detecting Read-Only Reentrancy vulnerability in DApps through a novel combination of static and dynamic analysis (i.e., fuzzing) over smart contracts. The key design behind SmartReco is threefold: (1) SmartReco identifies the boundary between different DApps from the heavy-coupled cross-contract interactions. (2) SmartReco performs fine-grained static analysis to locate points of interest (i.e., entry functions) that may lead to ROR. (3) SmartReco utilizes the on-chain transaction data and performs multi-function fuzzing (i.e., the entry function and victim function) across different DApps to verify the existence of ROR. Our evaluation of a manual-labeled dataset with 45 RORs shows that SmartReco achieves a precision of 88.63% and a recall of 86.36%. In addition, SmartReco successfully detects 43 new RORs from 123 popular DApps. The total assets affected by such RORs reach around 520,000 USD.