Open-World Assertion Checking for Smart Contracts via Game Semantics

TL;DR

This paper introduces a game semantics framework for open-world safety analysis of Ethereum smart contracts, providing formal guarantees and a practical tool that achieves high precision in vulnerability detection.

Contribution

It presents the first formal open-world interaction semantics for Ethereum smart contracts with soundness and completeness guarantees, and implements a precise assertion reachability tool.

Findings

YulTracer achieves 100% recall and precision on reentrancy benchmarks.

YulTracer detects known vulnerabilities in real-world exploits without false positives.

The approach is general and applicable to access control benchmarks.

Abstract

We present a game semantics framework for open-world safety analysis of Ethereum smart contracts. We model the interaction between a contract and its environment as a two-player game between the contract and the environment, and prove up to gas model approximations soundness: every assertion violation found corresponds to a real execution; and completeness: every open-world execution is captured. To our knowledge, this provides the first formal open-world interaction semantics for Ethereum smart contracts with mathematical guarantees of soundness and completeness. We implement this framework in YulTracer, an assertion reachability tool for real-world Solidity contracts, built on Yul, the intermediate language of the Solidity compiler. YulTracer uses concrete execution and exhaustively explores game traces within user-specified bounds. We evaluate it on reentrancy benchmarks, where YulTracer achieves 100% recall and precision -- the only tool to do so from those we examined -- and on two large real-world exploits (the DAO and PredyPool), where it detects the known vulnerabilities and produces no false positives on fixed versions. To our knowledge, YulTracer is the first tool to achieve this level of precision on real-world contracts without false positives. We additionally demonstrate generality of the approach via the examination of access control benchmarks.