Static Detection of Untrusted Cross-Contract Invocations in Go Smart Contracts / Olivieri, L.; Negrini, L.; Arceri, V.; Ferrara, P.; Cortesi, A.; Spoto, F. - (2025), pp. 338-347. (40th Annual ACM Symposium on Applied Computing, SAC 2025, Italy, 2025) [10.1145/3672608.3707728].

Static Detection of Untrusted Cross-Contract Invocations in Go Smart Contracts

Arceri V.
2025-01-01

Abstract

A blockchain is a trustless system in an environment populated by untrusted peers. Code deployed in blockchain as a smart contract should be cautious when invoking contracts of other peers as they might introduce several risks and unexpected issues. This paper presents an information flow-based approach for detecting cross-contract invocations to untrusted contracts, written in general-purpose languages, that could lead to arbitrary code executions and store any results coming from them. The analysis is implemented in GoLiSA, a static analyzer for Go. Our experimental results show that GoLiSA is able to detect all vulnerabilities related to untrusted cross-contract invocations on a significant benchmark suite of smart contracts written in Go for Hyperledger Fabric, an enterprise framework for blockchain solutions.

Use this identifier to cite or link to this document: https://hdl.handle.net/11381/3026314