BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects

Abstract: Due to the open-source nature of the blockchain ecosystem, it is common for new blockchains to fork or partially reuse the code of classic blockchains. For example, the popular Dogecoin, Litecoin, Binance BSC, and Polygon are all variants of Bitcoin/Ethereum. These "forked" blockchains thus could encounter similar vulnerabilities that are propagated from Bitcoin/Ethereum during forking or subsequently commit fetching. In this paper, we conduct a systematic study of detecting and investigating the propagated vu… Show more

“…On the other hand, similarity scores can be computed at the code-level or path-level, as explored in the work by Wang et al [129], where they tackled the tracking problem among devices and calculated similarity scores between devices for tracking purposes. Similarly, Yi et al [62] compared code in forked projects with their original counterparts to identify the spread of vulnerabilities using similarity score computation.…”

“…In [62], the authors present an alternative approach to identifying propagated vulnerabilities in forked blockchain programs through the development of a tool called BlockScope. The analysis is based on patched code in original projects.…”

“…An "unofficial fork" refers to forks that are not built from official authority and may contain unauthorized changes introduced by attackers. The work by Yi [62] provides comprehensive research regarding forked projects. To mitigate this threat, the verifier side can match the provenance's source location.…”

“…The introduction of this injected code to the target system depends on user actions. Various scenarios, such as library dependencies, updates, and downloads, exist [5], [13], [52], [54], [62]. For example, users may inadvertently introduce infected versions of Python libraries as dependencies, and unverified updates might automatically install malicious code.…”

Advanced Persistent Threats based on Supply Chain Vulnerabilities: Challenges, Solutions and Future Directions

“…On the other hand, similarity scores can be computed at the code-level or path-level, as explored in the work by Wang et al [129], where they tackled the tracking problem among devices and calculated similarity scores between devices for tracking purposes. Similarly, Yi et al [62] compared code in forked projects with their original counterparts to identify the spread of vulnerabilities using similarity score computation.…”

“…In [62], the authors present an alternative approach to identifying propagated vulnerabilities in forked blockchain programs through the development of a tool called BlockScope. The analysis is based on patched code in original projects.…”

“…An "unofficial fork" refers to forks that are not built from official authority and may contain unauthorized changes introduced by attackers. The work by Yi [62] provides comprehensive research regarding forked projects. To mitigate this threat, the verifier side can match the provenance's source location.…”

“…The introduction of this injected code to the target system depends on user actions. Various scenarios, such as library dependencies, updates, and downloads, exist [5], [13], [52], [54], [62]. For example, users may inadvertently introduce infected versions of Python libraries as dependencies, and unverified updates might automatically install malicious code.…”

Advanced Persistent Threats based on Supply Chain Vulnerabilities: Challenges, Solutions and Future Directions

GPTScan: Detecting Logic Vulnerabilities in Smart Contracts by Combining GPT with Program Analysis