CoinWatch: A Clone-Based Approach For Detecting Vulnerabilities in Cryptocurrencies

Hum, Qingze; Tan, Wei Jin; Tey, Shi Ying; Lenus, Latasha; Homoliak, Ivan; Lin, Yun; Sun, Jun

doi:10.1109/blockchain50366.2020.00011

Cited by 8 publications

(3 citation statements)

References 33 publications

(30 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Besides these works, three recent studies focused on the Bitcoin patch delay analysis that is most related to BlockScope's Calculator component. Specifically, CoinWatch [42] used four CVEs of Bitcoin to test and analyze the delay of many old Bitcoin's forked projects that are no longer maintained. It used the Simian the clone detector [1], i.e., simple string match, to detect only Type-1 clones.…”

Section: Related Workmentioning

confidence: 99%

BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects

Yi¹,

Fang²,

Wu³

et al. 2023

Proceedings 2023 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Due to the open-source nature of the blockchain ecosystem, it is common for new blockchains to fork or partially reuse the code of classic blockchains. For example, the popular Dogecoin, Litecoin, Binance BSC, and Polygon are all variants of Bitcoin/Ethereum. These "forked" blockchains thus could encounter similar vulnerabilities that are propagated from Bitcoin/Ethereum during forking or subsequently commit fetching. In this paper, we conduct a systematic study of detecting and investigating the propagated vulnerabilities in forked blockchain projects. To facilitate this study, we propose BlockScope, a novel tool that can effectively and efficiently detect multiple types of cloned vulnerabilities given an input of existing Bitcoin/Ethereum security patches. Specifically, BlockScope adopts similarity-based code match and designs a new way of calculating code similarity to cover all the syntax-wide variant (i.e., Type-1, Type-2, and Type-3) clones. Moreover, BlockScope automatically extracts and leverages the contexts of patch code to narrow down the search scope and locate only potentially relevant code for comparison.Our evaluation shows that BlockScope achieves good precision and high recall both at 91.8% (1.8 times higher recall than that in the state-of-the-art ReDeBug while with close precision). BlockScope allows us to discover 101 previously unknown vulnerabilities in 13 out of the 16 forked projects of Bitcoin and Ethereum, including 16 from Dogecoin, 6 from Litecoin, 1 from Binance BSC, and 4 from Optimism. We have reported all the vulnerabilities to their developers; 40 of them have been patched or accepted, 66 were acknowledged or under pending, and only 4 were rejected. We further investigate the propagation and patching processes of discovered vulnerabilities, and reveal three types of vulnerability propagation from source to forked projects, as well as the long delay (mostly over 200 days) for releasing patches in Bitcoin forks (vs. ∼100 days for Ethereum forks).

show abstract

Section: Related Workmentioning

confidence: 99%

BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects

Yi¹,

Fang²,

Wu³

et al. 2023

Proceedings 2023 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…However, unlike Li et al's work [19], we identified the locations of those vulnerabilities and patches in Bitcoin derivatives using their source code as well as Git commits because we wanted to also cover the cases where patch information is not reported through Git commits. Hum et al [14] used clone-code detection to find vulnerable crypto projects, and discovered 786 vulnerabilities from 384 projects using 4 CVEs (CVE-2018-17144, CVE-2016-10724, CVE-2016-10725, and CVE-2019-7167). In this paper, we report a much more efficient vulnerable code detection method: we use code commits to inspect code changes only, rather than examining the full source code.…”

Section: Related Workmentioning

confidence: 99%

Attack of the Clones: Measuring the Maintainability, Originality and Security of Bitcoin 'Forks' in the Wild

Choi¹,

Choi²,

Aiken³

et al. 2022

Preprint

View full text Add to dashboard Cite

Since Bitcoin appeared in 2009, over 6,000 different cryptocurrency projects have followed. The cryptocurrency world may be the only technology where a massive number of competitors offer similar services yet claim unique benefits, including scalability, fast transactions, and security. But are these projects really offering unique features and significant enhancements over their competitors? To answer this question, we conducted a large-scale empirical analysis of code maintenance activities, originality and security across 592 crypto projects. We found that about half of these projects have not been updated for the last six months; over two years, about three-quarters of them disappeared, or were reported as scams or inactive. We also investigated whether 11 security vulnerabilities patched in Bitcoin were also patched in other projects. We found that about 80% of 510 C-language-based cryptocurrency projects have at least one unpatched vulnerability, and the mean time taken to fix the vulnerability is 237.8 days. Among those 510 altcoins, we found that at least 157 altcoins are likely to have been forked from Bitcoin, about a third of them containing only slight changes from the Bitcoin version from which they were forked. As case studies, we did a deep dive into 20 altcoins (e.g., Litecoin, FujiCoin, and Feathercoin) similar to the version of Bitcoin used for the fork. About half of them did not make any technically meaningful change -failing to comply with the promises (e.g., about using Proof of Stake) made in their whitepapers.

show abstract

“…Despite focusing on different aspects than security, the authors suggest that code similarity might indicate inherited vulnerabilities. In [23], Hum et al propose a code evolution technique and a clone detection technique to indicate which cryptocurrencies are vulnerable once a vulnerability has been discovered. However, similar to all GitHub parsers, these techniques cannot infer when a given patch has been ported onto an altcoin in case of rebase operations since such timestamps are overwritten by rebase.…”

Section: Related Workmentioning

confidence: 99%

Estimating Patch Propagation Times across (Blockchain) Forks

Andreina¹,

Alluminio²,

Marson³

et al. 2022

Preprint

View full text Add to dashboard Cite

The wide success of Bitcoin has led to a huge surge of alternative cryptocurrencies (altcoins). Most altcoins essentially fork Bitcoin's code with minor modifications, such as the number of coins to be minted, the block size, and the block generation time. As such, they are often deemed identical to Bitcoin in terms of security, robustness, and maturity.In this paper, we show that this common conception is misleading. By mining data retrieved from the GitHub repositories of various altcoin projects, we estimate the time it took to propagate relevant patches from Bitcoin to the altcoins. We find that, while the Bitcoin development community is quite active in fixing security flaws of Bitcoin's code base, forked cryptocurrencies are not as rigorous in patching the same vulnerabilities (inherited from Bitcoin). In some cases, we observe that even critical vulnerabilities, discovered and fixed within the Bitcoin community, have been addressed by the altcoins tens of months after disclosure. Besides raising awareness of this problem, our work aims to motivate the need for a proper responsible disclosure of vulnerabilities to all forked chains prior to reporting them publicly.

show abstract

CoinWatch: A Clone-Based Approach For Detecting Vulnerabilities in Cryptocurrencies

Cited by 8 publications

References 33 publications

BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects

BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects

Attack of the Clones: Measuring the Maintainability, Originality and Security of Bitcoin 'Forks' in the Wild

Estimating Patch Propagation Times across (Blockchain) Forks

Contact Info

Product

Resources

About