Mu Zhang, an assistant professor at the Kahlert School of Computing, and his research team have received a grant of US $65,421 from Cisco Research to look into safety issues surrounding smart contracts. Zhang’s research aims to develop new techniques to automatically and robustly understand the logic and risks of smart contracts. “It is very exciting to collaborate with industrial partners on solving real-world security problems in Fintech,” said Zhang.

Smart contracts are autonomous computer programs running on top of blockchain technology. Because smart contracts offer the unique ability to enable trustworthy and decentralized transactions, they are used in popular decentralized applications (DApps), such as NFT (Non-Fungible Token) marketplaces, emerging decentralized finance (DeFi) and digital games (e.g. CryptoKitties). Monthly transaction volumes for DApps alone are in the billions of US dollars.

Since the use of smart contracts is booming, it is critical to ensure that they are implemented correctly and securely. Yet, current smart contracts can sometimes go wrong. Academic research as well as real-world attacks have shown that flawed logic in smart contracts may lead to severe financial losses. For example, US $60 million was stolen in the infamous DAO attack because of a bug in a smart contract. 

Although many researchers have begun looking into the vulnerabilities in smart contracts, identifying faulty logic in them remains difficult. Take auction contracts for example. A “no-reserve” auction is an auction in which the item for sale will be sold regardless of price. As a result, the seller must not be allowed to participate, as the seller can reject an offer simply by placing a higher bid. If it is known that a smart contract implements auction logic, it can be verified whether it follows the “no-reserve” rule. But how can one tell whether a given smart contract implements an auction in the first place?

Zhang’s insight is that the intrinsic logic of financial applications lies in the robust control and data dependencies of smart contract code. For instance, an English auction requires identifying the highest bidder and comparing every new bid with the current highest bid. This means that there is a data dependency between the input (new bid) and the comparison. If a new bid is higher than the previous highest bid, the auction will accept the new bid price as the highest bid. This highlights a control dependency between the comparison result and the following actions.

To capture such dependencies, Zhang plans to perform static control flow and data flow analyses on the code for smart contracts and represent the extracted information as a novel graph. If two graphs are similar, the programs they represent are likely to implement the same logic. Simply comparing the graph of a program with that of a known auction contract can indicate whether the program implements an auction.

Nevertheless, comparing graphs is not trivial. It can be computationally expensive due to the graph isomorphism problem. To solve this problem, Zhang will employ a machine learning technique called graph representation learning. This technique can train a machine learning model to encode only the necessary graph information as a vector. Then, instead of comparing complex graphs, the similarity can be checked quickly by comparing simple vectors.
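The idea of turning dependency graphs into vectors and comparing the vectors can be sketched in a few lines. The following is an added example, not code from Zhang's project: it uses hand-rolled Weisfeiler-Lehman label refinement as a simple stand-in for a learned graph representation, and the three graphs and their operation names are constructed assumptions rather than output of a real contract analysis.

```python
from collections import Counter
from math import sqrt

def wl_embedding(nodes, edges, rounds=2):
    """Embed a dependency graph as a bag of Weisfeiler-Lehman labels.
    nodes: {node_id: operation}; edges: [(src, dst, "data" | "control")]."""
    labels = dict(nodes)
    features = Counter(labels.values())
    for _ in range(rounds):
        refined = {}
        for n in nodes:
            # A node's new label is its old label plus the sorted multiset of
            # (direction, dependency kind, neighbour label); node ids never enter.
            neigh = sorted(
                [("out", kind, labels[d]) for s, d, kind in edges if s == n]
                + [("in", kind, labels[s]) for s, d, kind in edges if d == n])
            refined[n] = repr((labels[n], neigh))
        labels = refined
        features.update(labels.values())
    return features

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm

# Constructed graphs (not extracted from real contracts).
# English auction: new bid and stored highest bid feed a comparison (data);
# the branch on its result guards the state update and the refund (control).
AUCTION_NODES = {"bid": "input", "hi": "load_state", "cmp": "compare",
                 "br": "branch", "st": "store_state", "refund": "transfer"}
AUCTION_EDGES = [("bid", "cmp", "data"), ("hi", "cmp", "data"), ("cmp", "br", "data"),
                 ("br", "st", "control"), ("bid", "st", "data"), ("br", "refund", "control")]
# Second auction: same logic, different names, plus an event emitted on success.
AUCTION2_NODES = {"v0": "input", "v1": "load_state", "v2": "compare", "v3": "branch",
                  "v4": "store_state", "v5": "transfer", "v6": "emit_event"}
AUCTION2_EDGES = [("v0", "v2", "data"), ("v1", "v2", "data"), ("v2", "v3", "data"),
                  ("v3", "v4", "control"), ("v0", "v4", "data"), ("v3", "v5", "control"),
                  ("v3", "v6", "control")]
# Deposit: balance += amount, with no comparison and no branch.
DEPOSIT_NODES = {"amt": "input", "bal": "load_state", "add": "arith", "st": "store_state"}
DEPOSIT_EDGES = [("amt", "add", "data"), ("bal", "add", "data"), ("add", "st", "data")]

def similarity_to_auction(nodes, edges):
    return cosine(wl_embedding(AUCTION_NODES, AUCTION_EDGES), wl_embedding(nodes, edges))

if __name__ == "__main__":
    print("auction variant:", round(similarity_to_auction(AUCTION2_NODES, AUCTION2_EDGES), 3))
    print("deposit:        ", round(similarity_to_auction(DEPOSIT_NODES, DEPOSIT_EDGES), 3))
```

The renamed auction variant scores far closer to the reference auction than the deposit contract does, even though all three share input, state-load and state-store operations; the difference comes from the compare-then-branch dependency pattern.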

Related to this project, Zhang has recently published the paper “Towards Automated Safety Vetting of Smart Contracts in Decentralized Applications,” one of 15 papers that won a Best Paper Honorable Mention award at the 2022 ACM Conference on Computer and Communications Security (CCS 2022) in Los Angeles, CA. His research interests more broadly include developing tools to detect, diagnose and address security problems of software systems in different domains.