Go to OpenReview Public Article ORCID homepageWhen Crypto Fails: Demystifying Cryptographic Defects in Ethereum Smart Contracts
Abstract: Ethereum has officially provided a set of system-level cryptographic APIs to enhance smart contracts with cryptographic capabilities. These APIs have been utilized in over 13.8% of Ethereum transactions, motivating developers to implement various on-chain cryptographic tasks, such as digital signatures. However, since developers may not always be cryptographic experts, their ad-hoc and potentially defective implementations could compromise the theoretical guarantees of cryptography, leading to real-world security issues. To mitigate this threat, we conducted a comprehensive study aimed at demystifying and detecting cryptographic defects in smart contracts. Through the analysis of 3,762 real-world security reports, we defined 12 types of cryptographic defects in smart contracts with detailed descriptions and practical detection patterns. Based on this categorization, we proposed CryptoScan, the first static analyzer to automate the pre-deployment detection of cryptographic defects in smart contracts. CryptoScan utilizes cross-contract and inter-procedure static analysis to identify crypto-related execution paths and employs taint analysis to extract fine-grained crypto-specific semantics for defect detection. Furthermore, we collected a large-scale dataset containing 79,598 real-world crypto-related smart contracts and evaluated CryptoScan's effectiveness on it. The results demonstrated that CryptoScan achieves an overall precision of 96.1% and a recall of 93.3%. Notably, CryptoScan revealed that 19,707 (24.8%) out of 79,598 smart contracts contain at least one cryptographic defect. Although not all defects directly cause financial losses, they indicate prevalent non-standard cryptographic implementations that should be addressed in real-world practices.
External IDs:doi:10.1109/tse.2025.3551776
Loading