When Crypto Fails: Demystifying Cryptographic Defects in Ethereum Smart Contracts

doi:10.1109/TSE.2025.3551776

科研成果详情

题名	When Crypto Fails: Demystifying Cryptographic Defects in Ethereum Smart Contracts
作者	Zhang，Jiashuo 1; Chen，Jiachi 2; Shen，Yiming 2; Zhang，Tao 3; Wang，Yanlin 2; Chen，Ting 4,5; Gao，Jianbo 6; Chen，Zhong 1
发表日期	2025
发表期刊	IEEE Transactions on Software Engineering
ISSN/eISSN	0098-5589
卷号	51 期号:5 页码:1381-1398
摘要	Ethereum has officially provided a set of system-level cryptographic APIs to enhance smart contracts with cryptographic capabilities. These APIs have been utilized in over 13.8% of Ethereum transactions, motivating developers to implement various on-chain cryptographic tasks, such as digital signatures. However, since developers may not always be cryptographic experts, their ad-hoc and potentially defective implementations could compromise the theoretical guarantees of cryptography, leading to real-world security issues. To mitigate this threat, we conducted a comprehensive study aimed at demystifying and detecting cryptographic defects in smart contracts. Through the analysis of 3,762 real-world security reports, we defined 12 types of cryptographic defects in smart contracts with detailed descriptions and practical detection patterns. Based on this categorization, we proposed CryptoScan, the first static analyzer to automate the pre-deployment detection of cryptographic defects in smart contracts. CryptoScan utilizes cross-contract and inter-procedure static analysis to identify crypto-related execution paths and employs taint analysis to extract fine-grained crypto-specific semantics for defect detection. Furthermore, we collected a large-scale dataset containing 79,598 real-world crypto-related smart contracts and evaluated CryptoScan's effectiveness on it. The results demonstrated that CryptoScan achieves an overall precision of 96.1% and a recall of 93.3%. Notably, CryptoScan revealed that 19,707 (24.8%) out of 79,598 smart contracts contain at least one cryptographic defect. Although not all defects directly cause financial losses, they indicate prevalent non-standard cryptographic implementations that should be addressed in real-world practices.
关键词	cryptography defect detection Ethereum smart contract static analysis
DOI	10.1109/TSE.2025.3551776
URL	查看来源
语种	英语English
Scopus入藏号	2-s2.0-105000768248
引用统计
文献类型	期刊论文
条目标识符	https://repository.uic.edu.cn/handle/39GCC9TT/13438
专题	个人在本单位外知识产出
通讯作者	Chen，Jiachi
作者单位	1.Peking University,School of Computer Science,Beijing,100871,China 2.Sun Yat-sen University,School of Software Engineering,Zhuhai,510275,China 3.Macau University of Science and Technology,School of Computer Science and Engineering,999078,Macao 4.University of Electronic Science and Technology of China,School of Computer Science and Engineering,Chengdu,611731,China 5.Kashi Institute of Electronics and Information Industry,Kashi,844000,China 6.Beijing Jiaotong University,Beijing Key Laboratory of Security and Privacy in Intelligent Transportation,Beijing,100044,China
推荐引用方式 GB/T 7714	Zhang，Jiashuo,Chen，Jiachi,Shen，Yiminget al. When Crypto Fails: Demystifying Cryptographic Defects in Ethereum Smart Contracts[J]. IEEE Transactions on Software Engineering, 2025, 51(5): 1381-1398.
APA	Zhang，Jiashuo., Chen，Jiachi., Shen，Yiming., Zhang，Tao., Wang，Yanlin., .. & Chen，Zhong. (2025). When Crypto Fails: Demystifying Cryptographic Defects in Ethereum Smart Contracts. IEEE Transactions on Software Engineering, 51(5), 1381-1398.
MLA	Zhang，Jiashuo,et al."When Crypto Fails: Demystifying Cryptographic Defects in Ethereum Smart Contracts". IEEE Transactions on Software Engineering 51.5(2025): 1381-1398.