Blockchain is a distributed ledger technology that allows users to record and share information safely and transparently. A smart contract is a contract decided based on a blockchain and is a program that automatically executes or executes contract terms. Smart contracts improve the transparency and reliability of transactions by utilizing the tampering prevention function of blockchain technology. Software security vulnerability refers to the fundamental cause of vulnerabilities caused by logical errors, bugs, and mistakes that can be defective in software development. To prevent software security accidents, security weaknesses must be analyzed before the program is distributed. Smart contract codes that operate on ethereum, a blockchain-based framework, can have security vulnerabilities inside the code. When the contract is completed and the block is created, the chaincode cannot be arbitrarily modified, so the security weakness must be analyzed before execution. In this paper, we used deep learning's graph neural network (GNN) to detect security vulnerabilities in solidity codes. To analyze security vulnerabilities in solidity code, we defined eight types of security weakness items, converted the solidity code into graph data. In order to represent both the structural elements of the program, the control flow, and the data flow, the solidity code was converted into an abstract syntax tree (AST) and the graph information required for GNN learning was extracted from AST to convert the solidity code into a graph. Next, after generating several datasets for training GNN models by integrating these graph data and their properties with labels, it is possible to detect whether security vulnerabilities exist in the solidity code through GNN learning. This method performs security weakness detection more effectively than conventional rule-based methods.
I.C. Lin and T.C. Liao, “A Survey of Blockchain Security Issues and Challenges”, International Journal of Network Security, Vol. 19, No. 5, pp. 653–659, 2017.
Z. Zheng, S. Xie, H. N. Dai, X. Chen, and H. Wang, “Blockchain challenges and opportunities: a survey,” International Journal of Web and Grid Services, vol. 14, no. 4, p. 352, 2018, doi: 10.1504/ijwgs.2018.095647.
S. Wang, Y. Yuan, X. Wang, J. Li, R. Qin, and F.-Y. Wang, “An Overview of Smart Contract: Architecture, Applications, and Future Trends,” 2018 IEEE Intelligent Vehicles Symposium (IV), pp. 108–113, Jun. 2018, doi: 10.1109/ivs.2018.8500488.
S.-Y. Lin, L. Zhang, J. Li, L. Ji, and Y. Sun, “A survey of application research based on blockchain smart contract,” Wireless Networks, vol. 28, no. 2, pp. 635–690, Jan. 2022, doi: 10.1007/s11276-021-02874-x.
S. N. Khan, F. Loukil, C. Ghedira-Guegan, E. Benkhelifa, and A. Bani-Hani, “Blockchain smart contracts: Applications, challenges, and future trends,” Peer-to-Peer Networking and Applications, vol. 14, no. 5, pp. 2901–2925, Apr. 2021, doi: 10.1007/s12083-021-01127-0.
S. S. Kushwaha, S. Joshi, D. Singh, M. Kaur, and H.-N. Lee, “Systematic Review of Security Vulnerabilities in Ethereum Blockchain Smart Contract,” IEEE Access, vol. 10, pp. 6605–6621, 2022, doi: 10.1109/access.2021.3140091.
M. E. Fagan, “Design and code inspections to reduce errors in program development,” IBM Systems Journal, vol. 38, no. 2.3, pp. 258–287, 1999, doi: 10.1147/sj.382.0258.
Y. Son, Y. Lee and S. Oh, “A Software Weakness Analysis Methods for the Secured Software”, The Asian International Journal of Life Sciences, Vol. 12, pp. 423-434, 2015.
“A Smart Contract Weakness and Security Hole Analyzer Using Virtual Machine Based Dynamic Monitor,” Journal of Logistics, Informatics and Service Science, Jan. 2022, doi: 10.33168/liss.2022.0104.
“A Study on Intermediate Code Generation for Security Weakness Analysis of Smart Contract Chaincode,” Journal of Logistics, Informatics and Service Science, Jan. 2022, doi: 10.33168/liss.2022.0105.
S. Kim, Y. Son, Y. Lee, "A Study on Chaincode Security Weakness Detector in Hyperledger Fabric Blockchain Framework for IT Development," Journal of Green Engineering, Alpha Publishers, Vol. 10, No. 10, pp. 7820-7844, Oct 2020.
F. Scarselli, M. Gori, Ah Chung Tsoi, M. Hagenbuchner, and G. Monfardini, “The Graph Neural Network Model,” IEEE Transactions on Neural Networks, vol. 20, no. 1, pp. 61–80, Jan. 2009, doi: 10.1109/tnn.2008.2005605.
L. Wu, P. Cui, J. Pei, and L. Zhao, Eds., Graph Neural Networks: Foundations, Frontiers, and Applications. Springer Nature Singapore, 2022. doi: 10.1007/978-981-16-6054-2.
D. Zheng, M. Wang, Q. Gan, Z. Zhang, and G. Karypis, “Learning Graph Neural Networks with Deep Graph Library,” Companion Proceedings of the Web Conference 2020, pp. 305–306, Apr. 2020, doi: 10.1145/3366424.3383111.
S. Kim, R. Y. C. Kim, and Y. B. Park, “Software Vulnerability Detection Methodology Combined with Static and Dynamic Analysis,” Wireless Personal Communications, vol. 89, no. 3, pp. 777–793, Dec. 2015, doi: 10.1007/s11277-015-3152-1.
B. Chess and G. McGraw, “Static analysis for security,” IEEE Security and Privacy Magazine, vol. 2, no. 6, pp. 76–79, Nov. 2004, doi: 10.1109/msp.2004.111.
A. Petukhov, et al., "Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing." online Proceedings of the Application Security Conference, (2008).
S. Peyrott, An Introduction to Ethereum and Smart Contracts, Auth0, 2017.
https://www.ethereum.org/
Deep Graph Library (DGL), https://www.dgl.ai/
Y. Lee, J. Jeong, and Y. Son, “Design and implementation of the secure compiler and virtual machine for developing secure IoT services,” Future Generation Computer Systems, vol. 76, pp. 350–357, Nov. 2017, doi: 10.1016/j.future.2016.03.014.
Acknowledgements
Authors thank Reviewers for taking the time and effort necessary to review the manuscript.
Funding
No funding was received to assist with the preparation of this manuscript.
Ethics declarations
Conflict of interest
The authors have no conflicts of interest to declare that are relevant to the content of this article.
Availability of data and materials
Data sharing is not applicable to this article as no new data were created or analysed in this study.
Author information
Contributions
All authors have equal contribution in the paper and all authors have read and agreed to the published version of the manuscript.
Corresponding author
Yunsik Son
Department of Computer Science and Engineering, Dongguk University, Pil-dong, Jung-gu, Seoul, Korea.
Open Access This article is licensed under a Creative Commons Attribution NoDerivs is a more restrictive license. It allows you to redistribute the material commercially or non-commercially but the user cannot make any changes whatsoever to the original, i.e. no derivatives of the original work. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/4.0/
Cite this article
Sunghyun Kim, Seunggi Jung, Yunsik Son and Yangsun Lee, “A Study on the Security Weakness Detection of Solidity Smart Contracts using Graph Neural Networks on Blockchain Platforms”, Journal of Machine and Computing. doi: 10.53759/7669/jmc202505019.
