Constructing a Precise Dynamic Control-flow Graph for EVM based Smart Contracts


Authors: Syue Siang Su


The presentation discusses the importance of smart contract security in blockchain technology and the need for reverse engineering and control flow graph construction to ensure correct execution logic.
  • Blockchain technology allows developers to define rules and create applications with automatic verification through smart contracts.
  • Front-end security issues in web3 can affect back-end security.
  • Reverse engineering and control flow graph construction are necessary for smart contract security.
  • Tools such as the Third Eye, Truffle, and ConsenSys can aid in auditing smart contract code.
  • Constructing a control flow graph helps to understand program flow and ensure correct execution logic.
The speaker provides an example of a vulnerability in a code snippet where the price is not multiplied by the quantity, allowing users to purchase multiple items for the price of one.


Blockchain technology has been trending in recent years; however, financial losses and impacts are increasing rapidly. By reviewing and investigating past incidents, it's obvious that "security" is mostly neglected or underestimated in projects in the DeFi and NFT fields. Though we have several auditing companies nowadays, it's still important for the industry to have ways of generating precise dynamic CFGs, which are the fundamental component of static analysis. Due to the limited computing resource available to the EVM (gas), we're able to do a full simulation in the EVM, get all possible paths to construct a CFG, and refine it iteratively. In this talk, I'll demonstrate how we can leverage a fully functional, working EVM implementation to construct a precise CFG, and use it to reverse engineer EVM-based smart contracts step by step.
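The following is an added example, not the speaker's tooling, of the idea the abstract describes: explore every path of a contract by simulating the EVM stack, collect the jump edges each path takes, and let the gas budget bound the exploration. It models only a small opcode subset (an assumption for brevity), treats calldata and storage as unknown values, forks at a JUMPI whose condition is unknown, and resolves JUMP targets that were pushed earlier and moved around with DUP/SWAP, which a static split at JUMPDESTs cannot do. The sample bytecode at the bottom is constructed for this example.

```python
from collections import defaultdict

# Opcode subset modelled by this example (an assumption; real contracts use many more)
STOP, ADD, MUL, SUB, LT, GT, EQ, ISZERO = 0x00, 0x01, 0x02, 0x03, 0x10, 0x11, 0x14, 0x15
CALLVALUE, CALLDATALOAD, POP, SLOAD, SSTORE = 0x34, 0x35, 0x50, 0x54, 0x55
JUMP, JUMPI, JUMPDEST, RETURN, REVERT, INVALID = 0x56, 0x57, 0x5B, 0xF3, 0xFD, 0xFE
PUSH1, PUSH32, DUP1, DUP16, SWAP1, SWAP16 = 0x60, 0x7F, 0x80, 0x8F, 0x90, 0x9F
TERMINATORS = {STOP, RETURN, REVERT, INVALID}
ARITH = {ADD, MUL, SUB, LT, GT, EQ, ISZERO}
# (pops, pushes) for plain opcodes; PUSH/DUP/SWAP/JUMP/JUMPI are special-cased below
EFFECT = {ADD: (2, 1), MUL: (2, 1), SUB: (2, 1), LT: (2, 1), GT: (2, 1), EQ: (2, 1),
          ISZERO: (1, 1), CALLVALUE: (0, 1), CALLDATALOAD: (1, 1), POP: (1, 0),
          SLOAD: (1, 1), SSTORE: (2, 0), JUMPDEST: (0, 0)}


def disassemble(code):
    """Map pc -> (opcode, push immediate or None) and collect the valid jump targets."""
    insns, jumpdests, pc = {}, set(), 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1  # a PUSH cut off by the end of code is zero-padded, as in the EVM
            insns[pc] = (op, int.from_bytes(code[pc + 1:pc + 1 + n].ljust(n, b"\0"), "big"))
            pc += 1 + n
        else:
            if op == JUMPDEST:
                jumpdests.add(pc)
            insns[pc] = (op, None)
            pc += 1
    return insns, jumpdests


def _eval(op, args):
    """Fold an operation whose operands are all concrete; None stands for 'unknown'."""
    if op not in ARITH or any(a is None for a in args):
        return None
    a, b = args[0], (args[1] if len(args) > 1 else 0)  # a is the top of the stack
    m = (1 << 256) - 1
    return {ADD: (a + b) & m, MUL: (a * b) & m, SUB: (a - b) & m, LT: int(a < b),
            GT: int(a > b), EQ: int(a == b), ISZERO: int(a == 0)}[op]


def build_cfg(code, gas=10_000):
    """Simulate every reachable path and return the blocks, edges and unresolved jumps.

    A JUMPI on an unknown condition forks both ways; on a concrete one only the
    feasible branch is followed. `gas` bounds the exploration like real gas does.
    """
    insns, jumpdests = disassemble(code)
    edges, unresolved, blocks = defaultdict(set), set(), set()
    worklist, seen = [(0, ())], set()  # (block start pc, stack snapshot)
    while worklist and gas > 0:
        leader, stack = worklist.pop()
        if (leader, stack) in seen:
            continue
        seen.add((leader, stack))
        blocks.add(leader)
        pc, stack = leader, list(stack)
        try:
            while pc in insns and gas > 0:
                gas -= 1
                op, imm = insns[pc]
                if PUSH1 <= op <= PUSH32:
                    stack.append(imm)
                    pc += 2 + (op - PUSH1)
                elif DUP1 <= op <= DUP16:
                    stack.append(stack[-(op - DUP1 + 1)])
                    pc += 1
                elif SWAP1 <= op <= SWAP16:
                    n = op - SWAP1 + 1
                    stack[-1], stack[-1 - n] = stack[-1 - n], stack[-1]
                    pc += 1
                elif op in (JUMP, JUMPI):
                    target = stack.pop()
                    cond = stack.pop() if op == JUMPI else 1  # JUMP is unconditional
                    if cond is None or cond != 0:  # the jump may be taken
                        if target in jumpdests:
                            edges[leader].add(target)
                            worklist.append((target, tuple(stack)))
                        else:  # unknown or invalid target: stack simulation alone cannot resolve it
                            unresolved.add((pc, target))
                    if op == JUMPI and (cond is None or cond == 0):  # may fall through
                        edges[leader].add(pc + 1)
                        worklist.append((pc + 1, tuple(stack)))
                    break
                elif op in TERMINATORS:
                    break
                elif op in EFFECT:
                    pops, pushes = EFFECT[op]
                    args = [stack.pop() for _ in range(pops)]
                    stack.extend([_eval(op, args)] * pushes)
                    pc += 1
                else:
                    raise NotImplementedError(f"opcode 0x{op:02x} at pc {pc} is not modelled")
        except IndexError:  # stack underflow: the EVM would abort this path
            unresolved.add((pc, "stack underflow"))
    return {"blocks": sorted(blocks),
            "edges": {k: sorted(v) for k, v in edges.items()},
            "unresolved": sorted(unresolved, key=lambda t: t[0])}


# Constructed sample: a calldata check, an internal call whose return address is
# passed on the stack, and an INVALID byte that no execution path reaches.
SAMPLE = bytes.fromhex(
    "600035"          # 00 PUSH1 0; CALLDATALOAD                  [x]
    "8015601257"      # 03 DUP1; ISZERO; PUSH1 0x12; JUMPI        -> revert block if x == 0
    "600e81601a56"    # 08 PUSH1 0x0e (ret); DUP2; PUSH1 0x1a; JUMP -> fn
    "5b905500"        # 0e JUMPDEST; SWAP1; SSTORE; STOP           store[x] = 2x
    "5b5060006000fd"  # 12 JUMPDEST; POP; PUSH1 0; PUSH1 0; REVERT
    "fe"              # 19 INVALID (dead code: a static split would still make it a block)
    "5b80019056"      # 1a JUMPDEST; DUP1; ADD; SWAP1; JUMP        -> return address from stack
)

if __name__ == "__main__":
    for key, value in build_cfg(SAMPLE).items():
        print(key, value)
```

Running it lists five reachable blocks (0x00, 0x08, 0x0e, 0x12, 0x1a) and the edges 0x00 to 0x08 and 0x12, 0x08 to 0x1a, and 0x1a back to 0x0e; the INVALID at 0x19 never appears because no path reaches it. A JUMP whose target is loaded from calldata lands in `unresolved`, which is exactly the case where a full EVM implementation with concrete inputs, as the abstract proposes, has to take over from stack simulation.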

