Abstract

The frequent security incidents of contracts indicate a pressing need to ensure contract security from deployment to running stages, but the state-of-the-art (SOTA) analysis methods cannot work well for three requirements. (i) Identify contract defective code snippets, while generating exploit call sequences to help developers fix them. (ii) Monitor abnormal call behaviors, especially for multiple continuous transactions. (iii) Validate numerous unexploitable detection results automatically because manual verification is labor-intensive. (iv) To tackle these problems, we propose SymX, a symbolic execution-based security analysis art accounting for contract development and running stages. The experiment results demonstrate that it can accurately identify 90.22% of contracts and 98.04% of call transactions, as well as validate misreports as intended, which is superior to SOTAs, thereby protecting contracts better during the contract lifecycle. Currently, SymX is available at https://github.com/Secbrain/SymX.