Smart
contracts on permissionless blockchains are exposedto inherent security
risks due to interactions with untrusted entities. Static analyzers are
essential for identifying security risks and avoiding millions of
dollars worth of damage.
We introduce Ethainter, a security analyzer
checking information flow with data sanitization in smart contracts.
Ethainter identifies composite attacks that involve an escalation of
tainted information, through multiple transactions, leading to severe
violations. The analysis scales to the entire blockchain, consisting of
hundreds of thousands of unique smart contracts, deployed over millions
of accounts. Ethainter is more precise than previous approaches, as we
confirm by automatic exploit generation (e.g., destroying over 800
contracts on the Ropsten network) and by manual inspection, showing a
very high precision of 82.5% valid warnings for end-to-end
vulnerabilities. Ethainter’s balance of precision and completeness
offers significant advantages over other tools such as Securify,
Securify2, and teEther.