@INPROCEEDINGS{ccs24-foray,
  title = "{FORAY}: Towards Effective Attack Synthesis against Deep Logical Vulnerabilities in {DeFi} Protocols",
  author = "Wen, Hongbo and Liu, Hanzhi and Song, Jiaxin and Chen, Yanju and Guo, Wenbo and Feng, Yu",
  booktitle = "Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security",
  publisher = "Association for Computing Machinery",
  address = "New York, NY, USA",
  pages = "1001–1015",
  abstract = "Blockchain adoption has surged with the rise of Decentralized Finance (DeFi) applications. However, the significant value of digital assets managed by DeFi protocols makes them prime targets for attacks. Current smart contract vulnerability detection tools struggle with DeFi protocols due to deep logical bugs arising from complex financial interactions between multiple smart contracts. These tools primarily analyze individual contracts and resort to brute-force methods for DeFi protocols crossing numerous smart contracts, leading to inefficiency.We introduce FORAY, a highly effective attack synthesis framework against deep logical bugs in DeFi protocols. FORAY proposes a novel attack sketch generation and completion framework. Specifically, instead of treating DeFis as regular programs, we design a domain-specific language (DSL) to lift the low-level smart contracts into their high-level financial operations. Based on our DSL, we first compile a given DeFi protocol into a token flow graph, our graphical representation of DeFi protocols. Then, we design an efficient sketch generation method to synthesize attack sketches for a certain attack goal (e.g., price manipulation, arbitrage, etc.). This algorithm strategically identifies candidate sketches by finding reachable paths in Token Flow Graph (TFG), which is much more efficient than random enumeration. For each candidate sketch written in our DSL, FORAY designs a domain-specific symbolic compilation to compile it into SMT constraints. Our compilation simplifies the constraints by removing redundant smart contract semantics. It maintains the usability of symbolic compilation, yet scales to problems orders of magnitude larger. Finally, the candidates are completed via existing solvers and are transformed into concrete attacks via direct syntax transformation. Through extensive experiments on real-world security incidents, we demonstrate that FORAY significantly outperforms Halmos and ItyFuzz, the state-of-the-art (SOTA) tools for smart contract vulnerability detection, in both effectiveness and efficiency. Specifically, out of 34 benchmark DeFi logical bugs that happened in the last two years, FORAY synthesizes 27 attacks, whereas ItyFuzz and Halmos only synthesize 11 and 3, respectively. Furthermore, FORAY also finds ten zero-day vulnerabilities in the BNB chain. Finally, we demonstrate the effectiveness of our key components and FORAY's capability of avoiding false positives.",
  series = "CCS '24",
  year =  2024,
  keywords = "attack synthesis, blockchain, defi, smart contract"
}