Luca Negrini

blockchain  static-analysis  abstract-interpretation

Static Detection of Untrusted Cross-Contract Invocations in Go Smart Contracts

Authors: Luca Olivieri, Luca Negrini, Vincenzo Arceri, Pietro Ferrara, Agostino Cortesi, Fausto Spoto
Proceedings of the 40th ACM/SIGAPP Symposium on Applied Computing (SAC 2025)
March 31, 2025
Conference paper

Abstract

A blockchain is a trustless system in an environment populated by untrusted peers. Code deployed on a blockchain as a smart contract should be cautious when invoking contracts of other peers, as they might introduce several risks and unexpected issues. This paper presents an information flow-based approach for detecting cross-contract invocations to untrusted contracts, written in general-purpose languages, that could lead to arbitrary code execution and to storing any results coming from them. The analysis is implemented in GoLiSA, a static analyzer for Go. Our experimental results show that GoLiSA is able to detect all vulnerabilities related to untrusted cross-contract invocations on a significant benchmark suite of smart contracts written in Go for Hyperledger Fabric, an enterprise framework for blockchain solutions.
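The flow the abstract describes, as an added illustration that is not code from the paper or from GoLiSA: a caller-supplied chaincode name reaches the invocation, and the callee's payload reaches the ledger, beside a version that checks the callee against a trusted set first. The `Stub` interface and `fakeStub` are assumed stand-ins for Fabric's shim so the block runs offline.

```go
package main

import "errors"

// Stand-in for the two shim.ChaincodeStubInterface methods this example needs;
// the signatures are assumed to mirror Fabric's shim (no Fabric import here).
type Response struct {
	Status  int32
	Payload []byte
}
type Stub interface {
	InvokeChaincode(name string, args [][]byte, channel string) Response
	PutState(key string, value []byte) error
}

// Constructed allowlist of peer contracts this chaincode may call.
var trusted = map[string]bool{"token-cc": true}
// forwardUnchecked lets a caller-supplied target name reach InvokeChaincode and
// stores whatever the callee returns: the flow the paper's analysis reports.
func forwardUnchecked(stub Stub, target, key string, args [][]byte) error {
	resp := stub.InvokeChaincode(target, args, "")
	if resp.Status != 200 {
		return errors.New("invoke failed: " + target)
	}
	return stub.PutState(key, resp.Payload)
}

// forwardAllowlisted adds the trust check before the invocation, so results
// from an unknown contract never reach the ledger.
func forwardAllowlisted(stub Stub, target, key string, args [][]byte) error {
	if !trusted[target] {
		return errors.New("refusing untrusted chaincode: " + target)
	}
	return forwardUnchecked(stub, target, key, args)
}

// fakeStub records the invoked name and stored values for offline runs.
type fakeStub struct {
	invoked string
	stored  map[string][]byte
}
func (f *fakeStub) InvokeChaincode(name string, _ [][]byte, _ string) Response {
	f.invoked = name
	return Response{Status: 200, Payload: []byte("from-" + name)}
}
func (f *fakeStub) PutState(key string, v []byte) error {
	f.stored[key] = v
	return nil
}
```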

Manuscript: PDF
Associated project: LiSA
Conference page: Link
ACM page: Link