VETEOS: Statically Vetting EOSIO Contracts for the “Groundhog Day” Vulnerabilities
Levi Taiji Li
Network and Distributed System Security (NDSS) Symposium 2024 · Day 2 · Blockchain & Smart Contracts
This article covers VETEOS, a static analysis tool designed to uncover a distinct class of vulnerabilities in EOSIO smart contracts dubbed "Groundhog Day". Presented by Levi Taiji Li at the NDSS Symposium, the research addresses a critical gap in smart contract security: malicious actors can repeatedly execute contract code without financial cost, glean information from the reverted transactions, and ultimately achieve deterministic, unauthorized profits. These vulnerabilities pose a severe threat to the integrity of financial applications built on the EOSIO blockchain, including sealed-bid auctions, exchanges, and gaming platforms, where the confidentiality of internal contract states is paramount.