The essence of reentrancy is that due to the participation of attack behavior, the data state of the entire transaction process is inconsistent, violating the relevant properties of the transaction, such as transaction integrity and fund consistency. Therefore, we exploit set D to describe the data elements used in the transaction process. It is also a collection of token types. For some data elements that play a key role in the attack process like user’s contract balance, public wallet balance, etc., a key token type is established in the model, which is recorded as S. Predicates are assigned to transitions that characterize validation conditions in a transaction.
In this section, we establish the property specification according to the simplified TheDAO contract, and exploit CPN Tools to conduct top-down hierarchical modeling, including the overall model and attack-free model, as well as the attacker model based on the transaction attack behavior.
3.2 Top-lever model
In order to describe the execution process of the overall model and explain the related results, we list the relevant definitions in Table 1.
Table 1
Type
|
Annotation
|
P[place]
|
Refer to input data flow places
|
T[transition]
|
Refer to input control flow transitions
|
CS[colerset]
|
Refer to“colerset”as 名称
|
IM[place]
|
Initial place value
|
M[place]
|
Local place marking value
|
ARC[node1,node2]
|
Binded transmission value on the arc, node1,node2 as input and output node
|
Based on CPN Tools, the top-level model of TheDAO is shown in Fig. 3, which includes 3 places and 2 alternative transitions. It should be noted that the conversion between Ether and DAO coins is not considered in the model construction process, and only simple The numbers are blurred to represent Ether and DAO coins.
In Fig. 3, Account represents the investor account involved in crowdfunding, Bank represents the investor contract account, and Cfd represents the total contract account of crowdfunding project.
T[Deposit] and T[WithDraw] both are substitution transition, which represents the deposit operation and withdrawal operation respectively. IM[Account]={account = 6}, IM[Bank]={bank = 0}, IM[Cfd]={Cfd = 25}.
3.3 Attack-free Model
The model without attack is shown in Figs. 4 and 5. They are the lower implementations of the top-level model that replace the transitions deposit and withdraw. In the Deposit layer, the model contains 8 places and 3 transitions, while in the WithDraw layer, it contains 14 banks and 3 transitions. The relevant information of data stored by nodes in Fig. 4 of the underlying model is explained as follows. The names of transitions and places in Fig. 5 are similar to those in Table 2. To save space, we will not explain them one by one here.
Type
|
Annotation
|
Table 2
P[Account]
|
Investor Account
|
P[Gas _Need]
|
Consumed gas
|
P[Deposit_To]
|
Plan to deposit balance
|
P[deposit]
|
Deposit balance
|
P[Old_bal0]
|
Investor account origial balance
|
P[Bank]
|
Investor account balance
|
P[Cfd]:
|
Crowdfunding balance
|
In CPN Tools, we assign initial values to the model, such that P[Account]:1`6、P[Bank]:1`0、P[Cfd]:1`25, i.e. IM[Account]={account = 6}, IM[Bank]={bank = 0}, IM[Cfd]={Cfd = 25}, IM[Gas_Need] ={gas = 1}. Since the data in the place is single, it can be abbreviated as IM[Account] = 6, IM[Bank] = 0, IM[Cfd] = 25. which are similar below. From the initial value, we observe the execution process of the DAO model without attack. The state sequence in the running process of the model is represented by Sn(n = 1,2,3…).Firstly, the running process of Deposit layer of simulation model is as follows.
① S1[Start > S2.
ARC < Account,Start>={userbal = 6},T[Start] is enabled. The investor sends a transaction request, and the state of the model changes from S1 to S2 after T[Start] occurs, and M[Old_bal] = 6, M[Account] = 0.
② S
2[D_Judge > S
3.
ARC < Old_bal,D_judge>={userbal = 10},ARC < Gas_Need,D_judge>={g = 1},ARC < Deposit_To, D_Judge> ={deposit = 4}, T[D_judge] is fired. Now the state of the model is transformed from S2 to S3. Then, M[deposit] = 5,M[Old_bal0] = 6,M[Gas_Need] = 1,M[Deposit_To] = 5, M[Old_bal] = 0.
③ S3[Deposit > S4.
ARC < deposit,Deposit>={m = 5}, ARC < Old_bal0,Deposit>={userball = 6}, ARC < Bank,Deposit>={b = 0}, ARC < Cfd,Deposit>={c = 25}. T[Deposit] is enabled. At this time, M[Account] = 1,M[Bank] is binded to 5 and M[Cfd] = 30. After that, no transition can be triggered and the model finishes running.
Next, the WithDarw layer is executed by the simulation tool, and the initial state of the model is IM[Account] = 6, IM[Bank] = 0, IM[Cfd] = 25, IM[T_Gas] = 1. The execution process is as follows.
① S1[Sart > S5.
ARC < Account,Sart>={account = 6},T[Take] is fired. The investor sends a transaction request, and the state of the model changes from S1 to S5, and M[Old_bal1] = 10.
② S5[T_Judge > S6.
ARC < Old_bal1,T_judge>={oldbal = 1},ARC < T_Gas,T_judge>={g = 1},ARC < T_Take,T_Judge>={m = 4}, ARC < Bank,T_Judge>={b = 5}, ARC < Cfd,T_Judge>={c = 25}. When the transition condition is satisfied, T[D_judge] is triggered to fire, and the state of the model is converted from S5 to S6. At this time, M[T_Gas] = 1,M[T_Take] = 5.M[T_Old] = 1,M[T_bank] = 5,M[T_take],M[T_cft] = 30.
③ S6[Fallback > S7.
ARC < T_Old,Fallback>={oldbal = 1},ARC < T_bank,Fallback>={b = 5},ARC < T_Take,Fallback>={m = 5}, ARC < T_cft, Fallback >={c = 30}. T[Fallback] is enabled, then the state changes fromS7 to S8. In addition,M[T_Old0] = 1,M[T_bank0] = 5,M[T_Take0] = 5,M[T_cft0] = 30.
④ S7[withdraw > S8.
ARC < T_Old0,withdraw>={oldbal = 1},ARC < T_bank0, withdraw >={b = 5},ARC < T_Take0, withdraw>={m = 5}, ARC < T_cft0, withdraw>={c = 25}. At this point, T[withdraw] is triggered and the model state is converted from S8 to S9. M[Account] is bound to 6,M[Bank] is bound to 0 and M[Cfd] is bound to 25.At this time, the currency withdrawal operation is normal, and the model operation runs to completion..
3.4 Attacker Model
Since the attack mainly targets the WithDraw layer, we simulate the attacker's behavior to model the attack in Section 3.4, which is used to analyze whether the model can have reentrant vulnerabilities. Figure 6 shows the attack layer. Based on the WithDraw layer model above, the behavior of the attacker is added to the WithDraw layer of the original model (Fig. 5). Given the concurrency of the Petri net model, by adding the suppression arc and the place P[Hacker], we only consider the execution of the model after adding the Attack entity transition. The obtained one is the WithDraw layer of the attack model (Fig. 7). The attack layer model is merged with the new WithDraw layer to form theDAO attack model. When the initial state value is assigned, the malicious trading behavior of the attacker can be simulated. In the simulation tool, the initial state of the contract is as follows.
-
P[Account]:1`6
-
P[Bank]:1`0
-
P[Cfd]:1`25
-
P[Gas_Need]: 1`1
-
P[Deposit_To]:1`5
-
P[T_Gas]:1`1
-
P[T_Take]:1`5
The attack process of the new model is simulated as follows.
① S6[Attack > S7'
ARC < T_Old, Attack>={oldbal = 1},ARC < T_bank, Attack >={b = 5},ARC < T_Take, Attack >={m = 5}, ARC < T_cft, Attack >={c = 30}. At this point, T[Attack] is fired, and and the state of the model is changed from S6 to S7'. The Attack transition is set to be executed twice to simplify simulation execution. M[Account] is binded to 11 and M[T_Cfd] to 20.
② S7' [withdraw > S8'
When the number of attacks is reduced to 0, the contract returns to WithDarw layer for normal operation. At this time, T[withdraw] is executed, and M[Account] is finally updated to 16,M[Bank] = 0,M[Cft] = 15.