CN114491508B - Smart contract malicious transaction detection and analysis system and method based on dynamic data storage - Google Patents

Info

Publication number
CN114491508B
Authority
CN
China
Prior art keywords
transaction
data
detection
attack
malicious
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210053786.8A
Other languages
Chinese (zh)
Other versions
CN114491508A (en
Inventor
余荣威
刘晨
王永
张宇航
赵敬昌
顾颖
杨洲
王丽娜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University WHU
Original Assignee
Wuhan University WHU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University WHU
Priority to CN202210053786.8A
Publication of CN114491508A
Application granted
Publication of CN114491508B
Legal status: Active
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00: Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04: Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange

Abstract

The invention provides a smart contract malicious transaction detection and analysis system and method based on dynamic data storage. The system comprises a transaction information acquisition module for crawling and managing all historical transactions and execution information of Ethereum; a simulation execution module for constructing the stack according to the bytecode-level execution process of the obtained transaction and simulating the transaction execution; and an attack recognition module for analyzing the stack data, detecting and identifying malicious transaction behaviors and the vulnerabilities of fragile smart contracts, and producing a recognition result report. The detection system performs comprehensive analysis and detection by calling the interfaces provided by the three modules. The invention proposes a detection approach that infers logic backward from data, and the method has good practicability and extensibility.

Description

Smart contract malicious transaction detection and analysis system and method based on dynamic data storage
Technical Field
The invention relates to the technical field of cloud computing, in particular to a smart contract malicious transaction detection and analysis system and method based on dynamic data storage.
Background
The blockchain is a shared distributed ledger technology and a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. A smart contract is a special application running on a blockchain that allows irreversible trusted transactions to be made without third-party supervision; such transactions typically result from function calls to the contract.
The smart contracts on the Ethereum chain currently hold hundreds of billions of dollars in digital currency, but smart contracts also face serious security threats. According to statistics, by December 2019 the number of DApps running on public chains such as ETH, EOS and TRON exceeded 3000, and there had been hundreds of smart contract vulnerability incidents. The internationally well-known Anbi Laboratory, through deep scanning, examined 2335 smart contract source codes currently running and found that a total of 405882 of them did not meet the security development specifications. Smart contract vulnerabilities not only cause huge economic losses for users, but also destroy the public's trust in smart contracts and the Ethereum-based application ecosystem. It follows that an accurate and in-depth smart contract vulnerability detection tool is needed.
Existing dynamic detection methods for smart contract vulnerabilities can be implemented and cover deeper execution paths and a larger vulnerability detection range. However, they still suffer from defects such as huge data storage, insufficient use of transaction data, and embedding in the Ethereum client. In addition, to address the security problem caused by the unpredictability of smart contract attack behavior, the prior art proposes a blockchain-based smart contract intrusion detection method. Through research, however, the applicant finds that it does not consider the high correlation between attack features and honeypot contracts, nor the deployment and operation cost of additional code such as a probe program built into the contract, so it suffers from insufficient detection effectiveness and a large space footprint.
Disclosure of Invention
The invention provides a smart contract malicious transaction detection and analysis system and method based on dynamic data storage, which solve the technical problems of insufficient detection effectiveness and large space footprint in the prior art.
To solve this technical problem, the first aspect of the invention discloses a smart contract malicious transaction detection and analysis system based on dynamic data storage, which comprises:
the transaction data acquisition module, used for acquiring detailed information of the transaction, including the transaction hash and the executed bytecode;
the simulation execution module, used for simulating and replaying the bytecode-level execution process of historical transactions according to the acquired detailed information of the transaction, constructing the stack, generating intermediate data and logic, dynamically storing the generated intermediate data, and setting up a data index that maps to the generated logic;
and the attack identification module, used for analyzing and detecting transaction execution information according to the generated intermediate data and logic, and identifying and reporting malicious transaction behaviors and smart contract vulnerabilities.
In one embodiment, the transaction data acquisition module is specifically configured to:
obtain block information from Ethereum,
and obtain the execution bytecode contained in the transaction from Ethereum according to the transaction hash recorded in the block.
In one embodiment, the simulation execution module comprises a virtual machine simulation execution unit and a dynamic data storage unit. The virtual machine simulation execution unit performs bytecode-level fine-grained replay of historical transactions, and the dynamic data storage unit constructs the stack and dynamically stores the intermediate data generated during the simulated replay; the intermediate data is released after use.
In one embodiment, the basic attributes of the virtual machine simulation execution unit include virtual memory, virtual registers, an instruction interpretation system, and an execution engine, and the dynamic data storage unit contains a structured store of intermediate data in virtual memory and a logic-data mapping index.
In one embodiment, the attack recognition module includes an attack feature definition unit and an attack behavior matching detection unit, which are respectively used for defining malicious behaviors and for analyzing and detecting the contract calling process.
In one embodiment, the attack feature definition unit includes the reentrancy attack, and the attack behavior matching detection subunit is specifically configured to define malicious behavior in combination with dynamic data storage and attack.
Based on the same inventive concept, the second aspect of the invention provides a smart contract malicious transaction detection and analysis method based on dynamic data storage, which comprises the following steps:
The system is started, and detailed information of the transaction, including the transaction hash and the executed bytecode, is acquired through the transaction data acquisition module;
The simulation execution module loads the real-time transaction, simulates and replays the transaction bytecode, and generates real-time register data based on the call relations among contracts;
The transaction information acquisition module starts a storage management subunit to store the dynamic data generated by the simulation execution virtual machine in the form of stack and memory data, wherein the dynamic data is the intermediate data;
The attack behavior matching detection subunit performs data analysis according to a preset data index mode and the attack feature definition;
And the attack identification module analyzes and detects transaction execution information according to the generated intermediate data and logic, and identifies and reports malicious transaction behaviors and smart contract vulnerabilities.
The above technical solutions in the embodiments of the present application have at least one or more of the following technical effects:
In the smart contract malicious transaction detection and analysis system based on dynamic data storage, the simulation execution module simulates and replays the bytecode-level execution process of historical transactions according to the acquired detailed information of the transaction, constructs the stack, generates intermediate data and logic, dynamically stores the generated intermediate data, and sets up a data index that maps to the generated logic. The transaction logic can be inferred backward from the intermediate data produced on virtual storage such as the virtual stack and memory when the bytecode is executed, and a scheme of dynamic data storage with indexable logic is provided, namely: only data generated during virtual machine analysis is stored, and it is released after use; logic is indexed by its corresponding data through a mapping. This ensures that the detection process occupies little space and runs fast.
On the one hand, the dependencies between data and logic are stored in a new manner, so that the relevant logic can be collected for detection. On the other hand, when data is no longer needed, the memory space of the associated logic can be freed to save space. The virtual machine is simulated to rerun the transactions generated by the smart contract, the logic and data generated during the run are stored in a dedicated data structure, and finally the logic and data features are analyzed against preset detection rules to determine the vulnerabilities and attacks in the smart contract.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is the architecture of the smart contract malicious transaction detection system with dynamic data storage provided in an embodiment of the present invention;
FIG. 2 is a functional class diagram of the smart contract malicious transaction detection system according to an embodiment of the present invention;
FIG. 3 is a flowchart of the smart contract malicious transaction detection method according to an embodiment of the present invention.
Detailed Description
The technical problem to be solved by the invention is as follows: according to attack features and the attributes of specific vulnerabilities, the system performs simulated replay of the transaction at the bytecode level to obtain the dynamic data and call relations of the transaction execution process, extracts the contract interaction logic of the transaction, and gives warning and vulnerability localization information when the analysis detects that the transaction exhibits malicious behavior.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
The embodiment of the invention provides a smart contract malicious transaction detection and analysis system based on dynamic data storage, which comprises:
the transaction data acquisition module, used for acquiring detailed information of the transaction, including the transaction hash and the executed bytecode;
the simulation execution module, used for simulating and replaying the bytecode-level execution process of historical transactions according to the acquired detailed information of the transaction, constructing the stack, generating intermediate data and logic, dynamically storing the generated intermediate data, and setting up a data index that maps to the generated logic;
and the attack identification module, used for analyzing and detecting transaction execution information according to the generated intermediate data and logic, and identifying and reporting malicious transaction behaviors and smart contract vulnerabilities.
Specifically, the transaction information acquisition module serves as the data acquisition subsystem of the whole detection system and synchronizes transaction and block information from Ethereum; the simulation execution module simulates and replays the bytecode-level execution process of historical transactions to construct the stack; and the attack identification module analyzes and detects transaction execution information, and identifies and reports malicious transaction behaviors and smart contract vulnerabilities.
Intermediate data refers to the data generated on the stack, in memory storage, and in memory when bytecode is executed.
In one embodiment, the transaction data acquisition module is specifically configured to:
obtain block information from Ethereum,
and obtain the execution bytecode contained in the transaction from Ethereum according to the transaction hash recorded in the block.
In one embodiment, the simulation execution module comprises a virtual machine simulation execution unit and a dynamic data storage unit. The virtual machine simulation execution unit performs bytecode-level fine-grained replay of historical transactions, and the dynamic data storage unit constructs the stack and dynamically stores the intermediate data generated during the simulated replay; the intermediate data is released after use.
In one embodiment, the basic attributes of the virtual machine simulation execution unit include virtual memory, virtual registers, an instruction interpretation system, and an execution engine, and the dynamic data storage unit contains a structured store of intermediate data in virtual memory and a logic-data mapping index.
In one embodiment, the attack recognition module includes an attack feature definition unit and an attack behavior matching detection unit, which are respectively used for defining malicious behaviors and for analyzing and detecting the contract calling process.
In one embodiment, the attack feature definition unit includes the reentrancy attack, and the attack behavior matching detection subunit is specifically configured to define malicious behavior in combination with dynamic data storage and attack.
The attack feature definition unit includes the reentrancy attack and may also include various other contract-layer vulnerability attack feature attributes.
In the prior art, CN111683084A discloses a smart contract intrusion detection method, device, terminal device and storage medium. That scheme does not consider the high correlation between attack features and honeypot contracts, nor the deployment and operation cost of additional code such as a probe program built into the contract, and its feature capture range is limited, which leads to low detection effectiveness and high operating cost.
In general, the main innovation of the system and method provided by the present invention is that the transaction logic is inferred backward from the intermediate data produced on virtual storage such as the virtual stack and memory when the bytecode is executed, and a scheme of dynamic data storage with indexable logic is provided, namely: only data generated during virtual machine analysis is stored, and it is released after use; logic is indexed by its corresponding data through a mapping. This ensures that the detection process occupies little space and runs fast.
On the one hand, the dependencies between data and logic are stored in a new manner, so that the relevant logic can be collected for detection. On the other hand, when data is no longer needed, the memory space of the associated logic can be freed to save space. The virtual machine is simulated to rerun the transactions generated by the smart contract, the logic and data generated during the run are stored in a dedicated data structure, and finally the logic and data features are analyzed against preset detection rules to determine the vulnerabilities and attacks in the smart contract.
Compared with the prior art, the method provided by the invention has the following main advantages:
First, transaction analysis that infers logic backward from data is realized by using the data to index the corresponding logic (logic is indexed by its corresponding data through a mapping), which avoids the need to store a large amount of data.
Second, regarding recovery of bytecode data types: because of the complexity of smart contract compilation, it is not possible to determine whether a value on the stack is meaningful, nor to determine the data type of each value. To address this, this work studies the compilation process of smart contracts, finds the regularities in how different data types are handled at the low level of a smart contract, proposes a data type prediction scheme based on the bytecode context, and uses it to detect integer overflow attacks during transactions.
Third, unlike traditional smart contract dynamic detection tools, the tool implementing this work does not modify the Ethereum source code. It runs independently of Ethereum while still interacting with it normally, which greatly simplifies use.
Fourth, the visualization of the knowledge graph helps professionals study and analyze specific problems in more depth and with better focus.
Example two
Based on the same inventive concept, this embodiment provides a smart contract malicious transaction detection and analysis method based on dynamic data storage, which comprises the following steps:
The system is started, and detailed information of the transaction, including the transaction hash and the executed bytecode, is acquired through the transaction data acquisition module;
The simulation execution module loads the real-time transaction, simulates and replays the transaction bytecode, and generates real-time register data based on the call relations among contracts;
The transaction information acquisition module starts a storage management subunit to store the dynamic data generated by the simulation execution virtual machine in the form of stack and memory data, wherein the dynamic data is the intermediate data;
The attack behavior matching detection subunit performs data analysis according to a preset data index mode and the attack feature definition;
And the attack identification module analyzes and detects transaction execution information according to the generated intermediate data and logic, and identifies and reports malicious transaction behaviors and smart contract vulnerabilities.
FIG. 3 shows a flowchart of the smart contract malicious transaction detection method according to an embodiment of the present invention.
Specifically, the design idea of the detection system and method provided by the invention is as follows. As shown in FIG. 1, following the general process of dynamic detection of Ethereum smart contracts, the transaction data acquisition module is the bottom layer of the whole system and the source of the raw data for subsequent analysis; the simulation execution module replays the transaction instruction by instruction and constructs the execution flow and intermediate data of the whole transaction; and the attack identification module produces warnings and vulnerability information reports in real time from the output of the simulated execution combined with the vulnerability attack feature attributes. As shown in FIG. 2, on top of these basic functions, management of the blockchain, of accounts and of smart contracts is added so that a user can conveniently use the tool on its own to work with the blockchain: the basic operation is connecting to the blockchain, which is the basis for starting up and for connecting the tool to Ethereum to begin detection; account management supports applying for a new account and viewing existing accounts; and contract management supports compiling source-code contracts, disassembling on-chain contract bytecode, and deploying and running contracts.
In a specific implementation, malicious transaction detection comprises the following steps:
(1) The system connects to Ethereum, and the transaction data acquisition module obtains the real-time transaction from the chain in json form;
(2) The simulation execution module (the simulation execution virtual machine) replays the transaction according to the transaction bytecode and constructs the intermediate data of the virtual memory and registers;
(3) The attack recognition module analyzes the intermediate data against the attack detection strategy and generates a transaction detection report. Transaction warning information and vulnerability localization can be given automatically if necessary.
The set of detectable attack types:
(1) ORIGIN phishing: when the non-repeated call depth in the transaction is greater than 2 and the bytecode contains an instruction or logical relation that compares against the ORIGIN instruction, the transaction can be considered at risk of triggering the ORIGIN phishing vulnerability;
(2) Reentrancy vulnerability: the most obvious feature of a reentrancy vulnerability is multiple iterative interactions between two contracts. The invention uses this behavior as the detection feature of the malicious behavior;
(3) Integer overflow: using the recovery algorithm for untyped bytecode numbers provided by the invention, integer types and values are recovered while the virtual machine simulates the transaction, and the arithmetic operations are checked against the rules of mathematics for possible overflow;
(4) Stack overflow: the EVM stack-frame limit is 1024, so if, within one transaction, the difference between the virtual stack pointer ebp and the map address exceeds the stack-frame upper limit, a stack overflow attack has necessarily occurred;
(5) Timestamp dependency: when the Unix timestamp instruction TIMESTAMP is compared during bytecode execution, the transaction is at risk of a timestamp dependency attack;
(6) Unchecked call: not checking the return value of an external call can lead to various unexpected situations. Therefore, when no comparison of the return value follows a call-class instruction { CALL, CALLCODE, DELEGATECALL } in the virtual stack, the unexpected situations caused by an unchecked call can be triggered;
(7) Suicide vulnerability: for the suicide vulnerability, whether the legitimacy of CALLER is checked can be used as the criterion;
(8) Exception disorder: exception disorder refers to exceptions that occur during execution of the contract code but are not handled in any way, ultimately leaving the contract state inconsistent with expectations.
According to the above process, the specific vulnerability detection method comprises the following steps:
1) The user starts the transaction detection system, connects to the Ethereum main network, obtains a real-time transaction from the chain, acquires the transaction's bytecode execution process and stores it as a json file;
2) The system starts the virtual machine. The virtual machine's execution engine drives the interpreter to read in the transaction bytecode instructions one by one and perform the action each instruction specifies, writing intermediate data to or reading it from the virtual call stack and the virtual memory. The logical relationships are extracted from the data. The system also exposes the call stack so that the user can inspect the functions called at each step of execution, which helps determine the possible vulnerability location or other execution details;
3) The intermediate data and the corresponding logical relationships are stored in a data store and a logic store respectively;
4) The execution supervisor of the attack recognition module reads the transaction's intermediate data and logic, and the behavior matching detector matches features one by one against the predefined attack behavior feature strategy;
5) A transaction detection report is returned to the user, including any warning information and bytecode-level vulnerability localization.
The above process is highly automated and requires little operation by the user.
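The following Python example is added here and is not code from the patent. It replays a constructed opcode trace while tagging each stack value with the instructions that produced it (one reading of "logic indexed by data"), discards each tag set when its value is consumed, and then matches the timestamp-dependency, unchecked-call and reentrancy features from the list of attack types above. The trace format, the function names and the three-edge reentrancy threshold are assumptions.

```python
"""Added example (not from the patent): replay a constructed opcode trace,
index each stack value by the instructions that produced it, and match
three of the attack features against that index."""

# (pops, pushes) for the opcode subset used by the constructed traces below.
STACK_EFFECT = {
    "PUSH1": (0, 1), "POP": (1, 0), "ADD": (2, 1), "TIMESTAMP": (0, 1),
    "LT": (2, 1), "GT": (2, 1), "EQ": (2, 1), "ISZERO": (1, 1),
    "JUMPI": (2, 0), "SSTORE": (2, 0), "CALL": (7, 1), "STOP": (0, 0),
}
COMPARE = {"LT", "GT", "EQ"}
CHECKS = COMPARE | {"ISZERO", "JUMPI"}   # ops that test a value


def replay(trace):
    """trace: (pc, op) steps of one call frame. Returns sorted (feature, pc)."""
    stack = []          # each slot: frozenset of (op, pc) origins of that value
    unchecked = set()   # pcs of CALLs whose status word has not been tested
    findings = set()
    for pc, op in trace:
        pops, pushes = STACK_EFFECT[op]
        if len(stack) < pops:
            raise ValueError(f"stack underflow at pc {pc} ({op})")
        # Consumed slots leave the store here: data is released after use.
        operands = [stack.pop() for _ in range(pops)]
        origins = frozenset().union(*operands)
        if op in COMPARE and any(src == "TIMESTAMP" for src, _ in origins):
            findings.add(("timestamp-dependency", pc))
        if op in CHECKS:
            unchecked -= {p for src, p in origins if src == "CALL"}
        if op in ("TIMESTAMP", "CALL"):
            origins = frozenset({(op, pc)})   # new source, inputs not inherited
        if op == "CALL":
            unchecked.add(pc)
        stack.extend([origins] * pushes)
    findings |= {("unchecked-call", pc) for pc in unchecked}
    return sorted(findings)


def reentrant_pairs(calls, min_edges=3):
    """calls: (caller_depth, caller, callee) in execution order.
    Flags a contract pair with >= min_edges nested calls between them on the
    active call path (A->B->A->B); the threshold is an assumption."""
    path, hits = [], set()
    for depth, caller, callee in calls:
        del path[depth - 1:]                  # deeper frames have returned
        path.append(frozenset((caller, callee)))
        if path.count(path[-1]) >= min_edges:
            hits.add(tuple(sorted(path[-1])))
    return sorted(hits)


# --- constructed sample inputs (not real transactions) ---
CALL_ARGS = [(2 * i, "PUSH1") for i in range(7)]          # 7 arguments of CALL
TS_TRACE = [(0, "TIMESTAMP"), (1, "PUSH1"), (3, "ADD"), (4, "PUSH1"),
            (6, "LT"), (7, "PUSH1"), (9, "JUMPI"), (10, "STOP")]
UNCHECKED_TRACE = CALL_ARGS + [(14, "CALL"), (15, "POP"), (16, "STOP")]
CHECKED_TRACE = CALL_ARGS + [(14, "CALL"), (15, "ISZERO"), (16, "PUSH1"),
                             (18, "JUMPI"), (19, "STOP")]
REENTRY_CALLS = [(1, "0xAttacker", "0xBank"), (2, "0xBank", "0xAttacker"),
                 (3, "0xAttacker", "0xBank")]
BENIGN_CALLS = [(1, "0xUser", "0xBank"), (2, "0xBank", "0xToken"),
                (2, "0xBank", "0xOracle")]

if __name__ == "__main__":
    for name, trace in [("timestamp", TS_TRACE), ("unchecked", UNCHECKED_TRACE),
                        ("checked", CHECKED_TRACE)]:
        print(name, replay(trace))
    print("reentry", reentrant_pairs(REENTRY_CALLS))
    print("benign", reentrant_pairs(BENIGN_CALLS))
```

The timestamp trace is flagged at the LT instruction even though TIMESTAMP first passes through ADD, because the origin tag travels with the value; the checked-call trace produces no finding because ISZERO consumes the CALL status word.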
Taking the timestamp dependency vulnerability (TIMESTAMP DEPENDENCE) as an example:
The intelligent contract malicious transaction detection system based on data dynamic storage provided in this embodiment is described with reference to fig. 1 to 3 (the malicious transaction detection platform in fig. 2 is an intelligent contract malicious transaction detection analysis system based on data dynamic storage), and the system includes:
The transaction data acquisition module, which serves as the data acquisition subsystem of the whole detection system;
The simulation execution module, which simulates and replays the bytecode-level execution of historical transactions and carries out stack construction;
The attack identification module, which analyzes and detects transaction execution information, and identifies and reports malicious transaction behaviors and intelligent contract vulnerabilities.
The transaction data acquisition module can acquire transaction and block information from Ethereum;
the simulation execution module is provided with a virtual machine simulation execution unit and a dynamic data storage unit, which are used respectively for fine-grained, bytecode-level replay of historical transactions and for dynamically storing the stack and memory data produced during execution. The basic attributes of the virtual machine simulation execution unit comprise a virtual memory, virtual registers, an instruction interpretation system and an execution engine; the dynamic data storage unit comprises a data storage method and a data indexing method; and the dynamic data comprises on-stack data and memory data;
the attack identification module is provided with an attack characteristic definition unit and an attack behavior matching detection unit, which are used for defining malicious behaviors and for analyzing and detecting the contract calling process. The attack characteristic definition unit comprises attack characteristic attributes for multiple contract-layer vulnerabilities, such as reentrancy attacks, and the attack behavior matching detection subunit combines dynamic data storage with the attack characteristic definitions.
The starting and detecting process of the intelligent contract malicious transaction detecting system based on data dynamic storage comprises the following steps:
1) The user starts the system, enters blockchain management, and connects to the Ethereum main network (MainNet);
2) Real-time on-chain transactions are acquired; the system obtains the bytecode execution record of a transaction from an archive node (which can provide the specific bytecode execution record of a transaction) according to the transaction hash (transactionHash), and then stores the record in a JSON file;
3) The system loads the transaction bytecode, starts the simulation execution virtual machine, and initializes the stack, memory, pointers and similar contents. Before the bytecode is executed to replay the transaction, necessary information such as the transaction's gas and block hash (BlockHash) is recorded first;
4) The virtual machine starts to simulate execution of the transaction: the execution engine drives the interpreter to read in the transaction bytecode instructions one by one and perform the actions they specify, and intermediate data is written to or read from the virtual call stack (Stack) and the virtual memory (Memory). The logical relationships are extracted from the intermediate data. The user can inspect the call stack to check the specific step-by-step execution process;
5) The intermediate data and logical relationships are stored, the logical relationships being stored in a form that the data can index;
6) The execution supervisor of the attack identification module reads the transaction intermediate data and logic, and drives the behavior matching detector to check whether a single instruction segment contains both the instruction TIMESTAMP, which obtains the current Unix timestamp, and an instruction from the set S = {"LT", "GT", "SLT", "SGT", "EQ", "ISZERO"} that numerically compares the value TIMESTAMP pushed onto the stack. We assume that this is the case within the code segment;
7) The system detects the risk of a timestamp-dependence vulnerability attack, issues a malicious transaction warning to the user, and produces a vulnerability localization detection report.
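The check in step 6, as an added example that is not part of the patent text: a Python sketch that replays a constructed opcode trace, marks stack slots derived from TIMESTAMP, and reports every comparison from the set S that consumes one. The `pc`/`op` record layout (assumed here for the JSON execution record of step 2), the function name, the `ARITY` table and the sample trace are assumptions made for illustration.

```python
import json

COMPARE = {"LT", "GT", "SLT", "SGT", "EQ", "ISZERO"}   # the set S from step 6
# (pops, pushes) for the other opcodes this sketch models (assumed subset)
ARITY = {"ADD": (2, 1), "SUB": (2, 1), "MUL": (2, 1), "DIV": (2, 1), "MOD": (2, 1),
         "AND": (2, 1), "OR": (2, 1), "XOR": (2, 1), "NOT": (1, 1), "POP": (1, 0),
         "JUMP": (1, 0), "JUMPI": (2, 0), "JUMPDEST": (0, 0), "CALLER": (0, 1),
         "CALLVALUE": (0, 1), "SLOAD": (1, 1), "SSTORE": (2, 0), "STOP": (0, 0)}

def find_timestamp_compares(trace_json):
    """Replay executed opcodes, tracking which stack slots derive from TIMESTAMP.
    Returns [(pc, op)] for every comparison in S that consumes such a slot."""
    stack, findings = [], []      # stack of booleans: True = timestamp-derived
    for step in json.loads(trace_json):
        pc, op = step["pc"], step["op"]
        if op == "TIMESTAMP":
            stack.append(True)
        elif op.startswith("PUSH"):
            stack.append(False)
        elif op.startswith("DUP"):
            stack.append(stack[-int(op[3:])])
        elif op.startswith("SWAP"):
            n = int(op[4:])
            stack[-1], stack[-1 - n] = stack[-1 - n], stack[-1]
        elif op in COMPARE:
            args = [stack.pop() for _ in range(1 if op == "ISZERO" else 2)]
            if any(args):
                findings.append((pc, op))
            stack.append(False)   # report once; the boolean result is not re-flagged
        elif op in ARITY:
            pops, pushes = ARITY[op]
            args = [stack.pop() for _ in range(pops)]
            stack.extend([any(args)] * pushes)   # taint flows through arithmetic
        else:
            raise ValueError(f"opcode {op} at pc {pc} is not modelled")
    return findings

# Constructed trace for a check of the form `timestamp + 60 > deadline`
SAMPLE_TRACE = json.dumps([{"pc": p, "op": o} for p, o in [
    (0, "PUSH1"), (2, "SLOAD"), (3, "TIMESTAMP"), (4, "PUSH1"), (6, "ADD"),
    (7, "GT"), (8, "ISZERO"), (9, "PUSH1"), (11, "JUMPI"), (12, "STOP")]])

if __name__ == "__main__":
    for pc, op in find_timestamp_compares(SAMPLE_TRACE):
        print(f"timestamp-dependent comparison: {op} at pc {pc}")
```

Because the input is the executed instruction sequence rather than static bytecode, a linear replay suffices and the reported `pc` is the bytecode-level location for the report in step 7.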
In short, after the system connects to Ethereum and obtains the complete transaction data, the virtual machine is initialized: it loads the necessary transaction information and sets up storage units such as the virtual registers. The execution engine then drives the interpreter to execute the instructions one by one, during which the intermediate data interacts with the virtual registers and the virtual memory, and the logical relationships are extracted from the intermediate data. The data and the logic are then stored in their respective stores; the execution supervisor reads them and hands them to the behavior matching detector, which performs malicious transaction feature matching against the vulnerability behavior features given by the attack feature definition system and, if necessary, issues alarm information and a vulnerability detection report. In line with the practical requirements of dynamic detection, the invention logically divides the detection process into three closely associated layers, which effectively describes how the system establishes dynamic attack detection and facilitates the development and testing of a prototype system. With regard to tool availability and degree of automation, it improves on existing tools in aspects such as user operation and practical efficiency.
It should be understood that the foregoing description of the preferred embodiments is not intended to limit the scope of the invention, which is defined by the appended claims, and that those skilled in the art can make substitutions or modifications without departing from the scope of the invention as set forth in the appended claims.

Claims (6)

1. An intelligent contract malicious transaction detection and analysis system based on data dynamic storage, which is characterized by comprising:
the transaction data acquisition module, which is used for acquiring detailed information of the transaction, including the transaction hash and the executed bytecode;
the simulation execution module, which is used for simulating and replaying the bytecode-level execution process of historical transactions according to the acquired detailed information of the transactions, carrying out stack construction, generating intermediate data and logic, dynamically storing the generated intermediate data, and setting a data index mapping for the generated logic; the simulation execution module comprises a virtual machine simulation execution unit and a dynamic data storage unit, wherein the virtual machine simulation execution unit is used for fine-grained, bytecode-level replay of the historical transactions, and the dynamic data storage unit is used for stack construction and for dynamically storing the intermediate data generated during the simulated replay, releasing it after use;
and the attack identification module, which is used for analyzing and detecting transaction execution information according to the generated intermediate data and logic, and for identifying and reporting malicious transaction behaviors and intelligent contract vulnerabilities.
2. The intelligent contract malicious transaction detection and analysis system of claim 1, wherein the transaction data acquisition module is specifically configured to:
obtain block information from Ethereum,
and acquire the executed bytecode contained in the transaction from Ethereum according to the transaction hash recorded in the block.
3. The intelligent contract malicious transaction detection and analysis system of claim 1, wherein the basic attributes of the virtual machine emulation execution unit include virtual memory, virtual registers, instruction interpretation systems, and execution engines, and the dynamic data storage unit contains structured storage of intermediate data in virtual memory and a logical data mapping index.
4. The intelligent contract malicious transaction detection and analysis system according to claim 1, wherein the attack identification module comprises an attack characteristic definition unit and an attack behavior matching detection unit, which are respectively used for defining malicious behaviors and analyzing and detecting contract calling processes.
5. The intelligent contract malicious transaction detection and analysis system according to claim 4, wherein the attack characteristic definition unit comprises a reentrant attack, and the attack behavior matching detection subunit is specifically configured to define malicious behaviors in combination with dynamic data storage and attack.
6. The intelligent contract malicious transaction detection and analysis method based on data dynamic storage is characterized by comprising the following steps of:
the system is started, and detailed information of the transaction is acquired through a transaction data acquisition module, wherein the detailed information comprises the transaction hash and the executed bytecode;
real-time transactions are loaded through a simulation execution module, the transaction bytecode is simulated and replayed, and real-time register data is generated based on the calling relations among contracts, wherein the simulation execution module comprises a virtual machine simulation execution unit and a dynamic data storage unit, the virtual machine simulation execution unit is used for fine-grained, bytecode-level replay of historical transactions, and the dynamic data storage unit is used for stack construction and for dynamically storing the intermediate data generated during the simulated replay, releasing it after use;
the transaction information acquisition module starts a storage management subunit to store the dynamic data generated by the simulation execution virtual machine in the form of stack and memory data, wherein the dynamic data is the intermediate data;
the attack behavior matching detection subunit performs data analysis according to a preset data index mode and the attack characteristic definition;
and the attack identification module analyzes and detects transaction execution information according to the generated intermediate data and logic, and identifies and reports malicious transaction behaviors and intelligent contract vulnerabilities.
CN202210053786.8A 2022-01-18 2022-01-18 Intelligent contract malicious transaction detection and analysis system and method based on data dynamic storage Active CN114491508B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210053786.8A CN114491508B (en) 2022-01-18 2022-01-18 Intelligent contract malicious transaction detection and analysis system and method based on data dynamic storage

Publications (2)

Publication Number Publication Date
CN114491508A CN114491508A (en) 2022-05-13
CN114491508B true CN114491508B (en) 2024-09-17

Family

ID=81511262

Country Status (1)

Country Link
CN (1) CN114491508B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant