Christof Torres

Christof Ferreira Torres

Assistant Professor at Instituto Superior Técnico (IST), University of Lisbon

About Me

I am currently an invited Assistant Professor at the Department of Computer Science and Engineering (DEI) at Instituto Superior Técnico (IST), University of Lisbon and a researcher at INESC-ID, where I am a member of the Distributed, Parallel and Secure Systems (DPSS) group. My research focuses on blockchain security and privacy. Before joing IST, I have been a postdoctoral fellow at ETH Zurich (ETHZ), where I was part of the Secure & Trustworthy Systems (SECTRS) group lead by Prof. Dr. Shweta Shinde. I received my Ph.D. in Computer Science in 2022 from the University of Luxembourg (UL) and the Technical University of Munich (TUM) under the supervision of Prof. Dr. Radu State (UL) and Prof. Dr. Claudia Eckert (TUM). My Ph.D. thesis focuses on the Automated Security Assessment and Improvement of Smart Contracts. Prior to that, I have been working as a security researcher at the Fraunhofer Institute for Applied and Integrated Security (AISEC) near Munich, Germany.

Hiring

I am currently looking for motivated and enthusiastic students interested in pursuing a PhD in the area of blockchain security and privacy. For more details please have a look here. If you are a Bachelor or Master student currently looking for a thesis project, please feel free to reach out to me by sending an email with your CV and recent transcript of records.

Selected Publications

  • Analyzing the Impact of Copying-and-Pasting Vulnerable Solidity Code Snippets from Question-and-Answer Websites
    Konrad Weiss, Christof Ferreira Torres, Florian Wendland
    24th ACM Internet Measurement Conference, Madrid, Spain, November 4-6, 2024. (IMC 2024)
       Paper   PoC

    Ethereum smart contracts are executable programs deployed on a blockchain. Once deployed, they cannot be updated due to their inherent immutability. Moreover, they often manage valuable assets that are worth millions of dollars, making them attractive targets for attackers. The introduction of vulnerabilities in programs due to the reuse of vulnerable code posted on Q&A websites such as Stack Overflow is not a new issue. However, little effort has been made to analyze the extent of this issue on deployed smart contracts. In this paper, we conduct a study on the impact of vulnerable code reuse from Q&A websites during the development of smart contracts and provide tools uniquely fit to detect vulnerable code patterns in complete and incomplete Smart Contract code. This paper proposes a pattern-based vulnerability detection tool that is able to analyze code snippets (i.e., incomplete code) as well as full smart contracts based on the concept of code property graphs. We also propose a methodology that leverages fuzzy hashing to quickly detect code clones of vulnerable snippets among deployed smart contracts. Our results show that our vulnerability search, as well as our code clone detection, are comparable to state-of-the-art while being applicable to code snippets. Our large-scale study on 18,660 code snippets reveals that 4,596 of them are vulnerable, out of which 616 can be found in 7,852 deployed smart contracts. These results highlight that the reuse of vulnerable code snippets is indeed an issue in currently deployed smart contracts.

  • Rolling in the Shadows: Analyzing the Extraction of MEV Across Layer-2 Rollups
    Christof Ferreira Torres, Albin Mamuti, Ben Weintraub, Cristina Nita-Rotaru, Shweta Shinde
    31st ACM Conference on Computer and Communications Security, Salt Lake City, USA, October 14-18, 2024. (CCS 2024)
       Paper   PoC

    The emergence of decentralized finance has transformed asset trading on the blockchain, making traditional financial instruments more accessible while also introducing a series of exploitative economic practices known as Maximal Extractable Value (MEV). Concurrently, decentralized finance has embraced rollup-based Layer-2 solutions to facilitate asset trading at reduced transaction costs compared to Layer-1 solutions such as Ethereum. However, rollups lack a public mempool like Ethereum, making the extraction of MEV more challenging. In this paper, we investigate the prevalence and impact of MEV on Ethereum and prominent rollups such as Arbitrum, Optimism, and zkSync over a nearly three-year period. Our analysis encompasses various metrics including volume, profits, costs, competition, and response time to MEV opportunities. We discover that MEV is widespread on rollups, with trading volume comparable to Ethereum. We also find that, although MEV costs are lower on rollups, profits are also significantly lower compared to Ethereum. Additionally, we examine the prevalence of sandwich attacks on rollups. While our findings did not detect any sandwiching activity on popular rollups, we did identify the potential for cross-layer sandwich attacks facilitated by transactions that are sent across rollups and Ethereum. Consequently, we propose and evaluate the feasibility of three novel attacks that exploit cross-layer transactions, revealing that attackers could have already earned approximately 2 million USD through cross-layer sandwich attacks.

  • Ethereum's Proposer-Builder Separation: Promises and Realities
    Lioba Heimbach, Lucianna Kiffer, Christof Ferreira Torres, Roger Wattenhofer
    23rd ACM Internet Measurement Conference, Montréal, Canada, October 24-26, 2023. (IMC 2023)
       Paper   PoC

    With Ethereum's transition from Proof-of-Work to Proof-of-Stake in September 2022 came another paradigm shift, the Proposer-Builder Separation (PBS) scheme. PBS was introduced to decouple the roles of selecting and ordering transactions in a block (i.e., the builder), from those validating its contents and proposing the block to the network as the new head of the blockchain (i.e., the proposer). In this landscape, proposers are the validators in the Proof-of-Stake consensus protocol who validate and secure the network, while now relying on specialized block builders for creating blocks with the most value (e.g., transaction fees) for the proposer. Additionally, relays play a crucial new role in this ecosystem, acting as mediators between builders and proposers, being entrusted with the responsibility of transmitting the most lucrative blocks from the builders to the proposers. PBS is currently an opt-in protocol (i.e., a proposer can still opt-out and build their own blocks). In this work, we study it's adoption and show that the current PBS landscape exhibits significant centralization amongst the builders and relays. We further explore whether PBS effectively achieves its intended objectives of enabling hobbyist validators to maximize block profitability and preventing censorship. Our findings reveal that although PBS grants all validators the same opportunity to access optimized and competitive blocks, it tends to stimulate censorship rather than reduce it. Additionally, our analysis demonstrates that relays do not consistently uphold their commitments and may prove unreliable. Specifically, there are instances where proposers do not receive the complete value as initially promised, and the censorship or filtering capabilities pledged by the relay exhibit significant gaps.

  • Is Your Wallet Snitching On You? An Analysis on the Privacy Implications of Web3
    Christof Ferreira Torres, Fiona Willi, Shweta Shinde
    32nd USENIX Security Symposium, Anaheim, CA, USA, August 9-11, 2023. (USENIX 2023)
       Paper   Slides   PoC

    With the recent hype around the Metaverse and NFTs, Web3 is getting more and more popular. The goal of Web3 is to decentralize the web via decentralized applications. Wallets play a crucial role as they act as an interface between these applications and the user. Wallets such as MetaMask are being used by millions of users nowadays. Unfortunately, Web3 is often advertised as more secure and private. However, decentralized applications as well as wallets are based on traditional technologies, which are not designed with privacy of users in mind. In this paper, we analyze the privacy implications that Web3 technologies such as decentralized applications and wallets have on users. To this end, we build a framework that measures exposure of wallet information. First, we study whether information about installed wallets is being used to track users online. We analyze the top 100K websites and find evidence of 1,325 websites running scripts that probe whether users have wallets installed in their browser. Second, we measure whether decentralized applications and wallets leak the user's unique wallet address to third-parties. We intercept the traffic of 616 decentralized applications and 100 wallets and find over 2000 leaks across 211 applications and more than 300 leaks across 13 wallets. Our study shows that Web3 poses a threat to users' privacy and requires new designs towards more privacy-aware wallet architectures.

  • A Flash(bot) in the Pan: Measuring Maximal Extractable Value in Private Pools
    Ben Weintraub, Christof Ferreira Torres, Cristina Nita-Rotaru, Radu State
    22nd ACM Internet Measurement Conference, Nice, France, October 25-27, 2022. (IMC 2022)
       Paper   PoC

    The rise of Ethereum has lead to a flourishing decentralized marketplace that has, unfortunately, fallen victim to frontrunning and Maximal Extractable Value (MEV) activities, where savvy participants game transaction orderings within a block for profit. One popular solution to address such behavior is Flashbots, a private pool with infrastructure and design goals aimed at eliminating the negative externalities associated with MEV. While Flashbots has established laudable goals to address MEV behavior, no evidence has been provided to show that these goals are achieved in practice. In this paper, we measure the popularity of Flashbots and evaluate if it is meeting its chartered goals. We find that (1) Flashbots miners account for over 99.9% of the hashing power in the Ethereum network, (2) powerful miners are making more than 2x what they were making prior to using Flashbots, while non-miners' slice of the pie has shrunk commensurately, (3) mining is just as centralized as it was prior to Flashbots with more than 90% of Flashbots blocks coming from just two miners, and (4) while more than 80% of MEV extraction in Ethereum is happening through Flashbots, 13.2% is coming from other private pools.

  • Elysium: Context-Aware Bytecode-Level Patching to Automatically Heal Vulnerable Smart Contracts
    Christof Ferreira Torres, Hugo Jonker, Radu State
    25th International Symposium on Research in Attacks, Intrusions and Defenses, Limassol, Cyprus, October 26-28, 2022. (RAID 2022)
       Paper   PoC

    Fixing bugs is easiest by patching source code. However, source code is not always available: only 0.3% of the ∼49M smart contracts that are currently deployed on Ethereum have their source code publicly available. Moreover, since contracts may call functions from other contracts, security flaws in closed-source contracts may affect open-source contracts as well. However, current state-of-the-art approaches that operate on closed-source contracts (i.e., EVM bytecode), such as EVMPatch and SmartShield, make use of purely hard-coded templates that leverage fix patching patterns. As a result, they cannot dynamically adapt to the bytecode that is being patched, which severely limits their flexibility and scalability. For instance, when patching integer overflows using hard-coded templates, a particular patch template needs to be employed as the bounds to be checked are different for each integer size (i.e., one template for uint256, another template for uint64, etc.). In this paper, we propose Elysium, a scalable approach towards automatic smart contract repair at the bytecode level. Elysium combines template-based and semantic-based patching by inferring context information from bytecode. Elysium is currently able to patch 7 different types of vulnerabilities in smart contracts automatically and can easily be extended with new templates and new bug-finding tools. We evaluate its effectiveness and correctness using 3 different datasets by replaying more than 500K transactions on patched contracts. We find that Elysium outperforms existing tools by patching at least 30% more contracts correctly. Finally, we also compare the overhead of Elysium in terms of deployment and transaction cost. In comparison to other tools, we find that generally Elysium minimizes the runtime cost (i.e., transaction cost) up to a factor of 1.7, for only a marginally higher deployment cost, where deployment cost is a one-time cost as compared to the runtime cost.

  • Frontrunner Jones and the Raiders of the Dark Forest: An Empirical Study of Frontrunning on the Ethereum Blockchain
    Christof Ferreira Torres, Ramiro Camino, Radu State
    30th USENIX Security Symposium, Virtual, August 11-13, 2021. (USENIX 2021)
       Paper   Slides   PoC

    Ethereum prospered the inception of a plethora of smart contract applications, ranging from gambling games to decentralized finance. However, Ethereum is also considered a highly adversarial environment, where vulnerable smart contracts will eventually be exploited. Recently, Ethereum's pool of pending transaction has become a far more aggressive environment. In the hope of making some profit, attackers continuously monitor the transaction pool and try to front-run their victims' transactions by either displacing or suppressing them, or strategically inserting their transactions. This paper aims to shed some light into what is known as a dark forest and uncover these predators' actions. We present a methodology to efficiently measure the three types of frontrunning: displacement, insertion, and suppression. We perform a large-scale analysis on more than 11M blocks and identify almost 200K attacks with an accumulated profit of 18.41M USD for the attackers, providing evidence that frontrunning is both, lucrative and a prevalent issue.

  • ConFuzzius: A Data Dependency-Aware Hybrid Fuzzer for Smart Contracts
    Christof Ferreira Torres, Antonio Ken Iannillo, Arthur Gervais, Radu State
    6th IEEE European Symposium on Security and Privacy, Virtual, October 7–22, 2021 (EuroS&P 2021)
       Paper   PoC

    Smart contracts are Turing-complete programs executed across the blockchain. Unlike traditional programs, once deployed, they cannot be modified. As smart contracts carry more value, they become an exciting target for attackers. Over the last years, they suffered from exploits costing millions of dollars due to simple programming mistakes. As a result, a variety of tools for detecting bugs have been proposed. Most of these tools rely on symbolic execution, which yields many false positives due to over-approximation. Recently, many fuzzers have been proposed to detect bugs in smart contracts. However, these tend to be more effective in finding shallow bugs and less effective in finding bugs that lie deep in the execution, therefore achieving low code coverage and many false negatives. An alternative that has proven to achieve good results in traditional programs is hybrid fuzzing, a combination of symbolic execution and fuzzing. In this work, we study hybrid fuzzing on smart contracts and present ConFuzzius, the first hybrid fuzzer for smart contracts. ConFuzzius uses evolutionary fuzzing to exercise shallow parts of a smart contract and constraint solving to generate inputs that satisfy complex conditions that prevent evolutionary fuzzing from exploring deeper parts. Moreover, ConFuzzius leverages dynamic data dependency analysis to efficiently generate sequences of transactions that are more likely to result in contract states in which bugs may be hidden. We evaluate the effectiveness of ConFuzzius by comparing it with state-of-the-art symbolic execution tools and fuzzers for smart contracts. Our evaluation on a curated dataset of 128 contracts and a dataset of 21K real-world contracts shows that our hybrid approach detects more bugs than state-of-the-art tools (up to 23%) and that it outperforms existing tools in terms of code coverage (up to 69%). We also demonstrate that data dependency analysis can boost bug detection up to 18%.

  • The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts
    Christof Ferreira Torres, Antonio Ken Iannillo, Arthur Gervais, Radu State
    25th International Conference on Financial Cryptography and Data Security, Virtual, March 1–5, 2021 (FC 2021)
       Paper   PoC

    In recent years, Ethereum gained tremendously in popularity, growing from a daily transaction average of 10K in January 2016 to an average of 500K in January 2020. Similarly, smart contracts began to carry more value, making them appealing targets for attackers. As a result, they started to become victims of attacks, costing millions of dollars. In response to these attacks, both academia and industry proposed a plethora of tools to scan smart contracts for vulnerabilities before deploying them on the blockchain. However, most of these tools solely focus on detecting vulnerabilities and not attacks, let alone quantifying or tracing the number of stolen assets. In this paper, we present Horus, a framework that empowers the automated detection and investigation of smart contract attacks based on logic-driven and graph-driven analysis of transactions. Horus provides quick means to quantify and trace the flow of stolen assets across the Ethereum blockchain. We perform a large-scale analysis of all the smart contracts deployed on Ethereum until May 2020. We identified 1,888 attacked smart contracts and 8,095 adversarial transactions in the wild. Our investigation shows that the number of attacks did not necessarily decrease over the past few years, but for some vulnerabilities remained constant. Finally, we also demonstrate the practicality of our framework via an in-depth analysis on the recent Uniswap and Lendf.me attacks.

  • High-Frequency Trading on Decentralized On-Chain Exchanges
    Liyi Zhou, Kaihua Qin, Christof Ferreira Torres, Duc V Le, Arthur Gervais
    42nd IEEE Symposium on Security and Privacy, Virtual, May 23-27, 2021 (S&P 2021)
       Paper

    Decentralized exchanges (DEXs) allow parties to participate in financial markets while retaining full custody of their funds. However, the transparency of blockchain-based DEX in combination with the latency for transactions to be processed, makes market-manipulation feasible. For instance, adversaries could perform front-running -- the practice of exploiting (typically non-public) information that may change the price of an asset for financial gain. In this work we formalize, analytically exposit and empirically evaluate an augmented variant of front-running: sandwich attacks, which involve front- and back-running victim transactions on a blockchain-based DEX. We quantify the probability of an adversarial trader being able to undertake the attack, based on the relative positioning of a transaction within a blockchain block. We find that a single adversarial trader can earn a daily revenue of over several thousand USD when performing sandwich attacks on one particular DEX -- Uniswap, an exchange with over 5M USD daily trading volume by June 2020. In addition to a single-adversary game, we simulate the outcome of sandwich attacks under multiple competing adversaries, to account for the real-world trading environment.

  • ÆGIS: Shielding Vulnerable Smart Contracts Against Attacks
    Christof Ferreira Torres, Mathis Baden, Robert Norvill, Beltran Fiz Pontiveros, Hugo Jonker, Sjouke Mauw
    15th ACM Asia Conference on Computer and Communications Security, Virtual, October 5–9, 2020 (AsiaCCS 2020)
       Paper   PoC

    In recent years, smart contracts have suffered major exploits, costing millions of dollars. Unlike traditional programs, smart contracts are deployed on a blockchain. As such, they cannot be modified once deployed. Though various tools have been proposed to detect vulnerable smart contracts, the majority fails to protect vulnerable contracts that have already been deployed on the blockchain. Only very few solutions have been proposed so far to tackle the issue of post-deployment. However, these solutions suffer from low precision and are not generic enough to prevent any type of attack. In this work, we introduce ÆGIS, a dynamic analysis tool that protects smart contracts from being exploited during runtime. Its capability of detecting new vulnerabilities can easily be extended through so-called attack patterns. These patterns are written in a domain-specific language that is tailored to the execution model of Ethereum smart contracts. The language enables the description of malicious control and data flows. In addition, we propose a novel mechanism to streamline and speed up the process of managing attack patterns. Patterns are voted upon and stored via a smart contract, thus leveraging the benefits of tamper-resistance and transparency provided by the blockchain. We compare ÆGIS to current state-of-the-art tools and demonstrate that our solution achieves higher precision in detecting attacks. Finally, we performa large-scale analysis on the first 4.5 million blocks of the Ethereum blockchain, thereby confirming the occurrences of well reported and yet unreported attacks in the wild.

  • ÆGIS: Smart Shielding of Smart Contracts
    Christof Ferreira Torres, Mathis Baden, Robert Norvill, Hugo Jonker
    26th ACM Conference on Computer and Communications Security, London, UK, November 11-15, 2019 (CCS 2019)
       Poster

    In recent years, smart contracts have suffered major exploits, losing millions of dollars. Unlike traditional programs, smart contracts cannot be updated once deployed. Though various tools were proposed to detect vulnerable smart contracts, they all fail to protect contracts that have already been deployed on the blockchain. Moreover, they focus on vulnerabilities, but do not address scams (e.g., honeypots). In this work, we introduce ÆGIS, a tool that shields smart contracts and users on the blockchain from being exploited. To this end, ÆGIS reverts transactions in real-time based on pattern matching. These patterns encode the detection of malicious transactions that trigger exploits or scams. New patterns are voted upon and stored via a smart contract, thus leveraging the benefits of tamper-resistance and transparency provided by blockchain. By allowing its protection to be updated, the smart contract acts as a smart shield.

  • The Art of The Scam: Demystifying Honeypots in Ethereum Smart Contracts
    Christof Ferreira Torres, Mathis Steichen, Radu State
    28th USENIX Security Symposium, Santa Clara, CA, USA, August 14-16, 2019. (USENIX 2019)
       Paper   Slides   PoC

    Modern blockchains, such as Ethereum, enable the execution of so-called smart contracts – programs that are executed across a decentralised network of nodes. As smart contracts become more popular and carry more value, they become more of an interesting target for attackers. In the past few years, several smart contracts have been exploited by attackers. However, a new trend towards a more proactive approach seems to be on the rise, where attackers do not search for vulnerable contracts anymore. Instead, they try to lure their victims into traps by deploying seemingly vulnerable contracts that contain hidden traps. This new type of contracts is commonly referred to as honeypots. In this paper, we present the first systematic analysis of honeypot smart contracts, by investigating their prevalence, behaviour and impact on the Ethereum blockchain. We develop a taxonomy of honeypot techniques and use this to build HoneyBadger – a tool that employs symbolic execution and well defined heuristics to expose honeypots. We perform a large-scale analysis on more than 2 million smart contracts and show that our tool not only achieves high precision, but is also highly efficient. We identify 690 honeypot smart contracts as well as 240 victims in the wild, with an accumulated profit of more than $90,000 for the honeypot creators. Our manual validation shows that 87% of the reported contracts are indeed honeypots.

  • Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts
    Christof Ferreira Torres, Julian Schütte, Radu State
    34th Annual Computer Security Applications Conference, San Juan, PR, USA, December 3-7, 2018. (ACSAC 2018)
       Paper   PoC

    The capability of executing so-called smart contracts in a decentralised manner is one of the compelling features of modern blockchains. Smart contracts are fully fledged programs which cannot be changed once deployed to the blockchain. They typically implement the business logic of distributed apps and carry billions of dollars worth of coins. In that respect, it is imperative that smart contracts are correct and have no vulnerabilities or bugs. However, research has identified different classes of vulnerabilities in smart contracts, some of which led to prominent multi-million dollar fraud cases. In this paper we focus on vulnerabilities related to integer bugs, a class of bugs that is particularly difficult to avoid due to some characteristics of the Ethereum Virtual Machine and the Solidity programming language. In this paper, we introduce Osiris – a framework that combines symbolic execution and taint analysis, in order to accurately find integer bugs in Ethereum smart contracts. Osiris detects a greater range of bugs than existing tools, while providing a better specificity of its detection. We have evaluated its performance on a large experimental dataset containing more than 1.2 million smart contracts. We found that 42,108 contracts contain integer bugs. Besides being able to identify several vulnerabilities that have been reported in the past few months, we were also able to identify a yet unknown critical vulnerability in a couple of smart contracts that are currently deployed on the Ethereum blockchain.

  • Investigating Fingerprinters and Fingerprinting-Alike Behaviour of Android Applications
    Christof Ferreira Torres, Hugo Jonker
    23rd European Symposium on Research in Computer Security, Barcelona, Spain, September 3-7, 2018. (ESORICS 2018)
       Paper

    Fingerprinting of browsers has been thoroughly investigated. In contrast, mobile phone applications offer a far wider array of attributes for profiling, yet fingerprinting practices on this platform have hardly received attention. In this paper, we present the first (to our knowledge) investigation of Android libraries by commercial fingerprinters. Interestingly enough, there is a marked difference with fingerprinting desktop browsers. We did not find evidence of typical fingerprinting techniques such as canvas fingerprinting. Secondly, we searched for behaviour resembling that of commercial fingerprinters. We performed a detailed analysis of six similar libraries. Thirdly, we investigated ~30,000 apps and found that roughly 19% of these apps is using one of these libraries. Finally, we checked how often these libraries were used by apps subject to the Children’s Online Privacy Protection Act (i.e. apps targeted explicitly at children), and found that these libraries were included 21 times.

  • FP-Block: Usable Web Privacy by Controlling Browser Fingerprinting
    Christof Ferreira Torres, Hugo Jonker, Sjouke Mauw
    20th European Symposium on Research in Computer Security, Vienna, Austria, September 21-25, 2015. (ESORICS 2015)
       Paper   Slides   PoC

    Online tracking of users is used for benign goals, such as detecting fraudulent logins, but also to invade user privacy. We posit that for non-oppressed users, tracking within one website does not have a substantial negative impact on privacy, while it enables legitimate benefits. In contrast, cross-domain tracking negatively impacts user privacy, while being of little benefit to the user. Existing methods to counter fingerprint-based tracking treat cross-domain tracking and regular tracking the same. This often results in hampering or disabling desired functionality, such as embedded videos. By distinguishing between regular and cross-domain tracking, more desired functionality can be preserved. We have developed a prototype tool, FP-Block, that counters cross-domain fingerprint-based tracking while still allowing regular tracking. FP-Block ensures that any embedded party will see a different, unrelatable fingerprint for each site on which it is embedded. Thus, the user’s fingerprint can no longer be tracked across the web, while desired functionality is better preserved compared to existing methods.

Research Interests

  • Program Analysis and Software Testing
  • Blockchain Security and Privacy