Mojtaba Eshghie

Master's/Bachelor Students

We have bachelor's/master's degree project topics available. Do not hesitate to get in touch with me for an update on that if you are interested.

My Background

I am a PhD student at the Theoretical Computer Science division of KTH Royal Institute of Technology. My current research is focused on Monitoring Smart Contracts using state-of-the-art static and dynamic techniques. I am working under the supervision of Cyrille Arthoand Dilian Gurov. The final goal of my thesis is to utilize technologies such as Static Analysis along with AI and Dynamic Analysis to build a framework to monitor and detect vulnerabilities in smart contracts with precision.

In 2019, I was awarded a master's degree in Information Technology Engineering from the University of Tehran after successfully performing research in two fields ofInternet of Things and Network Monitoring. The latter project was conducted in Telecom Paristech LINCS laboratory.

Publications

IWBOSE 2024 (part of SANER 2024):
From Creation to Exploitation: The Oracle Lifecycle
Decentralized Finance (DeFi) systems leverage blockchain oracles to access off/on-chain data as a service. Therefore, maintaining the integrity of oracle data is essential.
However, the integrity of these oracles data can be compromised through different attacks, and the effectiveness of these attacks varies depending on the specific stage of the oracle's lifecycle. This work presents a comprehensive analysis of this lifecycle, identifying potential attack types and examining the efficacy of existing defense mechanisms. We propose a generalized model encompassingdata creation,submission,consensus,election, anddeprecation stages.
We evaluate our model against seven recent high-profile DeFi exploits totaling $187 million. We have also studied bond systems as a preventive measure against at least a subset of oracle exploits.  Our findings suggest that while bond systems increase the cost of attacks, thereby fortifying oracle data integrity against adversarial manipulations, they also require careful calibration to avoid hindering honest participation.

NWPT 2023 :
Exposing Flaws by Modeling Vulnerable-by-Design Smart Contracts
Smart contracts can manage assets worth millions of Euro but are often not formally modeled and, consequently, may contain vulnerabilities. This paper explores the application of Dynamic Condition Response (DCR) graphs, initially developed for modeling business processes, to model and analyze smart contracts’ embedded processes. Using DCR graphs, we demonstrate high-level properties in the contracts, such as event partial ordering and role-based access control via empirical analysis of several high-profile successful exploits on smart contracts. The result of our analysis offers valuable insights and underscores the potential of DCR graphs in preventing the vulnerabilities causing the breaches.

SEFM 2023:
Capturing Smart Contract Design with DCR Graphs
Smart contracts manage blockchain assets and embody business processes. However, mainstream smart contract programming languages such as Solidity lack explicit notions of roles, action dependencies, and time. Instead, these concepts are implemented in program code. This makes it very hard to design and analyze smart contracts. We argue that DCR graphs are a suitable formalization tool for smart contracts because they explicitly and visually capture the mentioned features. We utilize this expressiveness to show that many common high-level design patterns representing the underlying business processes in smart contract applications can be naturally modeled this way. Applying these patterns shows that DCR graphs facilitate the development and analysis of correct and reliable smart contracts by providing a clear and easy-to-understand specification.

EASE 2021:
Dynamic Vulnerability Detection on Smart Contracts Using Machine Learning
In this work, we propose Dynamit, a monitoring framework to detect reentrancy vulnerabilities in Ethereum smart contracts. The novelty of our framework is that it relies only on transaction metadata and balance data from the blockchain system; our approach requires no domain knowledge, code instrumentation, or special execution environment. Dynamit extracts features from transaction data and uses a random forest model to classify transactions as benign or harmful. Therefore, not only can we find the contracts that are vulnerable to reentrancy attacks, but we also get an execution trace that reproduces the attack. Using a random forest classifier, our model achieved more than 90 percent accuracy on 105 transactions, showing the potential of our technique.

Supervisor of Degree Projects

As a doctoral candidate at KTH, I can be your master's thesis supervisor. You will have the opportunity to be part of a bigger project and gain research experience from being involved in an interesting area of cybersecurity. If you are a master's student in Sweden and would like to work at the intersection of AI, software security, and blockchain, feel free contact me by email.

Conferences/Events I Helped With

4th International Workshop on Formal Methods for Blockchains, supporting reviewer

The 24th International Conference on Formal Engineering Methods, subreviewer

17th IEEE International Conference on Software Testing, Verification and Validation (ICST) 2024, subreviewer

7th Workshop on Validation, Analysis and Evolution of Software Tests, subreviewer