Yi Li

Associate Professor

College of Computing and Data Science (CCDS)
Nanyang Technological University (NTU)

Address: Block S3-01c-104
50 Nanyang Avenue, Singapore 639798
Phone: +65 6790 4287

Exploiting Ethereum Rollback Semantics: Profit-Driven Attack Synthesis and Off-Chain Misinterpretation Testing

Yixuan Liu, Xinlei Li, and Yi Li

In Proceedings of the 35th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), 2026

Abstract: The Ethereum Virtual Machine (EVM) enforces atomic execution through rollback, reverting all state changes when execution fails. While necessary for correctness, rollback semantics introduce a distinct attack surface affecting both on-chain execution and off-chain infrastructures. On-chain, attackers can use conditional failure to filter executions, committing only profitable outcomes while rolling back unprofitable attempts. Off-chain, systems such as explorers, token trackers, and RPC providers may misinterpret aborted executions as successful, leading to inconsistent records or unintended transfers. Existing tools largely treat rollback as an execution endpoint, providing limited support for profit-driven attack synthesis or off-chain misinterpretation testing. To address this gap, we formalize two rollback attack models and develop RollGain, a unified framework for rollback-aware analysis. For on-chain attacks, RollGain models contract structure and value flows, validates candidate executions symbolically, and replays on a forked chain to rank profitability. For off-chain testing, RollGain conducts call tree analysis on 3.08 billion Ethereum transactions to characterize rollback patterns and exercises rollback-inducing execution vectors against external services. On our evaluation datasets, RollGain achieves 95.3% recall with zero false positives, and uncovers 20 rollback misinterpretation vulnerabilities across 18 off-chain systems, of which 18 have been confirmed, 16 fixed, and 5 assigned CVE identifiers.
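To make the off-chain misinterpretation concrete from the defender's side, here is an added sketch (not code from the paper or from RollGain) of a deposit tracker that walks a call tree and keeps only transfers that survived rollback, next to a flawed one that does not. It assumes a trace shaped like Geth's `callTracer` output; the addresses, trace and function names are constructed for illustration.

```python
# Constructed trace in the shape of Geth's callTracer output (assumption).
# The router's first sub-call reverts after an inner 1 ETH transfer; the
# router catches the failure and then makes a 0.01 ETH payment that commits.
TRACE = {
    "type": "CALL", "from": "0xuser", "to": "0xrouter", "value": "0x0",
    "calls": [
        {"type": "CALL", "from": "0xrouter", "to": "0xvault", "value": "0x0",
         "error": "execution reverted",
         "calls": [
             {"type": "CALL", "from": "0xvault", "to": "0xdeposit",
              "value": "0xde0b6b3a7640000"},   # rolled back with its parent
         ]},
        {"type": "CALL", "from": "0xrouter", "to": "0xpayee",
         "value": "0x2386f26fc10000"},
    ],
}

VALUE_MOVING = {"CALL", "CREATE", "CREATE2"}  # DELEGATECALL/STATICCALL move no ETH

def _transfer(frame):
    """Return (from, to, wei) if this frame carries value, else None."""
    value = int(frame.get("value", "0x0"), 16)
    if frame.get("type") in VALUE_MOVING and value > 0:
        return (frame["from"], frame["to"], value)
    return None

def naive_transfers(frame):
    """Flawed tracker: records every value-bearing frame, ignoring rollback."""
    found = [t for t in [_transfer(frame)] if t]
    for child in frame.get("calls", []):
        found.extend(naive_transfers(child))
    return found

def committed_transfers(frame, ancestor_failed=False):
    """Keep only transfers whose frame and every ancestor frame succeeded."""
    failed = ancestor_failed or bool(frame.get("error"))
    found = [] if failed else [t for t in [_transfer(frame)] if t]
    for child in frame.get("calls", []):
        found.extend(committed_transfers(child, failed))
    return found

def phantom_transfers(frame):
    """Transfers a naive tracker would report but the chain never committed."""
    committed = set(committed_transfers(frame))
    return [t for t in naive_transfers(frame) if t not in committed]
```

A non-empty `phantom_transfers` result for a service's own ingestion path is the signal to look for: the inner frame reports no error of its own, so only propagating the failure of its ancestor marks it as rolled back.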

Cite:

@inproceedings{Liu2026EER,
  author = {Liu, Yixuan and Li, Xinlei and Li, Yi},
  booktitle = {Proceedings of the 35th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA)},
  month = oct,
  title = {Exploiting {Ethereum} Rollback Semantics: Profit-Driven Attack Synthesis and Off-Chain Misinterpretation Testing},
  year = {2026}
}