Conference Paper

A Survey of Tools for Analyzing Ethereum Smart Contracts

April 2019

DOI:10.1109/DAPPCON.2019.00018

Conference: 2019 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPCON)

Authors:

Gernot Salzer

TU Wien

Monika Di Angelo

TU Wien

Smart contracts are at the heart of many decentralized applications, encapsulating core parts of the business logic. They handle the exchange of valuable assets like crypto-currencies or tokens in a transparent, decentralized manner. Being computer programs, they are also prone to programming errors, which have already lead to spectacular losses. Therefore, methods and tools have emerged to support the development of secure smart contracts and to aid the analysis of deployed ones. Assessing the quality of such tools turns out to be difficult. There are academic tools, tools developed by companies, and community tools in open repositories, but no comprehensive survey that may serve as a guide. Most discussions of related work in research papers are not helpful either, as they concentrate on methods rather than tools, base their review on publications about the tools rather than the tools themselves, or disregard tools outside of academia. Our survey aims at filling this gap by considering tools regardless of their provenance and by installing and testing them. It is meant as a guide for those who intend to analyze already deployed code, want to develop secure smart contracts, or plan to teach a related subject. We investigate 27 tools for analyzing Ethereum smart contracts regarding availability, maturity level, methods employed, and detection of security issues.

An Efficient Vulnerability Detection Methods For Smart Contracts

Thesis

Full-text available

Sep 2024

Abuh Ibrahim Sani

Due to smart contracts increasing use in financial institutions, healthcare organisations, real estate companies, and other commercial organisations as a secure and transparent way to speed transactions, smart contracts have recently attracted a lot of attention. Although smart contracts provide many benefits, it is important to recognise that they also include a built-in vulnerability that, if exploited, might result in significant financial losses and reputa-tional damage. Code defects, integer overflow/underflow, self-destruct, denial of service, and reentrancy attacks are the main causes of these vulnerabilities. This report used a static analysis and dynamic analysis method to detect smart contract vulnerabilities. Slither, mythril, Oyente, MAIAN, and Vertigo are the tools used in the analysis. In this study, these tools have been proven to be effective and have greatly contributed to the realisation of having vulnerability-free contracts before deployment to the blockchain. This report's main goal is to thoroughly assess the effects of smart contract vulnerabilities, specifically when employing static and dynamic methods. The research explores the area to justify the potential financial effect and decline in sectoral trust that can result from these vulnerabilities. The research further carries out thorough vulnerability detection and proposes and elaborates on mitigation solutions that hold the potential to successfully handle smart contract vulnerabilities in light of the discovered risks. The study seeks to provide these entities with actionable insights to enhance the security of their smart contract deployments and subsequently improve the resilience of their systems by effectively detecting smart contract vulnerabilities using multiple techniques. This study explores the intricate interplay between smart contract vulnerabilities, financial institutions, and business organisations. Through its analysis of potential risks and its deline-ation of mitigation techniques, it contributes to a deeper understanding of how these entities can harness the benefits of smart contracts while mitigating the associated risks, ultimately fostering a safer and more secure transactional environment. A very sizeable dataset containing 5 contracts were carefully evaluated during this research with the use of different tools to detect vulnerabilities in the contracts.

Model Checking Concurrency in Smart Contracts with a Case Study of Safe Remote Purchase

Chapter

Full-text available

Nov 2024

Blockchain Based Solution For Secure Information Sharing In Pharma Supply Chain Management

Article

Full-text available

Nov 2024

Pharmaceutical supply chain management (PSCM) aims to alleviate logistical challenges. However, traditional online pharma systems face issues during implementation, particularly regarding transparency and fostering mutual trust among stakeholders. The primary security goals for a supply chain management (SCM) solution are ensuring authentication, confidentiality, data provenance, and auditability. The proposed blockchain-based solution (BPSCM) is implemented in three phases: registration, pharmaceutical product circulation, and secure payment. The registration phase computes the identification number upon the hashed private key along with the Edwards-curve digital signature algorithm (EdDSA) for all the stakeholders. The pharm product circulation phase implements the transactions among the participants by developing smart contracts where cryptographic operators ensure data provenance. The security analysis demonstrates that the framework effectively mitigates impersonation and collusion attacks. Performance metrics, including gas consumption, throughput, latency, and computational cost, were examined and compared to standard PSCM frameworks to evaluate the BPSCM's effectiveness.

TOWARD USE CASES AND SECURITY: AN IN-DEPTH ETHEREUM SMART CONTRACTS STUDY

Thesis

Full-text available

Mar 2024

Giacomo Ibba

Blockchain technology has emerged as a paradigm-shifting innovation within the broader field of distributed computing systems, especially with the deployment of Ethereum, which introduced the development of smart contracts with a Turing complete programming language. These self-executing programs with decentralised functionalities have gained substantial attention in recent years due to their crucial role in blockchain ecosystems, their versatility, and the advantages inherited from the blockchain itself, such as transparency, decentralisation, and immutability. For this very reason, smart contracts aroused the interest of researchers and developers, who explored a wide spectrum of aspects, ranging from use cases to vulnerability issues. However, the rapid evolution of blockchain and smart contracts highlights the necessity of continuous research and investigation of this technology. This dissertation proposes an in-depth study of Ethereum smart contracts, exploring use cases, methodologies for classification and architectural analysis, and evaluating the security of such programs. First, a general overview of blockchain and smart contracts is given in the introductory chapters, underscoring use cases, and applications. The second part of the dissertation focuses on methodologies and tools for smart contracts classification, architectural, and behavioral analysis, with a particular focus on decentralised applications (dApp), in which operational efficacy is granted by the interconnection and interaction of multiple smart contracts. Next, the thesis focuses on the vulnerability exposures affecting smart contracts, exploring methodologies and tools for vulnerability detection, prevention approaches, and automatic program repair methodologies applied for fixing vulnerable patterns in such programs. Moreover, the dissertation investigates the opinions and the interests of generic users on smart contracts by analysing blockchain and smart contracts-related content extracted from social networks and forums, such as to have an exhaustive overview that includes perspectives not only related to development and research. Lastly, the thesis presents the future directions of the outlined research and the efforts required to investigate emerging technologies, with a focus on dApps.

A Malware Detection Method Based On Genetic Algorithm Optimized CNN-Senet Network

Article

Full-text available

Jan 2024

In recent years, convolutional neural network (CNN) has achieved great success in the field of network security protection. With the popularization of smart terminals and the gradual increase of power grid informatization and digitization, the protection of power monitoring system from various cybersecurity threads is a current scientific problem that needs to be solved urgently. To this end, this paper proposes a malware detection method based on genetic algorithm optimization of CNN-SENet network, which firstly introduces the SENet attention mechanism into convolutional neural network to enhance the spatial feature extraction capability of the model; then, the application programming interface (API) sequences corresponding to different software behaviors are processed by segmentation and de-duplication, which in turn leads to the sequence feature extraction through the CNN-SENet model; finally, genetic algorithm is used to optimize the hyperparameters of CNN-SENet network to reduce the computational overhead of CNN and to achieve the recognition and classification of different malware at the output layer. The examples under the public dataset containing 8 kinds of malware show that the proposed method is better than the traditional algorithmic model, and can accurately and efficiently achieve malware detection with strong generalization ability.

Blockchain based Trusted Product delivery in E-commerce system

Book

Full-text available

Jan 2022

Almost everything has become common as a result of the advent of digitization and the use of the Internet. It is most frequently used in e-commerce platforms. The majority of customers prefer Internet banking, shopping, selling and purchasing, among other services.However, along with the numerous advantages and benefits that E-commerce systems pro- vide, there are also some drawbacks. The most significant issues are with security, cash transaction and theft. Additionally, delivering product properly to the buyer is another issue. In this work we propose trust in product delivery in E-commerce Supply chain using Blockchain Technology. This solves the trust issue during product delivery. Finally, the work is implemented by Ethereum, Ganache, Solidity, React, Metamask, Web3.js and MySQL.

Model Checking Concurrency in Smart Contracts with a Case Study of Safe Remote Purchase

Conference Paper

Full-text available

Oct 2024

Blockchain technology has evolved beyond its initial role in supporting cryptocurrencies like Bitcoin, with Ethereum introducing smart contracts for decentralised applications in various domains. However, ensuring the safety and security of smart contracts remains a critical challenge, particularly concerning concurrency issues. This is of paramount importance because the smart contract ecosystem is concurrent by nature as its underlying blockchain is decentralised, and the concurrency-related vulnerabilities within smart contracts have resulted in substantial financial losses. We observe that in the literature, concur-rency is handled with two strong assumptions, leading to either unde-tected attacks or false alarms. Taking the Safe Remote Purchase smart contract as a case study, we investigated the root causes and introduced a novel method that incorporates blockchain-specific characteristics into the verification process. Our contributions include a formal framework, an automated model generator, and a compelling case study that illustrates a reduction in false attacks, thus advancing the state of smart contract security in blockchain ecosystems. The formal models and the framework generator are available online at https://github.com/FormalV erificationBlockchain/Concurrency.

A Survey of Vulnerability Detection Techniques by Smart Contract Tools

Article

Full-text available

Jan 2024

Ethereum Blockchain technology introduced a competitive environment in the financial sector. Consequently, new technologies emerged, such as Smart Contracts (SCs), which preclude code corrections due to their immutable nature. But the incorrect and faulty uploaded SCs led to uninvited penetrations into SCs’ accounts, resulting in considerable customer losses. This SC’s drawback requires tools to test the SCs and paves the way for research on vulnerability detection techniques. Our survey paper comprehensively reviews 41 SC tools and presents the vulnerability detection techniques (VDTs) of the several previously discussed tools by dividing them into general and specific classes. Finally, we also perform a classification of detection techniques to standardize the approaches. Thus, our study will help SC developers and security analysts to streamline the security of SCs and reduce the chances of malicious monetary transfers.

A Review of Deep Learning-Based Vulnerability Detection Tools for Ethernet Smart Contracts

Article

Full-text available

Apr 2024
Comput Model Eng Sci

In recent years, the number of smart contracts deployed on blockchain has exploded. However, the issue of vulnerability has caused incalculable losses. Due to the irreversible and immutability of smart contracts, vulnerability detection has become particularly important. With the popular use of neural network model, there has been a growing utilization of deep learning-based methods and tools for the identification of vulnerabilities within smart contracts. This paper commences by providing a succinct overview of prevalent categories of vulnerabilities found in smart contracts. Subsequently, it categorizes and presents an overview of contemporary deep learning-based tools developed for smart contract detection. These tools are categorized based on their open-source status, the data format and the type of feature extraction they employ. Then we conduct a comprehensive comparative analysis of these tools, selecting representative tools for experimental validation and comparing them with traditional tools in terms of detection coverage and accuracy. Finally, Based on the insights gained from the experimental results and the current state of research in the field of smart contract vulnerability detection tools, we suppose to provide a reference standard for developers of contract vulnerability detection tools. Meanwhile, forward-looking research directions are also proposed for deep learning-based smart contract vulnerability detection.

Vulnerabilities of smart contracts and mitigation schemes: A Comprehensive Survey

Preprint

Full-text available

Apr 2024

Exploring Vulnerabilities and Concerns in Solana Smart Contracts

Preprint

Apr 2025

The Solana blockchain was created by Anatoly Yakovenko of Solana Labs and was introduced in 2017, employing a novel transaction verification method. However, at the same time, the innovation process introduced some new security issues. The frequent security incidents in smart contracts have not only caused enormous economic losses, but also undermined the credit system based on the blockchain. The security and reliability of smart contracts have become a new focus of research both domestically and abroad. This paper studies the current status of security analysis of Solana by researching Solana smart contract security analysis tools. This paper systematically sorts out the vulnerabilities existing in Solana smart contracts and gives examples of some vulnerabilities, summarizes the principles of security analysis tools, and comprehensively summarizes and details the security analysis tools in Solana smart contracts. The data of Solana smart contract security analysis tools are collected and compared with Ethereum, and the differences are analyzed and some tools are selected for practical testing.

A Formally Verified Lightning Network

Preprint

Full-text available

Mar 2025

In this work we use formal verification to prove that the Lightning Network (LN), the most prominent scaling technique for Bitcoin, always safeguards the funds of honest users. We provide a custom implementation of (a simplification of) LN, express the desired security goals and, for the first time, we provide a machine checkable proof that they are upheld under every scenario, all in an integrated fashion. We build our system using the Why3 platform.

Smart contract: Revolutionizing transactions in the digital age

Article

Full-text available

Apr 2024

Blockchain technology is a revolutionary concept that has transformed various industries, offering decentralized and secure solutions for data management. At its core, a blockchain is a distributed and immutable ledger that records transactions across a network of computers. One of the key features of blockchain is its transparency, as each participant in the network has access to the same information. The application of blockchain technology extends across diverse sectors, with finance being the most promising and well-known application domain. Cryptocurrencies, like Bitcoin and Ethereum, rely on blockchain to facilitate secure and transparent transactions. The decentralized nature of blockchain eliminates the need for intermediaries, reducing transaction costs and increasing efficiency. Beyond finance, blockchain is making significant strides in supply chain management. The emergence of blockchain technology has paved the way for a transformative innovation in the realm of digital transactions: smart contracts. These self-executing contracts encoded in blockchain have garnered significant attention for their potential to revolutionize the way agreements are made, executed, and enforced. This paper explores the concept of smart contracts, delving into the underlying technology, finding applications across various industries, legal implications, and future prospects.

Navigating the smart contract threat landscape: a systematic review

Article

Full-text available

Feb 2025

Smart contracts have emerged as a transformative technology within the blockchain ecosystem, facilitating the automated and trustless execution of agreements. Their adoption spans diverse sectors such as education, agriculture, healthcare, government, real estate, transportation, supply chain, and global initiatives like Central Bank Digital Currencies (CBDCs). However, the security of smart contracts has become a significant concern, as vulnerabilities in their design and implementation can lead to severe consequences such as financial losses and system failures. This systematic review consolidates findings from 78 selected research articles, identifying key vulnerabilities affecting smart contracts and categorizing them into a taxonomy encompassing code-level, environment-dependent, and user-related vulnerabilities. It also examines the threats that exploit these vulnerabilities and the most effective detection techniques. The domain-based classification presented in this review aims to assist researchers, software engineers, and developers in identifying and mitigating significant security flaws related to the design, implementation, and deployment of smart contracts. A comprehensive understanding of these issues is essential for enhancing the security and reliability of the blockchain ecosystem, ultimately fostering the development of more secure and robust decentralized applications for end users.

MultiTagging: A Vulnerable Smart Contract Labeling and Evaluation Framework

Article

Full-text available

Nov 2024

Identifying vulnerabilities in Smart Contracts (SCs) is crucial, as they can lead to significant financial losses if exploited. Although various SC vulnerability identification methods exist, selecting the most effective approach remains challenging. This article examines these challenges and introduces solutions to enhance SC vulnerability identification. It introduces MultiTagging, a modular SC multi-labeling framework designed to overcome limitations in existing SC vulnerability identification approaches. MultiTagging automates SC vulnerability tagging by parsing analysis reports and mapping tool-specific tags to standardized labels, including SC Weakness Classification (SWC) codes and Decentralized Application Security Project (DASP) ranks. Its mapping strategy and the proposed vulnerability taxonomy resolve tool-level labeling inconsistencies, where different tools use distinct labels for identical vulnerabilities. The framework integrates an evaluation module to assess SC vulnerability identification methods. MultiTagging enables both tool-based and vote-based SC vulnerability labeling. To improve labeling accuracy, the article proposes Power-based voting, a method that systematically defines voter roles and voting thresholds for each vulnerability. MultiTagging is used to evaluate labeling across six tools: MAIAN, Mythril, Semgrep, Slither, Solhint, and VeriSmart. The results reveal high coverage for Mythril, Slither, and Solhint, which identified eight, seven, and six DASP classes, respectively. Tool performance varied, underscoring the impracticality of relying on a single tool to identify all vulnerability classes. A comparative evaluation of Power-based voting and two threshold-based methods—AtLeastOne and Majority voting—shows that while voting methods can increase vulnerability identification coverage, they may also reduce detection performance. Power-based voting proved more effective than pure threshold-based methods across all vulnerability classes.

An extensive multivocal literature review of blockchain technology: Evolution, challenges, platforms, security, and interoperability

Article

Full-text available

Oct 2024

Blockchain technology has gained enormous interest from industry and academia recently. Technology enthusiasts are exploring its use case beyond cryptocurrencies and claim that blockchain technology can overcome the inefficiencies of centralized systems. In this study, we continue the work of previous authors, aiming to provide a more comprehensive understanding of the technical aspects of blockchain. This study is the first of its kind to review and analyze the current status of different technical aspects of blockchain technology influencing its adoption. We performed an extensive multivocal review to (i) demonstrate the progress of blockchain, (ii) discuss the challenges related to the wide‐scale adoption of the technology, (iii) present a detailed analysis of blockchain platforms, (iv) highlight security and interoperability issues followed by the solutions proposed in the literature. We have considered 259 peer‐reviewed research papers and the gray literature related to 40 blockchain platforms to provide an in‐depth analysis of blockchain technology. In conclusion, this comprehensive survey provides a holistic view of blockchain technology's progress. It identifies challenges, trends, and future research directions, serving as a valuable resource for researchers and practitioners seeking to navigate the dynamic blockchain landscape.

Towards Blockchain Developer Experience (BcDEx): Exploring Dimensions of Developer Experience in Blockchain-oriented Software Engineering

Conference Paper

Full-text available

Sep 2024

The Developer Experience (DEx) in the context of blockchain and decentralized applications has to deal with new or adapted software engineering practices due to the particular characteristics of these technologies. This study proposes the idea of Blockchain Developer Experience (BcDEx) influenced by different practices of Blockchain-Oriented Software Engineering (BOSE). To achieve this purpose, we categorize and discuss critical BcDEx factors based on a well-established DEx conceptual framework covering cognitive, affective, and conation dimensions. Furthermore, we reveal new directions that can benefit both research and practice in BcDEx, encompassing practical aspects such as using technical resources and organizational considerations.

Smart Contract Vulnerability Detection based on Static Analysis and Multi-Objective Search

Preprint

Sep 2024

This paper introduces a method for detecting vulnerabilities in smart contracts using static analysis and a multi-objective optimization algorithm. We focus on four types of vulnerabilities: reentrancy, call stack overflow, integer overflow, and timestamp dependencies. Initially, smart contracts are compiled into an abstract syntax tree to analyze relationships between contracts and functions, including calls, inheritance, and data flow. These analyses are transformed into static evaluations and intermediate representations that reveal internal relations. Based on these representations, we examine contract's functions, variables, and data dependencies to detect the specified vulnerabilities. To enhance detection accuracy and coverage, we apply a multi-objective optimization algorithm to the static analysis process. This involves assigning initial numeric values to input data and monitoring changes in statement coverage and detection accuracy. Using coverage and accuracy as fitness values, we calculate Pareto front and crowding distance values to select the best individuals for the new parent population, iterating until optimization criteria are met. We validate our approach using an open-source dataset collected from Etherscan, containing 6,693 smart contracts. Experimental results show that our method outperforms state-of-the-art tools in terms of coverage, accuracy, efficiency, and effectiveness in detecting the targeted vulnerabilities.

SoK: A Unified Data Model for Smart Contract Vulnerability Taxonomies

Conference Paper

Jul 2024

Vulnerability Detection in Ethereum Smart Contracts via Machine Learning: A Qualitative Analysis

Preprint

Full-text available

Jul 2024

Smart contracts are central to a myriad of critical blockchain applications, from financial transactions to supply chain management. However, their adoption is hindered by security vulnerabilities that can result in significant financial losses. Most vulnerability detection tools and methods available nowadays leverage either static analysis methods or machine learning. Unfortunately, as valuable as they are, both approaches suffer from limitations that make them only partially effective. In this survey, we analyze the state of the art in machine-learning vulnerability detection for Ethereum smart contracts, by categorizing existing tools and methodologies, evaluating them, and highlighting their limitations. Our critical assessment unveils issues such as restricted vulnerability coverage and dataset construction flaws, providing us with new metrics to overcome the difficulties that restrain a sound comparison of existing solutions. Driven by our findings, we discuss best practices to enhance the accuracy, scope, and efficiency of vulnerability detection in smart contracts. Our guidelines address the known flaws while at the same time opening new avenues for research and development. By shedding light on current challenges and offering novel directions for improvement, we contribute to the advancement of secure smart contract development and blockchain technology as a whole.

Temporarily Restricting Solidity Smart Contract Interactions

Preprint

Full-text available

May 2024

In this work we explore ways to restrict the ability to call Solidity smart contract functions for a specified duration. We describe methods to restrict functions from being called twice in the same transaction, block, or time period. This is related to the notion of non-reentrant functions, which are functions that can be called within a previous execution. These methods can be used to restrict interactions with entire sets of functions of smart contracts. We are motivated to revisit this topic for two reasons. First, we note that sixteen real-world smart contracts exploits in 2023 resulting in over $136M USD lost or stolen that could have been prevented by restricting function calls. As part of this survey, we dissect a new class of exploit that involves so-called read-only reentrancy: exploits that re-enter read-only functions to make smart contract state inconsistent in order to enable their exploitation. Second, while some of these approaches are simple, they may not always behave the same across different blockchains that support Solidity.

Salsal: blockchain for vetting cultural object collections

Article

Full-text available

Jan 2024

Many modern cultural object collections suffer from the problem of being obtained in unethical and illegal circumstances. Additionally, information about collections, including their status, object descriptions, and other data need up-to-date information presented to users. We propose a novel blockchain tool called Salsal that enables the vetting of objects, individually or as part of more extensive collections, to meet required ethical and legal guidelines while informing users about relevant information regarding collections. Blockchain provides a better and more rapid way for users to know about collections using a decentralized and immutable ledger technology. Blockchain can be used to incentivize or even pressure collections to vet their objects for ethical and legal guidelines that can benefit the public who use object collections. The prototype software we have made is presented and compared to other blockchains, with code and demonstration provided. We present how our blockchain can enable benefit, providing a useful vetting process for cultural objects, and allowing a user community to contribute to collections in a transparent and secure manner.

IJAFR International Journal of Accounting and Finance Researches Uluslararası Muhasebe ve Finans Araştırmaları Dergisi A Bibliometric Analysis on Blockchain Crypto Assets Bitcoin Web of Science Application

Article

Full-text available

Jun 2023

JEL Kodları: F02, 036 ÖZ Kripto varlıklar bilgisayar ortamında üretilen merkezi olmayan dağıtık teknolojide çalışan finansal dijital kavramlardır. Kripto varlıkların küresel piyasadaki büyük artışından dolayı ulusal yetkililer tarafından da incelenmeye başlanmıştır. Bu nedenle yapılan bu çalışmada bibliyometrik analiz tekniği ile son yıllarda kripto varlık üzerine yapılan ve Web of Science veri tabanında yer bulan çalışmalar incelenmiştir. Bibliyometrik analiz: güncel, tercih edilen bir yöntemdir. Bibliyometrik analiz incelenen alanın tarihsel ayrıntılarıyla araştırılmasını sağlayabilmektedir. Ayrıca yayınların bilimsel literatürdeki etkilerini ölçmek için de kullanılabilmektedir. Bu çalışma ile, yatırımcıların ve ilgililer için kripto varlıklar, blok zincir ve bitcoin alanlarında yapılan çalışmalar çeşitli nitelikleri açısından sınıflandırılarak bilgi verilmek istenmiştir. Bu amaçla uygulanan bibliyometrik analiz ile blok zincir alanı ve kripto varlık, bitcoin piyasalarında yapılan ve Web of Science platformunda yer alan çalışmalar sayı, yıl, finans kaynakları, çalışan ilgili kurum vb. alanlar hakkında bilgi vermek amaçlanmıştır. Blok zincir, kripto varlıklar, bitcoin üzerine son 5 yılın bibliyometrik analizi çalışması gerçekleştirilmiştir. Kripto varlık alanında kısıtlı sayıda çalışma olduğu fark edilebilmektedir. Ancak bu eksik son yıllarda yapılan yayınlarla doldurulmaya çalışıldığı da görülmektedir. Bu çalışma sonucunda, kripto varlık alanında en fazla çalışmanın 2021 yılında yapıldığı, en fazla makale türünde yayın ise yine 2021 yılında ve son olarak da yayın kategorisi olarak İşletme Finansmanı alanında çalışmaların yoğunlaştığı tespit edilmiştir. Yine blok zincir, kripto varlık, bitcoin alanlarındaki çalışmalar farklı alanlarda ve farklı dönemler ile farklı analiz yöntemleri kullanılarak analiz edilebilir. ABSTRACT Crypto assets are financial digital concepts that are generated in a decentralized distributed technology environment on computers. Due to the significant increase in the global market of crypto assets, they have also started to be examined by national authorities. Therefore, in this study, studies on crypto assets in recent years and found in the Web of Science database were examined using bibliometric analysis technique. Bibliometric analysis is a current and preferred method. Bibliometric analysis can enable the research of the historical details of the area under study. It can also be used to measure the impact of publications on scientific literature. With this study, it is aimed to classify the studies conducted in the fields of crypto assets, blockchain, and bitcoin in terms of various qualities and provide information for investors and stakeholders. The bibliometric analysis applied for this purpose aims to provide information about the number of studies, year, financial sources, relevant institutions, etc. conducted in the fields of blockchain, crypto assets, and bitcoin markets and found on the Web of Science platform. A bibliometric analysis study on blockchain, crypto assets, and bitcoin in the last 5 years has been conducted. It can be observed that there are a limited number of studies in the field of crypto assets. However, it is also seen that this gap is being filled with publications made in recent years. As a result of this study, it was determined that the most studies in the field of crypto assets were conducted in 2021, the most common type of publication was also in 2021, and finally, it was found that studies in the field of Business Finance were concentrated as the publication category. Studies in the fields of blockchain, crypto assets, and bitcoin can also be analyzed using different methods in different periods and in different areas.

A TECHNICAL REVIEW ON SMART CONTRACT PLATFORMS, LANGUAGES AND APPLICATIONS IN BLOCKCHAIN

Article

Mar 2025

A Comprehensive Survey of Smart Contracts Vulnerability Detection Tools: Techniques and Methodologies

Article

Mar 2025
J NETW COMPUT APPL

Proof of Concept for Guarantees of Origin

Conference Paper

Oct 2024

An Attention-based Wide and Deep Neural Network for Reentrancy Vulnerability Detection in Smart Contracts

Article

Feb 2025
J SYST SOFTWARE

Are the smart contracts on Q&A site reliable?

Article

Jun 2024
SOFTWARE PRACT EXPER

Ethereum, as a leading blockchain platform, has attracted a significant number of practitioners. These practitioners require a platform for communication and collaborative problem‐solving, which led to Ethereum Stack Exchange (ESE), a Q&A site dedicated to Ethereum‐related issues. While the Q&A site facilitates communication among practitioners, it also introduces new challenges. Practitioners adopt code snippets from Q&A sites to address problems encountered. However, the quality of code snippets on ESE remains largely unexplored. Vulnerabilities and gas‐inefficient patterns in ESE may spread to the code in Ethereum and threaten its regular operation. In this article, we conduct an empirical study investigating the distribution of vulnerabilities and gas‐inefficient patterns in ESE. Further, we analyze the potential impact of vulnerabilities and gas‐inefficient patterns from ESE on Ethereum. However, we encounter a problem during the vulnerability and gas‐inefficient pattern detection. Established smart contract analysis tools in the mainstream realm necessitate complete source code files for thorough analysis, while codes on ESE are often incomplete code snippets. To address this, we introduce the AST‐based code clone detection technique to construct detectable files corresponding to code snippets. This enables us to detect vulnerabilities and gas‐inefficient patterns in code snippets. In the end, our findings demonstrate that 11.18% of the contract‐level code snippets and 4.06% of function‐level code snippets in ESE have vulnerabilities. And 27.21% of contract‐level code snippets and 17.89% of function‐level code snippets contain gas‐inefficient patterns. The additional consumption caused by the gas‐inefficient pattern in ESE is approximately $1,695,002. Based on these findings, we provide recommendations for both ESE and its users, aiming to foster collaborative efforts and create a more reliable Q&A site for practitioners.

AdvSCanner: Generating Adversarial Smart Contracts to Exploit Reentrancy Vulnerabilities Using LLM and Static Analysis

Conference Paper

Oct 2024

A Review of Reentrancy Attack in Ethereum Smart Contracts

Conference Paper

Full-text available

Oct 2024

Blockchain technology has catalyzed a revolutionary shift toward decentralized applications, prominently exemplified by Ethereum’s introduction of smart contracts. A smart contract is a self-executing program running on the Ethereum Virtual Machine (EVM), designed to automate and ensure trust in transactions, bypassing traditional intermediaries. Nevertheless, as their adoption proliferates, inherent vulnerabilities come to the fore, thereby highlighting significant security challenges. Notably, Reentrancy attacks, underscored by the 2016 DAO hack that precipitated a staggering loss of approximately $60 million in Ether, stand out as paramount concerns. This paper offers a comprehensive review of Reentrancy attacks targeting Ethereum smart contracts. It elucidates the mechanics underpinning such attacks, pinpointing recurrent patterns and susceptibilities. Concurrently, an exploration of the trajectory of countermeasures and contemporary solutions proposed within the research sphere is undertaken. Through a detailed analysis of both the nature of attacks and the corresponding mitigation strategies, this work emphasizes potential future directions, offering invaluable insights to guide efforts in enhancing the robustness and security of Ethereum’s smart contracts.

Practical Verification of Smart Contracts using Memory Splitting

Article

Oct 2024

SMT-based verification of low-level code requires modeling and reasoning about memory operations. Prior work has shown that optimizing memory representations is beneficial for scaling verification—pointer analysis, for example can be used to split memory into disjoint regions leading to faster SMT solving. However, these techniques are mostly designed for C and C++ programs with explicit operations for memory allocation which are not present in all languages. For instance, on the Ethereum virtual machine, memory is simply a monolithic array of bytes which can be freely accessed by Ethereum bytecode, and there is no allocation primitive. In this paper, we present a memory splitting transformation guided by a conservative memory analysis for Ethereum bytecode generated by the Solidity compiler. The analysis consists of two phases: recovering memory allocation and memory regions, followed by a pointer analysis. The goal of the analysis is to enable memory splitting which in turn speeds up verification. We implemented both the analysis and the memory splitting transformation as part of a verification tool, CertoraProver, and show that the transformation speeds up SMT solving by up to 120x and additionally mitigates 16 timeouts when used on 229 real-world smart contract verification tasks.

Safe design and evolution of smart contracts using dynamic condition response graphs to model generic role‐based behaviors

Article

Sep 2024

Smart contracts executed on blockchains are interactive programs where external actors generate events that trigger function invocations. Events can be emitted by participants asynchronously. However, some functionalities should be restricted to participants inhabiting specific roles in the system, which might be dynamically adjusted while the system evolves. We argue that current smart contract languages adopting imperative programming paradigms require additional complicated access control code. Furthermore, smart contracts are often developed and evolved independently and cannot share a joint access control policy. This makes it challenging to ensure the correctness of access control properties and to maintain correctness when the contracts are adapted. We propose using dynamic condition response (DCR) graphs for role‐based and declarative access control for smart contracts and techniques for test‐driven modelling and refinement of DCR graphs to support the safe design and evolution of smart contracts. We show that they allow for capturing and visualizing a form of dynamic access control where access rights evolve as the contract state progresses. Their use supports the straightforward declaration of access control rights, improved code auditing, test‐driven modelling, and safe evolution of smart contracts and improves users' understanding.

A Survey on Security Analysis Methods of Smart Contracts

Article

Nov 2024

Smart contracts have gained extensive adoption across diverse industries, including finance, supply chain, and the Internet of Things. Nevertheless, the surge in security incidents of smart contracts over recent years has led to substantial economic losses. Therefore, ensuring the security of smart contracts has become a critical and complex challenge in both academic and industrial domains. Based on 539 real-world security incidents in the Ethereum platform and audit reports from 10 authoritative auditing institutions, we summarize 27 types of exploited security vulnerabilities and draw insights into their principles, typical cases, relevant research and recommended prevention strategies. Besides, we also gather 7 other potentially threatening vulnerability types as supplements. On this basis, we conduct an in-depth analysis of the root causes of vulnerabilities and further formulate eight safety practical rules. Moreover, we perform a comprehensive review of 178 recent papers on smart contract security analysis, classifying detection methods into formal verification, fuzz testing, machine learning, program analysis, and others. For each category, we seize the specific detection tools and analyze them comprehensively. Then, we conduct an extensive analysis and synthesis from various angles, presenting a comprehensive overview of the current research landscape in smart contract security detection. We also discuss current on-chain and off-chain repair methods. Finally, this review outlines major challenges and highlights potential areas for future research in this field

Survey on Quality Assurance of Smart Contracts

Article

Sep 2024

As blockchain technology continues to advance, the secure deployment of smart contracts has become increasingly prevalent, underscoring the critical need for robust security measures. This surge in usage has led to a rise in security breaches, often resulting in substantial financial losses for users. This paper presents a comprehensive survey of smart contract quality assurance, from understanding vulnerabilities to evaluating the effectiveness of detection tools. Our work is notable for its innovative classification of forty smart contract vulnerabilities, mapping them to established attack patterns. We further examine nine defense mechanisms, assessing their efficacy in mitigating smart contract attacks. Furthermore, we develop a labeled dataset as a benchmark encompassing ten common vulnerability types, which serves as a critical resource for future research. We also conduct comprehensive experiments to evaluate fourteen vulnerability detection tools, providing a comparative analysis that highlights their strengths and limitations. In summary, this survey synthesizes state-of-the-art knowledge in smart contract security, offering practical recommendations to guide future research and foster the development of robust security practices in the field.

Verifiable Multi-Level Dynamic Searchable Encryption With Forward and Backward Privacy in Cloud-Assisted IoT

Article

Dec 2024

The Internet of Things (IoT) boom has enabled massive data collection in cloud servers. Therefore, access efficiency and data privacy in cloud storage services have become a significant concern. Data and users are hierarchical in IoT applications, which require fine-grained multi-level access control. Additionally, achieving public verification to resist the malicious server and clients is indispensable. Aiming at the challenge above, we propose a new forward private multi-level dynamic searchable symmetric encryption (DSSE) scheme called Peony, employing multi-level linked lists and constrained pseudorandom function, which is more efficient and secure. Then, we introduce a cryptographic primitive named multi-level symmetric revocable encryption (MSRE), and we give a general method for constructing a novel forward and type-II backward-private multi-level DSSE scheme Peony++ based on MSRE. Further, we design the multi-level digests and utilize the smart contract as a trusted platform to support public verification for Peony++. Theoretical analysis and experimental evaluations show that Peony achieves higher security and reduces search time by an average of 35.81% compared to the state-of-the-art multi-level DSSE scheme. To the best of our knowledge, Peony++ is the only multi-level searchable encryption currently available that can achieve forward and type-II backward privacy, all while balancing efficiency and functionality.

Temporarily Restricting Solidity Smart Contract Interactions

Conference Paper

Jul 2024

Using Mutation Testing To Improve and Minimize Test Suites for Smart Contracts

Conference Paper

May 2024

Empirical Study of Impact of Solidity Compiler Updates on Vulnerabilities in Ethereum Smart Contracts

Article

Aug 2024

Vulnerabilities in Ethereum smart contracts often cause significant financial damage. Whereas the Solidity compiler has been updated to mitigate vulnerabilities, the effectiveness of these updates remains undisclosed to the best of our knowledge. In this paper, we aim to shed light on the impact of compiler versions on reducing vulnerabilities in Ethereum smart contracts. To achieve this, we collected 497,344 contracts with Solidity source codes from the Ethereum blockchain and analyzed their vulnerabilities. For three vulnerabilities of high severity, i.e., Locked Money , Using tx.origin , and Unchecked Call , we illustrate their appearance rate changes, showing decreases attributed to major updates of the Solidity compiler. Subsequently, we found the following four key insights. Firstly, updates to version 0.6 and version 0.8 led to decreased appearance rates for Locked Money . Secondly, regardless of compiler updates, the appearance rate for Using tx.origin was significantly low. Thirdly, the appearance rate for Unchecked Call significantly decreased from version 0.5 to version 0.8. Lastly, as an incidental discovery from our empirical study, we identified implications for code clones, which merit attention from subsequent researchers and developers.

Futureproofing Blockchain & Cryptocurrencies against Growing Vulnerabilities & Q-Day Threat with Quantum-Safe Ledger Technology (QLT)

Article

Jan 2024

Fazal Raheman

Vulnerability detection techniques for smart contracts: A systematic literature review

Article

Full-text available

Jul 2024
J SYST SOFTWARE

The number of applications supported by blockchain smart contracts has been greatly increasing in recent years, with smart contracts now being used across several domains, such as the music industry, finance, and retail, to name a few. Despite being used in business-critical contexts, the number of security vulnerabilities in smart contracts has also been increasing, with many of them being exploited and resulting in huge financial and reputation losses. This is despite the enormous effort that is being placed into the research and development of vulnerability detection tools and techniques, which have also greatly increased in number and type in the last few years. Motivated by the recent increase in both vulnerabilities and vulnerability detection techniques, this paper reviews the latest research in smart contract vulnerability detection, emphasizing the techniques being used, the vulnerabilities targeted, and the characteristics of the dataset used for evaluating the technique. We mapped the vulnerabilities against two common vulnerability classification schemes (DASP and SWC) and performed a consolidated analysis. We identified the current research trends and gaps in each technique and highlighted future research opportunities in the field.

A Study on Smart Contract Security Vulnerabilities

Chapter

Apr 2024

Blockchain has enabled individuals to communicate and make transactions without a central authority in a secure manner. It leverages concepts such as decentralization, immutability, and consensus to achieve the same. A blockchain is a chain of blocks linked through hashes. It is a distributed ledger where each node on the network has a copy of the blockchain. The consensus mechanism allows nodes to verify the validity of a block and decide on the next block for the chain. Smart Contracts have become the most emerging blockchain application. It is a small piece of executable code deployed on the blockchain. A contract gets triggered after a particular event/condition has been fulfilled. This trigger is generated either due to an invocation from a transaction or an explicit call. Since these contracts involve crypto transactions, they are susceptible to various kinds of attacks and exposed to a multitude of security vulnerabilities. This research paper focuses on the study of different categories of vulnerabilities in the blockchain such as Denial of Service with Failed Call, Randomness using ‘Block Hash’, Mishandled Exception, Immutable Bugs/mistakes, Transaction Ordering Dependency, etc. The paper then discusses various preventive measures and detection tools for the mentioned vulnerabilities.

The Ethereum Blockchain: Implementation and Security Aspects

Chapter

Aug 2023

Firstly introduced in 2013, Ethereum revolutionized the concept of blockchain. Compared to the previous generation of blockchains with the main representative the Bitcoin, the Ethereum blockchain extends the applications of this technology to domains such as its transfer of information and inclusion of off-chain data inside the blockchain. Furthermore, with the introduction of smart contracts, Ethereum allows for the automatic execution of operations inside the blockchain. These represent the key steps Ethereum firstly posed to enhance the blockchain technology and lead it to its widespread application. In this chapter we present an overview of the fundamental aspects that characterize the Ethereum blockchain. We discuss both its implementation from a blockchain point of view and the fundamental algorithmic aspects that characterize its functioning. Furthermore, we discuss the known vulnerabilities and security issues related to all the presented building blocks of Ethereum. Our aim is to provide a clear state-of-the-art overview of both the implementation aspects and security of the Ethereum blockchain.

Smart contract challenges and drawbacks for SME digital resilience

Article

Mar 2024
J Enterprise Inform Manag

Purpose This study aims to explore the key challenges and drawbacks of smart contracts (SCs) and how they impact digital resilience within small and medium enterprises (SMEs). Whilst this type of technology is seen as a step forward in terms of traceability, transparency and immutability to increase digital resilience, we argue that it should be approached with trepidation. Design/methodology/approach In developing this paper, the authors conduct a systematic literature search using the Scopus database. Through this, we identified 931 relevant articles, of which 30 were used as the focus of this article. Thematic analysis was used as the analytical approach to develop themes and meaning from the data. Findings In this paper, there is an emphasis on the importance of understanding the potential risks associated with SC implementation, as well as identifying appropriate strategies for mitigating any negative impact. In our findings, we puts forward three key themes, namely legality, security and human error, which we argue are key smart contract challenges that impact SME digital resilience. Originality/value In this paper, we propose the notion of “centralised control in decentralised solutions”. This comes from the research highlighting SC weaknesses in digital resilience for SMEs. We argue that there is a need for standards, regulations and legislation to address these issues, advocating, ironically, a centralised approach to decentralised technology.

Comparison of Ethereum Smart Contract Analysis and Verification Methods

Chapter

Mar 2024
Lect Notes Comput Sci

Ethereum allows to publish and use applications known as smart contracts on its public network. Smart contracts can be costly for users if erroneous. Various security vulnerabilities have occurred in the past and have been exploited causing the loss of billions of dollars. Therefore, it is in the developer’s interest to publish smart contracts that serve their intended purpose only. In this work, we study different approaches to verify if Ethereum smart contracts behave as intended and how to detect possible vulnerabilities. To this end, we compare and evaluate, different formal verification tools and tools to automatically detect vulnerabilities. Our empirical comparison of 140 smart contracts with known vulnerabilities shows that different tools vary in their success to identify issues with smart contracts. In general, we find that automated analysis tools often miss vulnerabilities, while formal verifiers based on model checking with Hoare-style source code annotations require high effort and knowledge to discover possible weaknesses. Specifically, some vulnerabilities (e.g., related to bad randomness) are not detected by any of the tools. Formal verifiers perform better than automated analysis tools as they detect more vulnerabilities and are more reliable. One of the automated analysis tools was able to find only three out of 16 Access Control vulnerabilities. On the contrary, formal verifiers have a hundred percent detection rate for selected tests. As a case study with a smart contract without previously known vulnerabilities and for a more in-depth evaluation, we examine a smart contract using a two-phase commit protocol mechanism which is key in many smart contract applications. We use the presented tools to analyze and verify the contract. Thereby we come across different important patterns to detect vulnerabilities e.g. with respect to re-entrancy, and how to annotate a contract to prove that intended the restriction and requirements hold at any time.

DA-GNN: A smart contract vulnerability detection method based on Dual Attention Graph Neural Network

Article

Feb 2024
COMPUT NETW

sGuard+: Machine Learning Guided Rule-Based Automated Vulnerability Repair on Smart Contracts

Article

Feb 2024

Smart contracts are becoming appealing targets for hackers because of the vast amount of cryptocurrencies under their control. Asset loss due to the exploitation of smart contract codes has increased significantly in recent years. To guarantee that smart contracts are vulnerability-free, there are many works to detect the vulnerabilities of smart contracts, but only a few vulnerability repair works have been proposed. Repairing smart contract vulnerabilities at the source code level is attractive as it is transparent to users, whereas existing repair tools, such as SCRepair and sGuard , suffer from many limitations: (1) ignoring the code of vulnerability prevention; (2) possibly applying the repair to the wrong statements and changing the original business logic of smart contracts; (3) showing poor performance in terms of time and gas overhead. In this work, we propose machine learning guided rule-based automated vulnerability repair on smart contracts to improve the effectiveness and efficiency of sGuard . To address the limitations mentioned above, we design the features that characterize both the symptoms of vulnerabilities and the methods of vulnerability prevention to learn various vulnerability patterns and reduce false positives. Additionally, a fine-grained localization algorithm is designed by traversing the nodes of the abstract syntax tree, and we refine and extend the repair rules of sGuard to preserve the original business logic of smart contracts and support new vulnerability types. Our tool, named sGuard+ , reduces time overhead based on machine learning models, and reduces gas overhead by fewer code changes and precise patching. In our experiment, we collect a publicly available vulnerability dataset from CVE, SWC and SmartBugs Curated as a ground truth for evaluations. Overall, sGuard+ repairs more vulnerabilities with less time and gas overhead than state-of-the-art tools. Furthermore, we reproduce about 9,000 historical transactions for regression testing. It is shown that sGuard+ has no impact on the original business logic of smart contracts.

Evolution of automated weakness detection in Ethereum bytecode: a comprehensive study

Article

Full-text available

Feb 2024
EMPIR SOFTW ENG

Blockchain programs (also known as smart contracts) manage valuable assets like cryptocurrencies and tokens, and implement protocols in domains like decentralized finance (DeFi) and supply-chain management. These types of applications require a high level of security that is hard to achieve due to the transparency of public blockchains. Numerous tools support developers and auditors in the task of detecting weaknesses. As a young technology, blockchains and utilities evolve fast, making it challenging for tools and developers to keep up with the pace. In this work, we study the robustness of code analysis tools and the evolution of weakness detection on a dataset representing six years of blockchain activity. We focus on Ethereum as the crypto ecosystem with the largest number of developers and deployed programs. We investigate the behavior of single tools as well as the agreement of several tools addressing similar weaknesses. Our study is the first that is based on the entire body of deployed bytecode on Ethereum’s main chain. We achieve this coverage by considering bytecodes as equivalent if they share the same skeleton. The skeleton of a bytecode is obtained by omitting functionally irrelevant parts. This reduces the 48 million contracts deployed on Ethereum up to January 2022 to 248 328 contracts with distinct skeletons. For bulk execution, we utilize the open-source framework SmartBugs that facilitates the analysis of Solidity smart contracts, and enhance it to accept also bytecode as the only input. Moreover, we integrate six further tools for bytecode analysis. The execution of the 12 tools included in our study on the dataset took 30 CPU years. While the tools report a total of 1 307 486 potential weaknesses, we observe a decrease in reported weaknesses over time, as well as a degradation of tools to varying degrees.

Public data security using Ethereum Smart Contract

Article

Full-text available

Nov 2023

Smart contracts, a unique form of blockchain technology, enable financial transactions on the Ethereum blockchain. However, the blockchain paradigm's decentralized structure raises security concerns and has been linked to significant financial losses. Contrary to typical financial entities, Ethereum lacks centralized controls to solve these challenges. These problems have been addressed and Ethereum's security has been enhanced by symbolic execution, which has grown to be a well-known technique for guaranteeing programme integrity. The security of the blockchain can be improved more efficiently by using this method to assess Ethereum's security and identify areas that require the attention of security experts.

EtherDiffer: Differential Testing on RPC Services of Ethereum Nodes

Conference Paper

Nov 2023

Automatic Generation of Solidity Test for Blockchain Smart Contract using Many Objective Search and Dimensionality Reduction

Conference Paper

Aug 2023

Security Vulnerabilities in Ethereum Smart Contracts

Conference Paper

Full-text available

Jul 2018

Towards Analyzing the Complexity Landscape of Solidity Based Ethereum Smart Contracts

Article

Full-text available

Jan 2019

Péter Hegedüs

Blockchain-based decentralized cryptocurrency platforms are currently one of the hottest topics in technology. Although most of the interest is generated by cryptocurrency related activities, it is becoming apparent that a much wider spectrum of applications can leverage the blockchain technology. The primary concepts enabling such general use of the blockchain are the so-called smart contracts, which are special programs that run on the blockchain. One of the most popular blockchain platforms that supports smart contracts is Ethereum. As smart contracts typically handle money, ensuring their low number of faults and vulnerabilities are essential. To aid smart contract developers and help to mature the technology, we need analysis tools and studies for smart contracts. As an initiative for this, we propose the adoption of some well-known OO metrics for Solidity smart contracts. Furthermore, we analyze more than 40 thousand Solidity source files with our prototype tool. The results suggest that smart contract programs are short, neither overly complex nor coupled too much, do not rely heavily on inheritance, and either quite well-commented or not commented at all. Moreover, smart contracts could benefit from an external library and dependency management mechanism, as more than 85% of the defined libraries in Solidity files code the same functionalities

Monitoring Smart Contracts: ContractLarva and Open Challenges Beyond: 18th International Conference, RV 2018, Limassol, Cyprus, November 10–13, 2018, Proceedings

Chapter

Full-text available

Nov 2018
Lect Notes Comput Sci

Smart contracts present new challenges for runtime verification techniques, due to features such as immutability of the code and the notion of gas that must be paid for the execution of code. In this paper we present the runtime verification tool ContractLarva and outline its use in instrumenting monitors in smart contracts written in Solidity, for the Ethereum blockchain-based distributed computing platform. We discuss the challenges faced in doing so, and how some of these can be addressed, using the ERC-20 token standard to illustrate the techniques. We conclude by proposing a list of open challenges in smart contract and blockchain monitoring.

Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts

Conference Paper

Full-text available

Dec 2018

The capability of executing so-called smart contracts in a decentralised manner is one of the compelling features of modern blockchains. Smart contracts are fully fledged programs which cannot be changed once deployed to the blockchain. They typically implement the business logic of distributed apps and carry billions of dollars worth of coins. In that respect, it is imperative that smart contracts are correct and have no vulnerabilities or bugs. However, research has identified different classes of vulnerabilities in smart contracts, some of which led to prominent multi-million dollar fraud cases. In this paper we focus on vulnerabilities related to integer bugs, a class of bugs that is particularly difficult to avoid due to some characteristics of the Ethereum Virtual Machine and the Solidity programming language. In this paper we introduce Osiris - a framework that combines symbolic execution and taint analysis, in order to accurately find integer bugs in Ethereum smart contracts. Osiris detects a greater range of bugs than existing tools, while providing a better specificity of its detection. We have evaluated its performance on a large experimental dataset containing more than 1.2 million smart contracts. We found that 42,108 contracts contain integer bugs. Besides being able to identify several vulnerabilities that have been reported in the past few months, we were also able to identify a yet unknown critical vulnerability in a couple of smart contracts that are currently deployed on the Ethereum blockchain.

EthIR: A Framework for High-Level Analysis of Ethereum Bytecode: 16th International Symposium, ATVA 2018, Los Angeles, CA, USA, October 7-10, 2018, Proceedings

Chapter

Full-text available

Sep 2018
Lect Notes Comput Sci

Analyzing Ethereum bytecode, rather than the source code from which it was generated, is a necessity when: (1) the source code is not available (e.g., the blockchain only stores the bytecode), (2) the information to be gathered in the analysis is only visible at the level of bytecode (e.g., gas consumption is specified at the level of EVM instructions), (3) the analysis results may be affected by optimizations performed by the compiler (thus the analysis should be done ideally after compilation). This paper presents EthIR, a framework for analyzing Ethereum bytecode, which relies on (an extension of) Oyente, a tool that generates CFGs; EthIR produces from the CFGs, a rule-based representation (RBR) of the bytecode that enables the application of (existing) high-level analyses to infer properties of EVM code.

Monitoring Smart Contracts: ContractLarva and Open Challenges Beyond

Conference Paper

Full-text available

Nov 2018

Visual emulation for Ethereum's virtual machine

Conference Paper

Full-text available

Apr 2018

Tool Demonstration: FSolidM for Designing Secure Ethereum Smart Contracts

Chapter

Full-text available

Apr 2018
Lect Notes Comput Sci

Blockchain-based distributed computing platforms enable the trusted execution of computation—defined in the form of smart contracts—without trusted agents. Smart contracts are envisioned to have a variety of applications, ranging from financial to IoT asset tracking. Unfortunately, the development of smart contracts has proven to be extremely error prone. In practice, contracts are riddled with security vulnerabilities comprising a critical issue since bugs are by design non-fixable and contracts may handle financial assets of significant value. To facilitate the development of secure smart contracts, we have created the FSolidM framework, which allows developers to define contracts as finite state machines (FSMs) with rigorous and clear semantics. FSolidM provides an easy-to-use graphical editor for specifying FSMs, a code generator for creating Ethereum smart contracts, and a set of plugins that developers may add to their FSMs to enhance security and functionality.

ZEUS: Analyzing Safety of Smart Contracts

Conference Paper

Full-text available

Jan 2018

Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach

Conference Paper

Full-text available

Feb 2018

The adoption of blockchain-based distributed computation platforms is growing fast. Some of these platforms, such as Ethereum, provide support for implementing smart contracts, which are envisioned to have novel applications in a broad range of areas, including finance and Internet-of-Things. However, a significant number of smart contracts deployed in practice suffer from security vulnerabilities, which enable malicious users to steal assets from a contract or to cause damage. Vulnerabilities present a serious issue since contracts may handle financial assets of considerable value, and contract bugs are non-fixable by design. To help developers create more secure smart contracts, we introduce FSolidM, a framework rooted in rigorous semantics for designing con- tracts as Finite State Machines (FSM). We present a tool for creating FSM on an easy-to-use graphical interface and for automatically generating Ethereum contracts. Further, we introduce a set of design patterns, which we implement as plugins that developers can easily add to their contracts to enhance security and functionality.

Under-Optimized Smart Contracts Devour Your Money

Conference Paper

Full-text available

Feb 2017

Smart contracts are full-fledged programs that run on blockchains (e.g., Ethereum, one of the most popular blockchains). In Ethereum, gas (in Ether, a cryptographic currency like Bitcoin) is the execution fee compensating the computing resources of miners for running smart contracts. However, we find that under-optimized smart contracts cost more gas than necessary, and therefore the creators or users will be overcharged. In this work, we conduct the first investigation on Solidity, the recommended compiler, and reveal that it fails to optimize gas-costly programming patterns. In particular, we identify 7 gas-costly patterns and group them to 2 categories. Then, we propose and develop GASPER, a new tool for automatically locating gas-costly patterns by analyzing smart contracts' bytecodes. The preliminary results on discovering 3 representative patterns from 4,240 real smart contracts show that 93.5%, 90.1% and 80% contracts suffer from these 3 patterns, respectively.

sCompile: Critical Path Identification and Analysis for Smart Contracts

Chapter

Oct 2019
Lect Notes Comput Sci

Ethereum smart contracts are an innovation built on top of the blockchain technology, which provides a platform for automatically executing contracts in an anonymous, distributed, and trusted way. The problem is magnified by the fact that smart contracts, unlike ordinary programs, cannot be patched easily once deployed. It is important for smart contracts to be checked against potential vulnerabilities. In this work, we propose an alternative approach to automatically identify critical program paths (with multiple function calls including inter-contract function calls) in a smart contract, rank the paths according to their criticalness, discard them if they are infeasible or otherwise present them with user friendly warnings for user inspection. We identify paths which involve monetary transaction as critical paths, and prioritize those which potentially violate important properties. For scalability, symbolic execution techniques are only applied to top ranked critical paths. Our approach has been implemented in a tool called sCompile, which has been applied to 36,099 smart contracts. The experiment results show that sCompile is efficient, i.e., 5 s on average for one smart contract. Furthermore, we show that many known vulnerabilities can be captured if user inspects as few as 10 program paths generated by sCompile. Lastly, sCompile discovered 224 unknown vulnerabilities with a false positive rate of 15.4% before user inspection. KeywordsBlockchainSymbolic testingSmart contract

A formal verification tool for Ethereum VM bytecode

Conference Paper

Oct 2018

In this paper, we present a formal verification tool for the Ethereum Virtual Machine (EVM) bytecode. To precisely reason about all possible behaviors of the EVM bytecode, we adopted KEVM, a complete formal semantics of the EVM, and instantiated the K-framework's reachability logic theorem prover to generate a correct-by-construction deductive verifier for the EVM. We further optimized the verifier by introducing EVM-specific abstractions and lemmas to improve its scalability. Our EVM verifier has been used to verify various high-profile smart contracts including the ERC20 token, Ethereum Casper, and DappHub MakerDAO contracts.

Securify: Practical Security Analysis of Smart Contracts

Conference Paper

Oct 2018

Permissionless blockchains allow the execution of arbitrary programs (called smart contracts), enabling mutually untrusted entities to interact without relying on trusted third parties. Despite their potential, repeated security concerns have shaken the trust in handling billions of USD by smart contracts. To address this problem, we present Securify, a security analyzer for Ethereum smart contracts that is scalable, fully automated, and able to prove contract behaviors as safe/unsafe with respect to a given property. Securify's analysis consists of two steps. First, it symbolically analyzes the contract's dependency graph to extract precise semantic information from the code. Then, it checks compliance and violation patterns that capture sufficient conditions for proving if a property holds or not. To enable extensibility, all patterns are specified in a designated domain-specific language. Securify is publicly released, it has analyzed >18K contracts submitted by its users, and is regularly used to conduct security audits by experts. We present an extensive evaluation of Securify over real-world Ethereum smart contracts and demonstrate that it can effectively prove the correctness of smart contracts and discover critical violations.

S-gram: towards semantic-aware security auditing for Ethereum smart contracts

Conference Paper

Sep 2018

Smart contracts, as a promising and powerful application on the Ethereum blockchain, have been growing rapidly in the past few years. Since they are highly vulnerable to different forms of attacks, their security becomes a top priority. However, existing security auditing techniques are either limited in fnding vulnerabilities (rely on pre-defned bug paterns) or very expensive (rely on program analysis), thus are insufcient for Ethereum. To mitigate these limitations, we proposed a novel semanticaware security auditing technique called S-gram for Ethereum. The key insight is a combination of N-gram language modeling and lightweight static semantic labeling, which can learn statistical regularities of contract tokens and capture high-level semantics as well (e.g., flow sensitivity of a transaction). S-gram can be used to predict potential vulnerabilities by identifying irregular token sequences and optimize existing in-depth analyzers (e.g., symbolic execution engines, fuzzers etc.). We have implemented S-gram for Solidity smart contracts in Ethereum. The evaluation demonstrated the potential of S-gram in identifying possible security issues.

KEVM: A Complete Formal Semantics of the Ethereum Virtual Machine

Conference Paper

Jul 2018

Towards analyzing the complexity landscape of solidity based ethereum smart contracts

Conference Paper

May 2018

Péter Hegedüs

The blockchain based decentralized cryptocurrency platforms are one of the hottest topics in tech at the moment. Though most of the interest is generated by cryptocurrency related activities, it is becoming apparent that a much wider spectrum of applications can leverage the blockchain technology. The primary concepts enabling such general use of the blockchain are the so-called smart contracts, which are special programs that run on the blockchain. One of the most popular blockchain platforms that supports smart contracts are Ethereum. As smart contracts typically handle money, ensuring their low number of faults and vulnerabilities are essential. To aid smart contract developers and help maturing the technology, we need analysis tools and studies for smart contracts. As an initiative for this, we propose the adoption of some well-known OO metrics for Solidity smart contracts. Furthermore, we analyze more than 10,000 smart contracts with our prototype tool. The results suggest that smart contract programs are short, not overly complex and either quite well-commented or not commented at all. Moreover, smart contracts could benefit from an external library and dependency management mechanism, as more than 80% of the defined libraries in Solidity files code the same functionalities.

SmartCheck: static analysis of ethereum smart contracts

Conference Paper

May 2018

Ethereum is a major blockchain-based platform for smart contracts - Turing complete programs that are executed in a decentralized network and usually manipulate digital units of value. Solidity is the most mature high-level smart contract language. Ethereum is a hostile execution environment, where anonymous attackers exploit bugs for immediate financial gain. Developers have a very limited ability to patch deployed contracts. Hackers steal up to tens of millions of dollars from flawed contracts, a well-known example being "The DAO", broken in June 2016. Advice on secure Ethereum programming practices is spread out across blogs, papers, and tutorials. Many sources are outdated due to a rapid pace of development in this field. Automated vulnerability detection tools, which help detect potentially problematic language constructs, are still underdeveloped in this area. We provide a comprehensive classification of code issues in Solidity and implement SmartCheck - an extensible static analysis tool that detects them¹. SmartCheck translates Solidity source code into an XML-based intermediate representation and checks it against XPath patterns. We evaluated our tool on a big dataset of real-world contracts and compared the results with manual audit on three contracts. Our tool reflects the current state of knowledge on Solidity vulnerabilities and shows significant improvements over alternatives. SmartCheck has its limitations, as detection of some bugs requires more sophisticated techniques such as taint analysis or even manual audit. We believe though that a static analyzer should be an essential part of contract developers' toolbox, letting them fix simple bugs fast and allocate more effort to complex issues.

ReGuard: finding reentrancy bugs in smart contracts

Conference Paper

May 2018

Smart contracts enabled a new way to perform cryptocurrency transactions over blockchains. While this emerging technique introduces free-of-conflicts and transparency, smart contract itself is vulnerable. As a special form of computer program, smart contract can hardly get rid of bugs. Even worse, an exploitable security bug can lead to catastrophic consequences, e.g., loss of cryptocurrency/money. In this demo paper, we focus on the most common type of security bugs in smart contracts, i.e., reentrancy bug, which caused the famous DAO attack with a loss of 60 million US dollars. We presented ReGuard, an fuzzing-based analyzer to automatically detect reentrancy bugs in Ethereum smart contracts. Specifically, ReGuard performs fuzz testing on smart contracts by iteratively generating random but diverse transactions. Based on the runtime traces, ReGuard further dynamically identifies reentrancy vulnerabilities. In the preliminary evaluation, we have analyzed 5 existing Ethereum contracts. ReGuard automatically flagged 7 previously unreported reentrancy bugs. A demo video of ReGuard is at https://youtu.be/XxJ3_-cmUiY.

Security Assurance for Smart Contract

Conference Paper

Feb 2018

Finding The Greedy, Prodigal, and Suicidal Contracts at Scale

Article

Feb 2018

Smart contracts---stateful executable objects hosted on blockchains like Ethereum---carry billions of dollars worth of coins and cannot be updated once deployed. We present a new systematic characterization of a class of trace vulnerabilities, which result from analyzing multiple invocations of a contract over its lifetime. We focus attention on three example properties of such trace vulnerabilities: finding contracts that either lock funds indefinitely, leak them carelessly to arbitrary users, or can be killed by anyone. We implemented MAIAN, the first tool for precisely specifying and reasoning about trace properties, which employs inter-procedural symbolic analysis and concrete validator for exhibiting real exploits. Our analysis of nearly one million contracts flags 34,200 (2,365 distinct) contracts vulnerable, in 10 seconds per contract. On a subset of3,759 contracts which we sampled for concrete validation and manual analysis, we reproduce real exploits at a true positive rate of 89%, yielding exploits for3,686 contracts. Our tool finds exploits for the infamous Parity bug that indirectly locked 200 million dollars worth in Ether, which previous analyses failed to capture.

Removing Secrets from Android's TLS

Conference Paper

Jan 2018

A Survey of Attacks on Ethereum Smart Contracts (SoK)

Conference Paper

Mar 2017
Lect Notes Comput Sci

Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.

Making Smart Contracts Smarter

Conference Paper

Oct 2016

Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network. This article is summarized in: the morning paper an interesting/influential/important paper from the world of CS every weekday morning, as selected by Adrian Colyer

Dappguard: Active monitoring and defense for solidity smart contracts

Jan 2017

T Cook
A Latham
J H Lee

T. Cook, A. Latham, and J. H. Lee, "Dappguard: Active monitoring and defense for solidity smart contracts," MIT, student project, 2017, https://courses.csail.mit.edu/6.857/2017/project/23.pdf.

Erays: Reverse engineering Ethereum's opaque smart contracts

Y Zhou
D Kumar
S Bakshi
J Mason
A Miller
M Bailey

Y. Zhou, D. Kumar, S. Bakshi, J. Mason, A. Miller, and M. Bailey, "Erays: Reverse engineering Ethereum's opaque smart contracts," in 27th USENIX Security Symposium (USENIX Security 18).

Ethir: A framework for high-level analysis of ethereum bytecode

Jan 2018

E Albert
P Gordillo
B Livshits
A Rubio
I Sergey

E. Albert, P. Gordillo, B. Livshits, A. Rubio, and I. Sergey, "Ethir: A framework for high-level analysis of ethereum bytecode," arXiv:1805.07208, 2018.

EtherTrust: Sound static analysis of ethereum bytecode

Jan 2018

I Grishchenko
M Maffei
C Schneidewind

I. Grishchenko, M. Maffei, and C. Schneidewind, "EtherTrust: Sound static analysis of ethereum bytecode," Technische Universität Wien, Tech. Rep., 2018.

Manticore: Symbolic Execution for Humans

Oct 2018

Trail
Bits

Trail of Bits, "Manticore: Symbolic Execution for Humans," Oct 2018, https://github.com/trailofbits/manticore.

Automatic bug finding for the blockchain

Jan 2017

F Manzano
J Feist

F. Manzano and J. Feist, "Automatic bug finding for the blockchain," 2017, https://tinyurl.com/yby396gd.

Smashing smart contracts

mueller

B. Mueller, "Smashing smart contracts," in 9th HITB Security Conference, 2018, https://tinyurl.com/y827tk72.

Porosity: A decompiler for blockchain-based smart contracts bytecode

Jan 2017

M Suiche

M. Suiche, "Porosity: A decompiler for blockchain-based smart contracts bytecode," DEF CON 25, Tech. Rep., 2017, https://tinyurl. com/y9kb47dr.

Securify: public version

Oct 2018

Sri Lab
Zurich

SRI Lab, ETH Zurich, "Securify: public version," Oct 2018, https: //github.com/eth-sri/securify.

SmartCheck: academic version

Oct 2018

Smartdec

SmartDec, "SmartCheck: academic version," Oct 2018, https:// github.com/smartdec/smartcheck.

Vandal: A scalable security analysis framework for smart contracts

Jan 2018

L Brent
A Jurisevic
M Kong
E Liu
F Gauthier
V Gramoli
R Holz
B Scholz

L. Brent, A. Jurisevic, M. Kong, E. Liu, F. Gauthier, V. Gramoli, R. Holz, and B. Scholz, "Vandal: A scalable security analysis framework for smart contracts," arXiv:1809.03981, 2018.

teether: Gnawing at ethereum to automatically exploit smart contracts

1317

krupp

J. Krupp and C. Rossow, "teether: Gnawing at ethereum to automatically exploit smart contracts," in 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, 2018, pp. 1317-1333.

Empirical vulnerability analysis of automated smart contracts security testing on blockchains

Jan 2018
103-113

R M Parizi
A Dehghantanha
K.-K R Choo
A Singh

R. M. Parizi, A. Dehghantanha, K.-K. R. Choo, and A. Singh, "Empirical vulnerability analysis of automated smart contracts security testing on blockchains," pp. 103-113, 2018.

Comparison of static analysis tooling for smart contracts on the evm

fontein

R. Fontein, "Comparison of static analysis tooling for smart contracts on the evm," in 28th Twente Student conference on IT, 2018.

Ethernaut -Solidity security challenges

Openzeppelin

OpenZeppelin, "Ethernaut -Solidity security challenges," https: //github.com/OpenZeppelin/ethernaut, accessed 2018-08-07.

Not So Smart Contracts

Oct 2018

Trail
Bits

Trail of Bits, "Not So Smart Contracts," Oct 2018, https://github. com/trailofbits/not-so-smart-contracts.

Dappguard: Active monitoring and defense for solidity smart contracts

Jan 2017

cook

Erays: Reverse engineering Ethereum's opaque smart contracts

1371

zhou

A Survey of Tools for Analyzing Ethereum Smart Contracts

Abstract

No full-text available

Recommended publications

Chronological Citation Recommendation with Information-Need Shifting

Style Analysis for Source Code Plagiarism Detection

Open Access Repositories, Copyright Laws, and Digital Commons for Graduate Students

Paper 12: Richard Medcalf (2011) Pressures and expectations of an early career researcher. JQRSS Vol...