Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Zhiyuan Wan,Xin Xia,David Lo,Jiachi Chen,Xiapu Luo,Xiaohu Yang

DOI: https://doi.org/10.1109/icse-companion52605.2021.00104

2021-01-01

Abstract:Smart contracts have been plagued by security incidents, which resulted in substantial financial losses. Given numerous research efforts in addressing the security issues of smart contracts, we wondered how software practitioners build security into smart contracts in practice. We performed a mixture of qualitative and quantitative studies with 13 interviewees and 156 survey respondents from 35 countries across six continents to understand practitioners' perceptions and practices on smart contract security. Our study uncovers practitioners' motivations and deterrents of smart contract security, as well as how security efforts and strategies fit into the development lifecycle. We also find that blockchain platforms have astatistically significant impact on practitioners' security perceptions and practices of smart contract development. Based on our findings, we highlight future research directions and provide recommendations for practitioners.

Tengyun Jiao,Zhiyu Xu,Minfeng Qi,Sheng Wen,Yang Xiang,Gary Nan

DOI: https://doi.org/10.1145/3643895

2024-02-12

Abstract:A smart contract is a computerised transaction agreement that carries out predefined terms without human involvement or third-party intermediaries. It serves as a trust intermediary in several industries, including finance, insurance, and supply chain management, in the blockchain 2.0 era. With the increasing interest in smart contracts, security has become a serious problem. Examining typical vulnerability types and vulnerability detection methodologies is of special importance. In this research, a comprehensive evaluation of common smart contract security vulnerabilities is conducted, and a three-tier threat model is then provided to classify the vulnerabilities. In addition, we examine fourteen existing smart contract analysis tools for finding vulnerabilities and classify them according to the main technique they apply. This paper is designed to serve as a reference for people who wish to analyse deployed code and enhance existing detection techniques. At the conclusion, open issues and future research paths regarding smart contract vulnerability detection are presented.

Yongfeng Huang,Yiyang Bian,Renpu Li,J. Leon Zhao,Peizhong Shi

DOI: https://doi.org/10.1109/access.2019.2946988

IF: 3.9

2019-01-01

IEEE Access

Abstract:Smart contract security is an emerging research area that deals with security issues arising from the execution of smart contracts in a blockchain system. Generally, a smart contract is a piece of executable code that automatically runs on the blockchain to enforce an agreement preset between parties involved in the transaction. As an innovative technology, smart contracts have been applied in various business areas, such as digital asset exchange, supply chains, crowdfunding, and intellectual property. Unfortunately, many security issues in smart contracts have been reported in the media, often leading to substantial financial losses. These security issues pose new challenges to security research because the execution environment of smart contracts is based on blockchain computing and its decentralized nature of execution. Thus far, many partial solutions have been proposed to address specific aspects of these security issues, and the trend is to develop new methods and tools to automatically detect common security vulnerabilities. However, smart contract security is systematic engineering that should be explored from a global perspective, and a comprehensive study of issues in smart contract security is urgently needed. To this end, we conduct a literature review of smart contract security from a software lifecycle perspective. We first analyze the key features of blockchain that can cause security issues in smart contracts and then summarize the common security vulnerabilities of smart contracts. To address these vulnerabilities, we examine recent advances in smart contract security spanning four development phases: 1) security design; 2) security implementation; 3) testing before deployment; and 4) monitoring and analysis. Finally, we outline emerging challenges and opportunities in smart contract security for blockchain engineers and researchers.

Hanting Chu,Pengcheng Zhang,Hai Dong,Yan Xiao,Shunhui Ji,Wenrui Li

DOI: https://doi.org/10.1016/j.infsof.2023.107221

IF: 3.9

2023-07-01

Information and Software Technology

Abstract:Smart contracts contain many built-in security features, such as non-immutability once being deployed and non-involvement of third parties for contract execution. These features reduce security risks and enhance users’ trust towards smart contracts. However, smart contract security issues still persist, resulting in huge financial losses. Contract publishers cannot fully cover contract vulnerabilities through contract version updating. These security issues affect further development of blockchain technologies. So far, there are many related studies focusing on smart contract security issues and tend to discuss from a particular perspective (e.g., development cycle, vulnerability attack methods, security detection tools, etc.). However, smart contract security is a complicated issue that needs to be explored from a multi-dimensional perspective. In this paper, we explore smart contract security from the perspectives of vulnerability data sources, vulnerability detection, and vulnerability defense. We first analyze the existing security issues and challenges of smart contracts, investigate the existing vulnerability classification frameworks and common security vulnerabilities, followed by reviewing the existing contract vulnerability injection, detection, and repair methods. We then analyze the performance of existing security methods. Next, we summarize the current status of smart contract security-related research. Finally, we summarize the state of the art and future trends of smart contract security-related research. This paper aims to provide systematic knowledge and references to this research field.

computer science, information systems, software engineering

NI Yuandong,ZHANG Chao,YIN Tingting

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2020.05.07

2020-01-01

Journal of Cyber Security

Abstract:Smart contract is a decentralized application that operates on a blockchain platform, providing secure and reliable capabilities to contract participants. Smart contracts play an important role in decentralized application scenarios. They are widely used in many fields, such as equity crowdfunding, games, insurance, and the Internet of Things, making them attractive to attackers. Compared to traditional programs, the security of smart contracts affects not only the fairness of contracts but also the safety of high volume digital assets on the blockchain managed by contracts. Therefore, analyzing the security of smart contracts and associated vulnerabilities is crucial. In this paper, we analyzed the characteristics of smart contracts and new security risks they bring. We propose a three-layer threat model, i.e., threats from high-level languages, virtual machines, and the blockchain, for characterizing smart contract security. We use the world′s largest smart contract platform Ethereum as an example to illustrate 15 types of common vulnerabilities in smart contracts. We then summarize the main challenges and progress of smart contract security research on vulnerability, including automated vulnerability detection, automated exploit generation and mitigations for smart contracts. At the end of this paper, we highlight the future of smart contract security research, and proposed two potential research directions.

Zhiyuan Wei,Jing Sun,Zijian Zhang,Xianhao Zhang,Xiaoxuan Yang,Liehuang Zhu

DOI: https://doi.org/10.1145/3695864

IF: 16.6

2024-10-12

ACM Computing Surveys

Abstract:As blockchain technology continues to advance, the secure deployment of smart contracts has become increasingly prevalent, underscoring the critical need for robust security measures. This surge in usage has led to a rise in security breaches, often resulting in substantial financial losses for users. This article presents a comprehensive survey of smart contract quality assurance, from understanding vulnerabilities to evaluating the effectiveness of detection tools. Our work is notable for its innovative classification of 40 smart contract vulnerabilities, mapping them to established attack patterns. We further examine nine defense mechanisms, assessing their efficacy in mitigating smart contract attacks. Furthermore, we develop a labeled dataset as a benchmark encompassing 10 common vulnerability types, which serves as a critical resource for future research. We also conduct comprehensive experiments to evaluate 14 vulnerability detection tools, providing a comparative analysis that highlights their strengths and limitations. In summary, this survey synthesizes state-of-the-art knowledge in smart contract security, offering practical recommendations to guide future research and foster the development of robust security practices in the field.

computer science, theory & methods

Nikolay Ivanov,Chenning Li,Qiben Yan,Zhiyuan Sun,Zhichao Cao,Xiapu Luo

DOI: https://doi.org/10.1145/3593293

2023-01-01

Abstract:The blockchain technology has been used for recording state transitions of smart contracts - decentralized applications that can be invoked through external transactions. Smart contracts gained popularity and accrued hundreds of billions of dollars in market capitalization in recent years. Unfortunately, like all other programs, smart contracts are prone to security vulnerabilities that have incurred multimillion-dollar damages over the past decade. As a result, many automated threat mitigation solutions have been proposed to counter the security issues of smart contracts. These threat mitigation solutions include various tools and methods that are challenging to compare. This survey develops a comprehensive classification taxonomy of smart contract threat mitigation solutions within five orthogonal dimensions: defense modality, core method, targeted contracts, input-output data mapping, and threat model. We classify 133 existing threat mitigation solutions using our taxonomy and confirm that the proposed five dimensions allow us to concisely and accurately describe any smart contract threat mitigation solution. In addition to learning what the threat mitigation solutions do, we also show how these solutions work by synthesizing their actual designs into a set of uniform workflows corresponding to the eight existing defense core methods. We further create an integrated coverage map for the known smart contract vulnerabilities by the existing threat mitigation solutions. Finally, we perform the evidence-based evolutionary analysis, in which we identify trends and future perspectives of threat mitigation in smart contracts and pinpoint major weaknesses of the existing methodologies. For the convenience of smart contract security developers, auditors, users, and researchers, we deploy a regularly updated comprehensive open-source online registry of threat mitigation solutions.

Bin Hu,Zongyang Zhang,Jianwei Liu,Yizhong Liu,Jiayuan Yin,Rongxing Lu,Xiaodong Lin

DOI: https://doi.org/10.1016/j.patter.2020.100179

2021-02-01

Patterns

Abstract:<h2 class="section-title u-h3 u-margin-l-top u-margin-xs-bottom">Summary</h2><p>Smart contracts are regarded as one of the most promising and appealing notions in blockchain technology. Their self-enforcing and event-driven features make some online activities possible without a trusted third party. Nevertheless, problems such as miscellaneous attacks, privacy leakage, and low processing rates prevent them from being widely applied. Various schemes and tools have been proposed to facilitate the construction and execution of secure smart contracts. However, a comprehensive survey for these proposals is absent, hindering new researchers and developers from a quick start. This paper surveys the literature and online resources on smart contract construction and execution over the period 2008–2020. We divide the studies into three categories: (1) design paradigms that give examples and patterns on contract construction, (2) design tools that facilitate the development of secure smart contracts, and (3) extensions and alternatives that improve the privacy or efficiency of the system. We start by grouping the relevant construction schemes into the first two categories. We then review the execution mechanisms in the last category and further divide the state-of-the-art solutions into three classes: private contracts with extra tools, off-chain channels, and extensions on core functionalities. Finally, we summarize several challenges and identify future research directions toward developing secure, privacy-preserving, and efficient smart contracts.</p>

Fan Jiang,Kailin Chao,Jianmao Xiao,Qinghua Liu,Keyang Gu,Junyi Wu,Yuanlong Cao

DOI: https://doi.org/10.3390/electronics12092046

IF: 2.9

2023-04-29

Electronics

Abstract:As blockchain technology continues to advance, smart contracts, a core component, have increasingly garnered widespread attention. Nevertheless, security concerns associated with smart contracts have become more prominent. Although machine-learning techniques have demonstrated potential in the field of smart-contract security detection, there is still a lack of comprehensive review studies. To address this research gap, this paper innovatively presents a comprehensive investigation of smart-contract vulnerability detection based on machine learning. First, we elucidate common types of smart-contract vulnerabilities and the background of formalized vulnerability detection tools. Subsequently, we conduct an in-depth study and analysis of machine-learning techniques. Next, we collect, screen, and comparatively analyze existing machine-learning-based smart-contract vulnerability detection tools. Finally, we summarize the findings and offer feasible insights into this domain.

engineering, electrical & electronic,computer science, information systems,physics, applied

Nikolay Ivanov,Chenning Li,Qiben Yan,Zhiyuan Sun,Zhichao Cao,Xiapu Luo

DOI: https://doi.org/10.1145/3593293

IF: 16.6

2023-04-19

ACM Computing Surveys

Abstract:The blockchain technology, initially created for cryptocurrency, has been re-purposed for recording state transitions of smart contracts — decentralized applications that can be invoked through external transactions. Smart contracts gained popularity and accrued hundreds of billions of dollars in market capitalization in recent years. Unfortunately, like all other computer programs, smart contracts are prone to security vulnerabilities that have incurred multibillion-dollar damages over the past decade. As a result, many automated threat mitigation solutions have been proposed to counter the security issues of smart contracts. These threat mitigation solutions include various tools and methods that are challenging to compare. This survey develops a comprehensive classification taxonomy of smart contract threat mitigation solutions within five orthogonal dimensions: defense modality, core method, targeted contracts, input-output data mapping, and threat model. We classify 133 existing threat mitigation solutions using our taxonomy and confirm that the proposed five dimensions allow us to concisely and accurately describe any smart contract threat mitigation solution. In addition to learning what the threat mitigation solutions do, we also show how these solutions work by synthesizing their actual designs into a set of uniform workflows corresponding to the eight existing defense core methods. We further create an integrated coverage map for the known smart contract vulnerabilities by the existing threat mitigation solutions. Finally, we perform the evidence-based evolutionary analysis, in which we identify trends and future perspectives of threat mitigation in smart contracts and pinpoint major weaknesses of the existing methodologies. For the convenience of smart contract security developers, auditors, users, and researchers, we deploy and maintain a regularly updated comprehensive open-source online registry of threat mitigation solutions, called Security Threat Mitigation (STM) Registry at https://seit.egr.msu.edu/research/stmregistry/.

computer science, theory & methods

Zhiyuan Wei,Jing Sun,Zijian Zhang,Xianhao Zhang,Meng Li,Liehuang Zhu

2023-11-02

Abstract:Blockchain smart contracts have emerged as a transformative force in the digital realm, spawning a diverse range of compelling applications. Since solidity smart contracts across various domains manage trillions of dollars in virtual coins, they become a prime target for attacks. One of the primary challenges is keeping abreast of the latest techniques and tools for developing secure smart contracts and examining those already deployed. In this paper, we seek to address these challenges from four aspects: (1) We begin by examining ten automatic tools, specifically focusing on their methodologies and their ability to identify vulnerabilities in solidity smart contracts. (2) We propose a novel criterion for evaluating these tools, based on the ISO/IEC 25010 standard. (3) To facilitate the evaluation of the selected tools, we construct a benchmark that encompasses two distinct datasets: a collection of 389 labelled smart contracts and a scaled set of 20,000 unique cases from real-world contracts. (4) We provide a comparison of the selected tools, offering insights into their strengths and weaknesses and highlighting areas where further improvements are needed. Through this evaluation, we hope to provide developers and researchers with valuable guidance on selecting and using smart contract analysis tools and contribute to the ongoing efforts to improve the security and reliability of smart contracts.

Distributed, Parallel, and Cluster Computing

Zhiyuan Wan,Xin Xia,David Lo,Jiachi Chen,Xiapu Luo,Xiaohu Yang

DOI: https://doi.org/10.48550/arXiv.2102.10963

2021-03-27

Abstract:Smart contracts have been plagued by security incidents, which resulted in substantial financial losses. Given numerous research efforts in addressing the security issues of smart contracts, we wondered how software practitioners build security into smart contracts in practice. We performed a mixture of qualitative and quantitative studies with 13 interviewees and 156 survey respondents from 35 countries across six continents to understand practitioners' perceptions and practices on smart contract security. Our study uncovers practitioners' motivations and deterrents of smart contract security, as well as how security efforts and strategies fit into the development lifecycle. We also find that blockchain platforms have a statistically significant impact on practitioners' security perceptions and practices of smart contract development. Based on our findings, we highlight future research directions and provide recommendations for practitioners.

Software Engineering

Sundas Munir,Walid Taha

DOI: https://doi.org/10.48550/arXiv.2301.06079

2023-06-30

Abstract:Smart contracts are programs that execute transactions involving independent parties and cryptocurrencies. As programs, smart contracts are susceptible to a wide range of errors and vulnerabilities. Such vulnerabilities can result in significant losses. Furthermore, by design, smart contract transactions are irreversible. This creates a need for methods to ensure the correctness and security of contracts pre-deployment. Recently there has been substantial research into such methods. The sheer volume of this research makes articulating state-of-the-art a substantial undertaking. To address this challenge, we present a systematic review of the literature. A key feature of our presentation is to factor out the relationship between vulnerabilities and methods through properties. Specifically, we enumerate and classify smart contract vulnerabilities and methods by the properties they address. The methods considered include static analysis as well as dynamic analysis methods and machine learning algorithms that analyze smart contracts before deployment. Several patterns about the strengths of different methods emerge through this classification process.

Cryptography and Security,Software Engineering

Dongfang Jia,Zhicong Liu,Zhengqi Zhang,Jun Ye

DOI: https://doi.org/10.1007/978-981-16-7469-3_108

2022-01-01

Abstract:In recent years, the second-generation blockchain platforms and applications represented by smart contracts have seen explosive growth, but frequent smart contract vulnerability incidents have seriously threatened the ecological security of blockchain. In view of the low efficiency of code audit based on expert experience, it is important to develop a general automation tool to mine smart contract vulnerabilities. In the beginning, the security threats of smart contracts should be investigated and analyzed, and many smart contract vulnerabilities and attack modes that occur frequently, such as code reentrant, access control, integer overflow, etc., were summarized. Then, the technology method of smart contract vulnerability detection conforming to The Times is obtained, and the current samples of smart contract vulnerability detection are summarized. The current investigation includes too few types of vulnerabilities, with a variety of inaccuracies and deviations. It is only carried out through manual audit. Through these methods, according to the state of including after put forward the general ideas of this kind of situation, and puts forward a kind of symbolic execution auxiliary fuzzy test framework, can reduce the symbolic execution channel congestion and fuzzy test code coverage degree is too little, so as to improve test efficiency, easy to dig holes of large and medium-sized intelligent contracts quality improvement.

S. Vani,M. Doshi,A. Nanavati,A. Kundu

DOI: https://doi.org/10.48550/arXiv.2212.07387

2022-12-15

Abstract:Blockchain platforms and smart contracts are vulnerable to security breaches. Security breaches of smart contracts have led to huge financial losses in terms of cryptocurrencies and tokens. In this paper, we present a systematic survey of vulnerability analysis of smart contracts. We begin by providing a brief about the major types of attacks and vulnerabilities that are present in smart contracts. Then we discuss existing frameworks, methods and technologies used for vulnerability detection. We summarise our findings in a table which lists each framework and the attacks it protects against.

Cryptography and Security

S. Porkodi,D. Kesavaraja

DOI: https://doi.org/10.1007/s11276-023-03587-z

IF: 2.701

2023-11-29

Wireless Networks

Abstract:Smart contracts become significant as blockchain technology is blooming around the technological globe. In this juncture, smart contract is an automatic programming framework executed based upon pre-conditions in blockchain even among untrusted parties by eliminating third party. The usage of blockchain in various fields keeps on increasing enormously from crypto-currency to 6G wireless communication. While developing smart contracts for novel purposes, vulnerability and various challenges are discovered. Smart contracts are still in the emerging development stage with few bugs and errors, which are often exploited by hackers leading to huge losses. There are loopholes and misinterpretations in the development of smart contracts, thus it is necessary to design smart contracts. The anonymity and self-execution of the smart contract are taken as an advantage for illegal business. Hence, various modern tools are developed to identify the vulnerabilities in the smart contract but still, there is a research gap in this area. In this paper, various smart contracts and their challenges are studied to analyze the current state and a survey is carried out mainly focusing on its security aspects. Hence, providing a way to develop highly secure smart contracts and providing directions for contributing to future research.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tanusree Sharma,Zhixuan Zhou,Andrew Miller,Yang Wang

DOI: https://doi.org/10.48550/arXiv.2204.11193

2022-04-24

Cryptography and Security

Abstract:Smart contracts are self-executing programs that run on blockchains (e.g., Ethereum). 680 million US dollars worth of digital assets controlled by smart contracts have been hacked or stolen due to various security vulnerabilities in 2021. Although security is a fundamental concern for smart contracts, it is unclear how smart contract developers approach security. To help fill this research gap, we conducted an exploratory qualitative study consisting of a semi-structured interview and a code review task with 29 smart contract developers with diverse backgrounds, including 10 early stage (less than one year of experience) and 19 experienced (2-5 years of experience) smart contract developers. Our findings show a wide range of smart contract security perceptions and practices including various tools and resources they used. Our early-stage developer participants had a much lower success rate (15%) of identifying security vulnerabilities in the code review task than their experienced counterparts (55%). Our hierarchical task analysis of their code reviews implies that just by accessing standard documentation, reference implementations and security tools is not sufficient. Many developers checked those materials or used a security tool but still failed to identify the security issues. In addition, several participants pointed out shortcomings of current smart contract security tooling such as its usability. We discuss how future education and tools could better support developers in ensuring smart contract security.

M. Goyal,Nitin Kumar Tyagi

DOI: https://doi.org/10.1145/3607947.3608069

2023-08-03

Abstract:Smart contracts are simply computer programs. These programs are deployed on distributed nodes over the blockchain network. These are executed without the need for third-party authentication. Usually, smart contracts are used for transferring assets so it requires the error-free execution of smart contract code. But, due to computer code pitfalls, it may be the possibility of errors or exceptions that may vulnerable to the security of smart contracts. Thus, this paper surveys the smart contract security issues and smart contract code vulnerabilities that have been investigated and security analysis tools are presented. A series of vulnerable codes is presented that may have the risk of stealing assets and information. The solution to these vulnerabilities has also been discussed. A comparison with existing work has also been presented.

Engineering,Computer Science