Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Daojing He,Rui Wu,Xinji Li,Sammy Chan,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2023.3241544

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:With the wide application of IoT and blockchain, research on smart contracts has received increased attention, and security threat detection for smart contracts is one of the main focuses. This paper first introduces the common security vulnerabilities in blockchain smart contracts, and then classifies the vulnerabilities detection tools for smart contracts into six categories according to the different detection methods: formal verification method, symbol execution method, fuzzy testing method, intermediate representation method, stain analysis method and deep learning method. We test 27 detection tools, and analyze them from several perspectives, including the capability of detecting a smart contract version. Finally, it is concluded that most of the current vulnerability detection tools can only detect vulnerabilities in a single and old version of smart contracts. Although the deep learning method detects fewer types of smart contract vulnerabilities, it has higher detection accuracy and efficiency. Therefore, the combination of static detection methods such as deep learning method and dynamic detection methods including the fuzzy testing method to detect more types of vulnerabilities in multi-version smart contracts to achieve higher accuracy is a direction worthy of research in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tengyun Jiao,Zhiyu Xu,Minfeng Qi,Sheng Wen,Yang Xiang,Gary Nan

DOI: https://doi.org/10.1145/3643895

2024-02-12

Abstract:A smart contract is a computerised transaction agreement that carries out predefined terms without human involvement or third-party intermediaries. It serves as a trust intermediary in several industries, including finance, insurance, and supply chain management, in the blockchain 2.0 era. With the increasing interest in smart contracts, security has become a serious problem. Examining typical vulnerability types and vulnerability detection methodologies is of special importance. In this research, a comprehensive evaluation of common smart contract security vulnerabilities is conducted, and a three-tier threat model is then provided to classify the vulnerabilities. In addition, we examine fourteen existing smart contract analysis tools for finding vulnerabilities and classify them according to the main technique they apply. This paper is designed to serve as a reference for people who wish to analyse deployed code and enhance existing detection techniques. At the conclusion, open issues and future research paths regarding smart contract vulnerability detection are presented.

Dongfang Jia,Zhicong Liu,Zhengqi Zhang,Jun Ye

DOI: https://doi.org/10.1007/978-981-16-7469-3_108

2022-01-01

Abstract:In recent years, the second-generation blockchain platforms and applications represented by smart contracts have seen explosive growth, but frequent smart contract vulnerability incidents have seriously threatened the ecological security of blockchain. In view of the low efficiency of code audit based on expert experience, it is important to develop a general automation tool to mine smart contract vulnerabilities. In the beginning, the security threats of smart contracts should be investigated and analyzed, and many smart contract vulnerabilities and attack modes that occur frequently, such as code reentrant, access control, integer overflow, etc., were summarized. Then, the technology method of smart contract vulnerability detection conforming to The Times is obtained, and the current samples of smart contract vulnerability detection are summarized. The current investigation includes too few types of vulnerabilities, with a variety of inaccuracies and deviations. It is only carried out through manual audit. Through these methods, according to the state of including after put forward the general ideas of this kind of situation, and puts forward a kind of symbolic execution auxiliary fuzzy test framework, can reduce the symbolic execution channel congestion and fuzzy test code coverage degree is too little, so as to improve test efficiency, easy to dig holes of large and medium-sized intelligent contracts quality improvement.

Saltanat Mohammed Abdullah Shaikh

DOI: https://doi.org/10.52783/cana.v31.737

2024-06-20

Abstract:Background: Research has been done on the vulnerabilities of Ethereum smart contract detection since the emergence of blockchain technologies. Ethereum is one of the most popular platforms for DApps (decentralized applications) and smart contracts but turns more undoubtedly when their number and popularity grow. Methods: The study evaluates different detection methods including static analysis, dynamic code analysis, symbolic execution, and machine learning. Findings: The performance metrics on key areas, e.g. detection time, true positive rate, false positive rate, and scalability are emphasized in this evaluation analysis. These inferences imply that although Static Analysis can provide fast detection and high accuracy, Machine Learning is better at High scalability. The study also identifies trending flaws often encountered such as re-entrancy attacks and lack of input validation and stresses further the necessity of strong security methods. Besides, you may consider the sensitivity analysis in different network load scenarios as it shows the efficiency of detection technique in changing operational settings. Novelty and applications: Overall, the research brings a reliable development to smart contracts in Ethereum's security industries through analyzing and profiling vulnerability types and performance metrics that inform the development of more stable and efficient security activities for distributed applications.

Daojing He,Zhi Deng,Yuxing Zhang,Sammy Chan,Yao Cheng,Nadra Guizani

DOI: https://doi.org/10.1109/MNET.001.1900656

IF: 10.294

2020-01-01

IEEE Network

Abstract:Ethereum started the blockchain-based smart contract technology that due to its scalability more and more decentralized applications are now based on. On the downside this has led to the exposure of more and more security issues and challenges, which has gained widespread attention in terms of research in the field of Ethereum smart contract vulnerabilities in both academia and industry. This article presents a survey of the Ethereum smart contract's various vulnerabilities and the corresponding defense mechanisms that have been applied to combat them. In particular, we focus on the random number vulnerability in the Fomo3d-like game contracts, as well as that attack and defense methods applied. Finally, we summarize the existing Ethereum smart contract security audit methods and compare several mainstream audit tools from various perspectives.

Aftabuddin,Atul Malhotra,Amandeep Nagpal,Shaikh Aftabuddin

DOI: https://doi.org/10.2139/ssrn.4493497

2024-01-01

SSRN Electronic Journal

Abstract:The Blockchain is a distributed and decentralized ledger that has been in use since its inception and is being used in a variety of industries, including cross-border payment systems, and cryptocurrencies such as Bitcoin and Ethereum. As a result, various tools and frameworks are available to detect these vulnerabilities. This study identifies various cyber-attacks that occurred inthe last two years. Some smart contract-specific vulnerabilities are also investigated, including Call to Unknown, Reentrancy, Immutable bug, Out of Gas, Code Injection, DoS with Failed Call, and Outdated Compiler. Various detection methods are discussed. This allows for the creation of a framework to address these issues and mitigate vulnerabilities such as DoS with Failed call and Outdated compiler, which were not accurately detected by previous symbolic execution-based detection tools. The framework's execution method will be symbolic. It is capable of efficiently identifying and detecting the aforementioned vulnerabilities. Many issues against various vulnerabilities can be solved by detecting and debugging the code itself beforedeployment.

Nikolay Ivanov,Chenning Li,Qiben Yan,Zhiyuan Sun,Zhichao Cao,Xiapu Luo

DOI: https://doi.org/10.1145/3593293

IF: 16.6

2023-04-19

ACM Computing Surveys

Abstract:The blockchain technology, initially created for cryptocurrency, has been re-purposed for recording state transitions of smart contracts — decentralized applications that can be invoked through external transactions. Smart contracts gained popularity and accrued hundreds of billions of dollars in market capitalization in recent years. Unfortunately, like all other computer programs, smart contracts are prone to security vulnerabilities that have incurred multibillion-dollar damages over the past decade. As a result, many automated threat mitigation solutions have been proposed to counter the security issues of smart contracts. These threat mitigation solutions include various tools and methods that are challenging to compare. This survey develops a comprehensive classification taxonomy of smart contract threat mitigation solutions within five orthogonal dimensions: defense modality, core method, targeted contracts, input-output data mapping, and threat model. We classify 133 existing threat mitigation solutions using our taxonomy and confirm that the proposed five dimensions allow us to concisely and accurately describe any smart contract threat mitigation solution. In addition to learning what the threat mitigation solutions do, we also show how these solutions work by synthesizing their actual designs into a set of uniform workflows corresponding to the eight existing defense core methods. We further create an integrated coverage map for the known smart contract vulnerabilities by the existing threat mitigation solutions. Finally, we perform the evidence-based evolutionary analysis, in which we identify trends and future perspectives of threat mitigation in smart contracts and pinpoint major weaknesses of the existing methodologies. For the convenience of smart contract security developers, auditors, users, and researchers, we deploy and maintain a regularly updated comprehensive open-source online registry of threat mitigation solutions, called Security Threat Mitigation (STM) Registry at https://seit.egr.msu.edu/research/stmregistry/.

computer science, theory & methods

Nikolay Ivanov,Chenning Li,Qiben Yan,Zhiyuan Sun,Zhichao Cao,Xiapu Luo

DOI: https://doi.org/10.1145/3593293

2023-01-01

Abstract:The blockchain technology has been used for recording state transitions of smart contracts - decentralized applications that can be invoked through external transactions. Smart contracts gained popularity and accrued hundreds of billions of dollars in market capitalization in recent years. Unfortunately, like all other programs, smart contracts are prone to security vulnerabilities that have incurred multimillion-dollar damages over the past decade. As a result, many automated threat mitigation solutions have been proposed to counter the security issues of smart contracts. These threat mitigation solutions include various tools and methods that are challenging to compare. This survey develops a comprehensive classification taxonomy of smart contract threat mitigation solutions within five orthogonal dimensions: defense modality, core method, targeted contracts, input-output data mapping, and threat model. We classify 133 existing threat mitigation solutions using our taxonomy and confirm that the proposed five dimensions allow us to concisely and accurately describe any smart contract threat mitigation solution. In addition to learning what the threat mitigation solutions do, we also show how these solutions work by synthesizing their actual designs into a set of uniform workflows corresponding to the eight existing defense core methods. We further create an integrated coverage map for the known smart contract vulnerabilities by the existing threat mitigation solutions. Finally, we perform the evidence-based evolutionary analysis, in which we identify trends and future perspectives of threat mitigation in smart contracts and pinpoint major weaknesses of the existing methodologies. For the convenience of smart contract security developers, auditors, users, and researchers, we deploy a regularly updated comprehensive open-source online registry of threat mitigation solutions.

NI Yuandong,ZHANG Chao,YIN Tingting

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2020.05.07

2020-01-01

Journal of Cyber Security

Abstract:Smart contract is a decentralized application that operates on a blockchain platform, providing secure and reliable capabilities to contract participants. Smart contracts play an important role in decentralized application scenarios. They are widely used in many fields, such as equity crowdfunding, games, insurance, and the Internet of Things, making them attractive to attackers. Compared to traditional programs, the security of smart contracts affects not only the fairness of contracts but also the safety of high volume digital assets on the blockchain managed by contracts. Therefore, analyzing the security of smart contracts and associated vulnerabilities is crucial. In this paper, we analyzed the characteristics of smart contracts and new security risks they bring. We propose a three-layer threat model, i.e., threats from high-level languages, virtual machines, and the blockchain, for characterizing smart contract security. We use the world′s largest smart contract platform Ethereum as an example to illustrate 15 types of common vulnerabilities in smart contracts. We then summarize the main challenges and progress of smart contract security research on vulnerability, including automated vulnerability detection, automated exploit generation and mitigations for smart contracts. At the end of this paper, we highlight the future of smart contract security research, and proposed two potential research directions.

Chang Chu

DOI: https://doi.org/10.48550/arXiv.2312.15392

2023-12-24

Cryptography and Security

Abstract:The security of smart contracts, which are an important part of blockchain technology, has attracted much attention. In particular, reentrancy vulnerability, which is hidden and complex, poses a great threat to smart contracts. In order to improve the existing detection methods, which exhibit low efficiency and accuracy, in this paper, we propose a smart contract threat detection technology based on symbolic execution. In this method, first, the recursive descent algorithm is used to recover the basic blocks of contract code and control flow diagram, and static type inference is performed for static single assignment (SSA) variables. Then, the control flow diagram is encoded into constrained horn clause (CHC) constraints in combination with the symbolic execution technology. Model checking is conducted for the generated constraints using an automatic theorem prover based on the abstraction refinement technique for fast static detection of common security threats in smart contracts. Compared with existing detection methods, the method proposed in this paper allows the detection of both the checks-effects-interactions pattern and the vulnerability in relation to reentrant locks. It can simulate the state changes of reentrant locks as well as other global variables in multiple recursive transactions. The experimental results show that this method significantly increases both detection efficiency and accuracy, improving the security of smart contracts.

Zeli Wang,Hai Jin,Weiqi Dai,Kim-Kwang Raymond Choo,Deqing Zou

DOI: https://doi.org/10.1007/s11704-020-9284-9

IF: 2.6688

2020-01-01

Frontiers of Computer Science

Abstract:Blockchain has recently emerged as a research trend, with potential applications in a broad range of industries and context. One particular successful Blockchain technology is smart contract, which is widely used in commercial settings (e.g., high value financial transactions). This, however, has security implications due to the potential to financially benefit from a security incident (e.g., identification and exploitation of a vulnerability in the smart contract or its implementation). Among, Ethereum is the most active and arresting. Hence, in this paper, we systematically review existing research efforts on Ethereum smart contract security, published between 2015 and 2019. Specifically, we focus on how smart contracts can be maliciously exploited and targeted, such as security issues of contract program model, vulnerabilities in the program and safety consideration introduced by program execution environment. We also identify potential research opportunities and future research agenda.

Xiaotao Feng,Qin Wang,Xiaogang Zhu,Sheng Wen

DOI: https://doi.org/10.48550/arXiv.1905.00799

2019-05-02

Abstract:With the frantic development of smart contracts on the Ethereum platform, its market value has also climbed. In 2016, people were shocked by the loss of nearly $50 million in cryptocurrencies from the DAO reentrancy attack. Due to the tremendous amount of money flowing in smart contracts, its security has attracted much attention of researchers. In this paper, we investigated several common smart contract vulnerabilities and analyzed their possible scenarios and how they may be exploited. Furthermore, we survey the smart contract vulnerability detection tools for the Ethereum platform in recent years. We found that these tools have similar prototypes in software vulnerability detection technology. Moreover, for the features of public distribution systems such as Ethereum, we present the new challenges that these software vulnerability detection technologies face.

Software Engineering,Cryptography and Security

Pankaj Chandra,Santosh Soni,Akanksha Gupta,Prayas Kumar,Kunal Raj

DOI: https://doi.org/10.55766/sujst-2023-05-e01234

2023-11-24

Abstract:Blockchain technology now relies heavily on smart contracts, which offer self-executing code for the exchange of goods and data. Smart contracts enable financial activities like payments and auctions on blockchain systems. Even if bugs are found, they cannot be changed. They are frequently used to automate the implementation of agreements so that all parties may be confident in the conclusion without the need for an intermediary. But because of their openness and how they interact with one another in the blockchain ecosystem, these contracts are vulnerable to security risks. Smart contract security research has advanced significantly in recent years. The research community of smart contract security has made a significant improvement recently. Researchers have identified several security flaws in smart contracts and have created frameworks for verification and static analysis to find them. This study attempts to identify the most critical software security issues that affect smart contracts. These are then handled utilizing a variety of methods and equipment common to the sector

Misha Kakkar,Namya Aankur Gupta,D. Mehrotra,M. Bansal,Seema Sharma

DOI: https://doi.org/10.1109/CICTN57981.2023.10140767

2023-04-20

Abstract:Smart contract technology in today’s world is becoming really popular as it is changing the way transactions in industrial and commercial fields work. Smart contracts are scripts that are stored on the blockchain's distributed network and are used to carry out transactions consequently based on specific criteria without the need for third-party consent. Hence, they can help to minimize the costs of administration and services and at the same time, enhance operational efficiencies and lessen the risk. Despite the smart contracts having a lot of potential to unleash a new surge of technology, it is accompanied with a number of challenges that hinder the privacy and security of the user. Some vulnerabilities are reentrancy, timestamp, delegate call and integer underflow. To resolve these issues, the goal is to develop a smart contract vulnerability detection model based on machine learning algorithms.

Computer Science

Satpal Singh Kushwaha,Heung-No Lee,Dilbag Singh,Manjit Kaur,Sandeep Joshi

DOI: https://doi.org/10.1109/ACCESS.2022.3169902

IF: 3.9

IEEE Access

Abstract:Blockchain technology and its applications are gaining popularity day by day. It is a ground-breaking technology that allows users to communicate without the need of a trusted middleman. A smart contract (self-executable code) is deployed on the blockchain and auto executes due to a triggering condition. In a no-trust contracting environment, smart contracts can establish trust among parties. Terms and conditions embedded in smart contracts will be imposed immediately when specified criteria have been fulfilled. Due to this, the malicious assailants have a special interest in smart contracts. Blockchains are immutable means if some transaction is deployed or recorded on the blockchain, it becomes unalterable. Thus, smart contracts must be analyzed to ensure zero security vulnerabilities or flaws before deploying the same on the blockchain because a single vulnerability can lead to the loss of millions. For analyzing the security vulnerabilities of smart contracts, various analysis tools have been developed to create safe and secure smart contracts. This paper presents a systematic review on Ethereum smart contracts analysis tools. Initially, these tools are categorized into static and dynamic analysis tools. Thereafter, different sources code analysis techniques are studied such as taint analysis, symbolic execution, and fuzzing techniques. In total, 86 security analysis tools developed for Ethereum blockchain smart contract are analyzed regardless of tool type and analysis approach. Finally, the paper highlights some challenges and future recommendations in the field of Ethereum smart contracts.

Computer Science

Reza M. Parizi,Ali Dehghantanha,Kim-Kwang Raymond Choo,Amritraj Singh

DOI: https://doi.org/10.5555/3291291.3291303

2018-09-08

Abstract:The emerging blockchain technology supports decentralized computing paradigm shift and is a rapidly approaching phenomenon. While blockchain is thought primarily as the basis of Bitcoin, its application has grown far beyond cryptocurrencies due to the introduction of smart contracts. Smart contracts are self-enforcing pieces of software, which reside and run over a hosting blockchain. Using blockchain-based smart contracts for secure and transparent management to govern interactions (authentication, connection, and transaction) in Internet-enabled environments, mostly IoT, is a niche area of research and practice. However, writing trustworthy and safe smart contracts can be tremendously challenging because of the complicated semantics of underlying domain-specific languages and its testability. There have been high-profile incidents that indicate blockchain smart contracts could contain various code-security vulnerabilities, instigating financial harms. When it involves security of smart contracts, developers embracing the ability to write the contracts should be capable of testing their code, for diagnosing security vulnerabilities, before deploying them to the immutable environments on blockchains. However, there are only a handful of security testing tools for smart contracts. This implies that the existing research on automatic smart contracts security testing is not adequate and remains in a very stage of infancy. With a specific goal to more readily realize the application of blockchain smart contracts in security and privacy, we should first understand their vulnerabilities before widespread implementation. Accordingly, the goal of this paper is to carry out a far-reaching experimental assessment of current static smart contracts security testing tools, for the most widely used blockchain, the Ethereum and its domain-specific programming language, Solidity to provide the first...

Cryptography and Security

Guangfu Wu,Haiping Wang,Xin Lai,Mengmeng Wang,Daojing He,Sammy Chan

DOI: https://doi.org/10.1016/j.jnca.2024.103882

IF: 7.574

2024-01-01

Journal of Network and Computer Applications

Abstract:Future protocols in the digital society will be built on the foundation of smart contracts, which are code and algorithmic contracts. Smart contracts enable all phases of the contracting process without the need for outside parties by using protocols and user interfaces. But as blockchain technology has quickly advanced, many security flaws in smart contracts have also come to light. This article offers a thorough examination and organized summary of the pertinent material of smart contract security analysis. These sections make up the bulk of our survey’s contributions. First, a brief history of Ethereum is provided, followed by a proposal of the security difficulties now faced by blockchain smart contracts, with a focus on the analysis and classification of various security flaws. Second, based on a thorough examination of these studies, we present a summary of various smart contract security options, including case studies and detailed descriptions of the state-of-the-art in terms of automatic auditing, subject matter experts, scalable smart contracts, smart contract templates, decompilers, semantic frameworks, and anomaly detection. Finally, we go over each sort of solution’s advantages and disadvantages and outline potential future research trajectories.

Junzhou Xu,Fan Dang,Xuan Ding,Min Zhou

DOI: https://doi.org/10.1109/iciscae51034.2020.9236931

2020-01-01

Abstract:As the core of present blockchain applications, smart contracts are designed to help multiple parties reach an agreement. Along with the promotion of smart contract applications, a large number of economic losses caused by attacks on smart contract vulnerabilities have emerged. Since most smart contracts only disclose bytecode, in recent years, there have been numerous researches on the vulnerability detection of smart contract bytecode, mainly for Ethereum smart contracts, achieving considerable results. My survey summarizes the methods and supported vulnerability types of these tools, aimed at Ethereum or EOSIO, over the years. The problems reflected in it shed light on the future work of smart contract bytecode vulnerability detection.

Jinggang Li,Gehao Lu,Yulian Gao,Feng Gao

DOI: https://doi.org/10.3390/math11234823

IF: 2.4

2023-11-30

Mathematics

Abstract:With the proliferation of blockchain technology in decentralized applications like decentralized finance and supply chain and identity management, smart contracts operating on a blockchain frequently encounter security issues such as reentrancy vulnerabilities, timestamp dependency vulnerabilities, tx.origin vulnerabilities, and integer overflow vulnerabilities. These security concerns pose a significant risk of causing substantial losses to user accounts. Consequently, the detection of vulnerabilities in smart contracts has become a prominent area of research. Existing research exhibits limitations, including low detection accuracy in traditional smart contract vulnerability detection approaches and the tendency of deep learning-based solutions to focus on a single type of vulnerability. To address these constraints, this paper introduces a smart contract vulnerability detection method founded on multimodal feature fusion. This method adopts a multimodal perspective to extract three modal features from the lifecycle of smart contracts, leveraging both static and dynamic features comprehensively. Through deep learning models like Graph Convolutional Networks (GCNs) and bidirectional Long Short-Term Memory networks (bi-LSTMs), effective detection of vulnerabilities in smart contracts is achieved. Experimental results demonstrate that the proposed method attains detection accuracies of 85.73% for reentrancy vulnerabilities, 85.41% for timestamp dependency vulnerabilities, 83.58% for tx.origin vulnerabilities, and 90.96% for integer Overflow vulnerabilities. Furthermore, ablation experiments confirm the efficacy of the newly introduced modal features, highlighting the significance of fusing dynamic and static features in enhancing detection accuracy.

mathematics