Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Misha Kakkar,Namya Aankur Gupta,D. Mehrotra,M. Bansal,Seema Sharma

DOI: https://doi.org/10.1109/CICTN57981.2023.10140767

2023-04-20

Abstract:Smart contract technology in today’s world is becoming really popular as it is changing the way transactions in industrial and commercial fields work. Smart contracts are scripts that are stored on the blockchain's distributed network and are used to carry out transactions consequently based on specific criteria without the need for third-party consent. Hence, they can help to minimize the costs of administration and services and at the same time, enhance operational efficiencies and lessen the risk. Despite the smart contracts having a lot of potential to unleash a new surge of technology, it is accompanied with a number of challenges that hinder the privacy and security of the user. Some vulnerabilities are reentrancy, timestamp, delegate call and integer underflow. To resolve these issues, the goal is to develop a smart contract vulnerability detection model based on machine learning algorithms.

Computer Science

Daojing He,Rui Wu,Xinji Li,Sammy Chan,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2023.3241544

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:With the wide application of IoT and blockchain, research on smart contracts has received increased attention, and security threat detection for smart contracts is one of the main focuses. This paper first introduces the common security vulnerabilities in blockchain smart contracts, and then classifies the vulnerabilities detection tools for smart contracts into six categories according to the different detection methods: formal verification method, symbol execution method, fuzzy testing method, intermediate representation method, stain analysis method and deep learning method. We test 27 detection tools, and analyze them from several perspectives, including the capability of detecting a smart contract version. Finally, it is concluded that most of the current vulnerability detection tools can only detect vulnerabilities in a single and old version of smart contracts. Although the deep learning method detects fewer types of smart contract vulnerabilities, it has higher detection accuracy and efficiency. Therefore, the combination of static detection methods such as deep learning method and dynamic detection methods including the fuzzy testing method to detect more types of vulnerabilities in multi-version smart contracts to achieve higher accuracy is a direction worthy of research in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Dongfang Jia,Zhicong Liu,Zhengqi Zhang,Jun Ye

DOI: https://doi.org/10.1007/978-981-16-7469-3_108

2022-01-01

Abstract:In recent years, the second-generation blockchain platforms and applications represented by smart contracts have seen explosive growth, but frequent smart contract vulnerability incidents have seriously threatened the ecological security of blockchain. In view of the low efficiency of code audit based on expert experience, it is important to develop a general automation tool to mine smart contract vulnerabilities. In the beginning, the security threats of smart contracts should be investigated and analyzed, and many smart contract vulnerabilities and attack modes that occur frequently, such as code reentrant, access control, integer overflow, etc., were summarized. Then, the technology method of smart contract vulnerability detection conforming to The Times is obtained, and the current samples of smart contract vulnerability detection are summarized. The current investigation includes too few types of vulnerabilities, with a variety of inaccuracies and deviations. It is only carried out through manual audit. Through these methods, according to the state of including after put forward the general ideas of this kind of situation, and puts forward a kind of symbolic execution auxiliary fuzzy test framework, can reduce the symbolic execution channel congestion and fuzzy test code coverage degree is too little, so as to improve test efficiency, easy to dig holes of large and medium-sized intelligent contracts quality improvement.

S. Vani,M. Doshi,A. Nanavati,A. Kundu

DOI: https://doi.org/10.48550/arXiv.2212.07387

2022-12-15

Abstract:Blockchain platforms and smart contracts are vulnerable to security breaches. Security breaches of smart contracts have led to huge financial losses in terms of cryptocurrencies and tokens. In this paper, we present a systematic survey of vulnerability analysis of smart contracts. We begin by providing a brief about the major types of attacks and vulnerabilities that are present in smart contracts. Then we discuss existing frameworks, methods and technologies used for vulnerability detection. We summarise our findings in a table which lists each framework and the attacks it protects against.

Cryptography and Security

Rexford Nii Ayitey Sosu,Jinfu Chen,Edward Kwadwo Boahen,Zikang Zhang

DOI: https://doi.org/10.1049/2023/6631967

2023-12-29

IET Software

Abstract:Smart contracts have gained immense popularity in recent years as self-executing programs that operate on a blockchain. However, they are not immune to security flaws, which can result in significant financial losses. These flaws can be detected using dynamic analysis methods that extract various aspects from smart contract bytecode. Methods currently used for identifying vulnerabilities in smart contracts mostly rely on static analysis methods that search for predefined vulnerability patterns. However, these patterns often fail to capture complex vulnerabilities, leading to a high rate of false negatives. To overcome this limitation, researchers have explored machine learning-based methods. However, the accurate interpretation of complex logic and structural information in smart contract code remains a challenge. In this study, we present a technique that combines real-time runtime batch normalization and data augmentation for data preprocessing, along with n-grams and one-hot encoding for feature extraction of opcode sequence information from the bytecode. We then combined bidirectional long short-term memory (BiLSTM), convolutional neural network, and the attention mechanism for vulnerability detection and classification. Additionally, our model includes a gated recurrent units memory module that enhances efficiency using historical execution data from the contract. Our results demonstrate that our proposed model effectively identifies smart contract vulnerabilities.

computer science, software engineering

M. Goyal,Nitin Kumar Tyagi

DOI: https://doi.org/10.1145/3607947.3608069

2023-08-03

Abstract:Smart contracts are simply computer programs. These programs are deployed on distributed nodes over the blockchain network. These are executed without the need for third-party authentication. Usually, smart contracts are used for transferring assets so it requires the error-free execution of smart contract code. But, due to computer code pitfalls, it may be the possibility of errors or exceptions that may vulnerable to the security of smart contracts. Thus, this paper surveys the smart contract security issues and smart contract code vulnerabilities that have been investigated and security analysis tools are presented. A series of vulnerable codes is presented that may have the risk of stealing assets and information. The solution to these vulnerabilities has also been discussed. A comparison with existing work has also been presented.

Engineering,Computer Science

Satpal Singh Kushwaha,Sandeep Joshi,Dilbag Singh,Manjit Kaur,Heung-No Lee

DOI: https://doi.org/10.1109/access.2021.3140091

IF: 3.9

2022-01-01

IEEE Access

Abstract:Blockchain is a revolutionary technology that enables users to communicate in a trust-less manner. It revolutionizes the modes of business between organizations without the need for a trusted third party. It is a distributed ledger technology based on a decentralized peer-to-peer (P2P) network. It enables users to store data globally on thousands of computers in an immutable format and empowers users to deploy small pieces of programs known as smart contracts. The blockchain-based smart contract enables auto enforcement of the agreed terms between two untrusted parties. There are several security vulnerabilities in Ethereum blockchain-based smart contracts, due to which sometimes it does not behave as intended. Because a smart contract can hold millions of dollars as cryptocurrency, so these security vulnerabilities can lead to disastrous losses. In this paper, a systematic review of the security vulnerabilities in the Ethereum blockchain is presented. The main objective is to discuss Ethereum smart contract security vulnerabilities, detection tools, real life attacks and preventive mechanisms. Comparisons are drawn among the Ethereum smart contract analysis tools by considering various features. From the extensive depth review, various issues associated with the Ethereum blockchain-based smart contract are highlighted. Finally, various future directions are also discussed in the field of the Ethereum blockchain-based smart contract that can help the researchers to set the directions for future research in this domain.

computer science, information systems,telecommunications,engineering, electrical & electronic

Reza M. Parizi,Ali Dehghantanha,Kim-Kwang Raymond Choo,Amritraj Singh

DOI: https://doi.org/10.5555/3291291.3291303

2018-09-08

Abstract:The emerging blockchain technology supports decentralized computing paradigm shift and is a rapidly approaching phenomenon. While blockchain is thought primarily as the basis of Bitcoin, its application has grown far beyond cryptocurrencies due to the introduction of smart contracts. Smart contracts are self-enforcing pieces of software, which reside and run over a hosting blockchain. Using blockchain-based smart contracts for secure and transparent management to govern interactions (authentication, connection, and transaction) in Internet-enabled environments, mostly IoT, is a niche area of research and practice. However, writing trustworthy and safe smart contracts can be tremendously challenging because of the complicated semantics of underlying domain-specific languages and its testability. There have been high-profile incidents that indicate blockchain smart contracts could contain various code-security vulnerabilities, instigating financial harms. When it involves security of smart contracts, developers embracing the ability to write the contracts should be capable of testing their code, for diagnosing security vulnerabilities, before deploying them to the immutable environments on blockchains. However, there are only a handful of security testing tools for smart contracts. This implies that the existing research on automatic smart contracts security testing is not adequate and remains in a very stage of infancy. With a specific goal to more readily realize the application of blockchain smart contracts in security and privacy, we should first understand their vulnerabilities before widespread implementation. Accordingly, the goal of this paper is to carry out a far-reaching experimental assessment of current static smart contracts security testing tools, for the most widely used blockchain, the Ethereum and its domain-specific programming language, Solidity to provide the first...

Cryptography and Security

Bibin K. Baby,Alan Sunil,Neetha Thomas

Abstract:: Smart Contracts have gained tremendous popularity in the past few years., to the point that billons of US Dollars are currently exchanged very day through such technology. In this paper we advocate the need for a discipline of Blockchain Software Engineering, addressing the issues posed by smart contract programming and other and other application running on blockchains. We analyze a case of study where a bug discovered in a Smart Contract Library, and perhaps “unsafe” programming, allowed an attack on Parity, a wallet application, causing the freezing of about 500K Ethers. In this study we analyze the source code of Parity and the Library, and discuss how recognized best practices could mitigate, if adopted and adapted, such detrimental software misbehavior. We also specify the Smart Contract software development, which make some of the existing approaches insufficient, and call for the definition of a specific Blockchain Software Engineering.

Computer Science

Zulfiqar Ali Khan,Akbar Siami Namin

DOI: https://doi.org/10.1109/access.2024.3401623

IF: 3.9

2024-05-24

IEEE Access

Abstract:Ethereum Blockchain technology introduced a competitive environment in the financial sector. Consequently, new technologies emerged, such as Smart Contracts (SCs), which preclude code corrections due to their immutable nature. However, the incorrect and faulty uploaded SCs led to uninvited penetrations into SCs' accounts, resulting in considerable customer losses. This SC's drawback requires tools to test the SCs and paves the way for research on vulnerability detection techniques. Our survey paper comprehensively reviews 41 SC tools and presents the vulnerability detection techniques (VDTs) of several previously invented tools by dividing them into general and specific classes. Finally, we also perform a classification of detection techniques to standardize the approaches. Thus, our study will help SC developers and security analysts to streamline the security of SCs and reduce the chances of malicious monetary transfers.

computer science, information systems,telecommunications,engineering, electrical & electronic

Saltanat Mohammed Abdullah Shaikh

DOI: https://doi.org/10.52783/cana.v31.737

2024-06-20

Abstract:Background: Research has been done on the vulnerabilities of Ethereum smart contract detection since the emergence of blockchain technologies. Ethereum is one of the most popular platforms for DApps (decentralized applications) and smart contracts but turns more undoubtedly when their number and popularity grow. Methods: The study evaluates different detection methods including static analysis, dynamic code analysis, symbolic execution, and machine learning. Findings: The performance metrics on key areas, e.g. detection time, true positive rate, false positive rate, and scalability are emphasized in this evaluation analysis. These inferences imply that although Static Analysis can provide fast detection and high accuracy, Machine Learning is better at High scalability. The study also identifies trending flaws often encountered such as re-entrancy attacks and lack of input validation and stresses further the necessity of strong security methods. Besides, you may consider the sensitivity analysis in different network load scenarios as it shows the efficiency of detection technique in changing operational settings. Novelty and applications: Overall, the research brings a reliable development to smart contracts in Ethereum's security industries through analyzing and profiling vulnerability types and performance metrics that inform the development of more stable and efficient security activities for distributed applications.

Gupta, Namya Aankur,Bansal, Mansi,Sharma, Seema,Mehrotra, Deepti,Kakkar, Misha

DOI: https://doi.org/10.1007/s11276-024-03755-9

IF: 2.701

2024-05-10

Wireless Networks

Abstract:Blockchain helps to give a sense of security as there is only one history of transactions visible to all the involved parties. Smart contracts enable users to manage significant asset amounts of finances on the blockchain without the involvement of any intermediaries. The conditions and checks that have been written in smart contract and executed to the application cannot be changed again. However, these unique features pose some other risks to the smart contract. Smart contracts have several flaws in its programmable language and methods of execution, despite being a developing technology. To build smart contracts and implement numerous complicated business logics, high-level languages are used by the developers to code smart contracts. Thus, blockchain smart contract is the most important element of any decentralized application, posing the risk for it to be attacked. So, the presence of vulnerabilities are to be taken care of on a priority basis. It is important for detection of vulnerabilities in a smart contract and only then implement and connect it with applications to ensure security of funds. The motive of the paper is to discuss how deep learning may be utilized to deliver bug-free secure smart contracts. Objective of the paper is to detect three kinds of vulnerabilities- reentrancy, timestamp and infinite loop. A deep learning model has been created for detection of smart contract vulnerabilities using graph neural networks. The performance of this model has been compared to the present automated tools and other independent methods. It has been shown that this model has greater accuracy than other methods while comparing the prediction of smart contract vulnerabilities in existing models.

computer science, information systems,telecommunications,engineering, electrical & electronic

Oualid Zaazaa,Hanan El Bakkali

DOI: https://doi.org/10.5121/ijcnc.2023.15603

2023-12-01

Abstract:With the rise in using immature smart contract programming languages to build a decentralized application, more vulnerabilities have been introduced to the Blockchain and were the main reasons behind critical financial losses. Moreover, the immutability of Blockchain technology makes deployed smart contracts unfixable for the whole life of the Blockchain itself. The lack of complete and up-to-date resources that explain those vulnerabilities in detail has also contributed to increasing the number of vulnerabilities in Blockchain. In addition, the lack of a standardized nomination of the existing vulnerabilities has made redundant research and made developers more confused. Therefore, in this paper, we propose the most complete list of smart contract vulnerabilities that exist in the most popular Blockchains with a detailed explanation of each one of them. In addition, we propose a new codification system that facilitates the communication of those vulnerabilities between developers and researchers. This codification, help identify the most uncovered vulnerabilities to focus on in future research. Moreover, the discussed list of vulnerabilities covers multiple Blockchain and could be used for even future built Blockchains.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Christopher De Baets,Basem Suleiman,Armin Chitizadeh,Imran Razzak

2024-07-08

Abstract:In the growing field of blockchain technology, smart contracts exist as transformative digital agreements that execute transactions autonomously in decentralised networks. However, these contracts face challenges in the form of security vulnerabilities, posing significant financial and operational risks. While traditional methods to detect and mitigate vulnerabilities in smart contracts are limited due to a lack of comprehensiveness and effectiveness, integrating advanced machine learning technologies presents an attractive approach to increasing effective vulnerability countermeasures. We endeavour to fill an important gap in the existing literature by conducting a rigorous systematic review, exploring the intersection between machine learning and smart contracts. Specifically, the study examines the potential of machine learning techniques to improve the detection and mitigation of vulnerabilities in smart contracts. We analysed 88 articles published between 2018 and 2023 from the following databases: IEEE, ACM, ScienceDirect, Scopus, and Google Scholar. The findings reveal that classical machine learning techniques, including KNN, RF, DT, XG-Boost, and SVM, outperform static tools in vulnerability detection. Moreover, multi-model approaches integrating deep learning and classical machine learning show significant improvements in precision and recall, while hybrid models employing various techniques achieve near-perfect performance in vulnerability detection accuracy. By integrating state-of-the-art solutions, this work synthesises current methods, thoroughly investigates research gaps, and suggests directions for future studies. The insights gathered from this study are intended to serve as a seminal reference for academics, industry experts, and bodies interested in leveraging machine learning to enhance smart contract security.

Cryptography and Security,Machine Learning

Menglin Fu,Lifa Wu,Zheng Hong,Feng Zhu,He Sun,Wenbo Feng

DOI: https://doi.org/10.1109/access.2019.2947146

IF: 3.9

2019-01-01

IEEE Access

Abstract:The second generation of blockchain represented by smart contracts has been developing vigorously in recent years. However, frequent smart contract vulnerability incidents pose a serious risk to blockchain ecosystem security. Since current symbol execution tools often fall into path explosion and thus lead to inefficient detection, this paper expands Mythril's framework to optimize its performance. Firstly, it finds out potential vulnerable code regions using static analysis and identifies critical paths that may have security defects. Then, aiming at the problem that traditional search algorithms cannot actively locate and explore critical paths, this paper presents a multi-objective oriented path search (MOPS) strategy based on path priority. This strategy guides dynamic symbolic execution to cover critical paths quickly, avoiding blind traversal of program execution paths. Finally, it describes security rules and proposes corresponding detection logics for different vulnerability categories. This paper analyzes over 1000 smart contracts extracted from Etherscan. Compared with existing tools based on symbolic execution, the proposed method can reduce time consumption by around 35% while ensuring the accuracy of vulnerability detection. Moreover, existing tools often issue warnings that do not actually cause financial losses. But the proposed method only concentrates on code regions related to transfer of funds, so it can reduce the false alarm rate to some extent.

Junzhou Xu,Fan Dang,Xuan Ding,Min Zhou

DOI: https://doi.org/10.1109/iciscae51034.2020.9236931

2020-01-01

Abstract:As the core of present blockchain applications, smart contracts are designed to help multiple parties reach an agreement. Along with the promotion of smart contract applications, a large number of economic losses caused by attacks on smart contract vulnerabilities have emerged. Since most smart contracts only disclose bytecode, in recent years, there have been numerous researches on the vulnerability detection of smart contract bytecode, mainly for Ethereum smart contracts, achieving considerable results. My survey summarizes the methods and supported vulnerability types of these tools, aimed at Ethereum or EOSIO, over the years. The problems reflected in it shed light on the future work of smart contract bytecode vulnerability detection.

Gerardo Iuliano,Dario Di Nucci

2024-12-03

Abstract:Smart contracts are self-executing programs on blockchain platforms like Ethereum, which have revolutionized decentralized finance by enabling trustless transactions and the operation of decentralized applications. Despite their potential, the security of smart contracts remains a critical concern due to their immutability and transparency, which expose them to malicious actors. The connections of contracts further complicate vulnerability detection. This paper presents a systematic literature review that explores vulnerabilities in Ethereum smart contracts, focusing on automated detection tools and benchmark evaluation. We reviewed 1,888 studies from five digital libraries and five major software engineering conferences, applying a structured selection process that resulted in 131 high-quality studies. The key results include a hierarchical taxonomy of 101 vulnerabilities grouped into ten categories, a comprehensive list of 144 detection tools with corresponding functionalities, methods, and code transformation techniques, and a collection of 102 benchmarks used for tool evaluation. We conclude with insights on the current state of Ethereum smart contract security and directions for future research.

Software Engineering

Pankaj Chandra,Santosh Soni,Akanksha Gupta,Prayas Kumar,Kunal Raj

DOI: https://doi.org/10.55766/sujst-2023-05-e01234

2023-11-24

Abstract:Blockchain technology now relies heavily on smart contracts, which offer self-executing code for the exchange of goods and data. Smart contracts enable financial activities like payments and auctions on blockchain systems. Even if bugs are found, they cannot be changed. They are frequently used to automate the implementation of agreements so that all parties may be confident in the conclusion without the need for an intermediary. But because of their openness and how they interact with one another in the blockchain ecosystem, these contracts are vulnerable to security risks. Smart contract security research has advanced significantly in recent years. The research community of smart contract security has made a significant improvement recently. Researchers have identified several security flaws in smart contracts and have created frameworks for verification and static analysis to find them. This study attempts to identify the most critical software security issues that affect smart contracts. These are then handled utilizing a variety of methods and equipment common to the sector

Yao Yao,Hui Li 0022,Xin Yang,Yiwang Le

DOI: https://doi.org/10.1109/BigData55660.2022.10020730

IF: 4.426

2022-01-01

Big Data

Abstract:Smart contracts emerged as programs running on the blockchain. Security is one of the major concerns against smart contracts which also exist various vulnerabilities as for any other traditional programs. What was worse, security vulnerabilities in smart contracts may lead to irreversible economic losses. Hence, there is an apparent demand for security audits of contracts before deployment. In recent years, a large number of smart contract vulnerability detection tools have emerged. The methods used by these tools include formal verification, symbolic execution, machine learning, and fuzz testing. These methods can well analyze vulnerabilities, but there are still limitations. In this paper, we optimized and extended the Mythril symbolic execution tool. The optimized pruning algorithm improves the speed of symbolic execution, while the proposed detection algorithm for Transaction Order Dependence vulnerability expands the range of detecting vulnerability. In addition, a machine learning vulnerability detection model is introduced as an auxiliary detection method, which is used to build the complete smart contract vulnerability detection system. The experimental results show that the proposed system reduces the execution time, and improves the accuracy as well as the recall of vulnerability detection compared with the original Mythril tool.