Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Satpal Singh Kushwaha,Sandeep Joshi,Dilbag Singh,Manjit Kaur,Heung-No Lee

DOI: https://doi.org/10.1109/access.2021.3140091

IF: 3.9

2022-01-01

IEEE Access

Abstract:Blockchain is a revolutionary technology that enables users to communicate in a trust-less manner. It revolutionizes the modes of business between organizations without the need for a trusted third party. It is a distributed ledger technology based on a decentralized peer-to-peer (P2P) network. It enables users to store data globally on thousands of computers in an immutable format and empowers users to deploy small pieces of programs known as smart contracts. The blockchain-based smart contract enables auto enforcement of the agreed terms between two untrusted parties. There are several security vulnerabilities in Ethereum blockchain-based smart contracts, due to which sometimes it does not behave as intended. Because a smart contract can hold millions of dollars as cryptocurrency, so these security vulnerabilities can lead to disastrous losses. In this paper, a systematic review of the security vulnerabilities in the Ethereum blockchain is presented. The main objective is to discuss Ethereum smart contract security vulnerabilities, detection tools, real life attacks and preventive mechanisms. Comparisons are drawn among the Ethereum smart contract analysis tools by considering various features. From the extensive depth review, various issues associated with the Ethereum blockchain-based smart contract are highlighted. Finally, various future directions are also discussed in the field of the Ethereum blockchain-based smart contract that can help the researchers to set the directions for future research in this domain.

computer science, information systems,telecommunications,engineering, electrical & electronic

M. Goyal,Nitin Kumar Tyagi

DOI: https://doi.org/10.1145/3607947.3608069

2023-08-03

Abstract:Smart contracts are simply computer programs. These programs are deployed on distributed nodes over the blockchain network. These are executed without the need for third-party authentication. Usually, smart contracts are used for transferring assets so it requires the error-free execution of smart contract code. But, due to computer code pitfalls, it may be the possibility of errors or exceptions that may vulnerable to the security of smart contracts. Thus, this paper surveys the smart contract security issues and smart contract code vulnerabilities that have been investigated and security analysis tools are presented. A series of vulnerable codes is presented that may have the risk of stealing assets and information. The solution to these vulnerabilities has also been discussed. A comparison with existing work has also been presented.

Engineering,Computer Science

Reza M. Parizi,Ali Dehghantanha,Kim-Kwang Raymond Choo,Amritraj Singh

DOI: https://doi.org/10.5555/3291291.3291303

2018-09-08

Abstract:The emerging blockchain technology supports decentralized computing paradigm shift and is a rapidly approaching phenomenon. While blockchain is thought primarily as the basis of Bitcoin, its application has grown far beyond cryptocurrencies due to the introduction of smart contracts. Smart contracts are self-enforcing pieces of software, which reside and run over a hosting blockchain. Using blockchain-based smart contracts for secure and transparent management to govern interactions (authentication, connection, and transaction) in Internet-enabled environments, mostly IoT, is a niche area of research and practice. However, writing trustworthy and safe smart contracts can be tremendously challenging because of the complicated semantics of underlying domain-specific languages and its testability. There have been high-profile incidents that indicate blockchain smart contracts could contain various code-security vulnerabilities, instigating financial harms. When it involves security of smart contracts, developers embracing the ability to write the contracts should be capable of testing their code, for diagnosing security vulnerabilities, before deploying them to the immutable environments on blockchains. However, there are only a handful of security testing tools for smart contracts. This implies that the existing research on automatic smart contracts security testing is not adequate and remains in a very stage of infancy. With a specific goal to more readily realize the application of blockchain smart contracts in security and privacy, we should first understand their vulnerabilities before widespread implementation. Accordingly, the goal of this paper is to carry out a far-reaching experimental assessment of current static smart contracts security testing tools, for the most widely used blockchain, the Ethereum and its domain-specific programming language, Solidity to provide the first...

Cryptography and Security

Gerardo Iuliano,Dario Di Nucci

2024-12-03

Abstract:Smart contracts are self-executing programs on blockchain platforms like Ethereum, which have revolutionized decentralized finance by enabling trustless transactions and the operation of decentralized applications. Despite their potential, the security of smart contracts remains a critical concern due to their immutability and transparency, which expose them to malicious actors. The connections of contracts further complicate vulnerability detection. This paper presents a systematic literature review that explores vulnerabilities in Ethereum smart contracts, focusing on automated detection tools and benchmark evaluation. We reviewed 1,888 studies from five digital libraries and five major software engineering conferences, applying a structured selection process that resulted in 131 high-quality studies. The key results include a hierarchical taxonomy of 101 vulnerabilities grouped into ten categories, a comprehensive list of 144 detection tools with corresponding functionalities, methods, and code transformation techniques, and a collection of 102 benchmarks used for tool evaluation. We conclude with insights on the current state of Ethereum smart contract security and directions for future research.

Software Engineering

Aftabuddin,Atul Malhotra,Amandeep Nagpal,Shaikh Aftabuddin

DOI: https://doi.org/10.2139/ssrn.4493497

2024-01-01

SSRN Electronic Journal

Abstract:The Blockchain is a distributed and decentralized ledger that has been in use since its inception and is being used in a variety of industries, including cross-border payment systems, and cryptocurrencies such as Bitcoin and Ethereum. As a result, various tools and frameworks are available to detect these vulnerabilities. This study identifies various cyber-attacks that occurred inthe last two years. Some smart contract-specific vulnerabilities are also investigated, including Call to Unknown, Reentrancy, Immutable bug, Out of Gas, Code Injection, DoS with Failed Call, and Outdated Compiler. Various detection methods are discussed. This allows for the creation of a framework to address these issues and mitigate vulnerabilities such as DoS with Failed call and Outdated compiler, which were not accurately detected by previous symbolic execution-based detection tools. The framework's execution method will be symbolic. It is capable of efficiently identifying and detecting the aforementioned vulnerabilities. Many issues against various vulnerabilities can be solved by detecting and debugging the code itself beforedeployment.

S. Vani,M. Doshi,A. Nanavati,A. Kundu

DOI: https://doi.org/10.48550/arXiv.2212.07387

2022-12-15

Abstract:Blockchain platforms and smart contracts are vulnerable to security breaches. Security breaches of smart contracts have led to huge financial losses in terms of cryptocurrencies and tokens. In this paper, we present a systematic survey of vulnerability analysis of smart contracts. We begin by providing a brief about the major types of attacks and vulnerabilities that are present in smart contracts. Then we discuss existing frameworks, methods and technologies used for vulnerability detection. We summarise our findings in a table which lists each framework and the attacks it protects against.

Cryptography and Security

Satpal Singh Kushwaha,Heung-No Lee,Dilbag Singh,Manjit Kaur,Sandeep Joshi

DOI: https://doi.org/10.1109/ACCESS.2022.3169902

IF: 3.9

IEEE Access

Abstract:Blockchain technology and its applications are gaining popularity day by day. It is a ground-breaking technology that allows users to communicate without the need of a trusted middleman. A smart contract (self-executable code) is deployed on the blockchain and auto executes due to a triggering condition. In a no-trust contracting environment, smart contracts can establish trust among parties. Terms and conditions embedded in smart contracts will be imposed immediately when specified criteria have been fulfilled. Due to this, the malicious assailants have a special interest in smart contracts. Blockchains are immutable means if some transaction is deployed or recorded on the blockchain, it becomes unalterable. Thus, smart contracts must be analyzed to ensure zero security vulnerabilities or flaws before deploying the same on the blockchain because a single vulnerability can lead to the loss of millions. For analyzing the security vulnerabilities of smart contracts, various analysis tools have been developed to create safe and secure smart contracts. This paper presents a systematic review on Ethereum smart contracts analysis tools. Initially, these tools are categorized into static and dynamic analysis tools. Thereafter, different sources code analysis techniques are studied such as taint analysis, symbolic execution, and fuzzing techniques. In total, 86 security analysis tools developed for Ethereum blockchain smart contract are analyzed regardless of tool type and analysis approach. Finally, the paper highlights some challenges and future recommendations in the field of Ethereum smart contracts.

Computer Science

Misha Kakkar,Namya Aankur Gupta,D. Mehrotra,M. Bansal,Seema Sharma

DOI: https://doi.org/10.1109/CICTN57981.2023.10140767

2023-04-20

Abstract:Smart contract technology in today’s world is becoming really popular as it is changing the way transactions in industrial and commercial fields work. Smart contracts are scripts that are stored on the blockchain's distributed network and are used to carry out transactions consequently based on specific criteria without the need for third-party consent. Hence, they can help to minimize the costs of administration and services and at the same time, enhance operational efficiencies and lessen the risk. Despite the smart contracts having a lot of potential to unleash a new surge of technology, it is accompanied with a number of challenges that hinder the privacy and security of the user. Some vulnerabilities are reentrancy, timestamp, delegate call and integer underflow. To resolve these issues, the goal is to develop a smart contract vulnerability detection model based on machine learning algorithms.

Computer Science

Harry Virani,Manthan Kyada

DOI: https://doi.org/10.48550/arXiv.2212.05099

2022-12-10

Abstract:Smart contracts are blockchain-based algorithms that execute when specific criteria are satisfied. They are often used to automate the implementation of an agreement so that all parties may be confident of the conclusion right away, without the need for an intermediary or additional delay. They can also automate a process so that the following action is executed when circumstances are satisfied. This study seeks to pinpoint the most significant weaknesses in smart contracts from the viewpoints of their internal workings and software security flaws. These are then addressed using various techniques and tools used across the industry. Additionally, we looked into the limitations of the tools or analytical techniques about the found security flaws in the smart contracts.

Cryptography and Security

Pankaj Chandra,Santosh Soni,Akanksha Gupta,Prayas Kumar,Kunal Raj

DOI: https://doi.org/10.55766/sujst-2023-05-e01234

2023-11-24

Abstract:Blockchain technology now relies heavily on smart contracts, which offer self-executing code for the exchange of goods and data. Smart contracts enable financial activities like payments and auctions on blockchain systems. Even if bugs are found, they cannot be changed. They are frequently used to automate the implementation of agreements so that all parties may be confident in the conclusion without the need for an intermediary. But because of their openness and how they interact with one another in the blockchain ecosystem, these contracts are vulnerable to security risks. Smart contract security research has advanced significantly in recent years. The research community of smart contract security has made a significant improvement recently. Researchers have identified several security flaws in smart contracts and have created frameworks for verification and static analysis to find them. This study attempts to identify the most critical software security issues that affect smart contracts. These are then handled utilizing a variety of methods and equipment common to the sector

Anna Vacca,Andrea Di Sorbo,Corrado A. Visaggio,Gerardo Canfora

DOI: https://doi.org/10.1016/j.jss.2020.110891

IF: 3.5

2021-04-01

Journal of Systems and Software

Abstract:Blockchain platforms and languages for writing smart contracts are becoming increasingly popular. However, smart contracts and blockchain applications are developed through non-standard software life-cycles, in which, for instance, delivered applications can hardly be updated or bugs resolved by releasing a new version of the software. Therefore, this systematic literature review oriented to software engineering aims at highlighting current problems and possible solutions concerning smart contracts and blockchain applications development. In this paper, we analyze 96 articles (written from 2016 to 2020) presenting solutions to tackle software engineering-specific challenges related to the development, test, and security assessment of blockchain-oriented software. In particular, we review papers (that appeared in international journals and conferences) relating to six specific topics: smart contract testing, smart contract code analysis, smart contract metrics, smart contract security, Dapp performance, and blockchain applications. Beyond the systematic review of the techniques, tools, and approaches that have been proposed in the literature to address the issues posed by the development of blockchain-based software, for each of the six aforementioned topics, we identify open challenges that require further research.

computer science, theory & methods, software engineering

Valentina Piantadosi,Giovanni Rosa,Davide Placella,Simone Scalabrino,Rocco Oliveto

DOI: https://doi.org/10.1002/spe.3156

2022-10-21

Software Practice and Experience

Abstract:Blockchain is a platform of distributed elaboration, which allows users to provide software for a huge range of next‐generation decentralized applications without involving reliable third parties. Smart contracts (SCs) are an important component in blockchain applications: they are programmatic agreements among two or more parties that cannot be rescinded. Furthermore, SCs have an important characteristic: they allow users to implement reliable transactions without involving third parties. However, the advantages of SCs have a price. Like any program, SCs can contain bugs, some of which may also constitute security threats. Writing correct and secure SCs can be extremely difficult because, once deployed, they cannot be modified. Although SCs have been recently introduced, a large number of approaches have been proposed to find bugs and vulnerabilities in SCs. In this article, we present a systematic literature review on the approaches for the automated detection of bugs and vulnerabilities in SCs. We survey 68 papers published between 2015 and 2020, and we annotate each paper according to our classification framework to provide quantitative results and find possible areas not explored yet. Finally, we identify the open problems in this research field to provide possible directions to future researchers.

English Else

Oualid Zaazaa,Hanan El Bakkali

DOI: https://doi.org/10.5121/ijcnc.2023.15603

2023-12-01

Abstract:With the rise in using immature smart contract programming languages to build a decentralized application, more vulnerabilities have been introduced to the Blockchain and were the main reasons behind critical financial losses. Moreover, the immutability of Blockchain technology makes deployed smart contracts unfixable for the whole life of the Blockchain itself. The lack of complete and up-to-date resources that explain those vulnerabilities in detail has also contributed to increasing the number of vulnerabilities in Blockchain. In addition, the lack of a standardized nomination of the existing vulnerabilities has made redundant research and made developers more confused. Therefore, in this paper, we propose the most complete list of smart contract vulnerabilities that exist in the most popular Blockchains with a detailed explanation of each one of them. In addition, we propose a new codification system that facilitates the communication of those vulnerabilities between developers and researchers. This codification, help identify the most uncovered vulnerabilities to focus on in future research. Moreover, the discussed list of vulnerabilities covers multiple Blockchain and could be used for even future built Blockchains.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Loi Luu,Duc-Hiep Chu,Hrishi Olickel,Prateek Saxena,Aquinas Hobor

DOI: https://doi.org/10.1145/2976749.2978309

2016-10-24

Abstract:Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding millions dollars worth of virtual coins. In this paper, we investigate the security of running smart contracts based on Ethereum in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19, 336 existing Ethereum contracts, Oyente flags 8, 833 of them as vulnerable, including the TheDAO bug which led to a 60 million US dollar loss in June 2016. We also discuss the severity of other attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.

NI Yuandong,ZHANG Chao,YIN Tingting

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2020.05.07

2020-01-01

Journal of Cyber Security

Abstract:Smart contract is a decentralized application that operates on a blockchain platform, providing secure and reliable capabilities to contract participants. Smart contracts play an important role in decentralized application scenarios. They are widely used in many fields, such as equity crowdfunding, games, insurance, and the Internet of Things, making them attractive to attackers. Compared to traditional programs, the security of smart contracts affects not only the fairness of contracts but also the safety of high volume digital assets on the blockchain managed by contracts. Therefore, analyzing the security of smart contracts and associated vulnerabilities is crucial. In this paper, we analyzed the characteristics of smart contracts and new security risks they bring. We propose a three-layer threat model, i.e., threats from high-level languages, virtual machines, and the blockchain, for characterizing smart contract security. We use the world′s largest smart contract platform Ethereum as an example to illustrate 15 types of common vulnerabilities in smart contracts. We then summarize the main challenges and progress of smart contract security research on vulnerability, including automated vulnerability detection, automated exploit generation and mitigations for smart contracts. At the end of this paper, we highlight the future of smart contract security research, and proposed two potential research directions.

Jitendra Singh Yadav,Narendra Singh Yadav,Akhilesh Kumar Sharma

DOI: https://doi.org/10.1080/09540091.2022.2066065

2022-04-26

Connection Science

Abstract:Nowadays, Blockchain-based rating/review systems are gaining popularity as a backbone for recommender systems due to the inherent cryptographically secured decentralised architecture, immutability, user anonymity, and inclusion of smart contracts. However, the existing Blockchain-based rating/review systems address resistance to the standard attacks, i.e. collusion attack, user threatening, and unfair rating. Still, they do not present security analyses of smart contracts that may result in substantial threats to the users of the systems. This manuscript presents an in-depth study of twelve publicly available security analysis tools and standard vulnerabilities in smart contracts and reviews. The experimental setup uses a two-step approach for selecting the security analysis tool. The first step identifies the seven tools their proposers or independent researchers have compared, and the second step proposes a new method for selecting tools based on continuous improvement. Our experimental results show security issues in 51.72% of the analysed smart contracts of four Blockchain-based rating/review systems. 6.67% of vulnerable smart contracts exhibit high-level severity threats that raise an alarming condition for the current state of system developments.

computer science, artificial intelligence, theory & methods

Yongfeng Huang,Yiyang Bian,Renpu Li,J. Leon Zhao,Peizhong Shi

DOI: https://doi.org/10.1109/access.2019.2946988

IF: 3.9

2019-01-01

IEEE Access

Abstract:Smart contract security is an emerging research area that deals with security issues arising from the execution of smart contracts in a blockchain system. Generally, a smart contract is a piece of executable code that automatically runs on the blockchain to enforce an agreement preset between parties involved in the transaction. As an innovative technology, smart contracts have been applied in various business areas, such as digital asset exchange, supply chains, crowdfunding, and intellectual property. Unfortunately, many security issues in smart contracts have been reported in the media, often leading to substantial financial losses. These security issues pose new challenges to security research because the execution environment of smart contracts is based on blockchain computing and its decentralized nature of execution. Thus far, many partial solutions have been proposed to address specific aspects of these security issues, and the trend is to develop new methods and tools to automatically detect common security vulnerabilities. However, smart contract security is systematic engineering that should be explored from a global perspective, and a comprehensive study of issues in smart contract security is urgently needed. To this end, we conduct a literature review of smart contract security from a software lifecycle perspective. We first analyze the key features of blockchain that can cause security issues in smart contracts and then summarize the common security vulnerabilities of smart contracts. To address these vulnerabilities, we examine recent advances in smart contract security spanning four development phases: 1) security design; 2) security implementation; 3) testing before deployment; and 4) monitoring and analysis. Finally, we outline emerging challenges and opportunities in smart contract security for blockchain engineers and researchers.

S. Porkodi,D. Kesavaraja

DOI: https://doi.org/10.1007/s11276-023-03587-z

IF: 2.701

2023-11-29

Wireless Networks

Abstract:Smart contracts become significant as blockchain technology is blooming around the technological globe. In this juncture, smart contract is an automatic programming framework executed based upon pre-conditions in blockchain even among untrusted parties by eliminating third party. The usage of blockchain in various fields keeps on increasing enormously from crypto-currency to 6G wireless communication. While developing smart contracts for novel purposes, vulnerability and various challenges are discovered. Smart contracts are still in the emerging development stage with few bugs and errors, which are often exploited by hackers leading to huge losses. There are loopholes and misinterpretations in the development of smart contracts, thus it is necessary to design smart contracts. The anonymity and self-execution of the smart contract are taken as an advantage for illegal business. Hence, various modern tools are developed to identify the vulnerabilities in the smart contract but still, there is a research gap in this area. In this paper, various smart contracts and their challenges are studied to analyze the current state and a survey is carried out mainly focusing on its security aspects. Hence, providing a way to develop highly secure smart contracts and providing directions for contributing to future research.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ruhi TAŞ

DOI: https://doi.org/10.18185/erzifbed.1105551

2023-03-31

Erzincan Üniversitesi Fen Bilimleri Enstitüsü Dergisi

Abstract:A smart contract is a concept of computer protocols that helps to facilitate blockchain technology. This blockchain-based smart contract is a public ledger of all participating transactions. It is considered a self-executable application and contains predetermined rules. It also operates by decentralizing networks that are shared between all parties, and this execution of contracts between parties could be securely done without a middleman or a third party. With blockchain technology, developers could provide an efficient framework and ensure security issues. While the new blockchain has successfully been developed to prevent the problems of fraud and hacking, there is still a considerable risk concerning security and confidentiality. Therefore, we should not underestimate this matter. This study aims to review the potential risks that may take place on blockchain-based smart contracts. In addition, the options that may assist application developers in order to provide viable guidance, and to avoiding these security vulnerabilities.